Enabling MFDS Administration for LDAP and User Password Changes

Restriction: This topic applies only when the Enterprise Server feature is enabled.

By default, ES uses the MFReader account to connect to the LDAP server. As its name suggests, MFReader does not have authority to make changes to the repository, only to read from it.

You may want to configure your MLDAP Security Manager in MFDS with different LDAP user credentials (Authorized ID and Password), to give it update access to part or all of the repository. You can configure it with credentials for an administrative user, or create a new LDAP user (see Adding Repository Objects using ADSIEdit) and then set ACLs in the LDAP repository (using ADSIEdit or other Microsoft tools) to give that user write access to specific parts of the repository.

For example, if you have created an AD LDS user named "MFUpdate", you could give it write access to user objects by setting an ACL with the dsacls.exe AD LDS utility:

dsacls "\\localhost\CN=Enterprise Server Users,CN=Micro Focus,CN=Program Data,DC=local" /I:S /G "CN=MFUpdate,CN=ADAM Users,CN=Micro Focus,CN=Program Data,DC=local":WP

(Enter this command all on one line.)

You should not give the MFReader LDAP user write access to the repository, because its name and password are well-known. Configure your security manager to use a different account instead, and be careful to keep that account's password a secret. (If non-privileged users have access to the system where MFDS is running, it's a good idea to set ACLs on the MFDS configuration files so that they can only be read by the account MFDS runs under, which is usually SERVICE.)
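The following PowerShell script is an added audit example, not part of the product documentation: it reads the ACL on the Enterprise Server Users container through ADSI and reports whether each account holds an Allow ACE with WriteProperty, so you can confirm that the dsacls grant above took effect for MFUpdate and that MFReader still has read-only access. It assumes the AD LDS instance listens on localhost port 389, that MFReader sits beside MFUpdate under CN=ADAM Users, and that the user running it can read security descriptors on the instance.

```powershell
# Added audit script (not from the product documentation). Assumptions:
# AD LDS on localhost:389, MFReader located under CN=ADAM Users; adjust as needed.
Add-Type -AssemblyName System.DirectoryServices

$Port     = 389                                      # assumption: default AD LDS port
$Base     = "CN=Micro Focus,CN=Program Data,DC=local"
$UsersDN  = "CN=Enterprise Server Users,$Base"       # container from the dsacls example
$Accounts = @{
    MFReader = "CN=MFReader,CN=ADAM Users,$Base"     # assumed location of MFReader
    MFUpdate = "CN=MFUpdate,CN=ADAM Users,$Base"
}

# Resolve an AD LDS user DN to its SID; ACEs in the instance are stored by SID.
function Get-AdLdsSid([string]$Dn) {
    $entry = [ADSI]"LDAP://localhost:$Port/$Dn"
    New-Object System.Security.Principal.SecurityIdentifier($entry.objectSid.Value, 0)
}

# $true when an Allow ACE on $ContainerDn grants WriteProperty (the dsacls "WP"
# right) to $Sid. GenericWrite and GenericAll contain the WriteProperty bit, so
# broader grants are reported as well.
function Test-WritePropertyGranted([string]$ContainerDn,
                                   [System.Security.Principal.SecurityIdentifier]$Sid) {
    $wp = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
    $container = [ADSI]"LDAP://localhost:$Port/$ContainerDn"
    $rules = $container.ObjectSecurity.GetAccessRules($true, $true,
        [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        if ($rule.IdentityReference -eq $Sid -and
            $rule.AccessControlType -eq 'Allow' -and
            (($rule.ActiveDirectoryRights -band $wp) -ne 0)) { return $true }
    }
    return $false
}

foreach ($name in $Accounts.Keys) {
    $granted  = Test-WritePropertyGranted $UsersDN (Get-AdLdsSid $Accounts[$name])
    $expected = ($name -eq 'MFUpdate')   # only the update account should hold WP
    $status   = if ($granted -eq $expected) { 'OK' } else { 'REVIEW' }
    "{0,-8} WriteProperty on '{1}': {2} ({3})" -f $name, $UsersDN, $granted, $status
}
```

A REVIEW line for MFReader means the read-only account has been given write access somewhere in the container's ACL and the grant should be removed; a REVIEW line for MFUpdate means the dsacls grant did not apply to this container.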

If MFDS is configured to use an MLDAP Security Manager that has update access to the various ES objects in the LDAP repository, then you can use MFDS to administer those objects. From the Security page of the MFDS administration GUI, go to the Security Managers tab, edit the Security Manager you have defined for LDAP, and click its Properties button. From there, you can view and edit users, groups, and resource access controls.