We are using CA Identity Suite 14.2 and have RACF as one of the endpoints. We are on z/OS 2.2 with CA LDAP Server version 15.1. When we type passwords in mixed case in IdM/Provisioning, they are propagated to RACF in UPPER case instead of mixed case. How do we make this work?
z/OS - 2.2 and CA LDAP server 15.1
The code fully supports uppercase or mixed case passwords, based on the settings in the RACF RCVT. If the RCVT has not been refreshed, the flag indicating that lower case passwords are supported will be off and the LDAP code will fold passwords to upper case.
Our testing on z/OS 2.1 and 2.3 shows that after issuing the RACF SETR PASSWORD(MIXEDCASE) command, RACF dynamically updates the RCVT and an IPL is not needed. After issuing the command, whether to set MIXEDCASE or NOMIXEDCASE, the client must restart LDAP to see the change, because the setting is only checked during initialization.
To see what LDAP detected, perform the following:
1. Edit the slapd.env file.
2. Add the following two lines anywhere in the file (change /usr/lpp/caldapr151 to your install directory or to /tmp):
   CADSI_DEBUG=ANY
   CADSI_DEBUG_FILENAME=/usr/lpp/caldapr151/cadsi_init.log
3. Restart LDAP.
4. Review the cadsi_init.log file.
On our system, with SETR PASSWORD(MIXEDCASE) in effect, the log shows:
+++ security system fold password: no
After issuing SETR PASSWORD(NOMIXEDCASE) and restarting LDAP, the log shows:
+++ security system fold password: yes
Once this is working, comment out the 2 lines added to slapd.env and restart LDAP; passwords should then be propagated as desired.
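The following is an added example, not part of this article or the CA LDAP product: a small POSIX shell check that reads the "fold password" flag from the cadsi_init.log produced by the debug settings above, and reports whether any CADSI_DEBUG lines are still active in slapd.env after the check is done. The log and slapd.env contents used for the demo are constructed; only the "+++ security system fold password:" line format comes from the article.

```shell
#!/bin/sh
# Added example (not from the article): interpret the LDAP debug output.
# "mixed"   -> fold password: no  (LDAP keeps the case it receives)
# "upper"   -> fold password: yes (LDAP folds to upper case; RCVT says NOMIXEDCASE)
# "unknown" -> the line is absent (debug not enabled or LDAP not restarted)
fold_status() {
    log="$1"
    flag=$(grep -i 'security system fold password:' "$log" 2>/dev/null \
           | tail -n 1 | sed 's/.*fold password:[[:space:]]*//' | tr 'A-Z' 'a-z')
    case "$flag" in
        no)  echo mixed ;;
        yes) echo upper ;;
        *)   echo unknown ;;
    esac
}

# Count CADSI_DEBUG* lines in slapd.env that are not commented out; the
# article says to comment them out once the check is complete.
active_debug_lines() {
    n=$(grep -c '^[[:space:]]*CADSI_DEBUG' "$1" 2>/dev/null) || :
    echo "${n:-0}"
}

# Demo on constructed files (paths and contents are made up for this example).
demo_dir=$(mktemp -d)
printf '%s\n' 'cadsi init start' \
    '+++ security system fold password: yes' > "$demo_dir/cadsi_init.log"
printf '%s\n' 'CADSI_DEBUG=ANY' \
    '#CADSI_DEBUG_FILENAME=/tmp/cadsi_init.log' > "$demo_dir/slapd.env"
echo "fold status: $(fold_status "$demo_dir/cadsi_init.log")"
echo "active debug lines in slapd.env: $(active_debug_lines "$demo_dir/slapd.env")"
rm -rf "$demo_dir"
```

A result of "upper" after SETR PASSWORD(MIXEDCASE) means LDAP was not restarted after the RACF change, since the flag is only read at initialization.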
Two things to remember:
1. LDAP sets the password to the value it receives without changing it, so the TSO login works with nothing else in the middle, no matter what the mixed case flag is.
2. LDAP has a new global option to set the user password to NOEXPIRED, but it is not needed; this can be set for a specific user if sent by the application (IdM in this case) using the attribute added for IdM, eTSelfChange: Y.