How to use LDAP Server to change an ACF2 user's password phrase

Article ID: 276244

ACF2 - z/OS

How can a site build an application connector to manage ACF2 password phrases via the LDAP Server, and what password phrase field information is needed?


The LDAP Server can be used to manage ACF2 password phrases. The following describes the password phrase ObjectClass hierarchy, the objectclass entries and the UFNs (User Friendly Names, from the ACF2-to-LDAP Server User Friendly Name Override File) related to the ACF2 password phrase fields, using the 'ldapmodify' command line utility as an example.

The LDAP Server provides an interface to the ACF2 security databases through the ACF2 backend module: the CAACF2_UTF backend accesses the ACF2 security databases through the R_Admin callable service.

The 'ldapmodify' command line utility, or an application, programmatically issues an LDAP request to the HOST and PORT on which the LDAP Server is listening; the LDAP Server then translates the LDAP request into an R_Admin call against the ACF2 database to satisfy the request.

For example, the 'ldapmodify' command line utility for z/OS UNIX System Services can be used to modify the password phrase of a user. ldapmodify (Modify an LDAP Object) opens a connection to an LDAP Server using a bind operation and then modifies an object in the LDAP directory.

Sample 'ldapmodify' command that can be issued from OMVS:

ldapmodify -h host -D cn=user -p port -w passwd -f file

./ldapmodify -h -D cn=adm0002 -p port -w adm0002 -f /example/ldif.inp  

  -h host    Specifies the host name or IP address of the LDAP Server that accepts the ldap:// connection.
  -D binddn  Binds to the LDAP Server directory. binddn is a string-represented DN as defined in RFC 1779.
             cn= specifies the administrator logonid ('adm0002') that is making the ldapmodify request.
  -p port    Specifies the TCP port on which the LDAP Server listens.
  -w passwd  Specifies the password of the administrator logonid ('adm0002' here) for simple authentication.
  -f file    Specifies the file (LDIF) to read instead of standard input. It contains the update
             requests (Add, Modify, Delete, Rename) as a set of records, one record per update request.

The LDIF file read by the ldapmodify command above contains the modify request. In this example the request changes the password phrase of the user USER001.

Contents of /example/ldif.inp:

dn: acf2UserPwphrase=user001,acf2lid=user001,acf2admingrp=lids,,o=test,c=us
changetype: modify
replace: PasswordPhrase
PasswordPhrase: LPAPchangepasswordphrase

  acf2UserPwphrase=user001 specifies that the object is used to access the PWPHRASE user profile records.
  acf2lid=user001 specifies USER001 as the logonid whose password phrase will be changed.
  acf2admingrp=lids specifies the Lids objectclass entry; the remaining components (the host entry and o=test,c=us) form the suffix of the LDAP Server that accepts the ldap:// connection.
  changetype: modify specifies that the change type is a modify.
  replace: PasswordPhrase specifies the PWPHRASE User Profile UFN field for the password phrase.
  PasswordPhrase: LPAPchangepasswordphrase specifies the new password phrase.
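An application connector has to produce exactly the LDIF record shown above for each logonid, and it must base64-encode the PasswordPhrase value whenever the phrase is not an RFC 2849 SAFE-STRING (leading space, colon or '<', non-ASCII or control characters), which a plain "PasswordPhrase: value" line cannot carry. The following Python is an added example, not code from the article or from the product: the DN layout, the acf2UserPwphrase RDN and the PasswordPhrase attribute come from the article, while SUFFIX (the site's suffix, with the host component left out) and the ldapmodify invocation are assumptions.

```python
"""Build and submit the ACF2 password-phrase modify record used by the article."""
import base64
import os
import subprocess
import tempfile

# Assumption: site suffix taken from the article's DN, without the elided host entry.
SUFFIX = "acf2admingrp=lids,o=test,c=us"


def needs_base64(value: str) -> bool:
    """True when the value is not an RFC 2849 SAFE-STRING and must be written
    with '::'. A trailing space is also encoded (conservative: readers often trim it)."""
    if not value:
        return False
    if value[0] in " :<" or value.endswith(" "):
        return True
    return any(ord(c) < 0x20 or ord(c) > 0x7E for c in value)


def ldif_attr(name: str, value: str) -> str:
    """One LDIF attribute line, base64-encoded only when the value requires it."""
    if needs_base64(value):
        return f"{name}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"
    return f"{name}: {value}"


def build_pwphrase_ldif(logonid: str, phrase: str, suffix: str = SUFFIX) -> str:
    """The modify record from the article: replace PasswordPhrase on the
    acf2UserPwphrase object of the given logonid."""
    dn = f"acf2UserPwphrase={logonid},acf2lid={logonid},{suffix}"
    lines = [f"dn: {dn}", "changetype: modify", "replace: PasswordPhrase",
             ldif_attr("PasswordPhrase", phrase)]
    return "\n".join(lines) + "\n"


def run_ldapmodify(host: str, port: int, binddn: str, bindpw: str, ldif_text: str):
    """Write the record to a 0600 temporary file and hand it to ldapmodify -f, so the
    new phrase never appears on the command line (only the bind password does, as in
    the article's -w usage). Assumes ldapmodify is on PATH in the OMVS shell."""
    fd, path = tempfile.mkstemp(suffix=".ldif")   # mkstemp creates the file mode 0600
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(ldif_text)
        return subprocess.run(["ldapmodify", "-h", host, "-p", str(port), "-D", binddn,
                               "-w", bindpw, "-f", path], capture_output=True, text=True)
    finally:
        os.unlink(path)   # do not leave the phrase on disk after the request


if __name__ == "__main__":   # constructed sample: the article's USER001 change
    print(build_pwphrase_ldif("user001", "LPAPchangepasswordphrase"), end="")
```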

Example 'ldapmodify' issued from TSO OMVS; the administrator logonid ADM0002 is changing the password phrase for logonid USER001:

# cd /ldap/install/directory

# ./ldapmodify -h -D cn=adm002 -p 389 -w adm002 -f /example/ldif.inp
ldap_bind: Success (0)
        additional info: ACF01137 ADM0002 LAST SYSTEM ACCESS 06.37-11/20/23 FROM xxxxxxxx
modifying entry "acf2UserPwphrase=USER001,acf2lid=USER001,acf2admingrp=lids,host,o=test,c=us"

Additional Information

Details can be found in the LDAP Server documentation.