How can a site build an application connector to manage ACF2 passphrases via the LDAP Server? What password phrase field information will be needed?
The LDAP Server can be used to manage ACF2 password phrases. The following describes the password phrase objectclass hierarchy, the objectclass entries and the UFNs (User Friendly Name Override File, ACF2 to LDAP Server) related to ACF2 password phrase fields, using the 'ldapmodify' command line utility as an example.
The LDAP Server provides an interface to the ACF2 security databases using the ACF2 backend module. The CAACF2_UTF Backend provides access to the ACF2 security databases through the R_Admin callable service.
The 'ldapmodify' command line utility, or an application, can programmatically issue an LDAP request specifying the HOST and PORT that the LDAP Server is listening on; the LDAP Server then translates the LDAP request into an R_Admin call that accesses the ACF2 database to satisfy the request.
For example, the 'ldapmodify' command line utility for z/OS UNIX System Services can be used to modify the password phrase of a user. ldapmodify (Modify an LDAP Object) opens a connection to an LDAP Server using a bind operation and then modifies an object in the LDAP directory.
Sample 'ldapmodify' command that can be issued from OMVS:
Syntax:
ldapmodify -h host -D cn=user -p port -w passwd -f file
Example:
./ldapmodify -h your.host.example.net -D cn=adm0002 -p port -w adm0002 -f /example/ldif.inp
-h host Specifies the host name or IP address that runs an LDAP Server that accepts an ldap:// connection.
-D binddn Binds to the LDAP Server directory. binddn is a string-represented DN as defined in RFC 1779.
CN= specifies the administrator logonid 'adm0002' that is making the ldapmodify request.
-p port Specifies the TCP port where the LDAP Server runs.
-w passwd Specifies the password 'adm0002' of the administrator logonid 'adm0002' for simple authentication.
-f file Specifies the file (LDIF) to be read, instead of standard input, that contains the update requests, such as Add, Modify, Delete, and Rename, as a set of records, one record for each update request.
The following file (LDIF), read by the ldapmodify command above, contains the modify request. In this example the modify request changes the password phrase of the user USER001.
Contents of /example/ldif.inp:
dn: acf2UserPwphrase=user001,acf2lid=user001,acf2admingrp=lids,host=your.host.example.net,o=test,c=us
changetype: modify
replace: PasswordPhrase
PasswordPhrase: LPAPchangepasswordphrase
acf2UserPwphrase=user001 specifies the object used to access the PWPhrase user profile records.
acf2lid=user001 USER001 is the logonid whose password phrase will be changed.
acf2admingrp=lids specifies the Lids objectclass entry.
host=your.host.example.net,o=test,c=us specifies the host name or IP address that runs an LDAP Server that accepts an ldap:// connection, followed by the directory suffix.
changetype: modify specifies that the change type is a modify.
replace: PasswordPhrase specifies the PWPHRASE User Profile UFN field for the password phrase.
PasswordPhrase: LPAPchangepasswordphrase specifies the new password phrase.
Example of 'ldapmodify' issued from TSO (OMVS), where administrator logonid ADM0002 changes the password phrase for logonid USER001:
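The pieces above (the DN of the PWPhrase object, the modify record, and the ldapmodify bind options) are what an application connector has to assemble for each password phrase change. The following Python is an added example, not code from the page or from the LDAP Server product: it builds the DN in the layout the page shows, escapes DN values per RFC 4514, emits the LDIF modify record (base64-encoding a phrase that LDIF cannot carry in clear text, per RFC 2849), and pipes the record to ldapmodify on standard input instead of writing the phrase to a file. The function names, the default executable path, and the 'o=test,c=us' suffix are assumptions for the example.

```python
"""Added example connector for an ACF2 password phrase change via the LDAP Server.
Not the page's or the product's code; names and the suffix are assumptions."""
import base64
import subprocess
from typing import List, Tuple

# Directory suffix as shown in the page's DN (assumed for this example).
ACF2_SUFFIX = "o=test,c=us"


def escape_dn_value(value: str) -> str:
    """Escape an attribute value for use inside a DN (RFC 4514 special characters)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;=':
            out.append("\\" + ch)
        elif ch == "#" and i == 0:
            out.append("\\#")
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)


def pwphrase_dn(lid: str, host: str, suffix: str = ACF2_SUFFIX) -> str:
    """DN of the PWPhrase user profile object for logonid 'lid', in the page's layout."""
    lid_e = escape_dn_value(lid)
    return (f"acf2UserPwphrase={lid_e},acf2lid={lid_e},acf2admingrp=lids,"
            f"host={escape_dn_value(host)},{suffix}")


def ldif_value(attr: str, value: str) -> str:
    """One LDIF attribute line. Values that are not SAFE-STRINGs per RFC 2849
    (non-ASCII, control characters, or a leading space, ':' or '<') go out as 'attr:: base64'."""
    safe = (value.isascii() and value.isprintable()
            and value[:1] not in (" ", ":", "<"))
    if safe:
        return f"{attr}: {value}"
    encoded = base64.b64encode(value.encode("utf-8")).decode("ascii")
    return f"{attr}:: {encoded}"


def change_pwphrase_ldif(lid: str, host: str, new_phrase: str) -> str:
    """Build the modify record the page shows: replace PasswordPhrase on the user's PWPhrase object."""
    return "\n".join([
        ldif_value("dn", pwphrase_dn(lid, host)),
        "changetype: modify",
        "replace: PasswordPhrase",
        ldif_value("PasswordPhrase", new_phrase),
        "",
    ])


def ldapmodify_argv(host: str, port: int, admin_lid: str,
                    ldapmodify_path: str = "./ldapmodify") -> List[str]:
    """argv for the page's ldapmodify call, without -f so the LDIF is read from standard input."""
    return [ldapmodify_path, "-h", host, "-D", f"cn={admin_lid}", "-p", str(port)]


def run_change(host: str, port: int, admin_lid: str, admin_pw: str,
               lid: str, new_phrase: str) -> Tuple[int, str, str]:
    """Issue the change. The phrase never touches disk; note that -w still exposes the
    administrator password in the process listing, as the page's own command does."""
    argv = ldapmodify_argv(host, port, admin_lid) + ["-w", admin_pw]
    ldif = change_pwphrase_ldif(lid, host, new_phrase)
    proc = subprocess.run(argv, input=ldif, text=True, capture_output=True)
    return proc.returncode, proc.stdout, proc.stderr


if __name__ == "__main__":
    # Dry run: show the record that would be sent for the page's example change.
    print(change_pwphrase_ldif("user001", "your.host.example.net", "LPAPchangepasswordphrase"))
```

run_change() reproduces the page's invocation with the file argument omitted, which the page notes makes ldapmodify read the update requests from standard input; the connector therefore never leaves a copy of the new phrase in a file such as /example/ldif.inp.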
READY
OMVS
# cd /ldap/install/directory
# ./ldapmodify -h your.host.example.net -D cn=adm002 -p 389 -w adm002 -f /example/ldif.inp
ldap_bind: Success (0)
additional info: ACF01137 ADM0002 LAST SYSTEM ACCESS 06.37-11/20/23 FROM xxxxxxxx
modifying entry "acf2UserPwphrase=USER001,acf2lid=USER001,acf2admingrp=lids,host
=your.host.example.net,o=test,c=us"
#
Details can be found in the LDAP Server documentation.