I don't know the answer to your question but oh boy! > I really don't like the idea of having a RACF SPECIAL user floating around > that nobody knows why it has SPECIAL
You can say that again! Charles -----Original Message----- From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf Of Pommier, Rex Sent: Friday, July 9, 2021 10:10 AM To: [email protected] Subject: LDAP confusion with security settings Hi list, I don't know if this belongs in the TCP/IP list, RACF list or here so I'm starting here. Here's the situation as best I understand it. First off, LDAP is a black hole as far as I'm concerned. It was set up here long before my time. We're using it to communicate and authenticate to RACF for users coming in from a browser into our CICS regions. The LDAP server runs under a user ID of LDAPSRV. Users coming in from the browser are given a logon screen where they enter their own ID and password which LDAP validates against RACF. LDAP provides the appropriate ICH408I message if they fat-finger a password etc. That part is all OK. The RACF group that LDAPSRV is a member of is LDAPGRP and some of the attributes assigned to LDAPSRV are actually given through the group. The LDAP server is defined within RACF in the APPL class and anybody that tries to log on through LDAP need to have READ access to this APPL. Here's where I'm getting confused. There is another ID on the system, we'll call LDAPU, that has no special privileges except this ID is RACF SPECIAL. The group this ID belongs to (LDAP) also has no special privileges. The ID is not UID0 and the only connection LDAPU has is to the LDAP group, the only permission it has is to the LDAPSRV APPL. The LDAP group actually has no permissions given to it. The only thing strange is that the ID has SPECIAL. Since the ID isn't anything special (or so I thought) I removed SPECIAL from it. As soon as I removed SPECIAL, anybody coming in through the browser started getting invalid userid or password errors on their browser logon page. They were getting NO RACF ICH408I messages being logged either in the SYSLOG or in the LDAPSRV address space. As soon as I gave SPECIAL back to LDAPU everything started working again. I can find nowhere within the LDAP config file that defines LDAPU as any kind of special ID that has magical powers over people trying to log in thru the LDAP. If anybody has any idea where I could go look for what LDAP is using this ID for or where it is defined to use this ID for something, I'd appreciate it. I really don't like the idea of having a RACF SPECIAL user floating around that nobody knows why it has SPECIAL. ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN
