Hi Rex,
Very strange indeed. This does not seem like a native LDAP issue. Have you
looked at the source code of the software that is processing logons to see if
this ID is embedded in the code? Is this ID coded as the USERID on any CICS
terminal definitions or started transaction EXEC CICS START commands related to
this logon process? If you have SETROPTS SAUDIT or AUDIT(USER) active, have you
looked at SMF data to see if it is issuing any RACF commands, in particular
ALTUSER PASSWORD NOEXPIRE? Have you tried adding UAUDIT to the ID to see what
else it might be doing? If you have a product like zSecure Access Monitor, what
activity does it show for this ID? What happens if you swap ROAUDIT for
SPECIAL? If you define profiles LISTUSER and LU in the PROGRAM class with
ADDMEM('SYS1.LINKLIB'//NOPADCHK) UACC(READ) AUDIT(ALL), does SMF data show this
ID using these programs? My extreme SWAG is that it is being used to handle
password expiration and password changes.
Regards, Bob
Robert S. Hansel 2021 #IBMChampion
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
www.twitter.com/RSH_RACF
www.rshconsulting.com
-----Original Message-----
Date: Fri, 9 Jul 2021 17:10:22 +0000
From: "Pommier, Rex" <[email protected]>
Subject: LDAP confusion with security settings
Hi list,
I don't know if this belongs in the TCP/IP list, RACF list or here so I'm
starting here. Here's the situation as best I understand it. First off, LDAP
is a black hole as far as I'm concerned. It was set up here long before my
time. We're using it to communicate and authenticate to RACF for users coming
in from a browser into our CICS regions. The LDAP server runs under a user ID
of LDAPSRV. Users coming in from the browser are given a logon screen where
they enter their own ID and password which LDAP validates against RACF. LDAP
provides the appropriate ICH408I message if they fat-finger a password etc.
That part is all OK. The RACF group that LDAPSRV is a member of is LDAPGRP and
some of the attributes assigned to LDAPSRV are actually given through the group.
The LDAP server is defined within RACF in the APPL class and anybody that
tries to log on through LDAP needs to have READ access to this APPL.
Here's where I'm getting confused. There is another ID on the system, we'll
call LDAPU, that has no special privileges except this ID is RACF SPECIAL. The
group this ID belongs to (LDAP) also has no special privileges. The ID is not
UID0 and the only connection LDAPU has is to the LDAP group, the only
permission it has is to the LDAPSRV APPL. The LDAP group actually has no
permissions given to it. The only thing strange is that the ID has SPECIAL.
Since the ID isn't anything special (or so I thought) I removed SPECIAL from
it. As soon as I removed SPECIAL, anybody coming in through the browser
started getting invalid userid or password errors on their browser logon page.
They were getting NO RACF ICH408I messages being logged either in the SYSLOG or
in the LDAPSRV address space. As soon as I gave SPECIAL back to LDAPU
everything started working again. I can find nowhere within the LDAP config
file that defines LDAPU as any kind of special ID that has magical powers over
people trying to log in through the LDAP. If anybody has any idea where I could
go look for what LDAP is using this ID for or where it is defined to use this
ID for something, I'd appreciate it. I really don't like the idea of having a
RACF SPECIAL user floating around that nobody knows why it has SPECIAL.
Apologies if this sounds as confusing to you reading it as it does to me
writing it.
Thanks,
Rex
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN