On Fri, 9 Jul 2021 17:10:22 +0000, Pommier, Rex <[email protected]> wrote:
>Hi list,
>
>I don't know if this belongs in the TCP/IP list, RACF list or here so I'm
>starting here. Here's the situation as best I understand it. First off, LDAP
>is a black hole as far as I'm concerned. It was set up here long before my
>time. We're using it to communicate and authenticate to RACF for users coming
>in from a browser into our CICS regions. The LDAP server runs under a user ID
>of LDAPSRV. Users coming in from the browser are given a logon screen where
>they enter their own ID and password which LDAP validates against RACF. LDAP
>provides the appropriate ICH408I message if they fat-finger a password etc.
>That part is all OK. The RACF group that LDAPSRV is a member of is LDAPGRP
>and some of the attributes assigned to LDAPSRV are actually given through the
>group.
>
>The LDAP server is defined within RACF in the APPL class and anybody that
>tries to log on through LDAP needs to have READ access to this APPL.
>
>
>Here's where I'm getting confused. There is another ID on the system, we'll
>call LDAPU, that has no special privileges except this ID is RACF SPECIAL.
>The group this ID belongs to (LDAP) also has no special privileges. The ID is
>not UID0 and the only connection LDAPU has is to the LDAP group, the only
>permission it has is to the LDAPSRV APPL. The LDAP group actually has no
>permissions given to it. The only thing strange is that the ID has SPECIAL.
>Since the ID isn't anything special (or so I thought) I removed SPECIAL from
>it. As soon as I removed SPECIAL, anybody coming in through the browser
>started getting invalid userid or password errors on their browser logon page.
>They were getting NO RACF ICH408I messages being logged either in the SYSLOG
>or in the LDAPSRV address space. As soon as I gave SPECIAL back to LDAPU
>everything started working again. I can find nowhere within the LDAP config
>file that defines LDAPU as any kind of special ID that has magical powers over
>people trying to log in through the LDAP. If anybody has any idea where I could
>go look for what LDAP is using this ID for or where it is defined to use this
>ID for something, I'd appreciate it. I really don't like the idea of having a
>RACF SPECIAL user floating around that nobody knows why it has SPECIAL.
>
Rex,
At a guess, I would say the application that is presenting the logon
screen to the user is doing either a LU or LG of the user attempting to sign
in. Do you have access to the application code to check if that is the case?
I have had a similar situation when setting up the TS7700 HMC MI authentication
using z/OS LDAP and RACF as the backend.
Hope that helps.
Roger
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN