On 10/19/21 3:21 PM, Alan Altmark wrote:
> Does anyone know if the z/OS IHS (Apache) server supports password expiry and change when performing authentication via LDAP?

I can't speak for IHS, but based on my experience with AHS (Apache proper) and OHS (Oracle) I think that "it depends" is the answer.

> That is, if the web server prompts for credentials and the pw is expired, will it enter into a dialog to get it changed?

I don't think that HTTP Basic authentication will support this /by/ /itself/. (Independent of IHS / AHS / OHS.)

That being said, you probably can create a web application that could deal with this scenario. I would expect that you could host said web application via IHS / AHS / OHS agnostically.

This web application would be predicated on what can be done with password management via LDAP.

1) Is there a way to test the current password? (I believe there is.)
2) Is there a way to change the password? (I suspect there is.)
3) Is there a way to determine if the current password is expired? (I don't know.)

If you can do all three, then you should be able to create a web application to do what you want. You'll need to do #1 & #2 and conditionally alter how the web application behaves. Create the new UI / UX to alert the user and allow them to change their password.

> I then want to use the authenticated userid as the web client's id for the purposes. (The ID exists in the local RACF database, but I don't want to authenticate with it.)

I barely know how to spell RACF, much less have any idea how it will behave with regard to crossed security contexts. I assume that you want to use the context of the web application / IHS. What are you wanting to do with the user's RACF ID? Can you do this as the context of the web application / IHS?

> Is this something better suited to Liberty/WAS?

Liberty / WAS may provide more foundational framework that rides on top of HTTP(S) than IHS (et al.) does. I have no idea.



--
Grant. . . .
unix || die
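
Added example, not part of the original message and not IHS or IBM code: one way a web application could tell an expired password from a plain bad one after an LDAP bind, assuming the directory server returns the password policy response control defined in draft-behera-ldap-password-policy (the thread does not say whether the z/OS LDAP server does). The function names and the sample bytes are constructed for illustration.

```python
# Added example: decode the value of the LDAP password policy response control.
# Sample inputs are constructed; no directory server is contacted.
PPOLICY_OID = "1.3.6.1.4.1.42.2.27.8.5.1"  # control to look for on the bind response
ERRORS = {0: "passwordExpired", 1: "accountLocked", 2: "changeAfterReset"}

def _tlv(buf, pos):
    """Read one BER element at pos; return (tag, value_bytes, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length

def parse_ppolicy(value):
    """Return a dict with optional keys: expires_in, grace_left, error."""
    tag, body, _ = _tlv(value, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    out, pos = {}, 0
    while pos < len(body):
        tag, val, pos = _tlv(body, pos)
        if tag == 0xA0:                    # warning [0], wraps a CHOICE
            inner, num, _ = _tlv(val, 0)
            key = {0x80: "expires_in", 0x81: "grace_left"}.get(inner)
            if key:
                out[key] = int.from_bytes(num, "big")
        elif tag == 0x81:                  # error [1] ENUMERATED
            code = int.from_bytes(val, "big")
            out["error"] = ERRORS.get(code, "other(%d)" % code)
    return out

def next_step(bind_ok, control_value):
    """Decide which page the hypothetical web application shows after a bind."""
    info = parse_ppolicy(control_value) if control_value else {}
    err = info.get("error")
    if err in ("passwordExpired", "changeAfterReset") or "grace_left" in info:
        return "change_password"
    if not bind_ok:
        return "locked" if err == "accountLocked" else "login_failed"
    return "warn_expiry" if "expires_in" in info else "proceed"
```

The control value is passed in as raw bytes, so the same decision logic can sit behind whichever LDAP client library the application uses.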
