On Tue, 19 Oct 2021 16:21:46 -0500, Alan Altmark <[email protected]>
wrote:
>Does anyone know if the z/OS IHS (Apache) server supports password expiry and
>change when performing authentication via LDAP? That is, if the web server
>prompts for credentials and the pw is expired, will it enter into a dialog to
>get it changed?
>
I am not using LDAP at all, authentication is done against RACF in our
installation. But here goes anyway, maybe you can get some ideas from it...

  <IfModule mod_status.c>
    <Location /server-status>
      SAFRunAsEarly On
      SAFRunAs %%CLIENT%%
      AuthName ServerStatus
      AuthType Basic
      AuthBasicProvider saf
      AuthSAFExpiredForm /change-saf-password
      Require saf-group GSYST
      Require saf-group GSECADM
      SetHandler server-status
    </Location>
  </IfModule>

This is a little part of my httpd.conf, where the server status link is
defined. The SAFRunAs makes the request run with the identity of the
client (the browser). UserID and password are asked for if needed (using Basic
Authentication, see the AuthType clause), authentication is done against RACF
(SAF, that is...). If the password is expired, a redirect is done towards the
/change-saf-password location where the built-in password change page is
defined:

  <Location "/change-saf-password">
    SetHandler saf-change-pw
    # AuthSAFExpiredForm specified here to ensure that
    # mod_authnz_saf can redirect back to the form if there was an
    # error when trying to update the password.
    AuthSAFExpiredForm /change-saf-password
  </Location>

Hope this helps.
Cheers,
Jantje.
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
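
Added example, not part of the original post and not IBM's code: a small Python check that every <Location> using AuthBasicProvider saf names an AuthSAFExpiredForm target, and that the target location is handled by saf-change-pw, as in the configuration quoted above. The /reports location and the function names are hypothetical, and wanting this pattern on every SAF-authenticated location is an assumption.

```python
import re

# Constructed sample modelled on the directives quoted in the post; /reports is hypothetical.
SAMPLE_CONF = """\
<Location /server-status>
AuthBasicProvider saf
AuthSAFExpiredForm /change-saf-password
SetHandler server-status
</Location>
<Location "/change-saf-password">
SetHandler saf-change-pw
AuthSAFExpiredForm /change-saf-password
</Location>
<Location /reports>
AuthBasicProvider saf
Require saf-group GSYST
</Location>
"""

def parse_locations(conf_text):
    """Return {path: {directive_lowercased: [argument strings]}} per <Location> block."""
    locations, current = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        opened = re.match(r'<Location\s+"?([^">]+?)"?\s*>$', line, re.I)
        if opened:
            current = locations.setdefault(opened.group(1), {})
        elif re.match(r"</Location\s*>$", line, re.I):
            current = None
        elif current is not None and line and line[0] not in "#<":
            name, *rest = line.split(None, 1)  # skips comments and nested containers
            current.setdefault(name.lower(), []).append("".join(rest).strip('"'))
    return locations

def audit_saf_expiry(conf_text):
    """List (path, problem) for SAF-authenticated locations without a working change form."""
    locs, findings = parse_locations(conf_text), []
    for path, d in locs.items():
        if "saf" not in " ".join(d.get("authbasicprovider", [])).lower().split():
            continue  # location does not authenticate against SAF
        forms = d.get("authsafexpiredform", [])
        if not forms:
            findings.append((path, "no AuthSAFExpiredForm"))
        elif "saf-change-pw" not in locs.get(forms[-1], {}).get("sethandler", []):
            findings.append((path, "form %s lacks SetHandler saf-change-pw" % forms[-1]))
    return findings

if __name__ == "__main__":
    print(audit_saf_expiry(SAMPLE_CONF))
```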