After a good night sleep, I delved into this problem further. I do not think this is an ACL issue as I can change the password using the ldapmodify command.
On the z/OS LDAP Server, we are using TDBM and RACF for native authentication. We have the following: Server Configuration adminDN: cn=ldapadm, o=PHI adminPW: *not configured* allowAnonymousBinds: on armName: GLDSRVR audit 1: off commThreads: 10 db2StartUpRetryInterval: 45 db2StartUpRetryLimit: 0 db2Terminate: recover dnCacheSize: 1000 idleConnectionTimeout: 0 listen 1: ldap://:389 logfile: /tmp/gldlog.output maxConnections: 65535 operationsMonitor: IPANY operationsMonitorSize: 1000 pcIdleConnectionTimeout: 0 pcThreads: 10 pwSearchOutput: binary schemaPath: /var/ldap/schema schemaReplaceByValue: on securityLabel: off sendV3StringsOverV2As: UTF-8 serverCompatLevel: 5 serverEtherAddr: 4020980269E6 serverSysplexGroup: undefined sizeLimit: 500 srvStartUpError: ignore sslAuth: serverAuth sslCertificate: none sslCipherSpecs: 050435363738392F303132330A1613100D0915120F0C0306 sslMapCertificate: off fail supportKrb5: off tcpTerminate: recover timeLimit: 3600 validateIncomingV2Strings: on database TDBM GLDBTD31 TDBM-0001 aclSourceCacheSize: 100 attrOverflowCount: 512 attrOverflowSize: 255 changeLoggingParticipant: on dbUserid: LDAPSRV dnToEidCacheSize: 1000 entryCacheSize: 5000 entryOwnerCacheSize: 100 extendedGroupSearching: off filterCacheBypassLimit: 100 filterCacheSize: 5000 krbIdentityMap: off multiServer: off nativeAuthSubtree: all nativeUpdateAllowed: on persistentSearch: off pwCryptCompat: on pwEncryption: none readOnly: off secretEncryption: none serverName: USPHIDSNC sizeLimit: 500 suffix 1: o=PHI timeLimit: 3600 useNativeAuth: all I have the following specified in SLES11-SP1?s /etc/ldap.conf pam_password racf /etc/pam.d/passwd looks like the following: auth required pam_env.so auth sufficient pam_ldap.so auth required pam_unix2.so account sufficient pam_ldap.so account required pam_unix2.so password sufficient pam_ldap.so session sufficient pam_ldap.so session required pam_limits.so session required pam_unix2.so session optional pam_umask.so The Red Paper titled ?Securing Linux for zSeries with Central z/OS LDAP Server (RACF)? available at http://www.redbooks.ibm.com/redpapers/pdfs/redp0221.pdf on page 21 suggest that the pam_password racf in the Linux ldap.conf allows the Linux passwd command to work with RACF. Am I missing something or have something misconfigured? Any experiences out there? Thanks as always. Peter From: Peter E Abresch/EP/PEP To: Linux on 390 Port <[email protected]> Date: 08/15/2011 05:51 PM Subject: RACF LDAP and Linux passwd command We have RACF LDAP server setup under z/OS Version 1.11. We are using SLES11-SP1 Linux. We are using LDAP to authenticate with RACF passwords and DB2 for the TDBM backend. We populated the TDBM and everything is working great with one exception. We cannot change the RACF password from Linux using the passwd command. This should work. Here is what we are seeing: x062tst@linuxm02:~> passwd Changing password for x062tst. Enter login(LDAP) password: New password: Re-enter new password: LDAP password information update failed: Protocol error R006010 Unsupported extended operation '1.3.6.1.4.1.4203.1.11.1' (srv_process_extended_request) passwd: Permission denied I am thinking this is an ACL issue but am clueless how to setup the ldif file for the ACL permission for the ldapmodify command. This is how it looks now: # ESE Testing ID, ESE, IT, PHI dn: cn=ESE Testing ID,ou=ESE,ou=IT,o=PHI cn: ESE Testing ID aclentry: cn=this:critical:w aclentry: cn=anybody:NORMAL:RSC:SYSTEM:RSC aclpropagate: TRUE aclsource: ou=ESE, ou=IT, o=PHI entryowner: access-id:cn=ldapadm,o=PHI ownerpropagate: TRUE ownersource: ou=ESE, ou=IT, o=PHI Does anyone have experience with this or can point be in the right direction. Thanks in advance. Peter This Email message and any attachment may contain information that is proprietary, legally privileged, confidential and/or subject to copyright belonging to Pepco Holdings, Inc. or its affiliates ("PHI"). This Email is intended solely for the use of the person(s) to which it is addressed. If you are not an intended recipient, or the employee or agent responsible for delivery of this Email to the intended recipient(s), you are hereby notified that any dissemination, distribution or copying of this Email is strictly prohibited. If you have received this message in error, please immediately notify the sender and permanently delete this Email and any copies. PHI policies expressly prohibit employees from making defamatory or offensive statements and infringing any copyright or any other legal right by Email communication. PHI will not accept any liability in respect of such communications. ---------------------------------------------------------------------- For LINUX-390 subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO LINUX-390 or visit http://www.marist.edu/htbin/wlvindex?LINUX-390 ---------------------------------------------------------------------- For more information on Linux on System z, visit http://wiki.linuxvm.org/
