Re: Question on LDAPSRV running on z/OS
Just a wrap up on this. It appears to have been LDAP. We IPLed over the weekend and the mixed case passwords magically started working coming thru LDAP. I'm just guessing here that LDAP cached the password case setting from RACF when it came up and just kept it until LDAP got bounced as part of the IPL. Thanks for the suggestions. Rex -Original Message- From: IBM Mainframe Discussion List On Behalf Of Longnecker, Dennis Sent: Wednesday, September 18, 2019 4:34 PM To: IBM-MAIN@LISTSERV.UA.EDU Subject: [External] Re: Question on LDAPSRV running on z/OS We are doing the same. There was no LDAP server changes we needed to do to make this happen. My first guess would be your web front-end is uppercasing it before sending it to LDAP. -Original Message- From: IBM Mainframe Discussion List On Behalf Of Pommier, Rex Sent: Tuesday, September 17, 2019 1:44 PM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Question on LDAPSRV running on z/OS Cross-posted from RACF list because I'm getting desperate. Hello list, I hope this is the right place for this. We're using LDAPSRV running on z/OS 2.2 to take login requests from a browser front-end and authenticate them against RACF. We just implemented mixed case passwords last night and it appears that LDAP is converting the passwords it gets to upper case before sending them on to RACF for validation, so logons are failing for people who have changed their passwords with the mixed case support. Is there a parameter in the LDAP config files to pass passwords through LDAP as-is instead of upper-casing them or am I looking in the wrong place. LDAP is a black box to me. AFAIK, logons are still working just fine for those who haven't changed passwords, only those who have. TIA, Rex The information contained in this message is confidential, protected from disclosure and may be legally privileged. If the reader of this message is not the intended recipient or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any disclosure, distribution, copying, or any action taken or action omitted in reliance on it, is strictly prohibited and may be unlawful. If you have received this communication in error, please notify us immediately by replying to this message and destroy the material in its entirety, whether in electronic or hard copy format. Thank you. -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN The information contained in this message is confidential, protected from disclosure and may be legally privileged. If the reader of this message is not the intended recipient or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any disclosure, distribution, copying, or any action taken or action omitted in reliance on it, is strictly prohibited and may be unlawful. If you have received this communication in error, please notify us immediately by replying to this message and destroy the material in its entirety, whether in electronic or hard copy format. Thank you. -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: Question on LDAPSRV running on z/OS
We are doing the same. There was no LDAP server changes we needed to do to make this happen. My first guess would be your web front-end is uppercasing it before sending it to LDAP. -Original Message- From: IBM Mainframe Discussion List On Behalf Of Pommier, Rex Sent: Tuesday, September 17, 2019 1:44 PM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Question on LDAPSRV running on z/OS Cross-posted from RACF list because I'm getting desperate. Hello list, I hope this is the right place for this. We're using LDAPSRV running on z/OS 2.2 to take login requests from a browser front-end and authenticate them against RACF. We just implemented mixed case passwords last night and it appears that LDAP is converting the passwords it gets to upper case before sending them on to RACF for validation, so logons are failing for people who have changed their passwords with the mixed case support. Is there a parameter in the LDAP config files to pass passwords through LDAP as-is instead of upper-casing them or am I looking in the wrong place. LDAP is a black box to me. AFAIK, logons are still working just fine for those who haven't changed passwords, only those who have. TIA, Rex The information contained in this message is confidential, protected from disclosure and may be legally privileged. If the reader of this message is not the intended recipient or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any disclosure, distribution, copying, or any action taken or action omitted in reliance on it, is strictly prohibited and may be unlawful. If you have received this communication in error, please notify us immediately by replying to this message and destroy the material in its entirety, whether in electronic or hard copy format. Thank you. -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: Question on LDAPSRV running on z/OS
This is a right place; RACF-L is more focused but smaller. Did you activate support for mixed-case passwords? -- Shmuel (Seymour J.) Metz http://mason.gmu.edu/~smetz3 From: IBM Mainframe Discussion List on behalf of Pommier, Rex Sent: Tuesday, September 17, 2019 4:44 PM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Question on LDAPSRV running on z/OS Cross-posted from RACF list because I'm getting desperate. Hello list, I hope this is the right place for this. We're using LDAPSRV running on z/OS 2.2 to take login requests from a browser front-end and authenticate them against RACF. We just implemented mixed case passwords last night and it appears that LDAP is converting the passwords it gets to upper case before sending them on to RACF for validation, so logons are failing for people who have changed their passwords with the mixed case support. Is there a parameter in the LDAP config files to pass passwords through LDAP as-is instead of upper-casing them or am I looking in the wrong place. LDAP is a black box to me. AFAIK, logons are still working just fine for those who haven't changed passwords, only those who have. TIA, Rex The information contained in this message is confidential, protected from disclosure and may be legally privileged. If the reader of this message is not the intended recipient or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any disclosure, distribution, copying, or any action taken or action omitted in reliance on it, is strictly prohibited and may be unlawful. If you have received this communication in error, please notify us immediately by replying to this message and destroy the material in its entirety, whether in electronic or hard copy format. Thank you. -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Question on LDAPSRV running on z/OS
Cross-posted from RACF list because I'm getting desperate. Hello list, I hope this is the right place for this. We're using LDAPSRV running on z/OS 2.2 to take login requests from a browser front-end and authenticate them against RACF. We just implemented mixed case passwords last night and it appears that LDAP is converting the passwords it gets to upper case before sending them on to RACF for validation, so logons are failing for people who have changed their passwords with the mixed case support. Is there a parameter in the LDAP config files to pass passwords through LDAP as-is instead of upper-casing them or am I looking in the wrong place. LDAP is a black box to me. AFAIK, logons are still working just fine for those who haven't changed passwords, only those who have. TIA, Rex The information contained in this message is confidential, protected from disclosure and may be legally privileged. If the reader of this message is not the intended recipient or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any disclosure, distribution, copying, or any action taken or action omitted in reliance on it, is strictly prohibited and may be unlawful. If you have received this communication in error, please notify us immediately by replying to this message and destroy the material in its entirety, whether in electronic or hard copy format. Thank you. -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
