Micro Focus Enterprise Server Security and Microsoft Active Directory:
Initial Setup
Preliminary Documentation
Copyright © 2006-2008 Micro Focus (IP) Limited. All rights reserved.
Contents
- Introduction
- Overview
- Using ADAM
  - The ADAM Software
  - Creating the ADAM Application Partition
- ES LDAP Setup
  - Prerequisites
  - Running the Setup Script
  - Configuring ES
- Additional Information
  - Browsing the ADAM Repository
  - Adding Repository Objects using ADSIEdit
  - Adding Existing MTO Users to the LDAP Repository
  - Setting User Passwords with esfadmin
  - Enabling MFDS Administration for LDAP and User Password Changes
Introduction
Starting with WebSync 2 for Micro Focus Enterprise Server 5.0, ES with
Mainframe Transaction Option (ES/MTO) includes a security feature called
the External Security Facility
or ESF. ESF lets ES authorize
users and control access to
resources by querying one or more external
security managers (ESMs), which are facilities outside ES that
can verify
users and/or supply rules for resource access control. ES communicates
with ESMs using ESM Modules,
plug-ins that are loaded by ESF based on the security
configuration created by the ES administrator.
ESF lets you secure ES using OS or third-party security
mechanisms. You can have ES verify MTO users via the operating
system, so MTO user accounts are managed by the OS, for example.
You also now have more flexible control over the access that MTO users
have to various resources (programs, datasets, etc.).
One popular option is to put user definitions and resource control
rules into an LDAP directory, such as Microsoft's Active Directory
Application Mode (ADAM), which is a
simplified version of Active Directory suitable for running on
workstations and maintaining
application data. This documentation describes the initial setup
of ADAM for use with ES.
Using Active Directory with ESF
If you have the full Active Directory running on your network (on
Windows domain controllers), and you want to use it for storing your
Enterprise Server security information, you should refer to two other
documents included with Micro Focus Net Express 5.0 WebSync 3, LDAP-Setup-Instructions.rtf
and LDAP-ES-Admin-Setup.rtf. The instructions here can be used
with Active Directory, but because Active Directory is used to maintain
enterprise configuration data, it's more complex than ADAM, so we
supply additional documentation.
Even if you intend to use Active Directory, you may want to experiment
with ADAM first to gain familiarity with how ES uses LDAP.
Using Other LDAP Servers
We do not currently provide instructions for configuring other LDAP
servers for use with ES, but the information here and in the two
documents listed above is mostly relevant to other LDAP servers as well.
Overview
External security can be enabled for
ES servers and for the Directory Server (MFDS) through the security
configuration panels in the MFDS administration GUI. ESM modules are
defined in the ES directory, much like servers, listeners, and other
objects. Then one or more modules can be specified in a security
configuration. There is a security configuration for MFDS itself, a
"default server" configuration that applies to all ES servers that do
not have their own security configuration, and an optional
configuration for each individual server. This lets you use different
security configurations for different servers (e.g. for test and
production systems), and a different configuration for MFDS.
Here we will only configure one ESM module, the MLDAP ESM module which is used with
LDAP servers. You may want to configure it only
for ES servers, or even for only one server, until you become familiar
with how it operates.
When external security is enabled for an ES component, that component
will load and initialize the ESF Manager at startup. (MFDS loads ESF
Manager shortly after it starts. ES servers load ESF Manager in each
SEP as the SEP initializes.) ESF Manager will load and initialize each
defined (and enabled) ESM Module. In the case of the MLDAP ESM Module,
the module will connect to the LDAP server (here ADAM).
At appropriate points in processing, the ES component will call the ESF
Manager to verify a user signon or authorize user access to a resource.
ESF Manager will relay these requests to the MLDAP ESM Module, which
will perform the appropriate searches of the LDAP repository and
process the returned information in order to make its decision.
In the default (and simplest) configuration, the MLDAP ESM Module uses
LDAP object types defined by Micro Focus (an LDAP schema), which specify users and
resource definitions. So configuring the LDAP repository for ES
security
requires importing the Micro Focus schema and creating user and
resource objects.
LDAP user objects include such information as the user name, a password
verifier (which can be a plain-text password or a password hash), and
user data such as default group, idle timeout, and expiration
date. Resource objects name the resource or resources they apply
to and include an access control list
(ACL) which details who is allowed what kind of access to the object.
Resource objects can use wildcards in their names, as can ACL entries,
which makes it possible to easily create generic rules. ACL entries can
also apply to individual users or to user groups, for role-based access
control.
The rest of this document covers configuration of the LDAP
server. For more information on the MLDAP ESM Module, access
control rules, and external security in general, see your product
documentation.
Using ADAM
The Enterprise Server product line includes ADAM and
automatically installs it. ADAM is a
Windows component, and is always installed into the ADAM
directory under the system root (usually C:\Windows).
If you are using AD, and not using ADAM, you
can skip the final step in this section, "Creating the ADAM Application
Partition".
Some people may want to initially configure ES to use ADAM while they
get acquainted with the LDAP support in ESF, even if they eventually
intend to use AD, as ADAM is simpler to administer and use.
The ADAM Software
ADAM should have been installed automatically when you installed or updated
Enterprise Server (or Net Express).
If for some reason ADAM is not installed on your system,
the ADAM installer can be downloaded
from Microsoft free of charge. That Microsoft page also
contains additional information on installing and configuring ADAM, but
the instructions here should be sufficient.
Note:
There is a known issue with ADAM on some versions of Windows which may
cause problems if the following Registry key is set to any value other
than 0:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\forceguest
You can ensure that this key has the value 0 by running the
following
command:
reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v forceguest /t REG_DWORD /d 0 /f
or by editing the Registry using a tool such as Regedit.
After downloading the installer, simply run it (as an administrative
user) to install ADAM.
Creating the ADAM Application Partition
You can skip this step if you plan to use Active Directory rather than
ADAM.
Select "Start" > "Programs..." > "ADAM" > "Create an ADAM Instance...".
(You can also open an "ADAM Tools Command Prompt" window, or open a regular
command prompt window, cd to %systemroot%\ADAM, and run adaminstall.exe.)
Each "ADAM Instance" is an LDAP server running on your machine. We'll create
an instance specifically for ES use, though if you already had an ADAM
instance (or Active Directory) running locally you could use that.
Note:
ADAM Instances appear in the Add/Remove Programs control panel after they
have been created, as "ADAM Instance Name". To remove an ADAM Instance,
select the instance in Add/Remove Programs, click "Remove", and follow the
prompts. You'll have to click through a few warnings about deleting the
configuration set; this is normal and safe.
In the Wizard screens specify the following:
- The option "A unique instance"
- The instance name "MFES"
- LDAP port 389
- The option to "Create an application directory partition", with the name
  "CN=Micro Focus,CN=Program Data,DC=local"
- Accept the default file store location (or specify a custom one; this
  should make no difference)
- Run the service using the default network service account (you will get a
  warning; accept it)
- For ADAM administration, use your current logged on account (note that you
  can create an additional ADAM administrative account in a later step, in
  case you do not normally use an Administrative account)
- The option "Import the selected LDIF files", and add "MS-User.LDF" to the
  list of files to be imported
As the instance is created you may be prompted by your firewall; configure
it appropriately to allow your ADAM instance to accept connections at least
from localhost on port 389.
ES LDAP Setup
After installing ES and ADAM, and creating your ADAM application
partition (unless you are using AD), you will need to define the LDAP
object classes and containers (the schema)
that will hold ES data. That data includes:
- The users who are authorized to sign on to MTO and/or MFDS.
- User attributes such as display name, timeout, and account
expiration. One important attribute is the password verifier, which is used to
check the user's password at sign-on. The verifier is a salted
cryptographic hash of the password, and cannot be "decrypted" to
recover the password.
- User groups. Permissions can be assigned to groups rather than
individual users, for administrative convenience and to provide
role-based security.
- Resource access definitions. ES groups resources into classes,
and within each class you can specify access rules for individual
resources, or for multiple resources using wildcards. Resource access
rules themselves are Access Control
Lists that set the access level for a single user, a user group,
or any users or groups that match a string with wildcard characters.
- LDAP users. ES itself needs to sign on to the LDAP server (ADAM
or AD) with at least read access to the repository, so the setup
process creates a user account in the LDAP server named "MFReader" with
read-only access. Also, the setup process needs administrative access
to the repository, so it creates an administrative account (for ADAM
only; for AD, you have to specify an existing administrative account).
After the LDAP schema is created, it needs to be populated with the ES
users, groups, and resources from the default configuration, plus any
additional MTO users and MFDS users and groups you may have created.
Micro Focus supplies a command script, es-ldap-setup.cmd,
which will perform these steps for you.
Prerequisites
You need to have Micro Focus Net Express 5.0 or Server 5.0 installed, with
MTO, and WebSync 2 or later. (WebSync 3 is preferred.) ADAM should be
installed, even if you plan to use AD, so that the script can use the ADAM
utilities.
Running the Setup Script
Open a Command Prompt window, and change to the bin directory
of your Net Express or Server installation.
You can run es-ldap-setup with no parameters for the default
behavior. Without parameters it will prompt you for several pieces of
information, such as the LDAP server location. You can just press Enter
to accept the default values unless you need to specify something else.
The full syntax for es-ldap-setup is:
es-ldap-setup [options] username password partition server
- The /? option will display a syntax message and
information about what actions the script will perform.
- The /AD option tells the script that you are using AD
rather than ADAM, so it will not try to create an LDAP administrative
user account.
- The username is the
name of a new administrative user for ADAM, which can optionally be used
in the future to administer ES users, groups, and resources in MFDS.
(To administer ES definitions in AD, you have to supply MFDS with the
username and password of a user that already exists in AD and has
suitable permissions, so this step is skipped if you're using AD.)
It defaults to the current user's name.
You can disable or remove this user after the script runs, if you don't
want to administer ES LDAP definitions through MFDS.
If you specify a username, the script will also use that account when adding
existing CAS users to the directory, rather than using the account you're
logged into on the local system.
You can also
specify "-" for this parameter to have it use your login account
(the default action).
- Password is the new LDAP
administrator's initial password; it defaults to "password". You can
change this password after the script runs using the ADAM ADSIedit tool.
You can also specify "-" to have the script
prompt you for a password (the default action).
- The partition parameter specifies the
LDAP distinguished name (DN)
of the application partition where the ES LDAP objects should be
created. The default is "CN=Micro Focus,CN=Program Data,DC=local",
which is generally
suitable for use with ADAM, but AD users will probably need to specify
the DN of a container within their corporate LDAP hierarchy. See your
LDAP administrator for more information.
- The server parameter is
the hostname and port of the LDAP server. It defaults to
"localhost:389", which is the standard address for an LDAP server
running on the local machine.
Most users will run es-ldap-setup with no parameters, but in
some cases you may need to specify some or all of them:
- If you're running es-ldap-setup
under your normal login ID, and using your local ADAM installation as
your LDAP server, and your ID has permission to make changes to the
ADAM repository, just run the script with no parameters.
- If you're using ES with AD, specify
the /AD option and all four parameters. Provide the username
of a user with administrative access to AD, and that user's password.
(You can also use "-" for the username and password to use the account you're
currently logged in with, or specify a username and use "-" for the password
to have it prompt you for the password.) Also provide
the DN of the part of the LDAP repository that will hold ES data, and
the hostname and port of the AD server.
- With ADAM, if you're running es-ldap-setup under an
administrative account that isn't your normal login ID,
it's usually best to specify your normal login ID as the username.
That way, if you
want to run the cas-to-ad
utility in the future, you can run it
under your normal login ID rather than having to specify a different
user.
- If you want a password other than the
default "password" for the administrative account, specify both the username
and password parameters. (ADAM only)
- If you're using ADAM and are logged into Windows as a domain user,
and that user has a local account with the same name but a different password,
you may get errors trying to make changes to ADAM. In that case, specify
the full domain\username and password on the command line.
- If you need to specify one parameter, you also have to provide values for
the parameters before it. For example, if you need to specify a different
LDAP server, you'll have to provide username, password, and partition as
well. Note you can use "-" for the username and password parameters, which
makes them use their default behavior.
These are the actions es-ldap-setup performs:
- Prompts for values for username, etc, if they are not specified
on the command line. Press Enter to accept the default, or supply a
different value.
- If ADAM is not configured to allow password operations
over unsecured connections, the script will configure it to allow them.
This is required by some of the following actions. If the script
changes this option on the server, it will reset it to its old value
before exiting.
- Adds the ES user, group, and resource LDAP class definitions to
the schema. These specify what attributes each of these types of object
has.
- Adds the container objects for ES to the repository.
- Creates MFReader, the default LDAP user account for ES.
- Creates the administrative LDAP user for adding MTO users. (This
step is skipped if the /AD option is specified.)
- Imports MTO users that are defined in the default MTO resource
definition file into the LDAP repository. See Adding
MTO Users to the LDAP Repository for more information.
- Imports MFDS users and groups into the LDAP repository.
- Imports the default MTO resource access control definitions into
the LDAP repository.
Before each action, es-ldap-setup will pause and tell you
what it's
about to do. When it finishes, it will report how many actions
succeeded and how many failed, and give a list of the failing actions,
which you can provide to Micro Focus Support if you have questions.
Note:
Some users may encounter a known issue with the ADAM dsmgmt
utility when running the script. If you get an error message similar to
the following:
DsBindWithSpnExW error 0x6ba (The RPC server is
unavailable.)
then there is an issue with your network configuration which is
preventing the utility from connecting to your ADAM server. This is a
Windows issue, not a Micro Focus one. Possible fixes include:
- Remove IPv6 support from your network configuration.
- Specify the LDAP server address for the script using your
local hostname rather than localhost. (Remember to include
the port number, as in myhost:389.)
- Disable your local system's firewall while running the
script. With some application firewalls, such as Symantec Client
Security, disabling the firewall may not be sufficient, and you may
have to manually disable or delete rules that affect the ICMP protocol.
- Check that your hosts file (%systemroot%\system32\drivers\etc\hosts)
does not contain any invalid entries for localhost or your
local hostname.
Configuring ES
After you have successfully configured your LDAP server for ES, you can
configure ES to use LDAP for security. This is discussed in more detail
in the product documentation. Here is a short overview:
- To use an LDAP server for ES external security, you need to
create a Security Manager
object in MFDS. The security manager will use these options:
- Module will be mldap_esm.
- Connection Path should be the hostname and port of your LDAP
server, just as you supplied it on the es-ldap-setup command
line. You can leave it blank if you're using a local ADAM server.
- If you want ES to use an LDAP user account other than MFReader, supply an
Authorized ID and Password. The format of Authorized ID depends on your
LDAP server and some optional settings of the mldap_esm module, but usually
it will be either an LDAP DN (e.g.
CN=MFReader,CN=ADAM Users,CN=Micro Focus,CN=Program Data,DC=local) or a
Windows username with domain (e.g. mydomain\MFReader).
- If you are using an application partition other than the
default (CN=Micro Focus,CN=Program Data,DC=local), you will need to provide the
non-default DN
in the Configuration Information text area, in this manner:
[LDAP]
Base=CN=My Partition,DC=mydomain,DC=com
- Once the security manager has been created, you can enable it for
a specific ES server, for all ES servers that don't have a specific
security configuration, and/or for MFDS. It's best not to configure it
for MFDS until you have tried it with an ES server, though, or you may
find it difficult to sign on to MFDS in order to fix your configuration.
- To enable your security manager for a specific ES server, edit
that server in MFDS. Select Server in the top row of tabs, Properties
in the second row, and Security in the third. Uncheck the option "Use
default ES Security Manager configuration" and apply the change. An
"Add" button should appear in the Security Manager List area at the
bottom of the form. Click it and add your security manager.
- To enable your security manager for all ES servers that don't
have a specific security configuration, edit the default ES security
manager configuration in MFDS, and add your manager.
- To enable your security manager for MFDS, edit the MFDS
security configuration and add your manager. If your manager is already
set up as the default ES security manager, you can also select the
option to use the default ES configuration as the MFDS security
configuration.
Additional Information
This section describes some optional tasks that may be useful in
creating, viewing, and editing your ES LDAP security configuration.
Browsing the ADAM Repository
You can use the Microsoft ADAM ADSIEdit utility (ADAM-ADSIedit.msc)
to view the ES areas of your
LDAP repository.
Start ADAM ADSIEdit from the Start menu, then:
- Select Actions → Connect to..., which lets you create a view of a part of
the repository.
- Create a connection to the ES application partition:
  - Connection name "MF"
  - Server name "localhost" and port "389"
  - Option "Distinguished name (DN) or naming context"
  - "CN=Micro Focus,CN=Program Data,DC=local" as the DN
  - Option "The account of the currently logged-on user"
- Click OK.
Now the left-hand pane should contain a tree view item named "MF". If
you expand this item, and then the container within it, you will see
the ES containers such as "CN=Enterprise Server Users", the container
"CN=ADAM Users" which has the definition of the MFReader user, and
automatically-generated containers such as "CN=Roles".
You can open these containers and double-click on the objects within
them to view (or edit) their attributes.
Adding Repository Objects using ADSIEdit
You can also use ADSIEdit to create new objects in the repository, such
as new MTO users, using Action → New. Select the appropriate
object type, then complete the wizard, which will prompt for required
values and give you an opportunity to enter optional ones. (You can
change any of these later by editing the object.)
- To create an MTO user, go into the "CN=Enterprise Server Users"
container and create a new microfocus-MFDS-User object:
- Set the cn attribute to the username
- The dialog will prompt for some mandatory MTO attributes such
as microfocus-MFDS-User-MTO-Timeout. You can set the Timeout,
Priority, and OperatorClass attributes to 0
(or any other value which is valid under MTO).
- Set the microfocus-MFDS-User-AllowLogon attribute to TRUE.
- The microfocus-MFDS-UID attribute must be set, but
currently the format of this value does not matter. You can set it to
the username, for example.
- If you want to set an initial password, when you reach the
final page of the dialog (with the "Finish" button), click "More
Attributes", find the microfocus-MFDS-User-Pwd attribute, and
double-click it. Set its value to "literal:password".
Note that this
password will be stored in plaintext (and so will be visible by anyone
who has read access to the repository) until you change it.
- Other optional attributes you may want to set:
- displayName to the user's "display" name (often a
person's legal name, etc)
- description to any descriptive text you want to
associate with the user
- microfocus-MFDS-User-DefaultGroup to the user's
default MTO group (e.g. ALLUSR)
- microfocus-MFDS-User-MTO-GroupPrefix and microfocus-MFDS-User-MTO-OperatorID
if you use MTO group prefixes and/or operator IDs with your normal MTO
user definitions
- microfocus-MFDS-User-CreateToken and microfocus-MFDS-User-UseToken
if you use passtokens (typically, set both of these to self
for users who will be using MFDS and ESMAC)
- To create an MTO user group, go into the "CN=Enterprise Server
User Groups" container and create a new microfocus-MFDS-Group
object:
- Set the cn attribute to the group name. Note that
this name must be no longer than 8 characters.
- The microfocus-MFDS-UID attribute must be set, but
currently the format of this value does not matter. You can set it to
the group name, for example.
- To set the members of the group (you can change this later by
editing the group object), click "More Attributes" on the final page of
the dialog. Double-click the microfocus-MFDS-Group-Member
attribute to get a dialog that lets you add or remove members.
- To create an MTO resource class, go into the "CN=Enterprise
Server Resources" container and create a new container
object. Set its cn attribute to the name of the resource
class.
- To create an MTO resource access control object, expand the
"CN=Enterprise Server Resources" container in the tree view, then go
into the container for the class of the resource you want to create.
Create a new microfocus-MFDS-Resource object:
- Set the cn attribute to the resource name, or to a
string that contains wildcards to create a generic rule. Wildcards are
explained in the documentation for the MLDAP ESM Module in your product
documentation.
- The microfocus-MFDS-UID attribute must be set, but
currently the format of this value does not matter. Since resource
names can be long, it may be easiest just to put a dummy value here,
such as "1".
- You must set the microfocus-MFDS-Resource-Class
attribute, but this attribute is no longer used and is only in the
schema for compatibility with pre-release versions. You can set this to
the resource's class name or to any other value.
- If you want to set an initial ACL, click "More Attributes" on
the final page of the dialog. Double-click the microfocus-MFDS-Resource-ACE
attribute to get a dialog that lets you add or remove access-control
entries. See the MLDAP ESM Module documentation for more information.
You may want to create a new ADAM user for ES to use. If you want to
give ES permission to change objects in the repository – to let users change their passwords when they sign
on, or to enable LDAP administration through MFDS – then you
will want to configure the MLDAP Security Manager in MFDS with a
different Authorized ID and Password. (It's not safe to give the
default MFReader account write permission to the repository, because
that username and its password are available to anyone who reads the ES
LDAP setup materials.)
- To create an ADAM user, expand the "CN=ADAM Users" container,
then create a new user object:
- The cn is the only required attribute.
- After creating the user, you can give it the appropriate
permissions by editing the appropriate object in the "CN=Roles"
container and double-clicking on the member attribute, which
will give you a dialog where you can add users to that role. Adding
your new user to the Administrators role will give it administrative
access to the repository, for example.
- You can also give your new user more-specific permissions by
editing the ACLs for specific parts of the repository. See the ADAM
documentation for more information.
Adding MTO Users to the LDAP Repository
Many existing ES/MTO customers have created multiple MTO resource
definition (RDO) files, to configure various ES servers (or "regions").
These RDO files may contain users defined for MTO. The es-ldap-setup
script reads the default RDO file (files\sys\dfhdrdat under
the product installation directory) and adds any user definitions in it
to the LDAP repository. If you have other RDO files, though, you may
want to extract user definitions from them and import them into LDAP
for use with ES external security.
You can use the cas-to-ad.exe utility to migrate MTO user
definitions into LDAP. Run "cas-to-ad -h" to
get a syntax message.
Current options are:
Option | Purpose | Default
------ | ------- | -------
-u user | Set username for AD connection (name or DN) | Current logon name
-p password | Set password for AD connection | None; if not set, you will be prompted
-d DN | DN for AD application partition | CN=Micro Focus,CN=Program Data,DC=local
-c container | Container for added ES users | CN=Enterprise Server Users
-l host:port | Location of the AD server | localhost:389
-s host:port | Synonym for -l | localhost:389
-r path | Path to CAS RDO file | See below
-e encoding | Password encoding | md5 (the other option is "literal")
-U class | User object class | microfocus-MFDS-User (see LDAP-Setup-Instructions.rtf)
-v | Show version and exit | N/A
-h | Show syntax help and exit | N/A
Option values can be appended to the option character or specified as the
next argument on the command line.
The CAS RDO file (always named dfhdrdat) that cas-to-ad will process is
located as follows:
- If the -r option is used, cas-to-ad will use the specified path
- If not, cas-to-ad will see if the environment variable TXRDTP is defined,
  and if so will use that path
- If not, it will look for a dfhdrdat file in the current directory, and if
  one is present use it
- If not, it will look for the Net Express 5 (or Server 5) base directory
  Registry key, and use files\sys\dfhdrdat under that directory
The -e option controls how user passwords are stored in LDAP. The default is
-e md5, which stores a salted MD5 hash of the password. The value of the
microfocus-MFDS-User-Pwd attribute will have the form
"MF-MD5:base64-salt:base64-hash", where base64-salt and base64-hash are
character strings that contain base64-encoded data. This is an irreversible
transformation (the hash can be used to verify the password but not to
reconstruct it). The other encoding currently supported is -e literal, which
stores the password in plain text, in the form "literal:password". This form
is useful for debugging and when creating ES users using ADSIEdit.
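The two microfocus-MFDS-User-Pwd encodings described above (and the password verifier introduced in the ES LDAP Setup section), as an added Python example that is not Micro Focus code: it builds a verifier in either form, checks a candidate password against it, and lists users whose password is stored in the literal form so an administrator can find plaintext entries in the repository. It assumes the MF-MD5 hash is MD5 over the raw salt bytes followed by the UTF-8 password, with an 8-byte salt; the page does not state the exact construction, so verifiers built here are not guaranteed to match those written by cas-to-ad.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, List, Optional

MD5_PREFIX = "MF-MD5:"
LITERAL_PREFIX = "literal:"


def make_md5_verifier(password: str, salt: Optional[bytes] = None) -> str:
    """Return a verifier of the form MF-MD5:base64-salt:base64-hash.

    ASSUMPTION (not stated on the page): hash = MD5(salt || UTF-8 password),
    with an 8-byte random salt when none is supplied.
    """
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.md5(salt + password.encode("utf-8")).digest()
    return "%s%s:%s" % (
        MD5_PREFIX,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def make_literal_verifier(password: str) -> str:
    """Return the plaintext form literal:password (debugging / ADSIEdit only)."""
    return LITERAL_PREFIX + password


def verify_password(verifier: str, candidate: str) -> bool:
    """Check a candidate password against either verifier form.

    Unknown prefixes and malformed MF-MD5 values never verify, and all
    comparisons are constant-time.
    """
    if verifier.startswith(LITERAL_PREFIX):
        stored = verifier[len(LITERAL_PREFIX):].encode("utf-8")
        return hmac.compare_digest(stored, candidate.encode("utf-8"))
    if verifier.startswith(MD5_PREFIX):
        body = verifier[len(MD5_PREFIX):]
        if body.count(":") != 1:
            return False
        salt_b64, hash_b64 = body.split(":")
        try:
            salt = base64.b64decode(salt_b64, validate=True)
            expected = base64.b64decode(hash_b64, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            return False
        actual = hashlib.md5(salt + candidate.encode("utf-8")).digest()
        return hmac.compare_digest(actual, expected)
    return False


def find_plaintext_users(entries: Dict[str, str]) -> List[str]:
    """Given {cn: microfocus-MFDS-User-Pwd value}, list the users whose
    password is stored literally and is therefore readable by anyone with
    read access to the repository (for example via the MFReader account)."""
    return sorted(cn for cn, v in entries.items() if v.startswith(LITERAL_PREFIX))


if __name__ == "__main__":
    # Constructed sample repository contents, not real data.
    repo = {
        "OPER1": make_md5_verifier("example-pw-1"),
        "TESTUSR": make_literal_verifier("example-pw-2"),
    }
    print(repo["OPER1"])
    print("verifies:", verify_password(repo["OPER1"], "example-pw-1"))
    print("users with plaintext passwords:", find_plaintext_users(repo))
```

A salted MD5 verifier stops the stored value from being read back directly, but MD5 is fast enough that weak passwords can still be guessed offline by anyone who obtains the attribute, so read access to the user container should be limited regardless of the encoding.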
Setting User Passwords with esfadmin
If you edit a user's password (the microfocus-MFDS-User-Pwd
attribute) directly in the LDAP repository, using a tool such as
ADSIEdit, you can only set a literal password value. This is often not
satisfactory because the password can be seen by anyone who can read
the repository.
If you have enabled MFDS administration of the
LDAP repository, you can use MFDS to change a user's password: go
to the MFDS security options, view the list of Security Managers,
select the MLDAP manager, click the Properties button, edit the user,
and set a new password. See the MFDS documentation for more information.
Another alternative is to use the esfadmin.exe utility, which
is part of Net Express and Server and can be found in the product's bin
directory. esfadmin is a command-line utility that calls the
ESF Admin API to request administrative actions against ESMs. The
advantage of esfadmin is that you supply all its
configuration information on the command line, so you do not have to
configure your MLDAP security manager in MFDS with an LDAP
administrative user ID.
To set a password using the esfadmin command, you will need a
valid ES username and password (not necessarily the user whose password
you're setting), and an LDAP username and password for an account with
write access to the user's record in the repository. esfadmin
has to sign on to ESF before it can perform an admin request, which is
why you need an ES username / password.
You set a password using the setpassword option:
esfadmin [options] setpassword user=username password=new-password
esfadmin will prompt for the LDAP user ID and password. (The user ID is
usually specified as an LDAP DN, e.g.
CN=admin,CN=ADAM Users,CN=Micro Focus,CN=Program Data,DC=local; or as a
Windows username with domain, e.g. domain\admin.) You can also specify these
on the command line using the -U and -P options (note these must be
uppercase-U and uppercase-P).
By default esfadmin uses "SYSAD", one of the default accounts
created during setup, for the ES username and password it uses to sign
on to ESF. You can supply a different username and password with the -u
and -p (both lowercase) options.
Enabling MFDS Administration for LDAP and User Password Changes
By default, ES uses the MFReader account to connect to the
LDAP server. As its name suggests, MFReader does not have authority to
make changes to the repository, only to read from it.
You may want to configure your MLDAP Security Manager in MFDS with
different LDAP user credentials (Authorized ID and Password), to give
it update access to part or all of the repository. You can configure it
with credentials for an administrative user, or create a new LDAP user
(see Adding Repository Objects using ADSIEdit)
and then set ACLs in the LDAP repository (using ADSIEdit or other
Microsoft tools) to give that user write access to specific parts of
the repository.
For example, if you have created an ADAM user named "MFUpdate", you
could give it write access to user objects by setting an ACL with the dsacls.exe
ADAM utility:
dsacls "\\localhost\CN=Enterprise Server Users,CN=Micro Focus,CN=Program Data,DC=local"
/I:S /G "CN=MFUpdate,CN=ADAM Users,CN=Micro Focus,CN=Program Data,DC=local":WP
(Enter this command all on one line.)
Generally speaking, you do not want to give the MFReader LDAP
user write access to the repository, because its name and password are
well-known. Configure your security manager to use a different account
instead, and be careful to keep that account's password a secret. (If
non-privileged users have access to the system where MFDS is running,
it's a good idea to set ACLs on the MFDS configuration files so that
they can only be read by the account MFDS runs under, which is usually SERVICE.)
If an ES/MTO region is configured to use an MLDAP Security Manager that
has update access to user objects, then interactive MTO users will be
able to set their passwords when they sign on to the system (using the CESN
transaction, or another program that calls the EXEC CICS SIGNON
interface). This is particularly useful if you make use of the password
expiration date attribute (microfocus-MFDS-User-Pwd-ExpirationDate)
to force users to change passwords periodically, since it gives them a
way to do so. (Note that the MLDAP ESM Module does not currently
provide any way to automatically set the expiration date; that has to
be done using some other tool.)
If MFDS is configured to use an MLDAP Security Manager that has update
access to the various ES objects in the LDAP repository, then you can
use MFDS to administer those objects. From the Security page of the
MFDS administration GUI, go to the Security Managers tab, edit the
Security Manager you have defined for LDAP, and click its Properties
button. From there, you can view and edit users, groups, and resource
access controls.