As mentioned above, two LDAP operations are affected: bind, and password or
password phrase modify. A set of criteria determines whether an entry
actually participates in native authentication, and those criteria change
with the configuration options that have been selected. The following table
lists every operating mode for native authentication binding. The
security-relevant point is the fallback: an entry under a native
authentication subtree that is not configured correctly does not fail; it is
silently authenticated with an LDAP simple bind against the userPassword
stored in the directory instead of against RACF.
Table 1. Operating modes for native authentication binding ("(not set)" means the attribute is absent from the entry)

Operation | useNativeAuth | nativeUpdateAllowed | ibm-nativeId | uid | Behavior
Bind | selected | any value | User1 | (not set) | Entry is configured correctly and native authentication is attempted.
Bind | selected | any value | (not set) | User1 | Entry is not correctly configured for native authentication, so an LDAP simple bind is attempted. The uid attribute is not used when useNativeAuth is selected.
Bind | selected | any value | (not set) | (not set) | Entry has not been configured for native authentication, so an LDAP simple bind is attempted.
Bind | all | any value | User1 | User2 | The ibm-nativeId attribute is used to attempt native authentication; uid is ignored.
Bind | all | any value | (not set) | User1 | Entry is configured correctly and native authentication is attempted using uid as the RACF user ID.
Bind | all | any value | (not set) | (not set) | For ease of implementation, an LDAP simple bind is attempted, even though you have specified that all entries should use native authentication. Such an entry should be corrected so that it carries an ibm-nativeId (or uid) value.

Note: This table assumes that the entry is located within a native authentication subtree. nativeUpdateAllowed has no effect on bind; it governs only the password or password phrase modify operation.
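The fallback rows in Table 1 are the ones an administrator needs to find before go-live, because they are exactly the entries whose passwords never touch RACF. The following script is an added example, not IBM's code: it applies the Table 1 rules to an LDIF dump and reports, for a given useNativeAuth setting, which entries under a native authentication subtree will bind through RACF (and with which RACF user ID) and which will silently fall back to a simple bind. The subtree DN, the useNativeAuth value and the LDIF entries are constructed for the example; the entry outside the subtree (dave) is included to show that ibm-nativeId alone is not enough.

```python
"""Pre-deployment audit of native-authentication bind behaviour.

Added example, not IBM's code. Applies the Table 1 rules to an LDIF dump and
reports which entries under a native authentication subtree will bind through
RACF (and with which RACF user ID) and which fall back to an LDAP simple bind.
The subtree DN, the useNativeAuth value and the LDIF below are constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed configuration (assumed values, not taken from a real server).
NATIVE_AUTH_SUBTREE = "ou=people,o=example"
USE_NATIVE_AUTH = "selected"        # the other valid value is "all"

# Constructed LDIF: alice is set up for native auth, bob relies on uid only,
# carol has neither attribute, dave is outside the native auth subtree.
SAMPLE_LDIF = """\
dn: cn=alice,ou=people,o=example
ibm-nativeId: ALICE

dn: cn=bob,ou=people,o=example
uid: BOB

dn: cn=carol,ou=people,o=example
cn: carol

dn: cn=dave,ou=admins,o=example
ibm-nativeId: DAVE
"""


@dataclass
class BindDecision:
    dn: str
    native: bool                # True: RACROUTE REQUEST=VERIFY with mapped_id
    mapped_id: Optional[str]    # RACF user ID the server will verify
    reason: str


def parse_ldif(text: str) -> List[Tuple[str, Dict[str, List[str]]]]:
    """Minimal LDIF reader: blank-line separated entries, 'attr: value' lines.
    Attribute names are lower-cased because LDAP attribute names are
    case-insensitive."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        dn, attrs = None, {}
        for line in block.splitlines():
            if not line.strip() or line.startswith("#"):
                continue
            name, _, value = line.partition(":")
            name, value = name.strip().lower(), value.strip()
            if name == "dn":
                dn = value
            else:
                attrs.setdefault(name, []).append(value)
        if dn:
            entries.append((dn, attrs))
    return entries


def _norm(dn: str) -> str:
    return re.sub(r"\s*,\s*", ",", dn.strip().lower())


def in_subtree(dn: str, subtree: str) -> bool:
    d, s = _norm(dn), _norm(subtree)
    return d == s or d.endswith("," + s)


def decide_bind(dn: str, attrs: Dict[str, List[str]],
                use_native_auth: str = USE_NATIVE_AUTH,
                subtree: str = NATIVE_AUTH_SUBTREE) -> BindDecision:
    """Table 1 rules. nativeUpdateAllowed is irrelevant to bind ('any value')."""
    if not in_subtree(dn, subtree):
        return BindDecision(dn, False, None, "outside native authentication subtree")
    native_id = attrs.get("ibm-nativeid", [None])[0]
    uid = attrs.get("uid", [None])[0]
    if native_id:                           # rows 1 and 4: ibm-nativeId always wins
        return BindDecision(dn, True, native_id, "ibm-nativeId present")
    if uid and use_native_auth == "all":    # row 5: uid is the RACF user ID
        return BindDecision(dn, True, uid, "useNativeAuth all, uid used as RACF user ID")
    if uid:                                 # row 2: uid ignored when 'selected'
        return BindDecision(dn, False, None,
                            "uid is not used when useNativeAuth is selected; simple bind")
    return BindDecision(dn, False, None, "no ibm-nativeId or uid; simple bind")  # rows 3, 6


def audit(ldif_text: str, use_native_auth: str = USE_NATIVE_AUTH,
          subtree: str = NATIVE_AUTH_SUBTREE) -> List[BindDecision]:
    """Entries inside the subtree that will NOT use native authentication."""
    findings = []
    for dn, attrs in parse_ldif(ldif_text):
        if not in_subtree(dn, subtree):
            continue
        decision = decide_bind(dn, attrs, use_native_auth, subtree)
        if not decision.native:
            findings.append(decision)
    return findings


if __name__ == "__main__":
    for mode in ("selected", "all"):
        print(f"useNativeAuth {mode}:")
        for f in audit(SAMPLE_LDIF, mode):
            print(f"  {f.dn}: simple bind ({f.reason})")
```

Run against a real export (for example the output of ldapsearch over the subtree), the findings list is the set of accounts that must be fixed before useNativeAuth is relied on; note that switching from selected to all clears the uid-only entries (bob) but not entries with neither attribute (carol).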
In native authentication binding, the LDAP server invokes the
RACROUTE REQUEST=VERIFY,ENVIR=CREATE macro using the mapped user ID
(ibm-nativeId, or uid when useNativeAuth is all) and the password or
password phrase supplied in the bind request. The return codes from
RACROUTE REQUEST=VERIFY,ENVIR=CREATE are mapped to the following LDAP
return codes and reason codes, which are returned to the client:
Table 2. LDAP return and reason codes returned to the client when binding with native authentication

LDAP return code | Reason code | Text
LDAP_INVALID_CREDENTIALS | R004111 | The password is not correct
LDAP_INVALID_CREDENTIALS | R004112 | A bind argument is not valid
LDAP_INVALID_CREDENTIALS | R004109 | The password has expired
LDAP_INVALID_CREDENTIALS | R004128 | Native authentication password change failed: The new password is not valid, or does not meet requirements
LDAP_INVALID_CREDENTIALS | R004110 | The user ID has been revoked
LDAP_OPERATIONS_ERROR | R000208 | Unexpected racroute error safRC=safRC racfRC=racfRC racfReason=racfReason

Note: The same reason codes are issued when binding with a password or a password phrase.
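Because five of the six outcomes share the single LDAP return code LDAP_INVALID_CREDENTIALS, a client that looks only at the return code cannot tell a wrong password from an expired one or a revoked user ID, and will treat all three the same way (typically by retrying). The reason code in the diagnostic text is what carries the distinction. The following is an added example, not IBM's code: it extracts the Table 2 reason code from the server's diagnostic message and maps it to a client action, including pulling the safRC/racfRC/racfReason values out of an R000208 message for escalation. The message strings are constructed from the Text column of Table 2, the exact layout of a real server's diagnostic message is an assumption, and the action policy in ACTIONS is the author's suggestion rather than IBM guidance.

```python
"""Classify a failed native-authentication bind by its Table 2 reason code.

Added example, not IBM's code. The diagnostic message layout ("Rnnnnnn text")
is assumed, and the client actions in ACTIONS are a suggested policy.
"""
import re
from typing import Dict, NamedTuple, Optional


class BindFailure(NamedTuple):
    reason: Optional[str]       # e.g. "R004109"; None if no known code found
    result: str                 # LDAP return code name from Table 2
    action: str                 # suggested client handling
    racf: Optional[Dict[str, str]]  # safRC/racfRC/racfReason for R000208


# Reason code -> (LDAP return code, suggested action). The policy is an
# assumption: expired means the credentials were right, so route the user to
# the password modify operation; revoked means further retries only generate
# noise (and cannot succeed), so stop; R000208 is a server-side fault.
ACTIONS = {
    "R004111": ("LDAP_INVALID_CREDENTIALS", "reject"),
    "R004112": ("LDAP_INVALID_CREDENTIALS", "fix-client-request"),
    "R004109": ("LDAP_INVALID_CREDENTIALS", "offer-password-modify"),
    "R004128": ("LDAP_INVALID_CREDENTIALS", "reprompt-new-password"),
    "R004110": ("LDAP_INVALID_CREDENTIALS", "stop-user-revoked"),
    "R000208": ("LDAP_OPERATIONS_ERROR", "escalate-racroute-error"),
}

_REASON = re.compile(r"\b(R\d{6})\b")
_RACROUTE = re.compile(r"safRC=(\w+)\s+racfRC=(\w+)\s+racfReason=(\w+)")


def classify(diagnostic: str) -> BindFailure:
    """Map a bind diagnostic message to a BindFailure.

    Unknown or missing reason codes are treated as a plain credential
    failure, which is the conservative choice for a login path."""
    m = _REASON.search(diagnostic)
    if not m or m.group(1) not in ACTIONS:
        return BindFailure(None, "LDAP_INVALID_CREDENTIALS", "reject", None)
    code = m.group(1)
    result, action = ACTIONS[code]
    racf = None
    if code == "R000208":
        r = _RACROUTE.search(diagnostic)
        if r:
            racf = dict(zip(("safRC", "racfRC", "racfReason"), r.groups()))
    return BindFailure(code, result, action, racf)


# Constructed diagnostics, built from the Text column of Table 2.
SAMPLE_DIAGNOSTICS = [
    "R004111 The password is not correct",
    "R004109 The password has expired",
    "R004110 The user ID has been revoked",
    "R000208 Unexpected racroute error safRC=8 racfRC=8 racfReason=4",
]

if __name__ == "__main__":
    for msg in SAMPLE_DIAGNOSTICS:
        print(classify(msg))
```

The lock-out angle matters: a client that retries on R004110 or R004109 cannot succeed, and each retry still counts as a failed RACROUTE VERIFY against the user ID, so distinguishing those cases is as much about not worsening an account's state as about user experience.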