Updating native passwords and password phrases

To update a native password or password phrase, the LDAP server invokes the RACROUTE REQUEST=VERIFY,ENVIR=CREATE macro using the mapped user ID and the old and new passwords or password phrases supplied in the modify delete/add request. The return codes from the RACROUTE REQUEST=VERIFY,ENVIR=CREATE macro are mapped to the following LDAP return and reason codes, which are returned to the client:
Table 1. LDAP return and reason codes returned to the client when updating the password or password phrase

LDAP return code          Reason code  Text
LDAP_INVALID_CREDENTIALS  R004111      The password is not correct
LDAP_INVALID_CREDENTIALS  R004112      A bind argument is not valid
LDAP_INVALID_CREDENTIALS  R004109      The password has expired
LDAP_INVALID_CREDENTIALS  R004128      Native authentication password change failed: The new password is not valid, or does not meet requirements
LDAP_INVALID_CREDENTIALS  R004110      The user ID has been revoked
LDAP_OPERATIONS_ERROR     R004118      Unexpected racroute error safRC=safRC racfRC=racfRC racfReason=racfReason
Note: The same reason codes are issued when updating a password or a password phrase.

Updating native passwords or password phrases during bind

Note: This section applies only to changing native passwords during bind. This method cannot be used to change the userPassword value during a bind to a TDBM, LDBM, or CDBM entry that does not use native authentication.
It is also possible to change the RACF® password or password phrase of a TDBM, LDBM, or CDBM entry participating in native authentication during an LDAP simple bind. This may be necessary if the ldapmodify command above fails with LDAP return code LDAP_INVALID_CREDENTIALS and LDAP reason code:
R004109 The password has expired
The simple bind occurs as part of an LDAP function such as search, compare, add, or modify. The password or password phrase change is provided in the password portion of the LDAP simple bind. The change must be in the following format:
currentvalue/newvalue
The current value and the new value must both be passwords or both be password phrases. An error is returned if one of the values is a password and the other is a password phrase.
The forward slash (/) indicates a password or password phrase change during the LDAP simple bind. Password or password phrase changes made using the LDAP simple bind to a TDBM, LDBM, or CDBM entry participating in native authentication are subject to the system password or password phrase rules. If the new password or password phrase does not pass the rules established on the system, the change fails with LDAP return code LDAP_INVALID_CREDENTIALS and LDAP reason code:
R004128 Native authentication password change failed: The new password is not valid, or does not meet requirements
Note: A forward slash (/) is a legal character in a password phrase (but not in a password). During native authentication bind, a backward slash (\) is an escape character to indicate the next character is part of the password or password phrase and has no special meaning. The backward slash is removed during bind processing. Therefore, during bind, a forward slash in a password phrase must be preceded by a backward slash (\) to indicate that the forward slash is part of the password phrase and is not the password phrase change indicator. For example, the password phrase this1slash/ispartofthevalue2use must be specified as this1slash\/ispartofthevalue2use during bind. A backward slash is a legal character in a password phrase (but not in a password). Therefore, a backward slash in a password phrase must be preceded by another backward slash to indicate that it is not an escape character.
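The following Python is an added example, not IBM's code: it builds the currentvalue/newvalue bind password using the escaping rules in the note above and parses it back the way the server is described to (backslash escapes the next character, an unescaped slash separates the current and new values). Treating a second unescaped slash or a trailing lone backslash as malformed is an assumption; the text does not say how the server handles those inputs.

```python
# Added example: escape/unescape logic for native-authentication password
# changes during an LDAP simple bind (currentvalue/newvalue with '\' escapes).

def escape_bind_value(value: str) -> str:
    """Escape one password or password phrase for use inside the bind password.

    Backslash is the escape character, so a literal backslash must be doubled
    (done first, so the slashes escaped next are not re-escaped) and a literal
    forward slash becomes '\\/' so it is not read as the change indicator.
    """
    return value.replace("\\", "\\\\").replace("/", "\\/")


def build_change_request(current: str, new: str) -> str:
    """Return the bind password that requests a change from current to new."""
    return f"{escape_bind_value(current)}/{escape_bind_value(new)}"


def parse_bind_password(bind_password: str):
    """Interpret a bind password as the server does.

    Returns (current, new); new is None when no change indicator is present.
    A second unescaped '/' or a trailing lone '\\' is rejected (assumption).
    """
    parts = [[]]
    i = 0
    while i < len(bind_password):
        ch = bind_password[i]
        if ch == "\\":
            if i + 1 >= len(bind_password):
                raise ValueError("trailing backslash with nothing to escape")
            parts[-1].append(bind_password[i + 1])  # escaped char is literal
            i += 2
            continue
        if ch == "/":
            if len(parts) == 2:
                raise ValueError("more than one unescaped '/' in bind password")
            parts.append([])  # switch from current value to new value
        else:
            parts[-1].append(ch)
        i += 1
    current = "".join(parts[0])
    new = "".join(parts[1]) if len(parts) == 2 else None
    return current, new
```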

Once the bind succeeds, the password or password phrase is changed even if the LDAP function eventually fails. The nativeUpdateAllowed server configuration option setting does not control whether password or password phrase modifications can occur on an LDAP bind operation. The setting of nativeUpdateAllowed only controls password or password phrase modifications on an LDAP modify operation.

Assuming an LDBM or TDBM entry cn=USER1,ou=END,o=IBM,c=US is participating in native authentication and is mapped to user ID USER1, the following command changes the RACF password for user USER1 from abc to def:
ldapsearch -h ldaphost -p ldapport -D "cn=USER1,ou=END,o=IBM,c=US" -w abc/def -b \
"ou=END,o=IBM,c=US" "objectclass=*"