It sounds like you are using the old zos LDAP server which IBM discontinued circa zos 1.11 for good reason ... replaced by the Tivoli LDAP server which uses SDBM to access RACF. Probably to fix this key integrity vulnerability that you have highlighted. It is a very high risk for your zos to be hacked running this way, you undoubtedly realize what SPECIAL can do. You need to switch to a supported and working LDAP server on zos, there are no free ones for RACF but ACF2 and TSS come with an LDAP server included. Maybe IBM will cut you a deal for the Tivoli Directory Server that you need.
On Sat, Jul 10, 2021 at 3:10 AM Pommier, Rex <[email protected]> wrote: > Hi list, > > I don't know if this belongs in the TCP/IP list, RACF list or here so I'm > starting here. Here's the situation as best I understand it. First off, > LDAP is a black hole as far as I'm concerned. It was set up here long > before my time. We're using it to communicate and authenticate to RACF for > users coming in from a browser into our CICS regions. The LDAP server runs > under a user ID of LDAPSRV. Users coming in from the browser are given a > logon screen where they enter their own ID and password which LDAP > validates against RACF. LDAP provides the appropriate ICH408I message if > they fat-finger a password etc. That part is all OK. The RACF group that > LDAPSRV is a member of is LDAPGRP and some of the attributes assigned to > LDAPSRV are actually given through the group. > > The LDAP server is defined within RACF in the APPL class and anybody that > tries to log on through LDAP need to have READ access to this APPL. > > > Here's where I'm getting confused. There is another ID on the system, > we'll call LDAPU, that has no special privileges except this ID is RACF > SPECIAL. The group this ID belongs to (LDAP) also has no special > privileges. The ID is not UID0 and the only connection LDAPU has is to the > LDAP group, the only permission it has is to the LDAPSRV APPL. The LDAP > group actually has no permissions given to it. The only thing strange is > that the ID has SPECIAL. Since the ID isn't anything special (or so I > thought) I removed SPECIAL from it. As soon as I removed SPECIAL, anybody > coming in through the browser started getting invalid userid or password > errors on their browser logon page. They were getting NO RACF ICH408I > messages being logged either in the SYSLOG or in the LDAPSRV address > space. As soon as I gave SPECIAL back to LDAPU everything started working > again. I can find nowhere within the LDAP config file that defines LDAPU > as any kind of special ID that has magical powers over people trying to log > in thru the LDAP. If anybody has any idea where I could go look for what > LDAP is using this ID for or where it is defined to use this ID for > something, I'd appreciate it. I really don't like the idea of having a > RACF SPECIAL user floating around that nobody knows why it has SPECIAL. > > Apologies if this sounds as confusing to you reading it as it does to me > writing it. > > Thanks, > Rex > > The information contained in this message is confidential, protected from > disclosure and may be legally privileged. If the reader of this message is > not the intended recipient or an employee or agent responsible for > delivering this message to the intended recipient, you are hereby notified > that any disclosure, distribution, copying, or any action taken or action > omitted in reliance on it, is strictly prohibited and may be unlawful. If > you have received this communication in error, please notify us immediately > by replying to this message and destroy the material in its entirety, > whether in electronic or hard copy format. Thank you. > > > ---------------------------------------------------------------------- > For IBM-MAIN subscribe / signoff / archive access instructions, > send email to [email protected] with the message: INFO IBM-MAIN > ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN
