Roger Long and Bob Hansel nailed it. The userID is performing RACF LG commands and when I removed SPECIAL these commands started failing on the middleware machine. They were failing silently because I turned on UAUDIT for this ID and got absolutely nothing back. I just completed testing of adding ROAUDIT and removing SPECIAL and it is still working.
Thanks all, for your assistance and especially Bob and Roger for pointing me in the right direction. One more RACF SPECIAL account removed! Rex -----Original Message----- From: IBM Mainframe Discussion List <[email protected]> On Behalf Of Robert S. Hansel (RSH) Sent: Saturday, July 10, 2021 5:58 AM To: [email protected] Subject: [External] Re: LDAP confusion with security settings Hi Rex, Very strange indeed. This does not seem like a native LDAP issue. Have you looked at the source code of the software that is processing logons to see if this ID is embedded in the code? Is this ID coded as the USERID on any CICS terminal definitions or started transaction EXEC CICS START commands related to this logon process? If you have SETROPTS SAUDIT or AUDIT(USER) active, have you looked at SMF data to see if it is issuing any RACF commands, in particular ALTUSER PASSWORD NOEXPIRE? Have you tried adding UAUDIT to the ID to see what else it might be doing? If you have a product like zSecure Access Monitor, what activity does it show for this ID? What happens if you swap ROAUDIT for SPECIAL? If you define profiles LISTUSER and LU in the PROGRAM class with ADDMEM('SYS1.LINKLIB'//NOPADCHK) UACC(READ) AUDIT(ALL), does SMF data show this ID using these programs? My extreme SWAG is that it is being used to handle password expiration and password changes. Regards, Bob Robert S. Hansel 2021 #IBMChampion Lead RACF Specialist RSH Consulting, Inc. 617-969-8211 www.linkedin.com/in/roberthansel www.twitter.com/RSH_RACF www.rshconsulting.com -----Original Message----- Date: Fri, 9 Jul 2021 17:10:22 +0000 From: "Pommier, Rex" <[email protected]> Subject: LDAP confusion with security settings Hi list, I don't know if this belongs in the TCP/IP list, RACF list or here so I'm starting here. Here's the situation as best I understand it. First off, LDAP is a black hole as far as I'm concerned. It was set up here long before my time. We're using it to communicate and authenticate to RACF for users coming in from a browser into our CICS regions. The LDAP server runs under a user ID of LDAPSRV. Users coming in from the browser are given a logon screen where they enter their own ID and password which LDAP validates against RACF. LDAP provides the appropriate ICH408I message if they fat-finger a password etc. That part is all OK. The RACF group that LDAPSRV is a member of is LDAPGRP and some of the attributes assigned to LDAPSRV are actually given through the group. The LDAP server is defined within RACF in the APPL class and anybody that tries to log on through LDAP need to have READ access to this APPL. Here's where I'm getting confused. There is another ID on the system, we'll call LDAPU, that has no special privileges except this ID is RACF SPECIAL. The group this ID belongs to (LDAP) also has no special privileges. The ID is not UID0 and the only connection LDAPU has is to the LDAP group, the only permission it has is to the LDAPSRV APPL. The LDAP group actually has no permissions given to it. The only thing strange is that the ID has SPECIAL. Since the ID isn't anything special (or so I thought) I removed SPECIAL from it. As soon as I removed SPECIAL, anybody coming in through the browser started getting invalid userid or password errors on their browser logon page. They were getting NO RACF ICH408I messages being logged either in the SYSLOG or in the LDAPSRV address space. As soon as I gave SPECIAL back to LDAPU everything started working again. I can find nowhere within the LDAP config file that defines LDAPU as any kind of special ID that has magical powers over people trying to log in thru the LDAP. If anybody has any idea where I could go look for what LDAP is using this ID for or where it is defined to use this ID for something, I'd appreciate it. I really don't like the idea of having a RACF SPECIAL user floating around that nobody knows why it has SPECIAL. Apologies if this sounds as confusing to you reading it as it does to me writing it. Thanks, Rex ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN The information contained in this message is confidential, protected from disclosure and may be legally privileged. If the reader of this message is not the intended recipient or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any disclosure, distribution, copying, or any action taken or action omitted in reliance on it, is strictly prohibited and may be unlawful. If you have received this communication in error, please notify us immediately by replying to this message and destroy the material in its entirety, whether in electronic or hard copy format. Thank you. ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN
