Ralf,
Good thought - Steps I have done so far
1. Application - Account Discovery
BaseDN => acf2admingrp=lids,host=***,o=**********,c=us
Account Object => acf2lid
Name Attribute => acf2lid
Filter =>
2. Credential - LDAP
DN => acf2lid=
<credential> **************** Is this right?
3. Verify CA ACF2 LDAP
- Added CA ACF2 as an LDAP source to CA PAM
- Use CA PAM LDAP browser to verify CA ACF2 directory structure
I'm running out of ideas...
Original Message:
Sent: 03-10-2020 01:39 PM
From: Ralf Prigl
Subject: Managing ACF2 Credentials with CA PAM
Hi Chris, I don't think you need them. The "acf2lid=xxx" looks like a string that comes from the DN setting in the target account. We populate that with some substring initially, but you have to replace that with the correct DN for the account. Is it possible that you didn't configure the DN under the LDAP tab of the target account?
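To make the DN point concrete, the following is an added example (not code from Ralf, CA PAM or CA LDAP for Mainframe) that composes a fully qualified target-account DN from the name attribute, the account name and the Base DN, and flags the two defects a half-filled DN setting tends to have: an RDN with an empty value such as "acf2lid=" and a DN that does not end in the configured Base DN. The `host` and `o` values are constructed placeholders; only `acf2admingrp=lids`, `acf2lid` and `c=us` come from the thread.

```python
"""Compose and sanity-check the DN an LDAP-based credential connector binds
with for a mainframe account. Added example, not vendor code; the host/o
values below are constructed placeholders, not a real directory."""

# Base DN as it would appear on the Account Discovery tab (constructed).
BASE_DN = "acf2admingrp=lids,host=EXAMPLEHOST,o=EXAMPLEORG,c=us"
NAME_ATTR = "acf2lid"

# Characters RFC 4514 section 2.4 requires to be escaped inside an RDN value.
_SPECIAL = set(',+"\\<>;')


def escape_rdn_value(value: str) -> str:
    """Escape an attribute value for safe use inside a DN string."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIAL or (ch == "#" and i == 0):
            out.append("\\" + ch)
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)


def build_account_dn(name_attr: str, account: str, base_dn: str) -> str:
    """Return '<name_attr>=<escaped account>,<base_dn>'; refuse empty input."""
    if not account.strip():
        raise ValueError("account name must not be empty")
    return f"{name_attr}={escape_rdn_value(account)},{base_dn}"


def split_rdns(dn: str) -> list:
    """Split a DN on unescaped commas, keeping backslash escapes intact."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])  # escaped pair stays with its value
            i += 2
            continue
        if ch == ",":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur))
    return parts


def dn_problems(dn: str, base_dn: str) -> list:
    """List the defects of a configured DN; an empty list means it looks usable."""
    problems = []
    for rdn in split_rdns(dn):
        attr, sep, val = rdn.partition("=")
        if not sep:
            problems.append(f"RDN without '=': {rdn!r}")
        elif not attr.strip():
            problems.append(f"RDN with empty attribute: {rdn!r}")
        elif not val.strip():
            problems.append(f"RDN with empty value: {rdn!r}")
    if not dn.lower().endswith("," + base_dn.lower()):
        problems.append("DN does not end in the configured Base DN")
    return problems


if __name__ == "__main__":
    # The half-filled setting the thread describes, versus a complete DN.
    print(dn_problems("acf2lid=", BASE_DN))
    full = build_account_dn(NAME_ATTR, "CHRIS1", BASE_DN)
    print(full, dn_problems(full, BASE_DN))
```

Running the check against the DN string before saving the target account separates a configuration gap (an empty RDN value or a missing Base DN suffix) from a server-side problem, which is the distinction the error text alone does not give you.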
Original Message:
Sent: 03-10-2020 01:01 PM
From: Chris Scott
Subject: Managing ACF2 Credentials with CA PAM
Ralf,
Thank you again. Would you happen to know if there are any attributes required for "Additional LDAP Attributes for Password Modification" to set an ACF2 password?
I get the following error as it is:
SEVERE: UpdateTargetAccountCmd.invoke 1600: [LDAP: error code 17 - undefined: attribute type undefined]
javax.naming.directory.InvalidAttributeIdentifierException: [LDAP: error code 17 - undefined: attribute type undefined]; remaining name 'acf2lid=<credential>'
Original Message:
Sent: 03-10-2020 10:35 AM
From: Ralf Prigl
Subject: Managing ACF2 Credentials with CA PAM
Hi Chris, page https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-privileged-access-management/privileged-access-manager/3-3-2/release-information/supported-environments.html shows that you need CA LDAP for Mainframe to manage mainframe accounts with PAM. In PAM you just define an LDAP target connector. When you choose application type LDAP in a target application, you'll find a "Server Type" drop-down menu on the "LDAP Details" page, and one of the possible choices is ACF2. For PAM this is just another LDAP credential source, and all the smarts of managing the credentials are in the CA LDAP for Mainframe product.
Original Message:
Sent: 03-08-2020 04:01 PM
From: Chris Scott
Subject: Managing ACF2 Credentials with CA PAM
Hello,
I'm struggling to find documentation on managing ACF2 credentials with CA PAM (i.e. rotating ACF2 passwords).
Thanks
Chris