Symantec Privileged Access Management

Expand all | Collapse all

managing ACF2 account via LDAP - need help setting LDAP application setting "Additional Attributes for Password Modification"

Jump to Best Answer
  • 1.  managing ACF2 account via LDAP - need help setting LDAP application setting "Additional Attributes for Password Modification"

    Posted 04-21-2020 08:32 PM
    Hello

    We are setting up PAM to manage ACF2 accounts via CA LDAP.

    PAM Application configuration
    Type: LDAP
    Server Type: CA LDAP to ACF2

    The PAM target account is setup with a second (master) account to change the account. This master ACF2 account has SECURITY role.

    The PAM process of changing the target password works on ACF2. However, as a part of the process, the PWDEXP policy is applied to the target account, making it unusable until an end user logs into the mainframe with the target id and changes the password.

    What we are trying to understand how to use the PAM Application LDAP configuration "Additional Attributes for Password Modification" to force the NOPWD-EXP policy to be applied to target account in ACF2.





  • 2.  RE: managing ACF2 account via LDAP - need help setting LDAP application setting "Additional Attributes for Password Modification"
    Best Answer

    Posted 04-22-2020 07:21 PM
    Hello Chris, I am not aware of a configuration in PAM for this and thought this would/should be handled on the CA LDAP for Mainframe side.


  • 3.  RE: managing ACF2 account via LDAP - need help setting LDAP application setting "Additional Attributes for Password Modification"

    Posted 05-01-2020 01:04 PM
    Hi Chris,
          In a recent implementation, we used the ExpirePassword LDAP mapped attribute for this purpose. Your master account must be granted the required privilege (Scoped SECURITY) to modify the PSWD-EXP attribute.   





  • 4.  RE: managing ACF2 account via LDAP - need help setting LDAP application setting "Additional Attributes for Password Modification"

    Posted 05-04-2020 12:53 PM
    Shinu,

    Thank you for the lead on the attribute.

    Do you know if there was any configuration required in CA LDAP to map that attribute back to ACF2?

    Thanks

    Chris


  • 5.  RE: managing ACF2 account via LDAP - need help setting LDAP application setting "Additional Attributes for Password Modification"

    Posted 05-04-2020 09:45 PM
    I have no idea how CA LDAP is configured.  I just asked my contact to configure some accounts for me in CA LDAP and to assist me with figuring out how to configure PAM.

    Ed

    --
    Ed Vogel
    Principal Support Engineer
    Privileged Access Manager
    Broadcom
    610-712-1658





  • 6.  RE: managing ACF2 account via LDAP - need help setting LDAP application setting "Additional Attributes for Password Modification"

    Posted 05-01-2020 02:06 PM
      |   view attached
    I have this working in my test environment.  I've attached a zip file with screen captures of the relelvent pages.  Be aware that your Password Composition Policy will have to match whatever is configured on your mainframe.

    ------------------------------
    Principal Support Engineer
    Broadcom
    ------------------------------

    Attachment(s)

    zip
    ACF2config.zip   145K 1 version


  • 7.  RE: managing ACF2 account via LDAP - need help setting LDAP application setting "Additional Attributes for Password Modification"

    Posted 05-04-2020 12:52 PM
    Ed,

    Thanks so mush for the detailed steps.

    We are still running into the issue where the PAM account in ACF2 is set in a policy to automatically expire when it is changed by another account.


  • 8.  RE: managing ACF2 account via LDAP - need help setting LDAP application setting "Additional Attributes for Password Modification"

    Posted 05-26-2020 09:10 AM
    Ed - quick Q -

    In the application setup, was anything setup specifically for "LDAP Attributes"?


  • 9.  RE: managing ACF2 account via LDAP - need help setting LDAP application setting "Additional Attributes for Password Modification"

    Posted 05-26-2020 01:34 PM
    The Server Type should be CA LDAP for ACF2 and the Port should be set to the port on which CA LDAP is listening.  There are some other fields that I didn't change, that you might have to change depending on your CA LDAP configuration.

    Regards.

    Ed





  • 10.  RE: managing ACF2 account via LDAP - need help setting LDAP application setting "Additional Attributes for Password Modification"

    Posted 05-28-2020 07:07 PM
    Ed,

    Thank you for the write up on the how to..

    One additional step will be to add the ExpirePassword LDAP attribute set to N where ACF2 policy automatically expires an account upon change.