Symantec Privileged Access Management


managing ACF2 account via LDAP - need help setting LDAP application setting "Additional Attributes for Password Modification"

  • 1.  managing ACF2 account via LDAP - need help setting LDAP application setting "Additional Attributes for Password Modification"

    Posted Apr 21, 2020 08:32 PM
    Hello

    We are setting up PAM to manage ACF2 accounts via CA LDAP.

    PAM Application configuration
    Type: LDAP
    Server Type: CA LDAP to ACF2

    The PAM target account is set up with a second (master) account to change the account. This master ACF2 account has the SECURITY role.

    The PAM process of changing the target password works on ACF2. However, as a part of the process, the PWDEXP policy is applied to the target account, making it unusable until an end user logs into the mainframe with the target id and changes the password.

    What we are trying to understand is how to use the PAM Application LDAP configuration "Additional Attributes for Password Modification" to force the NOPWD-EXP policy to be applied to the target account in ACF2.



  • 2.  RE: managing ACF2 account via LDAP - need help setting LDAP application setting "Additional Attributes for Password Modification"
    Best Answer

    Broadcom Employee
    Posted Apr 22, 2020 07:21 PM
    Hello Chris, I am not aware of a configuration in PAM for this and thought this would/should be handled on the CA LDAP for Mainframe side.


  • 3.  RE: managing ACF2 account via LDAP - need help setting LDAP application setting "Additional Attributes for Password Modification"

    Posted May 01, 2020 01:04 PM
    Hi Chris,

    In a recent implementation, we used the ExpirePassword LDAP mapped attribute for this purpose. Your master account must be granted the required privilege (Scoped SECURITY) to modify the PSWD-EXP attribute.





  • 4.  RE: managing ACF2 account via LDAP - need help setting LDAP application setting "Additional Attributes for Password Modification"

    Posted May 04, 2020 12:53 PM
    Shinu,

    Thank you for the lead on the attribute. 

    Do you know if there was any configuration required in CA LDAP to map that attribute back to ACF2?

    Thanks

    Chris


  • 5.  RE: managing ACF2 account via LDAP - need help setting LDAP application setting "Additional Attributes for Password Modification"

    Broadcom Employee
    Posted May 04, 2020 09:45 PM
    I have no idea how CA LDAP is configured.  I just asked my contact to configure some accounts for me in CA LDAP and to assist me with figuring out how to configure PAM.

    Ed

    --
    Ed Vogel
    Principal Support Engineer
    Privileged Access Manager
    Broadcom
    610-712-1658





  • 6.  RE: managing ACF2 account via LDAP - need help setting LDAP application setting "Additional Attributes for Password Modification"

    Broadcom Employee
    Posted May 01, 2020 02:06 PM
    I have this working in my test environment.  I've attached a zip file with screen captures of the relevant pages.  Be aware that your Password Composition Policy will have to match whatever is configured on your mainframe.

    ------------------------------
    Principal Support Engineer
    Broadcom
    ------------------------------

    Attachment: ACF2config.zip (145 KB)


  • 7.  RE: managing ACF2 account via LDAP - need help setting LDAP application setting "Additional Attributes for Password Modification"

    Posted May 04, 2020 12:52 PM
    Ed,

    Thanks so much for the detailed steps.

    We are still running into the issue where the PAM account in ACF2 is set in a policy to automatically expire when it is changed by another account.


  • 8.  RE: managing ACF2 account via LDAP - need help setting LDAP application setting "Additional Attributes for Password Modification"

    Posted May 26, 2020 09:10 AM
    Ed - quick Q -

    In the application setup, was anything set up specifically for "LDAP Attributes"?


  • 9.  RE: managing ACF2 account via LDAP - need help setting LDAP application setting "Additional Attributes for Password Modification"

    Broadcom Employee
    Posted May 26, 2020 01:34 PM
    The Server Type should be CA LDAP for ACF2 and the Port should be set to the port on which CA LDAP is listening.  There are some other fields that I didn't change, that you might have to change depending on your CA LDAP configuration.

    Regards.

    Ed





  • 10.  RE: managing ACF2 account via LDAP - need help setting LDAP application setting "Additional Attributes for Password Modification"

    Posted May 28, 2020 07:07 PM
    Ed,

    Thank you for the write-up on the how-to.

    One additional step will be to add the ExpirePassword LDAP attribute set to N where ACF2 policy automatically expires an account upon change.
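As an added example (not code from the thread, from PAM or from CA LDAP), the modify operation the thread converges on, written out as LDIF so that the master account's Scoped SECURITY privilege to set ExpirePassword can be checked with ldapmodify independently of PAM before the application is configured. The target DN, the userPassword attribute name and the name=value syntax of the PAM "Additional Attributes" field are assumptions; only ExpirePassword=N comes from the thread.

```python
"""Build the LDIF change record for an ACF2 password change via CA LDAP that
replaces the password and, in the same modify, sets ExpirePassword to N so the
PWDEXP policy is not applied to the target account.  DN, password attribute
and the 'name=value,...' field syntax are assumptions, not product facts."""
from typing import Dict, List


def parse_additional_attributes(spec: str) -> Dict[str, str]:
    """Parse a 'name=value,name=value' string (assumed format of the PAM field
    'Additional Attributes for Password Modification') into a dict.
    Rejects entries without a value so a typo cannot silently drop the
    ExpirePassword setting and leave the account expired after rotation."""
    attrs: Dict[str, str] = {}
    for item in filter(None, (p.strip() for p in spec.split(","))):
        if "=" not in item:
            raise ValueError(f"attribute without value: {item!r}")
        name, value = (s.strip() for s in item.split("=", 1))
        if not name or not value:
            raise ValueError(f"malformed attribute: {item!r}")
        attrs[name] = value
    return attrs


def build_modify_ldif(dn: str, new_password: str, extra: Dict[str, str],
                      password_attr: str = "userPassword") -> str:
    """Emit one LDIF modify record: the password replace followed by a
    replace for every additional attribute, all in a single operation, which
    is what lets the directory apply ExpirePassword=N together with the
    new password rather than after it."""
    lines: List[str] = [f"dn: {dn}", "changetype: modify",
                        f"replace: {password_attr}",
                        f"{password_attr}: {new_password}", "-"]
    for name, value in extra.items():
        lines += [f"replace: {name}", f"{name}: {value}", "-"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample values: placeholder DN and a throwaway password.
    extra = parse_additional_attributes("ExpirePassword=N")
    print(build_modify_ldif("cn=TARGETID,o=ACF2-PLACEHOLDER", "NewP@ss1", extra))
```

Feed the printed record to ldapmodify bound as the master account; a permission error on the ExpirePassword replace points at the Scoped SECURITY grant on the ACF2 side rather than at the PAM configuration.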