There are various ways for Enterprise Server users to change passwords stored in an LDAP. The Security Facility relays these requests to the security managers that are used to verify the user. Whether or not a password change request is honoured by a security manager depends on that manager and the security manager module that is used to connect to it.
When using the mldap_esm security manager, changing a user's password involves changing an attribute of the associated user object in the LDAP repository. This in turn requires that the mldap_esm security manager has write access to the repository. However, the mldap_esm security manager does not connect to the repository with the credentials of the user requesting the password change; it uses the authorized id and password that are specified in the Edit Security Manager screen.
In order to enable the mldap_esm security manager to support the changing of user passwords, you need to modify the security manager definition to specify an authorized user ID and password that has write access to the Enterprise Server user objects within the LDAP repository. The ID and password combination that you supply should, of course, be secret. To do this:
This user should have read access to the Enterprise Server user, group, and resource objects in the LDAP repository, and modify access to user definitions to support letting users change their passwords from ES (for example from the CICS signon screen).
When no authorized ID and password is specified in the security manager definition, the MLDAP ESM uses the user ID, CN=MFReader,CN=ADAM Users,CN=Micro Focus,CN=Program Data,DC=local (though the last two components can be changed by setting the base DN), which is the user object created for this purpose in the sample configuration, and the password mf_rdr to connect to the LDAP repository. Of course, as these values are well known, you should not give MFReader write permission to your LDAP repository.