About Managing an LDAP

You can use the property screens for a security manager definition that uses mldap_esm to add, edit and delete user, group and resource definitions held in the associated LDAP repository, and for specifying resource permissions.

The mldap_esm security manager binds at configuration time only to the LDAP server, using credentials supplied as part of its configuration. All the privileges that it has for that repository are determined by those credentials. Therefore, in order to manage users, groups and resources through these property screens, you will need to ensure that these credentials have sufficient permissions on the LDAP server.

Note:

The MF Directory Server user ID with which you access the property screens is not related in any way to the credentials with which the mldap_esm security manager connects to the LDAP server. For added protection, when you attempt to access the security manager property screens, MF Directory Server will switch to "Restrict administration access" mode, requiring you to enter valid MF Directory Server user credentials.

Note also that when no authorized ID and password is specified in the security manager definition, the mldap_esm security manager uses the user ID, CN=MFReader,CN=ADAM Users,CN=Micro Focus,CN=Program Data,DC=local (though the last two components can be changed by setting the base DN), which is the user object created for this purpose in the sample configuration, and the password "mf_rdr" to connect to the LDAP repository. Of course, as these values are well known, you should not give MFReader write permission to your LDAP repository.

Instead of storing user passwords in the LDAP repository, the Security Facility stores password verifiers, in the form of salted MD5 hashes.