There are various ways for Enterprise Server users to change passwords stored in an LDAP server. The Security Facility relays these requests to the security managers that are used to verify the user. Whether or not a password change request is honoured by a security manager depends on that manager and the security manager module that is used to connect to it.
When using the mldap_esm security manager, changing a user's password involves changing an attribute of the associated user object in the LDAP repository. This in turn requires that the mldap_esm security manager has write access to the repository. However, the mldap_esm security manager does not connect to the repository with the credentials of the user requesting the password change; it uses the authorized ID and password that are specified in the Edit Security Manager screen.
To enable the mldap_esm security manager to support changing user passwords, modify the security manager definition to specify an authorized user ID and password that have write access to the Enterprise Server user objects in the LDAP repository. The ID and password combination that you supply should, of course, be kept secret. To perform this in ESCWA:
This opens the Defined External Security Managers page.
This opens the External Security Manager Configuration dialog box.
This user should have read access to the Enterprise Server user, group, and resource objects in the LDAP repository, and modify (write) access to the user definitions so that users can change their own passwords from Enterprise Server, for example from the CICS signon screen.
mfsecret:configuration-name:secret-path
or:
mfsecret::secret-path
or:
mfsecret:secret-path
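As an added illustration that is not part of the product documentation, the following Python snippet parses the three reference forms listed above and reports when an ESM definition's password field still holds a literal password rather than a vault reference. The handling of values without the mfsecret: prefix, and the assumption that a secret path itself contains no colon, are mine, not the product's.

```python
# Added example, not from the product documentation. Classifies the value
# of an ESM definition's authorized-password field: a Micro Focus Vault
# reference in one of the three documented forms, or a literal password.
# Assumptions (not stated on the page): a value that does not begin with
# "mfsecret:" is a literal password, and a secret path contains no ":",
# so the form is decided by the number of segments after the prefix.

from dataclasses import dataclass
from typing import Optional

PREFIX = "mfsecret:"


@dataclass(frozen=True)
class SecretRef:
    configuration: Optional[str]  # None means the default vault configuration
    path: str


def parse_secret_ref(value: str) -> Optional[SecretRef]:
    """Return a SecretRef for a vault reference, or None for a literal password.

    Forms accepted (as listed in the documentation):
      mfsecret:configuration-name:secret-path
      mfsecret::secret-path          (default configuration)
      mfsecret:secret-path           (default configuration)
    """
    if not value.startswith(PREFIX):
        return None
    parts = value[len(PREFIX):].split(":")
    if len(parts) == 1:
        config, path = None, parts[0]
    elif len(parts) == 2:
        config, path = (parts[0] or None), parts[1]
    else:
        raise ValueError(f"malformed vault reference: {value!r}")
    if not path:
        raise ValueError(f"vault reference has no secret path: {value!r}")
    return SecretRef(config, path)


def audit_password_field(value: str) -> str:
    """Describe what the password field actually stores, for a config review."""
    ref = parse_secret_ref(value)
    if ref is None:
        return "literal password stored in the ESM definition"
    cfg = ref.configuration or "<default>"
    return f"vault reference (configuration={cfg}, path={ref.path})"
```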