There are various ways for users of Enterprise Server to change their passwords. The Security Facility relays such requests to those security managers that are used to verify the user. Whether or not a password change request is honoured by a security manager depends on that manager and ESM module that is used to connect to it.
When using the MLDAP ESM, changing a user's password involves changing an attribute of the associated user object in the LDAP repository. This in turn requires that the ESM has write access to the repository. However, the MLDAP ESM does not connect to the repository with the credentials of the user requesting the password change; it uses the authorized id and password that are specified in the Edit Security Manager screen.
In order to enable the MLDAP ESM to support the changing of user passwords, you need to modify the security manager definition to specify an authorized user ID and password that has write access to the Enterprise Server user objects within the LDAP repository. The ID and password combination that you supply should, of course, be secret. To do this:
This user should have read access to the Enterprise Server user, group, and resource objects in the LDAP repository, and modify access to user definitions to support letting users change their passwords from ES (for example from the CICS signon screen).
When no authorized ID and password is specified in the security manager definition, the MLDAP ESM uses the user ID, CN=MFReader,CN=ADAM Users,CN=Micro Focus,CN=Program Data,DC=local (though the last two components can be changed by setting the base DN), which is the user object created for this purpose in the sample configuration, and the password "mf_rdr" to connect to the LDAP repository. Of course, as these values are well known, you should not give MFReader write permission to your LDAP repository.