
This article describes how to generate an MF-MD5 encoded password and insert a new USER in your LDAP.

Problem:

The Micro Focus Enterprise Server's ESF feature can be used with the MLDAP External Security Module (mldap_esm) to provide LDAP-based security. This module provides various options for how user passwords are verified. One option is to let the module verify the password against a verifier stored in the user's record in the LDAP repository. In this case user account information is stored as microfocus-MFDS-User objects in the repository, and during a user sign-on request, a string computed from the supplied password is compared against the value of the microfocus-MFDS-User-Pwd attribute of the microfocus-MFDS-User object for that user. You can find more details about the MF-MD5 Password Scheme in the attached document MF-MD5-passwords.html.

Resolution:

Note: The demonstration attached to this article uses ADAM as the LDAP and creates a SYSAD user with password SYSAD.

  1. The source code for generating an MF-MD5 encoded password is in: mfmd5.cbl cobmd5.cbl cobb64.cbl

    The simplest way to build it is to open a Net Express Command Prompt and change to the directory where you unzipped the .zip file attached to this article.

  2. Compile and link the sample that generates an MF-MD5 encoded password: cbllink mfmd5.cbl cobmd5.cbl cobb64.cbl
  3. mfmd5.exe usage:

    mfmd5: Compute an MF-MD5 verifier for a password

    usage: mfmd5 password

  4. Generate an MF-MD5 encoded password for the password SYSAD:

    mfmd5 SYSAD

    MF-MD5 encoded password: MF-MD5:qDhQqhYp:qr7UVfvulNT4YZaWMEeU6A==

  5. Using the ADAM ADSI Edit tool, rename the SYSAD user (for example, rename SYSAD to SYSADxx)
  6. Start an ES secure region: casstart /rESDEMO /pSYSAD /uSYSAD

    You should get the following error message:

    ESDEMO CASSE0032E User ID "SYSAD" invalid or password incorrect, region terminating 17:36:41

  7. Insert a new SYSAD user in the LDAP

    InsertUserInLDAP.bat:

    …

    ldifde -i -f mfds_usersSYSAD.ldf -s localhost:389 -k -v -j .

    …

    File mfds_usersSYSAD.ldf:

    dn: cn=SYSAD,CN=Enterprise Server Users,CN=Micro Focus,CN=Program Data,DC=local
    changetype: add
    cn: SYSAD
    adminDisplayName: SYSAD
    objectClass: microfocus-MFDS-User
    microfocus-MFDS-UID: 1.2.840.5043.09.002.1213175521.9be700.cef204.1.8
    microfocus-MFDS-User-MTO-Priority: 0
    microfocus-MFDS-User-MTO-Timeout: 0
    microfocus-MFDS-User-MTO-OperatorClass: 0
    microfocus-MFDS-User-AllowLogon: TRUE
    microfocus-MFDS-User-Pwd: MF-MD5:qDhQqhYp:qr7UVfvulNT4YZaWMEeU6A==

  8. Start an ES secure region: casstart /rESDEMO /pSYSAD /uSYSAD

    You should now be able to start your ES region and get a message like:

    ESDEMO ESFEM1030I MLDAP ESM: SYSAD AUTH request for "casstart" allowed by rule "casstart" 17:38:48

  9. Using the ADAM ADSI Edit tool, rename the SYSAD user
    1. Delete the SYSAD user created in step 7 and rename SYSADxx (from step 5) back to SYSAD
    2. Start an ES secure region: casstart /rESDEMO /pSYSAD /uSYSAD
    3. It should still work.
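
A pre-import check for the LDIF file in step 7, added here as an example and not part of the original article or its attached sample: it reports every microfocus-MFDS-User-Pwd value that does not have the shape of the verifier shown in step 4, such as a plaintext password or a truncated digest. The three-field layout and the 16-byte digest length are inferred from that single sample value, not taken from the MF-MD5 specification, and the TESTA and TESTB records are constructed.

```python
import base64
import binascii

PWD_ATTR = "microfocus-mfds-user-pwd"  # compared lower-cased
BASE = "CN=Enterprise Server Users,CN=Micro Focus,CN=Program Data,DC=local"
# Constructed sample: the SYSAD verifier from step 4 plus two deliberately bad records.
SAMPLE_LDIF = f"""\
dn: cn=SYSAD,{BASE}
microfocus-MFDS-User-Pwd: MF-MD5:qDhQqhYp:qr7UVfvulNT4YZaWMEeU6A==

dn: cn=TESTA,{BASE}
microfocus-MFDS-User-Pwd: SYSAD

dn: cn=TESTB,{BASE}
microfocus-MFDS-User-Pwd: MF-MD5:qDhQqhYp:qr7UVfvulNT4YZaW
"""

def check_verifier(value):
    """Return None if value looks like MF-MD5:<field>:<base64 of 16 bytes>, else a reason."""
    parts = value.split(":")
    # Assumption: the middle field is opaque and contains no colon.
    if len(parts) != 3 or parts[0] != "MF-MD5" or not parts[1]:
        return "not in MF-MD5:<field>:<base64> form"
    try:
        digest = base64.b64decode(parts[2], validate=True)
    except (binascii.Error, ValueError):
        return "last field is not valid base64"
    if len(digest) != 16:  # MD5 output length
        return f"digest is {len(digest)} bytes, expected 16"
    return None

def audit_ldif(text):
    """Return [(dn, reason)] for each password attribute that fails check_verifier."""
    findings = []
    # Unfold continuation lines (leading space), then split records on blank lines.
    unfolded = text.replace("\r\n", "\n").replace("\n ", "")
    for block in unfolded.split("\n\n"):
        dn = "<no dn>"
        for line in block.splitlines():
            if line.startswith("#"):  # LDIF comment
                continue
            attr, _, rest = line.partition(":")
            if rest.startswith(":"):  # "attr:: value" means the value is base64-encoded
                value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
            else:
                value = rest.strip()
            if attr.lower() == "dn":
                dn = value
            elif attr.lower() == PWD_ATTR and (reason := check_verifier(value)):
                findings.append((dn, reason))
    return findings
```

Run `audit_ldif` on the contents of the .ldf file before passing it to ldifde; an empty result means every password attribute is at least structurally a verifier, not that it matches any particular password.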

Incident Number: 2258226

Old KB# 14530
