User password external validation when parameter LCLPWDMGT(*NO).


    I have been asked to set up a custom password validation for IBM i.
    The programs to check and validate the "password" (a OneTimePassword kind of code) already exist and run on IBM i.
    I can check/validate manually with code running internally on the IBM i that checks if the code is correct, and/or with a request to a web page on a webserver that compares the code with its own and returns true or false, without any problems.
    Please note that the webserver can be running inside the IBM i or it can be anywhere in the network.
    These programs are internally developed and can be changed or adapted to suit our needs.

    Replacing the user password in the IBM i is another story...

    I have checked all kinds of exit points and I think it is possible to implement a solution, but it would be necessary to create a lot of exit programs: one (or more) for each host server (SSH, FTP, REXEC, etc.) and some more for other functions (5250 TELNET initialization, for example). So many that we fear we will miss some...

    One possible solution (system global and effective) would be to set the USRPRF parameter LCLPWDMGT to *NO and configure the validation to one of the validation programs.
    It seems simple, but I can't find any information on how to configure, on the IBM i, the program or the server/web page to execute the validation, or what parameters are required and how to pass them.

    I have found a lot of information about Enterprise Identity and LDAP and a lot of third-party software that is of no help to me.

    All I want/need to know is: Is it possible to configure a program (CL, RPG, C, Free, Java, whatever) to execute this validation?
    If yes, where and how, please...

    If anyone has another idea or way to implement something like this, I will welcome any and all suggestions.

    I also have these limitations:
    NO 2FA. The company does not want more steps in user validation.
    Keep the validation inside the IBM i, if possible...

    Thanks in advance.