Hi Mukesh,
Calling management (LMI) APIs as part of a runtime flow is not recommended - performance and high availability can be an issue.
I wonder if there is an option using the UserLookup helper or the Native LDAP Helper to perform these actions. I think they would run through similar code as calling pdadmin and so should have password policy applied (I am not sure though - maybe others can confirm?).
What are the issues that you are having when using the SCIM APIs to request the password reset? Have you spoken to Support about these issues?
To answer your specific question, it is possible to call the LMI using a client certificate to authenticate instead of a username/password. The signer of the client certificate must be loaded to the LMI keystore and, if I remember correctly, the CN of the certificate must be the username of the user to authenticate. However, I don't think there is any way to bypass the requirement for the sec_master credentials.
Jon.
------------------------------
Jon Harry
Consulting IT Security Specialist
IBM
------------------------------
Original Message:
Sent: Wed June 16, 2021 09:02 AM
From: Mukesh Bhati
Subject: ISAM - Can we use LMI APIs from InfoMap without Admin Credentials?
Hello Team,
I just want to know whether there is any way to call LMI APIs from InfoMap without LMI admin and sec_master credentials.
We have implemented some password policy on the underlying LDAP, and we tried to update the user password with the SCIM API.
But the password policy was not enforced. After that we enabled the password policy checkbox in the SCIM configuration, but we still face some issues.
So we tried to change the user password with the pdadmin command from InfoMap with the help of LMI APIs, but the LMI APIs required LMI and sec_master credentials.
So, is there any way to call LMI API without credentials?
Any pointer could be helpful.
------------------------------
Mukesh
------------------------------