On Monday, 12/08/2008 at 01:30 EST, "Rothman, Peter" <[EMAIL PROTECTED]> wrote:
> We currently have z/VM 520 with RACF 1.10 and will shortly upgrade to z/VM 540
> with the RACF feature for 540.
>
> We want to synchronize new passwords across a number of systems.
>
> I have looked thru the manual and it's not obvious to me if there is an exit
> available that will get called AFTER RACF has done all its verification (new and
> current passwords are OK etc).
>
> The new correct password must be passed to this exit.
>
> Does RACF provide this and if so does anyone have a sample to share?

No, RACF does not provide such an exit. Instead, it is done with LDAP and a product like IBM Tivoli Directory Integrator (ITDI) as Kris describes. The new password is stored in a PKCS#11 encrypted envelope that is written to the LDAP change log. IBM Tivoli Directory Integrator (ITDI) is capable of retrieving and decrypting the password envelope, propagating it to other systems in the manner they require. (Kerberos, AD, LDAP, ...)

Alan Altmark
z/VM Development
IBM Endicott