× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.


  1.  Home
  2. MIDRANGE-L
  3. March 2005

Re: Preventing user profile lockout

Stu Bramley wrote: 
I have a requirement to prevent certain service/connection accounts from
being locked out - for example due to password validation errors. This
is to prevent the profiles being deliberately locked out as part of a
denial of service attack.

We do not want to set QMAXSIGN to *NOMAX as this applies at a system,
rather than an individual profile level.

Does anyone know of a way to do this? Is there an exit point we can hook
into when a user profile is disabled and use this either to stop the
profile from being disabled or re-enable the profile? Is there a way to
override this system value at an individual user profile level?


Stu-

Any time that a user profile is disabled, message id CPF1393 gets issued. As others have noted, this message gets sent to QSYSMSG if it exists, otherwise they get sent to QSYSOPR. I have QSYSMSG set up, so here is an example of the message in QSYSMSG:

I'm not sure of how to do it with an exit program but here is an alternative solution:

Set up the QSYSMSG message queue in QSYS, then write a never-ending program that adopts the necessary authority and uses either RCVMSG or the receive message API to receive messages from the QSYSMSG message queue, looking for occurrences of the CPF1393 message for the specified profile, then take the necessary action to log the event and re-enable the user profile.

Regards,
Steve

Example of the user profile disable message:

Subsystem QINTER disabled user profile SJL2 on device QPADEV0004.

Second-level text:
                          Additional Message Information

Message ID . . . . . . : CPF1393 Severity . . . . . . . : 70
Message type . . . . . : Information
Date sent . . . . . . : 03/21/05 Time sent . . . . . . : 10:53:53

Message . . . . : Subsystem QINTER disabled user profile SJL2 on device
QPADEV0004.
Cause . . . . . : User profile SJL2 has been disabled because the maximum
number of sign-on attempts specified for the QMAXSIGN system value has been
reached.
Recovery . . . : To enable the user profile, have the security officer
change the STATUS parameter to *ENABLED on the Change User Profile
(CHGUSRPRF) command.


As an Amazon Associate we earn from qualifying purchases.

This thread ...
Replies:
Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.