I was finding a user profile being disabled by an LDAP connection.
First, I did the CRTMSGQ QSYSMSG to copy 'serious' messages from QSYSOPR
automatically to that one.
Then I noticed this message appearing
CPF1393 - User profile <redacted> has been disabled.
F9=Display message details
From job . . . . . . . . . . . : QUSRDIR
User . . . . . . . . . . . . : QDIRSRV
Number . . . . . . . . . . . : 447554
WRKJOB QUSRDIR
10. Display job log
And it even tells me the IP address that did it.
Twas an error in an application migration. I'll get that resolved.
However, while looking at that joblog I noticed numerous
Message ID . . . . . . : GLD0120
Message . . . . : Bind error with directory server.
Cause . . . . . : Distinguished name (dn) 'CN=ADMINISTRATOR' at IP address <redacted> failed to bind with the directory server.
Recovery . . . : This condition may occur when the user name or password is incorrect. The server will continue to operate normally. Repeated failures for the same user or from the same IP address may indicate that someone is trying to guess a correct user name and password.
The IP address is the same IP address as this LPAR of IBM i.
Something on it is trying to do an LDAP bind as ADMINISTRATOR. It's
hacking itself.
Is there some setup I've missed? Some default user in service or some
other area that needs to be configured?
Rob Berendt
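
An added example, not part of the original post: one way to tally the GLD0120 bind failures from a QUSRDIR job log exported to text, grouping by DN and source IP and flagging binds that originate from the system's own address. The function names, the threshold and the sample addresses are assumptions constructed for illustration; the message layout follows the job log text quoted above.

```python
import re
from collections import Counter

# Matches the GLD0120 cause text once wrapped lines are rejoined.
BIND_FAIL = re.compile(
    r"Distinguished name \(dn\) '([^']*)' at IP address (\S+) failed to bind")

def parse_bind_failures(joblog_text):
    """Return a (dn, ip) tuple for every GLD0120 message in the job log text."""
    failures = []
    # Each message starts at a 'Message ID . . . :' header line.
    for chunk in re.split(r"(?m)^\s*Message ID[ .]*:", joblog_text)[1:]:
        msg_id, _, body = chunk.strip().partition("\n")
        if msg_id.strip() != "GLD0120":
            continue
        flat = " ".join(body.split())  # undo spool-file line wrapping
        m = BIND_FAIL.search(flat)
        if m:
            # Fold case so differently cased spellings of a DN count together.
            failures.append((m.group(1).upper(), m.group(2)))
    return failures

def summarize(failures, local_ips, threshold=3):
    """Count failures per (dn, ip); flag repeats and binds from this host."""
    return [{"dn": dn, "ip": ip, "count": n,
             "repeated": n >= threshold,
             "self_originated": ip in local_ips}
            for (dn, ip), n in Counter(failures).most_common()]

# Constructed sample in the wrapped layout shown in the post. The addresses
# are documentation-range placeholders, not values from the original message.
_GLD0120 = ("Message ID . . . . . . : GLD0120\n"
            "Message . . . . : Bind error with directory server.\n"
            "Cause . . . . . : Distinguished name (dn) '{dn}' at IP\n"
            "address\n"
            "{ip} failed to bind with the directory server.\n"
            "Recovery . . . : This condition may occur when the user name or\n"
            "password is\nincorrect.\n")
SAMPLE_JOBLOG = (
    _GLD0120.format(dn="CN=ADMINISTRATOR", ip="192.0.2.10") * 2
    + "Message ID . . . . . . : CPF1393\n"
      "Message . . . . : User profile APPUSER has been disabled.\n"
    + _GLD0120.format(dn="cn=administrator", ip="192.0.2.10")
    + _GLD0120.format(dn="CN=APPSVC", ip="198.51.100.7"))

if __name__ == "__main__":
    for row in summarize(parse_bind_failures(SAMPLE_JOBLOG), {"192.0.2.10"}):
        print(row)
```

Pass the LPAR's own interface addresses as `local_ips` so that binds coming from a local job or application stand out from remote guessing attempts.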