[Info-vax] OT: distributed authentication (etc) .ne. distributed file systems

[johnwallace4 at yahoo.co.uk]

On Friday, 19 February 2016 23:20:27 UTC, David Froble  wrote:
> Stephen Hoffman wrote:
> > On 2016-02-19 19:17:01 +0000, David Froble said:
> > 
> >> Stephen Hoffman wrote:
> >>> On 2016-02-18 20:54:50 +0000, David Froble said:
> >>>
> >>>> Regardless of whether it is a group of files, or a single file 
> >>>> (database), perhaps have that data as a separate part of the 
> >>>> installation, with the installer specifying the location of the 
> >>>> common data.  Along with a procedure to move the data.  Thus, all 
> >>>> the grunt work would be avoided, and, upgrades would not need the 
> >>>> common data moved back to a system disk, and upgrades affecting the 
> >>>> common data would be a separate part of the total upgrade.
> >>>
> >>> Or you give the upgrade credentials to access LDAP and Kerberos â EURO " 
> >>> if not simply reusing the credentials from the existing OS for that 
> >>> access â EURO " and off you go.
> >>>
> >>> As much as I like relational databases over RMS, LDAP and Kerberos 
> >>> are a widely-available distributed authentication system, with 
> >>> built-in support for replication and distribution.
> >>
> >> We all know I don't get out much, but even so, your reply doesn't seem 
> >> to address the topic you've replied to.  What am I missing?
> > 
> > 
> > LDAP can replace most (maybe all?) of the whole pile of shared files, 
> > completely avoiding the mess of having everybody aimed at one disk (for 
> > whatever local definition of "disk" is in use underneath OpenVMS), and 
> > LDAP also directly permitting distributed data replication and 
> > distributed data synchronization.
> > 
> > LDAP and Kerberos are the commonly-accepted mechanisms for 
> > authenticating OpenVMS users and passwords in distributed and single 
> > sign-on environments, and Kerberos for distributed delegation.   These 
> > tools are the approach commonly used across Windows Server Active 
> > Directory and Open Directory servers.   LDAP authentication support was 
> > recently (finally!) integrated into the default OpenVMS distribution, too.
> > 
> > Phillip proposed rebuilding the same "design" that OpenVMS has accreted, 
> > albeit (potentially) with fewer logical names.   Which gives you the 
> > same problems that you have now with the inflexibility of RMS file 
> > (record) formats, the same mess on upgrading a mixed-version 
> > configuration, and the same sorts of contention and related baggage.
> > 
> > LDAP can also be used entirely locally, so if you're going to overhaul 
> > OpenVMS authentication in any significant fashion, then moving entirely 
> > to LDAP -- even if the authentication is performed entirely locally and 
> > not involving access to a network LDAP server -- consolidates everything 
> > into one system and one set of calls, and whatever of the existing 
> > interfaces are deigned worthy of wrapping and preservation.
> > 
> > TL;DR:  LDAP and Kerberos are like DNS, but for distributed 
> > authentication and delegation.  Replicable, distributable, scaleable, 
> > available, etc.
> 
> As initially claimed, I don't have day to day hands on experience with VMS 
> clusters.  It was my impression that the scope of the common data was greater 
> than just login authentication.
> 
> My vague impression of LDAP is that it's mainly for login authentication.  If my 
> understanding is not correct, then I need to do more reading.  (I hate that.)

There's a fair bit of difference between what you can do with a set of
distributed systems [1] with authentication and account properties etc
provided by Kerberos, LDAP, etc and what you can do with a
single-system-image setup as was frequently (but not always) used
with VMSclusters with a clusterwide shared file system (the common
system disk shared across multiple systems).

Single system image seems to be too hard for many people these
days; it probably relies quite a lot on having a well architected
well integrated distributed lock manager, amongst other things.
Certainly a cluster-aware shared file system might be considered
handy.

Tru64 got something resembling a cluster-aware file system and
other core VMScluster concepts eventually, before Tru64 was
abandoned.

NonStop Clusters for SCO got to single system image via a different
route, again before it was abandoned by CPQ (though this one went
open source and begat OpenSSI, which afaik subsequently disappeared).
https://en.wikipedia.org/wiki/OpenSSI

[1] A single standalone system can be built around LDAP etc, it's
just the degenerate case of a distributed system. Some might wonder
whether it introduces unnecessary complexity (and hence vulnerability)
in such a case. Swings and roundabouts. One size does not fit all.