[Info-vax] LDAP on OpenVMS
Craig A. Berry
craig.a.berry at gmail.com
Tue Jun 7 11:12:52 EDT 2016
On Monday, June 6, 2016 at 7:15:20 PM UTC-5, Tym Stegner wrote:
> I'm looking for ... some explanation of how to create the necessary directory
> structure on the directory server [system] that the configuration/initialization
> file is talking about.
If you have a working AD domain, then that "directory structure" probably already exists, though you may want modifications to it, depending on what you want to control via administering the AD domain and what you want to control using SYSUAF.
Let's say your domain is acmewidgets.net. You'll probably need an entry something like this in your ini file:
base_dn = dc=acmewidgets,dc=net
Then say you only want members of the AD group "VMS Bigots" to be able to log in to the VMS system using AD authentication. You might have a filter that looks like:
filter = memberOf=CN=VMS Bigots,CN=Users,DC=acmewidgets,DC=net
which will search the domain controller only for members of the specified group under the Users category (i.e., machine accounts won't be searched).
That's a start. There are different ways to do it, and there may well be characteristics of your domain that complicate matters, but something like this may work if you don't want to spend two months learning LDAP/AD principles from the ground up.
And for goodness sake don't mess with the configuration file or the cryptic error messages from the ACME server logs until you have a working example outside of that environment. Something like the following is what I've used, where hopefully it will be obvious what needs to be replaced with a local value:
$ dctop = "net"
$ dcsub = "acmewidgets"
$ controller = "dc.''dcsub'.''dctop'" ! domain controller
$ bind_dn = "yourserviceaccount,CN=Users,DC=''dcsub',DC=''dctop'"
$ bind_password = "HopeItsGood"
$ adgroup = "VMS Bigots"
$ username = "joeschmoe"
$ mcr dce$ldapsearch -v -h "''controller'" -"b dc=''dcsub',dc=''dctop'" -
-"D CN=''bind_dn'" -
-w "''bind_password'" -s sub -"R" -
"(&(sAMAccountName=''username')(&(memberOf=CN=''adgroup',CN=Users,DC=''dcsub',DC=''dctop')(objectCategory=user)))"
Once you have this and the derivative INI file working, consider using SSL so the passwords aren't being sent in the clear to the domain controller.
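The base_dn and filter in the post are built by string concatenation, and the only piece that comes from outside the configuration is the username. The following is an added example (not from the original post or from the OpenVMS LDAP tools) that builds the same base_dn, group DN and search filter from the post's placeholder values, but escapes the username per RFC 4515 and the group name per RFC 4514 so that a value containing `*`, `(`, `)` or `,` cannot change the shape of the filter the domain controller evaluates. The helper names (escape_filter_value, escape_dn_value, base_dn, group_dn, build_filter) are hypothetical; the domain acmewidgets.net, the group "VMS Bigots" and the user joeschmoe are the post's own placeholders.

```python
"""Build the AD search filter from the post with RFC 4515/4514 escaping.

Added example, not code from the original post. acmewidgets.net,
"VMS Bigots" and joeschmoe are the post's placeholder values; every
function name here is a hypothetical helper written for this example.
"""

# RFC 4515 section 3: these characters must be encoded as \XX inside a
# filter assertion value, otherwise the value can close the current
# component and open a new one (classic LDAP filter injection).
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

# RFC 4514 section 2.4: characters that need a backslash inside a DN
# attribute value (plus leading '#'/space and a trailing space).
_DN_SPECIAL = set(',+"\\<>;')


def escape_filter_value(value: str) -> str:
    """Escape a string for use as an LDAP filter assertion value."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def escape_dn_value(value: str) -> str:
    """Escape an attribute value for use inside a distinguished name."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append(r"\00")
        elif (ch in _DN_SPECIAL
              or (i == 0 and ch in "# ")
              or (i == last and ch == " ")):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def base_dn(domain: str) -> str:
    """acmewidgets.net -> dc=acmewidgets,dc=net (the post's base_dn line)."""
    return ",".join("dc=" + label for label in domain.split("."))


def group_dn(group: str, domain: str) -> str:
    """DN of a group under CN=Users, as in the post's memberOf filter."""
    dcs = ",".join("DC=" + label for label in domain.split("."))
    return "CN=" + escape_dn_value(group) + ",CN=Users," + dcs


def build_filter(username: str, group: str, domain: str) -> str:
    """Filter matching one user account that is a member of one AD group.

    The memberOf value is a DN string, so it gets DN escaping first and
    then filter escaping (a DN backslash becomes \\5c in the filter).
    """
    return (
        "(&(sAMAccountName=" + escape_filter_value(username) + ")"
        "(&(memberOf=" + escape_filter_value(group_dn(group, domain)) + ")"
        "(objectCategory=user)))"
    )


def ini_lines(domain: str, group: str) -> list:
    """The two configuration lines the post shows, derived from the domain."""
    return [
        "base_dn = " + base_dn(domain),
        "filter = memberOf=" + group_dn(group, domain),
    ]


if __name__ == "__main__":
    print("\n".join(ini_lines("acmewidgets.net", "VMS Bigots")))
    print(build_filter("joeschmoe", "VMS Bigots", "acmewidgets.net"))
    # A username that tries to widen the search is neutralised:
    print(build_filter("*)(objectClass=*", "VMS Bigots", "acmewidgets.net"))
```

With the post's values the output filter is byte-for-byte the one in the ldapsearch command above; with a username such as `*)(objectClass=*` the metacharacters are emitted as `\2a\29\28objectClass=\2a`, so the filter still asks for exactly one sAMAccountName. The same escaping has to happen in whatever feeds the username into the real INI-driven lookup, since the DCL example passes it through unchanged.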