[Info-vax] LDAP
dthi...@gmail.com
dthittner at gmail.com
Wed Oct 7 21:32:02 EDT 2020
"One password to rule them all."
My project set up LDAP authentication to our corporate domain on our Integrity rx2620 per corporate login consolidation requirements, but they required us to use a domain service account assigned to our Integrity server to connect to the domain controller to verify the OpenVMS user login against the domain. What killed us was the requirement to change the server's domain service account password every *30* days, despite its only being used by the "trusted" non-interactive LDAP connector on the OpenVMS server, and its having to be a complex password over 28 characters long.

After activating the LDAP connection, the first time the service password expired over a weekend and all of the OpenVMS users were unable to log in (after about six months of service account password changes), the LDAP module was immediately removed, since corporate would not give us a waiver on the service password expiration duration. We would have happily set a nearly unbreakable 128-character password if they had set the service account password expiration to a year. Not a chance.

Project management rejected the corporate LDAP requirement based on the projected cost of the administrative overhead of changing the password every 30 days and the projected lost productivity of the OpenVMS users during LDAP failure events, assuming at least one such event a year, and was granted a waiver from the corporate LDAP password requirement. Thanks to our fine corporate for making the required consolidated domain logins actually unusable for our OpenVMS users. :-)
I think (but am not sure) that this was done when we were running HPE OpenVMS 8.3-1.
If you do set up LDAP on your system, may your corporate experience be better than ours!