[Info-vax] LDAP

Jan-Erik Söderholm jan-erik.soderholm at telia.com
Sat Oct 10 07:57:53 EDT 2020


On 2020-10-10 at 13:07, Marc Van Dyck wrote:
> It happens that Jan-Erik Söderholm formulated :
>> Hi.
>>
>> I have been asked if we can use LDAP against the corporate AD systems
>> to authenticate our user logins to our OpenVMS system.
>>
>> Currently on VSI/Alpha.
>>
>> Has anyone looked at and/or tested these LDAP parts on Alpha?
>> And if so, any thoughts, findings or something else worth reporting?
>> How does it work with a mixed LDAP/local password verification?
>>
>> The users to be verified over LDAP/AD are those that have “personal”
>> VMS accounts using their corporate signature. We also have “workgroup”
>> accounts for the workplaces in the factory, and they are not in the AD.
>>
>> The logins are done using plain telnet sessions from terminal emulators.
>> No ssh here, if that matters in regard to LDAP…
>>
>> Just starting to look at this…
>>
>> Regards, Jan-Erik.
> 
> We tried it, it works, but it can only be used to store passwords. LDAP
> does not have any provision to store the SYSUAF info so you need to keep
> local user definitions anyway. It just will disregard the password
> stored in SYSUAF in favor of the LDAP one. Means that for system admin
> people, it's twice the work... We decided it was not worth the effort
> and we dropped it. The only real advantage that I can see is that the
> LDAP password hashing algorithm is probably better than the one used in
> SYSUAF so the systems would be marginally safer, which might be
> important for some cases.
> 

Thanks for the reply.

Why would it be twice the work? Is there any work involved at all
after the LDAP link to AD has been established?

The AD administration is already there anyway. Is it more routine work
on the VMS side, after the LDAP link has been set up?

And yes, password lookup is the only function we are looking at.

What about if the AD password happens to have characters that are
invalid on VMS? Is that transparent if LDAP lookup has been enabled?

Jan-Erik.




