[Info-vax] LDAP
Stephen Hoffman
seaohveh at hoffmanlabs.invalid
Sat Oct 10 14:50:11 EDT 2020
On 2020-10-10 11:07:53 +0000, Marc Van Dyck said:
> We tried it, it works, but it can only be used to store passwords. LDAP
> does not have any provision to store the SYSUAF info so you need to
> keep local user definitions anyway. It just will disregard the password
> stored in SYSUAF in favor of the LDAP one. Means that for system admin
> people, it's twice the work... We decided it was not worth the effort
> and we dropped it. The only real advantage that I can see is that the
> LDAP password hashing algorithm is probably better than the one used in
> SYSUAF so the systems would be marginally safer, which might be
> important for some cases.

External Authentication synchronizes passwords, as well as
password-related access settings, and ~nothing else.

LDAP can be extended and does have provisions to store SYSUAF data or
pretty much anything else account-related.

OpenVMS didn't and doesn't use that mechanism, preferring a ~shadow
passwd file. (This is where wholly-local LDAP would be nice, but... I
digress.)

The password is stored twice, once locally in SYSUAF using the
highly-performant and memory-efficient (whoops) Purdy, and once using
the LDAP hash.

OpenVMS supports the MSV1_0 NT LAN Manager hash, though the doc claims
that can be extended.

One of the biggest advantages for many sites is a single source of
information on active accounts, with one spot to shut off access
~everywhere.

--
Pure Personal Opinion | HoffmanLabs LLC