[Info-vax] LDAP
Jan-Erik Söderholm
jan-erik.soderholm at telia.com
Sat Oct 10 16:41:34 EDT 2020
On 2020-10-10 at 20:50, Stephen Hoffman wrote:
> On 2020-10-10 11:07:53 +0000, Marc Van Dyck said:
>
>> We tried it, it works, but it can only be used to store passwords. LDAP
>> does not have any provision to store the SYSUAF info so you need to keep
>> local user definitions anyway. It just will disregard the password stored
>> in SYSUAF in favor of the LDAP one. Means that for system admin people,
>> it's twice the work... We decided it was not worth the effort and we
>> dropped it. The only real advantage that I can see is that the LDAP
>> password hashing algorithm is probably better than the one used in SYSUAF
>> so the systems would be marginally safer, which might be important for
>> some cases.
>
> External Authentication synchronizes passwords, as well as password-related
> access settings, and ~nothing else.
>
> LDAP can be extended and does have provisions to store SYSUAF data or
> pretty much anything else account-related.
>
> OpenVMS didn't and doesn't use that mechanism, preferring a ~shadow passwd
> file. (This is where wholly-local LDAP would be nice, but... I digress.)
>
> The password is stored twice, once locally in SYSUAF using the
> highly-performant and memory-efficient (whoops) Purdy, and once using the
> LDAP hash.
>
> OpenVMS supports the MSV1_0 NT LAN Manager hash, though the doc claims that
> can be extended.
>
> One of the biggest advantages for many sites is a single source of
> information on active accounts, with one spot to shut off access ~everywhere.
>
>
Note, the password will never be specified, entered or changed from VMS.
The password management routines are already in place on the corporate
level on AD. That we do not comply with on our VMS boxes, of course...