[Info-vax] LDAP

Craig A. Berry craigberry at nospam.mac.com
Sat Oct 10 17:36:37 EDT 2020


On 10/10/20 3:41 PM, Jan-Erik Söderholm wrote:
> Den 2020-10-10 kl. 20:50, skrev Stephen Hoffman:
>> On 2020-10-10 11:07:53 +0000, Marc Van Dyck said:
>>
>>> We tried it, it works, but it can only be used to store passwords. 
>>> LDAP does not have any provision to store the SYSUAF info so you need 
>>> to keep local user definitions anyway. It just will disregard the 
>>> password stored in SYSUAF in favor of the LDAP one. Means that for 
>>> system admin people, it's twice the work... We decided it was not 
>>> worth the effort and we dropped it. The only real advantage that I 
>>> can see is that the LDAP password hashing algorithm is probably 
>>> better than the one used in SYSUAF so the systems would be marginally 
>>> safer, which might be important for some cases.
>>
>> External Authentication synchronizes passwords, as well as 
>> password-related access settings, and ~nothing else.
>>
>> LDAP can be extended and does have provisions to store SYSUAF data or 
>> pretty much anything else account-related.
>>
>> OpenVMS didn't and doesn't use that mechanism, preferring a ~shadow 
>> passwd file. (This is where wholly-local LDAP would be nice, but... I 
>> digress.)
>>
>> The password is stored twice, once locally in SYSUAF using the 
>> highly-performant and memory-efficient (whoops) Purdy, and once using 
>> the LDAP hash.
>>
>> OpenVMS supports the MSV1_0 NT LAN Manager hash, though the doc claims 
>> that can be extended.
>>
>> One of the biggest advantages for many sites is a single source of 
>> information on active accounts, with one spot to shut off access 
>> ~everywhere.
>>
>>
> 
> Note, the password will never be specified, entered or changed from VMS.

Unless you set it up so it is.  If you specify VMSAUTH as well as
EXTAUTH in the SYSUAF flags, then the VMS password that gets synched
with the external password whenever the user logs in can be specified by
entering /LOCAL after the username and then no external authentication
takes place. This is either awfully convenient when Active Directory is
down or a security hole when a compromised Windows password has been
changed but the VMS system has not been synched yet. Synching can be
disabled with DISPWDSYNCH.

Also, it is possible to change your external password from VMS.  I
believe there was some problem doing this with Active Directory that
eventually got fixed.

Another feature that I think no one has mentioned is that you can
control who gets to log in to the VMS system by setting up your LDAP
search to only get results for a specified AD group.
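As an added illustration (not commands from the original post), the two SYSUAF flag combinations described above, set with AUTHORIZE from DCL; the username JSMITH is a made-up placeholder:

```dcl
$ ! Added example, not from the original post. JSMITH is a placeholder account.
$ !
$ ! Weak: EXTAUTH plus VMSAUTH lets the user enter "JSMITH/LOCAL" at the
$ ! Username: prompt and log in against the synched SYSUAF copy of the
$ ! password with no external authentication. Handy when AD is down, but a
$ ! changed AD password does not invalidate the local copy until the next
$ ! successful external login synchs it.
$ MCR AUTHORIZE MODIFY JSMITH /FLAGS=(EXTAUTH, VMSAUTH)
$ !
$ ! Tighter: external authentication only, so there is no /LOCAL fallback.
$ ! Flags are cleared with the NO prefix.
$ MCR AUTHORIZE MODIFY JSMITH /FLAGS=(EXTAUTH, NOVMSAUTH)
$ !
$ ! Optional: also stop the local SYSUAF password from being updated from the
$ ! external one on login.
$ MCR AUTHORIZE MODIFY JSMITH /FLAGS=(EXTAUTH, NOVMSAUTH, DISPWDSYNCH)
$ !
$ ! Verify which flags are actually in effect for the account.
$ MCR AUTHORIZE SHOW JSMITH
```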
