[Info-vax] LDAP

Craig A. Berry craigberry at nospam.mac.com
Sat Oct 10 18:41:32 EDT 2020


On 10/10/20 5:19 PM, Grant Taylor wrote:
> On 10/10/20 3:36 PM, Craig A. Berry wrote:
>> Another feature that I think no one has mentioned is that you can 
>> control who gets to log in to the VMS system by setting up your LDAP 
>> search to only get results for a specified AD group.
> 
> I ran into that when configuring Active Directory Integration for Unix / 
> Linux at my last job.
> 
> Local accounts are inherently local.  If you don't have a local account, 
> you can't do anything.
> 
> Directory accounts (AD / NDS / eD / LDAP / NIS(+)) are inherently much 
> larger scope than local accounts.  It's expected that people will have a 
> directory account that should not be logging in to any given system.
> 
> As such, you become dependent on a new piece of information being 
> required to scope who can and cannot log into a given system. 
> Explaining this during the ADI4U project ended up taking a LOT of 
> meeting time.
> 
> Q:  But why do I need a new group to say who can and cannot log into 
> this system using this new Directory thingy?  I didn't need it using the 
> old method.

Because the first line support folks can readily add and remove people
from AD groups since they do it all the time for other apps and other
systems.  Typing arcane commands that update SYSUAF not so much.
Hopefully this new WebUI thingy from VSI will help with that, but it's
still something different that can't be centrally managed like
everything else most shops have.

> Me:  <facepalm>
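The group-scoped lookup discussed above, as an added example that is not part of the post and is not VSI's LDAP ACME agent code (that agent's configuration keys and filter syntax are not shown here). It builds the search filter an authentication agent would send, so that a directory account outside the gatekeeper group returns zero entries and is refused, and runs it against a constructed directory snapshot with a toy RFC 4515 evaluator. The group name VMS-Users, the example.com DNs, the user and group entries, and the helper names are all assumptions for illustration.

```python
"""Scoping who may log in by restricting the LDAP lookup to one AD group.

Added example: not from the Info-vax post and not VSI's LDAP ACME code.
Every DN, group, user and function name below is constructed.
"""
import re
from collections import deque

# The gatekeeper group; only its members should get a VMS login (assumed name).
GROUP_DN = "CN=VMS-Users,OU=Groups,DC=example,DC=com"

# RFC 4515 escaping for a value interpolated into a filter.  Without it a
# login name such as "ali*" or "x)(cn=*" is read as filter syntax instead
# of being compared literally, and the group restriction can be sidestepped.
_ESCAPE = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPE.get(ch, ch) for ch in value)

def login_filter(username: str, group_dn: str = GROUP_DN, nested: bool = False) -> str:
    """Filter the agent sends: the account must exist AND be a member of the
    gatekeeper group.  Plain memberOf only sees direct membership; nested=True
    uses AD's LDAP_MATCHING_RULE_IN_CHAIN rule, which walks group nesting."""
    attr = "memberOf:1.2.840.113556.1.4.1941:" if nested else "memberOf"
    return (f"(&(sAMAccountName={escape_filter_value(username)})"
            f"({attr}={escape_filter_value(group_dn)}))")

# --- Constructed directory snapshot (just the attributes that matter) -------
STAFF = "CN=Staff,OU=Groups,DC=example,DC=com"
VMS_OPS = "CN=VMS-Ops,OU=Groups,DC=example,DC=com"
USERS = [
    {"sAMAccountName": ["alice"], "memberOf": [GROUP_DN, STAFF]},
    {"sAMAccountName": ["bob"],   "memberOf": [STAFF]},    # valid AD account, no VMS access
    {"sAMAccountName": ["carol"], "memberOf": [VMS_OPS]},  # in VMS-Users only via nesting
]
GROUPS = {  # group objects keyed by DN; VMS-Ops is a member of VMS-Users
    GROUP_DN: {"memberOf": []},
    VMS_OPS:  {"memberOf": [GROUP_DN]},
    STAFF:    {"memberOf": []},
}

# --- Minimal RFC 4515 evaluator (AND, OR, equality with '*' wildcards) ------
def _unescape(raw: str) -> str:
    return re.sub(r"\\([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), raw)

def _parse(flt: str, i: int = 0):
    if flt[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if flt[i] in "&|":
        op, i, kids = flt[i], i + 1, []
        while flt[i] == "(":
            node, i = _parse(flt, i)
            kids.append(node)
        if flt[i] != ")":
            raise ValueError("unterminated filter list")
        return (op, kids), i + 1
    close = flt.index(")", i)          # a ')' inside a value is escaped as \29
    attr, raw = flt[i:close].split("=", 1)
    return ("=", attr, raw), close + 1

def _group_closure(entry: dict) -> set:
    """Direct memberOf plus the memberOf of those groups, transitively."""
    seen, todo = set(), deque(entry.get("memberOf", []))
    while todo:
        g = todo.popleft()
        if g not in seen:
            seen.add(g)
            todo.extend(GROUPS.get(g, {}).get("memberOf", []))
    return seen

def _matches(node, entry: dict) -> bool:
    if node[0] == "&":
        return all(_matches(k, entry) for k in node[1])
    if node[0] == "|":
        return any(_matches(k, entry) for k in node[1])
    _, attr, raw = node
    if attr.lower() == "memberof:1.2.840.113556.1.4.1941:":
        values = _group_closure(entry)
    else:
        values = {k.lower(): v for k, v in entry.items()}.get(attr.lower(), [])
    # an unescaped '*' is a wildcard; escaped bytes compare literally
    pattern = ".*".join(re.escape(_unescape(part)) for part in raw.split("*"))
    return any(re.fullmatch(pattern, v, re.IGNORECASE) for v in values)

def search(flt: str, entries=USERS) -> list:
    """Account names the filter selects: what the directory server returns."""
    tree, end = _parse(flt)
    if end != len(flt):
        raise ValueError("trailing text after filter")
    return [e["sAMAccountName"][0] for e in entries if _matches(tree, e)]

def may_log_in(username: str, nested: bool = False) -> bool:
    """The agent's decision rule: exactly one entry back, or no login."""
    return len(search(login_filter(username, nested=nested))) == 1

if __name__ == "__main__":
    for u in ("alice", "bob", "carol", "ali*", "x)(cn=*"):
        print(f"{u!r:12} direct={may_log_in(u)!s:6} nested={may_log_in(u, nested=True)}")
```

Two caveats the run makes visible: bob is a perfectly good directory account and is still refused, which is exactly the "new piece of information" the thread is about; and carol is refused by the plain `memberOf` filter because AD's `memberOf` lists only direct groups, so a site that nests groups needs the chain matching rule (AD-specific) or a group the users are placed in directly. The escaping step is not optional: a raw `ali*` lookup matches alice, while the escaped one matches nothing.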
