[Info-vax] LDAP

Grant Taylor gtaylor at tnetconsulting.net
Sat Oct 10 22:10:29 EDT 2020


On 10/10/20 6:11 PM, Dave Froble wrote:
> I think using LDAP for passwords for VMS access is a good idea.  Let 
> those people who are supposed to be controlling such things do so, and 
> without having to know much about VMS.

I disagree with the division that you seem to be implying.

I see no reason why the people modifying VMS specific attributes in LDAP 
should not be trained in VMS account administration and know exactly 
how the things they change impact the systems that use said information.

I also believe that /if/ a central directory is used, then it should 
contain all the information that is the same across / duplicated on 
multiple systems.  I don't know what all this entails, but I suspect 
it's considerably more than just the password and associated ID.

> Now, everyone knows I don't get out much, so the following may not be 
> accurate.
> 
> There is much in SYSUAF that is rather VMS specific.

VMS / Solaris / Windows / JBoss specific doesn't matter to me.  That's 
part of the things with the extensibility of LDAP schemas.  You define 
the format of various pieces of information in the LDAP schema.  Then 
you use a subset of the pieces needed for each record.

If someone only has a Windows account, then they don't have any of the 
VMS specific attributes associated with their LDAP entry.

Similarly, if someone only has a VMS account, then they don't have any 
of the Windows specific attributes associated with their LDAP entry.

LDAP makes it very easy to have different attributes associated with 
different entries.

> Trying to have people without VMS experience setting up some of that 
> data seems counter-productive to me.

I wouldn't let people without VMS experience change VMS specific 
attributes, much less set them up.

There is nothing that prevents a properly authorized (in the managerial 
hierarchy / LDAP permission control point of view) VMS administrator 
from entering / updating / deleting the LDAP data.

> Usually, this data doesn't change, so having a VMS person involved in 
> setting up such data seems reasonable.

The thing is, why do you explicitly want to duplicate it across multiple 
systems if you don't have to?

This may be a poor analogy as I know very little about VMS.  But why 
would you duplicate entries in SYSUAF on multiple systems in a cluster 
if you had the option to have the SYSUAF on a clustered file system so 
that one copy of the SYSUAF was used by all of the systems in the cluster?

That centralized storage of data is what LDAP does.  It just does it in 
a way that is platform agnostic.

> For most, I'd think allowing the use of a "local" password would not be 
> reasonable.  Too much chance to get around the corporate (or whatever) 
> control of access.

LDAP can store a LOT more information than just passwords.



-- 
Grant. . . .
unix || die
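The schema-subset idea from the message above (VMS-specific attributes present only on entries that need them, and writable only by VMS administrators), sketched as an added OpenLDAP cn=config example; this is not from the original thread. The `vmsAccount` class, its attributes, the `1.3.6.1.4.1.99999` OID arc, `dc=example,dc=com` and the `vmsadmins` group are all hypothetical placeholders.

```ldif
# Hypothetical auxiliary class holding the VMS-only pieces of an account.
# Placeholder OID arc 1.3.6.1.4.1.99999 -- use your own registered arc.
dn: cn=vms,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: vms
olcAttributeTypes: ( 1.3.6.1.4.1.99999.1.1 NAME 'vmsUIC'
  DESC 'Hypothetical: VMS UIC, e.g. [200,17]'
  EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcAttributeTypes: ( 1.3.6.1.4.1.99999.1.2 NAME 'vmsDefaultDirectory'
  DESC 'Hypothetical: VMS default login directory'
  EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcObjectClasses: ( 1.3.6.1.4.1.99999.2.1 NAME 'vmsAccount'
  DESC 'Hypothetical: marks an entry that also has a VMS account'
  SUP top AUXILIARY MUST ( vmsUIC ) MAY ( vmsDefaultDirectory ) )

# Least privilege on the VMS attributes: only the VMS admin group may write
# them; everyone else cannot even read them. Earlier rules win in OpenLDAP,
# so this must precede any broader "to * by ..." rule.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=vmsUIC,vmsDefaultDirectory
  by group.exact="cn=vmsadmins,ou=groups,dc=example,dc=com" write
  by * none

# Entry with both a Windows-style and a VMS account: same person, one record,
# VMS attributes added only because the auxiliary class is present.
dn: uid=jdoe,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: vmsAccount
uid: jdoe
cn: Jane Doe
sn: Doe
vmsUIC: [200,17]
vmsDefaultDirectory: [JDOE]

# Entry with no VMS account at all: no vmsAccount class, so the server
# rejects any attempt to set vmsUIC here (objectClass violation).
dn: uid=asmith,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: asmith
cn: Alan Smith
sn: Smith
```

Load the schema and ACL fragments with `ldapmodify` against the config database and the entries with `ldapadd`; the server enforces the MUST/MAY subset per entry, so a missing `vmsUIC` on a `vmsAccount` entry is refused at add time.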


