[Info-vax] LDAP

Dave Froble davef at tsoft-inc.com
Sat Oct 10 23:31:23 EDT 2020


On 10/10/2020 10:10 PM, Grant Taylor wrote:
> On 10/10/20 6:11 PM, Dave Froble wrote:
>> I think using LDAP for passwords for VMS access is a good idea.  Let
>> those people who are supposed to be controlling such things do so, and
>> without having to know much about VMS.
>
> I disagree with the division that you seem to be implying.
>
> I see no reason why the people modifying VMS specific attributes in LDAP
> should not be trained in VMS account administration and know exactly
> how the things they change impact the systems that use said information.

First, Jan-Erik wanted a solution for passwords only.

Second, Marc Van Dyck mentioned that LDAP on VMS only does passwords. 
Yes, you may be able to store other data in the AD, but, if VMS is not 
set up to get that data from the AD, then what's the use.

> I also believe that /if/ a central directory is used, then it should
> contain all the information that is the same across / duplicated on
> multiple systems.  I don't know what all this entails, but I suspect
> it's considerably more than just the password and associated ID.
>
>> Now, everyone knows I don't get out much, so the following may not be
>> accurate.
>>
>> There is much in SYSUAF that is rather VMS specific.
>
> VMS / Solaris / Windows / JBoss specific doesn't matter to me.  That's
> part of the things with the extensibility of LDAP schemas.  You define
> the format of various pieces of information in the LDAP schema.  Then
> you use a subset of the pieces needed for each record.

And on VMS, if Marc is correct, what do you then do with the data?

> If someone only has a Windows account, then they don't have any of the
> VMS specific attributes associated with their LDAP entry.
>
> Similarly, if someone only has a VMS account, then they don't have any
> of the Windows specific attributes associated with their LDAP entry.
>
> LDAP makes it very easy to have different attributes associated with
> different entries.
>
>> Trying to have people without VMS experience setting up some of that
>> data seems counter-productive to me.
>
> I wouldn't let people without VMS experience change VMS specific
> attributes, much less set them up.

I believe that Jan-Erik asked for, and I wrote about, using a company 
wide password tool.  For such access, only a password is required.

I agree, only someone who knows a bit about what is required for a VMS 
user account should be involved in setting up accounts.

> There is nothing that prevents a properly authorized (in the managerial
> hierarchy / LDAP permission control point of view) VMS administrator
> from entering / updating / deleting the LDAP data.

No, but if a company wants a single point of access control, and is 
willing to have a non-VMS person administer it, why should a VMS person 
then bother?

>> Usually, this data doesn't change, so having a VMS person involved in
>> setting up such data seems reasonable.
>
> The thing is, why do you explicitly want to duplicate it across multiple
> systems if you don't have to?
>
> This may be a poor analogy as I know very little about VMS.  But why
> would you duplicate entries in SYSUAF on multiple systems in a cluster
> if you had the option to have the SYSUAF on a clustered file system so
> that one copy of the SYSUAF was used by all of the systems in the cluster?

If you're discussing a VMS Cluster, then you may find that most such do 
have a single SYSUAF for the entire cluster.

If you are talking non-clustered systems, perhaps different SYSUAF data 
might be required on each system.  I'd prefer one size fit all, but, 
that may not always be possible.

> That centralized storage of data is what LDAP does.  It just does it in
> a way that is platform agnostic.
>
>> For most, I'd think allowing the use of a "local" password would not
>> be reasonable.  Too much chance to get around the corporate (or
>> whatever) control of access.
>
> LDAP can store a LOT more information than just passwords.

And if VMS has no method for retrieving some of that data, as reported?


-- 
David Froble                       Tel: 724-529-0450
Dave Froble Enterprises, Inc.      E-Mail: davef at tsoft-inc.com
DFE Ultralights, Inc.
170 Grimplin Road
Vanderbilt, PA  15486
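Grant's claim in the thread, that an LDAP schema can give each entry only the attributes of the platforms it has accounts on, can be checked mechanically from a directory export. The following is an added example, not code from the post and not from any VMS or LDAP product: it reads a constructed LDIF export and reports, per entry, which platform-specific auxiliary classes it carries and whether the attributes present are consistent with those classes (a platform attribute without its class, a class without its required attribute, or no password at all). The class and attribute names (x-vmsAccount, x-vmsUIC, x-windowsAccount, x-winSID and the others) are assumptions for illustration only, not a real schema.

```python
"""Schema consistency check for a per-platform LDAP layout (added example).

The object classes and x-vms*/x-win* attributes below are hypothetical
placeholders for "VMS-specific" and "Windows-specific" data, not the schema
of any real LDAP agent. The LDIF is constructed sample data.
"""
from __future__ import annotations

from collections import defaultdict

# Hypothetical auxiliary classes: attributes each one requires (MUST) and
# merely permits (MAY). Names are lower-cased because LDAP attribute and
# class names are case-insensitive. The base class carries userPassword.
PLATFORM_CLASSES: dict[str, dict[str, tuple[str, ...]]] = {
    "x-vmsaccount": {"must": ("x-vmsuic",), "may": ("x-vmsdefaultdir",)},
    "x-windowsaccount": {"must": ("x-winsid",), "may": ("x-winprofilepath",)},
}

# Constructed export: jsmith has both platforms, adoe is Windows-only,
# bruce carries a VMS attribute without the VMS class (a real server would
# reject this at schema check), carol has no password at all.
SAMPLE_LDIF = """\
# constructed sample, not a real directory
dn: uid=jsmith,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: x-vmsAccount
objectClass: x-windowsAccount
uid: jsmith
userPassword: {SSHA}bm90LWEtcmVhbC1oYXNo
x-vmsUIC: [200,17]
x-vmsDefaultDir: DISK$USER:[JSMITH]
x-winSID: S-1-5-21-1-2-3-1105

dn: uid=adoe,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: x-windowsAccount
uid: adoe
userPassword: {SSHA}bm90LWEtcmVhbC1oYXNo
x-winSID: S-1-5-21-1-2-3-1106

dn: uid=bruce,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: bruce
userPassword: {SSHA}bm90LWEtcmVhbC1oYXNo
x-vmsUIC: [200,18]

dn: uid=carol,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: x-vmsAccount
uid: carol
x-vmsUIC: [200,19]
"""


def parse_ldif(text: str) -> list[dict[str, list[str]]]:
    """Minimal LDIF reader: records split on blank lines, comments skipped,
    continuation lines (leading space) joined, attribute names lower-cased.
    Base64 values ("::") are not handled; none appear in the sample."""
    entries: list[dict[str, list[str]]] = []
    logical: list[str] = []

    def flush() -> None:
        if not logical:
            return
        entry: dict[str, list[str]] = defaultdict(list)
        for line in logical:
            attr, _, value = line.partition(":")
            entry[attr.strip().lower()].append(value.strip())
        entries.append(dict(entry))
        logical.clear()

    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if not raw.strip():
            flush()
        elif raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    flush()
    return entries


def check_entry(entry: dict[str, list[str]]) -> tuple[set[str], list[str]]:
    """Return (platform classes the entry carries, schema problems found)."""
    classes = {c.lower() for c in entry.get("objectclass", [])}
    platforms: set[str] = set()
    problems: list[str] = []
    if "userpassword" not in entry:
        problems.append("no userPassword: central authentication cannot succeed")
    for cls, spec in PLATFORM_CLASSES.items():
        present = [a for a in spec["must"] + spec["may"] if a in entry]
        if cls in classes:
            platforms.add(cls)
            missing = [a for a in spec["must"] if a not in entry]
            if missing:
                problems.append(f"{cls}: missing required {missing}")
        elif present:
            problems.append(f"{present} present without objectClass {cls}")
    return platforms, problems


def audit(text: str) -> dict[str, tuple[set[str], list[str]]]:
    """Audit every entry of an LDIF export, keyed by uid."""
    return {e["uid"][0]: check_entry(e) for e in parse_ldif(text)}


if __name__ == "__main__":
    for uid, (platforms, problems) in audit(SAMPLE_LDIF).items():
        print(f"{uid}: platforms={sorted(platforms)} problems={problems}")
```

This only shows directory-side consistency: an entry can be schema-clean and still useless to a system whose LDAP agent reads nothing but the password, which is exactly the question Dave raises about VMS above.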


