[Info-vax] LDAP

Scott Dorsey kludge at panix.com
Sun Oct 11 10:43:56 EDT 2020


Marc Van Dyck  <marc.gr.vandyck at invalid.skynet.be> wrote:
>
>We tried it, it works, but it can only be used to store passwords. LDAP
>does not have any provision to store the SYSUAF info so you need to
>keep local user definitions anyway. It just will disregard the password
>stored in SYSUAF in favor of the LDAP one. Means that for system admin
>people, it's twice the work... We decided it was not worth the effort
>and we dropped it. The only real advantage that I can see is that the
>LDAP password hashing algorithm is probably better than the one used in
>SYSUAF so the systems would be marginally safer, which might be
>important for some cases.

This is a feature, not a bug.

In most cases, the whole point of using LDAP is because people have an IT
organization that uses LDAP for central authentication of everything and
the IT organization insists that VMS systems be integrated into their 
authentication arrangement so that they can have control over them.

This configuration allows the IT people to be happy because now they control
authentication of VMS systems, but also allows their authentication to be
readily overridden when the IT systems fail.

The argument I have been repeatedly given about central authentication is
that it is necessary to allow user accounts to be immediately closed as 
soon as a user is dismissed.  (The fact that this is perceived to be an 
issue would indicate a more fundamental management issue to me, but we 
won't go there.)  This configuration allows the IT people to disable access
as users leave, while permitting sufficient local control that the loss of
the LDAP server does not totally shut down critical systems.
--scott

-- 
"It's a Nagra. It's Swiss, and very, very precise."
