[Info-vax] Single Sign On (SSO) from ActiveDirectory

Malcolm Dunnett nothome at spammers.are.scum
Thu Oct 29 18:32:19 EDT 2009


CY wrote:
> Found that since 7.3 ACME supports NTLM 1.0 SSO as an extension of
> their Pathworks endeavour I think...
> I got an 8.2 Alpha and an 8.3 IA, but just reading and listing files
> like SYS$STARTUP:NTA$STARTUP_NT_ACME.com
> doesn't get me all the way. Is there a better instruction than what
> Hoffman Labs put out (sort of, it works)?
> Or would the easy way out be to go with http://www.process.com/VMSauth/OpenVMS%20Auth%20Module.pdf
> and if so how costly is that? If it is by number of users in the AD/LDAP
> catalog then it could get scary.
> 
> Anyone tried out going MS AD LDAP SSO to an Alpha running OVMS 8.2?

    You are talking about two different options here. The NTLM
authentication is distinct from the LDAP authentication. You
don't need to do anything with the NTA$STARTUP_NT_ACME module
if you are going to use LDAP.

    I have been using LDAP to an Active Directory in production
for about a year now (VMS 8.3). It's been mostly trouble-free.
The biggest problem I recall is installing a patch that blew
away the LDAP enabled login and replaced it with the
standard one. The other thing I really dislike is that you can only
specify one LDAP server - if it goes away you are dead. I
think that is supposed to be fixed in 8.4. Hopefully they'll
make the patches in future robust enough to recognize
the LDAP enabled loginout and deal with it properly (or just
make it the standard loginout).

   It's not truly single sign on - you still have to supply your
password to VMS when you log in - it's just that it will look
it up via LDAP rather than using the one stored in SYSUAF. Also
note that some products (such as the HP supplied SSH program)
can't use ACME and will always reference the password in the UAF.
I came up with a hack that allows the Multinet SSH client to
work with the ACME LDAP login by writing my own
LDAP-PLUGIN to replace the stub that comes with Multinet
but it's non-supported and needs to be re-installed
whenever Multinet is updated. What both these products need
is a supported way to implement the keyboard-interactive
authentication method.

Hope this helps.