topic Password synchronization to Windows using LDAP? in Operating System - OpenVMS

Password synchronization to Windows using LDAP?

Jim Geier_1 — Mon, 21 Apr 2008 19:58:08 GMT

The documentation for the OpenVMS LDAP SYS$ACM Authentication Agent suggests that password synchronization between OpenVMS and Windows is possible. All of the configuration information in the dicumentation is for synchronizing with a server running Advanced Server. We would like to synchronize passwords from our OpenVMS Alpha 8.3 servers to the Windows domain. Is this is a realistic possibility now using the software and tools available? And is anyone actually doing it successfully in production?

Re: Password synchronization to Windows using LDAP?

Paul Nunez — Tue, 22 Apr 2008 11:11:04 GMT

Hi Jim,

Yes, it is possible. You need to acmeldap v0200 kit. Basically, you:

1. Download and install the dec-axpvms-vms83a_acmeldap-v0200--4 pcsi kit

2. Restore sys$update:acme_dev_kits.bck

3. Install DEC-AXPVMS-V83_ACMELDAP_STD-V0103--4.PCSI;1 and DEC-AXPVMS-V83_ACMELOGIN-V0101--4.PCSI;1

4. Load the Persona Extension with $ mc sysman SYS_LOADABLE ADD LDAPACME LDAPACME$EXT

5. Reboot

6. Configure the ini file (attached)

7. Run @sys$startup:acme$start

8. Confirm LDAP-STD agent is loaded - $ show server acme

9. Set ExtAuth flag on SYSUAF account

Re: Password synchronization to Windows using LDAP?

Edwin Gersbach_2 — Tue, 22 Apr 2008 11:18:13 GMT

Jim

Have a look at the thread http://forums12.itrc.hp.com/service/forums/questionanswer.do?admit=109447627+1206017464895+28353475&threadId=1197550
for some retrictions. Especially read the entry by M. T. Hollinger (4. entry)

Edwin

Re: Password synchronization to Windows using LDAP?

Hoff — Tue, 22 Apr 2008 14:44:03 GMT

Configuring LDAP External Authentication:

http://64.223.189.234/node/619

Re: Password synchronization to Windows using LDAP?

Jim Geier_1 — Thu, 08 Jan 2009 18:36:12 GMT

Thanks for the information. On a standalone AlphaServer running OpenVMS 8.3 and patched up to Update V8, I installed the following three kits:
VMS83A_ACMELDAP V2
V83_ACMELOGIN V1.1
V83_ACMELDAP_STD V1.1

I followed the release notes. I am having a problem with the
SYSMAN SYS_LOADABLE ADD LDAPACME LDAPACME$EXT
step. I see in the file SYS$UPDATE:VMS$SYSTEM_IMAGES.IDX a line indicating "SWsystem image LDAPACME$EXT load failed", and after rebooting, I see in VMS$SYSTEM_IMAGES.DATA (in the directory sys$loadable_images) a message "%SYSINIT, system image LDAPACME$EXT load failed."

Any ideas as to how I can get the image to load and get this working? Might something in the VMS 8.3 Update V8 be incompatible with the LDAP images?

Re: Password synchronization to Windows using LDAP?

Jim Geier_1 — Thu, 29 Jan 2009 19:49:58 GMT

The error messages may be something of a red herring. The problem with my LDAP-ACME implementation was a problem with the LOGINOUT.EXE image. When I did the PRODUCT INSTALL V83_ACMELOGIN, a message saying that LOGINOUT.EXE would not be replaced because the version already on the system was newer than the image in the kit. This is true, but the version on the system does not have the LDAP-ACME code in it. So after realizing that this was a problem, I extracted LOGINOUT.EXE from the kit, put it in SYS$COMMON:[SYSEXE], did the INSTALL REPLACE and now I have LDAP password synchronization working.

HP OpenVMS Support knows about this problem -- it was first found on OpenVMS on Integrity. The engineering groups are working on a solution.

Re: Password synchronization to Windows using LDAP?

Bob Olewine — Fri, 30 Jan 2009 16:14:09 GMT

I am addressing a similiar problem in that
we woule like to explore having our Alpha
talk to Active Directory and this would appear to be usable here as well. I have a standalone system upgraded to VMS V8.3 with all of the current patches applied so I have the ACME_LDAP V0200 update. Question is ... where do I find(the other two):

VMS83A_ACMELDAP V2 ----- have it
V83_ACMELOGIN V1.1 ------ need it
V83_ACMELDAP_STD V1.1 --- need it

I have a V8.3 distribution kit.

Thank you.

Re: Password synchronization to Windows using LDAP?

Ian Miller. — Fri, 30 Jan 2009 16:34:58 GMT

Unpack sys$update:acme_dev_kits.bck

using backup and they are in there

Re: Password synchronization to Windows using LDAP?

Bob Olewine — Fri, 30 Jan 2009 16:40:28 GMT

Thank you!

Re: Password synchronization to Windows using LDAP?

Jim Geier_1 — Thu, 05 Feb 2009 19:38:18 GMT

I had the LDAP password synchronization working, but not using SSL. Our security require that this use SSL communication. I changed the port number in the initialization file to the port number given by our Windows Server admin . Cycled the OpenVMS system, and now password synchronization is not working.

(1) What is really involved in enabling SSL communication between the OpenVMS system snad the LDAP server?

(2) It is difficult to see what is happening when the password synchronization is working. SHOW SERVICE/FULL ACME gives limited information. What is the best way to debug this problem?

(3) When one makes a change in the configuration file (LDAPACME$CONFIG-STD.INI) what is required to stop and restart the service so that the changes are activated? Can one simply restart the ACME service (SET SERVER/RESTART ACME)?

Re: Password synchronization to Windows using LDAP?

Hoff — Thu, 05 Feb 2009 20:47:56 GMT

Best way?

If you've followed the release notes and have selected the port and have selected the authentication and it doesn't work (and you have HP support), then ring up HP support.

Restarting the ACME pieces should be enough here, but (if things get sufficiently tangled) I'd expect to reboot.

There is a SET SERVER /TRACE that might be of interest.

Re: Password synchronization to Windows using LDAP?

Jim Geier_1 — Mon, 09 Feb 2009 05:39:11 GMT

I did get the LDAP-ACME password synchronization working using SSL. The problem was a typographical error in the initialization file. Once corrected, the ACME server was restarted (SET SERVER ACME/RESTART) and it worked right away.

Then I moved the implementation to our 2-system test cluster. And it did not work. So I went through the documentation again and again and found a command I missed -- one MUST run the DCL script sys$update:vms$system_images.com after loading the persona extension and before rebooting.

Generally, the people who answer the HP OpenVMS support calls know nothing or very little about the LDAP-ACME extension. The most challenging problem I encountered was one I found and solved myself -- the problem of LOGINOUT.EXE not getting installed by the V83_ACMELOGIN patch kit because other VMS 8.3 patch kits had left a version with a higher generation. The support folks then researched and told me that this is known by OpenVMS engineering and is to be solved by them "soon". Generally, the LDAP-ACME extension is not well-known, and not well supported. This is too bad, because we see it as a good solution to the continual complaint by our users/customers that there are too many passwords to remember. Synchronizing password from OpenVMS to Active Directory goes a long way towards solving that complaint and giving us happier users/customers.

A short version of the steps, borrowed from the reply by Paul Nunez, and slightly expanded:

1. Download and install the dec-axpvms-vms83a_acmeldap-v0200--4 pcsi kit
2. Restore sys$update:acme_dev_kits.bck
3. Install the two kits from the backup saveset:
DEC-AXPVMS-V83_ACMELDAP_STD-V0103--4.PCSI;1 and
DEC-AXPVMS-V83_ACMELOGIN-V0101--4.PCSI;1
4. Load the Persona Extension with
$ mcr sysman SYS_LOADABLE ADD LDAPACME LDAPACME$EXT
then
$ @sys$update:vms$system_images.com
5. Reboot
6. Configure the initialization file, sys$startup:ldapacme$config-std.ini
7. Uncomment the line in SYS$MANAGER:ACME$START.COM:
$ @SYS$STARTUP:LDAPACME$STARTUP-STD.COM
8. Add SET SERVER ACME/RESTART to SYSTARTUP_VMS.COM, which in turn runs sys$startup:acme$start.com
9. Confirm LDAP-STD agent is loaded using $ show server acme
Should see two ACME agents, #1 name "VMS" and #2 name "LDAP-STD"
10. Set ExtAuth flag on SYSUAF account