topic Re: ACMELDAP with Active Directory in Operating System - OpenVMS

ACMELDAP with Active Directory

Thomas Pauli — Wed, 18 Apr 2007 00:36:38 GMT

Since we are urged by our auditors to introduce a strict password policy in our company, we established an W2003 Active Directory Server which handles the authorization requests for most our customer logins. A lot of our users still use interactive logins on a range of OpenVMS systems, which are not synchronized with Active Directory and require different passwords. We aim to authenticate non-core users on these systems external via ACME and LDAP.
To check this out we installed a DS10 alpha with OpenVMS V8.3, Update V2, TCP/IP V5.6, added VMS83A_ACMELDAP-V0200 and V83_ACMELDAP_STD, and tried to establish an ACME LDAP server.
We created a sys$manager:ldapacme.ini, had a logical ldapacme$init pointing to it and use these commands:
$ def/syst/exec ldapacme$init sys$manager:ldapacme.ini
$ def/syst/exec ldapacme$no_tls true
$ set noon
$ set server acme /exit
$ dele/nolog/noconf sys$manager:acme$server.log;*
$ set server acme /start
$ set server acme /trace=10
$ set server acme /conf=(name=VMS)
$ set server acme /conf=(name=LDAP,fac=LDAPACME,cred=VMS)
$ set server acme /enable=name=vms
$ set server acme /enable=name=ldap
$ type sys$manager:acme$server.log;*
We were only partially sucessful, since we only got this:
ACME Agent id: 2 State: Initialized
Name: "LDAP"
Image: "DISK$SYSFEP:[VMS$COMMON.SYSLIB]LDAPACME$LDAP_ACMESHR.EXE;1"
Identification: "LDAPACME Agent V1.0-BL2"
Information: "ldap_agent initialized, waiting to be enabled"
Domain of Interpretation: Yes
Execution Order: 0
The log file contains lines like
%ACME-I-TRACE, trace event from "ACME_ReadControlMBX: Enable received" on 18-AP?
-ACME-I-THREAD, thread: id = 1, type = CONTROL
%ACME-I-TRACE, trace event from "ACME_EnableServer: ERROR" on 18-APR-2007 07:18?
-ACME-I-THREAD, thread: id = 1, type = CONTROL
-ACME-I-EXITSTATUS, exiting with status = %X074ABEB2

Has somebody an idea what's possibly wrong?

Re: ACMELDAP with Active Directory

John Gillings — Wed, 18 Apr 2007 02:01:54 GMT

Thomas,
According to the status:

$ exit %X074ABEB2
%ACME-E-INCOMPATSTATE, server state is incompatible with requested operation

Note that the /TRACE value is a bitmask. Value 10 will trace "general" and "ast" operations only. You may wish to enable more things. To enable everything use /TRACE=2047 (to make things clearer when dealing with bitmasks, it might be better to use hex /TRACE=%X7FF)

Re: ACMELDAP with Active Directory

Thomas Pauli — Wed, 18 Apr 2007 02:40:53 GMT

Thanks for that hint, but I am still not wiser! I included the new log file generated with /TRACE=%x7FF - perhaps there is someon who can see what's wrong.

Re: ACMELDAP with Active Directory

John Gillings — Wed, 18 Apr 2007 03:31:52 GMT

Thomas,
You have a different status:

-ACME-I-GETCLIENTF, client message acquisition failure, status = %X074AD83A

$ exit %X074AD83A
%ACME-E-NOMSGFND, no acceptable message found

Anything in the log files from the directory server?

Re: ACMELDAP with Active Directory

Thomas Pauli — Wed, 18 Apr 2007 03:47:06 GMT

I've got a TCPTRACE running which shows absolutely nothing. The server seems not to be ready to try to connect yet.

Re: ACMELDAP with Active Directory

john Dite — Wed, 18 Apr 2007 05:57:12 GMT

I assume you are planning the LDAP server available on OpenVMS. If not, how are you planning to define the required schema on the external LDAP server?

Have you started/configured the OpenVMS LDAP/Directory Server?

If you check for the DXD$DSA_SERVER process then that will tell you that an attempt was made to start the Directory server.

If you have DECnet+ installed the following NCL command will show you the status:

$MC NCL SHOW DSA ALL STATUS

Then see if the LDAP Port has been set:

$MC NCL SHOW DSA LDAP PORT

Re: ACMELDAP with Active Directory

Thomas Pauli — Wed, 18 Apr 2007 06:00:13 GMT

The external Server is an existing MS Windows 2003 Server. The current problem is how to start the ACME LDAP server, connecting and questioning the external LDAP server will be the next one...

Re: ACMELDAP with Active Directory

john Dite — Wed, 18 Apr 2007 08:25:30 GMT

Thomas

can you show us the contents of your sys$manager:ldapacme.ini file.

Re: ACMELDAP with Active Directory

john Dite — Wed, 18 Apr 2007 08:43:53 GMT

Thomas,

the existing ACME LDAP Server is based on the OpenVMS Enterprise Directory V5.5+ (?). You will have to install this kit and then depending whether you have DECnet installed or not use either a JAVA or the NCL utility to initally set up the directory.

I'm sure this is all described in the accompanying documentation.

As I have said before, if you're planning to use an external LDAP server you'll have to find a way to integrate the ACME schema files on the remote LDAP server.

Re: ACMELDAP with Active Directory

Richard Whalen — Wed, 18 Apr 2007 09:52:25 GMT

You might want to consider Process Software's VAM product. http://www.process.com/VMSauth/index.html
It has the necessary glue between loginout and Active Directory.

Re: ACMELDAP with Active Directory

Chris Barratt — Wed, 18 Apr 2007 23:43:50 GMT

sorry Thomas, I can't help, but I did want to question the assertion from John Dite that you need to use an OpenVMS LDAP server.

That was certainly what I understood to be true, but in the recently released VMS83A_ACMELDAP-V0200 kit (which Thomas has installed), it says....

5.1 New functionality addressed in this kit

5.1.1 Add Active Directory Support

5.1.1.1 Functionality Description:

This ACMELDAP kit adds Active Directory support to the
LDAP ACME agent so users can

1. Login to VMS using their Active Directory usernanme
and password

2. Change their Active Directory password from VMS

So I read from this that you could now get external authentication working against AD.

Cheers,
chris

Re: ACMELDAP with Active Directory

Thomas Pauli — Thu, 19 Apr 2007 00:17:56 GMT

First, thanks to all who engaged themselves in this case!
I appended the contents of my LDAPACME.INI file. The bind_dn value is based on what AD says about my account: "pclan.iplan.dklb.de/DKLB-BUSINESS-UNITS
/DKLB-SYS/DKLB-SYSMGMT/PAULI"
But as far as I know ACMELDAP does not even try to connect to the AD server, since I have TCPTRACE running. The only things I see there are the broadcasts of the AD server itself.

Re: ACMELDAP with Active Directory

JohnDite — Thu, 19 Apr 2007 03:39:22 GMT

Hi Thomas,

I stand to be corrected as far as the Active Directory support is concerned. I tested ACME this withe the EAK version so my experiences are based on using the OpenVMS Enterprise Directory.

Now I don't know whether you want to initially go down that route to see whether ACME works with the 'local' LDAP server before trying to connect it to AD.

We can assume that dkexcv1.iplan.dklb.de resolves to an IP Address?

John

Re: ACMELDAP with Active Directory

Thomas Pauli — Thu, 19 Apr 2007 03:54:05 GMT

John,

no, we don't want to establish a VMS LDAP server, we've got the MS one running and want to use it.
The dkexcv1 name does translate, I checked it with a ping (TCPIP PING dkexcv1).

Re: ACMELDAP with Active Directory

JohnDite — Thu, 19 Apr 2007 09:39:24 GMT

Thomas,

I don't have an V8.3 System but don't you have a LDAPACME$STARTUP.COM startup file, that is possibly in your SYSTARTUP_VMS.COM file?

If I start the ACME Server using the commands as you have listed then I get the same error.

You did:
$ set server acme /enable=name=vms
$ set server acme /enable=name=ldap

However if I follow the documentation "hp OpenVMS LDAP SYS$ACM Authentication Agent Guide 2003" and use
$ set server acme/enable=name=(ldap,vms)

then I get it to start (see attachment)

John

Re: ACMELDAP with Active Directory

Thomas Pauli — Fri, 20 Apr 2007 00:40:12 GMT

John,

incredible - that did the trick! Now I got both servers up and active!

Thanks the lot!

Re: ACMELDAP with Active Directory

JohnDite — Fri, 20 Apr 2007 02:39:07 GMT

Thomas,

glad to hear that the ACME server is now running. I would be interested to hear of your results when using the AD for OpenVMS user authentication.

For all followers of the AD may I point you to an interesting article:

http://www.cs.kent.ac.uk/pubs/2000/2115/content.pdf

John

Re: ACMELDAP with Active Directory

Thomas Pauli — Fri, 20 Apr 2007 03:25:29 GMT

John,

thanks for all the help. Next thing is to modify the AD schema to satisfy ACME requests.
I will keep the thread open to provide informations about our progress.

Re: ACMELDAP with Active Directory

JohnDite — Fri, 20 Apr 2007 06:26:00 GMT

Hi Thomas,

if ACME claims to have added
"Active Directory Support" does the documentation tell you explicitly that you have to adapt the AD schema or is there some other flag that indicates to the ACME LDAP Agent that you are doing a lookup on an AD?

John

Re: ACMELDAP with Active Directory

Thomas Pauli — Fri, 20 Apr 2007 06:30:33 GMT

Hi John,

sadly there is no such flag! We are now facing the task to facilitate changes to our AD scheme so it will work with ACME. The documentation we managed to extract from all possible sources is not too instructive, so we will have to set up a test AD server to find everything out.
This will take it's time, but we think it's worth it!