topic ACME LDAP Username matching in Operating System - OpenVMS

ACME LDAP Username matching

Mike R Smith — Thu, 08 Apr 2010 16:07:27 GMT

We are looking into setting up ACME LDAP on VMS 8.3 to authenticate against Active directory. A question came up that I want to verify what I think is the correct answer.

If AD accounts and VMS login usernames don't match, what happens? Another way to ask this question is, "Do AC account usernames and the VMS login usernames have to match?"

I did find the below as a restriction from the 2007 release notes and I believe that is what this means. I just want to make sure I haven't missed some enhancement or note somewhere else.

LDAP-to-OpenVMS username mapping is currently required to be one-to-one. That is, the username entered at login that matches an LDAP entry must have a corresponding record in the local systems's SYSUAF.DAT file.

Thanks so much!

Re: ACME LDAP Username matching

Hoff — Thu, 08 Apr 2010 16:30:30 GMT

The username and the entry in Open Directory (OD) or Active Directory (AD) LDAP has to match; AFAIK, there's no provision for a username-to-LDAP "proxy" mapping mechanism here. I've certainly not encountered it in my "adventures" here.

Oh, and the ACME documentation is, um, weak.

Before you start this quest, check in with the HP OpenVMS Engineering folks. It would not surprise me to learn that they have updated documentation.

I've certainly accumulated a pile of (local) documentation from my experiences. To your advantage here, AD should be a bit easier to sort than OD, as AD is what HP most often seems to document here.

I did successfully get the OpenVMS boxes authenticating to the Mac OS X Server and an OD infrastructure.

Beyond any documentation updates that HP might have, here are some URLs you'll want to review:

http://www3.sympatico.ca/n.rieck/docs/openvms_notes_ldap.html

http://labs.hoffmanlabs.com/node/619

http://h71000.www7.hp.com/openvms/journal/v4/openvms_journal.pdf

Re: ACME LDAP Username matching

Mike R Smith — Thu, 08 Apr 2010 17:47:23 GMT

Thanks so much for the reply, I got my initial information from your site which had the 2007 doc on it. I will check the links you provided.

Re: ACME LDAP Username matching

sgprasad — Fri, 09 Apr 2010 07:00:34 GMT

Hi,

Yes, on V8.3 and V8.3-1H1, there is currently only one-to-one mapping.

The next release of OpenVMS (V8.4 to be released), there is a proxy mechanism (i.e. mapping between directory server users and the sysuaf.dat (OpenVMS users). The documentation for the LDAP ACME is also getting updated on this OS version.

Thanks and warm regards,
Prasad

Re: ACME LDAP Username matching

Mike R Smith — Fri, 09 Apr 2010 11:42:02 GMT

Thanks so much and to the earlier point, the documentation is a bit economical. It will be great to see it enhanced.

Re: ACME LDAP Username matching

Mike R Smith — Fri, 09 Apr 2010 11:44:42 GMT

Per the answers given, the mapping is one to one. In the event of a local account that is not in AD, one would not put the external authentication flag on that account which would keep it authenticating locally.