Operating System - OpenVMS

Re: ACME LDAP Username matching

 
SOLVED
Mike R Smith
Frequent Advisor

ACME LDAP Username matching

We are looking into setting up ACME LDAP on VMS 8.3 to authenticate against Active directory. A question came up that I want to verify what I think is the correct answer.

If AD accounts and VMS login usernames don't match, what happens? Another way to ask this question is, "Do AD account usernames and the VMS login usernames have to match?"

I did find the below as a restriction from the 2007 release notes and I believe that is what this means. I just want to make sure I haven't missed some enhancement or note somewhere else.

LDAP-to-OpenVMS username mapping is currently required to be one-to-one. That is, the username entered at login that matches an LDAP entry must have a corresponding record in the local system's SYSUAF.DAT file.

Thanks so much!
5 REPLIES
Hoff
Honored Contributor
Solution

Re: ACME LDAP Username matching

The username and the entry in Open Directory (OD) or Active Directory (AD) LDAP have to match; AFAIK, there's no provision for a username-to-LDAP "proxy" mapping mechanism here. I've certainly not encountered it in my "adventures" here.

Oh, and the ACME documentation is, um, weak.

Before you start this quest, check in with the HP OpenVMS Engineering folks. It would not surprise me to learn that they have updated documentation.

I've certainly accumulated a pile of (local) documentation from my experiences. To your advantage here, AD should be a bit easier to sort than OD, as AD is what HP most often seems to document here.

I did successfully get the OpenVMS boxes authenticating to the Mac OS X Server and an OD infrastructure.

Beyond any documentation updates that HP might have, here are some URLs you'll want to review:

http://www3.sympatico.ca/n.rieck/docs/openvms_notes_ldap.html

http://labs.hoffmanlabs.com/node/619

http://h71000.www7.hp.com/openvms/journal/v4/openvms_journal.pdf
Mike R Smith
Frequent Advisor

Re: ACME LDAP Username matching

Thanks so much for the reply. I got my initial information from your site, which had the 2007 doc on it. I will check the links you provided.
sgprasad
New Member

Re: ACME LDAP Username matching

Hi,

Yes, on V8.3 and V8.3-1H1, there is currently only one-to-one mapping.

In the next release of OpenVMS (V8.4, to be released), there is a proxy mechanism (i.e. a mapping between directory server users and the sysuaf.dat (OpenVMS) users). The documentation for the LDAP ACME is also getting updated in this OS version.

Thanks and warm regards,
Prasad
Mike R Smith
Frequent Advisor

Re: ACME LDAP Username matching

Thanks so much and to the earlier point, the documentation is a bit economical. It will be great to see it enhanced.
Mike R Smith
Frequent Advisor

Re: ACME LDAP Username matching

Per the answers given, the mapping is one-to-one. In the event of a local account that is not in AD, one would not put the external authentication flag on that account, which would keep it authenticating locally.
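
An audit of the one-to-one rule discussed in this thread, as an added example that is not part of the original posts and is not HP's tooling: it compares a directory username list against SYSUAF records and their external-authentication flag. The input layout, the function name `audit` and the sample accounts are constructed for illustration; `EXTAUTH` is the AUTHORIZE name for the external authentication flag, and 12 characters is the OpenVMS username length limit.

```python
"""Audit LDAP-to-SYSUAF one-to-one username mapping (added example)."""

# Constructed sample data. In practice these would be exported from the
# directory and from an AUTHORIZE listing; this layout is an assumption.
AD_USERS = ["msmith", "jdoe", "Backup.Operator1", "hoff"]
SYSUAF = {                      # username -> set of UAF flags
    "MSMITH": {"EXTAUTH"},
    "JDOE": set(),
    "SYSTEM": set(),
    "OLDUSER": {"EXTAUTH"},
}
MAX_VMS_USERNAME = 12           # OpenVMS username length limit


def audit(ad_users, sysuaf):
    """Classify every account under the one-to-one mapping rule."""
    ad = {u.upper() for u in ad_users}      # VMS usernames are case-insensitive
    report = {k: [] for k in (
        "mapped",             # in both, EXTAUTH set: authenticates via LDAP
        "extauth_orphan",     # EXTAUTH set, no directory entry to check against
        "match_but_local",    # same name in both, but still a local password
        "local_only",         # not in directory, no EXTAUTH: intended local
        "no_sysuaf_record",   # directory user with no SYSUAF record
        "too_long",           # directory name cannot exist in SYSUAF
    )}
    for name in sorted(sysuaf):
        ext = "EXTAUTH" in sysuaf[name]
        if name in ad:
            report["mapped" if ext else "match_but_local"].append(name)
        else:
            report["extauth_orphan" if ext else "local_only"].append(name)
    for name in sorted(ad - set(sysuaf)):
        key = "too_long" if len(name) > MAX_VMS_USERNAME else "no_sysuaf_record"
        report[key].append(name)
    return report


if __name__ == "__main__":
    for category, names in audit(AD_USERS, SYSUAF).items():
        print(f"{category:18} {', '.join(names) or '-'}")
```

The `extauth_orphan` and `match_but_local` rows are the ones to review first: the former has nothing in the directory to authenticate against, the latter keeps a separate local password alongside the directory one.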