
ACMELDAP with Active Directory

 
Chris Barratt
Frequent Advisor

Re: ACMELDAP with Active Directory

sorry Thomas, I can't help, but I did want to question the assertion from John Dite that you need to use an OpenVMS LDAP server.

That was certainly what I understood to be true, but in the recently released VMS83A_ACMELDAP-V0200 kit (which Thomas has installed), it says....

5.1 New functionality addressed in this kit

5.1.1 Add Active Directory Support

5.1.1.1 Functionality Description:

This ACMELDAP kit adds Active Directory support to the
LDAP ACME agent so users can

1. Login to VMS using their Active Directory username
and password

2. Change their Active Directory password from VMS


So I read from this that you could now get external authentication working against AD.

Cheers,
chris
Thomas Pauli
Advisor

Re: ACMELDAP with Active Directory

First, thanks to all who engaged themselves in this case!
I appended the contents of my LDAPACME.INI file. The bind_dn value is based on what AD says about my account: "pclan.iplan.dklb.de/DKLB-BUSINESS-UNITS/DKLB-SYS/DKLB-SYSMGMT/PAULI"
But as far as I know ACMELDAP does not even try to connect to the AD server, since I have TCPTRACE running. The only things I see there are the broadcasts of the AD server itself.
JohnDite
Frequent Advisor

Re: ACMELDAP with Active Directory

Hi Thomas,

I stand to be corrected as far as the Active Directory support is concerned. I tested ACME with the EAK version, so my experiences are based on using the OpenVMS Enterprise Directory.

Now I don't know whether you want to initially go down that route to see whether ACME works with the 'local' LDAP server before trying to connect it to AD.

We can assume that dkexcv1.iplan.dklb.de resolves to an IP Address?

John
Thomas Pauli
Advisor

Re: ACMELDAP with Active Directory

John,

no, we don't want to establish a VMS LDAP server, we've got the MS one running and want to use it.
The dkexcv1 name does translate, I checked it with a ping (TCPIP PING dkexcv1).
JohnDite
Frequent Advisor
Solution

Re: ACMELDAP with Active Directory

Thomas,

I don't have a V8.3 system, but don't you have a LDAPACME$STARTUP.COM startup file that is possibly in your SYSTARTUP_VMS.COM file?

If I start the ACME Server using the commands as you have listed then I get the same error.

You did:
$ set server acme /enable=name=vms
$ set server acme /enable=name=ldap

However if I follow the documentation "hp OpenVMS LDAP SYS$ACM Authentication Agent Guide 2003" and use
$ set server acme/enable=name=(ldap,vms)

then I get it to start (see attachment)

John
Thomas Pauli
Advisor

Re: ACMELDAP with Active Directory

John,

incredible - that did the trick! Now I got both servers up and active!

Thanks a lot!
JohnDite
Frequent Advisor

Re: ACMELDAP with Active Directory

Thomas,

glad to hear that the ACME server is now running. I would be interested to hear of your results when using the AD for OpenVMS user authentication.

For all followers of the AD may I point you to an interesting article:

http://www.cs.kent.ac.uk/pubs/2000/2115/content.pdf

John
Thomas Pauli
Advisor

Re: ACMELDAP with Active Directory

John,

thanks for all the help. Next thing is to modify the AD schema to satisfy ACME requests.
I will keep the thread open to provide information about our progress.
JohnDite
Frequent Advisor

Re: ACMELDAP with Active Directory

Hi Thomas,

if ACME claims to have added "Active Directory Support", does the documentation tell you explicitly that you have to adapt the AD schema, or is there some other flag that indicates to the ACME LDAP Agent that you are doing a lookup on an AD?

John
Thomas Pauli
Advisor

Re: ACMELDAP with Active Directory

Hi John,

sadly there is no such flag! We are now facing the task to facilitate changes to our AD scheme so it will work with ACME. The documentation we managed to extract from all possible sources is not too instructive, so we will have to set up a test AD server to find everything out.
This will take its time, but we think it's worth it!