Operating System - OpenVMS
cancel
Showing results for 
Search instead for 
Did you mean: 

Enterprise Directory help binding DUA to DSA on AD win2003

dougy_1
Occasional Visitor

Enterprise Directory help binding DUA to DSA on AD win2003

Good Morning,

Having tried various commands both from DXIM and NCL I still cannot Bind from VMS Alpha DUA to the Test Active Directory we have setup on Windows 2003 Server.
The 'test' set up is;
Open VMS Alpha V7.3-2
DXDA V 5.6
TCPIP V 5.4-ECO 7

Step 1;
We do not wish to use the HP Administrator for Enterprise Directory windows GUI (Version 2.2), but we did fire this up just to test. From this we could see the temporary DSA set up on our VMS node, we could update the DSA manually from DXIM and the GUI displayed the updates. We also could see on a second Alpha a second dsa, this gave us some confidence. So we then blew these DSA's away.

Step 2;
What we are now trying to achieve is access from the DUA on our test vms alpha node, to the test Windows 2003 Server active directory.

I had a look inside the command file DXD$DUA_CONFIGURE at how this checks where the 'remote' DSA exists. I tried using the same command here ( ip address replaced with x's );

$ DXDPING == "$sys$system:DXD$DSA_RFC-INTERFACING_PING.EXE"

$dxdping """DSA""/""DSA""/""DSA""/RFC1006+xx.xxx.x.xxx+389,RFC1006"G.EXE"

no luck here, $STATUS = %X10000002

I tried monitoring the win server TCP processes using the sysinternals tools kindly provided from MS, ran a short dcl command file to ping and one to dxdping, but nothing useful there.

What would be useful is knowing what the Windows Server requires, does it use the DSA/DSA/DSA syntax?

Anyone managed to achieve successfull Binding from Alpha to a Windows AD ?

I have RTFM by the way :-)

Thanks for any help,

Doug.
gloves made from your own skins
8 REPLIES
dougy_1
Occasional Visitor

Re: Enterprise Directory help binding DUA to DSA on AD win2003


I should mention that when we try to 'click' the DSA (on the Win Server 2003 AD)using the HP Admin Enterprise Directory GUI, that we get the following message box;

"Unable to bind to sdrtdc01.xxxxx.nhs.uk:389:Unsupported DSA type."

Thanks,

Doug.
gloves made from your own skins
JohnDite
Frequent Advisor

Re: Enterprise Directory help binding DUA to DSA on AD win2003

Doug,

I think you may have got the wrong end of the stick here.

You say you want to connect to an Win2003 AD. That means that an OpenVMS component that you're using (ACME(?)) wants to connect via a LDAP library function to the Win2003 AD. That would imply that you do NOT want to use the Enterprise Directory Server as the LDAP Server.

You also talk of the HP Administrator for Enterprise Directory windows GUI not being able to connect to the Win2003 AD. As far as I'm aware, unless they have added LDAP client functionality into it more recently, this GUI was only ever intended to allow someone to manage the Enterprise Directory without having to resort to NCL or DXD$NCL ie. a command line interface.

As you may have also noticed dxim only supports DAP.

So summarizing:
1. There is no standard standalone LDAP client available on OpenVMS.

2. dxim does not (to date) support LDAP (as it should)

3. HP Administrator for Enterprise Directory windows GUI as the name implies is purely an "Administrator GUI" and does not support LDAP

4. Although connecting differing DAP(X.500) Servers to distribute and/or replicate parts of a directory has been fairly common over the last 10 years, I have not heard much with regard to LDAP directores, bar propietary solutions such as AD. Hence I do not see how you could connect HP Enterprise Directory to another LDAP directory.

5. You could of course, before connecting to a Win2003 AD, use the HP Directory as a test LDAP server. Having said that, you would need to know how to configure it first.

Hopefully the situation is a bit more clearer.

John
dougy_1
Occasional Visitor

Re: Enterprise Directory help binding DUA to DSA on AD win2003

John,

Thank you for the excellent reply, it certainly answers our problem, i.e. we can't achieve our aim!

>
"That would imply that you do NOT want to use the Enterprise Directory Server as the LDAP Server."

yes that's right.

>
"You also talk of the HP Administrator for Enterprise Directory windows GUI not being able to connect to the Win2003 AD. As far as I'm aware, unless they have added LDAP client functionality into it more recently, this GUI was only ever intended to allow someone to manage the Enterprise Directory without having to resort to NCL or DXD$NCL ie. a command line interface."

Okay, we were only attempting this as an extra test anyway, it wasn't a requirement.

>As you may have also noticed dxim only supports DAP."

Er, no.

>Hence I do not see how you could connect HP Enterprise Directory to another LDAP directory."

Ok, looks like it's plan B then ;-)

>
"Hopefully the situation is a bit more clearer."

Yes, a bit.

Many thanks again John for the reply.

doug.


gloves made from your own skins
JohnDite
Frequent Advisor

Re: Enterprise Directory help binding DUA to DSA on AD win2003

Doug,

what are you trying to achieve? What is plan B?

Just curious.

John
Venkatesh_19
Occasional Visitor

Re: Enterprise Directory help binding DUA to DSA on AD win2003

Hello Doug,

The ping utility in the command file DXD$DUA_CONFIGURE is used for checking the availability of the DSA's on VMS. The syntax used by the PING utility as shown below: "DSA"/"DSA"/"DSA"/RFC1006+xx.xxx.x.xxx+389,RFC1006"G.EXE"
is very specific to the DSA's running on VMS Alpha.

The syntax "DSA/DSA/DSA" is used in OSI based environments where each of the token seperated by '/' is known as a selector and the three 'DSA' tokens indicate the selectors in the OSI environment at different layers (Application, Presentation and Session).

Trying to use DXD$DUA_CONFIGURE or the ping utility does not work for DSAs running on windows (such as Windows AD).

Hope the above information helps.

Regards,
Venkatesh
dougy_1
Occasional Visitor

Re: Enterprise Directory help binding DUA to DSA on AD win2003

John,

We currently manage user accounts via a DCL command files, which update UAF & PWRKS & Windows/AD. Until we go live with Single Sign On, this command file has to be retained for now for administration purposes.

We have moved an application from VMS to Windows and integrated the applicationâ s login with AD. At login the application needs to read a number of AD custom attributes. As our current account management procedures run on VMS and we are looking for a mechanism to update these AD attributes from VMS. We thought we might be able to use the client portion of the HP Enterprise Directory to do this.

Plan B is to update these attributes manually which is much less elegant than automating the process.

Doug.
gloves made from your own skins
JohnDite
Frequent Advisor

Re: Enterprise Directory help binding DUA to DSA on AD win2003

As I have mentioned there is no stand-alone client, but you could write your own, specifically for your requirements.

Look at the example LDAP_EXAMPLE.C in SYS$EXAMPLES, that could be a start.

Or put in your request to HP that it was about time that they update dxim to support LDAP. ;-))



dougy_1
Occasional Visitor

Re: Enterprise Directory help binding DUA to DSA on AD win2003

Thanks John & Venkatesh for your help/replies.

I'll leave the decision with upper management :-)
gloves made from your own skins