Operating System - OpenVMS
LDAP ACME Issues on OpenVMS V8.3.1H1

Theodore Jay Allen
Occasional Advisor

I am having issues with the subject configuration and have an open case with HP (the first one got inexplicably closed). At one point I was successful in getting non-SSL/TLS LDAP authentication working, however, at this time it is failing as well.

Here are the steps performed:

1. Installed HP I64VMS V83_ACMELDAP_STD V1.3
2. Installed HP I64VMS V83_ACMELOGIN V1.1
3. Loaded the Persona extension:
   $ mcr sysman sys_loadable add ldapacme ldapacme$ext
4. Configured LDAPACME$CONFIG-STD.INI for non-SSL/TLS authentication.
5. Edited Sys$Startup:ACME$Start.com:
   $ define/sys/exec ldapacme$init sys$startup:ldapacme$config-std.ini
   $ define/sys/exec ldapacme$no_tls "TRUE"
   $ @sys$startup:ldapacme$startup-std
6. Added to Systartup_VMS.Com:
   $ set server acme/restart
   $ @sys$startup:acme$start.com
7. Set the ExtAuth flag on a test account's SYSUAF record.
8. Rebooted.
9. Verified the LDAP-STD agent was loaded:
   $ show server acme/full
10. Verified the LDAP logicals were defined. NOTE: *** Logicals defined in the SYSTEM table as BOTH Supervisor and Executive mode logicals ***

Initially this did not work and the LDAP* logical names were defined ONLY in Supervisor mode, until I added the explicit "@sys$startup:acme$start.com" to Systartup_VMS.Com. HP Support said to add the execution of this procedure directly after the "set server acme/restart". I then ended up with the LDAP* logicals getting defined in both Super and Exec modes.

I am certain that the "set server acme/restart" command actually executes "acme$start.com" and for some reason when it executes it the LDAP* logicals get created in Supervisor mode during the startup. I confirmed this by adding "show logical ldap*" commands in Systartup_VMS.Com prior to and after the "set server acme/restart" and explicit execution of acme$start.com. The Agent requires the LDAP logicals be defined in executive mode, otherwise things fail. The startup procedure is running as user SYSTEM so I see no reason why the "define/sys/exec" would result in supervisor mode logicals getting defined.

At this point all I get is a "User authorization failure" message returned immediately after entering the username and external password for the test user account. I also find no errors indicated in the acme$server.log or acme$start.log files.

As previously stated, at one point this configuration was working. If I can get this working again, I'll try to tackle the SSL/TLS LDAP authentication again (which never did work). I was receiving timeouts, hangs, etc. when attempting SSL/TLS LDAP authentication to the same server.

FWIW, I had both non-secure and secure (SSL/TLS) authentication working with OpenVMS field test V8.3 and the same LDAP servers almost two years ago.

Any and all assistance is greatly appreciated.

Best Regards,

Ted
3 REPLIES
Graham VSM
Occasional Visitor

Re: LDAP ACME Issues on OpenVMS V8.3.1H1

We had a similar issue here when the ldapacme$init logical was defined in acme$start.com. Removing the definition from there and putting it in sylogicals.com resolved the problem.

I think the issue is that the logical must be defined (in exec mode) BEFORE ACME starts, otherwise the LDAP agent will fail to load.
When it is defined in acme$start.com, the process that runs the procedure does not have enough privileges to define a logical in exec mode and falls back to supervisor mode.

I suspect that when you added the definition after the "set server acme/restart", the LDAP agent had already tried to load and failed due to the invalid super-mode logical. Try defining it in sylogicals.com as we did and see if it fixes your problem.

Regards.
Graham Rawolle
Theodore Jay Allen
Occasional Advisor

Re: LDAP ACME Issues on OpenVMS V8.3.1H1

Thanks for the response Graham. We actually ended up defining the LDAPACME$INIT logical in SYLOGICALS.COM on August 15, 2008 to resolve the issue.

I should have replied back to this thread and closed it with that information at that time.

As far as I know, at this time, that workaround is still required. However, with the latest VMS831H1I_ACMELDAP-V0100 patch kit we are now seeing other issues...

Best Regards,

Ted
Theodore Jay Allen
Occasional Advisor

Re: LDAP ACME Issues on OpenVMS V8.3.1H1

The solution (or at least a workaround) to this issue was to define the LDAPACME$INIT logical in SYLOGICALS.COM to equate to the LDAP ACME configuration file to be used.
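As an added illustration (not commands posted in this thread), the workaround in DCL form plus a check that the logical really landed in executive mode before ACME started; the INI path is the one from the original post and the placement in SYS$MANAGER:SYLOGICALS.COM follows the replies.

```dcl
$! Added example, not from the thread. Put this in SYS$MANAGER:SYLOGICALS.COM,
$! which runs early in startup with the rights to create executive-mode names.
$ DEFINE/SYSTEM/EXECUTIVE_MODE LDAPACME$INIT SYS$STARTUP:LDAPACME$CONFIG-STD.INI
$!
$! Verification once the system is up. /FULL prints the access mode of each
$! translation; the agent needs an [exec] entry, and a [super]-only entry means
$! the DEFINE ran in a context that could not create an executive-mode name.
$ SHOW LOGICAL/FULL/TABLE=LNM$SYSTEM_TABLE LDAPACME$INIT
$ SHOW LOGICAL/FULL/TABLE=LNM$SYSTEM_TABLE LDAP*
$!
$! Scriptable check: F$TRNLNM with mode EXECUTIVE only returns a translation
$! defined at executive (or kernel) mode, so an empty result flags the problem.
$ IF F$TRNLNM("LDAPACME$INIT","LNM$SYSTEM_TABLE",,"EXECUTIVE") .EQS. "" THEN -
     WRITE SYS$OUTPUT "LDAPACME$INIT is NOT defined in executive mode"
$!
$! Confirm the LDAP-STD agent actually loaded, as in the original post.
$ SHOW SERVER ACME/FULL
```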