Re: ACMELDAP with Active Directory

Thomas Pauli · ‎04-17-2007

Since we are urged by our auditors to introduce a strict password policy in our company, we established an W2003 Active Directory Server which handles the authorization requests for most our customer logins. A lot of our users still use interactive logins on a range of OpenVMS systems, which are not synchronized with Active Directory and require different passwords. We aim to authenticate non-core users on these systems external via ACME and LDAP.
To check this out we installed a DS10 alpha with OpenVMS V8.3, Update V2, TCP/IP V5.6, added VMS83A_ACMELDAP-V0200 and V83_ACMELDAP_STD, and tried to establish an ACME LDAP server.
We created a sys$manager:ldapacme.ini, had a logical ldapacme$init pointing to it and use these commands:
$ def/syst/exec ldapacme$init sys$manager:ldapacme.ini
$ def/syst/exec ldapacme$no_tls true
$ set noon
$ set server acme /exit
$ dele/nolog/noconf sys$manager:acme$server.log;*
$ set server acme /start
$ set server acme /trace=10
$ set server acme /conf=(name=VMS)
$ set server acme /conf=(name=LDAP,fac=LDAPACME,cred=VMS)
$ set server acme /enable=name=vms
$ set server acme /enable=name=ldap
$ type sys$manager:acme$server.log;*
We were only partially sucessful, since we only got this:
ACME Agent id: 2 State: Initialized
Name: "LDAP"
Image: "DISK$SYSFEP:[VMS$COMMON.SYSLIB]LDAPACME$LDAP_ACMESHR.EXE;1"
Identification: "LDAPACME Agent V1.0-BL2"
Information: "ldap_agent initialized, waiting to be enabled"
Domain of Interpretation: Yes
Execution Order: 0
The log file contains lines like
%ACME-I-TRACE, trace event from "ACME_ReadControlMBX: Enable received" on 18-AP?
-ACME-I-THREAD, thread: id = 1, type = CONTROL
%ACME-I-TRACE, trace event from "ACME_EnableServer: ERROR" on 18-APR-2007 07:18?
-ACME-I-THREAD, thread: id = 1, type = CONTROL
-ACME-I-EXITSTATUS, exiting with status = %X074ABEB2

Has somebody an idea what's possibly wrong?

John Gillings · ‎04-17-2007

Thomas,
According to the status:

$ exit %X074ABEB2
%ACME-E-INCOMPATSTATE, server state is incompatible with requested operation

Note that the /TRACE value is a bitmask. Value 10 will trace "general" and "ast" operations only. You may wish to enable more things. To enable everything use /TRACE=2047 (to make things clearer when dealing with bitmasks, it might be better to use hex /TRACE=%X7FF)

A crucible of informative mistakes

Thomas Pauli · ‎04-17-2007

Thanks for that hint, but I am still not wiser! I included the new log file generated with /TRACE=%x7FF - perhaps there is someon who can see what's wrong.

John Gillings · ‎04-17-2007

Thomas,
You have a different status:

-ACME-I-GETCLIENTF, client message acquisition failure, status = %X074AD83A

$ exit %X074AD83A
%ACME-E-NOMSGFND, no acceptable message found

Anything in the log files from the directory server?

A crucible of informative mistakes

Thomas Pauli · ‎04-17-2007

I've got a TCPTRACE running which shows absolutely nothing. The server seems not to be ready to try to connect yet.

john Dite · ‎04-17-2007

I assume you are planning the LDAP server available on OpenVMS. If not, how are you planning to define the required schema on the external LDAP server?

Have you started/configured the OpenVMS LDAP/Directory Server?

If you check for the DXD$DSA_SERVER process then that will tell you that an attempt was made to start the Directory server.

If you have DECnet+ installed the following NCL command will show you the status:

$MC NCL SHOW DSA ALL STATUS

Then see if the LDAP Port has been set:

$MC NCL SHOW DSA LDAP PORT

Thomas Pauli · ‎04-17-2007

The external Server is an existing MS Windows 2003 Server. The current problem is how to start the ACME LDAP server, connecting and questioning the external LDAP server will be the next one...

john Dite · ‎04-18-2007

Thomas

can you show us the contents of your sys$manager:ldapacme.ini file.

john Dite · ‎04-18-2007

Thomas,

the existing ACME LDAP Server is based on the OpenVMS Enterprise Directory V5.5+ (?). You will have to install this kit and then depending whether you have DECnet installed or not use either a JAVA or the NCL utility to initally set up the directory.

I'm sure this is all described in the accompanying documentation.

As I have said before, if you're planning to use an external LDAP server you'll have to find a way to integrate the ACME schema files on the remote LDAP server.

Richard Whalen · ‎04-18-2007

You might want to consider Process Software's VAM product. http://www.process.com/VMSauth/index.html
It has the necessary glue between loginout and Active Directory.

Chris Barratt · ‎04-18-2007

sorry Thomas, I can't help, but I did want to question the assertion from John Dite that you need to use an OpenVMS LDAP server.

That was certainly what I understood to be true, but in the recently released VMS83A_ACMELDAP-V0200 kit (which Thomas has installed), it says....

5.1 New functionality addressed in this kit

5.1.1 Add Active Directory Support

5.1.1.1 Functionality Description:

This ACMELDAP kit adds Active Directory support to the
LDAP ACME agent so users can

1. Login to VMS using their Active Directory usernanme
and password

2. Change their Active Directory password from VMS

So I read from this that you could now get external authentication working against AD.

Cheers,
chris

Thomas Pauli · ‎04-18-2007

First, thanks to all who engaged themselves in this case!
I appended the contents of my LDAPACME.INI file. The bind_dn value is based on what AD says about my account: "pclan.iplan.dklb.de/DKLB-BUSINESS-UNITS
/DKLB-SYS/DKLB-SYSMGMT/PAULI"
But as far as I know ACMELDAP does not even try to connect to the AD server, since I have TCPTRACE running. The only things I see there are the broadcasts of the AD server itself.

JohnDite · ‎04-18-2007

Hi Thomas,

I stand to be corrected as far as the Active Directory support is concerned. I tested ACME this withe the EAK version so my experiences are based on using the OpenVMS Enterprise Directory.

Now I don't know whether you want to initially go down that route to see whether ACME works with the 'local' LDAP server before trying to connect it to AD.

We can assume that dkexcv1.iplan.dklb.de resolves to an IP Address?

John

Thomas Pauli · ‎04-18-2007

John,

no, we don't want to establish a VMS LDAP server, we've got the MS one running and want to use it.
The dkexcv1 name does translate, I checked it with a ping (TCPIP PING dkexcv1).

JohnDite · ‎04-19-2007

Thomas,

I don't have an V8.3 System but don't you have a LDAPACME$STARTUP.COM startup file, that is possibly in your SYSTARTUP_VMS.COM file?

If I start the ACME Server using the commands as you have listed then I get the same error.

You did:
$ set server acme /enable=name=vms
$ set server acme /enable=name=ldap

However if I follow the documentation "hp OpenVMS LDAP SYS$ACM Authentication Agent Guide 2003" and use
$ set server acme/enable=name=(ldap,vms)

then I get it to start (see attachment)

John

Thomas Pauli · ‎04-19-2007

John,

incredible - that did the trick! Now I got both servers up and active!

Thanks the lot!

JohnDite · ‎04-19-2007

Thomas,

glad to hear that the ACME server is now running. I would be interested to hear of your results when using the AD for OpenVMS user authentication.

For all followers of the AD may I point you to an interesting article:

http://www.cs.kent.ac.uk/pubs/2000/2115/content.pdf

John

Thomas Pauli · ‎04-19-2007

John,

thanks for all the help. Next thing is to modify the AD schema to satisfy ACME requests.
I will keep the thread open to provide informations about our progress.

JohnDite · ‎04-19-2007

Hi Thomas,

if ACME claims to have added
"Active Directory Support" does the documentation tell you explicitly that you have to adapt the AD schema or is there some other flag that indicates to the ACME LDAP Agent that you are doing a lookup on an AD?

John

Thomas Pauli · ‎04-19-2007

Hi John,

sadly there is no such flag! We are now facing the task to facilitate changes to our AD scheme so it will work with ACME. The documentation we managed to extract from all possible sources is not too instructive, so we will have to set up a test AD server to find everything out.
This will take it's time, but we think it's worth it!

JohnDite · ‎04-20-2007

Hi Thomas,

I thought support for AD would entail more than having to compile your own schema, and that on a W$ system.

If it helps I have attached the source schema files that come with the OpenVMS Enterprise Directory (albeit the ones delivered with the EAK). The latest one would be in one of the Enterprise Save Sets and is called ACCOUNT.SC. Hopefully you can adapt it and compile it on your W$ system.

John

Fernando Mühe · ‎05-26-2009

Thomas,

I was reading your small adventure configuring LDAP for OPenVMS, and I'm curious about how did you go making everything work. I followed exactly your steps, and I have LDAP up and running at a OpenVMS 8.3 box, but I still couldn't see any TCPDUMP activity against my W2003 AD server. Did you had to change anything at your AD server? Could you share with us?

Fernando MÃ¼he

Jeremy Begg · ‎05-26-2009

We set this up recently to test some ideas for a customer. I didn't have much to do with it but from memory we didn't have to change the AD schema at all.

We had some problems getting the ACME LDAP agent to work, which were eventually traced to the LDAPACME$INIT logical name not being defined /SYS/EXEC. This logical name should be defined automatically by SYS$STARTUP:ACME$START.COM but for some reason wasn't getting /EXEC. So in the end our startup now looks like this:

In SYLOGICALS.COM ...

$ define/sys/exec ldapacme$init sys$startup:ldapacme$config-std.ini

In SYSTARTUP_VMS.COM ...

$ set server acme/restart

Once we got that sorted out it sprang into life and seems to work.

A few things we've noticed...
1. The ACME LDAP kit supplies new LOGINOUT and SETP0 images which as a side-effect write out messages to the user's terminal saying their login has been authenticated via LDAP. This is very useful for debugging when you're first setting it up, but it would be nice to be able to disable these messages.

3. The ACME LDAP agent will propagate the user's AD password to the VMS SYSUAF record if necessary. This is good.

3. If the LDAP server (AD) is not running the login process can be very slow, even for VMS accounts which don't have ExtAuth flag in SYSUAF. This seems like a bug to me; surely the ACME LDAP agent should only be invoked if the user's SYSUAF entry has ExtAuth set? Note that it's not *always* slow so I'm not sure yet what's happening here.

Regards,
Jeremy Begg

Categories

Company

Local Language

Forums

Discussions

Forums

Discussions

Forums

Discussions

Forums

Discussions

Forums

Discussions

Discussions

Forums

Forums

Discussions

Forums

Discussions

Forums

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Community

Resources

Other HPE Sites

Discussions

Forums

Blogs

Re: ACMELDAP with Active Directory

ACMELDAP with Active Directory