In article <email@example.com>, ***@vajhoej.dk
Post by Arne Vajhøj
(no quote as this is not related to any particular post)
I am thinking like this: getting VMS authentication using
LDAP (AD or otherwise) seems to be as much fun as dental surgery -
would it be better to try and change the problem?
I'm sitting here at home debugging a weird problem with my
home-brew LDAP ACME agent (because our customer's LDAP
service is strange and non-standard and the standard VMS
LDAP-STD agent can't cope with it.) It ALMOST works.
Everything works for normal logins, local terminals,
DECnet terminals, LAT, SSH (both with password and public
key authentication), etc. etc. EXCEPT processes created
with $ run/detached/authorize get blown away right in the
finish phase... The really weird thing is the user in
question is NOT an EXTAUTH user, so my agent should have
no effect. (I did just find a bug in the sys$example
program that causes a buffer overflow, but that doesn't
fix the problem.)
The OTHER thing I'm doing is waiting for my gum to heal
from dental surgery - I had a tooth extracted last week so
they can put in an implant.
So I should be eminently qualified to answer all the
questions here, and will try to do so, but on the other
hand, I feel that I mostly have no idea at all what is
going on and why things are doing what they do.
Post by Arne Vajhøj
Instead of users authenticating against VMS, which authenticates against
the LDAP server, have users authenticate against the application, which
authenticates against the LDAP server.
This is a non-starter if users have DCL access. But that
is not so common anymore.
If people are presented with some sort of UI (does not matter
if it is VT SMG$ or web browser or something else) then ask
for their AD username+password, authenticate and manage
them based on that.
That changes the problem from integrating VMS with the LDAP
server using the apparently thin documentation to
finding an LDAP client library and changing the application
to use that.
Maybe - just maybe - that would be a better way forward.
We are gradually transitioning our apps from using character
cell interfaces (e.g. SMG) to GUIs. Some are web/HTML
based and most are Java. The Java GUIs run in the user's
device (Windows, Mac, Unix, Linux, whatever) and access
the VMS system via a server process using SSL (really TLS
1.2, I think) as a communications mechanism. The server
process (running on VMS) authenticates the user against
the VMS SYSUAF and performs applications control, data
access, data modifications, etc. as allowed by the VMS
rights assigned to the user. For many years, the server
has been using SYS$ACM() to authenticate the users, who
were all local. My new agent will enable LDAP
authentication instead of VMS authentication for users
marked EXTAUTH in the SYSUAF. This all falls out, we
don't even have to recompile anything!
The remaining character cell interfaces will also use the
same LDAP agent, no matter how the user connects to VMS.
I hope this helps see what is possible.
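As an added illustration of the application-level approach Arne proposes (this is example code written for this page, not code from either poster or from VMS): the server process collects the user's AD username and password and verifies them with an LDAP simple bind as that user. The DOMAIN value, the ldap3 library and the LDAPS server URL are assumptions; the bind itself is isolated in one callable so the decision logic can be exercised without a directory server.

```python
# Application-level LDAP authentication: the app (not VMS EXTAUTH) checks the
# AD credentials by performing an LDAP simple bind as the user.
from dataclasses import dataclass
from typing import Callable

# Assumption: the AD domain used to form the userPrincipalName for binding.
DOMAIN = "example.com"

@dataclass
class AuthResult:
    ok: bool
    reason: str

def is_safe_username(username: str) -> bool:
    """Accept only plain account names; reject anything that could turn the
    bind name into a different identity (DN/UPN syntax, wildcards, spaces)."""
    return (0 < len(username) <= 64 and username.isascii()
            and all(c.isalnum() or c in "._-" for c in username))

def authenticate(username: str, password: str,
                 bind: Callable[[str, str], bool]) -> AuthResult:
    """Decide whether (username, password) is valid; fail closed on anything odd."""
    if not is_safe_username(username):
        return AuthResult(False, "malformed username")
    # A simple bind with a name and an EMPTY password is an *unauthenticated*
    # bind (RFC 4513 section 5.1.2), which Active Directory accepts by default.
    # Without this check any known username would log in with no password.
    if password == "":
        return AuthResult(False, "empty password")
    upn = f"{username}@{DOMAIN}"
    try:
        if bind(upn, password):
            return AuthResult(True, "bind ok")
        return AuthResult(False, "invalid credentials")
    except Exception:  # server down, TLS failure, timeout: never fall open
        return AuthResult(False, "directory unavailable")

def ldap3_bind(server_url: str) -> Callable[[str, str], bool]:
    """Bind callable backed by the ldap3 library (assumed installed); use an
    ldaps:// URL so the password never crosses the network in clear."""
    def bind(user: str, password: str) -> bool:
        import ldap3  # imported lazily so the logic above needs no dependency
        server = ldap3.Server(server_url, use_ssl=True, get_info=ldap3.NONE)
        conn = ldap3.Connection(server, user=user, password=password)
        try:
            return conn.bind()  # True on success, False on invalidCredentials
        finally:
            if not conn.closed:
                conn.unbind()
    return bind
```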