The VMS Shark

OpenVMS Notes: LDAP (Lightweight Directory Access Protocol)

  1. The information presented here is intended for educational use by qualified OpenVMS technologists.
  2. The information presented here is provided free of charge, as-is, with no warranty of any kind.
  3. Is this text too small? You have two options:
    1. hold down the CTRL key while rolling the mouse wheel (zoom-in, zoom-out)
    2. use your keyboard like so:
      • hit: CTRL with "-" key to zoom smaller
      • hit: CTRL with "+" key to zoom larger
      • hit: CTRL with zero key to reset zoom


  1. LDAP (Lightweight Directory Access Protocol)
  2. ACME (Authentication Credentials Management Extensions)
  3. VAM (VMS Authentication Module)
  4. External Links

Edit: 2017-01-27 (updated a few links)

LDAP (Lightweight Directory Access Protocol)

  1. I've read lots of RFC material over the years but the subject of LDAP seems to be the most obscure topic of all. If you're like me, you'd first pull up the rfc title page then hit control-F to quickly locate desired titles on the page. Doing this on 2008-04-19 shows 78 documents which means that any brain-bootstrap will be very time consuming.
  2. If you've got access to an Alpha VMS system, then a faster way to get your brain up-to-speed would be to type the following:
    $ help ldap
    Then read the introduction as well as any of the other 20 topics. Unlike the RFCs, these VMS documents are written in plain English.
  3. If you've got access to an Alpha VMS system, and you are a programmer, then you might want to read the following files:
    $ type sys$examples:ldap_example.c
    $ type sys$common:[decc$lib.reference.sys$startlet_c]LDAP.h
    After reading the programmer's remarks, I learned even more by compiling the C program (on an OpenVMS platform) then running it with no command line parameters which then returns this single help line:
        usage: [server] [base] [filter] <attributes>
    Caveat: please note that the supplied example is written to perform an anonymous bind to the specified server. This will not work on servers requiring authorization credentials. See notes 5 and 6 below for details about changing the code.
    DCL Command  Explanation
    $demo :== $sys$examples:ldap_example.exe creates a foreign VMS command (so we can pass "unix style" parameters on the command line)
    $demo "o=BELL, c=CA" "cn=NEIL RIECK"

    returns everything available for name "NEIL RIECK" (including non-standard additional attributes) search is restricted to ""

    $demo "o=BELL, c=CA" "cn=NEIL RIECK" o only returns "o" (organization in this case)
    "o" really means object search is restricted to ""
    $demo "o=BELL, c=CA" "cn=NEIL RIECK" o mail only returns "o" and "mail" for this name search is restricted to ""
    $demo "c=CA" "cn=NEIL RIECK" o mail telephonenumber only returns "o" and "mail" and "telephonenumber" search is restricted to ".ca" (across multiple organizations)
    $demo "c=CA" "telephonenumber=5195716303" cn only returns "cn" (canonical name) for this telephone search is restricted to ".ca" (across multiple organizations)

  4. download the next four example files from here
    Example File Explanation
    ldap_example.c the original example "C" file from sys$examples:
    ldap_example_hack.c tweaked for real-world use
    ldap_example_hack_authenticated.c tweaked for real-world use on an LDAP server requiring authentication
    ldap.h the original header file from sys$library:

  5. An "anonymous bind" is done like this:
    stat = ldap_simple_bind_s(ld, NULL, NULL)	// this is the connection line
    if (stat != LDAP_SUCCESS) {     report_error("simple_bind (anonymous)",stat,ld); goto finished; }
  6. A "credentials bind" is done like this:
    stat = ldap_simple_bind_s(ld, ldapUser, ldapPassword)	// this is the connection line
    if (stat != LDAP_SUCCESS) {
    report_error("simple_bind (credentials)",stat,ld);
    goto finished; }

    BTW, here is an actual LDAP "user string" issued to my department by my company's IS/IT people:


    In this example, the string fragment "ou=ICSIS" specifies our username which is used when connecting with the LDAP server.

ACME (Authentication Credentials Management Extensions)

VAM (VMS Authentication Module)

I just (2008-04-xx) finished playing with a trial copy of VAM from Process Software. Version 2.1 supports selective or full transfer of VMS authentication to other corporate systems supporting one of: LDAP, SECURID, or RADIUS, with the option of falling back to UAF authentication on VMS if your network partner is unavailable. I was only able to test the LDAP portion but it works.

Caveat: your initial testing will complete sooner if...

Action Data Comment
 you edit this file: sys$sysdevice:[vam]VAM_CONFIG.DAT  
 then change this line: LDAP_SERVER LDAP://LIMA.BEANS.COM  
 to this: LDAP_SERVER ldap:// lower case "ldap:" changes the port
 or this: LDAP_SERVER :389 forces the port

Be sure to start VAM like this:


Failure to do so will result in some very strange login problems for other users where they'll see the following text before the login prompt:

%SYSTEM-F-NOLOGNAM, no logical name match

Note: this is described on page 2-4 in the 2.1 documentation but one of the lines has slid into the next page. Also, you never see the LGI command line parameter used in any of the example listings.

External Links

Back to OpenVMS
 Back to Home
Neil Rieck
Kitchener - Waterloo - Cambridge, Ontario, Canada.