OpenVMS Notes: LDAP (Lightweight Directory Access Protocol)

The information and software presented on this web site are intended for educational use only for OpenVMS application developers and OpenVMS system attendants.
The information and software presented on this web site are provided free of charge.
The information and software presented on this web site are presented to you as-is. I will not be held responsible in any way if the information and software presented on this web site damages your computer system, business or organization (sounds like the legal warning from a Microsoft shrink-wrap seal, eh?)
Is this text too small? You have two options:
1. hold down the CTRL key while rolling the mouse wheel (zoom-in, zoom-out)
2. use your keyboard like so:
  - hit: CTRL with "-" key to zoom smaller
  - hit: CTRL with "+" key to zoom larger
  - hit: CTRL with zero key to reset zoom

Menu

LDAP (Lightweight Directory Access Protocol)
ACME (Authentication Credentials Management Extensions)
VAM (VMS Authentication Module)
External Links

Edit: 2012-09-30

LDAP (Lightweight Directory Access Protocol)

I've read lots of RFC material over the years but the subject of LDAP seems to be the most obscure topic of all. If you're like me, you'd first pull up the rfc title page then hit control-F to quickly locate desired titles on the page. Doing this on 2008-04-19 shows 78 documents which means that any brain-bootstrap will be very time consuming.
If you've got access to an Alpha VMS system, then a faster way to get your brain up-to-speed would be to type the following:
```
$ help ldap
```
Then read the introduction as well as any of the other 20 topics. Unlike the RFCs, these VMS documents are written in plain English.

If you've got access to an Alpha VMS system, and you are a programmer, then you might want to read the following files:

$ type sys$examples:ldap_example.c

$ type sys$common:[decc$lib.reference.sys$startlet_c]LDAP.h

After reading the programmer's remarks, I learned even more by compiling the C program (on an OpenVMS platform) then running it with no command line parameters which then returns this single help line:

    usage: [server] [base] [filter] <attributes>

Caveat: please note that the supplied example is written to perform an anonymous bind to the specified server. This will not work on servers requiring authorization credentials. See notes 5 and 6 below for details about changing the code.

DCL Command	Explanation
$demo :== $sys$examples:ldap_example.exe	creates a foreign VMS command (so we can pass "unix style" parameters on the command line)
$demo bhxcvx.qc.bell.ca "o=BELL, c=CA" "cn=NEIL RIECK"	returns everything available for name "NEIL RIECK" (including non-standard additional attributes) search is restricted to "bell.ca"
$demo bhxcvx.qc.bell.ca "o=BELL, c=CA" "cn=NEIL RIECK" o	only returns "o" (organization in this case) "o" really means object search is restricted to "bell.ca"
$demo bhxcvx.qc.bell.ca "o=BELL, c=CA" "cn=NEIL RIECK" o mail	only returns "o" and "mail" for this name search is restricted to "bell.ca"
$demo bhxcvx.qc.bell.ca "c=CA" "cn=NEIL RIECK" o mail telephonenumber	only returns "o" and "mail" and "telephonenumber" search is restricted to ".ca" (across multiple organizations)
$demo bhxcvx.qc.bell.ca "c=CA" "telephonenumber=5195716303" cn	only returns "cn" (canonical name) for this telephone search is restricted to ".ca" (across multiple organizations)

download example zip c-ldap-examples.zip from this site which includes:

Example File	Explanation
ldap_example.c	the original example "C" file from sys$examples:
ldap_example_hack.c	tweaked for real-world use
ldap_example_hack_authenticated.c	tweaked for real-world use on an LDAP server requiring authentication
ldap.h	the original "H" file from sys$library:

An "anonymous bind" is done like this:

stat = ldap_simple_bind_s(ld, NULL, NULL)	// this is the connection line

if (stat != LDAP_SUCCESS) {
    report_error("simple_bind (anonymous)",stat,ld);
    goto finished;
}

A "credentials bind" is done like this:
```
stat = ldap_simple_bind_s(ld, ldapUser, ldapPassword)	// this is the connection line
 
if (stat != LDAP_SUCCESS) {
    report_error("simple_bind (credentials)",stat,ld);
    goto finished;
}
```
BTW, here is an actual LDAP "user string" issued to my department by my company's IS/IT people:
```
"ou=ICSIS,ou=Applications,o=BELL,c=CA
```
In this example, the string fragment "ou=ICSIS" specifies our username which is used when connecting with the LDAP server.

ACME (Authentication Credentials Management Extensions)

HP OpenVMS Programming Concepts Manual
Authentication and Credential Management (ACM) System Service in chapter #33
http://h71000.www7.hp.com/doc/82FINAL/5841/5841pro_contents.html
HP OpenVMS System Services Reference Manual
http://h71000.www7.hp.com/doc/83FINAL/4527/4527pro_002.html#acm_001
SYS$ACM and SYS$ACMW
Configuring LDAP External Authentication (In ACME)
http://labs.hoffmanlabs.com/index.php?q=node/619
Note: follow these instructions very carefully in order to reveal hidden ACMELDAP docs
HP OpenVMS Guide to System Security: OpenVMS Version 8.4
http://h71000.www7.hp.com/doc/84final/ba554_90015/index.html
Enabling External Authentication
http://h71000.www7.hp.com/doc/84final/ba554_90015/ch07s04.html

Let's do a little VMS exploration

Title : "Let's do a little VMS exploration"
Legend: <sr> = system response
        <ur> = user response
==============================================================================

<sr>	$
<ur>	write sys$output f$getsyi("ARCH_NAME")," ",f$getsyi("VERSION")
<sr>	Alpha V8.4
	$
<ur>	set def sys$help
<sr>	$
<ur>	dir *ldap*,*acme*/col=1
<sr>	Directory SYS$COMMON:[SYSHLP]

	ACMELDAP_STD_CONFIG_INSTALL.PDF;1
	ACMELDAP_STD_CONFIG_INSTALL.TXT;1
	LDAPACME$README-STD.TXT;1
	ACME_DEV_GUIDE.PDF;1
	ACME_DEV_README.TXT;1
	$
<ur>	set def sys$examples
<sr>	$
<ur>	dir *ldap*,*acme*/col=1
<sr>	Directory SYS$COMMON:[SYSHLP.EXAMPLES]

	LDAP_EXAMPLE.C;1 
	LDAP_EXAMPLE.ZIP;1 
	ACMEUTIL.C;1 
	ACMEUTIL.CLD;1 
	ACMEUTIL.COM;1 
	ACMEUTIL_SETUP.COM;1
	ACME_EXAMPLE_DOI.H;1
	ACME_EXAMPLE_DOI_ACME.C;1
	ACME_EXAMPLE_DOI_BUILD.COM;1
	ACME_EXAMPLE_DOI_MSG.MSG;1
	ACME_EXAMPLE_README.TXT;1
	ACME_PERSONA_BUILD.COM;1
	ACME_PERSONA_EXT.C;1
	$
<ur>	set def sys$update
<sr>	$
<ur>	dir *ldap*,*acme*/col=1
<sr>	Directory SYS$COMMON:[SYSUPD]

	ACMELOGIN_POSTINSTAL_UPGRADE.COM;1
	ACMELOGIN_PREINSTAL_UPGRADE.COM;1
	ACME_DEV_KITS.BCK;1
	$

VAM (VMS Authentication Module)

I just (2008-04-xx) finished playing with a trial copy of VAM from Process Software. Version 2.1 supports selective or full transfer of VMS authentication to other corporate systems supporting one of: LDAP, SECURID, or RADIUS, with the option of falling back to UAF authentication on VMS if your network partner is unavailable. I was only able to test the LDAP portion but it works.

Caveat: your initial testing will complete sooner if...

Action Data Comment

you edit this file: sys$sysdevice:[vam]VAM_CONFIG.DAT

then change this line: LDAP_SERVER LDAP://LIMA.BEANS.COM

to this: LDAP_SERVER ldap://lima.beans.com lower case "ldap:" changes the port

or this: LDAP_SERVER lima.beans.com:389/ :389 forces the port

Action	Data	Comment
you edit this file:	sys$sysdevice:[vam]VAM_CONFIG.DAT
then change this line:	LDAP_SERVER LDAP://LIMA.BEANS.COM
to this:	LDAP_SERVER ldap://lima.beans.com	lower case "ldap:" changes the port
or this:	LDAP_SERVER lima.beans.com:389/	:389 forces the port

Be sure to start VAM like this:

@ VAM:VAM_STARTUP.COM LGI

Failure to do so will result in some very strange login problems for other users where they'll see the following text before the login prompt:

%SYSTEM-F-NOLOGNAM, no logical name match

Note: this is described on page 2-4 in the 2.1 documentation but one of the lines has slid into the next page. Also, you never see the LGI command line parameter used in any of the example listings.

External Links

Back to OpenVMS
Back to Home
Neil Rieck
Kitchener - Waterloo - Cambridge, Ontario, Canada.