The VMS Shark

OpenVMS Notes: LDAP (Lightweight Directory Access Protocol)

  1. The information and software presented on this web site are intended for educational use only for OpenVMS application developers and OpenVMS system attendants.
  2. The information and software presented on this web site are provided free of charge.
  3. The information and software presented on this web site are presented to you as-is. I will not be held responsible in any way if the information and software presented on this web site damages your computer system, business or organization (sounds like the legal warning from a Microsoft shrink-wrap seal, eh?)

Menu

  1. LDAP (Lightweight Directory Access Protocol)
  2. ACME (Authentication Credentials Management Extensions)
  3. VAM (VMS Authentication Module)
  4. External Links

Edit: 2012-09-30

LDAP (Lightweight Directory Access Protocol)

  1. I've read lots of RFC material over the years, but the subject of LDAP seems to be the most obscure topic of all. If you're like me, you'd first pull up the RFC title page and then hit control-F to quickly locate the desired titles on the page. Doing this on 2008-04-19 shows 78 documents, which means that any brain-bootstrap will be very time consuming.
     
  2. If you've got access to an Alpha VMS system, then a faster way to get your brain up-to-speed would be to type the following:
    $ help ldap
    Then read the introduction as well as any of the other 20 topics. Unlike the RFCs, these VMS documents are written in plain English.
     
  3. If you've got access to an Alpha VMS system, and you are a programmer, then you might want to read the following files:
    $ type sys$examples:ldap_example.c
    $ type sys$common:[decc$lib.reference.sys$startlet_c]LDAP.h
    After reading the programmer's remarks, I learned even more by compiling the C program (on an OpenVMS platform) and then running it with no command line parameters, which returns this single help line:
        usage: [server] [base] [filter] <attributes>
    Caveat: please note that the supplied example is written to perform an anonymous bind to the specified server. This will not work on servers requiring authorization credentials. See notes 5 and 6 below for details about changing the code.

    DCL Command / Explanation:

    $ demo :== $sys$examples:ldap_example.exe
        creates a foreign VMS command (so we can pass "unix style" parameters on the command line)
    $ demo bhxcvx.qc.bell.ca "o=BELL, c=CA" "cn=NEIL RIECK"
        returns everything available for name "NEIL RIECK" (including non-standard additional attributes); search is restricted to "bell.ca"
    $ demo bhxcvx.qc.bell.ca "o=BELL, c=CA" "cn=NEIL RIECK" o
        only returns "o" (organization in this case); "o" really means object; search is restricted to "bell.ca"
    $ demo bhxcvx.qc.bell.ca "o=BELL, c=CA" "cn=NEIL RIECK" o mail
        only returns "o" and "mail" for this name; search is restricted to "bell.ca"
    $ demo bhxcvx.qc.bell.ca "c=CA" "cn=NEIL RIECK" o mail telephonenumber
        only returns "o" and "mail" and "telephonenumber"; search is restricted to ".ca" (across multiple organizations)
    $ demo bhxcvx.qc.bell.ca "c=CA" "telephonenumber=5195716303" cn
        only returns "cn" (canonical name) for this telephone number; search is restricted to ".ca" (across multiple organizations)

  4. Download the example zip c-ldap-examples.zip from this site, which includes:

    Example File / Explanation:
    ldap_example.c                       the original example "C" file from sys$examples:
    ldap_example_hack.c                  tweaked for real-world use
    ldap_example_hack_authenticated.c    tweaked for real-world use on an LDAP server requiring authentication
    ldap.h                               the original "H" file from sys$library:

  5. An "anonymous bind" is done like this:
    stat = ldap_simple_bind_s(ld, NULL, NULL);              // this is the connection line (no DN, no password)
    if (stat != LDAP_SUCCESS) {
        report_error("simple_bind (anonymous)", stat, ld);
        goto finished;
    }
  6. A "credentials bind" is done like this:
    stat = ldap_simple_bind_s(ld, ldapUser, ldapPassword);  // this is the connection line (ldapUser holds the bind DN, i.e. the "user string" shown below)
    if (stat != LDAP_SUCCESS) {
        report_error("simple_bind (credentials)", stat, ld);
        goto finished;
    }

    BTW, here is an actual LDAP "user string" issued to my department by my company's IS/IT people:

    "ou=ICSIS,ou=Applications,o=BELL,c=CA"

    In this example, the string fragment "ou=ICSIS" specifies our username which is used when connecting with the LDAP server.

ACME (Authentication Credentials Management Extensions)

VAM (VMS Authentication Module)

I just (2008-04-xx) finished playing with a trial copy of VAM from Process Software. Version 2.1 supports selective or full transfer of VMS authentication to other corporate systems supporting one of: LDAP, SECURID, or RADIUS, with the option of falling back to UAF authentication on VMS if your network partner is unavailable. I was only able to test the LDAP portion but it works.

Caveat: your initial testing will complete sooner if...

Action                  Data                                    Comment
you edit this file:     sys$sysdevice:[vam]VAM_CONFIG.DAT
then change this line:  LDAP_SERVER LDAP://LIMA.BEANS.COM
to this:                LDAP_SERVER ldap://lima.beans.com       lower case "ldap:" changes the port
or this:                LDAP_SERVER lima.beans.com:389/         :389 forces the port
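The table above comes down to how the LDAP_SERVER value gets split into a host and a port. Here is an added example, written for this page and not VAM's or Process Software's code, of a parser that matches the scheme case-insensitively, applies the conventional defaults (389 for ldap://, 636 for ldaps://), and lets an explicit :port override either; those defaults and the tolerance of a trailing "/" are this example's assumptions, not a description of how VAM itself parses the line.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

#define LDAP_PORT  389   /* conventional default for ldap://  */
#define LDAPS_PORT 636   /* conventional default for ldaps:// */

/* Parse an LDAP_SERVER value such as "LDAP://LIMA.BEANS.COM",
 * "ldap://lima.beans.com" or "lima.beans.com:389/" into host and port.
 * Returns 0 on success, -1 if the value cannot be understood.
 * The scheme is compared case-insensitively, so the upper-case form from
 * the shipped VAM_CONFIG.DAT resolves to the same port as the lower-case one. */
int parse_ldap_server(const char *value, char *host, size_t hostlen, int *port)
{
    char scheme[8] = "";
    const char *p = value;
    const char *sep = strstr(p, "://");
    size_t n;

    if (sep) {                            /* optional "scheme://" prefix */
        n = (size_t)(sep - p);
        if (n == 0 || n >= sizeof scheme) return -1;
        for (size_t i = 0; i < n; i++) scheme[i] = (char)tolower((unsigned char)p[i]);
        scheme[n] = '\0';
        p = sep + 3;
    }
    if (scheme[0] == '\0' || strcmp(scheme, "ldap") == 0) *port = LDAP_PORT;
    else if (strcmp(scheme, "ldaps") == 0) *port = LDAPS_PORT;
    else return -1;                       /* not an LDAP URL at all */

    /* host runs up to ':' (explicit port), '/' (trailing slash) or end of string */
    n = strcspn(p, ":/");
    if (n == 0 || n >= hostlen) return -1;
    for (size_t i = 0; i < n; i++) host[i] = (char)tolower((unsigned char)p[i]);
    host[n] = '\0';
    p += n;

    if (*p == ':') {                      /* explicit :port overrides the scheme default */
        char *end;
        long v = strtol(p + 1, &end, 10);
        if (end == p + 1 || v < 1 || v > 65535) return -1;
        *port = (int)v;
        p = end;
    }
    if (*p == '/') p++;                   /* tolerate "host:389/" */
    return *p == '\0' ? 0 : -1;           /* anything else is junk */
}
```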

Be sure to start VAM like this:

@ VAM:VAM_STARTUP.COM LGI

Failure to do so will result in some very strange login problems for other users where they'll see the following text before the login prompt:

%SYSTEM-F-NOLOGNAM, no logical name match

Note: this is described on page 2-4 in the 2.1 documentation but one of the lines has slid into the next page. Also, you never see the LGI command line parameter used in any of the example listings.

External Links


 Neil Rieck
 Kitchener - Waterloo - Cambridge, Ontario, Canada.