
LDAP password synchronization


Ramon Frontera

Nov 6, 2008, 1:14:34 PM
Hello,

we're running:
%PMDF-I-VERSION, PMDF version is PMDF V6.4
hp AlphaServer GS1280 7/1300 running OpenVMS Alpha V8.3
PMDF_SHARE_LIBRARY version V6.4; linked 17:23:52, Jul 25 2008

In the security.cnf we have:
[RULESET=default]
ENABLE=SYSTEM/PLAIN,LOGIN/*

The OpenVMS users are authenticated by LDAP, and the flags that they
have in the Authorize are:
LockPwd ExtAuth PwdMix

It works fine, but after the users make a telnet connection, the OpenVMS
password is synchronized with the external password.

After that, when the user changes the LDAP password, PMDF only works
with the SYSUAF password, not with the LDAP password.
The users need to make a new telnet connection to synchronize the
password.

Do you know the reason?
Is it necessary to disable password synchronization on OpenVMS?


Thanks,
Regards

------------------------------------------
Ramon Frontera Gallardo
Centre de Tecnologies de la Informació
Universitat de les Illes Balears
Ctra. Valldemossa km 7,5
07122 Palma de Mallorca
E-mail: Ramon.f...@uib.es
------------------------------------------






Valerie Miller

Nov 6, 2008, 1:38:38 PM
>ENABLE=SYSTEM/PLAIN,LOGIN/*

With this ENABLE list, PMDF does not know anything about LDAP. PMDF is not
looking at LDAP directly at all. The only thing you are telling PMDF about is
the SYSUAF, so PMDF only checks with SYSUAF to look for the username and
password. Anything having to do with LDAP is being done by OpenVMS itself,
which PMDF is completely unaware of and has nothing to do with.

If you want PMDF to check LDAP for the username/password, you have to configure
PMDF to use LDAP directly. You have to specify the LDAP authentication source
on the ENABLE line, and configure the AUTH_SOURCE=LDAP section. Configuring
PMDF to use LDAP is documented in the System Manager's Guide, chapter 14.

Valerie Miller
Process Software

Valerie Miller

Nov 6, 2008, 1:55:04 PM
One more thing.

I'm guessing that something about logging in directly (such as via telnet)
is triggering OpenVMS to synchronize the passwords between SYSUAF and LDAP.

I'm also guessing that what PMDF does to check the SYSUAF for the username
and password does not trigger OpenVMS to do that synchronization (PMDF
accesses the SYSUAF by calling SYS$GETUAI).

Malcolm Dunnett

Nov 6, 2008, 2:51:07 PM

That is correct. When one logs in using the ACME enabled LOGINOUT.EXE
program the password is authenticated via the $ACM system services
(which in this case are configured to use LDAP). A side-effect of this
authentication process is to update the password in the SYSUAF.

Any pre-existing program which does its own authentication (i.e. by
reading SYSUAF directly or by calling $GETUAI) will not trigger this
update. One would hope that the vendors will, over time, modify their
code to use the $ACM routines so that they can automatically integrate
with whatever authentication method the site has chosen. (HINT, HINT.)
Using the $ACM services also triggers auditing, breakin detection, etc.
(features which must otherwise be replicated by the vendors' own code in
order to provide a proper security environment).
