OpenVMS Notes: LDAP (Lightweight Directory Access Protocol)

  1. The information presented here is intended for educational use by qualified OpenVMS technologists.
  2. The information presented here is provided free of charge, as-is, with no warranty of any kind.
Edit: 2023-05-30 (html tweaks)

LDAP (Lightweight Directory Access Protocol)

  1. I've read lots of RFC material over the years but the subject of LDAP seems to be the most obscure topic of all. If you're like me, you'd first pull up the RFC title page then hit control-F to quickly locate desired titles on the page. Doing this on 2008-04-19 shows 78 documents, which means that any brain-bootstrap will be very time-consuming.
     
  2. If you've got access to an Alpha VMS system, then a faster way to get your brain up-to-speed would be to type the following:
    $ help ldap

    Then read the introduction as well as any of the other 20 topics. Unlike the RFCs, these VMS documents are written in plain English.
     
  3. If you've got access to an Alpha VMS system, and you are a programmer, then you might want to read the following files:
    $ type sys$examples:ldap_example.c
    $ type sys$common:[decc$lib.reference.sys$startlet_c]LDAP.h

    After reading the programmer's remarks, I learned even more by compiling the C program (on an OpenVMS platform) and running it with no command-line parameters, which returns this single help line:
        usage: [server] [base] [filter] <attributes>

    Caveat: please note that the supplied example is written to perform an anonymous bind to the specified server. This will not work on servers requiring authorization credentials. See notes 5 and 6 below for details about changing the code.

    DCL Command / Explanation:

    $demo :== $sys$examples:ldap_example.exe
        creates a foreign VMS command (so we can pass "unix style" parameters on the command line)

    $demo bhxcvx.qc.bell.ca "o=BELL, c=CA" "cn=NEIL RIECK"
        returns everything available for name "NEIL RIECK" (search is restricted to "bell.ca")

    $demo bhxcvx.qc.bell.ca                "cn=NEIL RIECK"
        returns everything available for name "NEIL RIECK" (the result can be very instructive)

    $demo bhxcvx.qc.bell.ca "o=BELL, c=CA" "cn=NEIL RIECK" o
        only returns "o" (organization in this case); "o" really means object; search is restricted to "bell.ca"

    $demo bhxcvx.qc.bell.ca "o=BELL, c=CA" "cn=NEIL RIECK" o mail
        only returns "o" and "mail" for this name; search is restricted to "bell.ca"

    $demo bhxcvx.qc.bell.ca "c=CA" "cn=NEIL RIECK" o mail telephonenumber
        only returns "o", "mail" and "telephonenumber"; search is restricted to ".ca" (across multiple organizations)

    $demo bhxcvx.qc.bell.ca "c=CA" "telephonenumber=5195716303" cn
        only returns "cn" (canonical name) for this telephone search; search is restricted to ".ca" (across multiple organizations)

  4. Download the next four example files from here:
    Example File                         Explanation
    ldap_example.c                       the original example "C" file from sys$examples:
    ldap_example_hack.c                  tweaked for real-world use
    ldap_example_hack_authenticated.c    tweaked for real-world use on an LDAP server requiring authentication
    ldap.h                               the original header file from sys$library:

  5. An "anonymous bind" is done like this:
    stat = ldap_simple_bind_s(ld, NULL, NULL);                   // this is the connection line (no DN, no password)

    if (stat != LDAP_SUCCESS) {
        report_error("simple_bind (anonymous)", stat, ld);
        goto finished;
    }

  6. A "credentials bind" is done like this:
    stat = ldap_simple_bind_s(ld, ldapUser, ldapPassword);       // this is the connection line (bind DN and password)

    if (stat != LDAP_SUCCESS) {
        report_error("simple_bind (with credentials)", stat, ld);
        goto finished;
    }

    BTW, here is an actual LDAP "user string" issued to my department by my company's IS/IT people:

    "ou=ICSIS,ou=Applications,o=BELL,c=CA"

    In this example, the string fragment "ou=ICSIS" specifies our username, which is used when connecting with the LDAP server.
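    As an added illustration of the base, filter and attribute arguments in note 3 and of the "user string" DN in note 6 (example code written for these notes, not the sys$examples program or anything else from the original page), here is a small Python model of how the search base scopes a query, how an equality filter selects entries, and how the attribute list trims the result. The directory entries, names and e-mail addresses are constructed sample data, and the function names are mine.

```python
# Added example (not code from the OpenVMS notes): a small in-memory model of what
# ldap_example.exe's three trailing arguments mean: base (scope), filter, attributes.
# The directory entries below are constructed sample data, not real people.
DIRECTORY = {
    "cn=ALICE EXAMPLE,ou=Applications,o=BELL,c=CA": {
        "cn": "ALICE EXAMPLE", "o": "BELL", "mail": "alice@bell.example",
        "telephonenumber": "5195550100"},
    "cn=BOB EXAMPLE,o=OTHERCO,c=CA": {
        "cn": "BOB EXAMPLE", "o": "OTHERCO", "mail": "bob@otherco.example",
        "telephonenumber": "5195550199"},
}

def parse_dn(dn):
    """Split 'ou=ICSIS,ou=Applications,o=BELL,c=CA' into [(type, value), ...],
    leftmost RDN first. Types are case-insensitive; spaces around commas are ignored."""
    rdns = []
    for part in dn.split(","):
        attr, _, val = part.partition("=")
        rdns.append((attr.strip().lower(), val.strip()))
    return rdns

def in_base(entry_dn, base_dn):
    """True when entry_dn sits under base_dn, i.e. the base is the tail of the entry DN.
    So "o=BELL, c=CA" scopes to one organization, "c=CA" to every organization in .ca."""
    if not base_dn.strip():
        return True                      # empty base: no scoping at all
    e = [(a, v.lower()) for a, v in parse_dn(entry_dn)]
    b = [(a, v.lower()) for a, v in parse_dn(base_dn)]
    return len(b) <= len(e) and e[len(e) - len(b):] == b

def search(base_dn, flt, attrs=()):
    """Equality-filter search ('cn=NEIL RIECK' style); returns {dn: {attr: value}}.
    An empty attrs list returns every attribute, like the command with no trailing names."""
    fa, _, fv = flt.strip("()").partition("=")
    fa, fv = fa.strip().lower(), fv.strip().lower()
    want = {a.lower() for a in attrs}
    hits = {}
    for dn, entry in DIRECTORY.items():
        if in_base(dn, base_dn) and entry.get(fa, "").lower() == fv:
            hits[dn] = {k: v for k, v in entry.items() if not want or k in want}
    return hits

if __name__ == "__main__":
    # same shapes as the DCL table: narrow base + attribute list, then a wide base by phone
    print(search("o=BELL, c=CA", "cn=ALICE EXAMPLE", ["o", "mail"]))
    print(search("c=CA", "telephonenumber=5195550199", ["cn"]))
    print(parse_dn("ou=ICSIS,ou=Applications,o=BELL,c=CA")[0])   # ('ou', 'ICSIS')
```

    The phone-number search with base "c=CA" finds an entry in a different organization, which is the "across multiple organizations" behaviour the table describes; the same search with base "o=BELL, c=CA" finds nothing.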

ACME (Authentication Credentials Management Extensions)

VAM (VMS Authentication Module)

I just (2008-04-xx) finished playing with a trial copy of VAM from Process Software. Version 2.1 supports selective or full transfer of VMS authentication to other corporate systems supporting one of: LDAP, SECURID, or RADIUS, with the option of falling back to UAF authentication on VMS if your network partner is unavailable. I was only able to test the LDAP portion but it works.

Caveat: your initial testing will complete sooner if...

    Action                   Data                                  Comment
    you edit this file:      sys$sysdevice:[vam]VAM_CONFIG.DAT
    then change this line:   LDAP_SERVER LDAP://LIMA.BEANS.COM
    to this:                 LDAP_SERVER ldap://lima.beans.com     lower case "ldap:" changes the port
    or this:                 LDAP_SERVER lima.beans.com:389/       :389 forces the port
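An added example (not from these notes and not VAM's own code) that resolves the three LDAP_SERVER spellings in the table above to a host and port, assuming RFC 4516 URL syntax and the one "KEYWORD value" per line layout shown; the names resolve_ldap_server and ldap_servers_from_config are mine. It goes slightly beyond the table by also resolving ldaps:// to its default port 636.

```python
# Added example (not code from the OpenVMS notes or from VAM): resolve a VAM-style
# LDAP_SERVER value to (scheme, host, port), assuming the RFC 4516 URL shape
# scheme://host:port/ and the "KEYWORD value" line layout shown in the notes.
import re

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}     # ldaps: same protocol inside TLS

_SPEC = re.compile(
    r"^(?:(?P<scheme>[A-Za-z][A-Za-z0-9+.-]*)://)?"   # optional scheme, e.g. ldap://
    r"(?P<host>[^:/]+)"                               # host name
    r"(?::(?P<port>\d+))?"                            # optional :port
    r"(?P<rest>/.*)?$")                               # optional /dn?attrs?scope?filter

def resolve_ldap_server(value, strict_scheme=False):
    """Return (scheme, host, port). With strict_scheme=True an unknown scheme such as the
    upper-case 'LDAP' is rejected instead of being normalized; with it off, the three
    spellings from the VAM table all resolve to the same host and port."""
    m = _SPEC.match(value.strip())
    if not m:
        raise ValueError("not an LDAP server spec: %r" % value)
    scheme = m.group("scheme") or "ldap"          # bare host means plain ldap
    if strict_scheme and scheme not in DEFAULT_PORTS:
        raise ValueError("unrecognized scheme %r (scheme is case-sensitive here)" % scheme)
    scheme = scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError("unsupported scheme %r" % scheme)
    port = int(m.group("port")) if m.group("port") else DEFAULT_PORTS[scheme]
    return scheme, m.group("host").lower(), port

def ldap_servers_from_config(text, strict_scheme=False):
    """Collect every LDAP_SERVER line from VAM_CONFIG.DAT-style text (one 'KEY value' per line)."""
    found = []
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].upper() == "LDAP_SERVER":
            found.append(resolve_ldap_server(parts[1], strict_scheme))
    return found

if __name__ == "__main__":
    sample = "LDAP_SERVER LDAP://LIMA.BEANS.COM\n"        # constructed, copied from the table
    print(ldap_servers_from_config(sample))                # [('ldap', 'lima.beans.com', 389)]
    for spelling in ("ldap://lima.beans.com", "lima.beans.com:389/", "ldaps://lima.beans.com"):
        print(spelling, "->", resolve_ldap_server(spelling))
```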

Be sure to start VAM like this:

@ VAM:VAM_STARTUP.COM LGI

Failure to do so will result in some very strange login problems for other users where they'll see the following text before the login prompt:

%SYSTEM-F-NOLOGNAM, no logical name match

Note: this is described on page 2-4 in the 2.1 documentation but one of the lines has slid into the next page. Also, you never see the LGI command line parameter used in any of the example listings.

Neil Rieck
Waterloo, Ontario, Canada.