Re: ACME Authentication issues when LDAP server is down.



Michael D. Ober wrote:

It may be "correct", but it's certainly not robust.

Certainly not what one would expect of VMS.


Actually, after some thought, it isn't "correct" either.

I think they meant "correct" as in "we intended this behaviour"
not as a comment that the behaviour is useful to the customer.

A "correct" solution would take the user's actual requirement of the login subsystem always working and never hanging into account, which means that multiple LDAP servers, or even quick and transparent fallback to the VMS UAF for authorization (without having to use the /LOCAL switch on the userid) would be a "correct" solution.


Yes, I was rather disappointed with the response, I would think
a "Production Quality" authentication mechanism in the VMS world
would be more robust. Accepting multiple LDAP servers, with a reasonable
timeout between them (maybe 5-10 seconds, certainly much less than the
1 minute it now has) would be better. Even if the current behaviour were
only modified so that I could control the time it waits for the LDAP
server, and so that it would bypass the LDAP server entirely when one
requests the VMS DOI (when making an ACME call), it would be better than
the current situation.

I could re-write my code to do an old-style "$HASH_PASSWORD
and read the SYSUAF entry directly" authentication if the ACME call
to the LDAP DOI times out, but that's a lot of work and defeats the
purpose of having a generalized authentication API. (btw, "my code"
is a shim for the OSU authenticator to allow users to authenticate
to the OSU server with password checking being done against their
Active Directory account)

I can only hope that the "future release" they may consider
fixing this in isn't too far off.

I would investigate purchasing the Process Software product, but
money is extremely tight this year (and may be for the next few
years too).

VMS Engineering's answer falls into the category of "technically correct but totally useless."

Mike.
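The design the post asks for (several LDAP servers tried in turn with a short per-server timeout, and a transparent fall-back to the local user file only when no directory server answers) is easy to state but has one security wrinkle worth making explicit: the fall-back must be triggered by *unavailability*, never by an explicit rejection, or a caller gets two password databases to guess against. The following is an added example written for this page; it is not the poster's shim, not OSU or VMS ACME code, and touches no real LDAP server or SYSUAF. Backend names, delays and timeouts are constructed, and a PBKDF2 table stands in for the local user file (it is not the VMS password hash).

```python
"""Ordered-fallback authentication with a per-backend timeout.

Added example, not code from the original post nor from the VMS ACME
subsystem. All backends are simulated in-process (no LDAP or SYSUAF
access); server names, delays, timeouts and users are constructed.
"""
import hashlib
import hmac
import threading
import time
from dataclasses import dataclass
from typing import Callable, Tuple


class BackendUnavailable(Exception):
    """The backend could not be reached or did not answer in time."""


@dataclass
class Backend:
    name: str
    check: Callable[[str, str], bool]  # True if the credentials are good
    timeout: float                     # seconds this backend may take


def call_with_timeout(backend: Backend, user: str, password: str) -> bool:
    """Run backend.check in a worker thread; raise if it errors or overruns.

    The worker is a daemon thread, so a hung backend does not keep the
    process alive; it is simply abandoned once the deadline passes.
    """
    outcome = {}

    def worker():
        try:
            outcome["value"] = backend.check(user, password)
        except Exception as exc:          # connection refused, reset, ...
            outcome["error"] = exc

    t = threading.Thread(target=worker, daemon=True)
    t.start()
    t.join(backend.timeout)
    if t.is_alive() or "error" in outcome:
        raise BackendUnavailable(backend.name)
    return outcome["value"]


def authenticate(user, password, directory_backends, local_check) -> Tuple[bool, str]:
    """Return (accepted, source), where source names the backend that decided.

    Unavailable backends are skipped. A backend that answers is final: an
    explicit rejection is NOT followed by a local-file check, otherwise a
    caller could test guesses against two password databases at once.
    The local file is consulted only when no directory server answered.
    """
    for b in directory_backends:
        try:
            return call_with_timeout(b, user, password), b.name
        except BackendUnavailable:
            continue
    return local_check(user, password), "local"


# ---- constructed, in-process stand-ins for the real backends -----------

DIRECTORY = {"mike": "ad-secret"}              # simulated Active Directory


def directory_check(user, password):
    return DIRECTORY.get(user) == password


def hung_check(user, password):
    time.sleep(5)                              # never answers in time
    return directory_check(user, password)


def refused_check(user, password):
    raise ConnectionRefusedError("simulated: server down")


def _derive(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


_SALT = b"constructed-salt"
LOCAL_USERS = {"mike": (_SALT, _derive("local-secret", _SALT))}  # stand-in for SYSUAF


def local_check(user, password):
    entry = LOCAL_USERS.get(user)
    if entry is None:
        return False
    salt, stored = entry
    return hmac.compare_digest(stored, _derive(password, salt))


def scenario(primary: str, secondary: str, password: str):
    """Run one login with two directory servers in the given states
    ('up', 'hung' or 'refused'); returns (accepted, source, seconds)."""
    states = {"up": directory_check, "hung": hung_check, "refused": refused_check}
    backends = [Backend("ldap1", states[primary], timeout=0.25),
                Backend("ldap2", states[secondary], timeout=0.25)]
    start = time.monotonic()
    accepted, source = authenticate("mike", password, backends, local_check)
    return accepted, source, time.monotonic() - start


if __name__ == "__main__":
    print(scenario("hung", "up", "ad-secret"))        # accepted by ldap2, well under 1 s
    print(scenario("hung", "refused", "local-secret"))  # both down: local file decides
    print(scenario("up", "up", "local-secret"))       # ldap1 rejects: no fall-through
```

The per-backend deadline is what keeps the login path bounded (two dead servers cost half a second here, not a minute), and the `return` inside the loop is what prevents a rejection from leaking into the local check. In a real deployment the directory check would be an LDAP bind with its own network timeout, and the audit log should record the `source` value so an outage-driven fall-back to the local file is visible after the fact.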




