VSI-AXPVMS-ACMELDAP-V0200-1A-1-RNOTES.PDF

Order Number: XX-7C9A9-E0

This document introduces ACME LDAP for OpenVMS Alpha and Integrity, a solution released in February 2021 that combines LDAP with OpenVMS ACME authentication for centralized user account management. It enables "simple bind" authentication during login, matching user input to OpenVMS credentials, and supports SSL/TLS for secure communication.

Key updates in this release (2.0-1A):

  • It utilizes a new OpenLDAP client for VSI OpenVMS and OpenSSL 1.1.1g, offering enhanced LDAP functionality and improved security.
  • A significant change is stricter server certificate validation: the Subject Common Name (CN) must now match the server hostname. If this check fails (e.g., because the client connects via an IP address or alias), the connection is not established.
  • Solutions for the certificate issue: use the x509v3 Subject Alternative Name (SAN) extension in the server certificate to list multiple valid hostnames, or, less securely, comment out the ca_file directive and restart the ACME Server.
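
The following preflight check is an added example, not part of the release notes. Run on any host with the OpenSSL 1.1.1 or later command line, it shows a CN-only certificate failing for an alias and an IP address, and a certificate with SAN entries covering them. The hostnames, address and file names are constructed placeholders, and the check uses OpenSSL's own matcher (x509 -checkhost / -checkip), not the ACME LDAP agent's code.

```shell
#!/bin/sh
# Constructed placeholders: the server's real hostname, a DNS alias, and an
# IP address that an LDAP client might be configured to connect to.
CN_NAME="ldap1.example.test"
ALIAS="ldap.example.test"
ADDR="192.0.2.10"

# make_cert FILE [SAN]: throwaway self-signed certificate with Subject
# CN=$CN_NAME and, if SAN is given, a subjectAltName extension.
make_cert() {
    if [ -n "$2" ]; then
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$CN_NAME" \
            -addext "subjectAltName=$2" -keyout "$1.key" -out "$1" 2>/dev/null
    else
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$CN_NAME" \
            -keyout "$1.key" -out "$1" 2>/dev/null
    fi
}

# covers CERT NAME: succeed if OpenSSL's matcher accepts NAME for CERT.
covers() {
    case $2 in
        *:*)       opt=-checkip ;;    # IPv6 literal
        *[!0-9.]*) opt=-checkhost ;;  # anything else with a non-digit: DNS name
        *)         opt=-checkip ;;    # dotted-quad IPv4
    esac
    openssl x509 -in "$1" -noout "$opt" "$2" | grep -q "does match certificate"
}

# uncovered CERT NAME...: print each NAME the certificate does not cover.
uncovered() {
    cert=$1; shift
    for name in "$@"; do
        covers "$cert" "$name" || echo "$name"
    done
}

tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT
make_cert "$tmp/cn_only.pem"
# OpenSSL ignores the CN once DNS SANs are present, so repeat the CN in the SAN.
make_cert "$tmp/with_san.pem" "DNS:$CN_NAME,DNS:$ALIAS,IP:$ADDR"

for c in cn_only with_san; do
    echo "$c.pem does not cover:" $(uncovered "$tmp/$c.pem" "$CN_NAME" "$ALIAS" "$ADDR")
done
```

To check a real LDAP server certificate, call uncovered with its PEM file and every name or address that appears in client configuration.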

Requirements for ACME LDAP 2.0-1A:

  • VSI OpenVMS Version 8.4-2L1 or higher.
  • VSI, HPE, or MultiNet TCP/IP Services.
  • SYS$ACM-enabled LOGINOUT.EXE and SETP0.EXE images.
  • VSI OpenLDAP 2.4.53 or later.
  • VSI SSL111 1.1-1g or later (for OpenSSL 1.1.1g+).
  • Familiarity with LDAP server environments like Microsoft Active Directory or OpenLDAP.

Installation: The product is installed using an OpenVMS PCSI kit via the command PRODUCT INSTALL ACMELDAP. While it doesn't require a system reboot, restarting the ACME SERVER ($ SET SERVER ACME_SERVER /RESTART) is usually necessary to activate the new components, which may temporarily disrupt authentication requests.

Post-installation: Detailed configuration is found in SYS$HELP:ACMELDAP2_STD_CONFIG_INSTALL.PDF. General steps involve installing required login images and the LDAP persona extension, configuring and starting the LDAP ACME agent, and then configuring user accounts to use external authentication.

May 2000
4 pages