From: Chuck Chopp [ChuckChopp@rtfmcsi.com]
Sent: Monday, March 26, 2001 11:46 AM
To: Info-VAX@Mvb.Saic.Com
Subject: FYI: NDS Authentication Services is coming to OpenVMS...

FYI: I just got back from Novell's BrainShare conference that I attended last week. Some interesting tidbits of information were revealed during the various sessions that I attended.

1) The NDS Authentication Services product is being ported to OpenVMS. It will make use of the external authentication hooks in VMS to allow users to log in as normal but to have their passwords authenticated against one stored in NDS instead of the one that is hashed & stored in the SYSUAF.DAT file. A configuration file makes it possible to provide control over which accounts will be authenticated locally and which ones will be authenticated via NDS-AS, so you can always keep SYSTEM and other privileged accounts from being subject to any network-related problems that might cut you off from access to NDS. Also, NDS-AS does its communications with NDS via an SSL-encrypted connection and is pretty strong with respect to encryption of authentication data on the wire.

NDS-AS is an outgrowth of a product that was custom developed at Clemson University in South Carolina. At Clemson, they developed this product to allow an IBM mainframe (OS/390) and several flavors of Unix to authenticate users against their NDS tree to provide single sign-on capabilities for 36,000 people [staff, students and faculty]. NDS-AS also has an API library that can be used to allow other NDS-related information to be obtained from within a client application.

I also asked about NDS Account Management and the possibility of it running natively in OpenVMS to replace all SYSUAF.DAT/RIGHTSLIST.DAT access with calls to NDS in such a way that all of the local security information storage would be replaced with new classes of objects in NDS. This would be very much like what was done with the NDS4NT product that re-directed all SAM access requests out to a new "domain" object in NDS that held the contents of the SAM database. I was told that there may still be engineering issues with OpenVMS and the ability to replace the system services involved with doing $GETUAI/$SETUAI calls. However, the Novell & Compaq folks did mention that it might be very feasible to use their DirXML product to perform synchronization between SYSUAF.DAT / RIGHTSLIST.DAT and NDS such that unified account management could be performed in NDS and then the account data could be replicated out to individual OpenVMS systems and clusters. Replication could be bi-directional so that local changes made with AUTHORIZE would get replicated back to NDS.

2) Novell's eDirectory [the multi-platform version of NDS] has been ported to Tru64 Unix [as well as IBM's AIX platform]. I saw it running on an Alpha system at Compaq's technology booth. It had some pretty impressive performance stats regarding the number of objects it was storing in NDS and how quickly it could resolve NDS directory access requests. If anybody out here would like to see eDirectory running natively on OpenVMS, then it's time to start lobbying Compaq and Novell to make this happen. I spoke with a Compaq engineer who was doing the Tru64 demo of eDirectory and he said that he's been pushing for eDirectory on OpenVMS but it's going to take some customer pressure to make it a priority. Anybody interested in this should email me and I'll provide you with the necessary contact information to get the requests funneled to the correct person at Compaq who can help champion this cause. Having eDirectory run natively on OpenVMS [both Alpha and VAX hardware] seems to me to be a requirement before NDS-AS would be suitable for use in a mission critical application.

3) Slightly OT here, but after attending some sessions on NetWare64, it has become very apparent that Novell has completely redesigned the kernel [now the nano kernel] of NetWare to be hardware architecture independent. I made some comments about why Novell was waiting for Intel to get IA64 ready for prime time when they could have used an Alpha processor for 64-bit computing any time during the past 10 years. The responses that I got back from the operating system engineering development folks were "just wait a bit and see what we're doing...". Unfortunately, there were documents handy with the letters "NDA" on them, so the engineers would not speak in any additional detail about this issue. However, it looks like Novell may actually be seriously considering a port of their new NetWare64 operating system over to the Alpha architecture. I've seen the compiler technology that they're using and it is most definitely capable of targeting the Alpha architecture.

Item #1 above seems to be the most important one to me. I've been wanting this for a long time. I've had a number of clients who keep on phasing out their OpenVMS systems in favor of other platforms [Sun, HP, IBM] because they could not integrate the OpenVMS systems into their IT infrastructure. Having single sign-on capabilities that integrate OpenVMS systems with an NDS eDirectory implementation seems like a good start towards making OpenVMS fit in better with an enterprise-wide IT infrastructure.

--
Chuck Chopp
ChuckChopp@rtfmcsi.com
http://www.rtfmcsi.com
ICQ # 22321532
RTFM Consulting Services Inc.
103 Autumn Hill Road
Greer, SC 29651
864 801 2795 voice & voicemail
864 801 2774 fax
800 774 0718 pager
8007740718@skytel.com
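The design point in item #1 above (a per-account routing table so that SYSTEM and other privileged accounts keep authenticating locally and are never cut off by a directory outage) is easy to get wrong in the configuration file. The following is an added example, not NDS-AS code and not its real configuration syntax: the "ACCOUNT = LOCAL|NDS" format, the default of LOCAL for unlisted accounts, the privileged-account list, and the fail-closed behaviour for NDS-routed accounts during an outage are all assumptions chosen to illustrate the check an administrator would want to run on such a table before deploying it.

```python
"""Audit and route a local-vs-directory authentication table.

Added example for the routing idea described in the post; the config
syntax and the helper names here are assumptions, not NDS-AS's own.
"""

# Accounts that must never depend on the network to authenticate
# (assumed list; SYSTEM is the one the post names explicitly).
PRIVILEGED = {"SYSTEM", "FIELD", "SYSTEST"}

# Constructed sample table: one "ACCOUNT = METHOD" line per user.
SAMPLE_CONFIG = """
# assumed routing-table format (not the product's real syntax)
SYSTEM   = LOCAL
JSMITH   = NDS
AJONES   = NDS
FIELD    = NDS      # misconfigured: privileged account sent to NDS
OPERATOR = LOCAL
"""


def parse_routing(text):
    """Parse the table into {ACCOUNT: 'LOCAL' | 'NDS'}; reject anything else."""
    routes = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        name, sep, method = line.partition("=")
        name, method = name.strip().upper(), method.strip().upper()
        if not sep or not name or method not in ("LOCAL", "NDS"):
            raise ValueError(f"bad routing entry: {raw!r}")
        routes[name] = method
    return routes


def audit_privileged(routes, privileged=PRIVILEGED):
    """Return privileged accounts whose login would depend on NDS."""
    # Unlisted accounts default to LOCAL (an assumption of this example).
    return sorted(a for a in privileged if routes.get(a, "LOCAL") == "NDS")


def choose_backend(account, routes, nds_reachable):
    """Decide where a login attempt is verified.

    LOCAL accounts always use SYSUAF; NDS accounts use the directory,
    and are denied (fail closed, an assumption here) when it is down
    rather than silently falling back to a possibly stale local hash.
    """
    method = routes.get(account.upper(), "LOCAL")
    if method == "LOCAL":
        return "LOCAL"
    return "NDS" if nds_reachable else "DENY"


if __name__ == "__main__":
    table = parse_routing(SAMPLE_CONFIG)
    for bad in audit_privileged(table):
        print(f"WARNING: privileged account {bad} is routed to NDS")
    for user in ("SYSTEM", "JSMITH", "FIELD"):
        print(user, "during NDS outage ->", choose_backend(user, table, False))
```

Running it flags FIELD as a privileged account that a directory outage would lock out, while SYSTEM still resolves to LOCAL; that is exactly the property the post says the configuration file is there to guarantee, and it is worth checking automatically because a single mis-edited line silently removes it.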