System Management Release Notes
5.3 External Authentication
For externally authenticated users, the normal system authorization database
(SYSUAF.DAT) is used to construct the OpenVMS process profile (UIC, privileges,
quotas, and so on) and to apply specific login restrictions. However, there are two
key differences between externally authenticated users and normal OpenVMS
users. The following is true for externally authenticated users:
• The password stored in the SYSUAF is not the password used to verify the
user.
• The user name stored in the SYSUAF and used to identify the OpenVMS
process is not necessarily the same as the external user ID used to
authenticate the user during login.
OpenVMS attempts to keep a user’s SYSUAF password and external password
synchronized to minimize the problems these differences can cause. An
up-to-date copy of the user’s external password is normally kept in the SYSUAF.
The copy is not kept current if, for example, the external password contains
characters that are invalid in OpenVMS, or if SYSUAF password synchronization
has been disabled by the system manager. (Password synchronization is enabled
by default.)
If you enable external authentication, Compaq recommends you do the following
to minimize incompatibility with layered products or applications that use
traditional SYSUAF-based authentication:
• Do not disable password synchronization.
• Limit external user passwords to those characters from the OpenVMS valid
password character set (A–Z, 0–9, underscore (_), and dollar sign ($)).
• Assign users the same user name in both the external authentication service
and OpenVMS.
• Do not assign the same user name or user ID to more than one user.
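The last three recommendations can be checked mechanically. The following is an added example, not Compaq or OpenVMS code: it assumes a site can export (external user ID, SYSUAF user name) pairs and can inspect a candidate password at change time. The function names and sample data are hypothetical, and names are compared case-insensitively as an assumption.

```python
import re
from collections import defaultdict

# Characters the release note lists as valid in an OpenVMS password.
_VALID_CHAR = re.compile(r"[A-Z0-9_$]")

def invalid_password_chars(candidate):
    """Return the sorted characters that fall outside the listed set.

    Taken literally from the note, so lowercase letters are reported;
    whether a site folds case before synchronizing is not stated there.
    """
    return sorted({c for c in candidate if not _VALID_CHAR.fullmatch(c)})

def audit_accounts(accounts):
    """accounts: (external_id, sysuaf_username) pairs from a site export.

    Names are compared case-insensitively (an assumption of this example).
    Returns a sorted list of (finding, detail) tuples.
    """
    findings = set()
    ext_to_vms = defaultdict(set)
    vms_to_ext = defaultdict(set)
    for ext, vms in accounts:
        ext, vms = ext.upper(), vms.upper()
        if ext != vms:
            findings.add(("NAME_MISMATCH", f"{ext} -> {vms}"))
        ext_to_vms[ext].add(vms)
        vms_to_ext[vms].add(ext)
    for ext, names in ext_to_vms.items():
        if len(names) > 1:
            findings.add(("SHARED_EXTERNAL_ID", f"{ext}: {', '.join(sorted(names))}"))
    for vms, ids in vms_to_ext.items():
        if len(ids) > 1:
            findings.add(("SHARED_USERNAME", f"{vms}: {', '.join(sorted(ids))}"))
    return sorted(findings)

# Constructed sample data, not taken from any real system.
SAMPLE_ACCOUNTS = [
    ("jsmith", "JSMITH"),
    ("mary.jones", "MJONES"),
    ("bob", "BLEE"),
    ("robert", "BLEE"),
]

if __name__ == "__main__":
    for finding, detail in audit_accounts(SAMPLE_ACCOUNTS):
        print(f"{finding:18} {detail}")
    print(invalid_password_chars("Winter-2024!"))
```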
The $GETUAI and $SETUAI system services do not support external passwords.
These services operate only on passwords stored in the SYSUAF, and updates
are not sent to the external authentication service. Sites using software that
calls these services to check or update passwords should not enable
external authentication. Compaq expects to provide a new programming interface
to support external passwords in a future release.
5.3.9 Mixed-Version OpenVMS Cluster Systems
V7.1
Compaq recommends using external authentication on OpenVMS Cluster systems
only if all systems are running OpenVMS Version 7.1 or later.
LOGINOUT on systems running earlier versions continues to enforce normal
OpenVMS password policy (password expiration, password history, and so on) on
all users, including externally authenticated users.
5.3.10 LGI Callout Services Disable External Authentication
V7.1
Starting with Version 7.1, the presence of LOGINOUT (LGI) callouts disables
external authentication.