VSI OpenLDAP V2.6-6A for OpenVMS

Release Notes and Installation Guide


1. Introduction

Thank you for your interest in this port of OpenLDAP to VSI OpenVMS Alpha, IA-64, and x86-64. The current release of OpenLDAP for OpenVMS is based on the OpenLDAP 2.6.6 distribution.

OpenLDAP is a free, open source implementation of the Lightweight Directory Access Protocol (LDAP) developed by the OpenLDAP Project (https://www.openldap.org/) and released under the OpenLDAP Public License.

This port of OpenLDAP for OpenVMS includes all functionality provided by the open source release, including client and server components, utilities, tools, and sample clients. Additional information about OpenLDAP can be found at https://www.openldap.org/.

1.1. OpenLDAP ACME Agent

The VSI OpenLDAP ACME agent for OpenVMS combines the Lightweight Directory Access Protocol (LDAP) with the VSI OpenVMS Authentication and Credentials Management Extension (ACME) authentication mechanism. This allows VSI OpenVMS customers to extend single sign-on procedures to include OpenVMS hosts and to manage user accounts in a centralized directory.

The OpenLDAP ACME agent for VSI OpenVMS provides "simple bind" authentication during login using an LDAP-compliant directory server, such as a Microsoft Active Directory domain controller or an OpenLDAP server. With this authentication method, users enter the user ID and password of their LDAP directory account when accessing the OpenVMS host. When successfully authenticated, the external user ID is mapped to the appropriate OpenVMS username and the correct user profile is obtained.

The agent supports logins from multiple user domains and provides multiple mechanisms to map domain usernames to OpenVMS usernames. Secure Sockets Layer (SSL)/Transport Layer Security (TLS) LDAP communication is supported to prevent user IDs and clear-text passwords from being exposed over the network.

For information on post-installation tasks, username mapping, details of existing issues and restrictions, troubleshooting help, and further useful reference material, please refer to the VSI OpenLDAP ACME Agent for OpenVMS Configuration and User Guide.

2. Release Notes

This section lists the new features, fixes, and known issues in this release of OpenLDAP for VSI OpenVMS.

2.1. What's New in This Release

This release introduces the first unified OpenLDAP product for OpenVMS, combining the functionality of the previously separate LDAP and ACME LDAP products into a single solution.

Support for the OpenLDAP ACME agent is now available on x86-64 systems. As a result, the unified OpenLDAP product is available on all supported OpenVMS platforms.

Existing functionality from both LDAP and ACME LDAP products is preserved within the unified OpenLDAP product.

2.2. Fixed Issues

The following known issues were fixed in this release:

  • Fixed an issue where the OpenLDAP ACME agent failed to start after the ACME server was abruptly stopped.

  • Fixed an issue where failover to the next LDAP server did not occur when the first server specified in the "server" list was unreachable and "port_security" was set to StartTLS.

  • Fixed an issue where the "scope" directive was treated as case sensitive.

2.3. Known Problems and Restrictions

  • The following backends are not currently supported in the OpenVMS version of OpenLDAP: ndb (MySQL NDB Cluster), perl, sql, wt (WiredTiger), and sasl (Cyrus SASL).

  • The following functionality has not been tested: dirsync (requires Microsoft Active Directory) and dsee (requires Directory Server Enterprise Edition).

  • The OpenVMS version has known issues with the hotp and remoteauth overlays. An issue has also been identified with delta consumer configuration synchronization.

3. Installation and Configuration

This section walks you through the tasks that you need to perform to be able to use this release of OpenLDAP for VSI OpenVMS.

3.1. Before You Install

Before installing and using VSI OpenLDAP for OpenVMS, it is recommended that you read the documentation available at https://www.openldap.org/doc/ to better understand how to configure and manage the software.

3.2. Requirements

This section lists the hardware and software requirements for VSI OpenLDAP V2.6-6A.

Operating System Requirements

Depending on the architecture, VSI OpenLDAP V2.6-6A for OpenVMS requires the following operating system versions:

  • VSI OpenVMS Alpha Version 8.4-2L1 or higher

  • VSI OpenVMS IA-64 Version 8.4-2L1 or higher

  • VSI OpenVMS x86-64 Version 9.2-3 + Update V3 or higher

For VSI OpenVMS Alpha and IA-64, the following RTL ECO kits must be installed:

    Operating System Version      Required RTL ECO Kit
    VSI OpenVMS Alpha V8.4-2L1    ECO VMS842L1A_RTL-V0600 or later
    VSI OpenVMS Alpha V8.4-2L2    ECO VMS842L2A_RTL-V0600 or later
    VSI OpenVMS IA-64 V8.4-2L1    ECO VMS842L1I_RTL-V0600 or later
    VSI OpenVMS IA-64 V8.4-2L3    ECO VMS842L3I_RTL-V0600 or later

Note

The RTL ECO kits mentioned above require their respective DPML V0200 ECO to be installed first.

Product Requirements

  • VSI SSL3 V3.0-16 or later.

  • The privileges TMPMBX, NETMBX, BYPASS, SYSPRV, and DETACH are required in order to run the OpenLDAP start-up and shutdown scripts. The LDAP server process (run as a detached process) will inherit the default privileges for the username under which it is started.

  • The LDAP server can require considerable resources in order to operate efficiently, depending on workload requirements. The following quotas should be adequate for most purposes; however, resource usage should be carefully monitored, and quotas adjusted as necessary:

    Maxjobs:         0  Fillm:       256  Bytlm:      128000
    Maxacctjobs:     0  Shrfillm:      0  Pbytlm:          0
    Maxdetach:       0  BIOlm:       150  JTquota:      4096
    Prclm:          50  DIOlm:       150  WSdef:        4096
    Prio:            4  ASTlm:       300  WSquo:        8192
    Queprio:         4  TQElm:       100  WSextent:    16384
    CPU:        (none)  Enqlm:      4000  Pgflquo:    256000

  • If the LDAP server is expected to support large numbers of concurrent clients, then it may also be necessary to increase the CHANNELCNT system parameter. This parameter can usually be safely set to its maximum value of 65535.

  • In addition to the above requirements, it is recommended that the software is installed on an ODS-5-enabled file system.
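
A pre-installation check of the privileges, quotas, CHANNELCNT value, and file-system recommendation listed above can be scripted in DCL. The procedure below is an added example and is not part of the VSI kit; the file name LDAP_PREFLIGHT.COM is hypothetical. It assumes that it is run from the account that will start the LDAP server and that F$PRIVILEGE accepts DETACH, the older name of the IMPERSONATE privilege.

```dcl
$! LDAP_PREFLIGHT.COM -- added example, not part of the VSI kit.
$! Assumption: run from the account that will start the LDAP server.
$ SET NOON
$ problems = 0
$!
$! Privileges needed by the start-up and shutdown procedures.
$! DETACH is the older name of IMPERSONATE (assumed accepted here).
$ privs = "TMPMBX,NETMBX,BYPASS,SYSPRV,DETACH"
$ i = 0
$PRIV_LOOP:
$ priv = F$ELEMENT(i, ",", privs)
$ IF priv .EQS. "," THEN GOTO QUOTAS
$ IF .NOT. F$PRIVILEGE(priv)
$ THEN
$   WRITE SYS$OUTPUT "Privilege not enabled: ", priv
$   problems = problems + 1
$ ENDIF
$ i = i + 1
$ GOTO PRIV_LOOP
$!
$! Process quotas compared with the recommended values listed above.
$QUOTAS:
$ quotas = "FILLM=256,BIOLM=150,DIOLM=150,ASTLM=300,TQLM=100," + -
           "ENQLM=4000,PRCLM=50,BYTLM=128000,PGFLQUOTA=256000," + -
           "WSQUOTA=8192,WSEXTENT=16384"
$ i = 0
$QUOTA_LOOP:
$ pair = F$ELEMENT(i, ",", quotas)
$ IF pair .EQS. "," THEN GOTO SYSCHECK
$ name = F$ELEMENT(0, "=", pair)
$ want = F$INTEGER(F$ELEMENT(1, "=", pair))
$ have = F$GETJPI("", name)
$ IF have .LT. want
$ THEN
$   WRITE SYS$OUTPUT F$FAO("!AS is !UL, recommended !UL", name, have, want)
$   problems = problems + 1
$ ENDIF
$ i = i + 1
$ GOTO QUOTA_LOOP
$!
$! System-wide items: channel count and on-disk structure of the system disk.
$SYSCHECK:
$ WRITE SYS$OUTPUT "CHANNELCNT = ", F$GETSYI("CHANNELCNT"), " (maximum 65535)"
$ acp = F$GETDVI("SYS$SYSDEVICE", "ACPTYPE")
$ IF acp .NES. "F11V5" THEN WRITE SYS$OUTPUT "System disk is not ODS-5: ", acp
$ WRITE SYS$OUTPUT F$FAO("!UL requirement(s) not met", problems)
$ EXIT
```

Because the detached server process inherits the default privileges of the username that starts it, the privilege check reflects what the start-up procedure needs, not what the running server should hold.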

3.3. Installing the Kit

Caution

Do not use the /DESTINATION qualifier with the PRODUCT INSTALL command when installing VSI OpenLDAP for OpenVMS to specify an alternative (non-default) installation location. VSI OpenVMS includes OpenLDAP components bundled with the operating system, which imposes specific requirements in terms of location of these components and associated configuration files.

This kit is provided as an OpenVMS PCSI kit that can be installed by a suitably privileged user by running the following command:

$ PRODUCT INSTALL OPENLDAP

In an OpenVMS cluster with multiple system disks, install the software on each system disk.

The installation will then proceed as follows. Note that the output may differ slightly from that shown below depending on the platform and other factors:

The following product has been selected:
    VSI I64VMS OPENLDAP V2.6-6A            Layered Product

Do you want to continue? [YES]

Configuration phase starting ...

You will be asked to choose options, if any, for each selected product and for
any products that may be installed to satisfy software dependency requirements.

Configuring VSI I64VMS OPENLDAP V2.6-6A: OpenLDAP for OpenVMS I64 V2.6-6A (Based on OpenLDAP 2.6.6)

    Copyright 2026 VMS Software, Inc.

    VSI Software Inc.

Do you want the defaults for all options? [YES]

Do you want to review the options? [NO]

Execution phase starting ...

The following product will be installed to destination:
    VSI I64VMS OPENLDAP V2.6-6A            DISK$IA64V842L1S:[VMS$COMMON.]

Portion done: 0%...10%...20%...30%...40%...50%...60%...70%...80%...90%...100%

The following product has been installed:
    VSI I64VMS OPENLDAP V2.6-6A            Layered Product

%PCSI-I-IVPEXECUTE, executing test procedure for VSI I64VMS OPENLDAP V2.6-6A ...
%PCSI-I-IVPSUCCESS, test procedure completed successfully

VSI I64VMS OPENLDAP V2.6-6A: OpenLDAP for OpenVMS I64 V2.6-6A (Based on OpenLDAP 2.6.6)

    Insert the following lines in SYS$MANAGER:SYSTARTUP_VMS.COM:
        @SYS$STARTUP:LDAP$DEFINE_LOGICALS.COM
    Insert the following lines in SYS$MANAGER:SYSHUTDWN.COM:
        @SYS$STARTUP:LDAP$DEASSIGN_LOGICALS.COM

    Verify the OpenLDAP configuration template files.

    Refer to SYS$HELP:OPENLDAP0206-6A-I64.RELEASE_NOTES for more information.

    Following installation, before the new ACME LDAP agent can be
    deployed, the OpenLDAP persona extension must be installed and then
    the system must be rebooted (it is not  sufficient to simply restart the
    ACME server). Follow the post installation instructions provided in the
    release notes to complete configuration of the software.

3.4. Post-Installation Configuration

After the installation is complete, the tasks described in this section may be performed to fully configure VSI OpenLDAP, depending upon how the software is going to be used.

3.4.1. LDAP Server Start-Up

If you intend to run the LDAP server on OpenVMS, add the command procedure SYS$STARTUP:LDAP$STARTUP.COM to SYSTARTUP_VMS.COM so that the server process is started on system start-up, and add SYS$STARTUP:LDAP$SHUTDOWN.COM to SYSHUTDWN.COM so that the LDAP server is stopped in an orderly fashion upon system shutdown.

3.4.2. Define Symbols

Foreign commands for various OpenLDAP utilities can be defined by running the command procedure SYS$STARTUP:LDAP$SETUP.COM. Administrators may wish to include this command procedure in their LOGIN.COM.

3.4.3. Run the Installation Verification Procedure (IVP)

The IVP is normally run when LDAP for OpenVMS is installed; however, the IVP may be run at any time by executing the following command:

$ @SYS$TEST:LDAP$IVP.COM

3.4.4. Build the Provided Example Program

A simple example C program is provided in the directory pointed to by the logical name LDAP$EXAMPLES. To compile and link this program, enter the following commands in order:

$ SET DEFAULT LDAP$EXAMPLES
$ CC/INCLUDE=LDAP$ROOT:[INCLUDE] LDAP_EXAMPLE.C
$ LINK LDAP_EXAMPLE.OBJ, SYS$INPUT/OPTIONS
LDAP$LIBLDAP_SHR32/SHAREABLE
LDAP$LIBLBER_SHR32/SHAREABLE
$

Note that the above commands compile and link the example application using 32-bit pointers. If you wish to build applications using 64-bit pointers, then it is necessary to compile the code with the /POINTER_SIZE=64 qualifier and to link with the 64-bit versions of the OpenLDAP libraries, namely the shareable images pointed to by the logical names LDAP$LIBLDAP_SHR and LDAP$LIBLBER_SHR.

3.4.5. OpenLDAP ACME Agent Configuration

To configure and enable the OpenLDAP ACME agent, refer to the VSI OpenLDAP ACME Agent for OpenVMS Configuration and User Guide.