That is correct. When one logs in using the ACME enabled LOGINOUT.EXE
program the password is authenticated via the $ACM system services
(which in this case are configured to use LDAP). A side-effect of this
authentication process is to update the password in the SYSUAF.

Any pre-existing program which does its own authentication (ie by
reading SYSUAF directly or by calling $GETUAI) will not trigger this
update. One would hope that the vendors will, over time, modify their
code to use the $ACM routines so that they can automatically integrate
with whatever authentication method the site has chosen. {HINT,HINT).
Using the $ACM services also triggers auditing, breakin detection, etc
(features which must otherwise be replicated by the vendors own code in
order to provide a proper security environment)


-----Original Message-----
From: Valerie Miller [mailto:miller@process.com]
Sent: November 6, 2008 10:55 AM
To: info-pmdf@process.com
Subject: Re: LDAP password synchronization

One more thing.

I'm guessing that something about logging in directly (such as via
telnet)
is triggering OpenVMS to synchronize the passwords between SYSUAF and
LDAP.

I'm also guessing that what PMDF does to check the SYSUAF for the
username
and password does not trigger OpenVMS to do that synchronization (PMDF
accesses the SYSUAF by calling SYS$GETUAI).