eDirectory and Case Sensitive LDAP Passwords

Author Info

16 December 2008 - 3:34pm
Submitted by: descent


Before you read the rest of this dated article, read the documentation here:
Enforcing Case-Sensitive Universal Passwords - How to Make Your Password Case-Sensitive

Then ignore this article and follow the above directions!
Thanks to Aaron with NTS for clarifying. The xad directory that I mention in the article is part of the Domain Services for Windows on OES2.

###########################################################

Do you use case-sensitive passwords with eDirectory 8.8 over LDAP? Are you sure? It turns out that /etc/init.d/ndsd appears to contain an error.

I was recently working through some test scripts and thought that my eDirectory 8.8.3 was using case-sensitive Universal Passwords over LDAP. To my surprise, it was not.

I did some digging and found that for Universal Password to be tried first via LDAP, the environment variable NDSD_TRY_NMASLOGIN_FIRST must be set to true in the /etc/init.d/ndsd startup script.

Reference:

http://www.novell.com/support/viewContent.do?externalId=3307424&sliceId=1

When I looked at that script what I found was the following:

if [ -d /opt/novell/xad/lib/nds-modules ]; then
    NDSD_TRY_NMASLOGIN_FIRST=true
    export NDSD_TRY_NMASLOGIN_FIRST
fi

The problem here is that /opt/novell/xad/lib/nds-modules doesn't exist, so the variable is never set. I'm not sure whether this is intentional, but I then searched for all files called nds-modules, and the only one present in the file system was /opt/novell/eDirectory/lib/nds-modules.

With that info in hand I updated the ndsd start script to the following:

##########CORRECTED########### if [ -d /opt/novell/xad/lib/nds-modules ]; then
if [ -d /opt/novell/eDirectory/lib/nds-modules ]; then
    NDSD_TRY_NMASLOGIN_FIRST=true
    export NDSD_TRY_NMASLOGIN_FIRST
fi

After a restart of eDirectory, my LDAP passwords are now case-sensitive.

While this is well documented in the above TID, I do wonder why this if statement is present at all, and why the setting isn't simply the default.

Hope you find this helpful.


Disclaimer: As with everything else at Cool Solutions, this content is definitely not supported by Novell (so don't even think of calling Support if you try something and it blows up).

It was contributed by a community member and is published "as is." It seems to have worked for at least one person, and might work for you. But please be sure to test, test, test before you do anything drastic with it.

User Comments


TID corrected

Submitted by aburgemeister on 7 March 2011 - 9:42am.

The TID was incorrect, and the script is correct.

The reason that there are some situations where this environment variable is set by default is that some products which depend on eDirectory require it. The 'xad' reference is for Domain Services for Windows (DSfW) which is part of Open Enterprise Server 2. Current versions of the ndsd script also reference AFP as the AppleTalk File Protocol has a similar requirement. For backward compatibility Novell has not yet made this a default for all situations and as a result leaves it up to the administrator to set this per server.

HOWEVER, this should NOT be set in /etc/init.d/ndsd directly as that file is owned by a package. The reason this is a problem is that subsequent eDirectory patches which include that package (most of them) will undo the setting leaving you in the situation where you were before making the change. To properly set things like this you should use the pre_ndsd_start script which is "sourced" before the ndsd script starts eDirectory. The TID has been updated, as have various other TIDs and documentation with the same incorrect recommendation. This same recommendation (do not modify package-owned files) applies to all files owned by all packages in any package-management system. There are usually ways to implement customizations in a way that will not be overwritten by later patches and those should be used in all cases.
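The following script is an added example and is not from the article, the comment, or Novell. It ties the two pieces of advice on this page together from an auditing angle: it reproduces the directory test from the init script, checks whether a running ndsd process actually carries NDSD_TRY_NMASLOGIN_FIRST=true in its environment (read from a /proc/<pid>/environ-style file, which on a live server requires root), and verifies a pre_ndsd_start fragment the way ndsd would consume it, by sourcing it. The page gives no path for pre_ndsd_start, so the fragment's location is passed in explicitly; all sample environments and directories below are constructed under a temporary directory.

```shell
#!/bin/sh
# Added example, not from the article or from Novell: audit whether
# NDSD_TRY_NMASLOGIN_FIRST really reaches a running ndsd, reproduce the init
# script's directory test, and check a pre_ndsd_start fragment by sourcing it.

# Mirror of the conditional quoted in the article: succeeds exactly when the
# directory exists, i.e. when /etc/init.d/ndsd would export the variable.
would_export_nmas_first() {
    [ -d "$1" ]
}

# Read a file in /proc/<pid>/environ format (NUL-separated KEY=VALUE pairs)
# and print the value of NDSD_TRY_NMASLOGIN_FIRST, or nothing if it is unset.
nmas_first_value() {
    tr '\000' '\n' < "$1" | sed -n 's/^NDSD_TRY_NMASLOGIN_FIRST=//p'
}

# Succeeds when the environment file shows the variable set to "true".
nmas_first_enabled() {
    [ "$(nmas_first_value "$1")" = "true" ]
}

# The two lines the comment recommends placing in pre_ndsd_start instead of
# editing the package-owned /etc/init.d/ndsd. The page gives no path for that
# file, so the caller passes it explicitly (assumption: plain sh syntax).
append_nmas_first_fragment() {
    printf 'NDSD_TRY_NMASLOGIN_FIRST=true\nexport NDSD_TRY_NMASLOGIN_FIRST\n' >> "$1"
}

# Source a fragment in a subshell (as the init script would) and succeed only
# if the variable comes out exported with the value "true".
fragment_sets_nmas_first() {
    (
        unset NDSD_TRY_NMASLOGIN_FIRST
        . "$1"
        [ "$NDSD_TRY_NMASLOGIN_FIRST" = "true" ] \
            && env | grep -q '^NDSD_TRY_NMASLOGIN_FIRST=true$'
    )
}

# Constructed samples for offline use: two fake process environments, the
# directory layout the article found on disk, and two fragments.
SAMPLE_DIR=$(mktemp -d)
printf 'PATH=/usr/bin\000NDSD_TRY_NMASLOGIN_FIRST=true\000HOME=/\000' > "$SAMPLE_DIR/environ_ok"
printf 'PATH=/usr/bin\000HOME=/\000' > "$SAMPLE_DIR/environ_missing"
mkdir -p "$SAMPLE_DIR/eDirectory/lib/nds-modules"
: > "$SAMPLE_DIR/pre_ndsd_start"
append_nmas_first_fragment "$SAMPLE_DIR/pre_ndsd_start"
: > "$SAMPLE_DIR/empty_fragment"

# Human-readable summary of the constructed environments.
for f in environ_ok environ_missing; do
    if nmas_first_enabled "$SAMPLE_DIR/$f"; then
        echo "$f: NMAS login tried first, Universal Password case-sensitivity in effect"
    else
        echo "$f: variable absent, LDAP binds behave as the article observed (not case-sensitive)"
    fi
done
```

On a live server the same check is `nmas_first_enabled /proc/$(pidof ndsd)/environ` as root; comparing that result with `would_export_nmas_first /opt/novell/xad/lib/nds-modules` shows directly whether the init script's conditional, rather than a pre_ndsd_start fragment, is what decides the setting on that host.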

© 2013 Novell