Password Enhancements in eDirectory 8.8
Novell Cool Solutions: AppNote
By Sarangthem Chanu
Posted: 5 Mar 2006
This AppNote describes the enhancements of the Universal Password (UP) feature in Novell eDirectory 8.8. The eDirectory authentication is enhanced to always log in through NMAS. It will explain how different passwords work and what enhancements were made from the previous release. It will also discuss password configuration and how it works with legacy clients. This AppNote is directed towards eDirectory Administrators at a beginning level.
Basics on Password Types
The three password types - NDS Password, Simple Password (SP) and Universal Password (UP) - are stored as three different attributes on the user object.
When the NDS Password is used, a public/private (RSA) key pair is created and stored on the user object. Creating the key pair whenever a password is set or changed can be time-consuming. Only a hash of the password is stored in eDirectory; therefore, this password can never be reversed. NDS Password is used by many existing Novell applications written to the Novell client APIs. You can apply the following policies to the NDS Password.
- Password expiration
- Minimum length
- Password uniqueness
- Intruder lockout
- Date, time and network restriction
Simple Password was designed to allow migration from third-party systems such as the Sun Java directory server. It is typically a SHA-1 or MD5 password hash, but it can be in clear text as well. Simple Password values are stored encrypted with DES or 3DES, based on your tree key. There are other restrictions on a Simple Password, such as "no password policy enforced" and "password does not expire."
Enhanced password (EP)
Enhanced Passwords are no longer supported; they have been replaced by Universal Password, which provides one-way password synchronization - from EP to UP and NDS passwords. EP is stored in NMAS's SecretStore. No API is provided to read EP because it would then expose the entire NMAS's SecretStore. Thus only the Enhanced Password LSM could read it.
Enhanced password supports policies of min/max length and repeatable/consecutive characters.
Universal Password (UP)
Universal Password is designed to address the limitations of NDS Password and Simple Password. The UP policy provides options to synchronize it with NDS Password and Simple Password. With password synchronization turned on, setting UP also sets the other two passwords, NDS Password and Simple Password.
After UP is enabled, the first password used to authenticate is copied to the other two passwords. For example, if NDS Password was used for the first authentication, then Simple Password and UP are set to the NDS Password (with the case exactly as the user typed it during login). Password synchronization is initiated from the client if the user logged in with NDS Password or Simple Password (stored as a hash), or by the NMAS server if the user logged in with Simple Password (stored as clear text).
Once UP is enabled and set, the Simple Password login and NDS login methods of NMAS always use UP. The administrator can define password policies and set the type of characters that are allowed in the password.
The following password policies are available through UP:
- Minimum/maximum characters
- Repeatable/consecutive characters
- Exclude list
- Expiration settings
- Numeric/special characters, such as !@#$%^`&*()
- Requirement for unique passwords
- Forgotten passwords
Advantages of Universal Password
Prior to the development of UP, administrators had to manage multiple password types (such as Simple Password, NDS Password, and Enhanced Password) and keep them synchronized. Novell introduced UP to address these challenges by simplifying the integration and management of different passwords and authentication systems into a single coherent network. UP also gives a number of other important benefits, such as advanced password policy enforcement. UP can also be used by applications that need to retrieve a password in reversible form from the directory (IDM, for example).
Changes in eDirectory 8.8
Prior to eDirectory 8.8, only Client32 and other direct NMAS logins made use of UP. After UP was enabled, logins through Client32 were case-sensitive, but logins through LDAP, iManager, or the DSAPI NDK were still case-insensitive. Note: The behavior of legacy clients remains the same with eDirectory 8.8 (see the Configuration section below on allowing or disallowing legacy client logins).
eDirectory logins can be categorized as:
- DS or server utility logins
- iManager on NetWare
- Standalone Client logins
- iManager on Unix and Windows
Prior to version 8.8, for LDAP and other server logins, eDirectory validated the password against NDS Password first and, on failure, tried Simple Password login. (This is still the case with eDirectory 8.8 if the environment variable NDSD_TRY_NMASLOGIN_FIRST is not set to true.) Therefore, both the Simple and NDS Passwords worked for local logins. But full logins (required if the user is not local or needs access to a remote server) worked only with NDS Password. Similarly, standalone clients worked only with NDS Password, as they performed NDS login in the traditional way.
eDirectory 8.8 has enhanced the eDirectory standalone client, DS utilities, and LDAP to support UP by using NMAS login. The login method used is based on the user's default login sequence (the sasDefaultLoginSequence attribute); the NDS login method is used if no default login sequence is specified. If the NMAS login fails because NMAS is not configured properly, the NMAS server is down, or for a similar reason, eDirectory falls back to NDS login.
LDAP and server utilities require the environment variable NDSD_TRY_NMASLOGIN_FIRST to be set to true in order to get the UP enhancement. As described in the flowchart below, LDAP and server utilities check for the environment variable and then decide whether to perform NMAS login.
The following flowchart shows the login flow for LDAP, DS utilities, and other standalone clients.
Figure 1: Login flowchart
UP can be enabled at the entry, container, partition, or tree level. Note that the lower level takes precedence. In other words, the effective password policy for a given user object is obtained by searching for the policy in the order object, direct container, partition root, tree-wide (Login Policy object). Note that the policy associated with a container object applies to its immediate children only.
To enable UP, create a password policy that enables UP and assign the policy at any of the levels specified above. Once UP is enabled, you can use advanced policies such as synchronization rules, password retrieval, extended characters in passwords, and a single password for all access to eDirectory.
With the default policy, UP gets synchronized with NDS Passwords when set. Use the iManager task "Set Universal Password" to set UP.
Configuring the Login Sequence
Unlike eDirectory 8.7.3, in version 8.8 LDAP login with Simple Password does not work by default; the NDS login method is the default. The login sequence attribute, sasDefaultLoginSequence, needs to be set. As with the UP policy, it can be set on the tree, partition, container, or user object. The effective login sequence for a given user object is obtained by searching for the sequence in the order object, direct container, partition root, tree-wide (Login Policy object).
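As an added example (not code from the AppNote), the following Python models the lookup order described for both the UP policy and sasDefaultLoginSequence: object, then direct container, then partition root, then the tree-wide Login Policy object, with a container's policy applying to its immediate children only. The sample tree, the "policy" key, the "partition_root" flag and the Login Policy DN are constructed for the example.

```python
# Constructed sample tree: DN -> attributes. "partition_root" marks partition roots;
# "policy" stands for the password policy assigned to that entry.
LOGIN_POLICY_DN = "cn=Login Policy,cn=Security"   # tree-wide Login Policy object (assumed DN)
TREE = {
    LOGIN_POLICY_DN: {"policy": "TreePolicy", "sasDefaultLoginSequence": "NDS"},
    "o=ing": {"partition_root": True},
    "ou=eng,o=ing": {"partition_root": True, "policy": "EngPolicy"},
    "ou=dev,ou=eng,o=ing": {"policy": "DevPolicy"},
    "ou=kernel,ou=dev,ou=eng,o=ing": {},
    "cn=alice,ou=kernel,ou=dev,ou=eng,o=ing": {},
    "cn=bob,ou=dev,ou=eng,o=ing": {"sasDefaultLoginSequence": "Simple Password"},
    "cn=carol,o=ing": {},
}

def parent_dn(dn):
    # Drop the leading RDN: "cn=alice,ou=kernel,..." -> "ou=kernel,..."; None at the top.
    parts = dn.split(",", 1)
    return parts[1] if len(parts) == 2 else None

def partition_root(tree, dn):
    # Walk up from the object until an entry flagged as a partition root is found.
    cur = dn
    while cur is not None:
        if tree.get(cur, {}).get("partition_root"):
            return cur
        cur = parent_dn(cur)
    return None

def effective_setting(tree, dn, attr):
    """Return (value, DN it came from) using the AppNote's order:
    object, direct container, partition root, tree-wide Login Policy object."""
    order = [dn, parent_dn(dn), partition_root(tree, dn), LOGIN_POLICY_DN]
    seen = []
    for candidate in order:
        if candidate is None or candidate in seen:
            continue   # skip the top of the tree and duplicates (container that is also partition root)
        seen.append(candidate)
        value = tree.get(candidate, {}).get(attr)
        if value is not None:
            return value, candidate
    return None, None
```

Note that alice inherits EngPolicy from the partition root, not DevPolicy from her grandparent container, because container policies reach only immediate children.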
Note: On Linux and Unix platforms, currently the client-side Simple Password method is not supported. Therefore, while using the ndslogin utility or iManager on Unix, Simple Password login cannot be used.
Enforcing UP for Legacy Clients
Legacy clients will continue to work with eDirectory 8.8 server by default. Legacy clients need to be disallowed if complete case-sensitive password support is required. This can be done at the partition or user level (eDirectory 8.7.3 had object class level support, which is now discontinued in 8.8). The following options are available to disallow legacy clients.
- Disallow only set password and change password
- Disallow all password operations (set/change/login/verify password)
iManager is used to configure the above options. The user-level configuration overrides the partition-level configuration. When UP enforcement is set, the server responds to login attempts from legacy clients with the ERR_OBJECT_OP_DISABLED (-6039) error. This indicates that the operation is not allowed and that the latest client should be used.
With the UP policy, the NDS Password can also be cleared while setting UP. This in turn causes NDS logins and change-password calls from legacy clients to fail; however, the client simply receives an authentication failure error (-669).
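The following Python is an added example, not code from the AppNote, that models two things described above: the server login flow for LDAP and DS utilities (NMAS login first when NDSD_TRY_NMASLOGIN_FIRST is true, with a fallback to NDS login when NMAS is unavailable, otherwise the pre-8.8 NDS-then-Simple order) and the error a legacy client receives under UP enforcement or with a cleared NDS Password. The User record, the function names and the enforcement mode strings are constructed; the error codes -669 and -6039 are the ones quoted in the text, and the exact comparison used for Simple Password is a modelling assumption.

```python
from dataclasses import dataclass
from typing import Optional

ERR_FAILED_AUTH = -669          # authentication failure (error code quoted in the AppNote)
ERR_OBJECT_OP_DISABLED = -6039  # legacy client blocked by UP enforcement (quoted in the AppNote)
@dataclass
class User:
    universal_pw: Optional[str]   # UP, compared case-sensitively; None = not set
    nds_pw: Optional[str]         # NDS Password; None = cleared by the UP policy
    simple_pw: Optional[str]      # Simple Password
    login_sequence: str = "NDS"   # effective sasDefaultLoginSequence

def nds_login(user, pw):
    # Traditional NDS login is case-insensitive; a cleared NDS Password always fails.
    return user.nds_pw is not None and user.nds_pw.lower() == pw.lower()

def simple_login(user, pw):
    # Modelling assumption: Simple Password is compared exactly.
    return user.simple_pw is not None and user.simple_pw == pw

def nmas_login(user, pw, nmas_available):
    # None means NMAS is not configured or down, so the caller falls back to NDS login.
    if not nmas_available:
        return None
    if user.universal_pw is not None:
        # Once UP is set, the NMAS NDS and Simple Password methods both verify against UP.
        return user.universal_pw == pw
    if user.login_sequence == "Simple Password":
        return simple_login(user, pw)
    return nds_login(user, pw)   # NDS method when no sequence is specified

def server_login(user, pw, try_nmas_first, nmas_available=True):
    """LDAP / DS-utility login. Returns (0 or error code, method that decided)."""
    if try_nmas_first:   # NDSD_TRY_NMASLOGIN_FIRST=true
        result = nmas_login(user, pw, nmas_available)
        if result is not None:
            return (0 if result else ERR_FAILED_AUTH, "NMAS")
        return (0 if nds_login(user, pw) else ERR_FAILED_AUTH, "NDS")   # NMAS down: fall back
    # Variable unset: pre-8.8 order, NDS Password first, then Simple Password.
    if nds_login(user, pw):
        return (0, "NDS")
    if simple_login(user, pw):
        return (0, "SimplePassword")
    return (ERR_FAILED_AUTH, "NDS")

def legacy_client_login(user, pw, enforcement=None):
    # enforcement: None, "set_change" (only set/change blocked) or "all" (login blocked too).
    if enforcement == "all":
        return (ERR_OBJECT_OP_DISABLED, "blocked")
    return (0 if nds_login(user, pw) else ERR_FAILED_AUTH, "NDS")
```

With the variable set, "secret" is rejected for a UP of "Secret" through NMAS, while the same attempt succeeds through the case-insensitive NDS path when the variable is unset or NMAS is unreachable.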
NDSD_TRY_NMASLOGIN_FIRST Environment Variable
UP enhancement is disabled in the shipping version of eDirectory 8.8. The NDSD_TRY_NMASLOGIN_FIRST environment variable needs to be set to True to enable this feature. You can do this as follows:
NetWare: Add this variable in c:\server\startup.ncf and reboot the box or set it at the command prompt and reload the ds.nlm.
Windows: This variable is set as a System Environment Variable and requires rebooting the machine.
Linux and UNIX: Export the variable in the /etc/init.d/ndsd script and restart the server (we recommend this) or export it in the command line and restart the server.
Note: This environment variable will not be required for future releases of eDirectory, and may be ignored. It needs to be set in case of iManager on NetWare if remote login through iManager is needed.
Case Study
Suppose the ING company wants to create a policy that forces end users to have case-sensitive passwords. Without this functionality, you would be able to force an end user to have a case-sensitive password, but they would also be able to authenticate through the NDS Password login, which would override case-sensitivity.
Here are the requirements of ING, and how they can be implemented:
- All the eDirectory authentications must be case-sensitive. This can be achieved if all authentications use UP. Restart eDirectory after setting the environment variable NDSD_TRY_NMASLOGIN_FIRST.
- UP is to be enabled at the tree level. Now the logins from any LDAP client and all the DS utilities and latest NDS SDK will be case sensitive.
- Logins from legacy clients must still be case-insensitive. Use the "Enforce Universal Password" task to disallow the legacy clients. You can do this at the partition or user level.
Complete the following steps to enable UP:
1. Log in to iManager.
2. Go to the Password > Password Policies task.
3. Select New to create a password policy.
4. Enter the details and click Next.
Figure 2: Creating a password policy
5. Select Yes to enable UP and click Next.
Figure 3: Enabling UP
6. Set the Advanced Password Rules and click Next, and follow the steps.
Figure 4: Setting the Advanced Password Rules
7. In the policy assignment page, provide "Login Policy.Security" to enable UP at the tree level.
Figure 5: Enabling UP at the tree level
Enforcing Universal Password
Complete the following steps to enforce UP:
1. Log in to iManager.
2. Go to NMAS > Enforce Universal Password.
3. Choose Partition and click OK.
Figure 6: Enforcing UP
4. Specify the Partition and click OK.
Figure 7: Partition for UP
5. Choose Disable for both the options to disallow all the password operations from legacy clients.
6. Click OK.
Figure 8: Disallowing password operations from legacy clients
The benefits provided by UP make a compelling case for deploying Universal Password. The UP enhancement in eDirectory makes it all the more complete by supporting UP through all eDirectory logins, whether from LDAP, ConsoleOne, iManager, or any other application using the NDK.
UP support is available for the following:
- iManager on Unix/Windows - 2.5 Version
- ConsoleOne - 1.3.6.c Version
- iManager on NetWare with eDirectory 8.8 installed