Universal Password, Part 1
Novell Cool Solutions: Feature
Posted: 8 Sep 2005
Note: This article is adapted from the BrainShare 2005 presentation TUT251 - Universal Password Management.
Password types from Novell have evolved through the following models:
- NDS Password
- Simple Password
- Enhanced Password
- Universal Password
A brief description and history of each of these types is provided below.
Novell Directory Services (NDS) Password
The NDS Password is used by the Novell Client, LDAP, and by applications written to the Novell Client APIs. With the NDS Password, public and private keys (RSA) are created and stored on the user object. The process is non-reversible - only the "hash" of the password is stored. The customer cannot retrieve the password from eDirectory. The password is never sent on the wire.
A Password Policy can be applied to NDS Passwords, determining such things as:
- Password expiration
- Password minimum length
- Password uniqueness
- Intruder lock
- Time of day restrictions
Simple Password
The Simple Password was originally provided to allow migration from foreign systems, such as the iPlanet LDAP directory. Typically, an MD5 or SHA-1 password hash is imported; however, it can also be a clear-text password.
Password values are stored encrypted with DES or 3DES, depending on how the tree key was set up. Simple Passwords offer lower security than NDS Passwords, because Simple Passwords are sent across the wire and are stored in a form from which the password can be extracted. Simple Passwords also do not support extended characters, and no password policy is enforced.
Enhanced Password
The Enhanced Password model was deprecated in favor of Universal Password. Enhanced Password offers some degree of Password Policy, including minimum/maximum length and repeatable/consecutive characters. With this model, Password Synchronization is one-way: it flows out from the Enhanced Password to the Universal Password (UP) and NDS passwords. The Enhanced Password design was not consistent with Simple Password or UP, and thus offered different security characteristics.
Universal Password Benefits
Universal Password enables advanced password policies, including extended characters in passwords, synchronization of passwords from eDirectory to other systems, and a single password for all access to eDirectory.
Password Policies are available via Universal Password. They include:
- Minimum/maximum characters
- Repeatable/consecutive characters
- Exclude list
- Expiration settings
- Numeric/special characters, such as !@#$%^`&*()
- Requirement for unique passwords
- Forgotten passwords
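To make the policy dimensions listed above concrete, here is an added example (not code from the article or from Novell) of a checker that applies each rule to a candidate password. The PasswordPolicy fields are this example's own names, not the attribute names of Novell's Password Policy objects; the allow_extended switch stands in for the compatibility concern discussed later in the article, where extended characters in a Universal Password can break the NDS and Simple passwords it synchronizes to.

```python
from dataclasses import dataclass
from typing import List

# Constructed policy model for illustration. The field names are this example's
# own, not the attribute names Novell uses in its Password Policy objects.
@dataclass
class PasswordPolicy:
    min_length: int = 8
    max_length: int = 64
    max_repeated: int = 2          # how many times any single character may occur
    max_consecutive: int = 2       # longest allowed run of the same character in a row
    min_numeric: int = 1
    min_special: int = 1
    special_chars: str = "!@#$%^`&*()"
    exclude_list: frozenset = frozenset({"password", "novell"})
    allow_extended: bool = True    # characters outside printable ASCII

def longest_run(pw: str) -> int:
    """Length of the longest run of identical adjacent characters."""
    longest = run = 1 if pw else 0
    for a, b in zip(pw, pw[1:]):
        run = run + 1 if a == b else 1
        longest = max(longest, run)
    return longest

def check_password(pw: str, policy: PasswordPolicy) -> List[str]:
    """Return the list of policy rules the password violates; an empty list means it complies."""
    violations: List[str] = []
    if len(pw) < policy.min_length:
        violations.append("too short")
    if len(pw) > policy.max_length:
        violations.append("too long")
    # "repeatable" rule: the same character used too many times anywhere in the password
    if any(pw.count(ch) > policy.max_repeated for ch in set(pw)):
        violations.append("a character is repeated too many times")
    # "consecutive" rule: the same character too many times in a row
    if longest_run(pw) > policy.max_consecutive:
        violations.append("too many consecutive identical characters")
    if sum(ch.isdigit() for ch in pw) < policy.min_numeric:
        violations.append("not enough numeric characters")
    if sum(ch in policy.special_chars for ch in pw) < policy.min_special:
        violations.append("not enough special characters")
    # exclude list: whole-password match, case-insensitive
    if pw.lower() in policy.exclude_list:
        violations.append("password is on the exclude list")
    # extended characters: allowed by UP, but a problem for NDS/Simple compatibility
    if not policy.allow_extended and any(ord(ch) > 126 for ch in pw):
        violations.append("extended characters are not allowed")
    return violations

if __name__ == "__main__":
    policy = PasswordPolicy()
    for candidate in ("Nova!Tree7", "aaaa1", "Password", "Straße!9xyz"):
        print(f"{candidate!r}: {check_password(candidate, policy) or 'OK'}")
```

Run it as a script to see each sample password checked against the default policy; pass PasswordPolicy(allow_extended=False) to model a tree whose NDS and Simple passwords must stay in sync.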
Password Policy documentation can be found at:
Universal Password Prerequisites
Universal Password requires NMAS 2.3 or later to be running on at least one server holding a Read/Write replica of the user object. For best performance, it is recommended that NMAS 2.3 or later be installed on all servers in the replica ring. The latest NMAS Server version (currently 2.3.6) is recommended.
NICI 2.6 or later must be running on the server where NMAS is running. The latest NICI version (currently 2.6.5) is recommended. Also, eDirectory 8.7.3 or later must be running on the server where NMAS is running.
The following items need to be synchronized for Universal Password:
- Replicas of the partition containing the Security Container
- The Security Domain Key (Tree key), on all NMAS servers. It is recommended that the Tree Key be a 3DES key.
For more details, see the Deployment guide:
Universal Password installs by default on the client workstation, with 4.9 and later client versions. This enables NMAS authentication on the workstation, which allows additional means of authenticating to the network, such as:
- Universal Password
- Biometric devices
- Smart cards
- Proximity cards
Universal Password Requirements
Universal Password is designed to provide backward compatibility to existing services. Password changes may be configured to automatically synchronize to Simple and NDS passwords. Use of extended characters in Universal Password could break application compatibility of Simple and NDS passwords (after synchronization). To support compatibility with the use of NDS and Simple passwords, users might have to change their passwords to not include extended characters.
NetWare Requirements for Universal Password
Passwords continue to operate properly on NetWare 6.0 and 5.1 servers running CIFS or AFP. For ease of deployment, UP is turned off by default on a NetWare 6.5 server. The Client32 shipping with NetWare 6.5 supports UP, although users will continue to use the NDS password until the administrator is ready to enable UP.
The iManager plugin is used to associate password policies at the user, container, partition, or tree level. Sub-containers are not automatically UP enabled. The user object, then the direct parent container, followed by the partition root, and ultimately the top of the tree (Login Policy object) are checked for Password Policy assignment. This discovery scheme does not walk the entire tree; it was chosen for performance reasons.
Figure 1: Checking for Password Policy assignment
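The four-step discovery order is easy to get wrong in practice: a policy assigned to a container that is neither the user's direct parent nor a partition root is simply never consulted. The following added example (not code from the article or from NMAS) models that lookup over a constructed tree so the effect can be seen. The DN of the Login Policy object, the sample containers and the policy names are all assumptions made for the example.

```python
from typing import Dict, List, Optional, Set

# Tree-wide fallback: the Login Policy object in the Security container.
# Its DN here is a modeling convenience for this example.
LOGIN_POLICY = "cn=Login Policy,cn=Security"

def parent_dn(dn: str) -> Optional[str]:
    """Return the DN of the containing object, or None at the top of the tree."""
    parts = dn.split(",")
    return ",".join(parts[1:]) if len(parts) > 1 else None

def partition_root_of(container_dn: Optional[str], partition_roots: Set[str]) -> Optional[str]:
    """Walk upward from a container to the root of the partition that holds it."""
    cur = container_dn
    while cur is not None:
        if cur in partition_roots:
            return cur
        cur = parent_dn(cur)
    return None

def candidate_dns(user_dn: str, partition_roots: Set[str]) -> List[str]:
    """The four places checked, in order: user, direct parent, partition root, Login Policy.
    Containers between the direct parent and the partition root are deliberately skipped."""
    parent = parent_dn(user_dn)
    order = [user_dn, parent, partition_root_of(parent, partition_roots), LOGIN_POLICY]
    seen: List[str] = []
    for dn in order:
        if dn is not None and dn not in seen:   # parent may itself be the partition root
            seen.append(dn)
    return seen

def effective_policy(user_dn: str, assignments: Dict[str, str],
                     partition_roots: Set[str]) -> Optional[str]:
    """First assigned policy found along the discovery order, or None if nothing is assigned."""
    for dn in candidate_dns(user_dn, partition_roots):
        if dn in assignments:
            return assignments[dn]
    return None

# Constructed sample tree: a single partition rooted at o=acme, with policies
# assigned to one user, one mid-level container, the organization and the Login Policy.
ASSIGNMENTS = {
    "cn=bob,ou=sales,ou=emea,o=acme": "Bob-Policy",
    "ou=emea,o=acme": "EMEA-Policy",
    "o=acme": "Corp-Policy",
    LOGIN_POLICY: "Default-Policy",
}
PARTITION_ROOTS = {"o=acme"}

if __name__ == "__main__":
    for user in ("cn=alice,ou=sales,ou=emea,o=acme",
                 "cn=bob,ou=sales,ou=emea,o=acme",
                 "cn=carol,ou=emea,o=acme"):
        print(user, "->", effective_policy(user, ASSIGNMENTS, PARTITION_ROOTS))
```

With o=acme as the only partition root, alice resolves to Corp-Policy even though EMEA-Policy sits on her grandparent container; making ou=emea,o=acme a partition root changes her result to EMEA-Policy without touching any assignment. That is the practical consequence of "sub-containers are not automatically UP enabled".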
Universal Password is authoritative if enabled. The Novell Client 4.9 and later authenticates the user using Universal Password. The Novell client APIs have been modified so that developers can log in or set Universal Password through a new set of APIs (available now on the NDK). For eDirectory 8.8, LDAP has been modified to authenticate the user using Universal Password.
The basic Password Manager flow is shown below, describing how Universal Password interfaces with other Novell components.
Figure 2: Password Manager
General Password Synchronization Rules
After the Universal Password is enabled, the first password used to authenticate is used to set the other two passwords to match. Password synchronization is initiated from the client (if using the Novell Client 4.9 or above), if the user has logged in with an NDS Password or Simple Password (stored as a hash). Password synchronization is initiated from the server if the user logged in with a Simple Password (stored as clear text).
If the Universal Password is enabled but not set:
- The NDS password will be used to login, and the Universal Password will be set to the value of the NDS password.
- The Simple Password will be set to the value of the Universal Password.
If an old Novell Client32 is used to set the NDS password, the next user login with the new Novell Client32 will:
- Check the timestamp of the NDS and Universal Passwords
- Use the password with the latest timestamp to log in
- Set the other passwords to match the one used to log in
Bulk Load of Passwords
All three passwords are set during the bulk load operation when:
- Universal Password is enabled but not set.
- ICE is used to set the password through an LDIF import.
- The ICE -l switch is not used (-l will populate only the Simple Password when the Universal Password is not enabled).
Note: For fastest bulk load performance, use iManager to turn off Universal Password before the bulk import. Then let NMAS populate the remaining unset passwords at user login time.
- A user has an NDS Password but not a Simple Password.
- The user wants to use CIFS.
- The user cannot login using CIFS until a Universal Password or a Simple Password is set.
- When Universal Password is enabled, and the user authenticates using the Novell Client 4.9, the NDS password is migrated to the Universal Password and the Simple Password. The user can then log in using the Universal Password (which is the same value as the NDS password) using CIFS.
- The CIFS user now has the benefits of Password Policy enforcement.
With Universal Password enabled:
- An administrator disables a user's NDS password through iManager or other administrative tools.
- This is achieved by setting the NDS password to an arbitrary value that is unknown to the user.
- The Universal Password is set to this same arbitrary value, causing the NDS Password method and the Simple Password method to be disabled.
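The synchronization rules, the CIFS migration scenario and the disable scenario above all describe the same small state machine over the three stored passwords. The following added example (not code from the article or from NMAS) models it: a login seeds the Universal and Simple passwords from the NDS password when UP is enabled but unset, an old Client32 changes only the NDS password, the next new-client login uses the newer of the NDS and Universal timestamps and brings the others into line, and an administrative disable sets every slot to a random value. The Slot and UserPasswords classes and the integer logical timestamps are this example's own modeling assumptions, not eDirectory attributes.

```python
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Constructed model of the three password stores on a user object. The slot
# names and the integer timestamps are illustrative, not eDirectory attributes.
@dataclass
class Slot:
    value: Optional[str] = None   # None means the password has never been set
    stamp: int = 0                # logical timestamp of the last change

@dataclass
class UserPasswords:
    up_enabled: bool
    nds: Slot = field(default_factory=Slot)
    universal: Slot = field(default_factory=Slot)
    simple: Slot = field(default_factory=Slot)

def _sync_all(u: UserPasswords, value: str, now: int) -> None:
    """Bring every slot that differs into line with the value that just authenticated."""
    for slot in (u.nds, u.universal, u.simple):
        if slot.value != value:
            slot.value, slot.stamp = value, now

def login(u: UserPasswords, supplied: str, new_client: bool, now: int) -> Optional[str]:
    """Authenticate and apply the article's synchronization rules.
    Returns the method that authenticated ("NDS" or "Universal"), or None on failure."""
    if not u.up_enabled or not new_client:
        # UP disabled, or an old Client32: only the NDS password is checked and nothing is synchronized.
        return "NDS" if supplied == u.nds.value else None
    if u.universal.value is None:
        # UP enabled but not yet set: NDS logs the user in, then UP and Simple are seeded from it.
        # This is also the CIFS scenario: after this login the user can authenticate to CIFS.
        if supplied != u.nds.value:
            return None
        _sync_all(u, u.nds.value, now)
        return "NDS"
    # UP already set: the newer of the NDS and UP timestamps is authoritative for this login.
    if u.nds.stamp > u.universal.stamp:
        method, authoritative = "NDS", u.nds
    else:
        method, authoritative = "Universal", u.universal
    if supplied != authoritative.value:
        return None
    _sync_all(u, authoritative.value, now)
    return method

def set_nds_password_old_client(u: UserPasswords, value: str, now: int) -> None:
    """An old Client32 changes only the NDS password; the other slots catch up at the next new-client login."""
    u.nds.value, u.nds.stamp = value, now

def disable_logins(u: UserPasswords, now: int) -> None:
    """Administrative disable: all slots are set to a random value nobody knows, so no method authenticates."""
    _sync_all(u, secrets.token_urlsafe(32), now)

if __name__ == "__main__":
    u = UserPasswords(up_enabled=True, nds=Slot("Spring2005", 1))
    print(login(u, "Spring2005", True, 10), u.universal.value, u.simple.value)
    set_nds_password_old_client(u, "Autumn05!", 20)
    print(login(u, "Spring2005", True, 30), login(u, "Autumn05!", True, 30), u.universal.value)
    disable_logins(u, 40)
    print(login(u, "Autumn05!", True, 41))
```

The failed login at timestamp 30 is the instructive case: because the old client bumped the NDS timestamp past the Universal one, the stale Universal value no longer authenticates, and nothing is modified until a login with the newer value succeeds.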
Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com