
Universal Password, Part 2

Novell Cool Solutions: Feature


Posted: 15 Sep 2005

Note: This article is adapted from the BrainShare 2005 presentation Universal Password Management (TUT251).

Here are some frequently asked questions about Universal Password.

1. Does my LDAP application need to change?

No changes are necessary. The LDAP Server on eDirectory 8.7.3 and later has been updated to change Universal Password. The LDAP Server on eDirectory 8.8 has been changed to use Universal Password for bind requests.

Make sure that your application conforms to the LDAP standard, in that passwords and all other data are sent in UTF-8 or in the format the API specifies. In an attempt to solve this industry-wide problem, the following language is being added to the next revision of LDAPv3:

"It is RECOMMENDED that applications prepare textual strings used as password to improve matching. Applications which prepare textual strings used as password are REQUIRED to prepare them as follows:

  • Transcode to Unicode
  • Apply SASLprep
  • Encode as UTF-8."
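The three preparation steps quoted above, written out as an added example (not code from the article or from Novell) using the Python standard-library stringprep tables. It assumes the input is already a Python str, i.e. already transcoded to Unicode, and applies SASLprep as RFC 4013 defines it, including the rule that unassigned code points are rejected in stored strings such as passwords.

```python
import stringprep
import unicodedata

# Output tables prohibited by RFC 4013 section 2.3, plus the unassigned code
# points of table A.1, which SASLprep forbids in stored strings such as passwords.
_PROHIBITED = (
    stringprep.in_table_c12, stringprep.in_table_c21, stringprep.in_table_c22,
    stringprep.in_table_c3, stringprep.in_table_c4, stringprep.in_table_c5,
    stringprep.in_table_c6, stringprep.in_table_c7, stringprep.in_table_c8,
    stringprep.in_table_c9, stringprep.in_table_a1,
)

def saslprep(s: str) -> str:
    """Apply the SASLprep profile (RFC 4013) to an already-Unicode string."""
    # 1. Mapping: non-ASCII spaces (C.1.2) become SPACE; B.1 characters
    #    such as SOFT HYPHEN and zero-width joiners are dropped.
    mapped = []
    for ch in s:
        if stringprep.in_table_c12(ch):
            mapped.append(" ")
        elif not stringprep.in_table_b1(ch):
            mapped.append(ch)
    # 2. Normalization: Unicode form KC (compatibility composition).
    out = unicodedata.normalize("NFKC", "".join(mapped))
    # 3. Prohibited output: controls, private use, surrogates, unassigned, etc.
    for ch in out:
        if any(check(ch) for check in _PROHIBITED):
            raise ValueError("prohibited code point U+%04X" % ord(ch))
    # 4. Bidi rule (RFC 3454 section 6): no mixing of RandALCat and LCat,
    #    and RandALCat strings must both start and end with RandALCat.
    if any(stringprep.in_table_d1(ch) for ch in out):
        if any(stringprep.in_table_d2(ch) for ch in out):
            raise ValueError("mixed right-to-left and left-to-right text")
        if not (stringprep.in_table_d1(out[0]) and stringprep.in_table_d1(out[-1])):
            raise ValueError("right-to-left text must start and end with RandALCat")
    return out

def prepare_password(password: str):
    """Return the UTF-8 octets an LDAP client should send, or None if the
    string contains code points SASLprep rejects (the caller should then
    report that to the user rather than send the unprepared string)."""
    try:
        return saslprep(password).encode("utf-8")
    except ValueError:
        return None
```

Note that the byte length of the prepared password can differ from its character count, which matters when a server enforces a limit in bytes rather than characters.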

2. Does my NDAP application need to change?

NWDS API-based applications should use the new APIs that specify the password format:

  • NWDSLoginEx
  • NWDSChangePwdEx
  • NWDSGenerateKeyPairEx
  • NWDSVerifyPwdEx

These new APIs are invoked by the utilities that support extended password changes (iManager, ConsoleOne, Novell Client) when extended character support is selected. New libraries containing the APIs have been available since July 2003.

3. Which password type should I use: NDS Password, Simple Password, or Universal Password, and when?

With NDS Password:

  • You get compatibility with existing applications.
  • A non-extractable password is used.
  • Passwords are never sent on the wire when used with Client32.

With Simple Password:

  • Passwords from foreign system import are preserved.
  • The import format (hash or clear text) is preserved.

With Universal Password:

  • There is one password for all access to eDirectory.
  • You can use extended characters in passwords.
  • You can use advanced password policies.
  • You can synchronize passwords from eDirectory to other systems.

4. What procedures can be used to troubleshoot NMAS?

NMAS Server trace messages are output to DSTrace when the NMAS filter is enabled. More information is available in TID 10092261.

5. What happens when the password history limit is reached?

When the password history limit is reached, the user can no longer change the password until one or more entries expire from the password history. This prevents a user from changing the password enough times in succession to push an old password out of the history so that it can be reused.

6. Does the Universal Password get set to "expired" when an administrator sets it?

Yes, if the password policy specifies a password expiration interval. No, if the password policy does not specify a password expiration interval. This is the same procedure as for the NDS Password.

7. When and how is the password expiration calculated?

Password expiration time is calculated by adding the password expiration interval to the time at which the password was changed. It is calculated when the password is set, and it is recalculated during login if the password expiration interval has since been shortened.

8. Is it possible to determine if the Universal Password, the NDS Password and the Simple Password are in sync?

A utility called diagpwd is available that can be used to determine the synchronization status of the passwords and the password policy that is effective for one or more users. More information on this is available in TID 2970885. The source code for diagpwd is available for download from the Novell source forge at:

9. What is the maximum size for a Universal password?

The maximum number of characters allowed for a Universal Password is 512. The LDAP standard limits password length to 128 bytes.

10. What rights are needed to install NMAS and the NMAS methods?

Administrative rights are needed to extend schema and install client methods.

11. What if Universal Password is turned off after being enabled for some time?

Users return to authenticating with the NDS Password or the Simple Password, and passwords are no longer synchronized when they are changed.

12. Why can't the Simple Password be set when the Universal Password is enabled?

Setting the Simple Password is disallowed in order to prevent the Simple Password and the Universal Password from having different values.

13. Can I choose on a per-user basis which passwords will be synchronized with Universal Password?

The password policy that is effective for the user specifies whether the NDS Password Hash and/or the Simple Password are set when the Universal Password is set. Universal Password does not provide the capability to set other types of passwords (such as the Kerberos password) when the Universal Password is set.

14. How can the Tree Key be changed from a DES key to a 3DES key?

  • Use SDIDiag to perform the following operations:
    • Use the "SD -R" command to revoke all Tree Keys and generate a single 3DES key.
    • Use the "RD -T" command to resynchronize the new Tree Key to all the servers in the tree.
    • If an eDirectory server does not get the key after the previous step, restart the server to force it to retrieve the new Tree Key.

TID 10088626 describes how to use SDIDiag to verify that the Tree Key has been synchronized to all servers. TID 10086669 describes the SDIDiag commands.
