Universal Password and LDAP

Novell Cool Solutions: Feature
By Donald Lohr

Posted: 14 Jun 2006
Problem

A Forum reader asked the following question:

"As I understand things, an LDAP 8.7.3.7 server will FIRST check the NDS password and then use the Universal Password. Yet my tests show that you bind to the LDAP server without the NDS password being set. In that event, you lose case-sensitivity - the NDS password is not case-sensitive. Am I missing something?"

And here's the response from Don Lohr ...

Solution

(Editor's Note: With eDirectory 8.7.x, an LDAP-based login will never use Universal Password.)

I did some testing in 8.7.3.8 with Universal Password. I started by creating a new OU in my tree. I then created a UP policy that had the following elements:

  • Remove the NDS password when setting Universal Password = Yes
  • Synchronize NDS password when setting Universal Password = No
  • Synchronize Simple Password when setting Universal Password = No
  • Synchronize Distribution Password when setting Universal Password = No

Then I created several accounts via an ldapmodify command. It uses an LDIF file that includes a "userPassword:" line with a mixed-case password.

My DSTrace showed the creation of an NMAS session and the use of the NMAS "Simple Password" login method for my LDAP bind test, for which my bind was successful. The DSTrace also showed an "LDAP: Failed to authenticate" message, which I believe was the failed attempt to perform the NDS password authentication, which eDirectory 8.8 addresses (http://support.novell.com/cgi-bin/search/searchtid.cgi?10099787.htm).

You are correct - an LDAP bind will use the NDS password first (which is a case-ignore password). If a Simple password is also set, but to a different value, then an LDAP bind can succeed with either the NDS password or the Simple password.
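As an added example (not part of Don's original article), the following script reproduces the bind test described above: it emits the LDIF that ldapmodify consumes for an account with a mixed-case userPassword, then binds as that account with the exact password and with the case-flipped password. A successful case-flipped bind shows the LDAP server is satisfying the bind from the case-ignore NDS password. The server URI, DNs and credentials are constructed placeholders supplied through environment variables; the server-side steps only run when LDAP_URI is set.

```shell
#!/bin/sh
# Added example, not from the original article. Checks whether an eDirectory LDAP
# simple bind accepts a case-flipped password (a sign the legacy case-ignore NDS
# password is satisfying the bind). All DNs, URIs and passwords are placeholders.

LDAP_URI="${LDAP_URI:-}"                 # e.g. ldaps://edir.example.test:636 (assumed host)
ADMIN_DN="${ADMIN_DN:-cn=admin,o=acme}"  # assumed admin DN
ADMIN_PW="${ADMIN_PW:-}"
TEST_DN="cn=uptest1,ou=UPTest,o=acme"    # assumed test user under a fresh OU
TEST_CN="uptest1"
TEST_PW="MixedCase123"                   # constructed mixed-case password

# Flip the case of every ASCII letter: MixedCase123 -> mIXEDcASE123
flip_case() { printf '%s' "$1" | tr 'a-zA-Z' 'A-Za-z'; }

# Emit the LDIF for "ldapmodify -a": args are DN, cn and the userPassword value.
make_ldif() {
    printf 'dn: %s\nchangetype: add\nobjectClass: inetOrgPerson\ncn: %s\nsn: test\nuserPassword: %s\n' \
        "$1" "$2" "$3"
}

# Return 0 if a simple bind as DN $1 with password $2 succeeds, 1 otherwise.
# eDirectory typically refuses cleartext simple binds, so LDAP_URI should be ldaps://.
try_bind() { ldapwhoami -x -H "$LDAP_URI" -D "$1" -w "$2" >/dev/null 2>&1; }

# Create the test account, then bind with the exact and the case-flipped password.
# Prints CASE_IGNORE if both binds succeed, CASE_SENSITIVE if only the exact one does.
check_case_sensitivity() {
    make_ldif "$TEST_DN" "$TEST_CN" "$TEST_PW" |
        ldapmodify -x -H "$LDAP_URI" -D "$ADMIN_DN" -w "$ADMIN_PW" -a >/dev/null
    if ! try_bind "$TEST_DN" "$TEST_PW"; then
        echo BIND_FAILED
        return 1
    fi
    if try_bind "$TEST_DN" "$(flip_case "$TEST_PW")"; then
        echo CASE_IGNORE
    else
        echo CASE_SENSITIVE
    fi
}

# Only talk to a directory server when one has been configured.
if [ -n "$LDAP_URI" ]; then
    check_case_sensitivity
fi
```

Run it once before and once after changing the Universal Password policy to confirm the bind path actually changed, rather than inferring it from the policy settings alone.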

Now, since the inception of the Universal Password, the NDS password (RSA-encrypted, case-ignore) and the Simple password have both become legacy, non-NMAS-aware passwords. Novell included the Simple password for things that could not use the NDS password, and as a way to migrate users/passwords from another vendor's directory to NDS.

Now, in walks Universal Password - which is married to NMAS and the array of NMAS Login Methods:

  • CertMutual
  • Challenge Response
  • DIGESTMD5
  • Enhanced Password
  • Entrust
  • Macintosh Native File Access
  • NDS
  • Simple Password
  • Universal Smart Card
  • Windows Native File Access
  • X509 Advanced Certificate
  • X509 Certificate

If your environment is using the latest Novell Client (with NICI and NMAS installed, and NMAS enabled), you have an NMAS-aware client. The NDS password is no longer used - the Universal Password, in conjunction with the NDS NMAS Login Method, is now used during login. If you are still using an older version of the Novell Client (not NMAS-aware) or the MS Client Services for NetWare (not NMAS-aware), you still need to use the legacy NDS password. You might have other things in your environment using the legacy Simple password as well.

That being the case, you have likely had issues keeping the NDS and Simple passwords synced. Remember - the Universal Password policy has the ability to sync the Universal Password to the legacy NDS and Simple passwords. With Universal Password, your NMAS-aware logins (which use the Universal Password via an NMAS Login Method) and your non-NMAS-aware logins (which use either the NDS or Simple password) can use the same password value. Of course, the legacy NDS password is still a case-ignore password.

If you are using Native File Access (e.g., CIFS or AFP), these logins also use the "Windows Native File Access" and "Macintosh Native File Access" login methods and the Universal Password. These are NMAS-aware logins, because of the marriage that the CIFS and AFP NLMs have with NMAS.

So the point I am trying to make is that old clients still need either the legacy NDS or Simple passwords. New NMAS-aware clients can use the Universal Password / NMAS Login Methods. If you do not have any clients needing the legacy NDS or Simple passwords, your Universal Password policy can be set as I indicated above.

Look through the following items - they were very helpful for me when I was learning, testing and deploying Universal Password and NFAP:

To understand Universal Password:
http://www.novell.com/documentation/nw65/pdfdoc/universal_password/universal_password.pdf

Cool Solutions: Universal Password, Part 1:
http://www.novell.com/coolsolutions/feature/15778.html

Cool Solutions: Universal Password, Part 2:
http://www.novell.com/coolsolutions/feature/15780.html

Novell Modular Authentication Service:
http://www.novell.com/documentation/nmas23/pdfdoc/admin/admin.pdf

Universal Password Diagnostic Utility:
http://support.novell.com/cgi-bin/search/searchtid.cgi?2970885.htm

Native File Access Protocols Guide:
http://www.novell.com/documentation/oes/pdfdoc/native/native.pdf
