Novell Home

Why NMAS?

Novell Cool Solutions: Feature
By Marcel Cox

Digg This - Slashdot This

Posted: 25 Oct 2006
 

Problem

A Forum reader recently asked:

"We're a small organization - under 600 Novell users. Currently we have Novell 4.11 and we are getting ready to move over to 6.5 (finally!). I'm testing the new server, and playing around with NMAS settings. Then it occurred to me...do we really need it?

Novell is ONLY used for file sharing. It does not run applications - it doesn't even run print services. We will have one Netware server where the user files are, and one Linux as the eDirectory replica.

So our needs are rather basic. I *do* want to enforce strong password policies. But I'm thinking eDirectory is good enough - the extra management of NMAS seems accessory. Any thoughts?"

And here's the response from Marcel Cox ...

Solution

NMAS itself allows alternate (other than simple NDS password) authentication methods to be used against eDirectory. Initially, NMAS was mainly developped to implement hardware authentication devices, but now with NetWare 6.5 and later, NMAS has been used to implement Universal Password.

My guess is that the only aspect that might poentially interrest you in NMAS is the Universal Password aspect.

Universal Password gives you two main advantages over NDS passwords:

  • Additional features for the password itself (case-sensitive passwords, password self service and stricter and more flexible password rules)
  • Better use of a single password accross different applications

Of course, the advantages come with extra complexity for configuration. If you don't need the extra functionality and want to avoid the extra configuration work, simply stick with NDS passwords. In that case, I would also recommend sticking with eDirectory 8.7.3.x, at least as long as it remains well-supported.

If you decide to stick with NDS passwords, be sure you install the Novell client without the NMAS client. This will avoid potential problems.

If at a later time, you want to implement Universal Password, it is relatively easy to migrate from an NDS password to an Universal Password configuration. So not using Universal Password form the start will not be a major problem for later changes.

Additional Thoughts

1) I found that installing the NMAS client later was no problem at all. When I migrated from NDS passwords to UP, I simply used the ACU functionality of the client to roll out a new client configuration with NMAS included. I have been using ACU to update client versions for years already, and adding NMAS to an existing configuration is just as easy as a normal client update. When you implement UP, you want an up-to-date and consistent client at that point. You don't want to run into inconsitent behavior because of older clients with older NMAS versions that may behave differently or have annoying bugs. In fact, NMAS with UP is still very much work in progress, and every new NMAS version adds new functionality.

2) I consider installing just the NMAS client a bad idea, in case you don't use NMAS on the server side. The worst problems you would create by blindly installing NMAS on the clients include login failures, slow login, and inconsistent login behavior. There are, in fact, a number problem scenarios here:

a) You don't have any servers with NMAS running. This will severely slow down your login process, especially with multiple servers. In fact, the client will contact each individual server to see if it supports NMAS. Only when it doesn't find any NMAS server at all will it switch back to NDS login mode.

b) Only some of your servers are NMAS. In this case, you force all clients to do their login through those NMAS servers. Note that preferred and default server properties will not be honored, if the default or preferred server does not support NMAS. Again, this slows down login, because multiple servers may need to be tried until an NMAS server is found. And if the elected NMAS server happens to be over a WAN link, this will furthermore slow down the login.

c) There were a lot of problems with earlier NMAS versions. This includes the limited NMAS versions included with NetWare 6.0, as well as the first versions included with NetWare 6.5. The main problem was that login restrictions would not work with these NMAS versions. Above all, these NMAS versions did not honor address restrictions and concurrent login restrictions. This was fixed later.

d) Using IPX in an NMAS environment can be a problem too. A number of NMAS versions had a severe bug, where it would simply not work over IPX but only over TCP/IP. This could lead to login failures where IPX was involved.

All in all, if you want to use NMAS on the clients, you really want to have all your login servers at recent eDirectory 8.7.3.x version (preferrable 8.7.3.8). Implementing NMAS clients with oudated NDS or eDirectory versions is just asking for trouble. Above all, NMAS should not be installed at all on clients whose main server is still a 4.11 server.


Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com

© 2014 Novell