Novell is now a part of Micro Focus

Beyond the "Three-of-Four" Policy with NMAS

Novell Cool Solutions: Feature
By Aaron Burgemeister

Digg This - Slashdot This

Posted: 9 May 2007

Introduction: NMAS, IDM 3.5, and "3 of 4"

Recently, a new version of NMAS was released along with Novell Identity Manager (IDM) 3.5. This release included fixes from previous versions, as well as a couple of new features in response to customer requests. Besides being able to put password policies anywhere in the tree, you can create a less-secure password policy that matches a default Microsoft password policy. The rules implemented by Microsoft are referred to as "three of four," meaning three of the four requirements for a password must be met for the password to be valid. This is in contrast to a password policy from Novell which, if four requirements were in place, would need all four to be met for the password to be valid. Having this functionality will allow passwords to flow to and from Active Directory (AD) more easily in a default setup. As a note, the latest IDM or Universal Password plugins must be used in iManager 2.6 to create this type of policy.

While this alone is certainly an interesting addition to NMAS functionality, there is also the potential to move beyond a static three-of-four policy as well. Currently, this is not technically supported and the normal iManager interface does not, at least as of now, provide a way to do this. A new attribute on a password policy called 'nspmComplexityRules' (when accessed via LDAP) is actually filled with XML implementing the new rules. Exporting a three-of-four policy looks like the following via LDAP:


# 3of4, Password Policies, Security
dn: cn=3of4,cn=Password Policies,cn=Security
nspmAdminsDoNotExpirePassword: FALSE
nspmComplexityRules:: PENvbXBsZXhpdHlQb2xpY2llcz48UG9saWN5PjxSdWxlU2V0PjxSdWxl
nsimPwdRuleEnforcement: FALSE
nsimForgottenAction:: PEZvcmdvdHRlblBhc3N3b3JkPjxFbmFibGVkPmZhbHNlPC9FbmFibGVk
nsimForgottenLoginConfig: TRUE
nspmExtendedCharactersAllowed: TRUE
nspmDisallowedAttributeValues: cn
nspmDisallowedAttributeValues: displayName
nspmDisallowedAttributeValues: Full Name
nspmDisallowedAttributeValues: Given Name
nspmDisallowedAttributeValues: Surname
nspmConfigurationOptions: 852
passwordUniqueRequired: FALSE
passwordAllowChange: TRUE
objectClass: nspmPasswordPolicy
objectClass: Top
description: Default microsoft password policy decreasing security.
cn: 3of4

Notice the long value in nspmComplexityRules. If you take that value, join all the lines together, and then decode it with a Base64 decoder, you get the following:

    <Rule MinPwdLen="6" />
    <Rule MaxPwdLen="128" />
  <RuleSet ViolationsAllowed="1">
    <Rule MinUppercase="1" />
    <Rule MinLowercase="1" />
    <Rule MinNumeric="1" />
    <Rule MinSpecial="1" />

Modifying the Rules

These rules can also be modified directly via the normal eDirectory tools, avoiding the need to export, convert, change, convert, and then import again.

In ConsoleOne:

1. Browse to the policy.

2. Open the policy's properties.

3. Go to the Other tab and modify the attribute there.

4. Click Apply to apply the changes.

In iManager:

1. Go to the Directory Administration and choose Modify Object. Modifying the object from the normal Passwords role will not work because the 'Other' sub-tab is not available.

2. Browse to the Password Policy and choose it to be modified.

3. Go to the General tab and then to the Other sub-tab.

4. Choose the attribute and click 'Edit' to make changes.

5. Click Apply to see the confirmation that changes were saved.

At this point it is fairly simple to see what is taking place. Rules are embedded in this XML stating that a password must be from 6 to 128 characters, inclusive, and that they must include at least one upper case, lower-case, numeric, and special character. Also, there is one "Violation" allowed, which makes the three-of-four part work.


This opens up a few possibilities for more customization that would not otherwise be there. For instance, if you wanted to have a two-of-four rule, or a one-of-four, that could be done. Also, it is possible to increase the minimum number of characters in each category (lowercase, uppercase, numeric, and special) as well as the minimum and maximum lengths of the password. With changes made to the XML, the new rules must be imported back into the password policy.

Taking the XML with the ViolationsAllowed set to '2' and Base64 encoding it results in the following string:


This can then be reimported with the following LDIF file (contents) via ICE or ldapmodify:

dn: cn=3of4,cn=Password Policies,cn=Security
changetype: modify
replace: nspmComplexityRules
nspmComplexityRules:: PENvbXBsZXhpdHlQb2xpY2llcz48UG9saWN5PjxSdWxlU2V0PjxSdWxlIE1pblB3ZExlbj0iNiIgLz48UnVsZSBNYXhQd2RMZW49IjEyOCIgLz48L1J1bGVTZXQ+PFJ1bGVTZXQgVmlvbGF0aW9uc0FsbG93ZWQ9IjEiPjxSdWxlIE1pblVwcGVyY2FzZT0iMSIgLz48UnVsZSBNaW5Mb3dlcmNhc2U9IjEiIC8+PFJ1bGUgTWluTnVtZXJpYz0iMSIgLz48UnVsZSBNaW5TcGVjaWFsPSIxIiAvPjwvUnVsZVNldD48L1BvbGljeT48L0NvbXBsZXhpdHlQb2xpY2llcz4=

With this done, password changes should only require two of the four rules to be followed. Other customizations follow the same set of steps and allow for some interesting ways to re-increase security for this type of policy.

ldapmodify and ldapsearch, which can be used to import and export (respectively) policies, are part of most default OS distributions. Microsoft Windows is an exception to this rule, but there are versions of ldapsearch and ldapmodify available for Windows as online downloads. ldapsearch and ldapmodify also are part of ConsoleOne when the eDirectory 8.7 snapins are added (available from Other LDAP browsers, such as LDAP Browser/Editor, are freely available and work on multiple platforms.

Note: iManager 2.6 and the IDM 3.5 plugins are available from

Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions.

© Copyright Micro Focus or one of its affiliates