The following table outlines some Novell services and the password limitations they have. These limitations are addressed by Universal Password:
| Service | Description | Limitations |
|---|---|---|
| Novell Client™ for Windows NT/2000/XP versions prior to 4.9 and Novell Client for Windows 95/98 versions prior to 3.4 | The Novell Client software for file and print services. Uses the NDS® password, which is based on the RSA public/private key system. | |
| Windows Native Networking (CIFS) in NetWare 6 and NetWare 5.1 (NFAP add-on pack for NetWare 5.1) | Novell's CIFS server as part of the Native File Access Protocols. It allows Windows clients to access Novell services using the built-in Windows Client Networking Services. | |
| Macintosh Native Networking (AFP) in NetWare 6 and NetWare 5.1 (NFAP add-on pack for NetWare 5.1) | Novell's AFP server as part of the Native File Access Protocols. It allows Macintosh clients to access Novell services using the built-in Macintosh Client Networking Services. | |
| LDAP | Novell's LDAP services allow a user to bind using username and password across a Secure Sockets Layer (SSL) connection. | |
| LDAP User Import | Uses ICE or other tools to import users from foreign directories into eDirectory. Passwords are also brought in. | |
| Web-Based Services | Novell Web-based services (Apache Web server) authentications. This includes eGuide, Novell Portal Services, and other Web-based applications. | |
| RADIUS Services | Novell RADIUS Authentication Services | |
| NetWare Remote Manager | Novell's Web-based server health and management interface. | |
| NDS for NT | Novell eDirectory™ Services for Microsoft Windows NT 4 Server domains. | |
| DirXML® Password Synchronization for Windows 1.0 and DirXML Starter Pack | Enables synchronization of passwords for NT, Active Directory, and eDirectory accounts. | |
If you answer yes to any of the following questions, you should plan to deploy and use Universal Password:
NMAS relies on storage of policies that are global to the eDirectory tree. The eDirectory tree is effectively the security domain. The security policies must be available to all servers in the tree.
NMAS places the authentication policies and login method configuration data in the Security container that is created off of the [Root] in NetWare 5.1 or later eDirectory trees. This information must be readily accessible to all servers that are enabled for NMAS. The purpose of the Security container is to hold global policies that relate to security properties such as login, authentication, and key management.
With NMAS, we recommend that you create the Security container as a separate partition, and that the container be widely replicated. This partition should be replicated as a Read/Write partition only on those servers in your tree that are highly trusted.
NOTE: Because the Security container contains global policies, be careful where writable replicas are placed, because these servers can modify the overall security policies specified in the eDirectory tree. In order for users to log in with NMAS, replicas of the User objects must be on the NMAS server.
For additional information, see Novell TID 10091343.
Verify that the SDI Domain Key servers meet minimum configuration requirements and have consistent keys for distribution and use by other servers within the tree.
a. From a NetWare server console, load sdidiag.nlm. From a Windows server, open a command prompt box and run sdidiag.exe.
NOTE: Sdidiag.nlm ships with NetWare 6.5 or later. Sdidiag.exe ships with the Windows version of eDirectory 8.7.3 or later. Both files are available as part of a security patch (sdidiag21.exe) associated with Novell TID 2966746.
b. Log in as an Administrator by entering the tree name, the server, the context, the user name, and the password.
c. Check to make sure all your servers are using 168-bit keys. Follow the instructions in Novell TID 10093969 to ensure this requirement is met.
d. Enter the command `CHECK -v >> sys:system\sdinotes.txt`. The output to the screen displays the results of the CHECK command.
If no problems are found, go to Step 5 - Upgrade At Least One Server in the Replica Ring to NetWare 6.5 or later or eDirectory 8.7.1 or later. If problems are found, follow the instructions written to the sys:system\sdinotes.txt file to resolve any configuration and key issues.
Verify that the SDI Domain Key Servers are Running NICI 2.4.2 or later
We recommend that NetWare 6.5 or later or eDirectory 8.7.1 or later be installed on your SDI Domain Key servers. However, this is not required. At a minimum, you need to install NICI 2.4.2 or later on these servers.
You can verify if NICI 2.4.2 is installed on these servers:
From the server console, execute the NetWare command M NICISDI.NLM.
The version must be 24212.98 or later.
If the version is earlier, you must do ONE of the following:
NOTE: You can download NICI version 2.4.2 from the Novell Free Download site. Select Novell International Cryptographic Infrastructure from the Choose a Product drop-down list, then click Submit Search. NICI 2.4.2 requires eDirectory 8.5.1 or later.
Also, you must reinstall NICI 2.4.2 or later if you install an eDirectory upgrade after installing NICI. This issue will be resolved with the Consolidated Support Pack 10.
To remove a server as an SDI Domain Key Server:
1. At the server console, load SDIDIAG.
2. Log in as an Administrator that has management rights over the Security container and the W0.KAP.Security objects by entering the tree name, the server, the context, the user name, and the password.
3. Enter the command RS -s servername
For example, if server1 exists in container PRV in the organization Novell within the Novell_Inc tree, you would type .server1.PRV.Novell.Novell_Inc. for the servername.
To add a server as an SDI Domain Key Server:
1. At the server console, load SDIDIAG.
2. Log in as an Administrator by entering the Tree name, the Server, the Context, the User name, and the password.
3. Enter the command AS -s servername
For example, if server1 exists in container PRV in the organization Novell within the Novell_Inc tree, you would type .server1.PRV.Novell.Novell_Inc. for the servername.
After completing one of the options above, you might want to rerun the SDIDIAG check command. See Step 1.d.
NOTE: For more information on SDIDIAG, see Novell TID 10083939 and Novell TID 10088626.
1. Identify the container that holds the User objects of those users who will be using Universal Password.
2. Find the partition that holds that container and the User objects.
3. Identify at least one server that holds a writable replica of the partition.
4. Upgrade that server to NetWare 6.5 or later or eDirectory 8.7.1 or later.
You do not need to upgrade all servers in your tree in order to enable Universal Password, but we recommend that you eventually upgrade them all. Plan to upgrade the servers that hold writable replicas first, followed by those with read-only replicas or no replicas. This allows Universal Password support for services on all those servers.
NOTE: If you have LDAP and CIFS (Windows Native Networking) and/or AFP (Macintosh Native Networking) servers that you want to use Universal Password, you must upgrade those servers to NetWare 6.5.
Check to ensure that all instances of cryptographic keys are consistent throughout the tree. Sdidiag ensures that each server has the cryptographic keys necessary to securely communicate with the other servers in the tree.
a. From a NetWare server console, load sdidiag.nlm. From a Windows server, open a command prompt box and run sdidiag.exe.
b. Enter the command `CHECK -v >> sys:system\sdinotes.txt -n container DN`. For example, if user Bob exists in container USR in the organization Acme within the Acme_Inc tree, you would type .USR.Acme.Acme_Inc. for the container DN. This reports whether there are any key consistency problems among the various servers and the Key Domain servers.
c. The output to the screen displays the results of the CHECK command. If no problems are reported, you are ready to enable Universal Password. Go to Step 7 - Turn on Universal Password. If problems are reported, follow the instructions in the sdinotes.txt file. In most cases, you will be prompted to run the command `RESYNC -T -n container DN`. This command can be repeated any time NMAS reports -1418 or -1460 errors during authentication with Universal Password.
For more information on SDIDIAG options and operations, refer to Novell TID 10081773.
If you are using the Password Management plug-in, do the following:
1. Start Novell iManager.
2. Under Roles and Tasks > Passwords, click Password Policies.
3. Start the Password Policy Wizard by clicking New.
4. Provide a name for the policy and click Next.
5. Select Yes to enable Universal Password.
6. Complete the Password Policy Wizard.
IMPORTANT: If you assign a policy to a container that is the root of a partition, the policy assignment is inherited by all users in that partition, including users in subcontainers. To determine whether a container is a partition root, browse for the container and note whether a partition icon is displayed beside it.
If you assign a policy to a container that is not the root of a partition, the policy assignment is inherited only by users held in that specific container. It is not inherited by users that are held in subcontainers. If you want the policy to apply to all users below a container that is not a partition root, you must assign the policy to each subcontainer individually.
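The two inheritance rules above are easy to get wrong when a tree mixes partition roots and plain subcontainers, so here is a small model of them. This is an added example, not Novell code or an eDirectory API: it represents containers by the typeless dotted DNs the page uses (for example .USR.Acme.Acme_Inc.), and the sample tree, the Contractors/Temps/EMEA containers and the policy names are constructed for the example. One point the page does not state is modelled as an assumption and marked as such in the code: a child partition is treated as a separate partition, so the parent partition root's assignment does not reach users below a child partition root.

```python
from typing import Dict, List, Optional, Tuple


class Container:
    """One eDirectory container, identified by its typeless dotted DN
    (the page's style, e.g. ".USR.Acme.Acme_Inc.")."""

    def __init__(self, dn: str, parent: Optional[str],
                 partition_root: bool = False, policy: Optional[str] = None):
        self.dn = dn
        self.parent = parent                  # None only for the tree root
        self.partition_root = partition_root  # a partition boundary starts here
        self.policy = policy                  # password policy assigned here, if any


class PolicyModel:
    """Model of the assignment rule described above (added example, not
    Novell's code): an assignment on the user's own container applies to
    that container's users; an assignment on a partition root applies to
    every user in that partition, subcontainers included; an assignment
    on any other container does not reach its subcontainers."""

    def __init__(self, containers: List[Container]):
        self.by_dn: Dict[str, Container] = {c.dn: c for c in containers}

    def effective_policy(self, user_container_dn: str) -> Tuple[Optional[str], Optional[str]]:
        """Return (policy name, DN of the container whose assignment applies)
        for a user held directly in `user_container_dn`, or (None, None)."""
        c = self.by_dn[user_container_dn]
        if c.policy is not None:
            return c.policy, c.dn            # direct assignment always applies
        # Walk upward to the root of the partition the user is in.
        # Assumption (not stated on the page): a child partition is a separate
        # partition, so the walk stops at the first partition root reached.
        # Non-root ancestors are skipped: their assignments are not inherited
        # by subcontainers.
        while not c.partition_root:
            if c.parent is None:
                return None, None
            c = self.by_dn[c.parent]
        if c.policy is not None:
            return c.policy, c.dn
        return None, None

    def subcontainers(self, top_dn: str) -> List[str]:
        """Every container below `top_dn`: the set you must assign to
        individually when `top_dn` is not a partition root."""
        found = []
        frontier = [top_dn]
        while frontier:
            cur = frontier.pop()
            for c in self.by_dn.values():
                if c.parent == cur:
                    found.append(c.dn)
                    frontier.append(c.dn)
        return sorted(found)


def sample_tree() -> PolicyModel:
    """Constructed sample tree using the page's naming (Acme_Inc / Acme / USR);
    the extra containers and the policy names are made up for the example."""
    return PolicyModel([
        Container(".Acme_Inc.", None, partition_root=True),
        Container(".Acme.Acme_Inc.", ".Acme_Inc.", partition_root=True, policy="Corporate UP"),
        Container(".USR.Acme.Acme_Inc.", ".Acme.Acme_Inc."),
        Container(".Contractors.USR.Acme.Acme_Inc.", ".USR.Acme.Acme_Inc.", policy="Contractor UP"),
        Container(".Temps.Contractors.USR.Acme.Acme_Inc.", ".Contractors.USR.Acme.Acme_Inc."),
        Container(".EMEA.Acme.Acme_Inc.", ".Acme.Acme_Inc.", partition_root=True),
    ])


if __name__ == "__main__":
    tree = sample_tree()
    for dn in (".USR.Acme.Acme_Inc.", ".Contractors.USR.Acme.Acme_Inc.",
               ".Temps.Contractors.USR.Acme.Acme_Inc.", ".EMEA.Acme.Acme_Inc."):
        print(dn, "->", tree.effective_policy(dn))
    print("needs individual assignment below .USR:",
          tree.subcontainers(".USR.Acme.Acme_Inc."))
```

Running it shows the case the IMPORTANT note warns about: users in .Temps.Contractors.USR.Acme.Acme_Inc. do not get the Contractor policy assigned to their parent container (which is not a partition root) and instead fall back to the Corporate policy on the partition root .Acme.Acme_Inc., while `subcontainers` lists exactly the containers you would have to assign to one by one.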
You can deploy the Novell Client for Windows NT/2000/XP version 4.9, Novell Client for Windows 95/98 version 3.4, or NMAS Client 2.2 or later prior to enabling Universal Password, but the client does not take advantage of these services until you enable Universal Password (see Step 7 - Turn on Universal Password). The new Novell Client software automatically starts using the Universal Password when it is turned on. Users will see no differences in the client, except with case-sensitive passwords.
NOTE: You must manually install Client NICI 2.6.1 for Windows or later and NMAS™ Client 2.2 in order for Novell Client for Windows 95/98 to start using the Universal Password services.