This section provides overview information for the following key OES authentication components: the NetIdentity Agent, Novell Modular Authentication Service (NMAS), and the password types supported by eDirectory.
For more authentication topics, see Access, Authenticate, Log In in the OES online documentation.
In OES, the NetIdentity Agent works with Novell® eDirectory™ authentication to provide background authentication to Web-based applications that require eDirectory authentication, using a secure identity “wallet” on the Windows workstation. Applications obtain the eDirectory credentials from the wallet without prompting users for a username and password.
The NetIdentity Agent supports applications running on OES server platforms as follows:
OES Linux: NetStorage
OES NetWare: Virtual Office, NetStorage, and iPrint (if authentication is required)
NetIdentity Agent browser authentication is supported only by Windows Internet Explorer.
The Novell Client™ provides authentication credentials to NetIdentity, but it does not obtain authentication credentials from NetIdentity because it is not a Web-based application.
NetIdentity Agent requires:
XTier (the NetStorage component) running on the OES server named in the URL of the Web-based application.
The NetIdentity agent installed on each workstation.
For more information on using the NetIdentity agent, see the NetIdentity Administration Guide for NetWare 6.5.
Novell Modular Authentication Service (NMAS™) lets you protect information on your network by providing various authentication methods to Novell eDirectory on NetWare®, Windows, and UNIX networks.
These login methods are based on three login factors:
Password
Physical device or token
Biometric authentication
For example:
You can have users log in using a single method, such as a password, a fingerprint scan, a token, a smart card, a certificate, or a proximity card.
You can have users log in using a combination of methods (for example, a password plus a token), so that compromising a single factor is not enough to authenticate, which provides a higher level of security.
Some login methods require additional hardware and software. You must ensure you have all of the necessary hardware and software for the methods to be used.
NMAS software consists of the following:
NMAS server components: Installed as part of OES.
The NMAS Client: Required on each Windows workstation that will be authenticating using NMAS.
NMAS includes several login methods on the Novell Client CD in the nmas\nmasmethods folder.
Other third-party methods are available for download. For information on the available third-party login methods, see the NMAS Partner’s Web site. Each method has a readme.txt file or a readme.pdf file that includes specific installation and configuration instructions.
For more information on how to use NMAS, see the Novell Modular Authentication Services (NMAS) 2.3 Administration Guide.
In the past, administrators have had to manage multiple passwords (simple password, NDS® password, Samba password) because the password formats differ. Administrators have also had to keep these passwords synchronized.
In OES you have the choice of retaining your current password maintenance methods or deploying Universal Password to simplify password management. In either case, if you deploy Virtual Office, users can manage their own passwords. For more information, see “Change Password” in the Novell Virtual Office Configuration Guide. Also see “Password Self-Service” in the Novell Nsure Identity Manager 2.0.1 Administration Guide.
All Novell products and services are being developed to work with extended character (UTF-8-encoded) passwords. For a current list of products and services that work with extended characters, see Novell TID 10083884.
The password types supported in eDirectory are summarized in Table 20-1.
Table 20-1 eDirectory Password Types
| Password Type | Description |
|---|---|
| NDS | The NDS password is stored in eDirectory in a nonreversible hash form. Only the NDS system can use this password, and it cannot be converted into any other form for use by another system. |
| Samba | In OES, Samba users get a Universal Password policy assigned by default. OES also supports the Samba hash password if desired, but you must choose not to deploy Universal Password if you want to use the Samba hash password. Choosing the Samba password means that users must always remember to synchronize it when changing their eDirectory password. For more information, see |
| Simple | The simple password is a reversible value stored in an attribute on the User object in eDirectory. NMAS keeps a copy of the password that it can decrypt back to clear text, so that it can use it against any type of authentication algorithm. To protect this value, NMAS encrypts the data in the NMAS Secret and Configuration Store with either a DES key or a triple DES key, depending on the strength of the Secure Domain Key. Note that single DES has only a 56-bit key and is not considered adequate today, and that anyone who obtains the Secure Domain Key and the store can recover every simple password, so treat both as highly sensitive. The simple password was originally implemented to let administrators import users and hashed passwords from other LDAP directories such as Active Directory and iPlanet. Its limitations are that no password policy (minimum length, expiration, and so on) is enforced, and that by default users do not have rights to change their own simple passwords. |
| Universal | Universal Password (UP) enforces a uniform password policy across multiple authentication systems by creating a single password that can be used by all protocols and authentication methods. It is managed in iManager by the Secure Password Manager (SPM), a component of the NMAS module installed on OES servers. All password restrictions and policies (expiration, minimum length, and so on) are supported, and existing management tools that run on clients with the UP libraries automatically work with Universal Password. Universal Password is not enabled automatically unless you install Novell Samba on an OES Linux server. You can optionally have the Samba hash password stored separately, but users must then always synchronize the Samba password when changing their eDirectory password. The Novell Client supports Universal Password, and it also supports the NDS password for older systems in the network; it automatically switches to Universal Password when UP is deployed. For more information, see |
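The security-relevant distinction in Table 20-1 is between a nonreversible store (the NDS row: the server can only verify a candidate, and the stored value cannot be converted into any other form) and a reversible store (the Simple row: the server holds a copy encrypted under a server-side key, which is what lets it serve "any type of authentication algorithm", and the same property is behind Universal Password's promise to work with all protocols). The following Go program is an added illustration of that contrast and is not Novell's NMAS code or its on-disk format. It assumes hypothetical record layouts, a made-up work factor, and a constructed 24-byte domain key; it selects DES for an 8-byte key and triple DES for a 24-byte one only to mirror the "DES or triple DES" choice in the table, and the HMAC-based `ProtocolResponse` is a stand-in for whatever a second protocol would require, not any real protocol's response format.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
)

// hashIterations is a made-up work factor for the one-way store (assumption).
const hashIterations = 50000

// OneWayRecord stands in for the NDS-style store: a salted, iterated hash.
// The server can only check a candidate against it; the password can neither
// be recovered from it nor converted into the form another protocol needs.
type OneWayRecord struct{ Salt, Hash []byte }

func oneWayHash(password string, salt []byte) []byte {
	sum := sha256.Sum256(append(append([]byte{}, salt...), password...))
	for i := 1; i < hashIterations; i++ {
		sum = sha256.Sum256(append(sum[:], salt...))
	}
	return sum[:]
}

func StoreOneWay(password string) (OneWayRecord, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return OneWayRecord{}, err
	}
	return OneWayRecord{Salt: salt, Hash: oneWayHash(password, salt)}, nil
}

// Verify is the only operation a one-way store supports.
func (r OneWayRecord) Verify(candidate string) bool {
	return subtle.ConstantTimeCompare(r.Hash, oneWayHash(candidate, r.Salt)) == 1
}

// ReversibleRecord stands in for the Simple-style store: the password is
// encrypted under a server-held domain key (hypothetical layout: IV + CBC
// ciphertext), so the server can decrypt it and give any protocol what it needs.
type ReversibleRecord struct{ IV, Ciphertext []byte }

// newDomainCipher picks DES for an 8-byte key and triple DES for a 24-byte key,
// mirroring "DES or triple DES depending on the strength of the Secure Domain
// Key". Single DES has a 56-bit effective key and is brute-forceable; it is
// included only to make the contrast visible, not as a recommendation.
func newDomainCipher(key []byte) (cipher.Block, error) {
	switch len(key) {
	case 8:
		return des.NewCipher(key)
	case 24:
		return des.NewTripleDESCipher(key)
	}
	return nil, errors.New("domain key must be 8 (DES) or 24 (3DES) bytes")
}

func pkcs7Pad(b []byte, size int) []byte {
	n := size - len(b)%size
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 {
		return nil, errors.New("empty plaintext")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > len(b) || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad padding")
	}
	return b[:len(b)-n], nil
}

func StoreReversible(password string, domainKey []byte) (ReversibleRecord, error) {
	block, err := newDomainCipher(domainKey)
	if err != nil {
		return ReversibleRecord{}, err
	}
	iv := make([]byte, block.BlockSize())
	if _, err := rand.Read(iv); err != nil {
		return ReversibleRecord{}, err
	}
	pt := pkcs7Pad([]byte(password), block.BlockSize())
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, pt)
	return ReversibleRecord{IV: iv, Ciphertext: ct}, nil
}

// Recover decrypts the stored password; anyone holding the domain key and the
// record (normally only the server) can do this, which is why both must be
// protected.
func (r ReversibleRecord) Recover(domainKey []byte) (string, error) {
	block, err := newDomainCipher(domainKey)
	if err != nil {
		return "", err
	}
	bs := block.BlockSize()
	if len(r.IV) != bs || len(r.Ciphertext) == 0 || len(r.Ciphertext)%bs != 0 {
		return "", errors.New("malformed record")
	}
	pt := make([]byte, len(r.Ciphertext))
	cipher.NewCBCDecrypter(block, r.IV).CryptBlocks(pt, r.Ciphertext)
	raw, err := pkcs7Unpad(pt)
	if err != nil {
		return "", err
	}
	return string(raw), nil
}

// ProtocolResponse shows why a reversible store can serve "any type of
// authentication algorithm": the server recovers the clear text and then
// computes whatever a second protocol expects (here a hypothetical HMAC
// challenge-response). A OneWayRecord has no way to produce this.
func ProtocolResponse(r ReversibleRecord, domainKey, challenge []byte) (string, error) {
	pw, err := r.Recover(domainKey)
	if err != nil {
		return "", err
	}
	mac := hmac.New(sha256.New, []byte(pw))
	mac.Write(challenge)
	return hex.EncodeToString(mac.Sum(nil)), nil
}

func main() {
	ow, _ := StoreOneWay("correct horse")
	fmt.Println("one-way verify:", ow.Verify("correct horse"), ow.Verify("wrong"))
	key := []byte("0123456789abcdef01234567") // constructed 24-byte key -> triple DES
	rv, _ := StoreReversible("correct horse", key)
	pw, _ := rv.Recover(key)
	resp, _ := ProtocolResponse(rv, key, []byte("challenge-1"))
	fmt.Println("recovered:", pw, "protocol response:", resp)
}
```

Run it with `go run` and note that `OneWayRecord` exposes only `Verify`, while `ReversibleRecord` lets the holder of the domain key recover the clear text and derive a second form from it. That is the trade-off the table describes: the reversible store is what makes cross-protocol use possible, and it is also why the Secure Domain Key and the NMAS store need the same protection as the passwords themselves.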