16.2 Authentication Services

16.2.1 Overview of Authentication Services

This section provides overview information for the following key OES authentication components: the NetIdentity Agent, NetIQ Modular Authentication Services (NMAS), and password support in OES.

For more authentication topics, see “access, authenticate, log in” in the OES online documentation.

NetIdentity Agent

In OES 11, the NetIdentity Agent works with NetIQ eDirectory authentication to provide background eDirectory authentication to NetStorage through a secure identity “wallet” on the workstation.

NetIdentity Agent browser authentication is supported only by Windows Internet Explorer.

The Novell Client provides authentication credentials to NetIdentity, but it does not obtain authentication credentials from NetIdentity because it is not a Web-based application.

NetIdentity Agent requires

  • XTier (NetStorage) running on the OES 11 server that the Web-based applications’ URL points to.

  • The NetIdentity agent installed on the workstations.

For more information on using the NetIdentity agent, see the NetIdentity Administration Guide for NetWare 6.5.

NetIQ Modular Authentication Services (NMAS)

NetIQ Modular Authentication Services (NMAS) lets you protect information on your network by providing various authentication methods to NetIQ eDirectory on NetWare, Windows, and UNIX networks.

These login methods are based on three login factors:

  • Password

  • Physical device or token

  • Biometric authentication

For example:

  • You can have users log in through a password, a fingerprint scan, a token, a smart card, a certificate, a proximity card, etc.

  • You can have users log in through a combination of methods to provide a higher level of security.

Some login methods require additional hardware and software. You must have all of the necessary hardware and software for the methods to be used.

NMAS software consists of the following:

  • NMAS server components: Installed as part of OES.

  • The NMAS Client: Required on each Windows workstation that authenticates using NMAS.

Support for Third-Party Authentication Methods

Novell Client distributions include a number of NMAS login methods.

For more information on how to use NMAS, see the NetIQ Modular Authentication Services Administration Guide.

Password Support in OES

In the past, administrators have needed to manage multiple passwords (simple password, NDS password, Samba password) because each service stored its password in its own format, and they have also needed to keep those passwords synchronized.

In OES you have the choice of retaining your current password maintenance methods or deploying Universal Password to simplify password management. For more information, see the NetIQ Password Management Administration Guide.

All Novell products and services are being developed to work with extended character (UTF-8 encoded) passwords. For a current list of products and services that work with extended characters, see Novell TID 3065822.

The password types supported in eDirectory are summarized in Table 16-7.

Table 16-7 eDirectory Password Types (each entry names the password type and then describes it)

NDS

The NDS password is stored in eDirectory only as a nonreversible hash. Only the NDS authentication system can use this password; it cannot be converted into any other form for use by another system.

Novell AFP and Novell CIFS

In OES 11 SP3, AFP and CIFS users have Universal Password policies assigned by default. More information about password policy planning is available in Section J.0, Coordinating Password Policies Among Multiple File Services.

Samba

In OES 11 SP3, Samba users have a Universal Password policy assigned by default.

OES 11 SP3 also supports the Samba hash password if desired. To use it, however, you must choose not to deploy Universal Password, and users must then remember to synchronize the Samba password whenever they change their eDirectory password.

For more information, see Samba Passwords in the OES 11 SP3: Novell Samba Administration Guide.

Simple

The simple password is a reversible value stored in an attribute on the User object in eDirectory. NMAS stores the clear-text value of the password so that it can be used with any type of authentication algorithm, and protects it by encrypting it in the NMAS Secret and Configuration Store with either a DES key or a triple DES key, depending on the strength of the Secure Domain Key. Because the clear text is recoverable by anyone who holds that key, and single DES offers only a 56-bit key, treat the Secure Domain Key and the servers that hold it as highly sensitive.

The simple password was originally implemented to allow administrators to import users and hashed passwords from other LDAP directories such as Active Directory and iPlanet.

The simple password has two limitations: no password policy (minimum length, expiration, and so on) is enforced, and by default users do not have rights to change their own simple passwords.

Universal

Universal Password (UP) enforces a uniform password policy across multiple authentication systems by creating a password that can be used by all protocols and authentication methods.

Universal Password is managed in iManager by the Secure Password Manager (SPM), a component of the NMAS module installed on OES servers. All password restrictions and policies (expiration, minimum length, etc.) are supported.

All the existing management tools that run on clients with the UP libraries automatically work with the Universal Password.

Universal Password is not automatically enabled unless you install Novell AFP, Novell CIFS, Domain Services for Windows, or Novell Samba on an OES server. (You can optionally choose to have the Samba hash password stored separately. This requires, however, that users always synchronize the Samba password when changing their eDirectory password.)

The Novell Client supports the Universal Password. It also supports the NDS password for older systems in the network. The Novell Client automatically upgrades to use Universal Password when UP is deployed.

For more information, see Deploying Universal Password in the NetIQ Password Management Administration Guide.
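The distinction Table 16-7 draws between the nonreversible NDS hash and the reversibly stored simple and Universal passwords is easiest to see in code. The following Python is an added example written for this page, not NMAS or OES code: the record layouts, the HMAC-based stand-in for the DES/3DES encryption under the Secure Domain Key, and the CRAM-style challenge-response exchange are all assumptions of the example, and the sample credential and key are constructed. It shows why a server that holds only a salted one-way hash can check a clear-text attempt but cannot take part in a challenge-response protocol, why a reversible store can, and that recovering the clear text needs nothing more than the store key, which is exactly the risk the Simple entry warns about. Passwords are handled as UTF-8 throughout, matching the extended-character note earlier in this section.

```python
"""Reversible vs. non-reversible password stores (constructed example).

Not OES/NMAS code. The record formats, the toy cipher standing in for the
DES/3DES encryption under the Secure Domain Key, and the challenge-response
protocol are assumptions made for illustration only.
"""
import hashlib
import hmac
import os
import secrets


# ---- Non-reversible store (the model of the NDS password) -------------------
def store_hashed(password, salt=None, iterations=100_000):
    """Keep only a salted, iterated one-way hash of the UTF-8 password.

    The password cannot be recovered from this record; it can only be
    compared against a fresh clear-text attempt.
    """
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def verify_hashed(record, attempt):
    """Check a clear-text attempt against the one-way record (constant-time compare)."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", attempt.encode("utf-8"), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(digest, record["digest"])


# ---- Reversible store (the model of the simple / Universal password) --------
def _keystream(key, nonce, length):
    """Toy counter-mode keystream from HMAC-SHA256.

    Stands in for the DES/3DES encryption the guide describes; it is NOT that
    algorithm and is not intended for production use.
    """
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def store_reversible(password, domain_key):
    """Encrypt the UTF-8 clear text under the domain key so it can be recovered later."""
    pw = password.encode("utf-8")
    nonce = os.urandom(16)
    ciphertext = bytes(a ^ b for a, b in zip(pw, _keystream(domain_key, nonce, len(pw))))
    return {"nonce": nonce, "ciphertext": ciphertext}


def recover_reversible(record, domain_key):
    """Recover the clear text. The server does this; so can anyone who copies the key."""
    ct = record["ciphertext"]
    pw = bytes(a ^ b for a, b in zip(ct, _keystream(domain_key, record["nonce"], len(ct))))
    return pw.decode("utf-8")


# ---- Why a reversible form exists: challenge-response protocols -------------
def client_response(password, challenge):
    """Client side of a CRAM-style exchange: prove knowledge of the password
    without transmitting it. The server must compute the same MAC, so it needs
    the password itself (or a protocol-specific hash of it), not a salted
    one-way hash it cannot invert."""
    return hmac.new(password.encode("utf-8"), challenge, hashlib.sha256).digest()


def server_verify_challenge(record, domain_key, challenge, response):
    """Server side: recover the clear text, recompute the MAC, compare in constant time."""
    expected = client_response(recover_reversible(record, domain_key), challenge)
    return hmac.compare_digest(expected, response)


def demo():
    """Run both stores against one constructed credential and report the outcomes."""
    password = "Tr0ub4dor&3"                 # constructed sample credential
    domain_key = secrets.token_bytes(32)     # stands in for the Secure Domain Key
    hashed = store_hashed(password)
    reversible = store_reversible(password, domain_key)
    challenge = secrets.token_bytes(16)
    return {
        "hash_verifies": verify_hashed(hashed, password),
        "hash_rejects_wrong": verify_hashed(hashed, "wrong"),
        "recovered": recover_reversible(reversible, domain_key),
        "cram_verifies": server_verify_challenge(
            reversible, domain_key, challenge, client_response(password, challenge)
        ),
        "cram_rejects_wrong": server_verify_challenge(
            reversible, domain_key, challenge, client_response("wrong", challenge)
        ),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Run it directly to print the outcomes. The call to notice is recover_reversible: it is the same whether the caller is the authentication server or someone who has copied the domain key, which is why the guide's advice to protect the Secure Domain Key matters, and why a one-way store, which has no such call, is the safer choice wherever no challenge-response protocol needs the clear text.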

16.2.2 Planning for Authentication

For planning topics, see “access, authenticate, log in” in the OES online documentation.

16.2.3 Authentication Coexistence and Migration

For authentication and security coexistence and migration information, see Section 22.0, Security and Section 23.0, Certificate Management in this guide.

16.2.4 Configuring and Administering Authentication

For a list of configuration and administration topics, see “access, authenticate, log in” in the OES online documentation.