Environment
Novell Modular Authentication Service (NMAS) 3.2.0
Novell Modular Authentication Service (NMAS) 3.2.1
Novell Modular Authentication Service (NMAS) 3.3.0
Novell eDirectory 8.8.x for All Platforms
Novell eDirectory 8.7.3.10 for Platforms
Situation
How to disable the pwdFailureTime attribute from being updated
Resolution
An NMAS command can be set to stop pwdFailureTime and other NMAS-related attributes from being updated.
This setting is as follows:
nmas LoginInfo #
The value for the # (number) is as follows:
0 (or off) = Do not update any login attributes
1 = Only update attributes required by intruder detection
2 = Update all login attributes except unused user password policy attributes
3 (or on) = Update all login attributes
Example:
nmas LoginInfo 0
nmas LoginInfo 1
nmas LoginInfo 2
nmas LoginInfo 3
NetWare:
The command "nmas LoginInfo #" should be added at the end of the SYS:\SYSTEM\AUTOEXEC.NCF. After making this change, reset the server. The command may also be executed at the NetWare console.
Windows:
When eDirectory/NMAS is started, it processes the commands in the file "nmas.cfg". Manually create the nmas.cfg file in the same directory as the dib files (the default directory is c:/novell/nds/dibfiles) and add the "nmas LoginInfo #" command to it. This command can also be executed from the Novell eDirectory Services console by selecting nmas.dlm, typing the command in the Startup Parameters field, then clicking Configure. Restart eDirectory after adding the command to the nmas.cfg file.
Linux/Unix:
When eDirectory/NMAS is started, it processes the commands in the file nmas.config. Manually create the nmas.config file and add the "nmas LoginInfo #" command to it. The nmas.config file must be in the same directory as the dib directory. For example, if the dib directory path is "/var/opt/novell/eDirectory/data/dib" then the nmas.config file path would be "/var/opt/novell/eDirectory/data/nmas.config". Restart ndsd after adding this command to nmas.config. File permissions on this file should be set to at least 644. NMAS uses the same uid that ndsd uses, so the owner should be root unless it is a non-root install, in which case the owner should be the same user/uid that is running ndsd.
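The Linux/Unix steps above as a script. This is an added example, not Novell's own tooling: the function names are hypothetical, and the file location follows the article's example path (nmas.config beside the dib directory).

```shell
#!/bin/sh
# Added example: manage the "nmas LoginInfo" line in nmas.config on Linux/Unix.
# Function names are hypothetical; the path layout follows the article's example.

# nmas.config sits beside the dib directory (data/dib -> data/nmas.config).
nmas_config_path() {
    printf '%s/nmas.config\n' "$(dirname "${1%/}")"
}

# Accept only the values the article lists for "nmas LoginInfo".
valid_level() {
    case "$1" in
        0|1|2|3|on|off) return 0 ;;
        *) return 1 ;;
    esac
}

# set_logininfo DIB_DIR LEVEL: replace any existing LoginInfo line, keep the rest.
set_logininfo() {
    dib=$1 level=$2
    valid_level "$level" || { echo "invalid LoginInfo value: $level" >&2; return 2; }
    [ -d "$dib" ] || { echo "dib directory not found: $dib" >&2; return 3; }
    cfg=$(nmas_config_path "$dib")
    tmp="$cfg.tmp.$$"
    # Assumption: match case-insensitively so an older entry is not left behind.
    if [ -f "$cfg" ]; then
        grep -iv '^[[:space:]]*nmas[[:space:]]\{1,\}LoginInfo' "$cfg" > "$tmp" || true
    else
        : > "$tmp"
    fi
    printf 'nmas LoginInfo %s\n' "$level" >> "$tmp"
    chmod 644 "$tmp"    # article: permissions of at least 644
    mv "$tmp" "$cfg"    # the file is owned by whoever runs this script
}

# current_logininfo DIB_DIR: print the configured value; fail if none is set.
current_logininfo() {
    cfg=$(nmas_config_path "$1")
    [ -f "$cfg" ] || return 1
    awk 'tolower($1)=="nmas" && tolower($2)=="logininfo" {v=$3}
         END {if (v=="") exit 1; print v}' "$cfg"
}
```

Run it as the uid that runs ndsd (root on a default install) so the ownership requirement is met, then restart ndsd. Per the value list, 0 also stops updates to the attributes intruder detection requires, so 1 is the lowest setting that keeps them.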
Additional Information
This attribute was originally added in NMAS 3.1.3 (Security Services 2.0.4 - March 2007.) It was also included in eDirectory 8.8.2 release (NMAS 3.2.0 - October 2007.)
Setting | Update pwdFailureTime attribute | Remove pwdFailureTime attribute on successful login
nmas LoginInfo 0 | no | no
nmas LoginInfo 1 | no | no
nmas LoginInfo 2 | yes | yes
The pwdFailureTime attribute was implemented as defined in the LDAP Password Policy IETF draft which states the following in section 5.3.4:
"pwdFailureTime: This attribute holds the timestamps of the consecutive authentication failures"