Novell Home

My Favorites

Close

Please to see your favorites.

How to disable the pwdFailureTime attribute from being updated

This document (7002934) is provided subject to the disclaimer at the end of this document.

Environment

Novell Modular Authentication Service (NMAS) 3.2.0
Novell Modular Authentication Service (NMAS) 3.2.1
Novell Modular Authentication Service (NMAS) 3.3.0
Novell eDirectory 8.8.x for All Platforms
Novell eDirectory 8.7.3.10 for Platforms

Situation

How to disable the pwdFailureTime attribute from being updated

Resolution

A NMAS command can be set to disable the pwdFailureTime and other NMAS related attributes.

This setting is as follows:

nmas LoginInfo #

The value for the # (number) is as follows:

0 (or off) = Do not update any login attributes
1 = Only update attributes required by intruder detection
2 = update all login attributes except unused user password policy attributes
3 or on = update all login attributes

example:
nmas LoginInfo 0
nmas LoginInfo 1
nmas LoginInfo 2
nmas LoginInfo 3

NetWare:
The command "nmas LoginInfo #" should be added  at the end of the SYS:\SYSTEM\AUTOEXEC.NCF.  After making this change, reset the server. The command may also be executed at the NetWare console.

Windows:
When eDirectory/NMAS is started, it processes the commands in the file "nmas.cfg" . Manually create the nmas.cfg file in the same directory as the dib files (default directory is c:/novell /nds/dibfiles.) and add the "nmas LoginInfo #" in the nmas.cfg file.  This command can also be executed from the Novell eDirectory Services console by selecting nmas.dlm, typing the command in the Startup Parameters field, then clicking Configure. Restart eDirectory after making adding the command in the nmas.cfg file.


Linux/Unix:
When eDirectory/NMAS is started, it processes the commands in the file nmas.config.  Manually create the nmas.config file in the same directory as the dib files and add the "nmas LoginInfo #" in the nmas.config file. The nmas.config file must be in the same directory as the dib directory. For example, if the dib directory path is
"/var/opt/novell/eDirectory/data/dib" then the nmas.config file path would be "/var/opt/novell/eDirectory/data/nmas.config". Restart ndsd after adding this command in the nmas.config. File permissions on this file should be set to at least 644. NMAS uses the same uid that ndsd uses so the owner should be root,
unless it is a non root install. Then the owner should be the same user/uid that is running ndsd.

Additional Information

This attribute was originally added in NMAS 3.1.3  (Security Services 2.0.4 - March 2007.)  It was also included in eDirectory 8.8.2 release (NMAS 3.2.0 - October 2007.)

                                 update pwdFailureTime attribute  |  remove pwdFailuretime attribute on Successful login
nmas LoginInfo 0                            no                                                                          no
nmas LoginInfo 1                            no                                                                          no
nmas LoginInfo 2                            yes                                                                        yes


The pwdFailureTime attribute was implemented as defined in the LDAP Password Policy IETF draft which states the following in section 5.3.4:

"pwdFailureTime:  This attribute holds the timestamps of the consecutive authentication failures"

Disclaimer

This Support Knowledgebase provides a valuable tool for NetIQ/Novell/SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID:7002934
  • Creation Date:08-APR-09
  • Modified Date:26-APR-12
    • NovellNMAS (Modular Authentication Service)

Did this document solve your problem? Provide Feedback