Novell Home

My Favorites

Close

Please to see your favorites.

History of Issues Resolved for Novell Security Components

This document (7005397) is provided subject to the disclaimer at the end of this document.

Environment

Novell eDirectory 8.7.3 for All Platforms
Novell eDirectory 8.8 for All Platforms
Novell Modular Authentication Service (NMAS)
Novell Certificate Server (PKIS)
Novell International Cryptographic Infrastructure (NICI)
Novell NTLS

Situation

Where is a comprehensive list of all Security Component fixes?

Resolution

This TID has been obsoleted as security component fixes now ship in eDirectory patches.  This TID covers fixes from Security patch SSP201 through eDir 8.8 SP6 Patch 2.
 
Therefore, all security component fixes going forward will be documented in the eDirectory "History of Issues Resolved" TID.  It can be found here:

Additional Information

_______________________________________________________________________________________
eDirectory 8.8 Support Pack 6 Patch 2 Security Updates
For eDirectory 8.8 SP6 Platforms
June 02, 2011

NMAS 3.3.3.3
- NMAS SAML LSM disallows logins when Network Address Restrictions are set on the authenticating user object (Bug 640866)

Novell SASL GSSAPI Login Method 2.8.3.1 for NMAS
- Multiple checksum handling vulnerabilities - MITKRB5-SA-2010-007
KDC: Bug 655931
Method: Bug 655715
To resolve this defect in the older Novell KDC product, the KDC, method and LDAP extensions must be updated.
The updated KDC 1.5 for OES 2 SP2 and OES 2 SP3 and the LDAP extensions are available over the appropriate OES channel.
For OES 2 SP3 this fix is in novell-kerberos-base-1.5-49 & novell-kerberos-ldap-extensions-1.5-49 or higher via the oes2sp3-novell-kerberos update package in the channel.
_______________________________________________________________________________________
eDirectory 8.8 Support Pack 5 Patch 6 Security Updates
For eDirectory 8.8 SP5 Platforms
June 03, 2011

NMAS 3.3.2.5
- Doublefree issue when stress testing the server using a multi threaded nmas bind program (Bug 628257/662327)
- NMAS SAML LSM disallows logins when Network Address Restrictions are set on the authenticating user object. (Bug 640866)

NTLS 2.0.5.1
- Security Vulnerability - OpenSSL Handshake renegotiation of existing connections (Bug 586809) (CVE-2009-3555)

Novell SASL GSSAPI Login Method 2.8.3.1 for NMAS
- Multiple checksum handling vulnerabilities - MITKRB5-SA-2010-007
KDC: Bug 655931
Method: Bug 655715
To resolve this defect in the older Novell KDC product, the KDC, method and LDAP extensions must be updated.
The updated KDC 1.5 for OES 2 SP2 and OES 2 SP3 and the LDAP extensions are available over the appropriate OES channel.
For OES 2 SP2 this fix is in novell-kerberos-base-1.5-46.6 & novell-kerberos-ldap-extensions-1.5-46.6 or higher via the oes2sp2-novell-kerberos update package in the channel.

_______________________________________________________________________________________
NMAS 3.3.3
For eDirectory 8.8 SP6 Platforms
October 15, 2010
Contains NMAS 3.3.3, Novell Certificate Server 3.3.4, NICI 2.7.6, NMAS Methods 2.8.3, and NTLS 2.0.6

NMAS 3.3.3
- NDSD core in NESCM method due to NMAS connection reuse\timeout defect  (Bug 571006)
- Memory buildup due to too many values in pwdFailureTime  (Bug 552875)
- Timestamps are being added to the pwdFailureTime attribute when NMAS server times out or client cancels login (Bug 535495)
- Enhancement:  NMAS now can use XDAS for audit reporting  (Bug 601989 613988)
- Multiple core issues resolved  (Bug 615851)
- Changes made to make all authentication failures consistent in their delay  (Bug 593174)
 
NMAS Methods: 2.8.3
- Localization fixes  (Bug 489638)
- SAML method login fails in User Application if a period is in the DN  (Bug 599089)
- NMAS Saml method does not escape dot notation in username  (Bug 507271)
- Core due to memory corruption in the DIGEST-MD5 method  (Bug 507198)
- Multiple coring issues resolved due to null pointers, uninitialized variables, etc  (Bug 618227)
- Error, ' Warning: configFile contains unrecognized label' when installing the Simple Password NMAS method using nmasinst  (Bug 598361)
- SAML method added to 64 bit Linux  (Bug 521470)
- GSSAPI.zip file was not bundled with the novell-sasl-gssapi-method rpm  (Bug 497184)
- LDAP bind with SASL GSSAPI when the realm container is deleted causes ndsd core dump  (Bug 499662)
 
NTLS: 2.0.6
- Core in NTLS while on startup when 3rd party cert is used for CA and force creation is turned on  (Bug 542587)
- Symbolic links in AIX filesets' pointing to absolute path instead of relative path  (Bug 621787)
 
PKI: 3.3.4
- Encoding of domainComponent attributes should be IA5String  (Bug 540127)
- Certificate Server was stripping out the alt. subject name when imported an externally signed public key  (Bug 534618)
- Error: -1238 received from importing an Entrust signed cert due to Terisa error  (Bug 471699)
- Remote Code Execution Vulnerability via Buffer Overflow  (Bug 575057)
- Error: -1409 NICI_BUFFER_OVERFLOW errors when exporting the self signed certificate from the CA  (Bug 578543)
- Error processing certificate validations in Access Manager  (Bug 487210)
- Validating a KMO with an incomplete certificate chain causes Java to crash  (Bug 570727)
- Error: -601 trying to create server certificates with a wildcard GoDaddy signed certificate  (Bug 577205)
 
NICI: 2.7.6
- High utilization on Mid Tier Servers  (Bug 393478)
- Performance issue on Solaris 64 bit due to deadlock  (Bug 477597)
- The SSP206 install was continuing to copy files from the old 873 location resulting in NICI being overwritten (Bug 517444)
 
 
_______________________________________________________________________________________
NMAS 3.3.2.3 Patch 1
February 16, 2010

NMAS 3.3.2.3
Audit PA failover feature fails when NMAS Auditing is turned on (Bug 541579)

Novell SASL GSSAPI Login Method 2.0.2 for NMAS 3.3.2.3
- Security vulnerability in the crypto library of MIT Kerberos (Bug 573387) (CVE-2009-4212) (MITKRB5-SA-2009-004)
(TID 7002100)
To resolve this defect as reported by MIT Kerberos both Kerberos and the GSSAPI method must be updated.
Kerberos 1.5-41: http://download.novell.com/Download?buildid=i9_BmLPleO0~
GSSAPI method: http://download.novell.com/Download?buildid=9Ddu8DuN63Q~


________________________________________________________________________________________
NMAS 3.3.2.2 Patch 1
October 9, 2009

NMAS 3.3.2.2
- NMAS no longer increments the intruder lockout count on User App timeout (Bug 525172)
Note: the User App patch 370A will also be required for the above issues (Bug 537416)
For more information please see Section 7.2 of the NMAS admin guide
- eDirectory instrumentation does not provide the source user for password events when UP is enabled (Bug 511455)
- Authentication Error: -1691 when near constant login requests are not allowing a policy lock which results in no login sequences being returned (Bug 500066)
- Failing to migrate the Simple Password to the Universal Password (Bug 495969)
- pwdFailureTime attribute now has a ceiling on the number of values held to prevent replication problems (Bug 475392)
- Audit failing: Error: 0 - SNMP trap ndsVerifyPass is now sent (Bug 484898)
- 601 Object not found when user name contains a " . " using the SAML method (Bug 507271)
- Bluelance: no event thrown for password change when using universal passwords (Bug 206597)
- Public symbol error when loading NMAS on NetWare due to missing sal.nlm dependancy (Bug 533937)
- On NetWare, NMAS command LoginInfo does not have any effect (Bug 535849)

NMAS methods 2.8.2_FTF1
October 9, 2009
- NMAS cores in DIGEST-MD5 login method (Bug 507198)
- Problems migrating the Simple Password to the Universal Password (Bug 495969)


________________________________________________________________________________________
NMAS Client 3.3.2 FTF

June 5, 2009
For eDirectory 8.8 SP5 Platforms

NMAS Client
- Handling of NMAS "OR" sequence shows "Novell Security Message" when it shouldn't (Bug 229641)


________________________________________________________________________________________
Security Bundle 2.0.9
June 5, 2009
For eDirectory 8.8 SP5 Platforms
Contains NMAS 3.3.2, Novell Certificate Server 3.3.3, NICI 2.7.6, NMAS Methods 2.8.2, and NTLS 2.0.5
NMAS 3.3.2
- ndsd memory buildup due to the amount of memory assigned to NMAS threads (Bug 409434)
- server cores due to a null pointer returned by NMAS_GetAttribute (Bug 492240/491894)
- After a successful login using the NDS Method, NMAS returns ERROR: -1645 Server timed out waiting for data (Bug 472741)
- Users cannot login due to NMAS RW Writer thread stuck waiting to aquire Read Lock (Bug 481664)
- NMAS_E_INCOMPATABLE_LOGIN_DATA (-1695) when attempting to change password from client (Bug 437499)
- Code(-9065) Unable to determine value of attribute nspmDistributionPassword for object
NOTE: An updated version of 8.8 SP3 is also required due to a -659 error (Bug 445215)
- 625 errors due to dclient context not being connected to a server (Bug 478421)
- Memory leak and memory corruption issue (Bug 424296\481664)
- Password migration will fail if "Allow user to initiate password change" is disabled in UP policy (Bug 433571)
- NMAS no longer increments the login intruder attempts if there is a failure because the following: Account Disabled/Expired, Time restrictions, AddressRestrictions , MaxStationRestriction , Intruder locked out (Bug 443034)
- ndsd cores after installing a DSfW child DC (Bug 491881)
- Change to only update user's login policy attributes during password change or login not when password is read (Bug 445215)

Novell Certificate Server 3.3.3
- Localiation fixes
- X509 Authentication fails for Double Byte character Users in certificate Directory Name (Bug 346736)
- Server cores when it does not have a copy of the security container (Bug 456594)
- DS cores in SEC_unicpy (Bug 481104)
- NDSD cores: event handler not correctly handling loading\unloading of module (Bug 486099\483085)
- Pkiserver.log is getting created under dib directory instead of the log directory (Bug 487563/574642)

NICI 2.7.6
- High utiliation and users cannot login to MiddleTier (Bug 393478)
- Previous security bundles would copy nici files from /vart/novell/nici to /var/opt/novell/nici if it exists overwritting good nici files (Bug 517444)
- Windows 64 bit: ldapsearch hangs if preallocate cache is more than 4GB (Bug 467264)
- Manually installing 64 bit returns conflicts with the existing 32 bit files (Bug 468220/473876)
- Incorrect libccs2.so Path Might Cause eDirectory Configuration Error on Red Hat 5.0 (Bug 430609)
- Dhost is crashing while shutting down the eDirectory (Bug 410848)
- Added the ability to backup NICI files using the -e option in DSBK (Bug 96116/458279)
- NetWare: CIFS threads would get stuck inside NICI code resulting in an abend (Bug 476803)

NMAS Methods 2.8.2
- SASL logins fail randomly using Certmutal method (Bug 475822)
- GSSAPI plugin\Kerberos management plugin fails to delete realm with a "." in realm name (Bug 478925)


________________________________________________________________________________________
NMAS 3.3.1.3 FTF
- Simple Bind failed when using Simple Password after the Simple Password method was install and before another login occurred (Bug 406046)
- Changed to allow password migration when "Allow user to initiate password change" is disabled in UP policy (Bug 433571)
- Change to remove corrupted password values or password history values during password change (Bug 437499)
- Change to increment "login intruder attempts" counter only when a login method fails not on a login policy violation (Bug 443034)
- Replaced dstrace statment "ERROR: -1645 Server timed out waiting for data" that appeared after a successful login (Bug 472741)
- NMAS refreshpolicy issue causing NMAS authentication issues (Bug 481664)


________________________________________________________________________________________
Security Bundle 2.0.8
December 3, 2008
For eDirectory 8.8 SP4 Platforms
Contains NMAS 3.3.1, Novell Certificate Server 3.3.2, NICI 2.7.5, NMAS Methods 2.8.1, and NTLS 2.0.4

NMAS 3.3.1
- 1437 error when authenticating through NMAS or modifying Universal Password (Bug 426423)
- Simple password can now be set which removes the UP password and allows simple to migrate to UP (Bug 260977)
- DSfW not able to reuse password after it is set if pwdInHistory exists (Bug 390138)
- Excessive rights on files (Bug 414898)
- Nmas core in MAF_CheckHandle (Bug 416280)
- Core because of size of password history (Bug 426629)
- LSM module not properly handling a password with a length of zero (Bug 430138)
- NMAS server crashes eDirectory during a chained search (Bug 443827)

Novell Certificate Server 3.3.2
- CRL list for user certificates filters out those beyond their expiration (Bug 361911)
- Files have excessive permissions (Bug 357202)

NICI 2.7.5
- NICI not getting set to server mode due to missing link (Bug 417261\418679)

NTLS 2.0.4
- NTLS not installing in a Solaris zone environment (Bug 416212/351302)


________________________________________________________________________________________
Security Bundle 2.0.7
NOTE: This and all subsequent Security Bundles are no longer available seperately. They are only available in eDirectory 8.8 Support Packs.
July 31, 2008
For eDirectory 8.8 SP3 Platforms
Contains NMAS 3.3.0, Novell Certificate Server 3.3.1, NICI 2.7.4, NMAS Methods 2.8.0, and NTLS 2.0.3

NMAS 3.3.0
- after migrating from simple password to UP, retrieving password status fails with error 1695 (Bug 307962)
- IDM can now detect if password was changed by the admin or user (Bug 335733)
- Install: NMASINST -i will abends when trying to apply the NMAS Extension (Bug 377493)
- LDAP bind performance increased (Bug 337604)
- nspmPasswordKey could be overwritten if there is an error reading the attribute (Bug 337983)
- Password expiration time is only modified when verify compliance on login is set (Bug 344829)
- Partition root is checked for intruder detection policy (Bug 349172)

Novell Certificate Server 3.3.1
- Allow KMO to be created even if Terisa key file is not created (Bug 334934)
- Prevent memory buildup with performance increase (Bug 339953)
- CRL may not get issued if the aveTime field is too large (Bug 345049)
- Health check now exports the CA certificate on Linux and Windows (Bug 348172)
- SAS error -255 when configuring SAS service (Bug 358786)
- Error: -672 when users create a personal certificate in iManager (Bug 363063)
- Change in where certificates are stored so multi-instance can work (Bug 395144)

NICI 2.7.4
- NICI segfault when installing eDirectory 8.8.2 on AMD X86_64 (Bug 396943)
- NICI does not install in Solaris zone environment (Bug 351300)

NMAS Methods 2.8.0
- Core in ndsd due to null pointer exception in nmas Challenge Response method (Bug 423753)

NTLS 2.0.3
- 64 bit ports
- NTLS does not install in Solaris Zone environment (Bug 351302)

OTHER:
Note:This version of Novell's Security Support Pack is shipped with eDirectory only. There are no longer standalone Security Support Packs. To upgrade to the latest version the latest version of eDirectory must be installed.

WHATS NEW:
- iManager plug-ins for Graded Authentication: Provides a way to manage graded authentication functionality using iManager. See Section 4.0, Using Graded Authentication.
- iManager plug-ins for password policy: These are generally available.
- LDAP case-sensitive passwords: See the eDirectory 8.8 Administration Guide.
- Security container caching: Security container data is now cached onto the local server. This feature eliminates the problem of slow authentication when the server housing the security container is not available. See the Miscellaneous chapter of the eDirectory 8.8 Administration Guide for more information.
- Additional DSTRACE information: When you run DSTRACE, NMAS returns more information for troubleshooting purposes. See Section 6.2, Using DSTRACE.
- Auditing using NSure® Audit: You can now audit NMAS events using Nsure Audit. See Section 6.5, Auditing NMAS Events Using Nsure Audit.
- GSSAPI SASL mechanism: Allows you to authenticate to eDirectory using a Kerberos* ticket. See the eDirectory 8.8 Administration Guide.


________________________________________________________________________________________
Security Bundle 2.0.6
July 21, 2008
For eDirectory 8.8 SP2 and 8.7.3 SP10b. OES:NetWare 6.5 SP6\SP7
Contains NMAS 3.2.1, Novell Certificate Server 3.3.0.1, NICI 2.7.3, NMAS Methods 2.7.7, and NTLS 2.0.2

NMAS 3.2.1:
- After migrating a hashed Simple Password to the Universal Password, the diagpwd utility fails with the error -1695 (NMAS_E_INCOMPATIBLE_LOGIN_DATA) (Bug 307962)
- NMAS returns buffer overflow when min and max numeric password values set in advanced password policy (Bug 326893)
- Small memory leak during failed login attempts when intruder detection is enabled (Bug 334597)
- Context leak when a password policy is not assigned to the user object, to the user object's parent container, or the user object's partition root (Bug 338686)
- NMAS login does not treat account expiration time in the same way as eDirectory login (Bug 341012)
- Password policy compliance not being enforced when using ldap (Bug 344416)
- If NDSD_TRY_NMASLOGIN_FIRST is set to true the IDM Role Service Driver will fail to start with a -779 (ERR_CANNOT_GO_REMOTE) error (Bug 353146)
- NMAS cores while setting Universal Password when removing password history values (Bug 353606)
- Random password generation not correctly adhering to maximum consecutive character restrictions (Bug 357864)
- Microsoft Complexity Policy - Don't check if a disallowed attribute value is contained in the password if the attribute value is less than three characters (Bug 372830)
- Resolved several NMAS issues when the eDirectory process has consumed most or all of the memory available to it (Bug 372864)
- Unable to unlock scrsaver on server with no replicas when NMAS auditing is enabled (Bug 391388)
- NMAS cores when XML complexity policy is enabled and "Verify password for compliance during login" option is not enabled (Bug 401408)

CERTIFICATE SERVER 3.3.0.1:
- Abend when revoking Certificate with DSTrace enabled (Bug 390486)
- Rights issues when creating user certificates (Bug 363063)

NMAS METHODS 2.7.7:
- Enhancement: When answering Challenge Questions allow answers to be masked (TID 3794808) (Bug 134210)
- Special characters in the Challenge response causes login failed (Bug 340150)
- Challenge/Response Method fails to install resource DLL (Bug 341202)
- Challenge/Response Security Vulnerability in which clipboard contents can be pasted into input fields (Bug 341363)
- Invoking the forgotten password feature may cause eDirectory to crash (Bug 379693)
- Simple Password always expires the password when it sets the Universal Password (Bug 331004)

Notes:
-OES 1 SP2 installations should use the channel to update eDirectory and install this patch.
- Do NOT install this patch on eDirectory 8.8 SP3 or higher.
- NMAS 3.2.1 was the last release that supported both eDirectory 8.7.3 and 8.8 SPx
- If the Security Services 2.0.6 patch is being installed on NetWare 6.5 SP6 with iManager 2.6, it is crucial the NPKIAPI.nlm, NPKIT.nlm and npki.jar files on the server be version 3.30 or greater to avoid an ABEND. iManager and the Novell Certificate Server plug-in use the npki.jar file in the "sys:\tomcat\4\webapps\nps\WEB-INF\lib" directory.


________________________________________________________________________________________
NMAS 3.2.0.1 FTF
November 30, 2007
- Small memory leak during login when intruder detection is enabled (Bug 334597)
- NMAS returns buffer overflow when min and max numeric password values set in advanced password policy (Bug 326893)
- Context leak when password policy is assigned to Login Policy (TID 3018646) (Bug 338686)
- NMAS does not treat account expiration time as unsigned int (TID 3647842) (Bug 341012)
- Password policy compliance not being enforced when using ldap (Verify option and NDSD_TRY_NMASLOGIN_FIRST=true) (TID 3442146) (Bug 344416)


________________________________________________________________________________________
Security Bundle 2.0.5
October 8, 2007
For eDirectory 8.8 SP1 and 8.7.3 SP9. OES:NetWare 6.5 SP6\SP7 and OES Linux 1 SP2
Contains NMAS 3.2.0, Novell Certificate Server 3.3.0, NICI 2.7.3, NMAS Methods 2.7.5, and NTLS 2.0.2

NMAS 3.2.0:
- Enhancement: Increased LDAP Bind performance with NDSD_TRY_NMASLOGIN_FIRST=true (Bug 169581)
- After applying SSP201 scrsaver.nlm will not unlock screensaver with users that have a network address restriction applied equal to the server IP Address (Bug 198083)
- Enhancement: intruder detection, allow account to be locked indefinitely (Bug 207777)
- Enhancement: allow NMAS to use external Certificates for Novell Audit (Bug 222419)
- Scrsaver.nlm fails to unlock screen if admin user has a default sequence defined (Bug 230950)
- Enhancement: fail over to NDS method when default is not possible (Bug 233069)
- Enhancement: NMAS evaluates X number of characters to support character limited systems (Bug 235403)
- Minimum and Maximum upper and lower case rules confusing (Bug 235884)
- Remove Password history values if they can't be decrypted on password changes. Error: FFFFFA78 error when trying to change a password (Bug 240427)
- Enhancement: limit Universal password access to only admins of a special group (Bug 258105)
- NMAS spmnwcc 'breaks' legacy functionality of addr restrictions (Bug 253852)
- NMAS Error: -1642 when trying to autoprovision for the first time with NCP (Bug 253852)
- Unable to get nspm password(2) failed, Error: -1697 (Bug 260538)
- -16022 errors in IDM trace when no maximum password length is specified or if min and max password lengths are set to the same value (Bug 267496)
- Generate Password token gives -6022 NMAS error when nspmMinUniqueCharacters is equal to nspmMaximumLength (Bug 267748)
- Third party NMAS method only works once then next authenticiation returns Error: -1662 (Bug 274573)
- Enhancement: do not set password expiration forward when a user cancels out of password change (Bug 285723)
- Generate Password noun does not abide by rules with Microsoft Complexity (Bug 291259)
- Minimum password length is changing to 0 when using Microsoft Complexity Policy (Bug 299984)

CERTIFICATE SERVER 3.3.0:
- Allow import of certificates without Digital Signature key usages (Bug 147367)
- Fix NPKI man pages (Bug 184542)
- Need the ability to create an AIA extension (Bug 192270)
- Remote Post-install of Certificate server fails, post-install aborts (Bug 217512)
- Enhancement: add Server Self-Provisioning and User Self-Provisioning (Bug 224784)
- If the eDirectory CA acts as SubCA, PKI.NLM will export the Intermediate Trusted Root into the RootCert.der instead of the SelfSigned Trusted Root (Bug 224903)
- Solaris: Ndsd crashing after installing ssp 2.03 with crl list (Bug 229640)
- OES2 Enhancement: add capability to Health Check code to export certificates/private keys to file system for local services to use (Bug 263452)
- "Path Length Violation" while running the validation process on a level three root certificate (Bug 263452)
- Enhancement: add IP/DNS names to Subject Alt Names during CreateDefaultCertificates (Bug 270101)
- Enhancement: add capability to PKI server health check to create default certificates (Bug 272459)
- OES2 Enhancement: PKI Install should be able to configure export of certificates/private keys to file system (Bug 275452)
- Enhancement: allow Health Check "Create Default Certificates" to force certificate creation when CA Changes (Bug 275800)
- OES2 Enhancement: PKI Health Check should insert the eDir CA's certificate into the System JAVA keystore (Bug 278873)
- OES2 enhancement, PKI Health Check to add servers as SDI Key Servers (W0:SDI Key Server DN list) (Bug 282136)
- Exception in NPKIAPI KMOExportClearAllValues call via npki.jar (Bug 283951)
- NPKIGetServerInfo is not returning SHA2 keys (Bug 285673)
- Fix X.509 Decode to include the extended key usages (Bug 287708)

NICI 2.7.2:
- Memory leak during initial config processing (Bug 270704)

NTLS 2.0.2:
- LDAP refresh causes memory build up in xmgr (NICI) (Bug 286166)
- NDSD core using Encrypted Replication (Bug 326676)
- Certmutual logins fail with ldap error 81 (Bug 329130)

NMAS METHODS 2.7.5:
- Challenge Response LSM returns successful authentication on unparseable XML challenge set (Bug 222681)
- Typo in Challenge Response method file (Bug 257677)
- Attempting to authenticate using Challenge Response method causes core on SLES 9 server (Bug 261059)
- If NMAS sequence is set to Challenge/Response but user has no challenge set Error: FFFFFDA5(-603) is returned (Bug 275840)
- DIGEST-MD5 (2.7.4) authentication fails with Invalid credentials (49) or Error: -1632 (Bug 279684)

NMAS PLUGINS 3.2 for iManager 2.7:
- Java exception editing Security Policy object (TID 3505180) (Bug 303930)
- Java exception on Login Sequences page if user has an & in their DN (TID 3272323) (Bug 304397)
- NMAS Plug-in takes a few minutes to return NMAS Login Sequences or NMAS Login Methods tasks in large trees (TID 3020873) (Bug 353291)

NOTES:
- The following bug fixes contained in this patch were not included in eDirectory 8.8 SP2 and NetWare 6.5 SP7:
326676 ndsd core using Encrypted Replication (ntls)
329130 cert mutual logins fail with ldap error 81(ntls)


________________________________________________________________________________________
NMAS 3.1.3.2 FTF
June 6, 2007
- After applying SSP203 scrsaver will not unlock with users that have a network address restriction applied equal to the server IP Address (Bug 198083)
- Need to fail over to NDS method when default is not possible (Bug 233069)
- Remove Password history values if they can't be decrypted on password changes (Bug 240427)
- nmasinst cores when vendor is not specified in config.txt (Bug 251350)
- NMAS spmnwcc breaks legacy functionality of address restrictions (Bug 253852)
- NMAS error -1642 when trying to autoprovision for the first time with NCP (Bug 254685)
- Unable to get nspm password(2) failed, -1697 (Bug 260538)
- NMAS abends when there are no defined login sequences (Bug 270782)
- 3rd party NMAS method only works one time, next authenticaton -1662 (Bug 274573)


________________________________________________________________________________________
Security Bundle 2.0.4
March 16, 2007
For eDirectory 8.8 SP1 and 8.7.3 SP9. OES:NetWare 6.5 SP5\SP6 and OES Linux 1 SP2
Contains NMAS 3.1.3, Novell Certificate Server 3.2.2, NICI 2.7.2, NMAS Methods 2.7.4, and NTLS 2.0.1

NMAS 3.1.3:
- Enable Excluded Passwords list to include wildcards (Bug 85092)
- Nmasinst cannot login to the tree without -h option on Linux (Bug 175663)
- Universal Password setting to not expire passwords when changed by admin (Bug 199328)
- Added Password change timestamp attribute (Bug 206030)
- Expanded containment rules for nspmPasswordPolicy, nsimChallengeSet, nspmPasswordPolicyContainer (Bug 206616)
- Added an option that removes the oldest passwords from the password history when their number exceeds a configured limit (Bug 206875)
- Linux\Unix: Error: -1644 with NMAS authentications (Bug 213208)
- Added an NMAS Attribute ID that will return a typefull DN (Bug 218659)
- Ndsd core dump on AIX in nmasRefresh (Bug 219902)
- Ndsd core dump on Linux in nmasRefresh (Bug 221521)
- Core/Abend when Blank or Null password is set (Bug 225549)
- Cannot read Post Login Config or Secretstore from a PLSM (Bug 225759)
- Once password history is full, with "Verify whether existing password complies..." turned on, each login the user password is expired (Bug 227957)
- NMAS abend after updating to NMAS 3.1.2 on BorderManager 3.8 SP5 VPN server (Bug 227940)
- Nmasinst.nlm not updating local server with nmas extensions (Bug 231409)
- Added additional trace messages for failures loading and unloading methods (Bug 238522)
- Removing Universal Password attributes with "Verify" option enabled causes password migration and states password is expired (Bug 238316)
- NMAS causes core when there is not a handler for the trace messages (Bug 238812)
- IDM setting/reading simple password error 1659, 9065 (Bug 246447)

CERTIFICATE SERVER 3.2.2:
- PKI is not calculating UTC minutes when populating a KMO's NDSPKI:Not Before and Not After values (Bug 189937)
- CA not operational error when you try to Issue Now a CRL (Bug 193288)
- The default certificate : SSL CertificateDNS is not been created in Solaris (Bug 196355)
- Error when trying to add a Novell Extension to a certificate when the CA doesn't have a Novell Extension (Bug 214074)
- Added EKU of Encrypting File System support (Bug 217064)
- Added support for RFC 2985 (Certificate Extensions in a CSR) (Bug 219178)
- VerifyCertificate API getting Error: -1258 Basic Constraints: Subject Path Length violation (Bug 231859)
- eDir cored in module NPKI when restarting server (Bug 240946)

NICI 2.7.2:
- Implement changes in NICI to meet FIPS requirements (Bug 150641)
- Bsafe security vulnerablility VU#845620- https://www.kb.cert.org/vuls/id/ (Bug 220505)
- NW Password Hash sometimes does not process null passwords correctly (Bug 225160)
- With NMAS & NICI Clients installed attempt to login, the nwtray shuts down (Bug 228088)
- Abend PFPE in XMGR.NLM at code start +000184DDh (Bug 228777)

NTLS 2.0.1:
- Double-free of NICI ctx inside ssl_ctx_read_kmo (Bug 209320)
- OpenSSL vulnerability -RSA Signature Forgery (CVE-2006-4339) (Bug 214034)
- CertMutual method fails with -16049 error - SLES 9 SP3 server (Bug 225588)
- NetWare 6.5 SP6 abends if LDAP server is associated to an empty Trusted Roots container (Bug 235496)
- NetWare 6.5 SP6 abends loading Apache (Bug 235496)

NMAS METHODS 2.7.4:
- Jndi md5-digest fails with international characters in username due to using "ISO-8859-1" charset for username in hash (Bug 159239)
- Receive text strings from challenge/response in utf-8 (Bug 165396)
- Long questions in Challenge/Response gives -1639 error (Bug 197189)
- Ampersand (&) in Challenge/Response question or answer causing NMAS Error: -1665 (Bug 201718)
- The 2.7.2 DigestMD5 LSM may hang while unloading on Netware (Bug 203067)
- The 2.7.2 CertMutual LSM may hang while unloading on Netware (Bug 203068)


________________________________________________________________________________________
NMAS 3.1.2.3 FTF
January 31, 2007
Bug 221521 - ndsd core dump on Linux in nmasRefresh - See TID# 3896906
Bug 219902 - ndsd core dump on AIX in nmasRefresh - See TID# 3896906
Bug 225549 - Core/Abend when Blank or Null password is set - See TID# 3316189
Bug 227940 - NMAS abend after updating to NMAS 3.1.2 on BorderManager 3.8 SP5 VPN server - See TID# 3786007


________________________________________________________________________________________
Security Bundle 2.0.3
October 27, 2006
For eDirectory 8.8 SP1 and 8.7.3 SP8. OES:NetWare 6.5 SP5\SP6 and OES Linux 1 SP2
Contains NMAS 3.1.2, Novell Certificate Server 3.2, NICI 2.7.0.2, NMAS Methods 2.7.3, and NTLS 2.0

NMAS 3.1.2:
- Nmasinst for NetWare requires password in clear text on console (Bug 156294)
- Expiring a user's password with grace logins resets after one login without changing the password (Bug 163512)
- NMAS - remove fopen, fclose, etc calls (Bug 164979)
- Require a password not being honored correctly (Bug 178618)
- Failed login delay not reset to default after Login Policy attribute deleted (Bug 189988)
- Security Vulnerability - NMAS BerDecodeLoginDataRequest DoS Vulnerability (Bug 195516)
- Null charactor on Simple Password is dropped when UP writes to simple (Bug 196276)
- User unable to do NMAS authentication via IPX after applying NMAS 3.1.1 (Bug 201321)
- Mapping a volume via CIFS abends server in NMAS.NLM (Owned by CIFSPROX.NLM) (Bug 201688)
- Maximum password length not enforced for password change or set (Bug 201975)
- Nmasldap_check_login_policy can cause NetWare to ABEND (Bug 201991)
- Invalid parameters to nmasldap_set_address_policy can cause server to ABEND (Bug 202028)
- Challenge Response questions\answers being written to multiple servers (Bug 204330)
- Memory leak in MAF_MemMalloc (Bug 204358)
- NMAS abending when logging in with NCP cilent (Bug 205436)
- Error: -659 in nmas trace while doing ldapbinds, even when time is in sync (Bug 206878)
- Network address restriction is not being enforced with SSP 202 (Bug 207307)
- Abend when auditing enabled (Bug 209313)
- SPMNWCC.NLM causes FTP logins to go through NMAS and experience long delays on exref server (Bug 209857)
- NMAS Simple Password Binds are Failing in AIX 5.2 with eDirectory 8.7.3 SP9 (Bug 210217)

CERTIFICATE SERVER 3.2:
- NPKIAPI 3.21: Downgrading CA will cause new certificate creation to fail (Bug 204986)

NICI 2.7.0.2:
- NICI keys do not migrate when running Migration Wizard - Migration Fails (Bug 100339)

NMAS METHODS 2.7.3:
- Challenge ResponseClient truncates Challenge question if longer than 77 characters (Bug 155575)
- Random ASCII characters displayed in place of é in the French challenge questions when displayed from the Novell Client (Bug 161037)

Notes:
- This Security Bundle was the last release that contained the following: Enhanced Password, Universal Smartcard, Entrust, Advanded X.509, and Simple X.509 login methods, Change NDS Password post login method, and Simple Password Windows LCM.
- Nmasinst does not have an option to remove NMAS methods. This must be done using iManager.


________________________________________________________________________________________
Security Bundle 2.0.2
August 14, 2006
For eDirectory 8.8 SP1 and 8.7.3 SP8. OES:NetWare 6.5 SP5 and OES Linux 1 SP2
Contains NMAS 3.1.1, Novell Certificate Server 3.2, NICI 2.7, NMAS Methods 2.7.3, and NTLS 2.0

NMAS 3.1.1:
- NMAS is not clearing "Incorrect login count" when the "Intruder attempt reset interval" had elapsed (Bug 143676)
- NMAS can generate audit events which auto loads logevent.nlm and possibly fill up the HD. Now there is an option to turn NMAS audit off (Bug 146019)
- Nmasldap_check_login_policy() does not handle grace logins (Bug 147631)
- Associating Universal Password Policy on a container expires users passwords if their password does not comply with the Policy (Bug 149372)
- Login with iManager for a user which has been moved to a long named OU, shutsdown the NDSD service on SLES 9 (Bug 150726)
- NMAS LSC file contains 2 entries with same ID (Bug 151261)
- LSM audit events should use method name not library name for "component" field in audit events (Bug 156122)
- Update audit event file to support audit's new event groups feature (Bug 156123)
- Nmasinst for NetWare requires password in clear text on console (Bug 156294)
- Nmasinst displays debug messages (Bug 156949)
- MAF_DS functions need to be updated (Bug 158260)
- NDS method is created without the sasMethodVersion attribute (Bug 159917)
- Ndsconfig add is failing (Bug 161308)
- If the nspmExcludeList is not terminated causes an abend (Bug 164568)
- Password history not enforced if password is expired (Bug 164929)
- Core dump on performing LDAP Search / Add / Modify & Delete operations as different users who are members of different dynamic groups (Bug 165179)
- Unknown error -338 occurred during ndsconfig while configuring NMAS service (Bug 167505)
- Password History is not case sensitive (Bug 169483)
- Password policy does not function properly when Verify password on login and Restrict days before password can be changed are both enabled (Bug 169490)
- In certain cases, Password is expired when incorrect password is attempted (Bug 173350)
- With the password management property, we are currently able to set the nspmDistributionPassword, but we are not able to read the password (Bug 175412)
- Not able to set simple password when treekey is DES instead of 3DES (Bug 178722)
- ERROR: -1658 DALCreateLoginSession:GetXKey after uploading users with Passwords (Bug 178777)
- After upgrading to NMAS 3.1, Post Login methods (Secure Workstation) break and give 1660 and 1652 errors (Bug 182893)
- Login fails because Account is Locked, even though Locked By Intruder is False (Bug 184157)
- NDS method set the UP everytime a user logs in, when the advanced UP rules are not enabled (Bug 189684)
- NMAS memory leak in NMAS 3.1.0.1 (eDirectory 8.8 SP1) (Bug 195671)
- Potential for NMAS to cause 100% utilization when users have many authorized clearances assigned to them (Bug 197221)

CERTIFICATE SERVER 3.2:
- Rootcert.der needs to be created during the post-install if it doesn't exist (Bug 85166)
- NPKIT setting umask (Bug 86009)
- Add Private Key to PEM type (Bug 115446)
- Import user cert, error -603 (Bug 160113)
- Solaris: Removed fopen and fclose calls (Bug 161024)
- Timing abend isssue in pki.nlm (Bug 173703)
- Enable Allowable Subject Names matching for User Self-Provisioning (Bug 174590)
- Need a way to use the newest CRL rather than a cached one when validating certificates (Bug 178655)

NMAS METHODS 2.7.3:
- Challenge ResponseClient truncates Challenge question if longer than 77 characters (Bug 155575)
- Random ASCII characters displayed in place of é in the French challenge questions when displayed from the Novell Client (Bug 161037)
- If you are using a Simple Password method version that shipped previous to eDirectory 8.7.3, you may run into an issue with Simple Password when users authenticate through LDAP. You might find that the Universal Password did not synchronize with the Simple Password. To remedy this problem, update the Simple Password method to the version included in this release. The Simple Password method can be updated by using nmasinst, methodinstaller.exe, or ConsoleOne. The Simple Password method is found in the ssp202\nmmthd272\novell\simplepassword directory.
- The following NMAS methods are in the end of life phase and will be removed from a future release of the NMAS methods:
* Advanced X.509 Certificate
* Enhanced Password
* Entrust*
* NDS Change Password
* Simple X.509 Certificate
* Universal Smartcard
* Simple Password Login Client Module (LCM)
- The NMAS Method Installer is in the end of life phase and will be removed from a future release. You can now use iManager to install login methods.

OTHER:
- When a user attempts to change his or her password from the Novell ClientTM, it calls the NMAS Client to read the Universal Password policy. In eDirectory 8.8, a new feature was added to cache the needed information from the Security Container on eDirectory 8.8 external references servers (eDirectory 8.8 servers that don't hold a real copy of the Security Container). NMAS Clients older than NMAS Client 3.2 must walk to the real object and if the Security Container is not available, the password change may fail.
This issue has been resolved in the NMAS Client 3.2 by allowing the NMAS Client to resolve to an eDirectory 8.8 external reference server to read the Universal Password policy. To install NMAS Client 3.2, download and install Novell Client 32 4.91 SP2. NMAS Client 3.2 is included in the Novell Client 32 4.91 SP2 download and install.
- Universal Password: The NDS password is migrated to the Universal Password when doing an LDAP bind if eDirectory 8.8.x is installed and configured to use NMAS login for LDAP binds.


________________________________________________________________________________________
Security Bundle 2.0.1
March 20, 2006
For eDirectory 8.8 and 8.7.3 SP8. OES:NetWare 6.5 and OES Linux 1 SP2
Contains NMAS 3.1.0, Novell Certificate Server 3.1.1, NICI 2.7, NMAS Methods 2.7.2, and NTLS 2.0

NMAS 3.1:
- Added Verify Password Meets Policy on Login support for Client32 4.9.1 SP2 (Bug 71160)
- Added an NMAS LDAP extension to force NMAS policy refresh for all platforms (Bug 84957)
- Added NMAS LDAP extension to check the login policy for a user and to update a user's login statistics (Bug 85016)
- NDS Proxy LCM no longer times out setting the Universal Password if NDS LSM fails (Bug 85024)
- Added AD complexity Password Policy (Bug 85042)
- Added Filtered Replica Support for Universal Password (Bug 85054)
- With 2000 concurrent client binds, an NMAS server no longer runs out of threads (Bug 85129)
- Notification of intruder lock on Windows is now to a log file, not in message boxes (Bug 85567)
- A remote upgrade from NW65 to NW65 SP4 no longer returns NMAS Login Methods could not be created errors (Bug 97843)
- Setting Simple Password no longer fails with error -603 (Bug 97779)
- Ldapbinds from 300 clients no longer gives errors -669 and -6038 (Bug 105869)
- There is no long delay when setting password (Bug 114164)
- Clients login test to mixed Linux and NW tree no longer gets System could not log you into the network" errors (Bug 114187)
- When a users password has expired, it now shows the change password screen in iManager 2.5 (Bug 115031)
- Can now set Simple password through LDAP after applying NMAS 2.3.9 (Bug 117472)
- Ldapsearch no longer fails with -632 error with wrong password before migrating the password (after enabling UP) (Bug 120572)
- IPX login no longer fails with Network Address Restrictions set to all nodes FFFFFFFFFFFF and with NMAS enabled (Bug 124321)
- IPX Address restriction has been corrected (Bug 131328)
- NDSD no longer cores in NMAS after applying Solaris 8 cluster patch dated 11/10/05 (Bug 133910)
- When user has address restrictions set, a client login no longer causes NMAS to abend (Bug 134196)
- Segmentation fault was corrected in spmDDCAtLoginEndCallBack when DDCVerifyPassword is called (Bug 136716)
- Added configurable login delay (Bug 137705)
- Added an API to retrieve the previous distribution password (Bug 142068)
- Policy Refresh Rate setting is now effective (Bug 142221)
- The intruder count is now cleared after exceeding the intruder expire date (Bug 143676)
- LDAP bind no longer fails when password is expired and the number of grace remaining is not zero (Bug 144147)
- Password lifetime is not enforced when the password is expired (Bug 144358)
- A trace message has been provided to report invalid SASL mechanism (Bug 145614)
- User can now do NMAS authentication via IPX after applying NMAS 2.3.9 or NMAS 2.4.0 (Bug 147780)

CERTIFICATE SERVER 3.1.1
- Cert Server is selected by default for a post-install on NetWare 6.5/OES. Files are downgraded if the post-install is over eDirectory 8.8 (Bug 128484)
- Fix for the dynamic load of DClient symbols problem (Bug 130661)
- Fix for ASN.1 error with decoding CRL Distribution List (Bug 143988)
- Pkiinst now creates security objects (Bug 148939)
- A CRL is now created when the CA is created on second server (Bug 150533)

NMAS METHODS 2.7.2:
- MethodInstaller.exe program execution no longer fails on French Canadian Windows (Bug 83967)
- A description of a Challenge Response item has been added in the NMAS dialog box (Bug 94307)
- Added embedded version and build numbers in the UNIX shared objects (Bug 115108)
- Simple password stored as a hash migration to Universal Password no longer fails (Bug 116521)
- Challenge Response LCM now updates Add/Remove Programs with version info (Bug 116884)
- Uninstalling Challenge Response after uninstalling NMAS no longer returns an error (Bug 121530)
- Simple password no longer randomly hangs with NSL login (Bug 148057)

OTHER:
- When a user attempts to change his or her password from the Novell ClientTM, it calls the NMAS Client to read the Universal Password policy. In eDirectory 8.8, a new feature was added to cache the needed information from the Security Container on eDirectory 8.8 external references servers (eDirectory 8.8 servers that don't hold a real copy of the Security Container). NMAS Clients older than NMAS Client 3.2 must walk to the real object and if the Security Container is not available, the password change may fail.
This issue has been resolved in the NMAS Client 3.2 by allowing the NMAS Client to resolve to an eDirectory 8.8 external reference server to read the Universal Password policy. To install NMAS Client 3.2, download and install Novell Client 32 4.91 SP2. NMAS Client 3.2 is included in the Novell Client 32 4.91 SP2 download and install.

Notes:
- NMAS Methods 2.7.2 are also included in this download; however, they are not installed by default. To install NMAS methods, use methodInstaller.exe from a Windows workstation or nmasinst for the other platforms. Methods are installed once per tree. The NMAS methods are found in the /ssp201/nmmthd272/novell directory.
- If you are using a Simple Password method version that shipped previous to eDirectory 8.7.3, you may run into an issue with Simple Password when users authenticate through LDAP. You might find that the Universal Password did not synchronize with the Simple Password. To remedy this problem, update the Simple Password method to the version included in this release. The Simple Password method can be updated by using nmasinst, methodinstaller.exe, or ConsoleOne. The Simple Password method is found in the ssp201\nmmthd272\novell\simplepassword directory.________________________________________________________________________________________

Disclaimer

This Support Knowledgebase provides a valuable tool for NetIQ/Novell/SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID:7005397
  • Creation Date:25-FEB-10
  • Modified Date:12-DEC-13
    • NovellNMAS (Modular Authentication Service)
      PKIS (Certificate Server)
    • NetIQeDirectory
      Enhanced Smart Card Method (NESCM)
      NICI

Did this document solve your problem? Provide Feedback