How to get LDAP Case Sensitive Passwords with eDirectory 8.7.3 and 8.8

  • 3057961
  • 27-Sep-2006
  • 26-May-2016

Environment

Novell eDirectory 8.7.3 for All Platforms
Novell eDirectory 8.8 for All Platforms

Situation

Customers have requested a way to use LDAP Case Sensitive Passwords on eDirectory 8.7.3.

Resolution

The complete solution to have Case Sensitive Passwords via LDAP is to upgrade to eDirectory 8.8 and use the eDirectory 8.8 feature of NDSD_TRY_NMASLOGIN_FIRST=true. For more information about the solution to this problem in eDirectory 8.8 (and greater) refer to eDirectory 8.8 SP8 Documentation, section 5.2.

Note: The NDSD_TRY_NMASLOGIN_FIRST=true feature is ONLY available in eDirectory 8.8 and greater.



Although not recommended, there is an option to have this functionality in eDirectory 8.7.3.



The only way to accomplish this in eDirectory 8.7.3 is to enable Universal Password and select the option in the Universal Password Policy to "Remove the NDS password when setting Universal Password".

Note: The option to "Remove the NDS password when setting Universal Password" can be very misleading. It does NOT remove the NDS password (or the Public/Private Key hash). It randomizes the NDS Password to an unknown value each time the Universal Password is set. Please be aware that "Removing the NDS password" can be problematic for applications and products that are not Universal Password aware. Selecting the option to "Remove the NDS password when setting Universal Password" could break these applications and/or products. Novell recommends you test this configuration in a lab environment to verify your applications will continue to work.



Configure LDAP to have Case Sensitive Passwords for eDirectory 8.7.3:


To configure LDAP to use Case Sensitive Passwords, you must enable Universal Password and select the option in the Universal Password Policy Wizard to "Remove the NDS password when setting Universal Password". Once this policy is created and assigned to a user, the next time the password is changed, the NDS password will be randomized, leaving only the Universal Password. You can configure Universal Password through iManager with the Password Management Plug-in installed.



How LDAP binds work on eDirectory 8.7.3:


An LDAP bind against an eDirectory 8.7.3 server will always try the NDS password first. If the NDS Password fails, the server invokes the Simple Password NMAS Method which will first try the Universal Password. If the Universal Password is not currently set it will then try the Simple Password.



Q: If Universal Password is not set, an LDAP bind will try the NDS Password, then the Simple Password; however, will it "create" the Universal Password?


A: Yes, it can. If a Simple Password is set on a user prior to enabling Universal Password and it is different from the NDS Password, then once Universal Password has been enabled, the next LDAP bind with the Simple Password will cause the Simple Password to "migrate" into the Universal Password.


Note: This is not the case if you only have the NDS password set and have enabled Universal Password with the settings above. A password migration won't happen via LDAP unless the NDS and Simple passwords are different and you bind with the Simple Password.


Q: Will an LDAP bind try the Simple Password after failing against the NDS Password and Universal Password?


A: No. An LDAP bind will always try the NDS password first. If it fails, the bind will then try the Universal Password. If the bind fails against the Universal Password, the LDAP bind will fail. Note: The only way to get to the Simple Password via an LDAP bind would be if the Universal Password was not set or if Universal Password had been removed from the user.



Q: What happens if the Simple Password is different from the NDS Password and Universal Password?


A: Once a Universal Password is set, the Simple Password is NOT ever used for an LDAP bind. After Universal Password has been set, we never fail over to the Simple Password. Note: Depending on the Universal Password Policy options set, after a password change it is possible to have a randomized NDS password, an old Simple Password (untouched, as the policy can be configured to NOT keep the Simple Password in sync with the Universal Password), and a new Universal Password.
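The following Python model is an added illustration, not code from this article or from eDirectory itself: it walks the 8.7.3 bind order (NDS password first, then Universal Password, Simple Password only when no Universal Password exists), the "Remove the NDS password" randomization, and the Simple-to-Universal migration rule from the Q&A above. All class and function names are invented for the example, and NDS password matching is modeled as case-insensitive, which is the behaviour this TID exists to work around.

```python
import secrets
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass
class UserPasswords:
    """Hypothetical model of the three password stores on one user object."""
    nds: str                         # NDS password: compared case-insensitively
    simple: Optional[str] = None     # NMAS Simple Password: case-sensitive
    universal: Optional[str] = None  # Universal Password: case-sensitive

@dataclass
class Policy:
    """Hypothetical model of the relevant Universal Password Policy options."""
    universal_password_enabled: bool = False
    remove_nds_on_universal_set: bool = False  # randomizes NDS, never deletes it
    sync_simple_with_universal: bool = True

def set_password(user, policy, new_password):
    """A password change after the policy has been assigned to the user."""
    if not policy.universal_password_enabled:
        user.nds = new_password
        return
    user.universal = new_password
    if policy.sync_simple_with_universal:
        user.simple = new_password
    # "Remove the NDS password" sets it to an unknown random value; the hash stays
    user.nds = secrets.token_urlsafe(24) if policy.remove_nds_on_universal_set else new_password

def ldap_bind(user, policy, supplied):
    """Return (success, method) following the 8.7.3 bind order from the article."""
    # 1. The NDS password is always tried first, and letter case does not matter.
    if supplied.casefold() == user.nds.casefold():
        return True, "NDS"
    # 2. NMAS Simple Password method: once a Universal Password exists it is the
    #    only candidate; a mismatch fails the bind with no Simple Password fallback.
    if user.universal is not None:
        return supplied == user.universal, "UniversalPassword"
    # 3. Only a user with no Universal Password ever reaches the Simple Password.
    if user.simple is not None and supplied == user.simple:
        if policy.universal_password_enabled:
            user.universal = user.simple  # the "migration" described in the Q&A
        return True, "SimplePassword"
    return False, None

def rejects_case_variant(user, policy, password):
    """Check for a lab test: is a bind with the wrong letter case refused?"""
    return not ldap_bind(user, policy, password.swapcase())[0]
```

In a real lab you would run the same two binds (correct case, then swapped case) against the server with an LDAP client before and after assigning the policy and changing the password; the model shows which password store answers each bind and why the swapped-case bind only starts failing once the NDS password has been randomized.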