Automated Password Self Service (APASS) #
We recommend that interested parties look into the Password Management Applications#PWM
Having worked with many of Novell's clients and seeing there was a lacking of solutions for many of our clients, At the request of several clients, we have developed a semi-custom Automated Password Self Service (APASS) that provides most of the requirements to allow password self-Service for eDirectory.
Although the focus of the APASS is for non-Novell Client customers as the Novell Client provides some of the functionality as APASS.
The demo service is just as it sounds, a demo. Demonstrates only the functionality. As there are many configuration that we have found that clients desire, our concentration has been on providing the functionality and leaving the job of making it pretty or branding it to the clients or others that can do a better job.
We create the "back-end" service to provide your desired functionality and provide you with sample pages to demonstrate the usage of the APASS.
We can provide you with a user to use with the demo service if you contact us an provide:
- Your Real Email address (we will email you the details)
- Desired starting password
More information on Novell's Challenge Response System#For details on what we know on Novell's Challenge Response System
Set Challenges#A user which has an designated ChallengeSet associated to their assigned password policy, can setup their Questions for the ChallengeSet.
User must know their userID and password.
Get Password#The get password Service allows a user to display their password on the screen by providing responses to setup ChallengeSet.
User must know their userID and the responses to the ChallengeSet
Reset Password#The Reset Password Service allows a user Reset their password by providing responses to setup ChallengeSet and then presenting a new password.
User must know their userID and the responses to the ChallengeSet.
Delete User Questions#The Delete User Questions service will remove all responses and configured challenge questions from the user entry.
Novell's Password Policy#Some background information on Novell's password policy.
Setup and Operation#
https://#Please make certain that all http communication is performed over https:// as otherwise passwords and challenges responses will be passed in clear text.
ldaps://#All of the servlet's communication with the LDAP data store is performed of secure LDAP Connections.
Java Keystore#The Novell Password Management Service requires a properly configured java keystore with an appropriate certificate within the keystore to enable secure LDAP communication between the servlet and the eDirectory LDAP server. The servlet communication will fail with a LDAP result code of "91" if this is not properly configured.
eDirectory #We are using eDirectory 8.8.3 with the latest NAMS. However, the functionality should work with any nearly up-to-date 8.8.x with the latest Security Services patch. Will probably work if all recent patches are applied to anything 8.7.3 or better. Provide feedback.
Servlet Container#We have tested this with:
- Apache Tomcat/6.0.16 using JVM Version 1.6.0_06-b02.
- Apache Tomcat/6.0.13 using JVM Version 1.5.0_15
The code was complied using JDK Version 1.5.0_15.
Known Libraries#These should be obtained direct from their providers but if you have trouble finding them please advise.
- Apache Commons Lang (commons-lang-2.3.jar)
- Apache Log4j (apache-log4j-1.2.15)
- JDOM 1.0
- JLDAP (October 17, 2007)
Configuration File#The parameters for setting up the servlet are located in the ChallengeResponseServlet.properties file and described below:
- cr.edirectory.host - LDAP server DNS hostname or IP Address
- cr.edirectory.port - Port on which the LDAP server is listening for SSL Requests.
- cr.edirectory.basedn - The baseDN where the servlet performs searches for user entries. (example: ou=people,dc=willeke,dc=com)
- cr.edirectory.searchforattribute - The attribute the servlet uses to locate the users by (example: cn - Must be unique in Tree)
- cr.edirectory.servicedn - The Fully distinguished name of an entry with admin-level (read-only) rights (Example: cn=admin,dc=willeke,dc=com). This account is used only(?) to locate user entries.
- cr.edirectory.servicednpwd - The cr.edirectory.servicedn password
- cr.edirectory.ssl - Must be set to true
- cr.edirectory.keyStoreLocation - The path on the servlet engine to the keystore file that holds either the LDAP server or the issuer of the lDAP server's certificate (Example: /home/jim/certs/jimskeystore)