How to get LDAP Case Sensitive Passwords with eDirectory 8.7.3#

This document (3057961) is provided subject to the disclaimer at the end of this document.

Environment: Novell eDirectory 8.7.3 for All Platforms

Situation#

Customers have requested a way to use LDAP Case-sensitive Passwords on eDirectory 8.7.3

Resolution#

The complete solution to have Case Sensitive Passwords via LDAP is to upgrade to eDirectory 8.8, however there is a way to have this functionality in eDirectory 8.7.3.

To see more information about the solution to this problem in eDirectory 8.8 (and greater) please see the following link.

The only way to accomplish this in eDirectory 8.7.3 is to enable Universal Password and select the option in the Universal Password Policy Definitions to "Remove the NDS password when setting Universal Password".

Note: The option to "Remove the NDS password when setting Universal Password" can be very misleading. It does NOT remove the NDS password (or the Public/Private Key hash). It randomizes the NDS Password to an unknown value each time the Universal Password is set. Please be aware that "Removing the NDS password" can be problematic for applications and products that are not Universal Password aware. Selecting the option to "Remove the NDS password when setting Universal Password" could break these applications and/or products. Novell recommends you test this configuration in a lab environment to verify your applications will continue to work.

Configure LDAP to have Case-sensitive Passwords for eDirectory 8.7.3:#

To configure LDAP to use Case-sensitive Passwords, you must enable Universal Password and select the option in the Universal Password Policy Wizard to "Remove the NDS password when setting Universal Password". Once this policy is created and assigned to a user, the next time the password is changed, the NDS password will be randomized, leaving only the Universal Password. You can configure Universal Password through iManager with the Password Management Plug-in installed.

How LDAP binds work on eDirectory 8.7.3:#

An LDAP bind against an eDirectory 8.7.3 server will always try the NDS password first. If the NDS Password fails, the server invokes the Simple Password NMAS Method which will first try the Universal Password. If the Universal Password is not currently set it will then try the Simple Password.

Q: If Universal Password is not set, an LDAP bind will try the NDS Password, then the Simple Password, however will it "create" the Universal Password?

A: Yes, it can. If a Simple Password is set on a user prior to enabling Universal Password and it is different than the NDS Password, once Universal Password has been enabled, the next LDAP bind with the Simple Password will cause the Simple Password to "migrate" into the Universal Password.

Note: This is not the case if you only have the NDS password set and have enabled Universal Password with the settings above. A Password migration won't happen via LDAP unless the NDS and Simple passwords are different and we bind with the Simple Password.

Q: Will an LDAP bind try the Simple Password after failing against the NDS Password and Universal Password?

A: No. An LDAP bind will always try the NDS password first. If it fails, the bind will then try the Universal Password. If the bind fails against the Universal Password, the LDAP bind will fail. Note: The only way to get to the Simple Password via an LDAP bind would be if the Universal Password was not set or if Universal Password had been removed from the user.

Q: What happens if the Simple password is different from the NDS Password and Universal Password?

A: Once a Universal Password is set, the Simple Password is NOT ever used for an LDAP bind. After Universal Password has been set, we never fail over to the Simple Password. Note: Depending on the Universal Password Policy Options set, after a password change, it is possible to have a randomized NDS password, an old Simple Password (untouched - as the policy can be configured to NOT keep the Simple Password in sync with the Universal Password), and a new Universal Password.
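The bind order and the policy options described in the sections above can be hard to reason about from prose alone. The following is an added illustration, not Novell code: an in-memory model of the eDirectory 8.7.3 bind sequence (NDS password first, then Universal Password, Simple Password only while no Universal Password exists), the "Remove the NDS password" randomization, and the Simple-to-Universal migration. The comparison rules are assumptions the page does not state: the NDS password is matched case-insensitively, while Universal and Simple passwords are matched exactly. The user names, passwords and policy field names are constructed for the example.

```python
"""Model of the eDirectory 8.7.3 LDAP bind order described in the TID.

Constructed example, not eDirectory code. Assumption (not stated on the
page): the NDS password is matched case-insensitively, while the
Universal Password and Simple Password are matched case-sensitively.
"""
import secrets
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class UniversalPasswordPolicy:
    """The two Universal Password policy options that matter here."""
    remove_nds_on_up_set: bool = False  # "Remove the NDS password when setting Universal Password"
    sync_simple_with_up: bool = True    # keep the Simple Password in sync with the Universal Password


@dataclass
class User:
    nds_password: str
    universal_password: Optional[str] = None
    simple_password: Optional[str] = None
    policy: Optional[UniversalPasswordPolicy] = None  # None = Universal Password not enabled


def set_universal_password(user: User, new_password: str) -> None:
    """Set the Universal Password and apply the assigned policy options."""
    if user.policy is None:
        raise ValueError("Universal Password is not enabled for this user")
    user.universal_password = new_password
    if user.policy.sync_simple_with_up:
        user.simple_password = new_password
    if user.policy.remove_nds_on_up_set:
        # The option does not delete the NDS password; it sets it to an unknown random value.
        user.nds_password = secrets.token_urlsafe(24)


def ldap_bind(user: User, supplied: str) -> Tuple[bool, Optional[str]]:
    """Return (success, method) for an LDAP simple bind against the user."""
    # 1. The NDS password is always tried first (case-insensitive, per the assumption above).
    if supplied.casefold() == user.nds_password.casefold():
        return True, "nds"
    # 2. Simple Password NMAS method: the Universal Password if one is set ...
    if user.universal_password is not None:
        if supplied == user.universal_password:
            return True, "universal"
        return False, None  # once a UP exists there is no fallover to the Simple Password
    # 3. ... otherwise the Simple Password.
    if user.simple_password is not None and supplied == user.simple_password:
        if user.policy is not None:
            # UP enabled but not yet set: the Simple Password migrates into the Universal Password.
            user.universal_password = user.simple_password
            return True, "simple->universal"
        return True, "simple"
    return False, None


def case_sensitivity_before_and_after() -> dict:
    """Why randomizing the NDS password makes LDAP binds case-sensitive."""
    user = User(nds_password="Secret1")
    before = ldap_bind(user, "SECRET1")[0]  # succeeds: the NDS match ignores case
    user.policy = UniversalPasswordPolicy(remove_nds_on_up_set=True)
    set_universal_password(user, "Secret1")  # the next password change after assigning the policy
    return {
        "before": before,
        "after_exact": ldap_bind(user, "Secret1"),
        "after_wrong_case": ldap_bind(user, "SECRET1")[0],
    }


def simple_password_migration() -> dict:
    """Simple Password differs from NDS, UP enabled but unset: the first bind migrates it."""
    user = User(nds_password="Alpha1", simple_password="Beta2", policy=UniversalPasswordPolicy())
    first = ldap_bind(user, "Beta2")
    second = ldap_bind(user, "Beta2")
    return {"first": first, "second": second, "up": user.universal_password}


def no_simple_fallback_once_up_set() -> bool:
    """With a UP set and an out-of-sync Simple Password, the Simple Password is never tried."""
    user = User(nds_password="Alpha1", universal_password="Gamma3", simple_password="Beta2",
                policy=UniversalPasswordPolicy(sync_simple_with_up=False))
    return ldap_bind(user, "Beta2")[0]


if __name__ == "__main__":
    print(case_sensitivity_before_and_after())
    print(simple_password_migration())
    print(no_simple_fallback_once_up_set())
```

Running the scenarios shows the three behaviours the Q&A describes: the wrong-case bind succeeds until the NDS password is randomized and fails afterwards, a Simple Password bind on a user with Universal Password enabled but unset becomes the Universal Password, and once a Universal Password exists an out-of-sync Simple Password is never consulted.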

Document ID: 3057961

Creation Date: 2006-09-27 14:28:56.0

Modified Date: 2006-09-27 14:27:08.0

Novell Product: NMAS (Novell Modular Authentication Services)

Novell Product: eDirectory

This page (revision-3) was last changed on 22-Jul-2016 12:06 by jim