Overview#
Novell Modular Authentication Service (NMAS) is a component of Novell eDirectory™ that enables you to centrally manage multiple Authentication Methods across your network.
NMAS Functionality#
NMAS is designed to help you protect information on your network. In addition to the Password Management tool, NMAS brings together different Authentication Methods to NetIQ eDirectory networks. This helps to ensure that the people accessing your network resources are who they say they are.
NMAS employs three different phases of operation during a user’s session on a workstation with respect to authentication devices. These phases are as follows:
- User Identification Phase (who are you?)
- Authentication (Login) Phase (prove who you say you are)
- Device Removal Detection Phase (are you still there?)
User Identification Phase#
The User Identification Phase is the process of gathering the username. This phase also provides the NDS Tree-name, the user’s context, the server name, and the name of the NMAS sequence to be used during the Authentication phase. This authentication information can be obtained from an authentication device, or it can be entered manually by the user.
Authentication (Login) Phase#
NMAS uses three different approaches to logging in to the network, called Authentication Factors. These Authentication Factors describe different items or qualities a user can use to authenticate to the network:
- Password Authentication (something You Know)
- Physical Device Authentication (something You Have)
- Biometric Authentication (something You Are)
- NDS Password: The NDS Password is stored in a hash form that is non-reversible and only the NDS system can make use of this password. This option, by default, uses the Universal Password if enabled and set.
- Simple Password: The simple password allows administrators to import users and passwords (plaintext and hashed) from foreign LDAP directories. This option, by default, uses the Universal Password if enabled and set.
- DIGEST-MD5 SASL: DIGEST-MD5 SASL provides the IETF standard DIGEST-MD5 SASL Mechanism, which validates a password hashed by the MD5 algorithm for use in an LDAP SASL Bind Request. This option, by default, uses the Universal Password if enabled and set.
- Challenge-response: Challenge-response provides a way for a user to authenticate using one or more responses to pre-configured nsimRandomQuestions or nsimRequiredQuestions.
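The DIGEST-MD5 SASL item above, worked through as an added example (not NMAS or eDirectory code): it computes the RFC 2831 `response` value for `qop=auth` and shows the server-side check, which needs the password itself (or `H(username:realm:password)`) rather than a salted one-way hash. The user, realm, nonces and `ldap/ldap.example.com` URI are constructed sample values, and `verify_bind` and `sample_bind` are hypothetical helper names.

```python
import hashlib
import hmac

def _md5(data: bytes) -> bytes:
    return hashlib.md5(data).digest()

def user_secret(username: str, realm: str, password: str) -> bytes:
    # H(username:realm:password). The verifier must hold the password or this
    # value; a salted one-way hash of the password cannot be used here.
    return _md5(f"{username}:{realm}:{password}".encode("utf-8"))

def response_value(secret: bytes, nonce: str, cnonce: str, nc: str,
                   digest_uri: str, qop: str = "auth", rspauth: bool = False) -> str:
    a1 = secret + f":{nonce}:{cnonce}".encode("utf-8")
    # The client proof uses "AUTHENTICATE:<uri>"; the server's rspauth uses ":<uri>".
    a2 = ("" if rspauth else "AUTHENTICATE") + ":" + digest_uri
    ha1, ha2 = _md5(a1).hex(), _md5(a2.encode("utf-8")).hex()
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}".encode("utf-8")).hex()

def verify_bind(stored_password: str, issued_nonce: str, fields: dict) -> bool:
    # Reject a response that is not bound to the challenge this server issued.
    if fields.get("nonce") != issued_nonce or fields.get("nc") != "00000001":
        return False
    secret = user_secret(fields["username"], fields["realm"], stored_password)
    expected = response_value(secret, issued_nonce, fields["cnonce"],
                              fields["nc"], fields["digest-uri"])
    # Constant-time comparison of the two hex strings.
    return hmac.compare_digest(expected.encode(), fields["response"].encode())

def sample_bind(password: str) -> dict:
    # Constructed digest-response fields for an LDAP bind (not captured traffic).
    f = {"username": "jdoe", "realm": "example.com", "nonce": "c2VydmVyLW5vbmNl",
         "cnonce": "Y2xpZW50LW5vbmNl", "nc": "00000001",
         "digest-uri": "ldap/ldap.example.com"}
    f["response"] = response_value(user_secret(f["username"], f["realm"], password),
                                   f["nonce"], f["cnonce"], f["nc"], f["digest-uri"])
    return f

if __name__ == "__main__":
    bind = sample_bind("correct horse")
    print(verify_bind("correct horse", "c2VydmVyLW5vbmNl", bind))
    print(verify_bind("wrong", "c2VydmVyLW5vbmNl", bind))
```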
NMAS Physical Device Authentication#
NMAS developers and third-party authentication developers have written authentication modules for NMAS for several types of physical devices (something You Have):
With NMAS, a Smart Card can be used to establish an identity when authenticating to eDirectory.
NetIQ provides the NetIQ Enhanced Smart Card login method for the use of smart cards. The NetIQ Enhanced Smart Card login method is provided as part of the Identity Assurance Client. For more information, see the NetIQ Enhanced Smart Card Method 3.0 Installation and Administration Guide.
NMAS Development Info#
- wiki:Novell Modular Authentication Service
- NMAS Sample Code
- NDK: Novell Modular Authentication Services
- NMAS Error Codes
- NDS Login Methods
- Configuring GSSAPI With Edirectory
- LDAP Edirectory Passwords