Overview#

We found these Schema Extensions in NetWare when Novell Secure Password Manager was first released.

The Novell Secure Password Manager Schema provides some key information that we have not been able to locate since, so we keep this around.

NspmPasswordPolicy (Object Class)#

General
OID 2.16.840.1.113719.1.39.43.6.1
Name nspmPasswordPolicy
Properties
Superior Top
Kind Structural (0x01)
description
loginGraceLimit
nsimAssignments
nsimChallengeSetDN
nsimChallengeSetGUID
nsimForgottenAction
nsimForgottenLoginConfig
nsimPwdRuleEnforcement
nspmAdminsDoNotExpirePassword
nspmCaseSensitive
nspmChangePasswordMessage
nspmComplexityRules
nspmConfigurationOptions
nspmDisallowedAttributeValues
nspmExcludeList
nspmExtendedAsFirstCharacter
nspmExtendedAsLastCharacter
nspmExtendedCharactersAllowed
nspmLowerAsFirstCharacter
nspmLowerAsLastCharacter
nspmMaxConsecutiveCharacters
nspmMaxExtendedCharacters
nspmMaxLowerCaseCharacters
nspmMaxNumericCharacters
nspmMaxRepeatedCharacters
nspmMaxSpecialCharacters
nspmMaxUpperCaseCharacters
nspmMaximumLength
nspmMinExtendedCharacters
nspmMinLowerCaseCharacters
nspmMinNumericCharacters
nspmMinPasswordLifetime
nspmMinSpecialCharacters
nspmMinUniqueCharacters
nspmMinUpperCaseCharacters
nspmNumericAsFirstCharacter
nspmNumericAsLastCharacter
nspmNumericCharactersAllowed
nspmPasswordACL
nspmPasswordHistoryExpiration
nspmPasswordHistoryLimit
nspmPolicyPrecedence
nspmSpecialAsFirstCharacter
nspmSpecialAsLastCharacter
nspmSpecialCharactersAllowed
nspmUpperAsFirstCharacter
nspmUpperAsLastCharacter
passwordAllowChange
passwordExpirationInterval
passwordMinimumLength
passwordRequired
passwordUniqueRequired
pwdInHistory

Novell Secure Password Manager Schema Definitions#

This was derived from a NetWare 6.x server some time ago.

However, there is a lot of information regarding the Universal Password that we have not been able to find elsewhere.

-- Novell Secure Password Manager Schema Definitions
-- Novell Inc.
-- 1800 South Novell Place
-- Provo, UT 84606
--
-- Version=NMAS 2.2 2003 01 27
-- Copyright=(c) Copyright 2002, Novell, Inc.  All rights reserved
--
-- Object ID (OID) is registered with Internal Schema Registration
-- as of 15 Jan 1997.
--
-- OIDs Defined as Follows:
--   joint-iso-ccitt(2) country(16) us(840) organization(1)
--   Novell(113719) applications(1) SAS(39) NSPM(43)
--                                          NSPMAttributeType(4) attr#         
--                                          NSPMObjectClass(6)   class#

NSPMSchemaExtentions DEFINITIONS ::=
BEGIN

-- -- -- -- -- -- -- -- -- -- -- -- --
-- Password User Attributes
-- -- -- -- -- -- -- -- -- -- -- -- --

-- User specific secret key that is wrapped with Security Domain Key.
    "nspmPasswordKey" ATTRIBUTE ::=
    {
        Operation    ADD,
        SyntaxID     SYN_OCTET_STRING,
        Flags        {DS_HIDDEN_ATTR, DS_SINGLE_VALUED_ATTR, DS_SYNC_IMMEDIATE},
        ASN1ObjID    {2 16 840 1 113719 1 39 43 4 1}
    }

-- The current user password.  It is a null terminated unicode string encrypted with
-- the user specific secret key that is stored in the nspmPasswordKey attribute.
-- NOTE(review): the value is encrypted, not hashed, so it is recoverable by
-- anything able to unwrap nspmPasswordKey, which this listing describes as
-- wrapped with the Security Domain Key.  Confidentiality of every stored
-- password therefore rests on that one key.
-- NOTE(review): DS_HIDDEN_ATTR presumably keeps the value out of ordinary
-- client reads and DS_SYNC_IMMEDIATE presumably pushes changes to replicas at
-- once - confirm against the NDS schema flag documentation.  If so, replicas
-- and directory backups hold the same ciphertext and need the same protection.
	"nspmPassword" ATTRIBUTE ::=
    {
        Operation    ADD,
        SyntaxID     SYN_OCTET_STRING,
        Flags        {DS_HIDDEN_ATTR, DS_SINGLE_VALUED_ATTR, DS_SYNC_IMMEDIATE},
        ASN1ObjID    {2 16 840 1 113719 1 39 43 4 2}
    }

-- The user distribution password.  It may or may not be the same value as the
-- user's current password.  It is a null terminated unicode string encrypted with
-- the user specific secret key that is stored in the nspmPasswordKey attribute.
	"nspmDistributionPassword" ATTRIBUTE ::=
    {
        Operation    ADD,
        SyntaxID     SYN_OCTET_STRING,
        Flags        {DS_HIDDEN_ATTR, DS_SINGLE_VALUED_ATTR, DS_SYNC_IMMEDIATE},
        ASN1ObjID    {2 16 840 1 113719 1 39 43 4 3}
    }

-- The user password history.  Each password is a null terminated unicode string encrypted
-- with the user specific secret key that is stored in the nspmPasswordKey attribute.
    "nspmPasswordHistory" ATTRIBUTE ::=
    {
        Operation	 ADD,
        SyntaxID	 SYN_OCTET_STRING,
        Flags		 {DS_HIDDEN_ATTR, DS_SYNC_IMMEDIATE},
        ASN1ObjID	 {2 16 840 1 113719 1 39 43 4 4}
    }

-- This attribute indicates the number of times that the administrator set
-- the user's login credentials.
-- This is to support the non-repudiation feature of Single Sign-on.
-- The syntax is SYN_COUNTER and the attribute is hidden and single valued.
-- NOTE(review): the ASN1ObjID arc "4 5" below is also given to
-- nspmPasswordHistoryLimit later in this listing.  Two attributes cannot share
-- an OID, so one of the two values is probably a transcription error; verify
-- against a live schema before relying on either.
    "nspmAdministratorChangeCount" ATTRIBUTE ::=
    {
        Operation    ADD,
        SyntaxID     SYN_COUNTER,
        Flags        {DS_HIDDEN_ATTR, DS_SINGLE_VALUED_ATTR, DS_SYNC_IMMEDIATE},
        ASN1ObjID    {2 16 840 1 113719 1 39 43 4 5}
    }

-- Attribute on the login properties object (e.g., user object)
-- that specifies the effective Password Policy for the object
	"nspmPasswordPolicyDN" ATTRIBUTE ::=
	{
		Operation	ADD,
		SyntaxID	SYN_DIST_NAME,
		Flags		{DS_PUBLIC_READ, DS_SINGLE_VALUED_ATTR},
		ASN1ObjID    {2 16 840 1 113719 1 39 43 4 6}
	}


-- -- -- -- -- -- -- -- -- -- -- -- --
-- Password Policy Configuration Attributes
-- -- -- -- -- -- -- -- -- -- -- -- --

-- The NSPM options flags (a bit mask stored as a single integer; values combine):
-- 0x01 = On set password request the NDS password hash will be removed by SPM
-- 0x02 = On set password request the NDS password hash will not be set by SPM
-- 0x04 = On set password request the Simple password will not be set by SPM
-- 0x10 = Allow password retrieval by self
-- 0x20 = Allow password retrieval by admin
-- 0x40 = Allow password retrieval by password agents
-- 0x100 = Password enabled
-- 0x200 = Advanced password policy enabled
-- 0x08 and 0x80 are not assigned in this version of the listing.
-- NOTE(review): 0x10, 0x20 and 0x40 decide who may read back the stored
-- password, so this integer is the most security-sensitive setting on a
-- policy object.  When auditing a tree, decode the value per policy and
-- confirm that each retrieval bit that is set is actually intended.
-- NOTE(review): the attribute carries only DS_SINGLE_VALUED_ATTR, so write
-- access is presumably governed by ordinary object rights on the policy -
-- confirm, and review who holds those rights.
	"nspmConfigurationOptions" ATTRIBUTE ::=
	{
		Operation	 ADD,
		SyntaxID	 SYN_INTEGER,
		Flags		 {DS_SINGLE_VALUED_ATTR},
		ASN1ObjID	 {2 16 840 1 113719 1 39 43 4 100}
	}

-- Administrator-defined message to be displayed when a user is prompted to change his password
	"nspmChangePasswordMessage" ATTRIBUTE ::=
	{
		Operation	 ADD,
		SyntaxID	 SYN_CE_STRING,
		Flags		 {DS_SINGLE_VALUED_ATTR},
		ASN1ObjID	 {2 16 840 1 113719 1 39 43 4 102}
	}

-- The maximum number of passwords stored in the user password history.
-- NOTE(review): the ASN1ObjID arc "4 5" below is the same value given earlier
-- in this listing to nspmAdministratorChangeCount.  Two attributes cannot
-- share an OID, so one of the two is probably a transcription error.  The
-- neighbouring policy configuration attributes use arcs 100 and 102; verify
-- the real value against a live schema before relying on it.
	"nspmPasswordHistoryLimit" ATTRIBUTE ::=
	{
		Operation	 ADD,
		SyntaxID	 SYN_INTEGER,
		Flags		 {DS_SINGLE_VALUED_ATTR},
		ASN1ObjID	 {2 16 840 1 113719 1 39 43 4 5}
	}

-- The minimum time in seconds that passwords are stored in the user password history.
-- NOTE(review): the ASN1ObjID arc "4 6" below is the same value given earlier
-- in this listing to nspmPasswordPolicyDN.  Two attributes cannot share an
-- OID, so one of the two is probably a transcription error; verify against a
-- live schema.  nspmMinPasswordLifetime ("4 7") follows the same low-numbered
-- pattern and deserves the same check.
	"nspmPasswordHistoryExpiration" ATTRIBUTE ::=
	{
		Operation	 ADD,
		SyntaxID	 SYN_INTEGER,
		Flags		 {DS_SINGLE_VALUED_ATTR},
		ASN1ObjID	 {2 16 840 1 113719 1 39 43 4 6}
	}

-- The minimum time in seconds that the user is allowed to change his password again.
	"nspmMinPasswordLifetime" ATTRIBUTE ::=
	{
		Operation	 ADD,
		SyntaxID	 SYN_INTEGER,
		Flags		 {DS_SINGLE_VALUED_ATTR},
		ASN1ObjID	 {2 16 840 1 113719 1 39 43 4 7}
	}


-- -- -- -- -- -- -- -- -- -- -- -- --
-- Password Syntax Attributes
-- -- -- -- -- -- -- -- -- -- -- -- --

-- Maximum number of characters
	"nspmMaximumLength" ATTRIBUTE ::=
	{
		Operation	 ADD,
		SyntaxID	 SYN_INTEGER,
		Flags		 {DS_SINGLE_VALUED_ATTR},
		ASN1ObjID	 {2 16 840 1 113719 1 39 43 4 200}
	}

-- Minimum number of upper case characters required
	"nspmMinUpperCaseCharacters" ATTRIBUTE ::=
	{
		Operation	 ADD,
		SyntaxID	 SYN_INTEGER,
		Flags		 {DS_SINGLE_VALUED_ATTR},
		ASN1ObjID	 {2 16 840 1 113719 1 39 43 4 201}
	}

-- Maximum number of upper case characters allowed
	"nspmMaxUpperCaseCharacters" ATTRIBUTE ::=
	{
		Operation	 ADD,
		SyntaxID	 SYN_INTEGER,
		Flags		 {DS_SINGLE_VALUED_ATTR},
		ASN1ObjID	 {2 16 840 1 113719 1 39 43 4 202}
	}

-- Minimum number of lower case characters required
	"nspmMinLowerCaseCharacters" ATTRIBUTE ::=
	{
		Operation	 ADD,
		SyntaxID	 SYN_INTEGER,
		Flags		 {DS_SINGLE_VALUED_ATTR},
		ASN1ObjID	 {2 16 840 1 113719 1 39 43 4 203}
	}

-- Maximum number of lower case characters allowed
	"nspmMaxLowerCaseCharacters" ATTRIBUTE ::=
	{
		Operation	 ADD,
		SyntaxID	 SYN_INTEGER,
		Flags		 {DS_SINGLE_VALUED_ATTR},
		ASN1ObjID	 {2 16 840 1 113719 1 39 43 4 204}
	}

-- Numeric characters allowed flag.  Note that if this attribute
-- does not exist then numeric characters are allowed.

	"nspmNumericCharactersAllowed" ATTRIBUTE ::=
	{
		Operation	 ADD,
		SyntaxID	 SYN_BOOLEAN,
		Flags		 {DS_SINGLE_VALUED_ATTR},
		ASN1ObjID	 {2 16 840 1 113719 1 39 43 4 205}
	}

-- Indicates if numeric characters are disallowed as the first character of a password.
-- Numeric characters are allowed if this attribute is missing.
	"nspmNumericAsFirstCharacter" ATTRIBUTE ::=
	{
		Operation	 ADD,
		SyntaxID	 SYN_BOOLEAN,
		Flags		 {DS_SINGLE_VALUED_ATTR},
		ASN1ObjID	 {2 16 840 1 113719 1 39 43 4 206}
	}

-- Indicates if numeric characters are disallowed as the last character of a password.
-- Numeric characters are allowed if this attribute is missing.
	"nspmNumericAsLastCharacter" ATTRIBUTE ::=
	{
		Operation	 ADD,
		SyntaxID	 SYN_BOOLEAN,
		Flags		 {DS_SINGLE_VALUED_ATTR},
		ASN1ObjID	 {2 16 840 1 113719 1 39 43 4 207}
	}

-- Minimum number of numeric characters required
	"nspmMinNumericCharacters" ATTRIBUTE ::=
	{
		Operation	 ADD,
		SyntaxID	 SYN_INTEGER,
		Flags		 {DS_SINGLE_VALUED_ATTR},
		ASN1ObjID	 {2 16 840 1 113719 1 39 43 4 208}
	}

-- Maximum number of numeric characters allowed
	"nspmMaxNumericCharacters" ATTRIBUTE ::=
	{
		Operation	 ADD,
		SyntaxID	 SYN_INTEGER,
		Flags		 {DS_SINGLE_VALUED_ATTR},
		ASN1ObjID	 {2 16 840 1 113719 1 39 43 4 209}
	}

-- Special characters allowed flag.  Note that if this attribute
-- does not exist then special characters are allowed.
	"nspmSpecialCharactersAllowed" ATTRIBUTE ::=
	{
		Operation	 ADD,
		SyntaxID	 SYN_BOOLEAN,
		Flags		 {DS_SINGLE_VALUED_ATTR},
		ASN1ObjID	 {2 16 840 1 113719 1 39 43 4 210}
	}

-- Indicates if special characters are disallowed as the first character of a password.
-- Special characters are allowed if this attribute is missing.
	"nspmSpecialAsFirstCharacter" ATTRIBUTE ::=
	{
		Operation	 ADD,
		SyntaxID	 SYN_BOOLEAN,
		Flags		 {DS_SINGLE_VALUED_ATTR},
		ASN1ObjID	 {2 16 840 1 113719 1 39 43 4 211}
	}

-- Indicates if special characters are disallowed as the last character of a password.
-- Special characters are allowed if this attribute is missing.
	"nspmSpecialAsLastCharacter" ATTRIBUTE ::=
	{
		Operation	 ADD,
		SyntaxID	 SYN_BOOLEAN,
		Flags		 {DS_SINGLE_VALUED_ATTR},
		ASN1ObjID	 {2 16 840 1 113719 1 39 43 4 212}
	}

-- Minimum number of special characters required
	"nspmMinSpecialCharacters" ATTRIBUTE ::=
	{
		Operation	 ADD,
		SyntaxID	 SYN_INTEGER,
		Flags		 {DS_SINGLE_VALUED_ATTR},
		ASN1ObjID	 {2 16 840 1 113719 1 39 43 4 213}
	}

-- Maximum number of special characters allowed
	"nspmMaxSpecialCharacters" ATTRIBUTE ::=
	{
		Operation	 ADD,
		SyntaxID	 SYN_INTEGER,
		Flags		 {DS_SINGLE_VALUED_ATTR},
		ASN1ObjID	 {2 16 840 1 113719 1 39 43 4 214}
	}

-- Maximum number of times a character can appear in a password
	"nspmMaxRepeatedCharacters" ATTRIBUTE ::=
	{
		Operation	 ADD,
		SyntaxID	 SYN_INTEGER,
		Flags		 {DS_SINGLE_VALUED_ATTR},
		ASN1ObjID	 {2 16 840 1 113719 1 39 43 4 215}
	}

-- Maximum number of times a character can appear consecutively in a password
	"nspmMaxConsecutiveCharacters" ATTRIBUTE ::=
	{
		Operation	 ADD,
		SyntaxID	 SYN_INTEGER,
		Flags		 {DS_SINGLE_VALUED_ATTR},
		ASN1ObjID	 {2 16 840 1 113719 1 39 43 4 216}
	}

-- Minimum number of different characters that must be in a password
	"nspmMinUniqueCharacters" ATTRIBUTE ::=
	{
		Operation	 ADD,
		SyntaxID	 SYN_INTEGER,
		Flags		 {DS_SINGLE_VALUED_ATTR},
		ASN1ObjID	 {2 16 840 1 113719 1 39 43 4 217}
	}

-- Attribute values not allowed as a password or a portion of a password
	"nspmDisallowedAttributeValues" ATTRIBUTE ::=
	{
		Operation	 ADD,
		SyntaxID	 SYN_CE_STRING,
		ASN1ObjID	 {2 16 840 1 113719 1 39 43 4 218}
	}

-- Strings that are not allowed as a password or a portion of a password
	"nspmExcludeList" ATTRIBUTE ::=
	{
		Operation	 ADD,
		SyntaxID	 SYN_STREAM,
		Flags		 {DS_SINGLE_VALUED_ATTR},
		ASN1ObjID	 {2 16 840 1 113719 1 39 43 4 219}
	}

-- Case Sensitive comparison flag
	"nspmCaseSensitive" ATTRIBUTE ::=
	{
		Operation	 ADD,
		SyntaxID	 SYN_BOOLEAN,
		Flags		 {DS_SINGLE_VALUED_ATTR},
		ASN1ObjID	 {2 16 840 1 113719 1 39 43 4 220}
	}

-- Used to determine which password policy takes precedence when
-- more than one password policy is associated with a user
	"nspmPolicyPrecedence" ATTRIBUTE ::=
	{
		Operation	 ADD,
		SyntaxID	 SYN_INTEGER,
		Flags		 {DS_SINGLE_VALUED_ATTR},
		ASN1ObjID	 {2 16 840 1 113719 1 39 43 4 221}
	}

-- Extended characters allowed flag.  Note that if this attribute
-- does not exist then extended characters are allowed.
	"nspmExtendedCharactersAllowed" ATTRIBUTE ::=
	{
		Operation	 ADD,
		SyntaxID	 SYN_BOOLEAN,
		Flags		 {DS_SINGLE_VALUED_ATTR},
		ASN1ObjID	 {2 16 840 1 113719 1 39 43 4 222}
	}

-- -- -- -- -- -- -- -- -- -- -- -- --
-- Password Policy Agent Code Attributes
-- Executable code is stored for each supported OS platform
-- that will enforce the password policy.
-- NOTE(review): the per-platform nspmPolicyAgent* attributes in this section
-- are SYN_STREAM values flagged DS_PUBLIC_READ, i.e. code held as directory
-- data.  How and when a server loads that code is not shown here, but
-- write access to these streams and to the DN attribute below should be
-- treated as equivalent to changing the enforcement code: restrict it and
-- monitor modifications.
-- -- -- -- -- -- -- -- -- -- -- -- --

-- Attribute on the Security Container that specifies the
-- container that contains all Password Policy Agent objects
	"nspmPolicyAgentContainerDN" ATTRIBUTE ::=
	{
		Operation	ADD,
		SyntaxID	SYN_DIST_NAME,
		Flags		{DS_PUBLIC_READ, DS_SINGLE_VALUED_ATTR},
		ASN1ObjID    {2 16 840 1 113719 1 39 43 4 300}
	}

-- Password Policy Agent NetWare code
	"nspmPolicyAgentNetWare" ATTRIBUTE ::=
	{
		Operation    ADD,
		SyntaxID     SYN_STREAM,
		Flags        {DS_PUBLIC_READ, DS_SINGLE_VALUED_ATTR},
		ASN1ObjID    {2 16 840 1 113719 1 39 43 4 301}
	}

-- Password Policy Agent Windows Server code
	"nspmPolicyAgentWINNT" ATTRIBUTE ::=
	{
		Operation    ADD,
		SyntaxID     SYN_STREAM,
		Flags        {DS_PUBLIC_READ, DS_SINGLE_VALUED_ATTR},
		ASN1ObjID    {2 16 840 1 113719 1 39 43 4 302}
	}

-- Password Policy Agent Solaris code
	"nspmPolicyAgentSolaris" ATTRIBUTE ::=
	{
		Operation    ADD,
		SyntaxID     SYN_STREAM,
		Flags        {DS_PUBLIC_READ, DS_SINGLE_VALUED_ATTR},
		ASN1ObjID    {2 16 840 1 113719 1 39 43 4 303}
	}

-- Password Policy Agent Linux code
	"nspmPolicyAgentLinux" ATTRIBUTE ::=
	{
		Operation    ADD,
		SyntaxID     SYN_STREAM,
		Flags        {DS_PUBLIC_READ, DS_SINGLE_VALUED_ATTR},
		ASN1ObjID    {2 16 840 1 113719 1 39 43 4 304}
	}

-- Password Policy Agent AIX code
	"nspmPolicyAgentAIX" ATTRIBUTE ::=
	{
		Operation    ADD,
		SyntaxID     SYN_STREAM,
		Flags        {DS_PUBLIC_READ, DS_SINGLE_VALUED_ATTR},
		ASN1ObjID    {2 16 840 1 113719 1 39 43 4 305}
	}

-- Password Policy Agent HPUX code
	"nspmPolicyAgentHPUX" ATTRIBUTE ::=
	{
		Operation    ADD,
		SyntaxID     SYN_STREAM,
		Flags        {DS_PUBLIC_READ, DS_SINGLE_VALUED_ATTR},
		ASN1ObjID    {2 16 840 1 113719 1 39 43 4 306}
	}


-- -------------------
-- Class Definitions
-- -------------------

-- The container that contains all Password Policy Agent objects
    "nspmPasswordPolicyContainer" OBJECT-CLASS ::=
    {
        Operation    ADD,
        Flags        {DS_CONTAINER_CLASS, DS_EFFECTIVE_CLASS},
        SubClassOf   {"Top"},
        ContainedBy  {"SAS:Security"},
        NamedBy      {"CN"},
        MustContain  {"CN"},
        MayContain   {"Description"},
		ASN1ObjID    {2 16 840 1 113719 1 39 43 6 2}
    }
 
-- Password Policy Agent object
    "nspmPolicyAgent" OBJECT-CLASS ::=
    {
        Operation    ADD,
        Flags        {DS_EFFECTIVE_CLASS},
        SubClassOf   {"Top"},
        ContainedBy  {"nspmPasswordPolicyContainer"},
        NamedBy      {"CN"},
        MustContain  {"CN"},
        MayContain   {"Description",
						"nspmPolicyAgentNetWare",
						"nspmPolicyAgentWINNT",
						"nspmPolicyAgentSolaris",
						"nspmPolicyAgentLinux",
						"nspmPolicyAgentAIX",
						"nspmPolicyAgentHPUX"
					 },
		ASN1ObjID    {2 16 840 1 113719 1 39 43 6 3}
    }

    "nspmPasswordPolicy" OBJECT-CLASS ::=
	{
        Operation    ADD,
        Flags        {DS_EFFECTIVE_CLASS},
        SubClassOf   {"Top"},
        ContainedBy  {"nspmPasswordPolicyContainer", "Domain", "Locality", "Organization", "Organizational Unit"},
        NamedBy      {"CN"},
        MustContain  {"CN"},
        MayContain   {"Description",
						"nspmPolicyPrecedence",
						"nspmConfigurationOptions",
						"nspmChangePasswordMessage",
						"Password Expiration Interval",
						"Login Grace Limit",
						"nspmMinPasswordLifetime",
						"Password Unique Required",
						"nspmPasswordHistoryLimit",
						"nspmPasswordHistoryExpiration",
						"Password Allow Change",
						"Password Required",
						"Password Minimum Length",
						"nspmMaximumLength",
						"nspmCaseSensitive",
						"nspmMinUpperCaseCharacters",
						"nspmMaxUpperCaseCharacters",
						"nspmMinLowerCaseCharacters",
						"nspmMaxLowerCaseCharacters",
						"nspmNumericCharactersAllowed",
						"nspmNumericAsFirstCharacter",
						"nspmNumericAsLastCharacter",
						"nspmMinNumericCharacters",
						"nspmMaxNumericCharacters",
						"nspmSpecialCharactersAllowed",
						"nspmSpecialAsFirstCharacter",
						"nspmSpecialAsLastCharacter",
						"nspmMinSpecialCharacters",
						"nspmMaxSpecialCharacters",
						"nspmMaxRepeatedCharacters",
						"nspmMaxConsecutiveCharacters",
						"nspmMinUniqueCharacters",
						"nspmDisallowedAttributeValues",
						"nspmExcludeList",
						"nspmExtendedCharactersAllowed"
					},
		ASN1ObjID    {2 16 840 1 113719 1 39 43 6 1}
	}

-- --------------------------------
-- Modification of Existing Classes
-- --------------------------------

	"ndsLoginProperties" OBJECT-CLASS ::=
	{
		Operation	MODIFY,
		MayContain	{	
						"nspmPasswordKey",
						"nspmPassword",
						"nspmDistributionPassword",
						"nspmPasswordHistory",
						"nspmAdministratorChangeCount",
						"nspmPasswordPolicyDN"
					}
	}

	"Group" OBJECT-CLASS ::=
	{
		Operation	MODIFY,
		MayContain	{
						"nspmPasswordPolicyDN"
					}
	}

	"ndsContainerLoginProperties" OBJECT-CLASS ::=
	{
		Operation	MODIFY,
		MayContain	{
						"nspmPasswordPolicyDN"
					}
	}

    "SAS:Login Policy" OBJECT-CLASS ::=
	{
		Operation	MODIFY,
		MayContain	{
						"nspmPasswordPolicyDN"
					}
	}

   "SAS:Security" OBJECT-CLASS ::=
   {
        Operation	MODIFY,
		MayContain	{
						"nspmPolicyAgentContainerDN"
					}
   }

END


