nsimChallengeSet Attributes#

Each nsimChallengeSet has the following attributes:
  • cn - Name of the nsimChallengeSet
  • description - Description of NsimChallengeSet
  • nsimRequiredQuestions - single-valued - An XML string describing the required questions the user would need to answer.
  • nsimRandomQuestions - single-valued - An XML string describing the random questions the user would need to answer.
  • nsimNumberRandomQuestions - Determines the number of questions that the user will be presented.
  • nsimMinResponseLength - the minimum length of an acceptable answer to this challenge. (We highly recommend that this be set, as an "empty" result is possible unless it is set to 1 or greater.)
  • nsimMaxResponseLength - the maximum length of an acceptable answer to this challenge.

Challenges and responses are stored in the NMAS config and secret stores. NMAS provides client management APIs to read and write from the config store, but they only write to the secret store. Only LSMs can read from the secret store. Also, everything that is stored in these stores has an associated tag name. When storing the challenges and responses, the challenges are stored in the config store as an XML string. This XML string for our sample looks like:

Challenge Questions#

Question Author#

The "Question Author" is an XML tag, <AdminDefined> or <UserDefined>, within the XML fragment(s) stored in either the nsimRequiredQuestions or nsimRandomQuestions attribute of the nsimChallengeSet.

User Authors the Question (User defined)#

The user creates the question. This happens when the user sets up Forgotten Password Self-Service. Each user's question and answer are unique. The user-defined questions, regardless of whether they are in nsimRequiredQuestions or nsimRandomQuestions, appear in the XML fragment as an empty tag on which only the XML attributes MaxLength and MinLength are defined (these are the User Response Character Length). So if there were two UserDefined questions, they might appear as shown below.
<UserDefined MaxLength="255" MinLength="2"/>
<UserDefined MaxLength="128" MinLength="4"/>

Administrator Authors the Question (Administrator Defined)#

The administrator creates the question. Each user provides a customized answer.

Question Type#

Required Questions#

The nsimChallengeSet attribute nsimRequiredQuestions holds an XML fragment that defines the Required Questions. When the user is challenged, the Required Questions will always be presented, regardless of whether the question is "User Defined" or "Administrator Defined".

nsimRequiredQuestions #

<!-- Typical Challenges as they appear in the LDAP Attribute nsimRequiredQuestions within the ChallengeSet entry in clear text -->
<RequiredQuestions>
	<UserDefined MaxLength="255" MinLength="2"/>
	<AdminDefined>
		<Question MaxLength="255" MinLength="2">
			<![CDATA[What is your mother's maiden name]]>
			<display xml:lang="en" default="true">
				<![CDATA[What is your mother's maiden name]]>
			</display>
		</Question>
	</AdminDefined>
</RequiredQuestions>

Random Questions#

When the user is challenged, the defined number (nsimNumberRandomQuestions) of "Random Questions" is presented, regardless of whether the question is "User Defined" or "Administrator Defined".

nsimRandomQuestions#

<!-- Typical Challenges as they appear in the LDAP Attribute nsimRandomQuestions within the ChallengeSet entry in clear text -->
<RandomQuestions>
	<AdminDefined>
		<Question MaxLength="255" MinLength="2">
			<![CDATA[Who is your favorite author]]>
			<display xml:lang="en" default="true">
				<![CDATA[Who is your favorite author]]>
			</display>
		</Question>
		<Question MaxLength="255" MinLength="2">
			<![CDATA[Name of your High School]]>
			<display xml:lang="en" default="true">
				<![CDATA[Name of your High School]]>
			</display>
		</Question>
	</AdminDefined>
</RandomQuestions>
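
As an added example (not code from the original page or from Novell), the following Python parses nsimRequiredQuestions and nsimRandomQuestions values in the format shown above and flags any question whose MinLength permits an empty response, plus two consistency checks that go beyond the page (MaxLength below MinLength, and nsimNumberRandomQuestions larger than the number of random questions defined). The function names, the constructed sample values, and the treatment of a missing length attribute as 0 are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed samples modelled on this page; MinLength="0" and Max<Min are deliberate.
REQUIRED_XML = """<RequiredQuestions>
  <UserDefined MaxLength="255" MinLength="0"/>
  <AdminDefined>
    <Question MaxLength="255" MinLength="2">
      <![CDATA[What is your mother's maiden name]]>
      <display xml:lang="en" default="true"><![CDATA[What is your mother's maiden name]]></display>
    </Question>
  </AdminDefined>
</RequiredQuestions>"""
RANDOM_XML = """<RandomQuestions>
  <AdminDefined>
    <Question MaxLength="255" MinLength="2"><![CDATA[Who is your favorite author]]></Question>
    <Question MaxLength="4" MinLength="8"><![CDATA[Name of your High School]]></Question>
  </AdminDefined>
</RandomQuestions>"""

def parse_questions(fragment):
    """Return one dict per question in an nsimRequiredQuestions/nsimRandomQuestions value."""
    root = ET.fromstring(fragment)  # input is assumed to come from your own directory
    out = []
    for author in root:
        # <UserDefined/> carries the lengths itself; <AdminDefined> wraps <Question> elements.
        items = [author] if author.tag == "UserDefined" else author.findall("Question")
        for q in items:
            out.append({
                "kind": root.tag, "author": author.tag,
                "text": (q.text or "").strip() or None,  # None for user-defined questions
                "min": int(q.get("MinLength", "0")),     # missing attribute -> 0 (assumption)
                "max": int(q.get("MaxLength", "0")),
            })
    return out

def audit(required_xml, random_xml, num_random):
    """Hypothetical helper: list settings that allow empty or impossible answers."""
    required, rand = parse_questions(required_xml), parse_questions(random_xml)
    findings = []
    for q in required + rand:
        label = q["text"] or "<user-defined>"
        if q["min"] < 1:
            findings.append(f"{q['kind']}/{label}: MinLength {q['min']} allows an empty response")
        if q["max"] < q["min"]:
            findings.append(f"{q['kind']}/{label}: MaxLength {q['max']} < MinLength {q['min']}")
    if num_random > len(rand):
        findings.append(f"nsimNumberRandomQuestions={num_random} exceeds {len(rand)} defined")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(REQUIRED_XML, RANDOM_XML, num_random=3)))
```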

Modification of nsimChallengeSet #

Since Novell has not provided any documentation on this objectClass we are making some assumptions.

If the nsimChallengeSet is modified after association to any nspmPasswordPolicy(s), then the nsimChallengeSetGUID should be updated on each nspmPasswordPolicy that is using the nsimChallengeSet.

What we see: when using iManager (2.7) to associate an nsimChallengeSet with an nspmPasswordPolicy, the nsimChallengeSetGUID on the nspmPasswordPolicy is set to 1235234082497. When this value is divided by 1000, the resulting value 1235234082 converts as a UNIX timestamp to the time the nsimChallengeSet was associated with the nspmPasswordPolicy.

This page (revision-12) was last changed on 26-Nov-2015 17:41 by jim