This page (revision-1) was last changed on 29-Nov-2024 16:16 by UnknownAuthor

!!!Overview
We have run into several clients that would like to populate the answers to the [NSPM] [challenge-response] questions from known attribute values on the user entries for [Novell's Challenge Response System].
Below is an [example] for user self-registration. We worked on a project with a University that had personal information about their students and wanted them to be able to self-register. The user would go to a web site where they could answer questions based on previously supplied information. Some attributes like:
* SSN
* Student ID Number
* Mother's Maiden Name
* (you get the idea)
Then the user would be asked to set a password of their choosing and answer a new set of challenge questions.
Novell, in our humble opinion, has done a very poor job of exposing any reasonable methods for customers or developers to perform these operations, for reasons unknown. Most solutions are then cobbled together out of necessity to fulfil these needs. Not that these "cobbled" together methods do not work, but they could be done much more efficiently if Novell would provide published APIs to accomplish these customer desires.
!! [Methods to Set NSPM Challenge-Responses]
We have tried to gather some [Methods to Set NSPM Challenge-Responses] and provide some insight as to how the different methods work.
We have also implemented several [Methods to Set NSPM Challenge-Responses] that were specific to individual clients, which gave us insight into the struggles of finding [Methods to Set NSPM Challenge-Responses].
With some Java code and some modifications to the ChallengeSet, we were able to make this happen.
!!!There are a couple of limitations
If you want to push mapped attribute values to a specified user, there are a couple of items that need to be followed:
* Only Admin-defined questions - The ChallengeSet assigned to a user's Policy MUST ONLY contain Admin-defined questions.
* ChallengeSet modification - The ChallengeSet object in eDirectory must be manually modified outside of the iManager ChallengeResponse plugin after creation (i.e., with ConsoleOne or LDAP).
* SSL for LDAP must be properly configured between the computer on which the application is run and the LDAP server you are using.
Specifically, there are two attributes on the ChallengeSet object that contain XML blobs that require modification. Each is shown below.
!!XML blobs
The XML blobs in these two attributes have the same structure (except for the parent element name).
For each Question child of the AdminDefined element, you MUST ADD the AttributeMapping attribute as shown below.
! [nsimRandomQuestions]
The [nsimRandomQuestions] might be defined like:
{{{
<RandomQuestions>
<AdminDefined>
<Question MaxLength="255" MinLength="2"><![CDATA[What is your title?]]></Question>
</AdminDefined>
</RandomQuestions>
}}}
We need to add an XML attribute "AttributeMapping", with the LDAP name of the attribute, to each Question in "RandomQuestions". Following modification it would look like:
{{{
<RandomQuestions>
<AdminDefined>
<Question MaxLength="255" MinLength="2" AttributeMapping="title"><![CDATA[What is your title?]]></Question>
</AdminDefined>
</RandomQuestions>
}}}
! [nsimRequiredQuestions]
The [nsimRequiredQuestions] might be defined like:
{{{
<RequiredQuestions>
<UserDefined MaxLength="255" MinLength="2"/>
<AdminDefined>
<Question MaxLength="255" MinLength="2"><![CDATA[What is your social Security Number?]]></Question>
<Question MaxLength="255" MinLength="2"><![CDATA[What is your surname?]]></Question>
</AdminDefined>
</RequiredQuestions>
}}}
We need to add an XML attribute "AttributeMapping", with the LDAP name of the attribute, to each Question in "RequiredQuestions". Following modification it would look like:
{{{
<RequiredQuestions>
<AdminDefined>
<Question MaxLength="255" MinLength="2" AttributeMapping="ssn"><![CDATA[What is your social Security Number?]]></Question>
<Question MaxLength="255" MinLength="2" AttributeMapping="sn"><![CDATA[What is your surname?]]></Question>
</AdminDefined>
</RequiredQuestions>
}}}
!! Be Careful
Make sure your changes are complete (including double-quotes around the attribute value) or the document will throw a JDOM exception upon reading from the wrapper.
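A pre-flight check for the edited blob, as an added example that is not part of the original page or of Novell's code: it adds AttributeMapping to each Question while preserving the CDATA sections, then verifies well-formedness and the limitations listed above before the value is written back to the ChallengeSet. The function names and the question-to-attribute table are assumptions made for illustration.

```python
from xml.dom import minidom
from xml.parsers.expat import ExpatError

# Constructed sample: the unmodified nsimRequiredQuestions blob shown on this page.
SAMPLE = """<RequiredQuestions>
<UserDefined MaxLength="255" MinLength="2"/>
<AdminDefined>
<Question MaxLength="255" MinLength="2"><![CDATA[What is your social Security Number?]]></Question>
<Question MaxLength="255" MinLength="2"><![CDATA[What is your surname?]]></Question>
</AdminDefined>
</RequiredQuestions>"""

# Assumed table: question text -> LDAP attribute name (values taken from this page).
MAPPING = {"What is your social Security Number?": "ssn",
           "What is your surname?": "sn"}

def question_text(q):
    """Concatenate the text and CDATA children of a Question element."""
    kinds = (q.TEXT_NODE, q.CDATA_SECTION_NODE)
    return "".join(n.data for n in q.childNodes if n.nodeType in kinds).strip()

def add_mappings(xml_text, mapping):
    """Set AttributeMapping on every Question whose text is in the table."""
    root = minidom.parseString(xml_text).documentElement
    for q in root.getElementsByTagName("Question"):
        text = question_text(q)
        if text in mapping:
            q.setAttribute("AttributeMapping", mapping[text])
    return root.toxml()  # minidom writes CDATA sections back as CDATA

def check_blob(xml_text):
    """Return a list of problems; an empty list means the blob is ready."""
    try:
        root = minidom.parseString(xml_text).documentElement
    except ExpatError as exc:  # e.g. a missing double-quote
        return [f"not well-formed: {exc}"]
    problems = []
    if root.tagName not in ("RequiredQuestions", "RandomQuestions"):
        problems.append(f"unexpected root element: {root.tagName}")
    if root.getElementsByTagName("UserDefined"):
        problems.append("UserDefined present; only Admin-defined questions are allowed")
    for q in root.getElementsByTagName("Question"):
        if not q.getAttribute("AttributeMapping").strip():
            problems.append(f"no AttributeMapping on: {question_text(q)}")
    return problems
```

Running `check_blob(add_mappings(SAMPLE, MAPPING))` still reports the UserDefined element, which matches the first limitation: the modified example above has that element removed.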
!!! Credits
Much of the code and many of the concepts are taken from various articles appearing on the Novell web site, including:
* [Attribute Mapping for Password Self-Service|http://www.novell.com/coolsolutions/feature/16001.html]
!! [Novell's Challenge Response System]
Some details on [Novell's Challenge Response System].
!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]