This page (revision-1) was last changed on 29-Nov-2024 16:16 by UnknownAuthor
!!!Simple Password
The simple password is a login method made available as part of [NMAS] (Novell Modular Authentication Service). [NMAS] users can access the network using a variety of authentication methods, including smart card methods (smart card/token readers), biometric methods (fingerprint, retinal scan, etc.) or password methods (NDS password, simple password, enhanced password).
The simple password is an encrypted password (encrypted through the NMAS engine) and is stored in the directory as an attribute of the user. Simple passwords can be created and managed through iManager, ConsoleOne or NetWare Remote Manager. (See TID 10064790, How to create SIMPLE PASSWORDS.)
The simple password was originally implemented to allow administrators to import users and passwords (clear text and hashed) from foreign systems such as Linux or Unix systems and iPlanet.
!! ONE-WAY-HASH Passwords
A [one-way hash|http://en.wikipedia.org/wiki/Cryptographic_hash_function] is one where, if you know the clear-text value of the password, you can recreate the hash value; but if you have only the hash, you cannot obtain the clear-text value.
The most popular algorithms are:
* [Message-Digest algorithm 5 (MD5)|MD5]
* [Secure Hash Algorithm (SHA)|Secure Hash Algorithm]
!!! Why you should use the [{$pagename}]?
We have used the simple password to:
* To maintain existing passwords when we migrate users from other LDAP servers that use common one-way hash algorithms: in password sync scenarios where we need to store a password that comes from other LDAP servers using common one-way hash algorithms, or when we need to write passwords to other systems that cannot do native LDAP authentication.
* To support case sensitivity. (This was important before 8.8.x.)
!!! Things You Should Know About Simple Password
Normally, most eDirectory logins will attempt authentication against the NDS password first, then fall back to the [{$pagename}]. Because the NDS password does not enforce case sensitivity while the [{$pagename}] does, and the two are normally the same value, you may need to "remove" the NDS password to obtain case sensitivity or to force the Simple Password to be used.
Almost no authentication controls are enforced when using the Simple Password:
* No PasswordExpirationTime
* No Intruder Detection
!!! Setting the [{$pagename}]
The 8.5, 8.6 and 8.7.0 releases of NDS eDirectory allow the storage and validation of passwords hashed with the following hashing algorithms: SHA, MD5 and Unix Crypt.
!! Simple Password and eDirectory 8.8.x
With Simple Password and eDirectory 8.8.x there were some changes that depend on the user having a [nspmPasswordPolicy] assigned (or activated via container, partition or tree) that enables Universal Password. The easiest way to accomplish that is to assign the policy directly to the user.
The user can bind to the server by submitting the clear-text value of the [{$pagename}]. Upon a successful bind, and assuming the password policy is configured to do so, the server will set the NDS and [Universal Password], and IDM does pick up the password change.
Clear-text passwords can also be stored and validated. With LDAP the normal mechanism for setting the password is via the userPassword attribute; however, the Novell LDAP server only supports adding clear-text passwords via the [{$pagename}] attribute.
The [{$pagename}] also allows adding userPassword values that have been hashed by common hashing algorithms.
The question you may have is: how do we determine whether the password, especially in the case of a clear-text password, should be a Universal, Simple or NDS eDirectory Password?
In LDAP this is done via a [SupportedControl]. LDAP controls are a way to extend the meaning of an LDAP operation.
When the following LDAP control is specified with an LDAP operation that contains a userPassword attribute, the server will try to add the password as a Universal Password:
||Control||OID||Is critical?||Value
|Simple Password Request|2.16.840.1.113719.1.27.101.5|false|none
|Simple Password Reply|2.16.840.1.113719.1.27.101.5| |
!! [Sample Java Code to Set Simple Password|JavaCodeSetSimplePassword]
We wrote some [Sample Java Code to Set Simple Password|JavaCodeSetSimplePassword]
!! [Example] C code
The following is C code on how to set this control with an LDAP operation:
{{{
#include <stdlib.h>
#include <string.h>
#include <ldap.h>

#define LDAP_SIMPLE_PASS "2.16.840.1.113719.1.27.101.5"

/* Add an entry with the Simple Password Request control attached.
   Returns LDAP_SUCCESS or an LDAP error code; msgid receives the
   message id of the asynchronous add. */
int add_with_simple_password(LDAP *Ldap, const char *dn, LDAPMod **attrs, int *msgid)
{
    LDAPControl *requestCtrls[2];
    int err;
    requestCtrls[0] = (LDAPControl *)calloc(1, sizeof(LDAPControl));
    if (NULL == requestCtrls[0])
        return LDAP_NO_MEMORY;
    requestCtrls[0]->ldctl_oid = (char *)malloc(strlen(LDAP_SIMPLE_PASS) + 1);
    if (NULL == requestCtrls[0]->ldctl_oid) {
        free(requestCtrls[0]);
        return LDAP_NO_MEMORY;
    }
    strcpy(requestCtrls[0]->ldctl_oid, LDAP_SIMPLE_PASS);
    requestCtrls[0]->ldctl_iscritical = 0;      /* not critical, as in the table above */
    requestCtrls[0]->ldctl_value.bv_val = NULL; /* the control carries no value */
    requestCtrls[0]->ldctl_value.bv_len = 0;
    requestCtrls[1] = NULL;                     /* NULL-terminated control list */

    err = ldap_add_ext(Ldap, dn, attrs, requestCtrls, NULL, msgid);

    free(requestCtrls[0]->ldctl_oid);
    free(requestCtrls[0]);
    return err;
}
}}}
!! LDIF [Examples]
You can also specify this control via an LDIF file. LDIF is defined by [RFC 2849 LDAP Data Interchange Format|http://www.ietf.org/rfc/rfc2849.txt]. The following LDIF [Example] shows how this can be accomplished.
We found this LDIF to work for us reliably as a complete modify on an existing user, setting the correct values (we use md5 here):
%%prettify
{{{
dn: cn=SVAL0011,ou=Active,ou=People,ou=Identities,o=Organization
control: 2.16.840.1.113719.1.27.101.5 false
changetype: modify
replace: sasDefaultLoginSequence
sasDefaultLoginSequence: Simple Password
-
replace: nspmPasswordPolicyDN
nspmPasswordPolicyDN: cn=testsimplepassword,cn=Password Policies,cn=Security
-
replace: userPassword
userPassword: {md5}idqBLKKBPp82J6bMsH4jVQ==
}}} /%
These are some other options that may work if the user does NOT have a [nspmPasswordPolicy] assigned (or activated via Container, partition, tree) that enables Universal Password.
{{{
dn: cn=jane,o=container
control: 2.16.840.1.113719.1.27.101.5 false
objectclass: inetorgperson
cn: jane
sn: Doe
title: programmer
userpassword: {SHA}qUqP5cyxm6YcTAhz05Hph5gvu9M=
}}}
!!Using ICE
{{{
# This works. The -l switch forces ICE to use the simple password control.
# ice -lice.log -v -SLDIF -fC:\mydata\jim\clients\novell\cnn\ldifs\simplepassword.ldif -v -c -a -DLDAP -s10.165.131.55 -p636 -dcn=admin,ou=administration,dc=willeke,dc=com -wsecret -LC:\mydata\jim\MYTTREE-CA.der -B -l -v
# sa3tHJ3/KuYvI = password
version: 1
dn: cn=testuser101,ou=people,dc=turner,dc=com
changeType: modify
add: userpassword
userpassword: {crypt}sa3tHJ3/KuYvI
}}}
If this switch is specified, all LDAP operations in the LDIF file will have this control applied. So that the server knows which hash was used, the value follows the definition in [RFC 2307 Using LDAP as a Network Information Service|http://www.ietf.org/rfc/rfc2307.txt] for representing different hashes within the userPassword attribute. The following is the definition from that RFC: userPassword values MUST be represented by the following syntax:
{{{
passwordvalue = schemeprefix encryptedpassword
schemeprefix = "{" scheme "}"
scheme = "crypt" / "md5" / "sha" / altscheme
altscheme = "x-" keystring
encryptedpassword = encrypted password
}}}
The encrypted password consists of a plaintext key hashed using the algorithm named by the scheme. Below is an example of a userPassword attribute:
{{{
userPassword: {crypt}X5/DBrWPOQQaI
}}}
The value in this example is a password hashed with Unix Crypt and then base-64 encoded so that it can be represented as text.
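As an added example (not code from the original page or from Novell), the following Python checks a clear-text candidate against a userPassword value in the RFC 2307 {scheme}encryptedpassword form described above, covering the {md5}, {sha} and {crypt} schemes the page lists, rejecting a value whose prefix is not a proper {scheme}, and comparing case-sensitively as the Simple Password does. The {md5} value in the test is constructed here and is not one of the page's values.

```python
import base64
import hashlib
import hmac
import re
from typing import Tuple

try:
    import crypt  # Unix crypt(3); removed from the standard library in Python 3.13
except ImportError:
    crypt = None

# RFC 2307: passwordvalue = schemeprefix encryptedpassword, schemeprefix = "{" scheme "}"
_SCHEME_RE = re.compile(r"^\{([A-Za-z0-9-]+)\}(.+)$", re.DOTALL)


def parse_userpassword(value: str) -> Tuple[str, str]:
    """Split a userPassword value into (scheme, encryptedpassword).

    The scheme is lower-cased ({SHA} and {sha} name the same scheme). A value
    without a proper {scheme} prefix, e.g. a "(crypt)..." spelling, is rejected.
    """
    match = _SCHEME_RE.match(value)
    if not match:
        raise ValueError("userPassword value lacks a {scheme} prefix: %r" % value)
    return match.group(1).lower(), match.group(2)


def verify_userpassword(stored: str, candidate: str) -> bool:
    """Check a clear-text candidate against a {md5}, {sha} or {crypt} value.

    The hash is one way: we recompute it from the candidate and compare; the
    clear text is never recovered from the stored value. The comparison is
    case sensitive, as the Simple Password itself is.
    """
    scheme, encrypted = parse_userpassword(stored)
    if scheme in ("md5", "sha"):
        # {md5} and {sha} carry the raw digest, base64 encoded
        algorithm = "md5" if scheme == "md5" else "sha1"
        digest = hashlib.new(algorithm, candidate.encode("utf-8")).digest()
        expected = base64.b64encode(digest).decode("ascii")
        return hmac.compare_digest(expected, encrypted)
    if scheme == "crypt":
        if crypt is None:
            raise ValueError("Unix crypt(3) is not available in this Python build")
        # crypt(3) output begins with its own salt, so the stored value serves as the salt
        return hmac.compare_digest(crypt.crypt(candidate, encrypted), encrypted)
    # "x-" altscheme or anything else: not verifiable here
    raise ValueError("unsupported userPassword scheme: %s" % scheme)
```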
[How to change the NMAS Simple Password with LDAP|http://support.novell.com/cgi-bin/search/searchtid.cgi?/10066348.htm]
!! Remove Simple Password
When the simple password is populated, there may be conflicts with the use of the NDS or Universal Password. To avoid these problems, you can remove the simple password.
__WARNING__ It is possible that non-Simple Password values are stored in these attributes as well (though probably not unless you are using some advanced NMAS features such as biometrics, tokens or the like).
Delete the SAS:Login Configuration and SAS:Login Configuration Key attributes.
LDIF:
{{{
dn: cn=user,o=novell,dc=org
changetype: modify
delete: sasloginconfiguration
-
delete: sasloginconfigurationkey
}}}
!!! [Migrating Simple Passwords To UniversalPassword|Migrating Passwords To UniversalPassword]
Some information you might need when [Migrating Simple Passwords To UniversalPassword|Migrating Passwords To UniversalPassword].
!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]