Overview#Novell has failed or decided not to document this attribute
We assume it is part of the SASDFMAttributeTypes is defined as:
- OID of 2.16.840.1.113722.214.171.124.1.0.4
- NAME: SASLoginSecretKey
- SYNTAX: 126.96.36.199.4.1.14188.8.131.52.40
- USAGE: DirectoryOperation
- Extended Flags:
- Used as MUST in:
- Used MAY in:
We believe that this attribute contains the challenges only after the user has provided responses. This can then be used to present the user with the challenges that they have previously provided responses to change their responses or change the "userDefined" challenges.
This can not, AFAWK, be used to present the challenges to the user for answer as it is the entire list of challenges.
When using the com.novell.security.nmas.mgmt.NMASChallengeResponseMgr.getChallengeQuestions(java.lang.String sTreeName, java.lang.String sUserDN) we think this is the attribute that is read. The response from the method is shown below:
<!-- Typical challenges as they appear on the user entry believed to be stores in the sASLoginSecretKey Attribute which is encrypted --> <Challenges GUID="1224508498298" RandomQuestions="2"> <Challenge Define="Admin" Type="Required" MinLength="4" MaxLength="4">Your Pin (4 digit code)</Challenge> <Challenge Define="Admin" Type="Random" MinLength="2" MaxLength="255">What is your childhood pet's name</Challenge> <Challenge Define="Admin" Type="Random" MinLength="2" MaxLength="255">Mothers Maiden Name</Challenge> <Challenge Define="User" Type="Random" MinLength="4" MaxLength="128">Best spouse?</Challenge> <Challenge Define="User" Type="Random" MinLength="2" MaxLength="255">Best Lover?</Challenge> </Challenges>
The XML GUID attribute appears to be a timestamp (ie value/1000 = UNIX Timestamp) and should be compared to the nsimChallengeSetGUID on the nspmPasswordPolicy for the User to determine if the challenges on the user entry are older than the challenges in the nsimChallengeSet.
All we know, encrypted further information tbd. Do you know? Tell us please.