Simple Password

Simple Password#

The simple password is an login method made available as part of NMAS (Novell Modular Authentication Service). NMAS users can access the network using a variety of authentication methods including smart card methods (smart card/ token readers), biometric methods (fingerprint, retinal scan, etc) or password methods (nds password, simple password, enhanced password).

The simple password is an encrypted password (encrypted through the NMAS engine), and is stored in the directory as an attribute of the user. Simple passwords can be created/ managed through iManager, ConsoleOne or NetWare Remote Manager. (See tid TID 10064790 How to create SIMPLE PASSWORDS)

The simple password was originally implemented to allow administrators to import users and passwords (clear text and hashed) from foreign systems such as Linux or Unix systems and iPlanet*.

ONE-WAY-HASH Passwords#

A one-way-hash where if you know the clear-text value of the password you could recreate the hash value; But, if you have the hash you can not obtain the clear-text value.

The most popular algorithms are:

Why you should use the Simple Password ?#

We have used the simple password to:
  • Method to maintain existing passwords when we migrate users from other LDAP servers that use common one-way hash algorithms. In password sync scenarios where we need to put a password from other LDAP servers that use common one-way hash algorithms or when we need to write passwords to other systems that can not do native LDAP authentication.
  • Supports case sensitivity. (Was important before 8.8.x)

Things You Should Know About Simple Password#

Normally, most Edirectory logins will attempt authentication to the NDS password first, then fail to the Simple Password. As the NDS password does not enforce case sensitivity and the Simple Password will, normally be the same, you may need to "remove" the NDS password to obtain case sensitivity or to force the Simple password to be used.

Almost no Authentication controls are enforced when using the Simple Password.

  • No PasswordExpirationTime
  • No Intruder Detection

Setting the Simple Password#

For the 8.5, 8.6 and 8.7.0 release of NDS eDirectory allows the storage and validation of passwords hashed with the following hashing algorithms: SHA, MD5, and Unix Crypt.

Simple Password and Edirectory 8.8.x#

With Simple Password and Edirectory 8.8.x there were some changes in that the user does NOT have a nspmPasswordPolicy assigned (or activated via Container, partition, tree) that enables Universal Password. Easiest way to accomplish that is to assign the policy directly to the user.

The user can bind (submitting the clear-text value of the Simple Password) to the server. Upon a successful bind, assuming the password policy is configured to, will set the NDS and Universal Password and IDM does pick up the password change.

As well as the storing and validation of password that are clear text. With LDAP the normal mechanism for setting the password is via the userpassword attribute. However the Novell LDAP server only supports the ability to add clear text passwords via the Simple Password attribute.

The Simple Password allows the ability to add userpasswords that have been hashed by universal hashing algorithms.

The question you may have is how do we determine whether the password, especially in the case of the clear text password, should be a Universal or Simple or a NDS eDirectory Password?

In LDAP this done via a SupportedControl. LDAP controls are ways to expand the meaning of an LDAP operation.

When the following LDAP control is specified with an LDAP operation that contains a userpassword attribute then the server will try and add the password as a Universal Password:

controlOIDIs critical?Value
Simple Password Request: 2.16.840.1.113719.
Simple Password Reply2.16.840.1.113719.

Sample Java Code to Set Simple Password#

We wrote some Sample Java Code to Set Simple Password

Example C code#

The following is C code on how to set this control with an LDAP operation:
#define LDAP_SIMPLE_PASS "2.16.840.1.113719." 


LDAPControl *requestCtrls[2];
requestCtrls[0] = (LDAPControl *)calloc(1, sizeof (LDAPControl));
if (NULL == requestCtrls[0])

requestCtrls[0]->ldctl_oid = (char *) malloc(strlen(LDAP_SIMPLE_PASS) + 1);

if (NULL == requestCtrls[0]->ldctl_oid)
strcpy(requestCtrls[0]->ldctl_oid, LDAP_SIMPLE_PASS);
requestCtrls[0]->ldctl_iscritical = FALSE;
requestCtrls[0]->ldctl_value.bv_val = NULL;
requestCtrls[0]->ldctl_value.bv_len = 0;
requestCtrls[1] = NULL;


int err = ldap_add_ext(Ldap, dn, attrs, requestCtrls, NULL, &msgid);
if (err != LDAP_SUCCESS)

LDIF Examples#

You can also specify this control via an LDIF file. LDIF is defined by RFC 2849 “LDAP Data Interchange Format http://www.ietf.org/rfc/rfc2849.txt? Using the LDIF Example the following shows how this can be accomplished:

We found this LDIF to work for us reliably on a complete modify on an already available user, which set the correct values (we use md5 here):

dn: cn=SVAL0011,ou=Active,ou=People,ou=Identities,o=Organization
control: 2.16.840.1.113719. false
changetype: modify
replace: sasDefaultLoginSequence
sasDefaultLoginSequence: Simple Password
replace: nspmPasswordPolicyDN
nspmPasswordPolicyDN: cn=testsimplepassword,cn=Password Policies,cn=Security
replace: userPassword
userPassword: {md5}idqBLKKBPp82J6bMsH4jVQ==

These are some other options that may work if the user does NOT have a nspmPasswordPolicy assigned (or activated via Container, partition, tree) that enables Universal Password.

   control: 2.16.840.1.113719. false
   objectclass: inetorgperson
   sn: Doe
   title: programmer
   userpassword: {SHA}qUqP5cyxm6YcTAhz05Hph5gvu9M=

Using ICE#

# This works The -l forces ICE to use simple password
# ice -lice.log -v -SLDIF -fC:\mydata\jim\clients\novell\cnn\ldifs\simplepassword.ldif -v -c -a -DLDAP -s10.165.131.55 -p636 -dcn=admin,ou=administration,dc=willeke,dc=com -wsecret -LC:\mydata\jim\MYTTREE-CA.der -B -l -v
# sa3tHJ3/KuYvI = password
version: 1

dn: cn=testuser101,ou=people,dc=turner,dc=com
changeType: modify
add: userpassword
userpassword: {crypt}sa3tHJ3/KuYvI

If this switch is specified all LDAP operations in the LDIF file will have this control applied to to the server knows which hash was used the definition is used as defined in RFC 2307 Using LDAP as a Network Information Service for defining different hashes within the userpassword attributes. The following is the definition from this RFC: userPassword values MUST be represented by following syntax:

   passwordvalue = schemeprefix encryptedpassword
   schemeprefix = "{" scheme "}"
   scheme = "crypt" / "md5" / "sha" / altscheme
   altscheme = "x-" keystring
   encryptedpassword = encrypted password
The encrypted password contains of a plaintext key hashed using the algorithm scheme. Below is an example of a userPassword attribute:
userPassword: (crypt)X5/DBrWPOQQaI

The value of this example of a userpassword is a password hashed by the Unix Crypt hash then base 64 encoded so it could be represented as text.

How to change the NMAS Simple Password with LDAP

Remove Simple Password#

There are occasions when the simple password is populated there may be conflicts on the use of the NDS or Universal Password. To avoid these problems, you can remove the simple password.

WARNING It is possible non-Simple Password values are in there as well (though probably not unless you are using some advanced NMAS stuff like biometrics, tokens, or the like).

Delete the SAS:Login Configuration and SAS:Login Configuration Key attributes.


dn: cn=user,o=novell,dc=org
changetype: modify
delete: sasloginconfiguration
delete: sasloginconfigurationkey

Migrating Simple Passwords To UniversalPassword#

Some information you might need when Migrating Simple Passwords To UniversalPassword.

More Information#

There might be more information for this subject on one of the following: