Overview#
We have run into several clients that would like to be able to populate the answers to the NSPM challenge-response questions from known values of attributes on the user entries for Novell's Challenge Response SystemBelow is An example is for user self-registration. We worked on a project with a University that had personal information about their students and wanted them to be able to self-register. The user would go to a WEB site where they could answer questions based on previously supplied information. Some attributes like:
- SSN
- Student ID Number
- Mother's Maiden Name
- (you get the idea)
Then the user would be asked to set their password of their choosing and answer a new set of challenge questions.
Novell, in our humble opinion, has done a very poor job of exposing any reasonable methods to perform these methods to customers or developers for reasons unknown. Most solutions are then cobbled together out of necessity to find a way to fulfil these needs. Not that these "cobbled" together methods do not work, but they could be done much more efficiently if Novell would provide published APIs to accomplish these customer desires.
Methods to Set NSPM Challenge-Responses#
We have tried to gather some Methods to Set NSPM Challenge-Responses and provide some insight as to how the different methods work.We have also done several Methods to Set NSPM Challenge-Responses for clients that were specific to the clients but this allowed us to gain insight on how the struggles to find Methods to Set NSPM Challenge-Responses.
With some java code and some modifications to the ChallengeSet, we were able to make this happen.
There are a couple of limitations#
If you want to push mapped attribute values to a specified user you there are a couple of items that need to be followed:- Only Admin-defined questions - The ChallengeSet assigned to a user's Policy MUST ONLY contain Admin-defined questions.
- ChallengeSet modification - The ChallengeSet object in eDirectory must be manually modified outside of the iManager ChallengeResponse plugin after creation (ie. ConsoleOne or LDAP)
- SSL for LDAP must be properly configured for the computer that the applications is run and the LDAP server you are using.
Specifically there are two attributes on the ChallengeSet object that contain XML blobs that require modification each are shown below.
XML blobs#
Each of these attributes are identical XML blobs (except for the parent element name).For each Question child of the AdminDefined element, you MUST ADD the AttributeMapping attribute as shown below.
nsimRandomQuestions #
The nsimRandomQuestions might be defined like:
<RandomQuestions>
<AdminDefined>
<Question MaxLength="255" MinLength="2"><![CDATA[What is your title?]]></Question>
</AdminDefined>
</RandomQuestions>
We need to add an XML attribute "AttributeMapping" with the LDAP name of the attribute to each of the "RandomQuestions". Following modification it would look like:
<RandomQuestions>
<AdminDefined>
<Question MaxLength="255" MinLength="2" AttributeMapping="title"><![CDATA[What is your title?]]></Question>
</AdminDefined>
</RandomQuestions>
nsimRequiredQuestions#
The nsimRequiredQuestions might be defined like:
<RequiredQuestions>
<UserDefined MaxLength="255" MinLength="2"/>
<AdminDefined>
<Question MaxLength="255" MinLength="2"><![CDATA[What is your social Security Number?]]></Question>
<Question MaxLength="255" MinLength="2"><![[CDATA]What is your surname?]]</Question>
</AdminDefined>
</RequiredQuestions>
We need to add an XML attribute "AttributeMapping" with the LDAP name of the attribute to each of the "RandomQuestions". Following modification it would look like:
<RequiredQuestions>
<AdminDefined>
<Question MaxLength="255" MinLength="2" AttributeMapping="ssn"><![[CDATA][What is your social Security Number?]]</Question>
<Question MaxLength="255" MinLength="2" AttributeMapping="sn"><![[CDATA][What is your surname?]]</Question>
</AdminDefined>
</RequiredQuestions>
