How to implement 2FA to authenticate against eDirectory

Hi everybody,

I try to evaluate new authentication methods for our users, but I don't really know where to start.The more I read about it, the more compölicated it gets. For example: What's the difference between Advanced authentication methods and NMAS authentication methods?

Currently we use only username/password authentication. The goal is to achieve a higher security level using 2FA, but without complicating it. E. g. using a physical token and/or smartcard and/or OTP.

I'd like to install a testlab with different methods, but I can't find how to get it working. The only howto I found was about yubikey and OTP and using the HOTP NMAS login method. 

Are there any howtos or step-by-step instructions how to use e. g. physical rfid token or smartcards to authenticate against eDirectory?

Thanks in advance!



  • The confusion between NMAS and NAAF is easy to explain.

    NAAF is a web based technology that integrates with other web based products to add on MFA onto these other products. (If you cannot natively integrate it, but can reverse proxy it, then you can use Netiq Access Manager to control access to the app and have NAM integrate with NAAF and require MFA).

    Some thick clients support MFA as well. 

    To access eDirectory you have 2 raw methods. NCP and LDAP.

    The Client of OES or Client32 or Novell Client or whatever the heck it is called today is an NCP (over IP these days, alas IPX is long gone. I kind of liked IPX) client.  This would be one way to do MFA.

    I am pretty sure NAAF integrates with Client32.

    Or you could use an NMAS method that Client32 supports to implement the MFA.

    LDAP is trickier, since it is hard to do somoe of the MFA steps in LDAP so that is pretty rare.

    So instead of asking for MFA for eDir, how about you specify what you use to access eDir and maybe that will make it easier to answer


  • Thank you for your answer.

    We use Client for Open Enterprise Server (aka Novell Client) to legitimate users with conventional username/password authentication (NCP) and ZCM for local Windows Workstation authentication (LDAP).

    We want to rise the security level, so we thought about MFA. To evaluate the best method, I would do some testing in the lab with RFID tokens, Smartcards, maybe software certificates and fingerprints. I am now at the very beginning of this project and try to figure out what the requirements are and what I have to do to meet these. As I was used to I was looking for a step by step giude in the Novell documentation, but this did not really help as I have no clue about NMAS and developing login methods. I was hoping for ready-to-use configurations...



  • There are commercial NMAS methods (Vasco and others) but I think they are fading away.

    In the near term, NetIQ Advanced Authentication Framework (NAAF) is probaly the way to go.  I am pretty sure it integrates with Client32/Client for OES.


  • I know OES got integration with AA in May 2019. So ensure you have a last version.

    I can help with the configuration of the AA side in a remote session, but I never saw how it's integrated with OES. OES team is supporting it.

  • Thank you for your offer.

    It seems that I underestimated this topic a bit. I think I will contact microfocus sales team, it's their job to tell me what I need

    But I will give AA a try in my lab.

    Thank you all