eDirectory and Case Sensitive LDAP Passwords

Before you read the rest of this dated article, read the documentation here:
Enforcing Case-Sensitive Universal Passwords - How to Make Your Password Case-Sensitive

Then ignore this article and follow the above directions!
Thanks to Aaron with NTS for clarifying. The xad directory that I mention in the article is part of the Domain Services for Windows on OES2.

###########################################################

Do you use case sensitive passwords with eDirectory 8.8 over LDAP? Are you sure? Turns out that /etc/init.d/ndsd appears to have an error.



I was recently working through some test scripts and thought that my eDirectory 8.8.3 was using case sensitive universal passwords over LDAP. To my surprise, it was not.



I did some digging and found that for Universal Password to be tried first via LDAP, the environment variable NDSD_TRY_NMASLOGIN_FIRST must be set to true in the /etc/init.d/ndsd startup script.



Reference: http://www.novell.com/support/viewContent.do?externalId=3307424&sliceId=1

When I looked at that script what I found was the following:

    if [ -d /opt/novell/xad/lib/nds-modules ]; then
        NDSD_TRY_NMASLOGIN_FIRST=true
        export NDSD_TRY_NMASLOGIN_FIRST
    fi


The problem here is that /opt/novell/xad/lib/nds-modules doesn't exist on my server, so the variable is never set. I'm not sure whether this is intentional, but when I searched for all files called nds-modules, the only one present on the file system was /opt/novell/eDirectory/lib/nds-modules.



With that info in hand I updated the ndsd start script to the following:

    ##########CORRECTED########### if [ -d /opt/novell/xad/lib/nds-modules ]; then
    if [ -d /opt/novell/eDirectory/lib/nds-modules ]; then
        NDSD_TRY_NMASLOGIN_FIRST=true
        export NDSD_TRY_NMASLOGIN_FIRST
    fi


After a restart of eDirectory, my LDAP passwords are now case sensitive.
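Before trusting the change, it is worth verifying the behaviour from the outside rather than reading the startup script. The following check script is an added example, not part of the original article: it reads the running ndsd process's environment from /proc (assumes Linux, the process name ndsd and enough privilege to read another process's environ), and it binds twice over LDAP with ldapsearch from the OpenLDAP client tools, once with the real password and once with its case flipped; if both binds succeed, the server is not comparing case-sensitively. The server URI, bind DN and password are placeholders you supply on the command line.

```sh
#!/bin/sh
# Added example: is eDirectory really checking LDAP passwords case-sensitively?
# Check 1: the live ndsd environment. Check 2: two LDAP binds, real and flipped.

# Return 0 if the NUL-separated environ file contains the variable set to true.
nmas_first_enabled() {
    tr '\0' '\n' < "$1" | grep -qx 'NDSD_TRY_NMASLOGIN_FIRST=true'
}

# Check the running ndsd process; returns 2 = not running, 1 = variable missing.
check_running_ndsd() {
    pid=$(pidof ndsd 2>/dev/null | cut -d' ' -f1)
    [ -n "$pid" ] || { echo "ndsd is not running"; return 2; }
    nmas_first_enabled "/proc/$pid/environ"
}

# Swap the case of every letter: Secret1 -> sECRET1 (digits untouched).
flip_case() {
    printf '%s' "$1" | tr 'a-zA-Z' 'A-Za-z'
}

# Simple bind as DN $2 with password $3 against URI $1; print ldapsearch's
# exit code (0 = bound, 49 = invalid credentials).
bind_rc() {
    ldapsearch -x -H "$1" -D "$2" -w "$3" -b '' -s base >/dev/null 2>&1 \
        && echo 0 || echo $?
}

# Classify the two exit codes; succeed only when the flipped password fails.
verdict() {
    if [ "$1" -ne 0 ]; then
        echo "ERROR: correct password rejected (rc=$1)"; return 2
    elif [ "$2" -eq 0 ]; then
        echo "INSECURE: case-flipped password accepted"; return 1
    fi
    echo "OK: case-flipped password rejected (rc=$2)"
}

# Usage: ./check_case.sh ldaps://server.example cn=admin,o=org 'Secret1'
probe_case() {
    verdict "$(bind_rc "$1" "$2" "$3")" "$(bind_rc "$1" "$2" "$(flip_case "$3")")"
}

if [ "$#" -ge 3 ]; then probe_case "$@"; fi
```

Run check_running_ndsd as root on the server itself after a restart; an "OK" verdict from probe_case is only meaningful if the first bind actually succeeded, which is why a rejected correct password is reported as an error rather than a pass.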



While this is well documented in the above TID, I do wonder why this if statement is present at all, and why the setting is not simply the default.



Hope you find this helpful.


Comment List
  • The TID was incorrect, and the script is correct.

    The reason that there are some situations where this environment variable is set by default is that some products which depend on eDirectory require it. The 'xad' reference is for Domain Services for Windows (DSfW) which is part of Open Enterprise Server 2. Current versions of the ndsd script also reference AFP as the AppleTalk File Protocol has a similar requirement. For backward compatibility Novell has not yet made this a default for all situations and as a result leaves it up to the administrator to set this per server.

    HOWEVER, this should NOT be set in /etc/init.d/ndsd directly as that file is owned by a package. The reason this is a problem is that subsequent eDirectory patches which include that package (most of them) will undo the setting leaving you in the situation where you were before making the change. To properly set things like this you should use the pre_ndsd_start script which is "sourced" before the ndsd script starts eDirectory. The TID has been updated, as have various other TIDs and documentation with the same incorrect recommendation. This same recommendation (do not modify package-owned files) applies to all files owned by all packages in any package-management system. There are usually ways to implement customizations in a way that will not be overwritten by later patches and those should be used in all cases.