Decrypt nspmPasswordHistory and Question/Answers
We have been asked to move the existing password history and Question/Answer sets to another application so the users don't have to do so.
I am able to obtain the encrypted nspmPasswordHistory and sASLoginSecret attributes as well as the Server Key (via SDIDIAG). What is the process to actually decrypt the attributes using the server key?
I don't believe that is possible. I am certain it is not for the challenge answers because they are non-reversibly hashed, not encrypted. As far as I am aware, only nspmDistributionPassword is retrievable via a special LDAP extension (because it has to be).
Interestingly, nspmDistributionPassword is the Distribution Password and can be retrieved.
nspmPassword is the actual Universal Password, and also can be retrieved (at least in IDM. I think I asked Jim if he could get it in his tool and he did not think he could...)
There is no code in the NMAS API to retrieve the password history: https://www.microfocus.com/documentation/edirectory-developer-documentation/novell-modular-authentication-service/
It's also very old (no code change since 2009) ...
There might be ways to get around this limitation, but that would require some debugging / hacking, which I'm not ready for 😉