Knowledge Partner

New NMAS support for AD password Complexity

NMAS in eDir 8.8.7 has a bug fix for the MS password complexity.

I am not sure if this included the sAMAccount name as a substring of the
password test, and the tokenized displayName values. (actually, reading
the bug, yes it does).

But regardless, does User App's password change page honour these new
settings? (Might be they just added Unicode support so it is now 3/5
really not 3/4).

https://bugzilla.novell.com/show_bug.cgi?id=385614

Does it try to explain them to the user as it does the normal complexity
patterns?

Also, does the web UI apply the policy before submitting the password,
or does it just try to set the password and if NMAS rejects it, then
report it?
Anonymous_User Absent Member.

Re: New NMAS support for AD password Complexity

On 06/01/2012 08:45 AM, Geoffrey Carman wrote:
> NMAS in eDir 8.8.7 has a bug fix for the MS password complexity.
>
> I am not sure if this included the sAMAccount name as a substring of the
> password test, and the tokenized displayName values. (actually, reading
> the bug, yes it does).
>
> But regardless, does User App's password change page honour these new
> settings. (Might be they just added Unicode support so it is now 3/5
> really not 3/4).
>
> https://bugzilla.novell.com/show_bug.cgi?id=385614
>
> Does it try to explain them to the user as it does the normal complexity
> patterns?
>
> Also, does the web UI apply the policy before submitting the password,
> or does it just try to set the password and if NMAS rejects it, then
> report it?

Greetings Geoffrey,
The new AD 2008 MS Complexity will only be supported with the 402
release of UserApp. If you attempt to utilize this (from eDir 887) with
any prior release of the UA it will not work correctly and that will be
the expected behavior.

--
Sincerely,
Steven Williams
Lead Software Engineer
NetIQ

Re: New NMAS support for AD password Complexity


> Greetings Geoffrey,
> The new AD 2008 MS Complexity will only be supported with the 402
> release of UserApp. If you attempt to utilize this (from eDir 887) with
> any prior release of the UA it will not work correctly and that will be
> the expected behavior.


Bah humbug! Why can you not backport support for something into the 5
year old 3.50 code base! You guys are slacking... 🙂

Thanks, appreciate knowing that. So seriously though, how will it
display in the UI to the user? Possible to get a screen shot maybe?


Re: New NMAS support for AD password Complexity

On 01.06.2012 14:55, Steven Williams wrote:
> On 06/01/2012 08:45 AM, Geoffrey Carman wrote:
>> NMAS in eDir 8.8.7 has a bug fix for the MS password complexity.

...
> The new AD 2008 MS Complexity will only be supported with the 402
> release of UserApp.


My interpretation of the published MS docs regarding MS password
complexity is that this 3/5 logic was introduced with Windows 2003 Server.

This is based on this technote
http://technet.microsoft.com/en-us/library/cc786468(v=ws.10).aspx

Why is this considered by NetIQ as an AD 2008+ change?

Also, as this bug isn't public, can someone confirm what is fixed by
this bug? Is it just the "Any Unicode character that is categorized as
an alphabetic character but is not uppercase or lowercase. This includes
Unicode characters from Asian languages." category?

I can't see how the sAMAccountName check or the delimiter parsed
displayName checks can be enforced by NMAS as it's possible to map any
attribute to displayName or CN via a customised IDM driver.
Alex McHugh - Knowledge Partner - Stavanger, Norway

Re: New NMAS support for AD password Complexity

On 6/1/2012 9:10 PM, Alex McHugh wrote:
> On 01.06.2012 14:55, Steven Williams wrote:
>> On 06/01/2012 08:45 AM, Geoffrey Carman wrote:
>>> NMAS in eDir 8.8.7 has a bug fix for the MS password complexity.

> ..
>> The new AD 2008 MS Complexity will only be supported with the 402
>> release of UserApp.

>
> My interpretation of the published MS docs regarding MS password
> complexity is that this 3/5 logic was introduced with windows 2003 server.
>
> This is based on this technote
> http://technet.microsoft.com/en-us/library/cc786468(v=ws.10).aspx
>
> Why is this considered by NetIQ as an AD 2008+ change?
>
> Also, as this bug isn't public, can someone confirm what is fixed by
> this bug? Is it just the "Any Unicode character that is categorized as
> an alphabetic character but is not uppercase or lowercase. This includes
> Unicode characters from Asian languages." category?
>
> I can't see how the sAMAccountName check or the delimiter parsed
> displayName checks can be enforced by NMAS as it's possible to map any
> attribute to displayName or CN via a customised IDM driver.


It looks like the Unicode support (3/5) and the name parts stuff.

It looks like it uses first, last, and full name, which actually covers
the vast majority of cases. While you could put anything in
displayName in AD, it most usually is built from name parts. So using
the individual name parts is probably the closest you can come.

Also, CN as sAMAccountName is usually a safe bet (maybe uid as well).
