gathagan

Vice Admiral
2015-02-11
22:58
How does one create a user with a null password in iManager?
I'm setting up LDAP authentication and need to create a user with a null password.
If you do not put a password in the password field when creating the user in iManager, a message pops up stating, "No password has been defined for this user."
You are given a choice of:
Allow user to log in without a password
- or -
Do not allow user to log in without a password
If you choose Do not allow user to log in without a password, there are no complaints.
When I look at the properties of the newly-created user, however, I note that the "Require a password" checkbox is not filled in.
That would imply that the answer to the question posed during the user's creation is moot; either answer produces a user that can log in without a password.
I can then assign the Common Proxy password policy to the user, which does not dictate a minimum length for a password.
From that point forward, any attempt to leave the password field blank in iManager results in another pop-up message stating:
"Failure to enter a password will allow the user to login without a password."
That implies that no password exists for the user, as opposed to a null password.
Is that correct or are the public and private key for the user object still generated?
3 Replies


Knowledge Partner
2015-02-12
12:12
If you do not specify a password, which is what happens when you select
the 'Do not allow user to log in without a password' option initially, the
user cannot login. A user with no password (meaning no password exists at
all, similar to a 'null' in programming) cannot login with a password
because, of course, they do not have a password.
If you specify a zero-length string as the password you are effectively
(and usually) creating a proxy user, for example to be used for the LDAP
service in eDirectory, and this user can login typing in a password (since
typing would imply one or more characters) but nevertheless there IS a
password, but it happens that it is zero-length, so typing nothing for the
password IS submitting the correct password. This is the option carried
out by eDirectory when you choose, 'Allow user to log in without a
password' (the prompt is a little misleading with its "without a password"
phrase).
Once you assign a UP policy you are telling the system that there SHOULD
be a password on the user (and with common proxy there definitely should
be, probably a strong one at that) so the only option now is whether or
not the password is zero-length or longer. Obviously longer is the
correct option for security reasons.
--
Good luck.
If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below...
gathagan

Vice Admiral
2015-02-12
22:12
Thank you for the response, ab.
You're correct, the prompt is misleading.
The reason I specifically assigned the proxy user to the Common Proxy password policy:
I have a password policy for my organization that requires at least 6 characters in a password.
That policy is applied at the partition (o=<whatever>) level. As such, a null password violates my standard policy.
Since the Common Proxy policy does not specify a minimum password length, a null password meets the criteria of that policy and the system does not complain.
Anonymous_User

Absent Member.
2015-02-13
15:30
On Wed, 11 Feb 2015 23:06:02 +0000, gathagan wrote:
> I'm setting up LDAP authentication and need to create a user with a null
> password.
This gets tricky, if you have a tree-wide Universal Password policy in
place. First you create the user, with a password (which won't work for
the LDAP Proxy user), then you create a new UP policy where passwords are
disabled entirely, and assign it to the user, then you can remove the
password from the user you just created.
--
--------------------------------------------------------------------------
David Gersic dgersic_@_niu.edu
Knowledge Partner http://forums.netiq.com
Please post questions in the forums. No support provided via email.
If you find this post helpful, please click on the star below.