kab12312 Respected Contributor.

Universal Password Question

SLES 12 sp3 eDir 9.1.1

I have inherited a Tree and UP is configured. Used for LDAP authentication from various apps.

How do I tell if the case sensitivity option is working for passwords? It is configured = True in the policy.



ndstrace snip:

11:48:22 10F41700 -1 LDAP: (172.16.254.87:50179)(0x13423:0x63) Empty attribute list implies all user attributes
11:48:22 10F41700 -1 LDAP: (172.16.254.87:50179)(0x13423:0x63) Sending search result entry "cn=34SPP,ou=PFA,ou=NA,o=INTL" to connection 0x81291500
11:48:22 10F41700 -1 LDAP: (172.16.254.87:50179)(0x13423:0x63) Sending operation result 0:"":"" to connection 0x81291500
11:48:22 248FD700 -1 LDAP: New cleartext connection 0x81d94000 from 172.16.254.87:56250, monitor = 0x2121b700, index = 144
11:48:22 302FF700 -1 LDAP: (172.16.254.87:56250)(0x0001:0x60) DoBind on connection 0x81d94000
11:48:22 302FF700 -1 LDAP: (172.16.254.87:56250)(0x0001:0x60) Bind name:cn=34SPP,ou=PFA,ou=NA,o=INTL, version:3, authentication:simple
11:48:22 302FF700 -1 NMAS: 1564475509: Destroy NMAS Session for reuse
11:48:22 302FF700 -1 NMAS: 1564475509: Create NMAS Session
11:48:22 302FF700 -1 NMAS: 1564475509: Proxy client address 172.16.254.87:56250
11:48:22 302FF700 -1 NMAS: 1564475509: Trying local password login shortcut for CN=34SPP.OU=PFA.OU=NA.O=INTL
11:48:22 302FF700 -1 NMAS: 1564475509: TCP client network address
11:48:22 302FF700 -1 NMAS: 1564475509: sasUpdateLoginTimeInterval is not set (or) invalid. Setting to global value = 0 mins
11:48:22 302FF700 -1 NMAS: 1564475509: UpdateLoginTimeInterval for object = 0 mins
11:48:22 302FF700 -1 NMAS: 1564475509: NMAS Audit with Audit PA not installed
11:48:22 302FF700 -1 NMAS: 1564475509: Local password login shortcut successful
11:48:22 302FF700 -1 NMAS: 1564475509: Client Session Destroy Request
11:48:22 302FF700 -1 NMAS: 1564475509: Destroy NMAS Session
11:48:22 302FF700 -1 NMAS: 1564475509: Aborted Session Destroyed (with MAF)
11:48:22 302FF700 -1 LDAP: (172.16.254.87:56250)(0x0001:0x60) Sending operation result 0:"":"" to connection 0x81d94000
11:48:22 1F869700 -1 LDAP: (172.16.148.178:49826)(0x47c96:0x63) DoSearch on connection 0x7fe8bc00
11:48:22 1F869700 -1 LDAP: (172.16.148.178:49826)(0x47c96:0x63) Search request:

Thank you!
Accepted Solutions
Knowledge Partner

Re: Universal Password Question

Your initial post was about eDir 9.1.1 and that has the NMAS first login set already.

Then you asked about eDir 8.8 which also should have had it set during install.

11 Replies
kab12312 Respected Contributor.

Re: Universal Password Question

Actually it is working.

I do have a question about UP on a SLES 11 sp4 eDir 8.8sp server.

UP has been configured and case sensitivity option is set to True.

Documentation says to edit this file: /etc/init.d/ndsd and add
if [ -d /opt/novell/xad/lib/nds-modules -o -d /opt/novell/xad/lib64/nds-modules ]; then
    NDSD_TRY_NMASLOGIN_FIRST=true
    export NDSD_TRY_NMASLOGIN_FIRST
fi
if [ -d /opt/novell/afptcpd ]; then
    NDSD_TRY_NMASLOGIN_FIRST=true
    export NDSD_TRY_NMASLOGIN_FIRST
fi

I have done this.

There is also the pre_ndsd_start file in /opt/novell/eDirectory/sbin which does not have the entry.

The command: strings /proc/$(pgrep ndsd)/environ | grep NMASLOGIN returns nothing.

What am I missing?

Thank you!!
Knowledge Partner

Re: Universal Password Question

I'd guess you neither have /opt/novell/xad/lib/nds-modules nor /opt/novell/xad/lib64/nds-modules on the system and consequently do not get the variable set. The statement should go to pre_ndsd_start anyway.
kab12312 Respected Contributor.

Re: Universal Password Question

mathiasbraun;2500928 wrote:
Basically like this
https://www.netiq.com/documentation/edir88/pwm_administration88/data/brvwgsv.html


Does this look correct:
source /opt/novell/eDirectory/bin/ndspath > /dev/null
vardir=`ndsconfig get | grep "n4u.server.vardir" | cut -f2 -d=`
if test -s $vardir/eDirlastver.txt
then
    lasteDirVer=`cat $vardir/eDirlastver.txt | awk -F"N*.*v" '{ print $2}' | cut -c 1-3`
    lasteDirPrintVer=`cat $vardir/eDirlastver.txt `
    eDirVer=`/opt/novell/eDirectory/sbin/ndsd --version | awk -F"N*.*v" '{ print $2}' | cut -c 1-3`
    eDirPrintVer=`/opt/novell/eDirectory/sbin/ndsd --version `
    if [ $eDirVer -lt $lasteDirVer ]
    then
        logger "eDirectory is stopped. It is downgraded from $lasteDirPrintVer to $eDirPrintVer. To complete the upgrade, refer to Upgrading eDirectory after an OES Upgrade section of the OES Installation Guide."
        echo "`date '+%b %d %T'` eDirectory is stopped. It is downgraded from $lasteDirPrintVer to $eDirPrintVer. To complete the upgrade, refer to Upgrading eDirectory after an OES Upgrade section of the OES Installation Guide." >> $vardir/../log/ndsd.log
        exit 1
    elif [ $eDirVer -eq $lasteDirVer ]
    then
        lasteDirMinVer=`cat $vardir/eDirlastver.txt | awk -F"N*.*v" '{ print $2}' | cut -c 5`
        eDirMinVer=`/opt/novell/eDirectory/sbin/ndsd --version | awk -F"N*.*v" '{ print $2}' | cut -c 5`
        if [ $eDirMinVer -lt $lasteDirMinVer ]
        then
            logger "eDirectory is downgraded from $lasteDirPrintVer to $eDirPrintVer. It is recommended to update the server with the available OES patches."
            echo "`date '+%b %d %T'` eDirectory is downgraded from $lasteDirPrintVer to $eDirPrintVer. It is recommended to update the server with the available OES patches." >> $vardir/../log/ndsd.log
        fi
    fi
fi
# Appended lines: have ndsd try the NMAS login first
NDSD_TRY_NMASLOGIN_FIRST=true
export NDSD_TRY_NMASLOGIN_FIRST
Knowledge Partner

Re: Universal Password Question

Absolutely. You'll have to bounce ndsd to make this effective. Afterwards
strings /proc/$(pgrep ndsd)/environ | grep NMASLOGIN
should return
NDSD_TRY_NMASLOGIN_FIRST=true
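
A stricter form of the check in the reply above, as an added example that is not part of the original post or of any vendor script: it matches the variable name exactly, reports the value, and inspects every ndsd PID, because /proc/$(pgrep ndsd)/environ fails when pgrep returns more than one PID. The function names env_value and check_ndsd are made up for this example.

```shell
#!/bin/sh
# Added example (hypothetical helper names): verify that the running ndsd
# actually inherited NDSD_TRY_NMASLOGIN_FIRST from pre_ndsd_start.

# env_value FILE NAME
# Print NAME's value from a NUL-separated environ file.
# Returns 0 if set, 1 if not set, 2 if the file cannot be read.
env_value() {
    [ -r "$1" ] || return 2
    tr '\0' '\n' < "$1" | awk -v name="$2" '
        # Exact match on "NAME=" at the start of the entry, so a variable
        # such as OLD_NDSD_TRY_NMASLOGIN_FIRST is not mistaken for it.
        index($0, name "=") == 1 { print substr($0, length(name) + 2); found = 1; exit }
        END { exit (found ? 0 : 1) }'
}

# check_ndsd
# Check every ndsd process; returns 0 only if all of them have the
# variable set to "true". Needs root to read another user's environ.
check_ndsd() {
    pids=$(pgrep -x ndsd) || { echo "ndsd is not running"; return 3; }
    rc=0
    for pid in $pids; do
        if val=$(env_value "/proc/$pid/environ" NDSD_TRY_NMASLOGIN_FIRST); then
            echo "pid $pid: NDSD_TRY_NMASLOGIN_FIRST=$val"
            [ "$val" = "true" ] || rc=1
        else
            echo "pid $pid: variable not set or environ unreadable"
            rc=1
        fi
    done
    return $rc
}

# Run the live check only when asked to: sh this_file.sh --run
if [ "${1:-}" = "--run" ]; then
    check_ndsd
fi
```

The environment in /proc is fixed at process start, so a "not set" result after editing pre_ndsd_start means ndsd has not been restarted since the edit.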
kab12312 Respected Contributor.

Re: Universal Password Question

Thank you! Approved to configure at lunch time. I'll post back. Thank you!!
kab12312 Respected Contributor.

Re: Universal Password Question

It is working. However, the developers' password reset app is not honoring the password history list. A password change is working. I am compelled to believe it is in their app. They are using ldapchai.

Also, this is driving me crazy from the ndstrace logs. Can you tell me what it means? In particular the MAF entry.

NMAS Audit with Audit PA not installed
NMAS Audit with XDAS not installed
Local password verify shortcut successful
Client Session Destroy Request
Destroy NMAS Session
Aborted Session Destroyed (with MAF)

Thank you!!

Knowledge Partner

Re: Universal Password Question

The NMAS trace is very verbose. In every session you will see similar messages.

There are three different audit modules, PA (Platform Agent), XDAS and CEF (current one). So you have 1 of 3 loaded. Non-error message.

Not sure what the MAF entry refers to, other than it is normal.

JoeSullivan Frequent Contributor.

Re: Universal Password Question

My input and experience on this is, the policy for history is only enforced if the USER changes the password, not an administrator. The reasoning behind this is, you as an admin should not be clued into the end user's password history. 

I would imagine this policy comes into effect whenever the supervisor rights are granted.

Joe

 
