mselan

password + user certificate authentication


Hi,

The customer has purchased NOWS and is now looking for enhanced security
for their administrators.

1. Is it possible with out-of-the-box eDirectory+NMAS to set up
password + user certificate authentication (not smart card, .pfx
certificate from a public CA)?
2. If so, is it possible to define "graded auth", so that if the
administrator authenticates with password only he has fewer rights than if
he uses the certificate as well?

Thanks,
Mare


--
mselan

Anonymous_User

Re: password + user certificate authentication

Hello,

I think graded authentication was only available on NetWare.

I know you can do certificate authentication over LDAP against
eDirectory without a smart card; I've done it with the OpenLDAP client
tools, and there is also a Cool Solution article about it.

I've also done it using a Java application that used the UnboundID LDAP
SDK; the important thing is that your client application supports the
EXTERNAL SASL method and that you can specify the client certificate
information.

I don't know how it works, or if it works at all, with NCP-based tools such as
iManager/iMonitor/ConsoleOne.

If you want a backwards-compatible two-factor authentication you can
enable the NMAS HOTP method, which is pretty straightforward (see the docs).

Your administrators will then log in using their password + one-time
password; the OTP can come from, for example, the free smartphone apps
Google Authenticator or FreeOTP.

Note that you can't use intruder detection with iManager and the HOTP
method. That's because iManager tries to perform an LDAP login in the
background after the primary NCP login; it tries to do that using your
now-expired OTP and will then lock the account.

Regarding client certificates, you can also set up Tomcat for iManager to
require client certificates, so that a user has to have a valid
certificate to access the iManager application (this doesn't help, since a
user can download iManager Workstation, unless the eDirectory NCP port is
firewalled so it can't be accessed from the client LAN).

-alekz


On 2015-09-07 11:54, mselan wrote:
>
> Hi,
>
> The customer has purchased NOWS and is now looking for enhanced security
> for their administrators.
>
> 1. Is it possible with out-of-the-box eDirectory+NMAS to set up
> password + user certificate authentication (not smart card, .pfx
> certificate from a public CA)?
> 2. If so, is it possible to define "graded auth", so that if the
> administrator authenticates with password only he has fewer rights than if
> he uses the certificate as well?
>
> Thanks,
> Mare
>
>

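The HOTP behaviour alekz describes above (the OTP is consumed by the first login, so a background replay of the same value fails and counts as a failed attempt) can be modelled with the RFC 4226 algorithm. This is an added example written for this thread, not NMAS or eDirectory code; the secret, window size and lockout threshold are constructed values and the verifier is a simplified stand-in for the NMAS method.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class HotpVerifier:
    """Server-side verifier with a look-ahead window (constructed stand-in for the NMAS method).

    A counter value that has verified once is consumed: the stored counter moves past it,
    so presenting the same OTP again fails, exactly like iManager's background LDAP login.
    """

    def __init__(self, secret: bytes, window: int = 5, lockout_threshold: int = 3):
        self.secret = secret
        self.counter = 0            # next counter value the server will accept
        self.window = window        # how far ahead the token may have drifted
        self.failures = 0           # consecutive failures, as an intruder-detection counter would track
        self.lockout_threshold = lockout_threshold

    def verify(self, otp: str) -> bool:
        if self.failures >= self.lockout_threshold:
            return False            # account locked by intruder detection
        for c in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(hotp(self.secret, c), otp):
                self.counter = c + 1    # resync to the token and consume this value
                self.failures = 0
                return True
        self.failures += 1
        return False


def simulate_imanager_login(secret: bytes) -> tuple[bool, bool, int]:
    """Primary NCP login with a fresh OTP, then the background LDAP login replaying it."""
    verifier = HotpVerifier(secret)
    otp = hotp(secret, 0)                 # value shown by the authenticator app
    primary_ok = verifier.verify(otp)     # NCP login: accepted, counter advances to 1
    background_ok = verifier.verify(otp)  # LDAP login replays the same OTP: rejected
    return primary_ok, background_ok, verifier.failures
```

Each rejected replay raises the failure count, which is why an intruder-detection lockout threshold of a few attempts locks the account after a handful of iManager logins.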