LDAP Not Enforcing Case-Sensitive Passwords

  • 3402667
  • 08-Sep-2006
  • 16-Mar-2012

Environment

eDirectory 8.7.3
Universal Password

Situation

Universal Password policies are in place requiring users to provide at least one uppercase or at least one lowercase character in their password. However, when a user authenticates via eDirectory 8.7.3 LDAP, the password's case is ignored.

Resolution

To enforce case sensitivity in LDAP, edit the Universal Password policy in iManager and go to "Configuration Options". Select the option "Remove NDS Password During Password Synchronization". This does not actually remove the key pair on the user; it notifies NMAS that the NDS method is not available. The calls that LDAP uses will then try the Simple Password method, which is case sensitive. You may also need to enable the policy option, in the same configuration options, that synchronizes the simple password on password change, to make sure this password store is populated.
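One way to confirm the change took effect, as an added example that is not part of the original TID: bind with a test account's correct password, then with case-altered variants, and report whether any variant is accepted. It assumes OpenLDAP's ldapwhoami client is installed; the LDAP_URI value, the DN and the password shown are placeholders for a throwaway test account.

```sh
# Added example: check that LDAP simple binds reject wrong-case passwords.
# Assumptions: OpenLDAP's ldapwhoami is installed; LDAP_URI below is a
# placeholder; the DN and password belong to a throwaway test account.
LDAP_URI="${LDAP_URI:-ldaps://ldap.example.com}"

# try_bind DN PASSWORD: succeeds only if the server accepts the bind.
# -w puts the password on the command line, hence the test account.
try_bind() {
    ldapwhoami -x -H "$LDAP_URI" -D "$1" -w "$2" >/dev/null 2>&1
}

# check_case_sensitivity DN PASSWORD
#   0 = every wrong-case variant was rejected (case is enforced)
#   1 = a wrong-case variant was accepted (case is ignored)
#   2 = inconclusive: the correct password failed, or it has no letters
check_case_sensitivity() {
    dn=$1 pw=$2 tested=0
    if ! try_bind "$dn" "$pw"; then
        echo "INCONCLUSIVE: correct password was rejected" >&2
        return 2
    fi
    for v in "$(printf '%s' "$pw" | tr 'a-z' 'A-Z')" \
             "$(printf '%s' "$pw" | tr 'A-Z' 'a-z')" \
             "$(printf '%s' "$pw" | tr 'a-zA-Z' 'A-Za-z')"; do
        # A variant identical to the real password proves nothing.
        if [ "$v" = "$pw" ]; then continue; fi
        tested=1
        if try_bind "$dn" "$v"; then
            echo "FAIL: bind accepted a wrong-case password" >&2
            return 1
        fi
    done
    if [ "$tested" -eq 0 ]; then
        echo "INCONCLUSIVE: password contains no letters" >&2
        return 2
    fi
    echo "OK: wrong-case variants were rejected"
    return 0
}

# Usage: check_case_sensitivity "cn=pwtest,o=lab" 'Passw0rdExample'
```

Each run makes up to three failed binds, which may count toward the test account's intruder lockout limits. Run it once before and once after the policy change to see the result move from 1 to 0.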

Additional Information

LDAP uses standard API calls to authenticate users, which in turn access underlying NMAS calls. These NMAS calls use the NDS authentication method first. The NDS method is not case-sensitive. Both LDAP and the API calls must continue to work this way for backward compatibility for older clients and apps that use the standard NDS method.
When the NDS method is removed, users who authenticate directly to eDirectory via the Novell client must use the 4.9 client running NMAS 2.7 or newer. Older clients use the old NDS method, and they will fail to log in. Also be aware that if you have multiple policies, you will have to enable the remove NDS password option for each policy.

This process is not recommended; it has not been tested with any other Novell products. This option was provided as an interim way of enforcing case-sensitive passwords with LDAP before the availability of eDirectory 8.8. With eDirectory 8.8, authentication can happen directly with the Universal Password instead of first going to NDS and then Simple. For more information on this, see TID 10099787.
Formerly known as TID# 10094214