Environment
eDirectory 8.7.3
Universal Password
Situation
Universal Password policies are in place requiring users to provide
at least one uppercase or at least one lowercase character in their
password. However, when a user authenticates via eDirectory 8.7.3
LDAP, the case of the password is ignored.
Resolution
To enforce case sensitivity in LDAP, in iManager, edit the
Universal Password policy and go to "Configuration Options". Select
the option "Remove NDS Password During Password Synchronization".
This doesn't actually remove the key pair on the user, but notifies
NMAS that the NDS method is not available. The calls that LDAP uses
will then try the Simple Password method, which is case sensitive.
You may also need to activate the policy option in the configuration
options that synchronizes the simple password on password change, to
make sure this password store is populated.
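One way to confirm the change took effect is to bind over LDAP with the correct password and then with its case-swapped form. The script below is an added example, not part of the original TID. It assumes the OpenLDAP `ldapwhoami` client is installed; the URI, the `TEST_DN`/`TEST_PW` variables and the function names are hypothetical placeholders for a dedicated test account.

```shell
#!/bin/sh
# Added example: check that LDAP simple binds are case sensitive.
# Use a dedicated test account: each run makes one deliberately wrong
# bind, which may count toward intruder detection if it is enabled.

LDAP_URI="${LDAP_URI:-ldaps://edir.example.com}"   # placeholder host

# Swap the case of every ASCII letter, e.g. "Secret1" -> "sECRET1".
swap_case() {
    printf '%s' "$1" | tr 'a-zA-Z' 'A-Za-z'
}

# Simple bind as DN $1 with password $2; returns 0 if the server accepts it.
# The password goes through a mode-600 temp file (-y), not the command line.
ldap_bind() {
    pwfile=$(mktemp) || return 2
    printf '%s' "$2" > "$pwfile"
    ldapwhoami -x -H "$LDAP_URI" -D "$1" -y "$pwfile" >/dev/null 2>&1
    rc=$?
    rm -f "$pwfile"
    return "$rc"
}

# $1 = bind function, $2 = DN, $3 = correct password.
# Returns 0 = case enforced, 1 = case ignored, 2 = test could not be run.
check_case_enforced() {
    bind_fn=$1; dn=$2; pw=$3
    alt=$(swap_case "$pw")
    [ "$alt" != "$pw" ] || { echo "password has no letters to swap" >&2; return 2; }
    "$bind_fn" "$dn" "$pw" || { echo "baseline bind failed for $dn" >&2; return 2; }
    if "$bind_fn" "$dn" "$alt"; then
        echo "NOT ENFORCED: case-swapped password accepted for $dn"
        return 1
    fi
    echo "ENFORCED: case-swapped password rejected for $dn"
    return 0
}

# Runs only when a test account is supplied in the environment.
if [ -n "${TEST_DN:-}" ] && [ -n "${TEST_PW:-}" ]; then
    check_case_enforced ldap_bind "$TEST_DN" "$TEST_PW"
fi
```

Run it against every user population covered by a separate password policy, since the option has to be enabled per policy.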
Additional Information
LDAP uses standard API calls to authenticate users, which in turn
access underlying NMAS calls. These NMAS calls use the NDS
authentication method first. The NDS method is not case-sensitive.
Both LDAP and the API calls must continue to work this way for
backward compatibility for older clients and apps that use the
standard NDS method.
When the NDS method is removed, users who authenticate directly to eDirectory via the Novell client must use the 4.9 client running NMAS 2.7 or newer. Older clients use the old NDS method, and they will fail to log in. Also be aware that if you have multiple policies, you will have to enable the remove NDS password option for each policy.
This process is not recommended; it has not been tested with any
other Novell products. This option was provided as an interim means
of enforcing case-sensitive passwords with LDAP before the
availability of eDirectory 8.8. With eDirectory 8.8, authentication
can happen directly with the Universal Password instead of first
going to NDS and then Simple. For more information on this, see
TID 10099787.
Formerly known as TID# 10094214