New NMAS features available with Security Services 2.0.4

  • 3432478
  • 01-Jun-2007
  • 26-Apr-2012

Environment

Novell Security Services 2.0.4 (a.k.a. ss204)
Novell Modular Authentication Service (NMAS) version 3.1.3
Novell eDirectory 8.7.3.9 for All Platforms
Novell eDirectory 8.8.1 for All Platforms
Novell Identity Manager 3.5

Situation

After installing Security Services 2.0.4 (ss204) and MANUALLY extending the schema with the files nmas.sch, nspm.sch and nsimpm.sch, NMAS provides additional functionality by making use of the attributes listed below.
The schema files are provided with the NetWare build of ss204 in the SECURITY\NMAS\files\schema directory. They can also be obtained from the Identity Manager 3.5 media. They are not present in the Security Services build for other platforms.

Resolution

The new attributes that NMAS starts to use in version 3.1.3 are the following:

  • pwdChangedTime

    Timestamp of the last time the entry's password was changed.

  • pwdAccountLockedTime

    Timestamp of the time the account was locked by intruder detection.

  • pwdFailureTime

    Timestamps of the consecutive login failures.

  • nspmAdminsDoNotExpirePassword

    When set to TRUE, the user's password is not expired when the administrator sets the password.

    When set to FALSE or not present, the password expiration configuration defined by the password policy is enforced.

  • pwdInHistory

    Specifies the maximum number of used passwords stored in the nspmPasswordHistory attribute. If this attribute exists, the values of nspmPasswordHistoryLimit, nspmPasswordHistoryExpiration, and Password Unique Required are ignored.

  • nspmDoNotExpirePassword

    If TRUE, the user's password will not expire.

    If FALSE or not present, the password expiration configuration defined by the password policy associated with the user is enforced.


Besides the addition of these attributes, the Excluded Passwords list is now able to handle wildcards.

Another modification made to the schema by the files specified above is the following change in containment:

nspmPasswordPolicyContainer is now contained in "Country", "Domain", "Locality", "Organization", and "Organizational Unit".

nsimChallengeSet is now contained in "Country", "Domain", "Locality", "Organization", and "Organizational Unit".

nspmPasswordPolicy is now contained in "Country".

Additional Information

The addition of the pwdInHistory integer attribute to the nspmPasswordPolicy class is a change from the approach previously used by the password history implemented in Universal Password. Until this version, the only way to enforce a history limit was to restrict the list by time and by size. The list was linear, so if the history size limit was set too low it could run out of space, and the user would receive a "History full" error.
With the new feature it is possible to limit just how many passwords are stored (for example, the last 10 passwords the user used). The list now behaves as a circular list: older entries are removed as new entries are stored.
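The following added example (not NMAS code, and not from this TID) models the difference between the old linear history that fills up and the pwdInHistory-bounded circular history, and applies the nspmDoNotExpirePassword / pwdChangedTime precedence from the attribute list above. It assumes an unsalted SHA-256 fingerprint stands in for the stored history value and that the policy's maximum password age is passed in as max_age_days; neither the real nspmPasswordHistory encoding nor a named max-age attribute is reproduced.

```python
import hashlib
from datetime import datetime, timedelta


def _fingerprint(password: str) -> str:
    # Stand-in for the stored history value (assumption: unsalted SHA-256 is
    # enough to demonstrate reuse detection; real NMAS storage differs).
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


class LinearHistory:
    """Pre-3.1.3 model: a fixed-size list that refuses new entries once full,
    producing the 'History full' error the TID describes."""
    def __init__(self, limit: int):
        self.limit = limit
        self.entries = []

    def record(self, password: str) -> None:
        if len(self.entries) >= self.limit:
            raise RuntimeError("History full")
        self.entries.append(_fingerprint(password))


class CircularHistory:
    """3.1.3 model: pwdInHistory bounds the list; the oldest entry is dropped
    as a new one is stored, so the list never fills up."""
    def __init__(self, pwd_in_history: int):
        self.limit = pwd_in_history
        self.entries = []

    def record(self, password: str) -> None:
        self.entries.append(_fingerprint(password))
        if len(self.entries) > self.limit:
            del self.entries[0]          # evict the oldest entry

    def is_reuse(self, password: str) -> bool:
        return _fingerprint(password) in self.entries


def password_expired(entry: dict, max_age_days: int, now: datetime) -> bool:
    """Expiry precedence as the TID states it: nspmDoNotExpirePassword TRUE
    wins; otherwise pwdChangedTime is aged against the policy maximum
    (max_age_days is an assumed policy setting, not a named attribute)."""
    if entry.get("nspmDoNotExpirePassword") == "TRUE":
        return False
    changed = entry.get("pwdChangedTime")
    if changed is None:
        return False   # assumption: no timestamp recorded, nothing to age
    return now - changed > timedelta(days=max_age_days)
```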


In order to administer these new features it is necessary to use iManager with the Identity Manager 3.5 plug-in. Note that this plug-in is not backward compatible with previous versions such as IDM 3.0.1. If you have previous versions of IDM in your environment, consider installing the new plug-in into an instance of Mobile iManager (the workstation-based version of iManager).