Environment
Novell Modular Authentication Service (NMAS) version 3.1.3
Novell eDirectory 8.7.3.9 for All Platforms
Novell eDirectory 8.8.1 for All Platforms
Novell Identity Manager 3.5
Situation
The schema files are provided with the NetWare build of ss204 in the SECURITY\NMAS\files\schema directory. They can also be obtained from the Identity Manager 3.5 media. They are not present in the Security Services build for other platforms.
Resolution
The new attributes that NMAS will start to use in version 3.1.3 are the following:
- pwdChangedTime
Timestamp of the last time the entry's password was changed.
- pwdAccountLockedTime
Timestamp of the time the account was locked by intruder detection.
- pwdFailureTime
Timestamps of the consecutive login failures.
- nspmAdminsDoNotExpirePassword
When set to TRUE, the user's password is not expired when the administrator sets the password.
When set to FALSE, or when the attribute does not exist, the password expiration configuration as defined by the password policy is enforced.
- pwdInHistory
Specifies the maximum number of used passwords stored in the nspmPasswordHistory attribute. If this attribute exists, the values of nspmPasswordHistoryLimit, nspmPasswordHistoryExpiration, and Password Unique Required are ignored.
- nspmDoNotExpirePassword
If TRUE, the user's password will not expire.
If FALSE, or if the attribute does not exist, the password expiration configuration as defined by the password policy associated with the user will be enforced.
Besides the addition of these attributes, the Excluded Passwords
list is now able to handle wildcards.
Another modification made to the schema with the files specified
above was the following change in containment:
nspmPasswordPolicyContainer is now contained in "Country", "Domain", "Locality", "Organization", and "Organizational Unit".
nsimChallengeSet is now contained in "Country", "Domain", "Locality", "Organization", and "Organizational Unit".
nspmPasswordPolicy is now contained in "Country".
Additional Information
The addition of the pwdInHistory integer attribute to the
nspmPasswordPolicy class is a change from the approach that was
previously in use by the password history implemented in Universal
Password. Until this version the only way to implement a history
limit was to restrict this list in time and size. The list was a
linear list and if the history size limit was set too low, it would
be possible to run out of space and the user would get a "History
full" error.
With the new feature it's possible to limit just how many passwords
will be stored (for example, the last 10 passwords the user used).
The list now behaves as a circular list: the older entries are
removed as new entries are stored.
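A simplified model of the two history behaviours described above, added here as an illustration and not NMAS code. The function record_password, the (salt, digest, stored_at) entry layout, the salted-hash storage and an expiration measured in seconds are assumptions; only the attribute names come from this document.

```python
import hashlib
import hmac
import os
from collections import deque

class HistoryFull(Exception):
    """The "History full" error of the legacy size/time-limited linear list."""

class PasswordReused(Exception):
    """The new password matches an entry still held in the history."""

def _digest(password, salt):
    # Entries are modelled as salted hashes so the list never holds clear text.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

def record_password(policy, history, password, now):
    """Return the new history; entries are (salt, digest, stored_at) tuples."""
    circular = "pwdInHistory" in policy
    if circular:
        # pwdInHistory present: the legacy limit and expiration are ignored.
        kept = deque(history, maxlen=policy["pwdInHistory"])
    else:
        # Legacy list: only expiration frees slots (seconds assumed here).
        ttl = policy["nspmPasswordHistoryExpiration"]
        kept = [e for e in history if now - e[2] < ttl]
    if any(hmac.compare_digest(_digest(password, s), d) for s, d, _ in kept):
        raise PasswordReused("password is still in the history")
    if not circular and len(kept) >= policy["nspmPasswordHistoryLimit"]:
        raise HistoryFull("History full")
    salt = os.urandom(16)
    kept.append((salt, _digest(password, salt), now))  # a full deque drops the oldest
    return list(kept)

if __name__ == "__main__":
    # Constructed policies and passwords, for illustration only.
    legacy = {"nspmPasswordHistoryLimit": 3, "nspmPasswordHistoryExpiration": 100}
    new = dict(legacy, pwdInHistory=3)
    for name, policy in (("legacy", legacy), ("pwdInHistory", new)):
        history = []
        try:
            for t in range(5):
                history = record_password(policy, history, f"example-{t}", now=t)
            print(name, "stored", len(history), "entries")
        except HistoryFull as err:
            print(name, "->", err)
```

In this model a password that has been pushed out of the circular list is accepted again, so the value of pwdInHistory sets how far back reuse is blocked.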
To administer these new features, it is necessary to use
iManager with the Identity Manager 3.5 plug-in. Note that this
plug-in is not backwards compatible with previous versions of IDM
3.0.1. If you have previous versions of IDM in your environment,
consider installing the new plug-in to an instance of Mobile
iManager (the workstation-based version of iManager).