Importing hashed passwords into Universal Password

  • 7004916
  • 24-Nov-2009
  • 26-Apr-2012

Environment


Novell eDirectory 8.8.5 for All Platforms
Novell Modular Authentication Service (NMAS) version 3.3.1

Situation

Universal Password, by design, does not support importing passwords in hashed format (like SHA-1 or SSHA). In order to import hashed passwords it is necessary to set the Simple Password instead.

Previous versions of NMAS did not allow setting the Simple Password if a user has a policy assigned that enables Universal Password. With the release of NMAS 3.3.1 this restriction has been lifted and is a configurable parameter in the password policy.

Resolution

With the release of NMAS 3.3.1 a new configuration option called SPM_ALLOW_SPWD_SET (0x00000008) was added, which specifies that the Simple Password can be set even when Universal Password is enabled. For this option to work it is necessary that the option to synchronize the Simple Password with the Universal Password is enabled in the Universal Password Policy.

At the moment of writing this TID, the current Universal Password plugin (Novell iManager Password Management,
version 10.7.20090527) did not provide a control to set/unset this value. To set this flag you need to use iManager to modify the Password Policy Object directly as follows:

Directory Administration --> Modify Object --> Choose the Universal Password policy that you want to modify --> Go to the General tab --> Edit the nspmConfigurationOptions attribute and add 8 to the value that is present there --> Press Apply or OK to save your changes

Note that once this option is enabled, you can subtract 8 from the value for nspmConfigurationOptions attribute to disable this feature.

Once the policy has been defined and applied to a user, it is possible to set the Simple Password for a user that has a Universal Password policy enabled. At the moment of setting the Simple Password, the Universal Password attributes, password hint, reminder, and password changed time are deleted and in the next successful login, the provided password will be validated against the hash and  will be used to set the Universal Password.

In order for the Simple Password to be used in this login, it is necessary that the preferred login sequence for the user be set to"Simple Password". Otherwise, when the user attempts to log in, the"NDS" sequence is used and the hashed password is not used to validate the user's credentials.

Feedback service temporarily unavailable. For content questions or problems, please contact Support.