How to control updates of login attributes for eDirectory NMAS logins

  • 7006492
  • 23-Jul-2010
  • 26-Apr-2012


Novell Modular Authentication Service (NMAS)


With NMAS 3.2 and later, it is possible to control the update of  Login Related attributes on a per server basis using the LoginInfo configuration setting in the nmas.config file or directly on the Netware console.

This TID gives more information on how the Login Attribute updates can be controlled on a per user basis. This is desirable in situations where update of  Login Attributes is desired (for instance, for intruder detection) for normal users accessing eDirectory. However, a set of users like LDAP application administrative users repeatedly login a large number of times and generate unnecessary replication traffic and no additional benefit is seen from updating Login attributes for these users.

This could also be beneficial in cases where a graded control over the attribute update is desired for distinct groups of users. For instance, intruder detection related attributes need to be updated for all users, but for a smaller subset of users all login attributes need to be modified.

This setting also finds application in simple delineation of update control. For instance, updates need to be disabled for all users in one container or for all users associated to a particular password policy


For details on controlling updates of Login Attributes on a per server basis using the LoginInfo configuration setting, refer the following link in the NMAS Administration Guide.

For controlling these updates on a per user basis, a schema update is required to add the attribute "sasUpdateLoginInfo". This update is available from the nmas.sch schema file provided with the latest NMAS packages.

sasUpdateLoginInfo attribute can have the following values:

0 or off: Do not update any login attributes.
1: Only update attributes that are required by intruder detection.
2: Update all login attributes except unused user password policy attributes.
3 or on: Update all login attributes.

iManager or LDIF files can be used to populate this attribute on the desired user objects as per requirements.

It is very important to note that the various settings will take into effect only if the logins flow via NMAS. This simply means that the environment variable NDSD_TRY_NMASLOGIN_FIRST needs to be explicitly set to true to verify the behavior changes.

Note that the "sasUpdateLoginInfo" attribute is added as an optional to the following object classes - ndsLoginProperties, ndsContainerLoginProperties and SAS: Login Policy.
This allows the attribute to be configured on a user, on a container, on a partition root and on the login policy itself.  The order of precedence for association is the following: User, Parent Container, Partition Root and Login Policy. This, in turn, allows greater flexibility in controlling these updates in bigger distributed environments based on administrative needs.

Also note that control of login updates for traditional NDS logins still remains on a per server basis using iMonitor -> Agent Configuration --> Login Settings.

Additional Information

The official NMAS documentation will soon be updated to provide similar details on this attribute and its uses.