How to control updates of login attributes for eDirectory NMAS logins

  • 7006492
  • 23-Jul-2010
  • 26-Apr-2012

Environment

Novell Modular Authentication Service (NMAS) 3.2.0.0

Situation

With NMAS 3.2 and later, it is possible to control the update of Login Related attributes on a per server basis using the LoginInfo configuration setting in the nmas.config file or directly on the NetWare console.

This TID describes how Login Attribute updates can instead be controlled on a per user basis. This is desirable where updating Login Attributes is wanted for normal users accessing eDirectory (for instance, for intruder detection), but a set of users such as LDAP application administrative accounts log in repeatedly, a large number of times, and each login generates replication traffic with no benefit from updating the Login Attributes of those users.

It is also useful where graded control over the attribute updates is wanted for distinct groups of users. For instance, intruder detection related attributes need to be updated for all users, but for a smaller subset of users all login attributes need to be updated.

The setting also allows a simple delineation of update control. For instance, updates can be disabled for all users in one container, or for all users associated with a particular password policy.


Resolution

For details on controlling updates of Login Attributes on a per server basis using the LoginInfo configuration setting, refer to the following link in the NMAS Administration Guide.
https://www.novell.com/documentation/nmas33/admin/?page=/documentation/nmas33/admin/data/ahefojr.html

For controlling these updates on a per user basis, a schema update is required to add the attribute "sasUpdateLoginInfo". This update is available from the nmas.sch schema file provided with the latest NMAS packages.

sasUpdateLoginInfo attribute can have the following values:

0 or off: Do not update any login attributes.
1: Only update attributes that are required by intruder detection.
2: Update all login attributes except unused user password policy attributes.
3 or on: Update all login attributes.

iManager or LDIF files can be used to populate this attribute on the desired user objects as per requirements.

It is very important to note that these settings only take effect for logins that flow through NMAS. In practice this means the environment variable NDSD_TRY_NMASLOGIN_FIRST must be explicitly set to true in the environment ndsd runs in; otherwise logins bypass NMAS and no change in behavior will be observed.

Note that the "sasUpdateLoginInfo" attribute is added as an optional attribute to the following object classes: ndsLoginProperties, ndsContainerLoginProperties and SAS:Login Policy.
This allows the attribute to be configured on a user, on a container, on a partition root and on the login policy itself. The order of precedence is: User, Parent Container, Partition Root, then Login Policy. This gives greater flexibility in controlling these updates in larger distributed environments according to administrative needs.
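The following script is an added illustration for this TID and is not NMAS or eDirectory code. It models the precedence just described (user, then container, then partition root, then login policy) over a constructed sample tree, and it builds the LDIF change record mentioned earlier for setting sasUpdateLoginInfo on an object. The DNs, the location of the login policy object, and the rule that every ancestor container below the partition root is consulted (the TID only says "Parent Container") are assumptions made for the example.

```python
"""Added illustration for this TID, not NMAS or eDirectory code.

Resolves which sasUpdateLoginInfo value applies to a user following the order
user -> container(s) -> partition root -> SAS:Login Policy, and emits the LDIF
that sets the attribute. The directory is a dict keyed by DN holding
constructed sample data; DNs, the policy DN and the ancestor-container rule
are assumptions.
"""

# Values the attribute accepts per the TID; "off" and "on" are aliases for 0 and 3.
LEVELS = {"0": 0, "off": 0, "1": 1, "2": 2, "3": 3, "on": 3}
MEANING = {
    0: "no login attributes are updated",
    1: "only attributes required by intruder detection are updated",
    2: "all login attributes except unused password policy attributes",
    3: "all login attributes are updated",
}


def normalize(value):
    """Map a stored attribute value to its numeric level, rejecting anything else."""
    key = str(value).strip().lower()
    if key not in LEVELS:
        raise ValueError(f"invalid sasUpdateLoginInfo value: {value!r}")
    return LEVELS[key]


def parent_dn(dn):
    """Parent of a simple LDAP-style DN (escaped commas not handled); None at the top."""
    _, sep, rest = dn.partition(",")
    return rest if sep else None


def _setting(entries, dn):
    return entries.get(dn, {}).get("sasUpdateLoginInfo")


def effective_level(user_dn, entries, partition_roots, policy_dn):
    """Return (level, dn_that_set_it). (None, None) means nothing sets the
    attribute along the chain, so the server-wide LoginInfo setting governs."""
    # 1. The user object itself.
    val = _setting(entries, user_dn)
    if val is not None:
        return normalize(val), user_dn
    # 2. Containers above the user, nearest first, stopping at the partition root.
    dn = parent_dn(user_dn)
    while dn is not None and dn not in partition_roots:
        val = _setting(entries, dn)
        if val is not None:
            return normalize(val), dn
        dn = parent_dn(dn)
    # 3. The partition root.
    if dn is not None:
        val = _setting(entries, dn)
        if val is not None:
            return normalize(val), dn
    # 4. The login policy object.
    val = _setting(entries, policy_dn)
    if val is not None:
        return normalize(val), policy_dn
    return None, None


def ldif_modify(dn, value):
    """LDIF change record that sets sasUpdateLoginInfo on one object.
    'replace' rather than 'add' so re-applying the file is harmless."""
    normalize(value)  # catch a typo before it reaches the directory
    return (f"dn: {dn}\nchangetype: modify\n"
            f"replace: sasUpdateLoginInfo\nsasUpdateLoginInfo: {value}\n-\n")


# Constructed sample tree (assumed DNs; not taken from a real directory).
SAMPLE_ENTRIES = {
    "cn=Login Policy,cn=Security": {"sasUpdateLoginInfo": "1"},  # baseline: intruder detection only
    "o=acme": {},                                                # partition root, nothing set
    "ou=apps,o=acme": {"sasUpdateLoginInfo": "off"},            # LDAP service accounts: no updates
    "cn=ldapproxy,ou=apps,o=acme": {},
    "cn=alice,ou=staff,o=acme": {},
    "cn=bob,ou=staff,o=acme": {"sasUpdateLoginInfo": "on"},     # one user gets full updates
}
SAMPLE_PARTITION_ROOTS = {"o=acme"}
POLICY_DN = "cn=Login Policy,cn=Security"


def report(entries=SAMPLE_ENTRIES, roots=SAMPLE_PARTITION_ROOTS, policy_dn=POLICY_DN):
    """One line per user object saying which level applies and where it came from."""
    lines = []
    for dn in entries:
        if not dn.startswith("cn=") or dn == policy_dn:
            continue
        level, source = effective_level(dn, entries, roots, policy_dn)
        what = MEANING[level] if level is not None else "server LoginInfo setting applies"
        lines.append(f"{dn}: level {level} ({what}) from {source}")
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
    print(ldif_modify("cn=ldapproxy,ou=apps,o=acme", "0"))
```

In the sample tree the service account inherits 0 from its container, alice falls through to the login policy's 1, and bob's own "on" overrides everything; the generated LDIF can be fed to ldapmodify against the server, remembering that the change is only visible once logins actually pass through NMAS.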

Also note that control of login attribute updates for traditional NDS logins remains on a per server basis, configured in iMonitor under Agent Configuration -> Login Settings.

Additional Information

The official NMAS documentation will soon be updated to provide similar details on this attribute and its uses.