NEW: Support for Novell Access Manager 3.1
Here’s how the Static token-based authentication method works:
a) The authentication method asks the user name and the password from the user.
b) The credentials are checked against the user store.
c) If the credentials are valid, the user is prompted to enter a specific token. The values of the tokens are stored in attributes in the user store.
d) If the token that the user entered is matching against the corresponding token in the user store, authentication is successful.
The tokens can be hand-out to the users via mail or via a card.
Figure 1 – Static token-based authentication process
1. Get the BA Authentication modules here:
2. Go to the Identity server.
3. Copy ba-idp-auth.jar to /var/opt/novell/tomcat4/webapps/nidp/WEB-INF/lib
4. Copy the JSP’s to /var/opt/novell/tomcat4/webapps/nidp/jsp
You’ll need to create a new Authentication Class.
1. For the Java class, choose other.
2. For the Java class, path type: com.novell.ba.idpauth.TokenLogin
3. For the properties, refer to the table and the examples below.
4. Create Authentication Methods and Contracts as described in http://www.novell.com/documentation/novellaccessmanager/adminguide/data/b1tvhkg.html
Figure 2 – Token Login, General tab
Figure 3 – Token Login, Properties tab
|Property Name||Default Value||Description|
|numberTokens||MUST EXIST||The number of tokens stored in the User Store.
|nameTokens||MUST EXIST||The prefix for the name of the attributes where the tokens are stored.
ex: LoginToken. This will result in 24 attributes, starting from “LoginToken1” to “LoginToken24”.
|useEncryption||n/a||If this property is present and not null, encryption is enabled. The entered value will be hashed with SHA and then converted to a base64 string. The result will be compared with the value in eDirectory.
|debug||n/a||If this property is present and not null, debug is enabled.
I won’t go into much detail on troubleshooting here. There’s only one important thing you need to know: if you enabled debug in the Properties tab, you need to use the following command in bash:
?tail -f /var/opt/novell/tomcat4/logs/catalina.out | grep BADEBUG?
If you don’t find any BADEBUG entries, check to see if the jar is present on the server and if the Authentication method has been set up correctly. If you see these entries, they will tell what is going wrong:
No token attributes are found in the user object:
BADEBUG - method doPhase1 called BADEBUG - Handled Status BADEBUG - method doPhase2 called BADEBUG - Missing or Duplicate Token
User entered wrong token:
BADEBUG - method doPhase1 called BADEBUG - Handled Status BADEBUG - method doPhase2 called BADEBUG - compare: 2222222222 AND F543TR BADEBUG - Token Failed
BADEBUG - method doPhase1 called BADEBUG - Handled Status BADEBUG - method doPhase2 called BADEBUG - compare: F543TR AND F543TR BADEBUG - Authentication Success
Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment. It just worked for at least one person, and perhaps it will be useful for you too. Be sure to test in a non-production environment.