Introduction: NMAS, IDM 3.5, and “3 of 4”
Recently, a new version of NMAS was released along with Novell Identity Manager (IDM) 3.5. This release included fixes from previous versions, as well as a couple of new features in response to customer requests. Besides being able to put password policies anywhere in the tree, you can create a less-secure password policy that matches a default Microsoft password policy. The rules implemented by Microsoft are referred to as “three of four,” meaning three of the four requirements for a password must be met for the password to be valid. This is in contrast to a password policy from Novell which, if four requirements were in place, would need all four to be met for the password to be valid. Having this functionality will allow passwords to flow to and from Active Directory (AD) more easily in a default setup. As a note, the latest IDM or Universal Password plugins must be used in iManager 2.6 to create this type of policy.
While this alone is certainly an interesting addition to NMAS functionality, there is also the potential to move beyond a static three-of-four policy as well. Currently, this is not technically supported and the normal iManager interface does not, at least as of now, provide a way to do this. A new attribute on a password policy called ‘nspmComplexityRules’ (when accessed via LDAP) is actually filled with XML implementing the new rules. Exporting a three-of-four policy looks like the following via LDAP:
<ldif> # 3of4, Password Policies, Security dn: cn=3of4,cn=Password Policies,cn=Security nspmAdminsDoNotExpirePassword: FALSE nspmComplexityRules:: PENvbXBsZXhpdHlQb2xpY2llcz48UG9saWN5PjxSdWxlU2V0PjxSdWxl IE1pblB3ZExlbj0iNiIgLz48UnVsZSBNYXhQd2RMZW49IjEyOCIgLz48L1J1bGVTZXQ+PFJ1bGVTZ XQgVmlvbGF0aW9uc0FsbG93ZWQ9IjEiPjxSdWxlIE1pblVwcGVyY2FzZT0iMSIgLz48UnVsZSBNaW 5Mb3dlcmNhc2U9IjEiIC8+PFJ1bGUgTWluTnVtZXJpYz0iMSIgLz48UnVsZSBNaW5TcGVjaWFsPSI xIiAvPjwvUnVsZVNldD48L1BvbGljeT48L0NvbXBsZXhpdHlQb2xpY2llcz4= nsimPwdRuleEnforcement: FALSE nsimForgottenAction:: PEZvcmdvdHRlblBhc3N3b3JkPjxFbmFibGVkPmZhbHNlPC9FbmFibGVk PjxTZXF1ZW5jZT48QXV0aGVudGljYXRpb24+PCFbQ0RBVEFbXV0+PC9BdXRoZW50aWNhdGlvbj48Q WN0aW9uPjwvQWN0aW9uPjwvU2VxdWVuY2U+PC9Gb3Jnb3R0ZW5QYXNzd29yZD4= nsimForgottenLoginConfig: TRUE nspmExtendedCharactersAllowed: TRUE nspmDisallowedAttributeValues: cn nspmDisallowedAttributeValues: displayName nspmDisallowedAttributeValues: Full Name nspmDisallowedAttributeValues: Given Name nspmDisallowedAttributeValues: Surname nspmConfigurationOptions: 852 passwordUniqueRequired: FALSE passwordAllowChange: TRUE objectClass: nspmPasswordPolicy objectClass: Top description: Default microsoft password policy decreasing security. cn: 3of4 </ldif>
Notice the long value in nspmComplexityRules. If you take that value, join all the lines together, and then decode it with a Base64 decoder, you get the following:
<RuleSet> <Rule MinPwdLen="6" /> <Rule MaxPwdLen="128" /> </RuleSet> <RuleSet ViolationsAllowed="1"> <Rule MinUppercase="1" /> <Rule MinLowercase="1" /> <Rule MinNumeric="1" /> <Rule MinSpecial="1" /> </RuleSet> </Policy>
Modifying the Rules
These rules can also be modified directly via the normal eDirectory tools, avoiding the need to export, convert, change, convert, and then import again.
1. Browse to the policy.
2. Open the policy’s properties.
3. Go to the Other tab and modify the attribute there.
4. Click Apply to apply the changes.
1. Go to the Directory Administration and choose Modify Object. Modifying the object from the normal Passwords role will not work because the ‘Other’ sub-tab is not available.
2. Browse to the Password Policy and choose it to be modified.
3. Go to the General tab and then to the Other sub-tab.
4. Choose the attribute and click ‘Edit’ to make changes.
5. Click Apply to see the confirmation that changes were saved.
At this point it is fairly simple to see what is taking place. Rules are embedded in this XML stating that a password must be from 6 to 128 characters, inclusive, and that they must include at least one upper case, lower-case, numeric, and special character. Also, there is one “Violation” allowed, which makes the three-of-four part work.
This opens up a few possibilities for more customization that would not otherwise be there. For instance, if you wanted to have a two-of-four rule, or a one-of-four, that could be done. Also, it is possible to increase the minimum number of characters in each category (lowercase, uppercase, numeric, and special) as well as the minimum and maximum lengths of the password. With changes made to the XML, the new rules must be imported back into the password policy.
Taking the XML with the ViolationsAllowed set to ‘2’ and Base64 encoding it results in the following string:
This can then be reimported with the following LDIF file (contents) via ICE or ldapmodify:
dn: cn=3of4,cn=Password Policies,cn=Security changetype: modify replace: nspmComplexityRules nspmComplexityRules:: PENvbXBsZXhpdHlQb2xpY2llcz48UG9saWN5PjxSdWxlU2V0PjxSdWxlIE1pblB3ZExlbj0iNiIgLz48UnVsZSBNYXhQd2RMZW49IjEyOCIgLz48L1J1bGVTZXQ+PFJ1bGVTZXQgVmlvbGF0aW9uc0FsbG93ZWQ9IjEiPjxSdWxlIE1pblVwcGVyY2FzZT0iMSIgLz48UnVsZSBNaW5Mb3dlcmNhc2U9IjEiIC8+PFJ1bGUgTWluTnVtZXJpYz0iMSIgLz48UnVsZSBNaW5TcGVjaWFsPSIxIiAvPjwvUnVsZVNldD48L1BvbGljeT48L0NvbXBsZXhpdHlQb2xpY2llcz4=
With this done, password changes should only require two of the four rules to be followed. Other customizations follow the same set of steps and allow for some interesting ways to re-increase security for this type of policy.
ldapmodify and ldapsearch, which can be used to import and export (respectively) policies, are part of most default OS distributions. Microsoft Windows is an exception to this rule, but there are versions of ldapsearch and ldapmodify available for Windows as online downloads. ldapsearch and ldapmodify also are part of ConsoleOne when the eDirectory 8.7 snapins are added (available from download.novell.com). Other LDAP browsers, such as LDAP Browser/Editor, are freely available and work on multiple platforms.
Note: iManager 2.6 and the IDM 3.5 plugins are available from download.novell.com
Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment. It just worked for at least one person, and perhaps it will be useful for you too. Be sure to test in a non-production environment.