Importing Challenge Response passwords into eDirectory is somewhat challenging and not at all well documented.

Below is a way of using a previous Cool Solution and its example code more usefully. It takes a bit of setup to get working, but once it’s going, importing the Challenge Response passwords is a trivial process.

First, you need to trust the SSL certificate of your LDAP server, since the NMAS method uses LDAP from within the IDM driver. Using iManager, export the public key (not the private key) of the “SSL Certificate IP” certificate, or whichever certificate is assigned to the LDAP server, in Base64 file format. Then, on the IDM server, use keytool to import it.

cd /opt/novell/eDirectory/lib/nds-modules/jre
bin/keytool -importcert -trustcacerts -alias idmcert -keystore lib/security/cacerts -storepass changeit -file LDAPCERT.B64

On a 64-bit system the directory is lib64 rather than lib. The only thing to change is LDAPCERT.B64, which should be the name of the Base64 file you exported.

Then you can import the attached Challenge Response Import.xml into Designer. There is also a bug in Designer that prevents loading XML in an ECMAScript, so you also need to open ChallengeResponseES.TXT in your favourite text editor and paste it over the top of the ChallengeResponse ECMAScript included in the driver.

The last step is to put NMASToolkit.jar into the /opt/novell/eDirectory/lib/dirxml/classes directory so that IDM knows where to load it from. Adjust this path for the platform you are working on.

After you have imported the SSL certificate into your keystore and put NMASToolkit.jar in place, you will need to restart eDirectory to get the change picked up.

Then you can have a CSV file with the following fields:

CN,FullName,Count (number of questions and answers),Question1,Answer1,Question2,Answer2………

It will import them into the driver, call the ECMAScript, and overwrite any existing challenge and response questions and answers the user had set.
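Because the driver overwrites whatever the user already had, it is worth validating each CSV row before it is fed in. The following is an added example, not the attached ChallengeResponseES script: it parses the CN,FullName,Count,Question1,Answer1,... layout described above, assuming Count is the number of question/answer pairs, and rejects rows where Count and the trailing fields disagree. The sample rows are constructed.

```javascript
// Added example (not the attached ChallengeResponseES script): parse the CSV
// layout CN,FullName,Count,Question1,Answer1,... and verify that Count matches
// the number of question/answer pairs before a row is handed to the driver.
// Split one CSV line into fields, honouring double-quoted fields so a question
// containing a comma (or an escaped "" quote) survives intact.
function splitCsvLine(line) {
  const fields = [];
  let cur = '';
  let inQuotes = false;
  for (let i = 0; i < line.length; i++) {
    const ch = line[i];
    if (inQuotes) {
      if (ch === '"' && line[i + 1] === '"') { cur += '"'; i++; }
      else if (ch === '"') inQuotes = false;
      else cur += ch;
    } else if (ch === '"') inQuotes = true;
    else if (ch === ',') { fields.push(cur); cur = ''; }
    else cur += ch;
  }
  fields.push(cur);
  return fields;
}
// Parse the whole file into { records, errors }. A row whose Count disagrees
// with the fields that follow is reported, not imported: the driver overwrites
// the user's existing questions, so a short row would leave an incomplete set.
function parseChallengeResponseCsv(text) {
  const records = [], errors = [];
  text.split(/\r?\n/).forEach((line, idx) => {
    if (line.trim() === '') return;                // skip blank lines
    const f = splitCsvLine(line);
    const [cn, fullName, countStr] = f, rest = f.slice(3);
    const count = Number(countStr);
    if (!cn || !Number.isInteger(count) || count < 1) {
      errors.push(`line ${idx + 1}: bad CN or Count`); return;
    }
    if (rest.length !== count * 2 || rest.some(v => v === '')) {
      errors.push(`line ${idx + 1}: ${cn}: Count=${count} but ${rest.length} fields follow`); return;
    }
    const pairs = [];
    for (let i = 0; i < rest.length; i += 2) pairs.push({ question: rest[i], answer: rest[i + 1] });
    records.push({ cn, fullName, count, pairs });
  });
  return { records, errors };
}
// Constructed sample input, not from the original post.
const SAMPLE_CSV = [
  'jdoe,John Doe,2,"What city, if any, were you born in?",Springfield,First pet?,Rex',
  'asmith,Anne Smith,2,Favourite colour?,Blue,Mother maiden name?',
].join('\n');
```

Running `parseChallengeResponseCsv(SAMPLE_CSV)` accepts the first row and reports the second, whose Count of 2 is not matched by the three fields after it.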


Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment.  It just worked for at least one person, and perhaps it will be useful for you too.  Be sure to test in a non-production environment.

Feb 3, 2011
11:46 am