Disabling Login Update Attribute for NDS and NMAS Logins



By: smamatha

April 6, 2009 11:11 am

Problem:

I need to disable login update for NDS and NMAS logins.

Solution:

Login update is enabled by default in eDirectory. To disable it for NDS logins, use iMonitor as described below (Step 1 and Step 2); for NMAS logins, follow Step 3.

Step 1. Log in to iMonitor at https://<IP address of eDirectory server>:<HTTPS port>/nds, provide the admin credentials, and click Login.

Figure 1: Showing iMonitor login page

Step 2. Go to Agent Configurations -> Login Settings -> uncheck “Login Update Enabled” and submit.

Figure 2: Showing the Agent configuration.

Figure 3: Showing the Login Settings.

Figure 4: Showing the check box to disable the Login Update.

Step 3: The login update attribute for NMAS logins can be turned off by executing the command “nmas LoginInfo 1”.

Below are the steps to disable the login update on each platform.

NetWare:

The command “nmas LoginInfo 1” should be added near the end of autoexec.ncf. Unload and load ds after adding this command to autoexec.ncf. The command can also be executed at the NetWare console.

Windows:

When NMAS is started, it processes the commands in the file nmas.cfg. The nmas.cfg file must contain the command “nmas LoginInfo 1” and must be in the same directory as the dib files, which is usually c:/novell/nds/dibfiles. The command can also be executed from the Novell® eDirectory™ Services console by selecting nmas.dlm, typing the command in the Startup Parameters field, then clicking Configure. Restart eDirectory after adding the command to the nmas.cfg file.

Linux/Solaris/AIX/HPUX:
Create a file nmas.config and add the command “nmas LoginInfo 1”.

When NMAS is started, it processes the commands in the file nmas.config. The nmas.config file must be in the directory that contains the dib directory. For example, if the dib directory path is “/var/opt/novell/eDirectory/data/dib”, then the nmas.config file path would be “/var/opt/novell/eDirectory/data/nmas.config”. Restart ndsd after adding this command to nmas.config. File permissions on this file should be set to at least 644. NMAS uses the same uid as ndsd, so the owner should be root unless it is a non-root install, in which case the owner should be the user/uid that runs ndsd.

Note: Setting the NMAS LoginInfo to 0 does not update any login attributes, and 1 updates only the attributes required by intruder detection. It is recommended to use “nmas LoginInfo 1”.
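
The following is an added example, not part of the original article and not NetIQ code: a small POSIX shell check for the Linux/Solaris/AIX/HPUX step that verifies nmas.config sits beside the dib directory, carries a LoginInfo value of 1, is readable at 644 or better, and is owned by the ndsd user. The function name is hypothetical; it accepts both the “nmas LoginInfo 1” form given here and the bare “LoginInfo 1” form that a reader's comment below attributes to TID 3479868, and the group/other write check is an assumption that goes beyond the article.

```sh
#!/bin/sh
# Added example, not NetIQ code. Audits nmas.config for one eDirectory instance.
# Usage: check_nmas_config DIB_DIR NDSD_OWNER   (owner = user name or numeric uid)
#   e.g. check_nmas_config /var/opt/novell/eDirectory/data/dib root
# Returns 0 when every check passes, 1 otherwise.
check_nmas_config() {
    dib_dir=${1%/}
    want=$2
    # The article places nmas.config beside the dib directory, not inside it.
    cfg="$(dirname "$dib_dir")/nmas.config"
    rc=0
    if [ ! -f "$cfg" ]; then
        echo "FAIL: $cfg not found"
        return 1
    fi
    # Accept "nmas LoginInfo N" (article) and "LoginInfo N" (reader comment).
    value=$(grep -E '^[[:space:]]*(nmas[[:space:]]+)?LoginInfo[[:space:]]+[0-9]+[[:space:]]*$' "$cfg" |
        tail -n 1 | awk '{print $NF}')
    case $value in
        1) echo "OK: LoginInfo 1" ;;
        '') echo "FAIL: no LoginInfo line in $cfg"; rc=1 ;;
        *) echo "FAIL: LoginInfo is $value, article recommends 1"; rc=1 ;;
    esac
    # ls -ln prints the mode string and the numeric owner uid.
    perms=$(ls -ln "$cfg" | awk '{print $1}')
    file_uid=$(ls -ln "$cfg" | awk '{print $3}')
    case $perms in
        -r??r??r??*) echo "OK: readable by owner, group and other (at least 644)" ;;
        *) echo "FAIL: mode $perms is below 644"; rc=1 ;;
    esac
    # Assumption beyond the article: group/other write on a startup file is flagged.
    case $perms in
        ?????w*|????????w*) echo "FAIL: $cfg is group- or world-writable"; rc=1 ;;
    esac
    # Resolve a user name to a uid; a numeric argument is used as given.
    case $want in
        *[!0-9]*) want_uid=$(id -u "$want" 2>/dev/null) || want_uid=unknown ;;
        *) want_uid=$want ;;
    esac
    if [ "$file_uid" = "$want_uid" ]; then
        echo "OK: owned by uid $file_uid"
    else
        echo "FAIL: owner uid $file_uid, expected $want_uid"; rc=1
    fi
    return $rc
}
```

Run it after restarting ndsd, passing the instance's dib directory and the account that runs ndsd.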

Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment.  It just worked for at least one person, and perhaps it will be useful for you too.  Be sure to test in a non-production environment.

3 Comments

  1. By:geoffc

    Interesting article but several key points would help clarify it much more.

    1) What is Login Update? I have a guess, but it would be easier if it were just defined as part of the article.

    2) What are the consequences of disabling it? (I.e. What else uses/relies on it and might not like it?)

    3) What is a use case for disabling it? (I have a guess, if my guess on point 1 is correct).

    My guess is that Login Update has to do with whether a client connection writes back to eDirectory something like the Last Login Time attribute, and maybe more. (Be nice to get a list of what is affected by this change).

    If that is the case, then I could see high performance LDAP applications wanting this set to boost throughput. If every bind had to write several times to the DIB, then you get a hard physical limit, based on the number of writes your hardware can handle. Whereas, if the server is only doing reads, they can mostly come out of cache, which is hugely faster than writing.

    But all that is a guess. Could you please clarify?

  2. By:paul44000

    See the last part of TID 3479868, which has been modified to state that on Linux servers the line in nmas.config should be
    LoginInfo 1
    and not
    nmas LoginInfo 1
    which is what needs to be typed in at the command line (though this is only available on NetWare and not Linux-based OES).

  3. By:jwilleke

    We would still like to know what attributes are updated during a normal login and how the settings for sasUpdateLoginTimeInterval and sasUpdateLoginInfo affect the attributes.

    Thanks