The new PasswordFetch class offers the ability to retrieve passwords from eDirectory when they are not supplied via the original authentication Method. This diagram shows the high level interaction:



This example setup uses the following environment (addresses and URLs were omitted from the original article):

  • SLES 12 ( –
      • eDirectory 9 (t=EDIR-TREE)
      • Universal Password Enabled
      • Objects under container: o=DATA
      • Apache running for with SSL enabled
  • Windows Server 2012 ( –
      • Active Directory (dc=ad,dc=domain,dc=com)
      • Domain Controller Server Certificate signed by EDIR-TREE for IDM purposes and AD LDAPS enablement
      • Objects under container: ou=DATA,dc=ad,dc=domain,dc=com
  • Novell Access Manager 4
      • Administration Console & Identity Provider on SLES 12 x64 ( –
      • Linux Access Gateway ( –
      • The LAG protects the iDP, so the Base URL is
  • Windows 10
      • Active Directory Member
      • Internet Explorer 11
      • EDIR-TREE Self Signed Certificate Authority imported into Computer Trusted Roots Store
      • * added to IE’s Local Intranet sites

User Stores

Active Directory

Create the User for Kerberos (we will also use this user for NAM Store Access, so give it sufficient domain access).


The User Login Name must be HTTP/ followed by the Access Manager Base URL domain (i.e. HTTP/


For this next screen, you will need to enable Advanced Features in MMC.


Now we need to export the Kerberos Key Tab file:



Create the test user in ou=IDENTITIES,o=DATA and allow IDM to synchronise the user to Active Directory. This will result in:

  • eDirectory Account: cn=bwalter,ou=IDENTITIES,o=DATA
  • Active Directory Account: cn=Ben Walter,ou=IDENTITIES,ou=DATA,dc=ad,dc=domain,dc=com

IDM will write back the DirXML-ADContext value of cn=Ben Walter,ou=IDENTITIES,ou=DATA,dc=ad,dc=domain,dc=com to the cn=bwalter,ou=IDENTITIES,o=DATA object (we will use this attribute as part of the PasswordFetch class).

Access Manager iDP

First, we’ll apply the fix for TID7004020 to avoid frame issues with any backend apps. Edit the /opt/novell/nids/lib/webapp/jsp/top.jsp file and change top.location.href='<%=url%>'; to location.href='<%=url%>'; (this is all that is required if you use the new login versus the legacy login).

Next, we create the primary store which will be Active Directory.


Next, we need to create the eDirectory store for the PasswordFetch class to use.


Next, we create the Kerberos Class called “Kerberos”. In the Properties, we add the following values to match with Active Directory:


The bcsLogin.conf looks like:

{ required

While here, we also create the PasswordFetch Class called “PasswordFetch”. In the Properties, we add the following values:


So, when the iDP receives the Kerberos token from the client, it validates it against the ticket cache and then searches AD on the userPrincipalName carried in the token (bwalter@AD.DOMAIN.COM); this returns the DN of the user object (cn=Ben Walter,ou=IDENTITIES,ou=DATA,dc=ad,dc=domain,dc=com). To find the equivalent user in eDirectory, the PasswordFetch class searches for the object whose DirXML-ADContext attribute holds that DN:

11:20:29 A122EB70 LDAP: ( Search request:
   base: "o=DATA"
   scope:2 dereference:3 sizelimit:0 timelimit:0 attrsonly:0
   filter: "(&(objectClass=Person)(DirXML-ADContext=cn=Ben Walter,ou=IDENTITIES,ou=DATA,dc=ad,dc=domain,dc=com))"
   attribute: "GUID"
   attribute: "fullname"
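An added example (not code from the article or from Access Manager) of the lookup the trace above records: it builds the DirXML-ADContext filter with RFC 4515 escaping of the value taken from the token (so a DN containing filter metacharacters cannot change the shape of the query), parses the iDP "Search request" trace format into its fields, and resolves the AD DN against a constructed in-memory set of eDirectory objects, failing closed if two Person objects claim the same AD context. Only the DNs, the search base and the filter come from the article; the entries, GUID values and function names are constructed for this example.

```python
# Added example, not code from the article or from Access Manager itself.
# Reproduces the PasswordFetch lookup recorded in the trace above against a
# constructed in-memory directory; entry data and GUIDs are made up.
import re

# RFC 4515: these characters must be escaped inside a filter assertion value.
_RFC4515_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value taken from an untrusted source (here: a DN derived from the
    Kerberos token) before placing it in an LDAP search filter."""
    return "".join(_RFC4515_ESCAPES.get(ch, ch) for ch in value)


def build_adcontext_filter(ad_dn: str) -> str:
    """Filter the iDP sends to eDirectory: Person objects whose DirXML-ADContext
    equals the Active Directory DN found by the Kerberos-authenticated search."""
    return f"(&(objectClass=Person)(DirXML-ADContext={escape_filter_value(ad_dn)}))"


def normalize_dn(dn: str) -> str:
    """Canonical DN form for comparison: trim spaces around the RDN separators and
    fold case. Sufficient for the DNs used here; escaped commas are not handled."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def resolve_edir_user(ad_dn: str, entries):
    """Return the single eDirectory Person mapped to ad_dn via DirXML-ADContext.

    Mirrors the traced search (base o=DATA, subtree, objectClass=Person, attributes
    GUID and fullname). No match -> None. Two matches would mean two eDirectory
    users claim the same AD object, so fail closed instead of picking one.
    """
    wanted = normalize_dn(ad_dn)
    matches = [
        e for e in entries
        if "Person" in e.get("objectClass", [])
        and normalize_dn(e.get("DirXML-ADContext", "")) == wanted
    ]
    if not matches:
        return None
    if len(matches) > 1:
        raise ValueError(f"ambiguous DirXML-ADContext mapping for {ad_dn}")
    e = matches[0]
    return {"dn": e["dn"], "GUID": e["GUID"], "fullname": e["fullname"]}


def parse_search_trace(trace: str) -> dict:
    """Extract base, scope, filter and requested attributes from an iDP LDAP
    'Search request' trace block of the form shown in the article."""
    result = {"attributes": []}
    for raw in trace.splitlines():
        line = raw.strip()
        if m := re.match(r'base:\s*"(.*)"$', line):
            result["base"] = m.group(1)
        elif m := re.match(r"scope:(\d+)", line):
            result["scope"] = int(m.group(1))
        elif m := re.match(r'filter:\s*"(.*)"$', line):
            result["filter"] = m.group(1)
        elif m := re.match(r'attribute:\s*"(.*)"$', line):
            result["attributes"].append(m.group(1))
    return result


# DN values from the article; everything else in the entries is constructed.
AD_DN = "cn=Ben Walter,ou=IDENTITIES,ou=DATA,dc=ad,dc=domain,dc=com"
EDIR_ENTRIES = [
    {"dn": "cn=bwalter,ou=IDENTITIES,o=DATA", "objectClass": ["Person", "inetOrgPerson"],
     "DirXML-ADContext": AD_DN, "GUID": "constructed-guid-0001", "fullname": "Ben Walter"},
    {"dn": "cn=jdoe,ou=IDENTITIES,o=DATA", "objectClass": ["Person", "inetOrgPerson"],
     "DirXML-ADContext": "cn=Jane Doe,ou=IDENTITIES,ou=DATA,dc=ad,dc=domain,dc=com",
     "GUID": "constructed-guid-0002", "fullname": "Jane Doe"},
    # Non-Person object carrying the same AD context: excluded by objectClass=Person.
    {"dn": "cn=bwalter-ws,ou=DEVICES,o=DATA", "objectClass": ["Device"],
     "DirXML-ADContext": AD_DN, "GUID": "constructed-guid-0003", "fullname": "Workstation"},
]

# The trace block from the article (the host portion is elided there as well).
TRACE = """\
11:20:29 A122EB70 LDAP: ( Search request:
   base: "o=DATA"
   scope:2 dereference:3 sizelimit:0 timelimit:0 attrsonly:0
   filter: "(&(objectClass=Person)(DirXML-ADContext=cn=Ben Walter,ou=IDENTITIES,ou=DATA,dc=ad,dc=domain,dc=com))"
   attribute: "GUID"
   attribute: "fullname"
"""

if __name__ == "__main__":
    parsed = parse_search_trace(TRACE)
    assert parsed["filter"] == build_adcontext_filter(AD_DN)
    print(parsed)
    print(resolve_edir_user(AD_DN, EDIR_ENTRIES))
    # A value carrying filter metacharacters is neutralised instead of rewriting the query.
    print(build_adcontext_filter("cn=x*)(objectClass=*"))
```

The escaping step is the part worth keeping in mind when reviewing a deployment like this: the DN that ends up in the eDirectory filter originates from the AD search result, so any path that lets a user influence that value should never reach the second directory as raw filter text. The fail-closed check on duplicate DirXML-ADContext values catches an IDM synchronisation problem before it silently maps one AD identity onto the wrong eDirectory user.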

For each Class, we create a Method:

The Kerberos Method uses the Active Directory Store.


The PasswordFetch Method uses the eDirectory Store.


The Overwrite User values option means that the LDAP DN attached to the session will be that of eDirectory, not Active Directory (should it be needed).

Now we create the Contract to be utilised:



Because we told the PasswordFetch Method to overwrite the user values, any policy should use the eDirectory values for LDAP, i.e.:


Internal/External Scenario

Consider the situation where your business has one Access Manager solution for both Internal and External resources. The Internal resources utilise the method described above for single sign on, but what about External Users? They have no Kerberos token to send through!

What we need to do is provide a “fallback” class for External Users so they are prompted to authenticate when no Kerberos Token is received. Kerberos Method Properties Example:


The catch: the iDP still needs an authentication header passed to the Kerberos Contract, even if it is empty; otherwise it errors, requiring authentication. To do this, the external clients must be configured like internal clients (i.e. enabling Integrated Login in Internet Explorer and adding the domain to the Local Intranet sites, or setting network.negotiate-auth.delegation-uris and network.negotiate-auth.trusted-uris in Firefox).

More articles on my Website.


Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment.  It just worked for at least one person, and perhaps it will be useful for you too.  Be sure to test in a non-production environment.

Apr 11, 2011
10:20 am