A Forum reader recently asked:
“We’re implementing the Unix driver to Solaris 10 with IDM 3.5. Everything works great except the length of the password set in Solaris. The Solaris system has been modified to allow greater than 8-character passwords by modifying the /etc/security/policy.conf file to use MD5 encryption instead of the native Unix. Passwords can be changed to greater than 8 characters with the usual passwd command, but the driver script uses the nxpwdpa command, which apparently doesn’t use the password configuration file to allow the greater length. Despite much searching, we can’t find any information on how we can force the driver to use the same encryption, thus allowing longer passwords. There’s reference in the globals.sh to using nxutil for the MD5/Crypt generator, or is this unrelated to this issue? Is there a way for IDM to use the defined encryption so that longer passwords can be used?”
And here’s the response from Jeremy Grieshop …
For NIS, the nxpwdpa updates the password on the local passwd/shadow map. If you specify the “-m” flag for this call, it should use md5 style passwords. In globals, set DASHMD5=-m and the call to nxpwdpa will use the flag:
# finally, update the password
$SETPASSWORD -n $DASHMD5 $loginName $YPSHADOW <<DO_NOT_EDIT
$password
DO_NOT_EDIT
The crypt configuration is in /etc/security/policy.conf. The globals.sh should look here and set DASHMD5 based on its content.
Without NIS, it works the same way, with the -m parameter. You can put the “-m” in the script itself. By placing it in globals.sh, it updates both the add-user.sh and modify-password.sh, where SETPASSWORD is called. The globals.sh just provides a single place for properties that may be shared by multiple scripts. That way, minimal search and replace is done, and the scripts are easier to maintain.
Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment. It just worked for at least one person, and perhaps it will be useful for you too. Be sure to test in a non-production environment.
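The response above says globals.sh should read /etc/security/policy.conf and set DASHMD5 from it. The sketch below is an added example of that check, not the driver's shipped globals.sh and not code from the original response. It assumes the relevant key is CRYPT_DEFAULT, that the values 1 (BSD MD5) and md5 (Sun MD5) are the ones that call for -m, and that the scripts run under a POSIX shell; the function names and the POLICY_CONF variable are hypothetical.

```shell
#!/bin/sh
# Added example: derive DASHMD5 from the Solaris crypt policy.
# Not the driver's own globals.sh. Function names and POLICY_CONF are
# hypothetical. Needs a POSIX shell (uses ${var#...} expansions).

POLICY_CONF=${POLICY_CONF:-/etc/security/policy.conf}

# Print the CRYPT_DEFAULT value found in a policy.conf-style file.
# Commented-out entries ("#CRYPT_DEFAULT=...") are ignored. If the key
# appears more than once, this example keeps the last one (assumption).
# A missing file or key is reported as __unix__ (traditional crypt).
crypt_default() {
    _val=
    if [ -r "$1" ]; then
        while IFS= read -r _line || [ -n "$_line" ]; do
            case $_line in
                CRYPT_DEFAULT=*)
                    _val=${_line#CRYPT_DEFAULT=}
                    _val=${_val%% *}   # drop anything after a space
                    ;;
            esac
        done < "$1"
    fi
    echo "${_val:-__unix__}"
}

# Print "-m" when the policy selects an MD5-based algorithm.
# Assumption: "1" and "md5" are the values that should map to -m;
# every other value leaves the flag empty, so nxpwdpa keeps its default.
dashmd5_for() {
    case $(crypt_default "$1") in
        1|md5) echo "-m" ;;
        *)     echo "" ;;
    esac
}

# Shared by add-user.sh and modify-password.sh through $DASHMD5.
DASHMD5=$(dashmd5_for "$POLICY_CONF")
export DASHMD5
```

Because an empty DASHMD5 silently falls back to the traditional algorithm, which only honours the first 8 characters of a password, it is worth logging the computed value once when the driver scripts start.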