5.1 Overview

HOTP is an HMAC-based one-time password (OTP) algorithm, specified in RFC 4226. An OTP is a password that is valid for only one login session or transaction. Because each value can be used only once, an OTP removes the replay risk that a traditional (static) password carries: a potential intruder who records an OTP that was used to log in to a service or to conduct a transaction cannot reuse it, because it has already been consumed and is no longer valid. (An OTP does not, by itself, protect against an attacker who captures the value and relays it before the legitimate login completes; it protects against reuse after the fact.)

Every OTP-based authentication requires an OTP server and an OTP client (a hardware or software token). The OTP-based authentication in NMAS is based on the RFC 4226 standard. The NDS password, which was previously presented to the server on its own, is now combined with the HOTP value: the HOTP value is appended to the NDS password. This strengthens password-based authentication while retaining all the existing client components and their user interfaces.

Authentication to the eDirectory server with the HOTP feature is done by using an LDAP-based login or a NetWare Core Protocol (NCP)-based login.

5.1.1 LDAP-Based Login

Prerequisites

Login Method

An HOTP-enabled user can perform an LDAP bind by concatenating the NDS password with the HOTP value: the HOTP digits are appended directly to the NDS password, with no separator.

For example, with the NDS password secret and the current HOTP value 40338314:

ldapsearch -D cn=user1,o=novell -w secret40338314 -h 164.99.91.165 -p 389 -b "o=novell" -s sub -LLL dn

Passing the combined password with -w places it on the command line, where it is visible to other local users (for example in the process list and the shell history). In production use, prompt for it with -W instead.
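The following is an added example, not NetIQ or NMAS code, showing how the RFC 4226 HOTP value is computed and how it is concatenated with the NDS password as described in the overview and in the LDAP example above. It uses the RFC 4226 Appendix D test key ("12345678901234567890"); with that key, the 8-digit HOTP for counter 4 is 40338314, so "secret" + HOTP gives exactly the secret40338314 credential shown above. The HotpVerifier class is a hypothetical illustration of the server side (it is not how NMAS is implemented internally): it splits the trailing OTP digits off the submitted password, checks them against a look-ahead window of counters as RFC 4226 section 7.4 describes, and advances the counter so that a recorded OTP cannot be replayed. The 8-digit length and the look-ahead window size of 5 are assumptions for the example.

```python
"""Added example (not NetIQ/NMAS code): RFC 4226 HOTP generation, the
password||HOTP credential used for the LDAP/NCP login, and a toy server-side
verifier that rejects replayed OTP values."""
import hashlib
import hmac
import struct

# RFC 4226 Appendix D test key (ASCII "12345678901234567890").
TEST_KEY = b"12345678901234567890"


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """HOTP(K, C) = Truncate(HMAC-SHA-1(K, C)) mod 10^digits (RFC 4226 s5.3).

    The counter is encoded as an 8-byte big-endian value; dynamic truncation
    takes 4 bytes at the offset given by the low nibble of the last MAC byte
    and clears the top bit before reducing modulo 10^digits.
    """
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def bind_password(nds_password: str, key: bytes, counter: int, digits: int = 8) -> str:
    """What the client submits: the static NDS password with the HOTP appended."""
    return nds_password + hotp(key, counter, digits)


class HotpVerifier:
    """Hypothetical server side (illustration only, not NMAS internals).

    Splits the trailing OTP digits off the submitted password, checks the
    static part, then searches a look-ahead window of counters (RFC 4226
    s7.4). On success the counter moves past the matched value, so the same
    OTP is never accepted twice.
    """

    def __init__(self, nds_password: str, key: bytes, digits: int = 8, look_ahead: int = 5):
        self.nds_password = nds_password
        self.key = key
        self.digits = digits
        self.look_ahead = look_ahead  # assumed window size for the example
        self.counter = 0              # next counter value the server expects

    def verify(self, submitted: str) -> bool:
        if len(submitted) <= self.digits:
            return False
        static, otp = submitted[:-self.digits], submitted[-self.digits:]
        # Constant-time comparisons avoid leaking how many characters matched.
        if not hmac.compare_digest(static.encode(), self.nds_password.encode()):
            return False
        for c in range(self.counter, self.counter + self.look_ahead + 1):
            if hmac.compare_digest(hotp(self.key, c, self.digits), otp):
                self.counter = c + 1  # consumed: a replay of this OTP now fails
                return True
        return False


def replay_check(nds_password: str = "secret", submitted: str = "secret40338314"):
    """Submit the same credential twice; returns (first_ok, second_ok, counter)."""
    verifier = HotpVerifier(nds_password, TEST_KEY)
    first = verifier.verify(submitted)
    second = verifier.verify(submitted)
    return first, second, verifier.counter


if __name__ == "__main__":
    print("RFC 4226 6-digit vectors:", [hotp(TEST_KEY, c) for c in range(3)])
    print("bind password for counter 4:", bind_password("secret", TEST_KEY, 4))
    print("first login, replay, counter:", replay_check())
```

The first submission succeeds because counter 4 lies inside the window the server searches from its stored counter 0; the identical second submission fails because the server's counter has moved to 5, which is the property the overview relies on.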

5.1.2 NCP-Based Login

An HOTP-ready or HOTP-enabled user can perform an NCP login by concatenating the NDS password with the HOTP value in the same way (HOTP digits appended to the NDS password), using any of the following utilities:

  • ndslogin

    For example, with the NDS password secret and the current HOTP value 40338314:

    ndslogin user1.org -h org.com -p secret40338314

    As with ldapsearch -w, the -p option exposes the combined password on the command line to other local users.
  • iMonitor

  • iManager (replace the existing libnmasclnt.so file in the iManager-installed location)

    NOTE: iManager plug-ins that perform LDAP authentication fail when used by HOTP-enabled users.