In eDirectory 8.7.1 and 8.7.3, you were able to prevent the legacy Novell clients from setting or changing the NDS password. With eDirectory 8.8, you can also prevent them from logging in to eDirectory 8.8 and verifying the passwords.
To allow or disallow the legacy Novell clients from using eDirectory 8.8, you need to configure NDS login either through iManager or LDAP.
The passwords of the legacy Novell clients are not case-sensitive. Therefore, in eDirectory 8.8 and later, when you want to enforce the use of case-sensitive passwords, you might need to block the legacy clients from accessing the directory.
In versions earlier than Novell Client 4.9, Universal Password was not supported. This was because login and password changes went straight to NDS password instead of to NMAS. Now, if you are using Universal Password, changing passwords through legacy clients can create a problem called “password drift”. This means that the NDS password and Universal Password are not synchronized. To prevent this issue, one option is to block password changes from clients earlier than version 4.9.
Refer to the next section, Managing NDS Login Configurations, for more information on how to block the legacy clients from accessing an eDirectory 8.8 server.
By configuring the NDS login, you can allow or disallow the legacy Novell clients from accessing the eDirectory server. You can manage NDS login configurations through iManager and LDAP.
In eDirectory 8.8 and later, you can configure the setting and changing of passwords through LDAP as well as iManager.
You can configure NDS login at one or all the following levels:
Partition level
Object level
If you do not specify the configuration at any of the levels, NDS login configuration is enabled at all the levels.
The object level configuration always overrides the partition level configuration. This is described in the following table:
Table 5-1 NDS Configuration

Configuration at Object Level | Configuration at Partition Level | Resulting Configuration
---|---|---
Not Specified | Enabled | Enabled
Enabled | Not Specified | Enabled
Not Specified | Disabled | Disabled
Disabled | Not Specified | Disabled
Enabled | Enabled | Enabled
Enabled | Disabled | Enabled
Disabled | Enabled | Disabled
Disabled | Disabled | Disabled
At all the levels (object and partition) you can configure NDS login for the following:
Logging in to the directory using an NDS password or verifying the NDS password
Setting a new password and changing the existing password
Login/verify NDS password means:
Logging in to the directory using an NDS password.
Verifying the existing password in the directory.
Login/verify NDS password is enabled by default. When you disable the login/verify key, you will not be able to log in to the latest version of eDirectory or verify the passwords. You can enable or disable login/verify NDS password at partition and object levels. If login/verify is disabled, you will not be able to set or change NDS passwords.
You can configure login/verify NDS password through iManager and LDAP. For more information, refer to Managing NDS Configurations Through iManager and Managing NDS Configurations Through LDAP.
Set/change an NDS password means:
Setting a new password for an object.
Changing the existing password for an object.
Set/change NDS password is enabled by default. When you disable the set/change key, you will not be able to set a new password or change the existing password in eDirectory. You can enable or disable set/change NDS password at partition and object levels. If login/verify is disabled, you will not be able to set/change passwords.
Earlier, you could configure set/change of NDS passwords through LDAP only. Now you can also do it through iManager. For more information, refer to Managing NDS Configurations Through iManager and Managing NDS Configurations Through LDAP.
You can turn on the login/verify key or set/change key in NDS login configuration.
To enable NDS login for pre-eDirectory 8.8 clients at the partition level:
In iManager, click the Roles and Tasks button.
Select NMAS > Universal Password Enforcement.
In the Universal Password Enforcement plug-in, select NDS Configuration for a Partition.
Follow the instructions in the NDS Configuration for a Partition wizard to configure the login and password management at a partition level.
Help is available throughout the wizard.
To enable NDS login for pre-eDirectory 8.8 clients at the object level:
In iManager, click the Roles and Tasks button.
Select NMAS > Universal Password Enforcement.
In the wizard, select NDS Configuration for an Object.
Follow the instructions in the NDS Configuration for an Object wizard to configure the login and password management at an object level.
Help is available throughout the wizard.
IMPORTANT: We strongly recommend that you use iManager, not LDAP, for managing NDS configurations.
You can manage NDS configurations through LDAP using an eDirectory attribute on a partition root container or object. The attributes are a part of the schema in eDirectory 8.7.1 or later, and are not supported on eDirectory 8.7 or earlier.
The method used by legacy clients to configure the NDS login configurations is called NDAP login management and the method used for NDS password configurations is called NDAP password management.
Login and Verify Password Management
Use the ndapPartitionLoginMgmt attribute to enable or disable NDS login and verify password management for a partition.
ndapPartitionLoginMgmt Attribute Value | Description
---|---
Not present or not specified | NDAP login management is enabled.
0 | NDAP login management is disabled.
1 | NDAP login management is enabled.
Set and Change NDS Password
Use the ndapPartitionPasswordMgmt attribute to enable or disable the setting and changing of an NDS password for a partition.
ndapPartitionPasswordMgmt Attribute Value | Description
---|---
Not present or not specified | NDAP password management is enabled.
0 | NDAP password management is disabled.
1 | NDAP password management is enabled.
Login and Verify NDS Password
Use the ndapLoginMgmt attribute to enable or disable NDS login and verify management for an object.
ndapLoginMgmt Attribute Value | Description
---|---
Not present or not specified | NDAP login management depends on the configuration at the partition level.
0 | NDAP login management is disabled if it is disabled at the partition level.
1 | NDAP login management is enabled irrespective of the configuration setting at the partition level.
Set and Change NDS Password
Use the ndapPasswordMgmt attribute to enable or disable the setting and changing of an NDS password for an object.
ndapPasswordMgmt Attribute Value | Description
---|---
Not present or not specified | NDAP password management depends on the configuration at the partition level.
0 | NDAP password management is disabled if it is disabled at the partition level.
1 | NDAP password management is enabled irrespective of the configuration setting at the partition level.
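The following is an added example, not code from the NetIQ guide. It resolves the effective NDS login and set/change configuration for a legacy client from the four ndap*Mgmt attribute values above, using the object-overrides-partition precedence of Table 5-1 and the rule that set/change requires login/verify to be enabled, and then builds the LDIF an administrator would feed to ldapmodify to block legacy clients on a partition while exempting specific objects. The function names and the DNs are assumptions; only the attribute names come from the page.

```python
# Added example (not from the NetIQ guide). Attribute names are the page's;
# function names and the sample DNs are constructed for illustration.

def _effective(object_value, partition_value):
    """Table 5-1 precedence: an explicit object-level value (0 or 1) always
    wins; otherwise the partition-level value applies; if neither is set
    (None), the feature is enabled by default."""
    for value in (object_value, partition_value):
        if value is not None:
            return value == 1          # 1 = enabled, 0 = disabled
    return True

def effective_ndap(partition_login=None, object_login=None,
                   partition_pwd=None, object_pwd=None):
    """Return (login_allowed, set_change_allowed) for a legacy client.
    Arguments are the ndapPartitionLoginMgmt, ndapLoginMgmt,
    ndapPartitionPasswordMgmt and ndapPasswordMgmt values (None, 0 or 1).
    Set/change is only possible when login/verify is also enabled."""
    login_ok = _effective(object_login, partition_login)
    pwd_ok = _effective(object_pwd, partition_pwd) and login_ok
    return login_ok, pwd_ok

def ldif_block_legacy(partition_dn, exempt_dns=()):
    """LDIF for ldapmodify: disable NDAP login management on the partition
    root container, then re-enable it on each exempted object, since the
    object-level attribute overrides the partition-level one."""
    records = [f"dn: {partition_dn}\nchangetype: modify\n"
               "replace: ndapPartitionLoginMgmt\nndapPartitionLoginMgmt: 0\n"]
    for dn in exempt_dns:
        records.append(f"dn: {dn}\nchangetype: modify\n"
                       "replace: ndapLoginMgmt\nndapLoginMgmt: 1\n")
    return "\n".join(records)

if __name__ == "__main__":
    # Partition blocked, one object exempted: that object still logs in.
    print(effective_ndap(partition_login=0, object_login=1))   # (True, True)
    # Sample DNs below are constructed values, not from the guide.
    print(ldif_block_legacy("o=example", ["cn=svc-legacy,o=example"]))
```

Run the printed LDIF through ldapmodify against the eDirectory 8.8 server; the resolution function is useful for checking what a given combination of attribute values will do before applying it.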
NOTE: For more information on creating and managing priority sync policies, refer to Using LDAP Tools on Linux and NetIQ Import Conversion Export Utility in the NetIQ eDirectory 8.8 SP8 Administration Guide.
When you split a partition, the NDS configurations are not inherited by the child partition. When you merge partitions, the NDS configurations of the parent are retained by the resultant partition.
If a tree exists with an eDirectory 8.8 or later server and an eDirectory 8.7 or earlier server, and the two servers share a partition, disabling NDS login configuration on that partition will have unreliable results. The 8.8 server will enforce the setting, preventing legacy clients from accessing the directory. However, the 8.7 server will not enforce the setting, so you can access the directory through the 8.7 server.