5.4 Preventing Legacy Novell Clients from Accessing eDirectory 8.8 Server

In eDirectory 8.7.1 and 8.7.3, you were able to prevent the legacy Novell clients from setting or changing the NDS password. With eDirectory 8.8, you can also prevent them from logging in to eDirectory 8.8 and verifying the passwords.

To allow or prevent legacy Novell clients from using eDirectory 8.8, configure NDS login through either iManager or LDAP.

This section includes the following information:

  • Need for Preventing Legacy Novell Clients from Accessing eDirectory 8.8 Server

  • Managing NDS Login Configurations

  • Partition Operations

  • Enforcing Case-Sensitive Passwords in a Mixed Tree

5.4.1 Need for Preventing Legacy Novell Clients from Accessing eDirectory 8.8 Server

The passwords of the legacy Novell clients are not case-sensitive. Therefore, in eDirectory 8.8 and later, when you want to enforce the use of case-sensitive passwords, you might need to block the legacy clients from accessing the directory.

In versions earlier than Novell Client 4.9, Universal Password was not supported. This was because login and password changes went straight to NDS password instead of to NMAS. Now, if you are using Universal Password, changing passwords through legacy clients can create a problem called “password drift”. This means that the NDS password and Universal Password are not synchronized. To prevent this issue, one option is to block password changes from clients earlier than version 4.9.

Refer to the next section, Managing NDS Login Configurations, for more information on how to block legacy clients from accessing an eDirectory 8.8 server.

5.4.2 Managing NDS Login Configurations

By configuring the NDS login, you can allow or prevent legacy Novell clients from accessing the eDirectory server. You can manage NDS login configurations through iManager and LDAP.

In eDirectory 8.8 and later, you can configure the setting and changing of passwords through LDAP as well as iManager.

This section includes information on the following:

  • NDS Configurations at Different Levels

  • Managing NDS Configurations Through iManager

  • Managing NDS Configurations Through LDAP

NDS Configurations at Different Levels

You can configure NDS login at one or all the following levels:

  • Partition level

  • Object level

If you do not specify the configuration at any of the levels, NDS login configuration is enabled at all the levels.

The object level configuration always overrides the partition level configuration. This is described in the following table:

Table 5-1 NDS Configuration

  Configuration at Object Level | Configuration at Partition Level | Resulting Configuration
  ------------------------------+----------------------------------+------------------------
  Not Specified                 | Enabled                          | Enabled
  Enabled                       | Not Specified                    | Enabled
  Not Specified                 | Disabled                         | Disabled
  Disabled                      | Not Specified                    | Disabled
  Enabled                       | Enabled                          | Enabled
  Enabled                       | Disabled                         | Enabled
  Disabled                      | Enabled                          | Disabled
  Disabled                      | Disabled                         | Disabled

At all the levels (object and partition) you can configure NDS login for the following:

  • Logging in to the directory using an NDS password or verifying the NDS password

  • Setting a new password and changing the existing password

Logging In to the Directory or Verifying the NDS Password

Login/verify NDS password means:

  • Logging in to the directory using an NDS password.

  • Verifying the existing password in the directory.

Login/verify NDS password is enabled by default. When you disable the login/verify key, you will not be able to log in to the latest version of eDirectory or verify the passwords. You can enable or disable login/verify NDS password at partition and object levels. If login/verify is disabled, you will not be able to set or change NDS passwords.

You can configure login/verify NDS password through iManager and LDAP. For more information, refer to Managing NDS Configurations Through iManager and Managing NDS Configurations Through LDAP.

Setting a New Password or Changing the NDS Password

Set/change an NDS password means

  • Setting a new password for an object.

  • Changing the existing password for an object.

Set/change NDS password is enabled by default. When you disable the set/change key, you will not be able to set a new password or change the existing password in eDirectory. You can enable or disable set/change NDS password at partition and object levels. If login/verify is disabled, you will not be able to set/change passwords.

Earlier, you could set or change NDS passwords through LDAP only. Now you can also do it through iManager. For more information, refer to Managing NDS Configurations Through iManager and Managing NDS Configurations Through LDAP.

Managing NDS Configurations Through iManager

This section includes the following information:

  • Enabling/Disabling NDS Configuration for a Partition

  • Enabling/Disabling NDS Configuration for an Object

You can turn the login/verify key or the set/change key on or off in the NDS login configuration.

Enabling/Disabling NDS Configuration for a Partition

To enable NDS login for pre-eDirectory 8.8 clients:

  1. In iManager, click the Roles and Tasks button.

  2. Select NMAS > Universal Password Enforcement.

  3. In the Universal Password Enforcement plug-in, select NDS Configuration for a Partition.

  4. Follow the instructions in the NDS Configuration for a Partition wizard to configure the login and password management at a partition level.

    Help is available throughout the wizard.

Enabling/Disabling NDS Configuration for an Object

To enable NDS login for pre-eDirectory 8.8 clients:

  1. In iManager, click the Roles and Tasks button.

  2. Select NMAS > Universal Password Enforcement.

  3. In the wizard, select NDS Configuration for an Object.

  4. Follow the instructions in the NDS Configuration for an Object wizard to configure the login and password management at an object level.

    Help is available throughout the wizard.

Managing NDS Configurations Through LDAP

IMPORTANT: We strongly recommend that you use iManager, not LDAP, for managing NDS configurations.

You can manage NDS configurations through LDAP using an eDirectory attribute on a partition root container or object. The attributes are a part of the schema in eDirectory 8.7.1 or later, and are not supported on eDirectory 8.7 or earlier.

The method used by legacy clients to configure the NDS login configurations is called NDAP login management and the method used for NDS password configurations is called NDAP password management.

This section provides information on:

  • Enabling/Disabling NDS Configuration for a Partition

  • Enabling/Disabling NDS Configurations for an Object

Enabling/Disabling NDS Configuration for a Partition

Login and Verify Password Management

Use the ndapPartitionLoginMgmt attribute to enable or disable NDS login and verify password management for a partition.

  ndapPartitionLoginMgmt Attribute Value | Description
  ---------------------------------------+------------------------------------
  Not present or not specified           | NDAP login management is enabled.
  0                                      | NDAP login management is disabled.
  1                                      | NDAP login management is enabled.

Set and Change NDS Password

Use the ndapPartitionPasswordMgmt attribute to enable or disable the setting and changing of an NDS password for a partition.

  ndapPartitionPasswordMgmt Attribute Value | Description
  ------------------------------------------+---------------------------------------
  Not present or not specified              | NDAP password management is enabled.
  0                                         | NDAP password management is disabled.
  1                                         | NDAP password management is enabled.

Enabling/Disabling NDS Configurations for an Object

Login and Verify NDS Password

Use the ndapLoginMgmt attribute to enable or disable NDS login and verify management for an object.

  ndapLoginMgmt Attribute Value | Description
  ------------------------------+-------------------------------------------------------------------------------------
  Not present or not specified  | NDAP login management depends on the configuration at the partition level.
  0                             | NDAP login management is disabled if it is disabled at the partition level.
  1                             | NDAP login management is enabled irrespective of the configuration setting at the partition level.

Set and Change NDS Password

Use the ndapPasswordMgmt attribute to enable or disable the setting and changing of an NDS password for an object.

  ndapPasswordMgmt Attribute Value | Description
  ---------------------------------+----------------------------------------------------------------------------------------
  Not present or not specified     | NDAP password management depends on the configuration at the partition level.
  0                                | NDAP password management is disabled if it is disabled at the partition level.
  1                                | NDAP password management is enabled irrespective of the configuration setting at the partition level.
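The following Python script is an added example, not code from the NetIQ eDirectory guide. It encodes the precedence rules of Table 5-1 together with the value meanings of the four ndap* attribute tables above (so it covers both the partition-level and the object-level attributes, and the rule that a disabled login/verify key also blocks set/change), resolves the effective state for each object, lists the objects that legacy NDS-password clients could still log in as (a useful check before and after a change), and builds the LDIF an administrator would hand to ldapmodify. The tree name o=acme, all DNs and the attribute values are constructed sample data; the ldapmodify client and its flags mentioned below are assumptions, not taken from the page.

```python
# Added example (not from the NetIQ eDirectory guide): resolve the effective
# NDS login configuration from the ndap* attributes described on this page
# and generate the ldapmodify LDIF for setting them.
# The tree (o=acme), the DNs and the attribute values are constructed sample data.
from typing import Dict, List, Optional

NOT_SPECIFIED = "Not Specified"
ENABLED = "Enabled"
DISABLED = "Disabled"

# Attribute names from the page: partition-root attributes and per-object attributes.
PARTITION_LOGIN_ATTR = "ndapPartitionLoginMgmt"
PARTITION_PASSWORD_ATTR = "ndapPartitionPasswordMgmt"
OBJECT_LOGIN_ATTR = "ndapLoginMgmt"
OBJECT_PASSWORD_ATTR = "ndapPasswordMgmt"


def attr_state(value: Optional[str]) -> str:
    """Map an ndap*Mgmt value to a state: absent -> Not Specified, "0" -> Disabled, "1" -> Enabled."""
    if value is None or value == "":
        return NOT_SPECIFIED
    if value == "0":
        return DISABLED
    if value == "1":
        return ENABLED
    raise ValueError(f"unexpected ndap*Mgmt value: {value!r}")


def effective(object_state: str, partition_state: str) -> str:
    """Table 5-1: an explicit object-level setting wins; otherwise the partition
    setting applies; if neither level is specified the feature is enabled."""
    if object_state != NOT_SPECIFIED:
        return object_state
    if partition_state != NOT_SPECIFIED:
        return partition_state
    return ENABLED


def resolve(partition_attrs: Dict[str, str], object_attrs: Dict[str, str]) -> Dict[str, str]:
    """Effective login/verify and set/change state for one object in one partition."""
    login = effective(attr_state(object_attrs.get(OBJECT_LOGIN_ATTR)),
                      attr_state(partition_attrs.get(PARTITION_LOGIN_ATTR)))
    set_change = effective(attr_state(object_attrs.get(OBJECT_PASSWORD_ATTR)),
                           attr_state(partition_attrs.get(PARTITION_PASSWORD_ATTR)))
    # The page states that with login/verify disabled, set/change is not possible either.
    if login == DISABLED:
        set_change = DISABLED
    return {"login_verify": login, "set_change": set_change}


def ldif_modify(dn: str, partition_root: bool,
                login: Optional[bool], set_change: Optional[bool]) -> str:
    """Build one ldapmodify entry. True -> "1", False -> "0"; None leaves that key untouched."""
    login_attr = PARTITION_LOGIN_ATTR if partition_root else OBJECT_LOGIN_ATTR
    pw_attr = PARTITION_PASSWORD_ATTR if partition_root else OBJECT_PASSWORD_ATTR
    lines = [f"dn: {dn}", "changetype: modify"]
    for attr, flag in ((login_attr, login), (pw_attr, set_change)):
        if flag is None:
            continue
        lines += [f"replace: {attr}", f"{attr}: {'1' if flag else '0'}", "-"]
    return "\n".join(lines) + "\n"


def audit(partition_attrs: Dict[str, str], objects: Dict[str, Dict[str, str]]) -> List[str]:
    """DNs of objects that legacy (NDS-password) clients can still log in as."""
    return sorted(dn for dn, attrs in objects.items()
                  if resolve(partition_attrs, attrs)["login_verify"] == ENABLED)


# Constructed sample: partition root with legacy login disabled; one service
# account explicitly re-enabled at object level (Table 5-1 row Enabled/Disabled).
SAMPLE_PARTITION = {PARTITION_LOGIN_ATTR: "0"}
SAMPLE_OBJECTS = {
    "cn=alice,ou=users,o=acme": {},
    "cn=backup,ou=svc,o=acme": {OBJECT_LOGIN_ATTR: "1"},
    "cn=bob,ou=users,o=acme": {OBJECT_PASSWORD_ATTR: "1"},
}

if __name__ == "__main__":
    for dn, attrs in SAMPLE_OBJECTS.items():
        print(dn, resolve(SAMPLE_PARTITION, attrs))
    print("legacy login still possible for:", audit(SAMPLE_PARTITION, SAMPLE_OBJECTS))
    # LDIF that disables both keys on the partition root.
    print(ldif_modify("o=acme", True, login=False, set_change=False), end="")
```

Run the script to print the resolution of the sample objects and the LDIF for the partition root; the LDIF can be applied to the 8.8 server with an ldapmodify client (for OpenLDAP's tool, something like ldapmodify -D <admin DN> -W -f file.ldif; these flags are assumed here). Because the audit uses the same resolution logic as the LDIF generator, it also shows the effect of the caveat at the end of this section: an eDirectory 8.7 server holding a replica of the same partition does not enforce these attributes, so the audit describes only what the 8.8 server will do.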

NOTE: For more information on creating and managing priority sync policies, refer to Using LDAP Tools on Linux and NetIQ Import Conversion Export Utility in the NetIQ eDirectory 8.8 SP8 Administration Guide.

5.4.3 Partition Operations

When you split a partition, the NDS configurations are not inherited by the child partition. When you merge partitions, the NDS configurations of the parent are retained by the resultant partition.

5.4.4 Enforcing Case-Sensitive Passwords in a Mixed Tree

If a tree exists with an eDirectory 8.8 or later server and an eDirectory 8.7 or earlier server, and the two servers share a partition, disabling NDS login configuration on that partition will have unreliable results. The 8.8 server will enforce the setting, preventing legacy clients from accessing the directory. However, the 8.7 server will not enforce the setting, so you can access the directory through the 8.7 server.