24.5 History of NetIQ Passwords

In the past, administrators have had to manage multiple passwords (simple password, NDS password, enhanced password) because of password limitations. Administrators have also needed to deal with keeping the passwords synchronized.

  • NDS Password: The older NDS password is stored in a hash form that is non-reversible. Only the NDS system can make use of this password, and it cannot be converted into any other form for use by any other system.

  • Simple Password: The simple password was originally implemented to allow administrators to import users and passwords (clear text and hashed) from foreign LDAP directories such as Active Directory and iPlanet.

    The limitation of the simple password is that no password policy (minimum length, expiration, and so on) is enforced.

  • Enhanced Password: The enhanced password (no longer supported), the forerunner of Universal Password, offers some password policies, but its design is not consistent with other passwords. It provides a one-way synchronization and it replaces the simple or NDS password.

Universal Password was created to address these password problems. It provides:

  • One password for all access to eDirectory.

  • The use of extended characters in passwords.

  • Advanced password policy enforcement.

  • Synchronization of passwords from eDirectory to other systems.

Universal Password is managed by the Secure Password Manager, a component of the NMAS module. Secure Password Manager simplifies the management of password-based authentication schemes across a wide variety of NetIQ, Novell, and NetIQ partner products. The management tools only expose one password and do not expose all of the behind-the-scenes processing for backwards compatibility.

Secure Password Manager and the other components that manage or make use of Universal Password are installed as part of the eDirectory install. However, Universal Password is not enabled by default. Because all APIs for authentication and setting passwords are moving to support Universal Password, all the existing management tools, when run on clients with these new libraries, automatically work with the Universal Password.

NOTE: The Password Management plug-in is available for download at the Downloads Web site.

The Novell Client supports the Universal Password. It also continues to support the NDS password for older systems in the network. The Novell Client has the capability of automatically migrating the NDS password to the Universal Password at the time of the first login.

The password expiration time is not updated when the NDS password is migrated to the Universal Password unless the “Verify whether existing passwords comply with the password policy (verification occurs on login)” password policy rule is set to “true”.

For more information about deploying and managing Universal Password, see Section 26.0, Managing Passwords.