24.8 Security Considerations

This section contains specific information related to security with NetIQ Modular Authentication Services. It contains the following subsections:

24.8.1 Partner Login Methods

NetIQ has not evaluated the security methodologies of partner login methods. Although the partner products might have qualified for the NetIQ Yes, Tested & Approved or NetIQ Directory Enabled logos, those logos relate to general product interoperability only.

24.8.2 Login Policies

  • If authorized login sequences, default login sequences, authorized clearances, or default clearances are assigned to a container that is not a partition root, the policy is only effective for user objects in the container, and not for user objects in subcontainers.

  • If authorized login sequences, default login sequences, authorized clearances, or default clearances are assigned to a container that is a partition root, the policy is effective for all users in the partition that do not have these values assigned to the user object or to the object's parent container.

  • If authorized login sequences, default login sequences, authorized clearances, or default clearances are assigned to a Login policy, that policy is effective for all users in the tree that do not have these values assigned to the user object, to the object's parent container, or to the object's partition root.

  • When users are assigned passwords or other guessable login secrets such as challenge question responses, you should enable intruder detection to slow down or prevent intruders from guessing the login secrets.

  • By default, failed login attempts are delayed by three seconds. This delay is intended to slow down the attempts of intruders to guess passwords. The length of the failed login delay is configurable. You should use the default of three seconds.

  • Login policies such as intruder detection, network address restrictions, and time of day restrictions are enforced for all login sequences. For example, the login policies are enforced when the forgotten password self-service feature of several NetIQ products invokes the challenge/response login method.

  • You should enable NMAS™ Auditing so that you can track login attempts and changes in configuration.

  • Using the policy refresh rate command to make NMAS check at defined intervals whether the cached password policy needs to be refreshed, instead of checking during each login, delays the application of login policy changes.

  • The LoginInfo command can be used to disable updating login-related attributes during login. These attributes include the intruder detection attributes. Disabling the update of these login-related attributes improves login performance. However, disabling the update of these attributes might lessen the security of the system.

  • The intruder detection policy can be set on the user object’s direct container or on the user object’s partition root. NMAS checks the parent container first for an intruder detection policy. If no policy is found, then the partition root is checked for an intruder detection policy.
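The precedence rules in the bullets above (user object, then the user's direct parent container, then the partition root, then the Login policy; and for intruder detection, parent container before partition root) are easy to misread, so here is an added worked example that is not NetIQ code. It models the resolution chain over a small constructed directory tree; the entries, attribute names (`authorizedLoginSequences`, `defaultLoginSequence`) and values are constructed for illustration. The same container-versus-partition-root scoping is stated for Password policies in Section 24.8.4, and the function applies to them unchanged.

```python
"""Added example, not NetIQ code: resolves the effective login-policy values
for a user by the precedence stated in this section.  The directory entries,
attribute names and values are constructed for illustration."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Entry:
    """A user or container object.  `values` holds policy attributes set
    directly on the object (e.g. authorizedLoginSequences)."""
    dn: str
    parent: Optional["Entry"] = None
    is_partition_root: bool = False
    values: dict = field(default_factory=dict)
    intruder_detection: Optional[dict] = None


def partition_root(entry):
    """Walk up the tree to the partition root that holds this entry."""
    while entry is not None and not entry.is_partition_root:
        entry = entry.parent
    return entry


def effective_value(user, attr, login_policy):
    """Precedence: user object, then the user's direct parent container, then the
    partition root, then the tree-wide Login policy.  Intermediate containers
    that are not partition roots do not propagate to subcontainers."""
    if attr in user.values:
        return user.values[attr], user.dn
    if user.parent is not None and attr in user.parent.values:
        return user.parent.values[attr], user.parent.dn
    root = partition_root(user)
    if root is not None and attr in root.values:
        return root.values[attr], root.dn
    if attr in login_policy:
        return login_policy[attr], "Login Policy"
    return None, None


def effective_intruder_policy(user):
    """Intruder detection: the direct parent container is checked first,
    then the partition root."""
    if user.parent is not None and user.parent.intruder_detection is not None:
        return user.parent.intruder_detection, user.parent.dn
    root = partition_root(user)
    if root is not None and root.intruder_detection is not None:
        return root.intruder_detection, root.dn
    return None, None


def build_sample_tree():
    """Constructed tree: o=acme is a partition root; ou=eng and ou=contractors
    are ordinary containers beneath it."""
    acme = Entry("o=acme", None, True,
                 {"authorizedLoginSequences": ["NDS", "Challenge Response"]},
                 {"enabled": True, "failed_attempts": 3, "lockout_minutes": 15})
    eng = Entry("ou=eng,o=acme", acme, False,
                {"authorizedLoginSequences": ["Smart Card"]})
    contractors = Entry("ou=contractors,ou=eng,o=acme", eng)
    return {
        "alice": Entry("cn=alice,ou=eng,o=acme", eng),
        "bob": Entry("cn=bob,ou=contractors,ou=eng,o=acme", contractors),
        "carol": Entry("cn=carol,ou=contractors,ou=eng,o=acme", contractors,
                       values={"authorizedLoginSequences": ["X509 Certificate"]}),
    }


LOGIN_POLICY = {"defaultLoginSequence": "NDS"}  # tree-wide fallback (constructed)

if __name__ == "__main__":
    for name, user in build_sample_tree().items():
        seqs, src = effective_value(user, "authorizedLoginSequences", LOGIN_POLICY)
        default, dsrc = effective_value(user, "defaultLoginSequence", LOGIN_POLICY)
        _, isrc = effective_intruder_policy(user)
        print(f"{name}: sequences={seqs} (from {src}); default={default} "
              f"(from {dsrc}); intruder detection from {isrc}")
```

Note that bob, two containers below the partition root, does not inherit the Smart Card restriction set on ou=eng: a non-root container's policy reaches only its direct children, so he falls through to the partition root. Auditing which object supplied each effective value is the quickest way to spot a policy that an administrator believed was inherited but is not.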

24.8.3 NMASInst

When you upgrade a login method, nmasinst replaces a newer version with the older version unless the -checkversion option is used.

Although nmasinst provides an option to specify the password on the command line, it is not recommended because the password could be compromised. With eDirectory 9.0, nmasinst allows you to retrieve a password from either a file or an environment variable.

24.8.4 Universal Password

  • Because the Security container contains global policies, you should be careful where you place writable replicas. Some servers can modify the overall security policies specified in the eDirectory tree. In order for users to log in with NMAS, replicas of the User objects and security container must be on the NMAS server.

  • If a Password policy is assigned to a container that is not a partition root, that policy is only effective for the user objects in the container, and not for user objects in subcontainers.

  • If a Password policy is assigned to a container that is a partition root, that policy is effective for all users in the partition that do not have these values assigned to the user object or to the object's parent container.

  • If a Password policy is assigned to a Login policy, that policy is effective for all users in the tree that do not have these values assigned to the user object, to the object's parent container, or to the object's partition root.

  • The password expiration time is not updated when the NDS password is migrated to the Universal Password unless the “Verify whether existing passwords comply with the password policy (verification occurs on login)” password policy rule is set to “true”.

  • Password policies can be configured to allow the user or a password administrator to read the Universal Password by using documented NMAS LDAP extensions. These options should not be enabled unless required for your specific installation. If you require user passwords to be readable, you should configure the Password policy to only allow selected users to read the passwords.

  • You should configure a password policy to synchronize to the Distribution Password only if Identity Manager Password Synchronization is being used to synchronize passwords between connected systems.

    For more information on synchronizing passwords between connected systems using Identity Manager Password Synchronization, see the NetIQ Identity Manager 4.5 Password Management Guide.

  • You should configure a password policy to synchronize to the Simple Password only if:

    • You have servers that hold a writable replica of user objects, and

    • Users access those servers using Native File Access Protocols such as CIFS and AFP.

  • When advanced password rules are enabled for a password policy, the legacy password rules on the User object are ignored, and are updated to match the password policy rules when users change their passwords or log in.

  • The password exclusion rules (password history, excluded passwords, and disallowed attribute values) are not enforced when NMAS is used to generate random passwords.

  • When selecting password rules, you should balance the requirements for hard-to-guess passwords with hard-to-remember passwords.

  • When an administrator specifies that the NDS Password is to be removed, the result is that the NDS Password Hash is set to a random value that is unknown to anyone but eDirectory. There might or might not be a password value that could be hashed to that random value.

  • XML Password Complexity

    • If there are duplicate rule tags, the most restrictive rule is used (others are ignored) for checking passwords against the policy and for random password generation.

    • The ViolationsAllowed and NumberOfCharactersToEvaluate rule set attributes are ignored for random password generation.

    • Only the first policy in an XML policy is used for random password generation.
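The three XML Password Complexity bullets describe behaviour that is hard to predict from a policy document alone, so the following added example (not NetIQ code) makes it concrete. It parses a constructed policy with duplicate rule tags, collapses each duplicate to its most restrictive value, applies `ViolationsAllowed` only when checking a password, and consults only the first policy when generating one. The element names (`PasswordPolicies`, `Policy`, `RuleSet`, `MinLength`, `MaxLength`, `MinDigits`) and the reading of `ViolationsAllowed` as a count of tolerated rule violations are assumptions for illustration; only the `ViolationsAllowed` and `NumberOfCharactersToEvaluate` attribute names come from the text above.

```python
"""Added example, not NetIQ code: illustrates the duplicate-rule, ViolationsAllowed
and first-policy behaviours described for XML password complexity.  Element
names and the ViolationsAllowed semantics are assumptions; the XML is constructed."""
import secrets
import string
import xml.etree.ElementTree as ET

# Constructed sample: the first <Policy> carries duplicate MinLength and
# MaxLength tags; the second, more lenient <Policy> must be ignored for generation.
SAMPLE_POLICY_XML = """\
<PasswordPolicies>
  <Policy>
    <RuleSet ViolationsAllowed="1" NumberOfCharactersToEvaluate="8">
      <MinLength>8</MinLength>
      <MinLength>12</MinLength>
      <MaxLength>64</MaxLength>
      <MaxLength>32</MaxLength>
      <MinDigits>1</MinDigits>
    </RuleSet>
  </Policy>
  <Policy>
    <RuleSet>
      <MinLength>4</MinLength>
    </RuleSet>
  </Policy>
</PasswordPolicies>
"""

# Winner among duplicate tags: lower bounds keep the largest value,
# upper bounds keep the smallest.
MOST_RESTRICTIVE = {"MinLength": max, "MaxLength": min, "MinDigits": max}


def load_policies(xml_text=SAMPLE_POLICY_XML):
    return ET.fromstring(xml_text)


def effective_rules(policy):
    """Collapse duplicate rule tags in one <Policy> to the most restrictive value."""
    rules = {}
    for rule in policy.iter():
        if rule.tag in MOST_RESTRICTIVE:
            value = int(rule.text)
            rules[rule.tag] = (MOST_RESTRICTIVE[rule.tag](rules[rule.tag], value)
                               if rule.tag in rules else value)
    return rules


def count_violations(password, rules):
    violations = 0
    if len(password) < rules.get("MinLength", 0):
        violations += 1
    if len(password) > rules.get("MaxLength", 10**9):
        violations += 1
    if sum(c.isdigit() for c in password) < rules.get("MinDigits", 0):
        violations += 1
    return violations


def check_password(password, policy):
    """Policy check on a user-chosen password.  ViolationsAllowed (assumed here to
    be the number of rule violations tolerated in the rule set) applies only to
    this check, not to random generation."""
    ruleset = policy.find("RuleSet")
    allowed = int(ruleset.get("ViolationsAllowed", "0")) if ruleset is not None else 0
    return count_violations(password, effective_rules(policy)) <= allowed


def generate_password(root):
    """Random generation: only the first <Policy> is consulted, every effective
    rule is met strictly, and ViolationsAllowed / NumberOfCharactersToEvaluate
    are ignored."""
    rules = effective_rules(root.find("Policy"))
    length = rules.get("MinLength", 12)
    rng = secrets.SystemRandom()
    chars = [rng.choice(string.digits) for _ in range(rules.get("MinDigits", 0))]
    chars += [rng.choice(string.ascii_letters + string.digits)
              for _ in range(length - len(chars))]
    rng.shuffle(chars)
    return "".join(chars)


if __name__ == "__main__":
    root = load_policies()
    print("effective rules:", effective_rules(root.find("Policy")))
    print("generated:", generate_password(root))
```

A practical consequence worth checking in your own policies: with `ViolationsAllowed="1"` a user-chosen password that breaks exactly one rule (such as being too short) is accepted, while generated passwords always satisfy every rule. Running `effective_rules` over an exported policy shows which of several duplicate values is actually in force.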

For additional information on Universal Password security, see Section 26.0, Managing Passwords.

24.8.5 SDI Key

You should make the Security Domain Infrastructure (SDI) key, also known as the tree key, a Triple DES (3DES) key. The SDI key can be checked and upgraded by using the SDIDiag utility. See Section 26.0, Managing Passwords.

From eDirectory 9.0 onwards, an AES 256-bit tree key is also supported. For more information, see Creating an AES 256-Bit Tree Key.