24.3 Managing Login and Post-Login Methods and Sequences

This section describes how to install, set up, and configure login and post-login methods and sequences for NMAS.

NMAS provides multiple login methods to choose from, based on the three login factors (password, physical device or token, and biometric authentication).

NMAS includes support for a number of login and post-login methods from NetIQ and from third-party authentication developers. Some methods require additional hardware and software. Make sure that you have all of the necessary hardware and software for the methods you will use.

NMAS includes several login methods in the software build. Other login methods are available from third-party vendors.

See the NetIQ Partners Web site for a list of eDirectory partners. Some partners develop third-party login methods.

24.3.1 Ways of Installing a Login Method

You have two ways of installing a login method for use in NetIQ eDirectory:

  • nmasinst utility (Linux and Windows), which allows you to install login methods into eDirectory.

  • NetIQ iManager (Linux and Windows), which allows you to install login and post-login methods into eDirectory.

Using the nmasinst Utility to Install a Login Method

From the server console command line, enter:

nmasinst -addmethod admin.context treename config.txt_path [-h hostname[:port]] [-w password|file:<filename>|env:<environment_variable>] [-checkversion] [-d]

  • admin.context: The admin name and context.

  • treename: The name of the eDirectory tree where you are installing the login method.

  • config.txt_path: The complete or relative path to the config.txt file of the login method. A config.txt file is provided with each login method.

  • [-h hostname[:port]]: (Optional) The hostname and port of the server. Use this if eDirectory is not running on the default port. You can also specify the IP address. eDirectory 9.1 supports both IPv4 and IPv6 addresses. For example:

    • IPv4: -h 127.0.0.1:8443

    • IPv6: -h [2001:db8::6]:8443

  • [-w password|file:<filename>|env:<environment_variable>]: This option allows you to specify the password using one of the following methods:

    • On the command line. For example: -w n. A password given this way is visible to other users of the server in the process list and may be recorded in the shell history, so prefer one of the two forms below on a shared server.

    • Through a file. For example: -w file:/tmp/passwd. Restrict the file to the invoking user (mode 600) and remove it when the installation is complete.

    • Through an environment variable. For example: -w env:PASSWD

  • [-checkversion]: This option reports an error if the installed method version is the same or newer than the method version being installed.

  • [-d]: Delete methods for unsupported platforms.

If the login method already exists, nmasinst updates it.
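The following script is an example added here by the editor and is not part of the NetIQ documentation or product. It assembles an nmasinst -addmethod invocation with the syntax shown above while keeping the admin password off the command line (it is passed as env: or as a permission-checked file:), and brackets an IPv6 literal before appending the port. The helper names, the NMAS_ADMIN_PW variable name and the sample values are this example's own assumptions.

```python
"""Drive nmasinst -addmethod from a script without exposing the admin password.

Example added by the editor; not part of the NetIQ documentation or product.
Only the nmasinst syntax documented above is assumed; the helper names, the
NMAS_ADMIN_PW variable name and the sample values are this example's own.
"""
import ipaddress
import os
import stat
import subprocess
from typing import List, Mapping, Optional

PW_ENV = "NMAS_ADMIN_PW"  # assumed variable name, consumed via -w env:NMAS_ADMIN_PW


def host_arg(host: str, port: Optional[int] = None) -> str:
    """Format the -h value; an IPv6 literal must be bracketed before the port."""
    try:
        literal = ipaddress.ip_address(host)
    except ValueError:
        literal = None  # a hostname rather than an IP literal
    if literal is not None and literal.version == 6:
        host = f"[{host}]"
    return host if port is None else f"{host}:{port}"


def check_password_file(path: str) -> None:
    """Refuse a -w file: argument that group or others can read."""
    mode = os.stat(path).st_mode
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path} is accessible to group/other; use mode 600")


def build_argv(
    admin_dn: str,
    tree: str,
    config_path: str,
    host: Optional[str] = None,
    port: Optional[int] = None,
    password_file: Optional[str] = None,
    check_version: bool = True,
    drop_unsupported: bool = False,
    env: Mapping[str, str] = os.environ,
) -> List[str]:
    """Assemble the nmasinst argument vector. The password never appears in
    argv: it is passed as file:<path> (after a permission check) or as
    env:<name>, so it does not show up in ps output or shell history."""
    argv = ["nmasinst", "-addmethod", admin_dn, tree, config_path]
    if host:
        argv += ["-h", host_arg(host, port)]
    if password_file:
        check_password_file(password_file)
        argv += ["-w", f"file:{password_file}"]
    elif PW_ENV in env:
        argv += ["-w", f"env:{PW_ENV}"]
    else:
        raise RuntimeError(f"export {PW_ENV} or pass password_file")
    if check_version:
        argv.append("-checkversion")  # error if the installed version is the same or newer
    if drop_unsupported:
        argv.append("-d")  # delete methods for unsupported platforms
    return argv


def install_method(argv: List[str]) -> str:
    """Run nmasinst and return its stdout; a non-zero exit becomes an exception."""
    config_path = argv[4]
    if not os.path.isfile(config_path):
        raise FileNotFoundError(f"config.txt not found: {config_path}")
    proc = subprocess.run(argv, capture_output=True, text=True)
    if proc.returncode != 0:
        raise RuntimeError(f"nmasinst exited {proc.returncode}: {proc.stderr.strip()}")
    return proc.stdout


if __name__ == "__main__":
    # Sample values are constructed for illustration.
    cmd = build_argv("admin.acme", "ACME_TREE", "/opt/methods/challenge/config.txt",
                     host="2001:db8::6", port=8443)
    print(" ".join(cmd))
    print(install_method(cmd))
```

Because nmasinst updates a method that already exists, leaving -checkversion on (the default here) is what turns an accidental downgrade or re-install of the same version into a visible error instead of a silent overwrite.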

Using NetIQ iManager to Install a Login or Post-Login Method

  1. Launch NetIQ iManager.

  2. Authenticate to the eDirectory tree as an administrator or a user with administrative rights.

  3. On the Roles and Tasks menu, click NMAS > NMAS Login Methods.

  4. Click New.

  5. Browse for and select the login method (.zip) file you want to install, then click Next.

  6. Follow the installation wizard to completion.

24.3.2 Updating Login and Post-Login Methods

When a login method vendor provides an update for a login or post-login method, you can update the method by doing the following:

Using the nmasinst Utility to Update a Login Method

Use the same procedure you used to install a login method with the nmasinst utility (see Using the nmasinst Utility to Install a Login Method). Include the path to the new config.txt file and the login method is updated.

Using iManager to Update a Login Method

  1. Launch iManager.

  2. Authenticate to the eDirectory tree as an administrator or a user with administrative rights.

  3. On the Roles and Tasks menu, click NMAS > NMAS Login Methods.

  4. Click the login method you want to update.

  5. On the login method property page, click Update Method.

  6. Follow the update wizard to completion.

24.3.3 Managing Login Sequences

When you install a login method, you are asked if you want to create a login sequence that uses only the login method you are installing. If you answer yes, a login sequence is created for you that contains just the one login method.

You can also manually create and manage login sequences. After login and post-login methods are installed, you can view, add, modify, or delete login sequences by using iManager. Login sequences are not created when methods are modified or updated.

In NMAS, you can set up multiple login and post-login methods per sequence. You must have at least one login method selected to be able to select a post-login method.

When multiple methods are selected for a sequence, they are executed in the order they are listed. Login methods are executed first, then post-login methods.

A login sequence can be an And or an Or sequence. An And sequence is successful if all of the login methods successfully validate the identity of the user. An Or sequence only requires that one of the login methods validate the identity of the user for the login to be successful.

The post-login methods are only executed if the login is successful, regardless of the And/Or relationship.

After a sequence is created, you can authorize users to use the new sequence to log in to eDirectory.

Creating a New Login Sequence by Using NetIQ iManager

  1. Launch iManager.

  2. Authenticate to the eDirectory tree as an administrator or a user with administrative rights.

  3. From the Roles and Tasks menu, click NMAS > NMAS Login Sequences.

  4. Click New and specify a name for the new login sequence.

    All available methods are listed under Available Login Methods and Available Post-Login Methods.

  5. Select the Sequence Type from the drop-down list.

    If you select And, a user must log in using every login method that makes up the login sequence. If you select Or, the user only needs to log in using one of the login methods that makes up the login sequence.

  6. Use the horizontal arrows to add each desired method to the sequence.

    If you are using multiple methods, use the vertical arrows to change the execution order.

    The Sequence Grade field displays the grade for the login sequence. For And sequences, the sequence grade is the union of the grades of the login methods. For Or sequences, the sequence grade is the intersection of the method grades.

  7. Click Finish to save the login sequence.
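The model below is an example added by the editor, not NMAS code, to make the sequence rules stated above concrete: methods run in the order listed, an And sequence needs every login method to validate the user, an Or sequence needs only one, post-login methods run only after a successful login regardless of the And/Or relationship, a sequence with no login method is rejected, and the Sequence Grade is the union (And) or intersection (Or) of the method grades. The method names, grade labels and credentials are constructed; the short-circuit rule (And stops at the first failure, Or at the first success) is this model's own assumption.

```python
"""Model of NMAS login-sequence semantics: ordered execution, And/Or outcome,
post-login methods only after a successful login, and union/intersection
grades. Editor's example; not NMAS code. Method names, grade labels and the
credentials are constructed, and the short-circuit rule is an assumption.
"""
import hmac
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple


@dataclass
class Method:
    name: str
    grades: Set[str]
    check: Callable[[Dict[str, str]], bool]  # True if the factor validates the user


@dataclass
class LoginSequence:
    name: str
    seq_type: str  # "And" or "Or"
    login_methods: List[Method] = field(default_factory=list)
    post_login_methods: List[Method] = field(default_factory=list)

    def validate(self) -> None:
        """Mirror the iManager rules: a type of And/Or and at least one login
        method (which is also the precondition for any post-login method)."""
        if self.seq_type not in ("And", "Or"):
            raise ValueError(f"{self.name}: sequence type must be And or Or")
        if not self.login_methods:
            raise ValueError(f"{self.name}: a sequence with no login method is not saved")

    def grade(self) -> Set[str]:
        """Sequence Grade: union of method grades for And, intersection for Or."""
        self.validate()
        grades = [m.grades for m in self.login_methods]
        if self.seq_type == "And":
            return set().union(*grades)
        return set.intersection(*grades)

    def execute(self, creds: Dict[str, str]) -> Tuple[bool, List[Tuple[str, bool]]]:
        """Run the sequence; returns (logged_in, trace of (method, result))."""
        self.validate()
        trace: List[Tuple[str, bool]] = []
        for m in self.login_methods:  # login methods first, in listed order
            ok = m.check(creds)
            trace.append((m.name, ok))
            if self.seq_type == "And" and not ok:
                break  # one failed factor fails an And sequence (assumed short-circuit)
            if self.seq_type == "Or" and ok:
                break  # one validated factor satisfies an Or sequence (assumed short-circuit)
        results = [ok for _, ok in trace]
        logged_in = all(results) if self.seq_type == "And" else any(results)
        if logged_in:  # post-login methods never run for a failed login
            for m in self.post_login_methods:
                trace.append((m.name, m.check(creds)))
        return logged_in, trace


# Constructed sample methods: a password check and a one-time-code check.
SAMPLE_PASSWORD = "correct horse"
SAMPLE_OTP = "492817"
PASSWORD = Method("Password", {"Password"},
                  lambda c: hmac.compare_digest(c.get("password", ""), SAMPLE_PASSWORD))
TOKEN = Method("Token", {"Physical Device"},
               lambda c: hmac.compare_digest(c.get("otp", ""), SAMPLE_OTP))
SCREEN_LOCK = Method("Screen Lock", set(), lambda c: True)  # post-login method

TWO_FACTOR = LoginSequence("PasswordAndToken", "And", [PASSWORD, TOKEN], [SCREEN_LOCK])
EITHER = LoginSequence("PasswordOrToken", "Or", [PASSWORD, TOKEN], [SCREEN_LOCK])

if __name__ == "__main__":
    print(TWO_FACTOR.grade(), EITHER.grade())
    print(TWO_FACTOR.execute({"password": SAMPLE_PASSWORD}))
    print(EITHER.execute({"otp": SAMPLE_OTP}))
```

The grade rule is the part worth noticing when you design sequences: an Or sequence of a password method and a token method carries only the grades the two have in common, which here is nothing, so the sequence is only as strong as its weakest branch, whereas the And sequence accumulates both factors.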

Modifying a Login Sequence

  1. Launch iManager.

  2. Authenticate to the eDirectory tree as an administrator or a user with administrative rights.

  3. On the Roles and Tasks menu, click NMAS > NMAS Login Sequences.

  4. Click a login sequence name.

    The sequence grade and sequence type are displayed and the login and post-login methods are listed. All of the available methods appear in the Available Login Methods and Available Post-Login Methods lists.

  5. Select an action:

    • To change the sequence type, use the drop-down list next to sequence type.

    • To add or remove login or post-login methods from a sequence, use the left-arrow and right-arrow.

      NOTE: You must have at least one login method selected in order to select a post-login method.

    • To change the sequence order of the login methods, use the up-arrow and down-arrow.

    • To exit without saving changes, click Cancel.

    IMPORTANT: Login sequences that don't have a method associated with them are not saved.

  6. Click Apply or OK.

Deleting a Login Sequence

  1. Launch iManager.

  2. Authenticate to the eDirectory tree as an administrator or a user with administrative rights.

  3. On the Roles and Tasks menu, click NMAS > NMAS Login Sequences.

  4. Select the login sequence you want to delete, then click Delete.

  5. Click Apply or OK.

24.3.4 Authorizing Login Sequences for Users

Assigning Login Sequences

Authorized and default login sequences can be assigned to a user, a container, a partition root, or the login policy object. NMAS searches for the authorized or default login sequences for a user by attempting to read the attributes from first the User object, then the container of the user object, then the partition root of the user object, and finally the login policy object.

The attributes found with the User object supersede any attributes found with container, partition root, or login policy object. If a login sequence has been assigned to a partition root, that login sequence applies to all the users under that partition root only if a login sequence has not already been individually assigned to specific users.

Also, a login sequence assigned to a container applies only to the users with unassigned sequences in that container, and not to the users in subcontainers of that container.
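The following resolver is an example added by the editor, not NMAS code, that implements the search order just described over an in-memory map of dotted eDirectory names: the User object is consulted first, then the user's own container, then the partition root, then the login policy object, and the first holder that carries an assignment wins. It also reproduces the scoping rule that a container assignment reaches only the users directly in that container, while a partition-root assignment reaches every user under it who has no individual assignment. The DNs, sequence names and the login policy object name are constructed.

```python
"""Resolve which login-sequence assignment applies to a user, in the NMAS
search order: User object, user's container, partition root, login policy
object. Editor's example; not NMAS code. DNs, sequence names and the login
policy object name are constructed.
"""
from typing import List, Mapping, Optional, Tuple

LOGIN_POLICY_DN = "Login Policy.Security"  # constructed name for the policy object


def container_of(dn: str) -> Optional[str]:
    """Parent of a dotted name: 'alice.eng.acme' -> 'eng.acme'."""
    return dn.split(".", 1)[1] if "." in dn else None


def search_path(user_dn: str, partition_root: str) -> List[str]:
    """Holders consulted, in order. Only the user's immediate container is
    checked; containers between it and the partition root are skipped, which
    is why a container assignment does not reach users in subcontainers."""
    path = [user_dn]
    container = container_of(user_dn)
    if container is not None:
        path.append(container)
    path += [partition_root, LOGIN_POLICY_DN]
    return path


def resolve(user_dn: str, partition_root: str,
            assignments: Mapping[str, str]) -> Tuple[Optional[str], Optional[str]]:
    """Return (sequence, holder_dn) for the first holder in the search path that
    carries an assignment, or (None, None) when nothing is assigned anywhere.
    Use the same function for the authorized-sequence and default-sequence
    attributes; each is resolved independently."""
    for holder in search_path(user_dn, partition_root):
        if holder in assignments:
            return assignments[holder], holder
    return None, None


# Constructed sample: default login sequences assigned at four levels.
DEFAULTS = {
    "alice.eng.acme": "PasswordAndToken",  # individual user assignment
    "eng.acme": "Password",                # container assignment
    "acme": "PasswordOnly",                # partition root assignment
    LOGIN_POLICY_DN: "NDS",                # login policy object
}

if __name__ == "__main__":
    for user in ("alice.eng.acme", "carol.eng.acme", "bob.qa.eng.acme", "dave.sales.acme"):
        print(user, "->", resolve(user, "acme", DEFAULTS))
```

The case to check when auditing assignments is a user like bob.qa.eng.acme: an administrator who set a stronger default on eng.acme may expect it to cover qa.eng.acme as well, but the lookup skips that intermediate container and falls through to the partition root.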

Authorizing a Login Sequence

  1. Launch iManager.

  2. Authenticate to the eDirectory tree as an administrator or a user with administrative rights.

  3. On the Roles and Tasks menu, click NMAS > NMAS Users, select the user you want to authorize the login sequences for, then click the NMAS tab.

  4. Authorize or de-authorize a login sequence for a user by selecting the login sequence and clicking Authorize or De-authorize.

  5. Click Apply or OK.

24.3.5 Setting Default Login Sequences

To set a default login sequence so that users are not required to specify a login sequence when logging in:

  1. Launch iManager.

  2. Authenticate to the eDirectory tree as an administrator or a user with administrative rights.

  3. On the Roles and Tasks menu, click NMAS > NMAS Users, select the user you want to set the default login sequence for, then click the NMAS tab.

  4. Select an authorized login sequence, then click Make Default.

    The sequence you select will be the default login sequence. If a user attempts to log in without using a login sequence, this default login sequence is used.

  5. Click Apply or OK.

NOTE: If a workstation is unable to execute the user’s default login sequence, the NDS password login method is used.

For more information on how to assign login sequences, see Assigning Login Sequences.

24.3.6 Deleting a Login Method

The NMAS iManager plug-in does not allow you to delete a login method if that method is part of any login sequence. The default installation of a login method creates a login sequence containing only that method. As a result, most methods exist in at least one sequence.

NOTE: nmasinst does not have an option to remove NMAS methods. Removal must be done through iManager.

To delete a login method, you must complete the following two procedures:

Removing the Login Method from Any Login Sequence

To use iManager to remove the login method from any login sequence:

  1. In iManager, click NMAS > NMAS Login Sequences.

  2. For each sequence in the NMAS Login Sequences list:

    1. Click the sequence name.

    2. Verify that the login method you will be deleting is not listed in the Login Methods or Post-Login Methods lists.

    3. If the login method is listed as one of the selected methods, remove it from the list by selecting it and clicking the left-arrow.

When the login method has been removed from all login sequences, you can then delete it. See Deleting the Login Method.

Deleting the Login Method

To use iManager to delete the login method:

  1. In iManager, click NMAS > NMAS Login Methods.

  2. Select the login method or methods you want to delete.

  3. Click Delete, then click Yes.

24.3.7 Deleting a Login Sequence

  1. Launch NetIQ iManager.

  2. Authenticate to the eDirectory tree as an administrator or a user with administrative rights.

  3. On the Roles and Tasks menu, click NMAS > NMAS Login Sequences.

  4. Select the login sequence you want to delete.

  5. Click Delete, then click Yes.