26.6 Enforcing Case-Sensitive Universal Passwords

In NetIQ eDirectory, you can enable Universal Password and make your password case-sensitive when you access the eDirectory server through the following clients and utilities:

  • Novell Client 4.9 and later

  • Administration utilities upgraded to eDirectory 9.0 or later

  • NetIQ iManager 3.0 or later, except when it is running on Windows

You can use any version of the LDAP SDK to have case-sensitive passwords.

The following table lists the platforms on which the case-sensitive password feature is supported:

Feature                                        Linux    Windows
Enforcing case-sensitive Universal Password

This chapter includes the following information:

26.6.1 Need for Case-Sensitive Passwords

Making passwords case-sensitive adds to the security of the login to the directory. For example, if you have a case-sensitive password aBc, every login attempt with a different capitalization, such as abc, Abc, or ABC, fails.

In eDirectory, you can make your passwords case-sensitive for all the clients that are upgraded to eDirectory 9.0 or later.

By enforcing the use of case-sensitive passwords, you can prevent the legacy Novell Clients from accessing the eDirectory server.

26.6.2 How to Make Your Password Case-Sensitive

In eDirectory, you can make your passwords case-sensitive for all the clients by enabling Universal Password. Universal Password is disabled by default.

Prerequisites

By default, LDAP and other server-side utilities use NDS login first and, if this fails, use the Simple Password login. For the case-sensitive password feature to work, the login needs to happen through NetIQ Modular Authentication Service (NMAS). Therefore, you need to set the NDSD_TRY_NMASLOGIN_FIRST environment variable to true to make the case-sensitive password feature available. The NMAS login is enabled by default in eDirectory. To disable the NMAS login, set NDSD_TRY_NMASLOGIN_FIRST to false.

NOTE: Using NMAS for authentication increases the time taken for login.

Making Your Password Case-Sensitive

  1. Log in to eDirectory using the existing password.

    In the case of a fresh install, the existing password is the one that you set while configuring eDirectory 9.1.

    For example, your password is “novell”.

    NOTE: This password is not case-sensitive.

  2. Enable Universal Password.

    For more information, refer to Deploying Universal Password.

  3. Log out of eDirectory.

  4. Log in to eDirectory using the existing password with the case you want.

    The password you give now will be case-sensitive.

    For example, you enter “NoVELL”.

    Your password is now “NoVELL”. Therefore, “novell” or any alternate capitalization combination other than “NoVELL” would be invalid.

If you are migrating to case-sensitive passwords, refer to Migrating to Case-Sensitive Passwords.

Any new password you set will be case-sensitive, depending on the level (object or partition) at which you have enabled Universal Password.

Managing Case-Sensitive Passwords

You can manage the case sensitivity of your passwords by enabling or disabling Universal Password through iManager. For more information, refer to Deploying Universal Password.

26.6.3 Upgrading the Legacy Novell Clients and Utilities

The following are the latest versions of the Novell clients and NetIQ utilities:

  • Novell Client 4.9

  • Administration utilities with eDirectory 9.1

  • NetIQ iManager 3.0 and later

Clients and utilities earlier than the versions listed above are legacy Novell clients.

You can have case-sensitive passwords for the legacy Novell clients after upgrading them to their latest versions. eDirectory makes the migration from your existing passwords to case-sensitive passwords easy and flexible. For more information, see Migrating to Case-Sensitive Passwords.

If you do not upgrade the legacy clients to their latest versions, these clients can be blocked from using eDirectory 9.1 at the server level.

Migrating to Case-Sensitive Passwords

Universal Password is disabled by default and, therefore, your existing passwords will not be affected until you enable Universal Password in iManager. For step-by-step instructions, refer to How to Make Your Password Case-Sensitive.

The following example explains the migration to case-sensitive passwords:

Login session 1: Universal Password is disabled by default.

  • You log in using your existing password. For example, suppose your password is netiq.

  • This password is not case-sensitive. Therefore, both netiq and NetIQ are valid passwords.

  • After you log in, you enable Universal Password. For more information, refer to Deploying Universal Password.

Login session 2: Universal Password was enabled in the previous session.

  • You log in using your existing password. For example, suppose you type the password as netIQ.

  • When Universal Password is enabled, this password becomes case-sensitive. So you must remember how you typed the password this time.

Login session 3 and subsequent logins.

  • If you log in using the password netIQ, it is valid.

  • If you log in using the password NetIQ (or any other version except netIQ), it is invalid.
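The three login sessions above, modelled in memory, together with a check an administrator could run against a dedicated test account to confirm that case is enforced after migration. This is an added example, not NetIQ code: ModelAccount, case_variants and case_variants_accepted are hypothetical names, and the model only mirrors the behaviour this section describes.

```python
# Added illustration; the names below are hypothetical, not eDirectory APIs.
from itertools import islice, product


class ModelAccount:
    """Toy stand-in for one directory account; not real NMAS logic."""

    def __init__(self, password):
        self._legacy = password         # existing password, compared without case
        self._universal = None          # fixed by the first login after enabling
        self.universal_enabled = False  # Universal Password is disabled by default

    def login(self, typed):
        if not self.universal_enabled:
            return typed.lower() == self._legacy.lower()
        if self._universal is None:
            # First login after enabling: the existing password is accepted in
            # any case, and the case typed now becomes the stored password.
            if typed.lower() != self._legacy.lower():
                return False
            self._universal = typed
            return True
        return typed == self._universal  # exact, case-sensitive match


def case_variants(password, limit=8):
    """Up to `limit` other capitalizations of a known test password."""
    choices = [sorted({c.lower(), c.upper()}) for c in password]
    variants = ("".join(p) for p in product(*choices))
    return list(islice((v for v in variants if v != password), limit))


def case_variants_accepted(try_login, password, limit=8):
    """Return the variants that were accepted; [] means case is enforced.

    try_login is any callable(password) -> bool, for example a wrapper around
    an LDAP bind for a dedicated test account. The exact password is tried
    first so that, in the window after enabling Universal Password, the check
    pins the intended case instead of a variant. Keep `limit` small: every
    rejected variant is a failed login against that account.
    """
    if not try_login(password):
        raise ValueError("known password rejected; nothing to check")
    return [v for v in case_variants(password, limit) if try_login(v)]
```

An empty result means only the exact capitalization is accepted; a non-empty result means the account is still using the case-insensitive login path.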

26.6.4 For More Information

For more information on case-sensitive passwords, refer to the iManager online help.