24.7 Other Administrative Tasks

24.7.1 Using the Policy Refresh Rate Command

You can configure NMAS to refresh the cached NMAS login policy from the NMAS login policy stored in the Security container at scheduled intervals instead of upon every login attempt. This configuration is set per server by using the NMAS policy refresh rate command.

NOTE:The server reads the Security container once at startup to cache the policy, and then re-reads it at the configured interval to refresh the cached copy.

The policy refresh rate command has the following syntax:

nmas RefreshRate minutes

where minutes is the number of minutes between attempts to check whether the cached NMAS login policy needs to be updated. A longer interval reduces the load on the Security container, but it also delays the point at which a change to the login policy takes effect on that server.

For information on how the policy refresh rate command can be invoked for each NMAS Server platform, see Invoking NMAS Commands.

24.7.2 Using the LoginInfo Command

With NMAS 3.2 or later, you can turn off automatic updating of certain user object login attributes by using the nmas LoginInfo <num> command. You might want to do this if the automatic updates cause the problems described below. The following sections further explain this functionality:

NMAS Login for LDAP Bind

NMAS login is enabled for LDAP Bind by default with eDirectory 9.2. When NMAS login is enabled, eDirectory automatically updates user object login attributes after the user has authenticated. The following is a non-exhaustive list of login attributes that are updated:

  • Login Time

  • Network Address

  • Last Login Time

To disable NMAS-based login for LDAP, see Disabling the NMAS Based Logins for LDAP.

Problems Caused by Automatically Updating User Object Login Attributes

The automatic updating of user object login attributes can lead to the following problems:

  • High utilization

  • Unresponsiveness

  • Client time-outs seen on busy authentication servers, especially in LDAP environments

If you experience these problems, you can regulate when the login attributes are updated. For information on how to do this, see Using the LoginInfo Command to Control LoginInfo Attributes When Attributes are Updated.

Using the LoginInfo Command to Control LoginInfo Attributes When Attributes are Updated

To control when login attributes are updated, execute the nmas LoginInfo <num> command, where <num> is one of the following:

  • 0 or off: Do not update any login attributes.

  • 1: Only update attributes that are required by intruder detection.

  • 2: Update all login attributes except unused user password policy attributes.

  • 3 or on: Update all login attributes.

For information on how to invoke the LoginInfo command for each NMAS Server platform, see Invoking NMAS Commands.

Using the sasUpdateLoginInfo and sasUpdateLoginTimeInterval Attributes

The sasUpdateLoginInfo attribute controls which login attributes are updated, using the same values as the nmas LoginInfo command.

The sasUpdateLoginTimeInterval attribute suppresses updates of a user's Login Time attribute for a specified number of minutes after each update of that attribute.

The sasUpdateLoginInfo attribute can have the following values:

  • 0 or off: Do not update any login attributes.

  • 1: Only update attributes that are required by intruder detection.

  • 2: Update all login attributes except unused user password policy attributes.

  • 3 or on: Update all login attributes.

The sasUpdateLoginTimeInterval attribute can have values from 0 to 1440 minutes (that is, one day).

  • If the value is 0, the Login Time and Last Login Time attributes are updated for every successful login.

  • If the value is between 1 and 1440 minutes, the Login Time attribute is updated at most once per interval, on the first successful login after the interval has elapsed. The Last Login Time attribute is not updated.

NOTE:The Login Time attribute is not updated on consecutive successful logins during the interval. However, if a login failure occurs during the interval and is followed by a successful login, the Login Time attribute is updated by that successful login. The interval is counted from the successful login that last updated the attribute.

The sasUpdateLoginTimeInterval attribute is effective only if the sasUpdateLoginInfo attribute value is set to 2 or 3.

The attributes can be specified for the following objects in the order of precedence (user having the highest precedence).

  • User

  • Container of the user

  • Partition root

  • Login Policy

If the sasUpdateLoginInfo and sasUpdateLoginTimeInterval attributes are set on the Login Policy object, the setting becomes effective after the next policy refresh cycle. If the attributes are not set on the user, container, partition root, or Login Policy, the value set on the server through the command line (or nmas.config) is used, to maintain backward compatibility.

Following is an example of setting the values on a Linux eDirectory server in nmas.config (the file must be in the same directory as the dib directory):

# cat nmas.config
nmas LoginInfo 2
nmas UpdateLoginTimeInterval 30

To set the attribute values at the partition root:

  1. To add the attributes to the Tree Root class, go to iManager > Schema > Add Attribute > Tree Root.

  2. Use the arrow to move each required attribute from the Available optional attributes list to the Optional attributes list.

To set the values of the attributes at the partition root, run ldapmodify with the following LDIF, either typed at the command line or supplied in an LDIF file:

dn: T=<tree name>
changetype: modify
add: sasUpdateLoginTimeInterval
sasUpdateLoginTimeInterval: 35

dn: T=<tree name>
changetype: modify
add: sasUpdateLoginInfo
sasUpdateLoginInfo: 2

You can edit the sasUpdateLoginInfo or sasUpdateLoginTimeInterval attribute values for user, container, and Login Policy objects using iManager or an ldif file.

Example:

# cat changesasUpdateLoginInfo.ldif
dn: cn=user1,o=org
changetype: modify
replace: sasUpdateLoginInfo
sasUpdateLoginInfo: 1

# cat changesasUpdateLoginTimeInterval.ldif
dn: cn=user1,o=org
changetype: modify
replace: sasUpdateLoginTimeInterval
sasUpdateLoginTimeInterval: 60

This setting suppresses updates of user1's Login Time attribute for 60 minutes after each update of that attribute. It takes effect only if user1's effective sasUpdateLoginInfo value is 2 or 3.
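The precedence and interval rules above are easy to misread, so the following added example (not NetIQ code) models them: it resolves the effective sasUpdateLoginInfo and sasUpdateLoginTimeInterval values for a user from the user, container, partition root, Login Policy and server scopes, and then walks a constructed sequence of login attempts to show which of the Login Time and Last Login Time attributes each attempt would update, including the failure-inside-the-interval case from the note. The object names, timestamps and the "server" scope values are constructed; the assumption that value 1 does not touch these two attributes is the example's, not the text's.

```python
# Added example (not NetIQ code): models how a server resolves the effective
# sasUpdateLoginInfo / sasUpdateLoginTimeInterval values by precedence and
# which of the two login-time attributes each authentication attempt updates.
# Object names, timestamps and the "server" scope values are constructed.
from dataclasses import dataclass
from typing import Optional

# Most specific scope first, exactly as the text orders them; "server" stands
# for the nmas.config / command-line value used when no object sets the attribute.
PRECEDENCE = ("user", "container", "partition_root", "login_policy", "server")


def parse_login_info(value) -> int:
    """sasUpdateLoginInfo accepts 0-3, or the aliases off (0) and on (3)."""
    if isinstance(value, str):
        aliases = {"off": 0, "on": 3}
        text = value.strip().lower()
        value = aliases[text] if text in aliases else int(text)
    if value not in (0, 1, 2, 3):
        raise ValueError(f"sasUpdateLoginInfo out of range: {value!r}")
    return value


def parse_interval(value) -> int:
    """sasUpdateLoginTimeInterval is 0..1440 minutes (at most one day)."""
    minutes = int(value)
    if not 0 <= minutes <= 1440:
        raise ValueError(f"sasUpdateLoginTimeInterval out of range: {value!r}")
    return minutes


def resolve(settings: dict, attr: str, parse):
    """settings maps a scope name to the attributes set on that object.
    The first scope in PRECEDENCE that carries attr wins; None if nobody sets it."""
    for scope in PRECEDENCE:
        values = settings.get(scope, {})
        if attr in values:
            return parse(values[attr])
    return None


@dataclass
class LoginTimeTracker:
    """Per-user state the server needs to apply the interval rule."""
    login_info: int
    interval: int                      # minutes; ignored unless login_info is 2 or 3
    last_update: Optional[int] = None  # minute at which Login Time was last written
    failed_since_update: bool = False

    def record(self, minute: int, success: bool) -> set:
        """Return which of {"Login Time", "Last Login Time"} this attempt updates."""
        if not success:
            self.failed_since_update = True
            return set()
        if self.login_info in (0, 1):
            # 0 updates nothing; 1 updates only intruder-detection attributes,
            # which we assume do not include these two (assumption, not from the text).
            return set()
        if self.interval == 0:
            self.last_update = minute
            self.failed_since_update = False
            return {"Login Time", "Last Login Time"}
        # With an interval set, Last Login Time is never written. Login Time is
        # written once the interval (counted from the last write) has elapsed, or
        # when a failure occurred since that write.
        elapsed = self.last_update is None or minute - self.last_update >= self.interval
        if elapsed or self.failed_since_update:
            self.last_update = minute
            self.failed_since_update = False
            return {"Login Time"}
        return set()


def simulate(login_info: int, interval: int, attempts) -> list:
    """attempts: iterable of (minute, success). Returns the updated-attribute
    sets per attempt, sorted for readability."""
    tracker = LoginTimeTracker(login_info, interval)
    return [sorted(tracker.record(m, ok)) for m, ok in attempts]


if __name__ == "__main__":
    # Constructed sample: the user object overrides the Login Policy and the
    # nmas.config value for sasUpdateLoginInfo but inherits the interval.
    settings = {
        "user": {"sasUpdateLoginInfo": "1"},
        "login_policy": {"sasUpdateLoginInfo": "on", "sasUpdateLoginTimeInterval": "60"},
        "server": {"sasUpdateLoginInfo": 2, "sasUpdateLoginTimeInterval": 30},
    }
    info = resolve(settings, "sasUpdateLoginInfo", parse_login_info)
    interval = resolve(settings, "sasUpdateLoginTimeInterval", parse_interval)
    print("effective sasUpdateLoginInfo:", info, " interval:", interval)
    # Constructed login sequence at minutes 0..85 against a 60-minute interval.
    attempts = [(0, True), (10, True), (20, False), (25, True), (70, True), (85, True)]
    for (minute, ok), updated in zip(attempts, simulate(2, 60, attempts)):
        print(f"t={minute:3d} {'ok  ' if ok else 'fail'} -> {updated}")
```

Running the sample shows the user-level value 1 winning over the Login Policy's "on" while the interval is inherited from the policy, and, for a 60-minute interval, Login Time being written at minutes 0, 25 (the success right after a failure) and 85, with Last Login Time never written.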

To specify the sasUpdateLoginInfo and sasUpdateLoginTimeInterval attributes from iManager:

  1. In NetIQ iManager, click the Roles and Tasks button.

  2. Click Directory Administration > Modify Object.

  3. Specify the name and context of a user, container, or login policy object, then click OK.

  4. On the General tab, select Other, then select sasUpdateLoginTimeInterval (or sasUpdateLoginInfo) in the Unvalued Attributes list.

  5. Use the arrow button to move the attribute from the Unvalued Attributes list to the Valued Attributes list, specify its value, then click Apply.

24.7.3 Disabling the NMAS Based Logins for LDAP

The NMAS login for LDAP is enabled by default in eDirectory 9.2. To disable it, set the NDSD_TRY_NMASLOGIN_FIRST environment variable to false for the eDirectory service.

To disable NMAS-based login for LDAP on Windows, right-click My Computer and select Properties. On the Advanced tab, click Environment Variables. Under System Variables, add the NDSD_TRY_NMASLOGIN_FIRST variable and set its value to false.

NOTE:On RHEL 7.x and SLES 12.x, every environment variable required by the eDirectory service, including NDSD_TRY_NMASLOGIN_FIRST, must be set in the env file located in the /etc/opt/novell/eDirectory/conf directory rather than in a shell environment.

24.7.4 Invoking NMAS Commands

How you invoke an NMAS command differs depending on what platform you are running. The following platforms are supported:

Windows

When NMAS is started, it processes the commands in the nmas.cfg file. The nmas.cfg file must be in the same directory as the dib files, which are usually in c:\novell\nds\dibfiles.

Alternatively, after NMAS has been started, use the following procedure:

  1. In the NetIQ eDirectory Services console, select nmas.dlm.

  2. Type the command in the Startup Parameters field.

  3. Click Configure.

Linux

When NMAS is started, it processes the commands in the nmas.config file. The nmas.config file must be in the same directory as the dib directory (not inside it). For example, if the dib directory is /var/opt/novell/eDirectory/data/dib, the nmas.config path is /var/opt/novell/eDirectory/data/nmas.config.

24.7.5 Setting the Delay Time for Failed Login Attempts

  1. Install the NMAS plug-in into iManager.

    The NMAS plug-in can be downloaded from the Novell Download site.

  2. In iManager, on the Roles and Tasks menu, click Directory Administration > Modify Object.

  3. Browse for and select the Login Policy object, then click OK.

  4. Click the NMAS tab, then click Settings.

  5. Type the number of seconds you want the login screen to be delayed between failed login attempts, then click OK.

24.7.6 Using DSTrace

You can use the DSTrace utility to get trace information from NMAS.

For information on how to capture an NMAS client trace, see TID # 3331372.

For information on how to capture an NMAS server trace, see TID # 3815371.

24.7.7 Disabling and Uninstalling the NMAS Client

To disable the NMAS Client:

  1. On the workstation, right-click the red N (the Novell Client icon in the system tray).

  2. Click Novell Client Properties.

  3. Click the Advanced Login tab.

  4. From the Parameter Groups list, select NMAS Authentication.

  5. Under Setting, select Off.

  6. Click OK.

To uninstall the NMAS Client, use the Add/Remove Programs option of the Windows Control Panel.

NOTE:Disabling or removing NMAS does not remove support for changing the Universal Password from the Novell Client for Windows.

24.7.8 Auditing NMAS Events

There are two products you can use to audit NMAS events:

  • NetIQ Audit Secure Logging Server

    Install the nmas_en.lsc log schema file on the NetIQ Audit Secure Logging Server. On an NMAS server, the file is located in the following directories:

    Windows: novell\nds

    Linux: /opt/novell/eDirectory/lib64/nds-schem

    For information on installing and managing NetIQ Audit, see the NetIQ Audit online documentation.

  • NetIQ Sentinel

You also need to enable NMAS auditing by using the NMAS 9.0 or later plug-in for iManager. Perform the following steps to enable NMAS auditing with the Platform Agent:

  1. Install the NMAS 9.0 or later plug-in into iManager.

    You can download the NMAS 9.0 or later plug-in from the Software License and Download portal.

  2. In iManager, on the Roles and Tasks menu, click Directory Administration > Modify Object.

  3. Browse for and select the Login Policy object, then click OK.

  4. Click the NMAS tab, then click Settings.

  5. Click the box next to Enable auditing, then click OK.

Using External Certificates with NetIQ Audit

To use an external certificate with NMAS and NetIQ Audit, you must first convert the certificate and its private key into two .pem files with the following names:

  • nmascert.pem: This is the file containing the certificate.

  • nmaskey.pem: This is the file containing the private key.

These files must be copied to the following directory on each NMAS server in the system:

  • Linux: /etc

  • Windows: the return from GetWindowsDirectory (typically c:\windows)

NMAS passes the nmascert.pem and nmaskey.pem files to the NetIQ Audit platform agent when the log is opened, if they exist. If the files do not exist, NMAS provides its internal certificate and key to the platform agent instead. Because nmaskey.pem contains the private key, restrict read access to it to the account under which the eDirectory server process runs.

Using XDAS for Auditing NMAS Events

NMAS events can be audited using XDAS. For more information, see Auditing with XDAS.