This section describes how to install, set up, and configure login and post-login methods and sequences for NMAS.
NMAS provides multiple login methods to choose from, based on the three login factors (password, physical device, and biometric authentication).
NMAS includes support for a number of login and post-login methods from OpenText and from third-party authentication developers. Some methods require additional hardware and software. Make sure that you have all of the necessary hardware and software for the methods you will use.
NMAS includes several login methods in the software build. Other login methods are available from third-party vendors.
See the OpenText Partners Web site for a list of OpenText eDirectory partners. Some partners develop third-party login methods.
You have three ways of installing a login method for use in OpenText eDirectory:
nmasinst utility (Linux and Windows), which allows you to install login methods into OpenText eDirectory.
OpenText Identity Console (Linux and Windows), which allows you to install login and post-login methods into OpenText eDirectory.
From the server console command line, enter:
nmasinst -addmethod admin.context treename config.txt_path [-h hostname[:port]] [-w password|file:<filename>|env:<environment_variable>] [-checkversion] [-d]
admin.context: The admin name and context.
treename: The name of the OpenText eDirectory tree where you are installing the login method.
config.txt_path: The complete or relative path to the config.txt file of the login method. A config.txt file is provided with each login method.
[-h hostname[:port]]: (Optional) The hostname and port of the server. Use this if OpenText eDirectory is not running on the default port. You can also specify the IP address. OpenText eDirectory 9.2 supports both IPv4 and IPv6 addresses. For example:
IPv4: -h 127.0.0.1:8443
IPv6: -h [2001:db8::6]:8443
[-w password|file:<filename>|env:<environment_variable>]: This option allows you to specify the password using one of the following methods:
On the command line. For example: -w n
Through a file. For example: -w file:/tmp/passwd
Through an environment variable. For example: -w env:PASSWD
[-checkversion]: This option reports an error if the installed method version is the same as or newer than the method version being installed.
[-d]: Delete methods for unsupported platforms.
If the login method already exists, nmasinst updates it.
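An added example, not part of the OpenText documentation: a POSIX shell wrapper around the -addmethod syntax above that passes the password with -w file: so it never appears in the process argument list or shell history, and refuses a password file that group or other can read. The function names, the NMASINST override variable and every argument value are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: wrapper around the nmasinst -addmethod syntax shown above.
# All values passed to it (admin name, tree, paths, host) are placeholders.

NMASINST="${NMASINST:-nmasinst}"   # set to "echo nmasinst" for a dry run

# Succeeds only if the argument is a regular, non-symlink file whose group
# and other permission bits are all clear (for example mode 0600 or 0400).
pwfile_is_private() {
    [ -f "$1" ] && [ ! -L "$1" ] || return 1
    [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ]
}

# install_method ADMIN.CONTEXT TREENAME CONFIG_TXT PWFILE [HOST[:PORT]]
install_method() {
    admin=$1 tree=$2 config=$3 pwfile=$4 host=${5:-}
    if [ ! -r "$config" ]; then
        echo "config.txt not readable: $config" >&2
        return 2
    fi
    if ! pwfile_is_private "$pwfile"; then
        echo "refusing: $pwfile must be a regular file only its owner can access" >&2
        return 3
    fi
    # -w file: keeps the password out of argv; -checkversion makes nmasinst
    # report an error when the installed method is the same version or newer.
    if [ -n "$host" ]; then
        $NMASINST -addmethod "$admin" "$tree" "$config" -h "$host" \
            -w "file:$pwfile" -checkversion
    else
        $NMASINST -addmethod "$admin" "$tree" "$config" \
            -w "file:$pwfile" -checkversion
    fi
}
```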
Launch OpenText Identity Console.
Authenticate to the OpenText eDirectory tree as an administrator or a user with administrative rights.
On the OpenText Identity Console home page, click Authentication Management > Login Methods and Sequences.
Click the Login Methods tab.
Click Install Login Methods.
Browse for and select the login method (.zip) file you want to install, then click Next.
Follow the installation wizard to completion.
When a login method vendor provides an update for a login or post-login method, you can update the method by doing the following:
Use the same procedure you used to install a login method with the nmasinst utility (see Using the nmasinst Utility to Update a Login Method). Include the path to the new config.txt file and the login method is updated.
Launch OpenText Identity Console.
Authenticate to the OpenText eDirectory tree as an administrator or a user with administrative rights.
On the Authentication Management tile, click Login Methods.
Select the login method you want to update.
On the login method property page, click Update Method.
Follow the update wizard to completion.
When you install a login method, you are asked if you want to create a login sequence that uses only the login method you are installing. If you answer yes, a login sequence is created for you that contains just the one login method.
You can also manually create and manage login sequences. After login and post-login methods are installed, you can view, add, modify, or delete login sequences by using OpenText Identity Console. Login sequences are not created when methods are modified or updated.
In NMAS, you can set up multiple login and post-login methods per sequence. You must have at least one login method selected to be able to select a post-login method.
When multiple methods are selected for a sequence, they are executed in the order they are listed. Login methods are executed first, then post-login methods.
A login sequence can be an And or an Or sequence. An And sequence is successful if all of the login methods successfully validate the identity of the user. An Or sequence only requires that one of the login methods validate the identity of the user for the login to be successful.
The post-login methods are only executed if the login is successful, regardless of the And/Or relationship.
After a sequence is created, you can authorize users to use the new sequence to log in to OpenText eDirectory.
Launch OpenText Identity Console.
Authenticate to the OpenText eDirectory tree as an administrator or a user with administrative rights.
Click Authentication Management > Login Method Sequences.
Click Create and specify a name for the new login sequence.
All available methods are listed under Available Login Methods and Available Post-Login Methods.
Select the Sequence Type from the list.
If you select And, a user must log in using every login method that makes up the login sequence. If you select Or, the user only needs to log in using one of the login methods that makes up the login sequence.
Use the arrows to add each desired method to the sequence.
If you are using multiple methods, use the vertical arrows to change the execution order.
The Sequence Grade field displays the grade for the login sequence. For And sequences, the sequence grade is the union of the grades of the login methods. For Or sequences, the sequence grade is the intersection of the method grades.
Click Create to save the login sequence.
Launch OpenText Identity Console.
Authenticate to the OpenText eDirectory tree as an administrator or a user with administrative rights.
Go to the Authentication Management tile > Login Method Sequences.
Click Login Method Sequences. The sequence Name, Grade, Authorized and Default lists are displayed, and the Login Methods and Post-Login methods are listed.
Select an action:
Click the create icon to create a login method sequence. Specify the Name and select the Sequence Type from the drop-down list. All the available methods appear in the Available Login Methods and Available Post-Login Methods lists.
Click the modify icon to modify the existing login method sequence.
NOTE: You must have at least one login method selected in order to select a post-login method.
To change the sequence order of the Login Methods, use the up-arrow and down-arrow.
To change the Sequence Type, use the drop-down list next to Sequence Type.
Click Save or click Cancel to exit without saving changes.
IMPORTANT: Login sequences that don't have a method associated with them are not saved.
Click OK.
Launch OpenText Identity Console.
Authenticate to the OpenText eDirectory tree as an administrator or a user with administrative rights.
Go to Authentication Management > Login Method Sequences.
Select the login sequence you want to delete, then click Delete to remove the login method sequence.
If one or more login sequences still use the login method, a warning message appears.
Click OK.
Authorized and default login sequences can be assigned to a user, a container, a partition root, or the login policy object. NMAS searches for the authorized or default login sequences for a user by attempting to read the attributes from first the User object, then the container of the user object, then the partition root of the user object, and finally the login policy object.
The attributes found with the User object supersede any attributes found with container, partition root, or login policy object. If a login sequence has been assigned to a partition root, that login sequence applies to all the users under that partition root only if a login sequence has not already been individually assigned to specific users.
Also, a login sequence assigned to a container applies only to the users with unassigned sequences in that container, and not to the users in subcontainers of that container.
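An added example, not NMAS code: a small POSIX shell model of the search order described above, showing that a user in a subcontainer skips the parent container's assignment and falls through to the partition root. The object names, the sequence names and the "Login Policy" key are constructed sample data, and DNs containing escaped commas are not handled.

```shell
#!/bin/sh
# Added example: a model of the lookup order described above, not NMAS code.
# ASSIGNMENTS is constructed sample data: "object|default login sequence".
ASSIGNMENTS='cn=ann,ou=sales,o=acme|Smartcard And Password
ou=sales,o=acme|Simple Password
o=acme|NDS
Login Policy|Challenge Response'

# Print the sequence assigned directly to one object; fail if there is none.
assigned_to() {
    printf '%s\n' "$ASSIGNMENTS" | awk -F'|' -v dn="$1" \
        '$1 == dn { print $2; found = 1; exit } END { exit !found }'
}

# effective_sequence USER_DN PARTITION_ROOT_DN
# Checks, in order: the User object, the user's immediate container, the
# partition root, then the login policy object. Containers that sit between
# the immediate container and the partition root are never consulted.
effective_sequence() {
    user=$1 root=$2
    container=${user#*,}          # strip the leftmost RDN
    for obj in "$user" "$container" "$root" "Login Policy"; do
        if found=$(assigned_to "$obj"); then
            printf '%s (from %s)\n' "$found" "$obj"
            return 0
        fi
    done
    return 1
}

# Sample calls, all with o=acme as the partition root:
#   effective_sequence 'cn=ann,ou=sales,o=acme' 'o=acme'          user-level assignment wins
#   effective_sequence 'cn=bob,ou=sales,o=acme' 'o=acme'          immediate container applies
#   effective_sequence 'cn=eve,ou=emea,ou=sales,o=acme' 'o=acme'  ou=sales is skipped
```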
Launch OpenText Identity Console.
Authenticate to the OpenText eDirectory tree as an administrator or a user with administrative rights.
Go to the Authentication Management tile > Login Method Sequences.
Select the login sequence, then click Authorize Login Sequence Method to authorize, or click Unauthorize Login Sequence Method to unauthorize, the selected login method sequence. Alternatively, click the down arrow to authorize or unauthorize the sequence, and click the upside-down arrow to reorder the sequence list.
Under the Default list, only authorized login sequence methods can be set to Default. Use the toggle icon to perform this action.
To set a default login sequence so that users are not required to specify a login sequence when logging in:
Launch OpenText Identity Console.
Authenticate to the OpenText eDirectory tree as an administrator or a user with administrative rights.
Go to the Authentication Management tile > Login Method Sequences.
Select an authorized login sequence under the Default list, then click the toggle icon.
The sequence you select will be the default login sequence. If a user attempts to log in without using a login sequence, this default login sequence is used.
NOTE: If a workstation is unable to execute the user’s default login sequence, the NDS password login method is used.
For more information on how to assign login sequences, see Assigning Login Sequences.
NMAS in OpenText Identity Console does not allow you to delete a login method if that method is part of any login sequence. The default installation of a login method creates a login sequence containing only that method. As a result, most methods exist in at least one sequence.
NOTE: nmasinst does not have an option to remove NMAS methods. Removal must be done through OpenText Identity Console.
To delete a login method, you must complete the following two procedures:
To use OpenText Identity Console to remove the login method for any login sequence:
On the OpenText Identity Console home page, click Authentication Management > Login Method Sequences.
For each sequence in the Login Method Sequences list:
Click the sequence name.
Verify that the login method you will be deleting is not listed in the Login Methods or Post-Login Methods lists.
If the login method is listed as one of the selected methods, you can remove it from the list by selecting it and clicking the left-arrow.
When the login method has been removed from all login sequences, you can then delete it. See Deleting the Login Method.
To use OpenText Identity Console to delete the login method:
On the OpenText Identity Console home page, click Authentication Management > Login Methods.
Select the login method or methods you want to delete.
Click Delete, then click OK.