This section describes other administrative tasks for NMAS:
You can configure NMAS to refresh the cached NMAS login policy from the NMAS login policy stored in the Security container at scheduled intervals instead of upon every login attempt. This configuration is set per server by using the NMAS policy refresh rate command.
NOTE: The server accesses the Security container once during startup to cache the policy. Then, based on the configured interval, the server attempts to access the Security container to refresh the policy.
The policy refresh rate command has the following syntax:
nmas RefreshRate minutes
where minutes is the number of minutes between each attempt to check if the cached NMAS login policy needs to be updated.
For information on how the policy refresh rate command can be invoked for each NMAS Server platform, see Invoking NMAS Commands.
With NMAS 3.2 or later, you can turn off automatic updating of certain user object login attributes by using the LoginInfo <num> command. You might want to do this if automatically updating the attributes causes problems. The following sections further explain this functionality:
NMAS login is enabled for LDAP Bind by default with eDirectory 9.0. When NMAS login is enabled, eDirectory automatically updates user object login attributes after the user has authenticated. The following is a non-exhaustive list of login attributes that are updated:
Login Time
Network Address
Last Login Time
To disable NMAS based login for LDAP, see Disabling the NMAS Based Logins for LDAP.
The automatic updating of user object login attributes can lead to the following problems:
High utilization
Unresponsiveness
Client time-outs seen on busy authentication servers, especially in LDAP environments
If you are experiencing these problems, you might want to regulate when the login attributes are updated. For information on how to do this, see Using the LoginInfo Command to Control LoginInfo Attributes When Attributes are Updated.
To control when login attributes are updated, execute the nmas LoginInfo <num> command.
The value for <num> is as follows:
0 or off: Do not update any login attributes.
1: Only update attributes that are required by intruder detection.
2: Update all login attributes except unused user password policy attributes.
3 or on: Update all login attributes.
For information on how to invoke the LoginInfo command for each NMAS Server platform, see Invoking NMAS Commands.
The sasUpdateLoginInfo attribute controls the updates of LoginInfo attributes.
The sasUpdateLoginTimeInterval attribute controls the update of the Login Time attribute of a user for a specified interval.
The sasUpdateLoginInfo attribute can have the following values:
0 or off: Do not update any login attributes.
1: Only update attributes that are required by intruder detection.
2: Update all login attributes except unused user password policy attributes.
3 or on: Update all login attributes.
The sasUpdateLoginTimeInterval attribute can have values from 0 to 1440 minutes (that is, one day).
If the value is 0, the Login Time and Last Login Time attributes are updated for every successful login.
If the value is between 1 and 1440 minutes, the Login Time attribute is updated after the specified interval. The Last Login Time attribute will not be updated.
NOTE: The Login Time attribute is not updated on consecutive successful logins during the interval. However, if there is a login failure during the interval followed by a successful login, the Login Time attribute is updated. The interval is counted from that successful login.
The sasUpdateLoginTimeInterval attribute is effective only if the sasUpdateLoginInfo attribute value is set to 2 or 3.
The attributes can be specified on the following objects, listed in order of precedence (the user object has the highest precedence):
User
Container of the user
Partition root
Login Policy
If the sasUpdateLoginInfo and sasUpdateLoginTimeInterval are set on the Login Policy object, the setting becomes effective after the next policy refresh cycle. If the attributes are not set for the user, container, partition root, or Login Policy, the value set on a server using command line is used to maintain backward compatibility.
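The precedence and interval rules above decide, for every login attempt, whether Login Time and Last Login Time are written, which is what limits the write load on busy authentication servers. The following Python model is an added example written for this page, not NetIQ or eDirectory code: the scope names, the LoginTimeState class and the simulate() helper are assumptions. Value 1 (intruder-detection attributes only) is not modelled because the page does not list which attributes intruder detection requires.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Highest to lowest precedence, as documented: user > container > partition root > Login Policy.
SCOPES = ("user", "container", "partition_root", "login_policy")

def resolve_setting(attr: str, scopes: Dict[str, Dict[str, int]],
                    server_cmdline: Dict[str, int]) -> int:
    """Effective value of sasUpdateLoginInfo or sasUpdateLoginTimeInterval.

    `scopes` maps a scope name (see SCOPES) to the attribute values set on that object;
    `server_cmdline` holds the values given with `nmas LoginInfo` / `nmas UpdateLoginTimeInterval`,
    which apply only when no object in the precedence chain sets the attribute.
    """
    for scope in SCOPES:
        values = scopes.get(scope, {})
        if attr in values:
            return values[attr]
    return server_cmdline[attr]

@dataclass
class LoginTimeState:
    last_update: Optional[int] = None   # minute at which Login Time was last written
    failed_since_update: bool = False   # a failed login occurred inside the current interval

def login_event(state: LoginTimeState, now: int, success: bool,
                login_info: int, interval: int) -> Set[str]:
    """Return the login attributes written by one login attempt at minute `now`.

    login_info is the effective sasUpdateLoginInfo value (0, 2 or 3 here);
    interval is the effective sasUpdateLoginTimeInterval in minutes (0..1440).
    """
    if login_info not in (0, 2, 3):
        raise NotImplementedError("value 1 updates only intruder-detection attributes, "
                                  "which the page does not enumerate")
    if not 0 <= interval <= 1440:
        raise ValueError("sasUpdateLoginTimeInterval must be between 0 and 1440 minutes")
    if not success:
        # A failure inside the interval forces an update on the next successful login.
        state.failed_since_update = True
        return set()
    if login_info == 0:
        # 0/off: nothing is written; the interval is effective only for values 2 and 3.
        return set()
    if interval == 0:
        # Interval 0: both attributes are written on every successful login.
        state.last_update = now
        state.failed_since_update = False
        return {"Login Time", "Last Login Time"}
    due = (state.last_update is None
           or now - state.last_update >= interval
           or state.failed_since_update)
    if not due:
        return set()          # consecutive success inside the interval: no write
    state.last_update = now   # the next interval is counted from this successful login
    state.failed_since_update = False
    return {"Login Time"}     # Last Login Time is never written while an interval is set

def simulate(events: List[Tuple[int, bool]], login_info: int, interval: int) -> List[Set[str]]:
    """Replay (minute, success) events and collect what each one writes."""
    state = LoginTimeState()
    return [login_event(state, minute, ok, login_info, interval) for minute, ok in events]

if __name__ == "__main__":
    # Constructed sequence: success, success, failure, success, success, success.
    print(simulate([(0, True), (10, True), (20, False), (25, True), (50, True), (55, True)], 2, 30))
```

With sasUpdateLoginInfo 2 and a 30 minute interval, the constructed sequence writes Login Time at minute 0, again at minute 25 (because of the failure at minute 20) and again at minute 55, and never writes Last Login Time; the same sequence with interval 0 writes both attributes on every success.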
The following example sets the attribute values on the eDirectory server by using the nmas.config file (the nmas.config file must be in the same directory as the dib directory):
# cat nmas.config
nmas LoginInfo 2
nmas UpdateLoginTimeInterval 30
To set the attribute values at the partition root:
To add the attributes to the Tree, go to iManager > Schema > Add Attribute > Tree Root.
Use the arrow to move the required attribute from Available optional attribute list to Optional attribute list.
To set the values of the attributes at the partition root, run the ldapmodify command with the following LDIF, entered at the command line or supplied in an LDIF file:
dn: T=<tree name>
changetype: modify
add: sasUpdateLoginTimeInterval
sasUpdateLoginTimeInterval: 35

dn: T=<tree name>
changetype: modify
add: sasUpdateLoginInfo
sasUpdateLoginInfo: 2
You can edit the sasUpdateLoginInfo or sasUpdateLoginTimeInterval attribute values for user, container, and Login Policy objects by using iManager or an LDIF file.
Example:
# cat changesasUpdateLoginInfo.ldif
dn: cn=user1,o=org
changetype: modify
replace: sasUpdateLoginInfo
sasUpdateLoginInfo: 1

# cat changesasUpdateLoginTimeInterval.ldif
dn: cn=user1,o=org
changetype: modify
replace: sasUpdateLoginTimeInterval
sasUpdateLoginTimeInterval: 60
This setting disables the update of the Login Time attribute of user1 for 60 minutes after the previous update of the attribute.
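Because a wrong value in these LDIF records is either rejected by the server or silently gives the wrong update behaviour, it is worth generating and checking the records before running ldapmodify. The following Python is an added example written for this page, not NetIQ code; build_login_info_ldif and lint_login_info_ldif are hypothetical names. It enforces the documented ranges (sasUpdateLoginInfo 0 to 3, on or off; sasUpdateLoginTimeInterval 0 to 1440 minutes) and flags a "change type" line, which is not valid LDIF.

```python
import re
from typing import List, Optional

# Documented value sets for the two attributes.
LOGIN_INFO_VALUES = {"0", "1", "2", "3", "on", "off"}
INTERVAL_MAX = 1440   # minutes, that is, one day

def _record(dn: str, op: str, attr: str, value: str) -> str:
    # The trailing "-" closes the mod-spec as RFC 2849 requires; the page's own
    # examples omit it, which ldapmodify tolerates for a single modification.
    return f"dn: {dn}\nchangetype: modify\n{op}: {attr}\n{attr}: {value}\n-\n"

def build_login_info_ldif(dn: str, login_info: Optional[object] = None,
                          interval: Optional[int] = None, op: str = "replace") -> str:
    """Build LDIF modify records for sasUpdateLoginInfo and/or sasUpdateLoginTimeInterval.

    op is "add" (first time the attribute is set, as in the partition-root example)
    or "replace" (as in the user examples).
    """
    if op not in ("add", "replace"):
        raise ValueError("op must be 'add' or 'replace'")
    records = []
    if login_info is not None:
        value = str(login_info).lower()
        if value not in LOGIN_INFO_VALUES:
            raise ValueError(f"sasUpdateLoginInfo must be 0-3, on or off, got {login_info!r}")
        records.append(_record(dn, op, "sasUpdateLoginInfo", value))
    if interval is not None:
        if not isinstance(interval, int) or not 0 <= interval <= INTERVAL_MAX:
            raise ValueError(f"sasUpdateLoginTimeInterval must be 0-{INTERVAL_MAX}, got {interval!r}")
        records.append(_record(dn, op, "sasUpdateLoginTimeInterval", str(interval)))
    return "\n".join(records)

def lint_login_info_ldif(text: str) -> List[str]:
    """Return a list of problems in LDIF that sets these attributes; [] means clean."""
    problems = []
    for rec_no, record in enumerate(re.split(r"\n\s*\n", text.strip()), 1):
        fields = {}
        for line in record.splitlines():
            if not line.strip() or line.strip() == "-":
                continue
            m = re.match(r"^([A-Za-z][\w.;-]*):\s*(.*)$", line)
            if not m:
                problems.append(f"record {rec_no}: malformed line {line!r}")
                continue
            fields.setdefault(m.group(1).lower(), []).append(m.group(2).strip())
        if "dn" not in fields:
            problems.append(f"record {rec_no}: missing dn")
        if [v.lower() for v in fields.get("changetype", [])] != ["modify"]:
            problems.append(f"record {rec_no}: changetype must be 'modify'")
        for v in fields.get("sasupdatelogininfo", []):
            if v.lower() not in LOGIN_INFO_VALUES:
                problems.append(f"record {rec_no}: sasUpdateLoginInfo value {v!r} not in 0-3/on/off")
        for v in fields.get("sasupdatelogintimeinterval", []):
            if not v.isdigit() or int(v) > INTERVAL_MAX:
                problems.append(f"record {rec_no}: sasUpdateLoginTimeInterval {v!r} not in 0-{INTERVAL_MAX}")
    return problems

# Constructed sample: the same typo the page's first user example shows ("change type").
TYPO_LDIF = "dn: cn=user1,o=org\nchange type: modify\nreplace: sasUpdateLoginInfo\nsasUpdateLoginInfo: 1\n"

if __name__ == "__main__":
    print(build_login_info_ldif("cn=user1,o=org", login_info=1, interval=60))
    print(lint_login_info_ldif(TYPO_LDIF))
```

The linter reports two problems for the constructed typo record (the malformed line and the missing changetype), and none for records produced by the builder.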
To specify the sasUpdateLoginInfo and sasUpdateLoginTimeInterval attributes from iManager:
In NetIQ iManager, click the Roles and Tasks button.
Click Directory Administration > Modify Object.
Specify the name and context of a container or login policy object, then click OK.
On the General tab, select Other, then select sasUpdateLoginTimeInterval from the Unvalued Attributes list.
Use the arrow button to move sasUpdateLoginTimeInterval from the Unvalued Attributes list to the Valued Attributes list, then click Apply.
The NMAS login is enabled by default in eDirectory 9.0. To disable the NMAS login, set NDSD_TRY_NMASLOGIN_FIRST to false.
To disable NMAS based login for LDAP on Windows, right-click My Computer and select Properties. On the Advanced tab, click Environment Variables. Under System Variables, add the NDSD_TRY_NMASLOGIN_FIRST variable and set its value to false.
NOTE: On RHEL 7.x and SLES 12.x platforms, you must add all the environment variables required for the eDirectory service to the env file located in the /etc/opt/novell/eDirectory/conf directory.
How you invoke an NMAS command differs depending on what platform you are running. The following platforms are supported:
Windows: When NMAS is started, it processes the commands in the nmas.cfg file. The nmas.cfg file must be in the same directory as the dib files, which are usually in c:/novell/nds/dibfiles.
or
After NMAS has been started, use the following procedure:
In the NetIQ eDirectory Services console, select nmas.dlm.
Type the command in the Startup Parameters field.
Click Configure.
Linux: When NMAS is started, it processes the commands in the nmas.config file. The nmas.config file must be in the same directory as the dib directory. For example, if the dib directory path is /var/opt/novell/eDirectory/data/dib, then the nmas.config file path is /var/opt/novell/eDirectory/data/nmas.config.
Install the NMAS plug-in into iManager.
The NMAS plug-in can be downloaded from the Novell Download site.
In iManager, on the Roles and Tasks menu, click Directory Administration > Modify Object.
Browse for and select the Login Policy object, then click OK.
Click the NMAS tab, then click Settings.
Type the number of seconds you want the login screen to be delayed between failed login attempts, then click OK.
You can use the DSTrace utility to get trace information from NMAS.
For information on how to capture an NMAS client trace, see TID # 3331372.
For information on how to capture an NMAS server trace, see TID # 3815371.
To disable the NMAS Client:
On the workstation, right-click the Red N.
Click Novell Client Properties.
Click the Advanced Login tab.
From the Parameter Groups list, select NMAS Authentication.
Under Setting, select Off.
Click OK.
To uninstall the NMAS Client, use the Add/Remove Programs option of the Windows Control Panel.
NOTE: Disabling or removing NMAS does not remove support for changing the Universal Password from the Novell Client for Windows.
There are two products you can use to audit NMAS events:
NetIQ Audit Secure Logging Server
You can use the NetIQ Audit Secure Logging Server to install the nmas_en.lsc file. This file is located in the following directories:
Windows: novell\nds
Linux: /opt/novell/eDirectory/lib64/nds-schem
For information on installing and managing NetIQ Audit, see the NetIQ Audit online documentation.
NetIQ Sentinel
You also need to enable NMAS Audit by using the NMAS 9.0 or later plug-in for iManager. Perform the following steps to enable NMAS audit with Platform Agent.
Install the NMAS 9.0 or later plug-in into iManager.
You can download the NMAS 9.0 or later plug-in from the NetIQ Download site.
In iManager, on the Roles and Tasks menu, click Directory Administration > Modify Object.
Browse for and select the Login Policy object, then click OK.
Click the NMAS tab, then click Settings.
Click the box next to Enable auditing, then click OK.
To use an external certificate with NMAS and NetIQ Audit, you must first convert the certificate into two .pem files with the following names:
nmascert.pem: This is the file containing the certificate.
nmaskey.pem: This is the file containing the private key.
These files need to be copied to the following directories on each platform for each NMAS server in the system:
Linux: /etc
Windows: the directory returned by GetWindowsDirectory (typically c:\windows)
NMAS provides the nmascert.pem and nmaskey.pem files to the NetIQ Audit platform agent when the log is opened, if they exist. If the files do not exist, NMAS provides its internal certificate and key to the NetIQ Audit platform agent instead.
NMAS events can be audited using XDAS. For more information, see Auditing with XDAS.