16.2 Authentication Services

This section briefly discusses the following topics:

  • Section 16.2.1, Overview of Authentication Services

  • Section 16.2.2, Planning for Authentication

  • Section 16.2.3, Authentication Coexistence and Migration

  • Section 16.2.4, Configuring and Administering Authentication

16.2.1 Overview of Authentication Services

This section provides specific overview information for the following key OES components:

  • NetIdentity Agent

  • Novell Modular Authentication Services (NMAS)

  • Password Support in OES 2

For more authentication topics, see Access, Authenticate, Log in in the OES online documentation.

NetIdentity Agent

In OES 2, the NetIdentity Agent works with Novell eDirectory authentication to provide background authentication to Windows Web-based applications that require eDirectory authentication through a secure identity “wallet” on the workstation. Applications access the eDirectory credentials without prompting users for a username and password.

The NetIdentity Agent supports applications running on OES 2 server platforms as follows:

  • OES 2 Linux: NetStorage

  • OES 2 NetWare: NetStorage and iPrint (if authentication is required)

NetIdentity Agent browser authentication is supported only by Windows Internet Explorer.

The Novell Client provides authentication credentials to NetIdentity, but it does not obtain authentication credentials from NetIdentity because it is not a Web-based application.

NetIdentity Agent requires:

  • XTier (NetStorage) on the OES 2 server presented in the URL for the Web-based applications.

  • The NetIdentity agent installed on the workstations.

For more information on using the NetIdentity agent, see the NetIdentity Administration Guide for NetWare 6.5.

Novell Modular Authentication Services (NMAS)

Novell Modular Authentication Services (NMAS™) lets you protect information on your network by providing various authentication methods to Novell eDirectory on NetWare, Windows, and UNIX networks.

These login methods are based on three login factors:

  • Password

  • Physical device or token

  • Biometric authentication

For example:

  • You can have users log in through a password, a fingerprint scan, a token, a smart card, a certificate, a proximity card, etc.

  • You can have users log in through a combination of methods to provide a higher level of security.

Some login methods require additional hardware and software. You must have all of the necessary hardware and software for the methods to be used.

NMAS software consists of the following:

  • NMAS server components: Installed as part of OES 2.

  • The NMAS Client: Required on each Windows workstation that will be authenticating using NMAS.

Support for Third-Party Authentication Methods

Novell Client distributions include a number of NMAS login methods.

Other third-party methods are available for download. For information on the available third-party login methods, see the NMAS Partner’s Web site. Each method has a readme.txt file or a readme.pdf file that includes specific installation and configuration instructions.

More Information

For more information on how to use NMAS, see the Novell Modular Authentication Services 3.3 Administration Guide.

Password Support in OES 2

In the past, administrators have needed to manage multiple passwords (simple password, NDS® passwords, Samba passwords) because of password differences. Administrators have also needed to deal with keeping the passwords synchronized.

In OES you have the choice of retaining your current password maintenance methods or deploying Universal Password to simplify password management. For more information, see the Novell Password Management 3.2 Administration Guide.

All Novell products and services are being developed to work with extended character (UTF-8 encoded) passwords. For a current list of products and services that work with extended characters, see Novell TID 3065822.

The password types supported in eDirectory are summarized in Table 16-7.

Table 16-7 eDirectory Password Types

Password Type

Description

NDS

The NDS password is stored in a hash form that is nonreversible in eDirectory. Only the NDS system can make use of this password, and it cannot be converted into any other form for use by any other system.

Novell AFP and Novell CIFS

In OES 2, AFP and CIFS users have Universal Password policies assigned by default. The same policy can be used for both services, as shown in Creating a UP Policy to Support Both AFP and CIFS in the OES 2 SP2: Lab Guide for Linux and Virtualized NetWare. More information about password policy planning is available in Coordinating Password Policies Among Multiple File Services in the OES 1 Readme.

Samba

In OES 2, Samba users have a Universal Password policy assigned by default.

OES 2 also supports the Samba hash password if desired. However, you must choose not to deploy Universal Password if you want to use the Samba hash password. Choosing the Samba password requires that users always remember to synchronize it when changing their eDirectory password.

For more information, see Samba Passwords in the OES2 SP2: Samba Administration Guide.

Simple

The simple password provides a reversible value stored in an attribute on the User object in eDirectory. NMAS securely stores a clear-text value of the password so that it can use it against any type of authentication algorithm. To ensure that this value is secure, NMAS uses either a DES key or a triple DES key (depending on the strength of the Secure Domain Key) to encrypt the data in the NMAS Secret and Configuration Store.

The simple password was originally implemented to allow administrators to import users and hashed passwords from other LDAP directories such as Active Directory and iPlanet*.

The limitations of the simple password are that no password policy (minimum length, expiration, etc.) is enforced. Also, by default, users do not have rights to change their own simple passwords.

Universal

Universal Password (UP) enforces a uniform password policy across multiple authentication systems by creating a password that can be used by all protocols and authentication methods.

Universal Password is managed in iManager by the Secure Password Manager (SPM), a component of the NMAS module installed on OES 2 servers. All password restrictions and policies (expiration, minimum length, etc.) are supported.

All the existing management tools that run on clients with the UP libraries automatically work with the Universal Password.

Universal Password is not automatically enabled unless you install Novell AFP, Novell CIFS, Domain Services for Windows, or Novell Samba on an OES 2 Linux server. You can optionally choose to have the Samba hash password stored separately. This requires, however, that users always synchronize the Samba password when changing their eDirectory password.

The Novell Client supports the Universal Password. It also supports the NDS password for older systems in the network. The Novell Client automatically upgrades to use Universal Password when UP is deployed.

For more information, see Deploying Universal Password in the Novell Password Management 3.2 Administration Guide.
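The NDS and Simple rows of Table 16-7 draw a distinction that matters for both security and protocol support: a nonreversible hash can only confirm a password the user presents, while a reversibly stored value can be recovered and "used against any type of authentication algorithm" (for example a challenge/response method that needs the clear text on the server side), at the cost of the store's encryption key becoming a high-value secret. The following added example illustrates that distinction. It is not OES or NMAS code and does not reproduce the NMAS Secret and Configuration Store format: the class names, the PBKDF2 parameters, the SHA-256 keystream used in place of DES/3DES, and the HMAC-based challenge/response method are all constructed for illustration.

```python
import hashlib
import hmac
import os

# Hypothetical helpers added to illustrate the NDS (nonreversible) versus
# simple (reversible) password contrast; not OES/NMAS code or its on-disk format.

PBKDF2_ITERATIONS = 200_000


class NonReversibleStore:
    """Keeps only a salted PBKDF2-HMAC-SHA256 digest, in the spirit of the NDS password."""

    def __init__(self):
        self._records = {}

    def set_password(self, user, password):
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
        self._records[user] = (salt, digest)

    def verify(self, user, password):
        # Verification is possible: recompute the digest and compare in constant time.
        if user not in self._records:
            return False
        salt, digest = self._records[user]
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
        return hmac.compare_digest(candidate, digest)

    def recover(self, user):
        # Nothing reversible is kept, so the clear text cannot be produced.
        return None


def _keystream(key, nonce, length):
    # CTR-style keystream built from SHA-256 blocks; a constructed stand-in for
    # the DES/3DES encryption the page attributes to the NMAS secret store.
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


class ReversibleStore:
    """Keeps the password encrypted under a store key, in the spirit of the simple password."""

    def __init__(self, store_key):
        self._key = store_key  # plays the role of the Secure Domain Key
        self._records = {}

    def set_password(self, user, password):
        nonce = os.urandom(16)
        data = password.encode()
        ct = bytes(a ^ b for a, b in zip(data, _keystream(self._key, nonce, len(data))))
        self._records[user] = (nonce, ct)

    def recover(self, user):
        # Anyone holding the store key gets the clear text back.
        if user not in self._records:
            return None
        nonce, ct = self._records[user]
        pt = bytes(a ^ b for a, b in zip(ct, _keystream(self._key, nonce, len(ct))))
        return pt.decode()

    def verify(self, user, password):
        stored = self.recover(user)
        return stored is not None and hmac.compare_digest(stored.encode(), password.encode())


def challenge_response(password, challenge):
    """Client side of a constructed challenge/response method: HMAC of the server's
    challenge keyed by the clear-text password, so the password never crosses the wire."""
    return hmac.new(password.encode(), challenge, "sha256").digest()


def check_challenge_response(store, user, challenge, response):
    """Server side: it must recompute the HMAC from the clear text, so only a
    reversible store can serve this method; a hash-only store returns False."""
    clear = store.recover(user)
    if clear is None:
        return False
    return hmac.compare_digest(challenge_response(clear, challenge), response)


if __name__ == "__main__":
    nds_like = NonReversibleStore()
    nds_like.set_password("alice", "s3cret-pw")          # constructed sample credential
    simple_like = ReversibleStore(b"constructed-store-key")
    simple_like.set_password("alice", "s3cret-pw")
    challenge = os.urandom(16)
    response = challenge_response("s3cret-pw", challenge)
    print("hash store verifies direct login:", nds_like.verify("alice", "s3cret-pw"))
    print("hash store serves challenge/response:", check_challenge_response(nds_like, "alice", challenge, response))
    print("reversible store serves challenge/response:", check_challenge_response(simple_like, "alice", challenge, response))
```

The asymmetry the run shows is the trade-off behind the two rows: the reversible store can support a method the hash store cannot, and in exchange the confidentiality of every password now rests on the store key, which is why the page ties the encryption strength to the Secure Domain Key.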

16.2.2 Planning for Authentication

For planning topics, see Access, Authenticate, Log in in the OES online documentation.

16.2.3 Authentication Coexistence and Migration

For authentication and security coexistence and migration information, see Section 21.0, Security and Section 22.0, Certificate Management in this guide.

16.2.4 Configuring and Administering Authentication

For a list of configuration and administration topics, see Access, Authenticate, Log in in the OES online documentation.