Simple Password
The simple password is a login method made available as part of NMAS (Novell Modular Authentication Service). NMAS users can access the network using a variety of authentication methods, including smart card methods (smart card/token readers), biometric methods (fingerprint, retinal scan, etc.) or password methods (NDS password, simple password, enhanced password). The simple password is an encrypted password (encrypted through the NMAS engine) and is stored in the directory as an attribute of the user. Simple passwords can be created/managed through iManager, ConsoleOne or NetWare Remote Manager. (See TID 10064790, How to create SIMPLE PASSWORDS.)
The simple password was originally implemented to allow administrators to import users and passwords (clear text and hashed) from foreign systems such as Linux or Unix systems and iPlanet*.
ONE-WAY-HASH Passwords
A one-way hash is one where, if you know the clear-text value of the password, you can recreate the hash value; but if you only have the hash, you cannot obtain the clear-text value.
The most popular algorithms are:
Why you should use the simple password?
We have used the simple password for the following reasons:
- As a method to maintain existing passwords when we migrate users from other LDAP servers that use common one-way hash algorithms.
- In password sync scenarios where we need to put a password from other LDAP servers that use common one-way hash algorithms, or when we need to write passwords to other systems that cannot do native LDAP authentication.
- It supports case sensitivity.
Things You Should Know About Simple Password
Things work differently on pre-8.8 eDirectory versions than on version 8.8; see LDAPEdirectory Passwords. Normally, most eDirectory logins will attempt authentication to the NDS password first, then fall back to the simple password. As the NDS password does not enforce case sensitivity and the NDS password will normally be the same, you may need to "remove" the NDS password to obtain case sensitivity or to force the Simple password to be used.
Almost no controls are enforced when using the Simple Password.
- No PasswordExpirationTime
- No Intruder Detection
Setting the Simple Password
For the 8.5, 8.6 and 8.7.0 releases, NDS eDirectory allows the storage and validation of passwords hashed with the following hashing algorithms: SHA, MD5, and Unix Crypt.
SimplePassword with eDirectory 8.8.x
Some changes have taken place. With 8.8.x you can NOT set a simplePassword value when a PasswordPolicy is assigned to the user. Here is the process we found to work:
- Set NDSD_TRY_NMASLOGIN_FIRST=true
- Set the Default login sequence for the "user" container to simple
- Import the encrypted password to the simplePassword with no password policy assigned to the users.
- Assign a password policy to the "user" container.
The user can bind using the clear-text value of the simple password. Upon a successful bind, assuming the password policy is configured to , the bind will set the NDS and Universal Password (UP), and IDM does pick up the password change.
It also allows the storing and validation of passwords that are clear text. With LDAP, the normal mechanism for setting the password is via the userPassword attribute. However, the Novell LDAP server only supports adding clear-text passwords via the userPassword attribute. The Universal Password method now allows adding userPassword values that have been hashed by universal hashing algorithms.
The question you may have is: how do we determine whether the password, especially in the case of the clear-text password, should be a Universal Password or an NDS eDirectory Password?
In LDAP this is done via an LDAP control. LDAP controls are ways to expand the meaning of an LDAP operation. For more information about controls see the following documents:
- RFC 2251 Lightweight Directory Access Protocol
- RFC 2696 LDAP Control Extension for Simple Paged Results Manipulation
- RFC 2891 LDAP Control Extension for Server Side Sorting of Search Results
When the following LDAP control is specified with an LDAP operation that contains a userPassword attribute, the server will try to add the password as a Universal Password:
| Control | OID | Is critical? | Value |
|---|---|---|---|
| Simple Password Request | 2.16.840.1.113719.1.27.101.5 | false | none |
| Simple Password Reply | 2.16.840.1.113719.1.27.101.5 | | |
Sample C code
The following is C code on how to set this control with an LDAP operation:

```c
#include <stdlib.h>
#include <string.h>
#include <ldap.h>

#define LDAP_SIMPLE_PASS "2.16.840.1.113719.1.27.101.5"

/* Add an entry with the Simple Password Request control attached as a
 * server control. The setup of Ldap, dn and attrs that the original
 * elides is taken as function parameters here. */
int add_with_simple_password(LDAP *Ldap, const char *dn, LDAPMod **attrs, int *msgid)
{
    LDAPControl *requestCtrls[2];
    int err;

    requestCtrls[0] = (LDAPControl *)calloc(1, sizeof(LDAPControl));
    if (NULL == requestCtrls[0])
        return LDAP_NO_MEMORY;

    requestCtrls[0]->ldctl_oid = (char *)malloc(strlen(LDAP_SIMPLE_PASS) + 1);
    if (NULL == requestCtrls[0]->ldctl_oid) {
        free(requestCtrls[0]);
        return LDAP_NO_MEMORY;
    }
    strcpy(requestCtrls[0]->ldctl_oid, LDAP_SIMPLE_PASS);
    requestCtrls[0]->ldctl_iscritical = 0;      /* FALSE: the control is not critical */
    requestCtrls[0]->ldctl_value.bv_val = NULL; /* the control carries no value */
    requestCtrls[0]->ldctl_value.bv_len = 0;
    requestCtrls[1] = NULL;                     /* control list is NULL-terminated */

    err = ldap_add_ext(Ldap, dn, attrs, requestCtrls, NULL, msgid);

    free(requestCtrls[0]->ldctl_oid);
    free(requestCtrls[0]);

    if (err != LDAP_SUCCESS)
        return err;        /* hand the LDAP error code back to the caller */
    return LDAP_SUCCESS;
}
```
Sample Java Code to Set Simple Password
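As an added illustration, not code from the page or from Novell, the following Python encodes and decodes the Control structure of RFC 4511 section 4.1.11 in BER/DER for the OID in the table above (function names such as `encode_control` and `decode_control` are mine). It shows what the C code places on the wire: a SEQUENCE holding the OID as an OCTET STRING, no criticality element because DER omits the FALSE default, and no value. The decoder can be pointed at a control pulled out of a captured LDAP PDU to confirm which control a client actually sent.

```python
"""Wire-level view of the Simple Password Request control: encode and decode an
LDAP Control (RFC 4511 section 4.1.11) with BER/DER, no network needed."""
from typing import Optional

# OID from the page's control table; the control carries no value and is not critical.
SIMPLE_PASSWORD_REQUEST_OID = "2.16.840.1.113719.1.27.101.5"


def _ber_length(n: int) -> bytes:
    """Definite-form length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + _ber_length(len(payload)) + payload


def encode_control(oid: str, critical: bool = False, value: Optional[bytes] = None) -> bytes:
    """Control ::= SEQUENCE { controlType LDAPOID,
                              criticality BOOLEAN DEFAULT FALSE,
                              controlValue OCTET STRING OPTIONAL }
    DER omits elements equal to their DEFAULT, so criticality is only sent when true."""
    body = _tlv(0x04, oid.encode("ascii"))
    if critical:
        body += _tlv(0x01, b"\xff")
    if value is not None:
        body += _tlv(0x04, value)
    return _tlv(0x30, body)


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, payload, position after the element); rejects truncated input."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        nbytes = first & 0x7F
        if nbytes == 0 or pos + nbytes > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("TLV payload runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def decode_control(buf: bytes) -> dict:
    """Parse one encoded Control back into its fields (e.g. from a captured LDAP PDU)."""
    tag, body, end = _read_tlv(buf, 0)
    if tag != 0x30 or end != len(buf):
        raise ValueError("expected exactly one SEQUENCE")
    tag, oid, pos = _read_tlv(body, 0)
    if tag != 0x04:
        raise ValueError("controlType must be an OCTET STRING")
    result = {"oid": oid.decode("ascii"), "critical": False, "value": None}
    if pos < len(body):
        tag, payload, pos = _read_tlv(body, pos)
        if tag == 0x01:                      # criticality present (non-default)
            result["critical"] = payload != b"\x00"
            if pos < len(body):
                tag, payload, pos = _read_tlv(body, pos)
        if tag == 0x04:                      # optional controlValue
            result["value"] = payload
    return result


def is_simple_password_request(buf: bytes) -> bool:
    """True when the decoded control is the NMAS Simple Password Request control."""
    return decode_control(buf)["oid"] == SIMPLE_PASSWORD_REQUEST_OID


if __name__ == "__main__":
    encoded = encode_control(SIMPLE_PASSWORD_REQUEST_OID)
    print(encoded.hex())
    print(decode_control(encoded))
```

Because the control is non-critical, a server that does not recognise the OID must ignore it and still process the add; a successful add is therefore not by itself proof that the control was honoured, so check how the password was stored rather than assuming.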
LDIF Sample
You can also specify this control via an LDIF file. LDIF is defined by RFC 2849, "LDAP Data Interchange Format" (http://www.ietf.org/rfc/rfc2849.txt). The following LDIF example shows how this can be accomplished:

```ldif
dn: cn=jane,o=container
control: 2.16.840.1.113719.1.27.101.5 false
objectclass: inetorgperson
sn: Doe
title: programmer
userpassword: {SHA}qUqP5cyxm6YcTAhz05Hph5gvu9M=
```
Using ICE

```
# This works. The -l forces ICE to use simple password
# ice -lice.log -v -SLDIF -fC:\mydata\jim\clients\novell\cnn\ldifs\simplepassword.ldif -v -c -a -DLDAP -s10.165.131.55 -p636 -dcn=admin,ou=administration,dc=willeke,dc=com -wsecret -LC:\mydata\jim\MYTTREE-CA.der -B -l -v
# sa3tHJ3/KuYvI = password
version: 1
dn: cn=testuser101,ou=people,dc=turner,dc=com
changeType: modify
add: userpassword
userpassword: {crypt}sa3tHJ3/KuYvI
```
If this switch is specified, all LDAP operations in the LDIF file will have this control applied. So that the server knows which hash was used, the userPassword value follows the definition in RFC 2307 (Using LDAP as a Network Information Service) for carrying different hashes within the userPassword attribute. The following is the definition from this RFC: userPassword values MUST be represented by the following syntax:
passwordvalue = schemeprefix encryptedpassword
schemeprefix = "{" scheme "}"
scheme = "crypt" / "md5" / "sha" / altscheme
altscheme = "x-" keystring
encryptedpassword = encrypted password
The encrypted password consists of a plaintext key hashed using the algorithm named by the scheme. Below is an example of a userPassword attribute:
userPassword: {crypt}X5/DBrWPOQQaI
The value of this example of a userpassword is a password hashed by the Unix Crypt hash then base 64 encoded so it could be represented as text.
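The LDIF examples above and the RFC 2307 syntax just quoted are tied together in this added Python example (mine, not code from the page or from Novell; the function names and the LDIF builder are my own choices). It parses `{scheme}encryptedpassword` values, builds them from clear text, verifies a candidate password against a stored value with a constant-time comparison, and emits the modify LDIF with the control line from the page. The `{SHA}` sample is the page's own value, which is the SHA-1 of "test"; the `{crypt}` branch needs the `crypt` module, which newer Python builds no longer ship, so it is treated as optional.

```python
"""RFC 2307 userPassword values ({scheme}encryptedpassword): parse, build, verify,
and emit the LDIF that carries one under the Simple Password Request control."""
import base64
import hashlib
import hmac
from typing import Optional, Tuple

try:
    import crypt  # crypt(3) binding; removed in Python 3.13, so treat it as optional
except ImportError:
    crypt = None

SIMPLE_PASSWORD_REQUEST_OID = "2.16.840.1.113719.1.27.101.5"   # from the page's table
STANDARD_SCHEMES = ("crypt", "md5", "sha")

# Sample values copied from the page: {SHA} is SHA-1 of "test", {crypt} is "password".
SAMPLE_SHA = "{SHA}qUqP5cyxm6YcTAhz05Hph5gvu9M="
SAMPLE_CRYPT = "{crypt}sa3tHJ3/KuYvI"


def parse_userpassword(value: str) -> Tuple[str, str]:
    """Split a value per the ABNF: schemeprefix = "{" scheme "}" then encryptedpassword.
    Scheme names are case-insensitive; "x-" prefixed names are private altschemes."""
    if not value.startswith("{") or "}" not in value:
        raise ValueError("userPassword value has no {scheme} prefix")
    scheme, _, encrypted = value[1:].partition("}")
    scheme = scheme.lower()
    if scheme not in STANDARD_SCHEMES and not scheme.startswith("x-"):
        raise ValueError("unknown scheme %r" % scheme)
    if not encrypted:
        raise ValueError("empty encryptedpassword")
    return scheme, encrypted


def make_userpassword(scheme: str, clear_text: str, salt: Optional[str] = None) -> str:
    """Build a value from clear text. {SHA} and {MD5} are the raw, unsalted digest
    base64-encoded (so equal passwords give equal values); {crypt} is crypt(3) output."""
    scheme = scheme.lower()
    raw = clear_text.encode("utf-8")
    if scheme == "sha":
        encrypted = base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")
    elif scheme == "md5":
        encrypted = base64.b64encode(hashlib.md5(raw).digest()).decode("ascii")
    elif scheme == "crypt":
        if crypt is None:
            raise NotImplementedError("crypt(3) is not available in this Python build")
        encrypted = crypt.crypt(clear_text, salt if salt is not None else crypt.mksalt())
    else:
        raise ValueError("cannot build scheme %r" % scheme)
    return "{%s}%s" % (scheme.upper(), encrypted)


def verify_userpassword(stored: str, candidate: str) -> bool:
    """Check a clear-text candidate against a stored value. {SHA}/{MD5} are recomputed;
    {crypt} re-runs crypt(3) with the stored value as the salt. The comparison is
    constant-time, and case-sensitive (unlike the NDS password)."""
    scheme, encrypted = parse_userpassword(stored)
    if scheme in ("sha", "md5"):
        _, expected = parse_userpassword(make_userpassword(scheme, candidate))
        return hmac.compare_digest(expected.encode("ascii"), encrypted.encode("ascii"))
    if scheme == "crypt":
        if crypt is None:
            raise NotImplementedError("crypt(3) is not available in this Python build")
        recomputed = crypt.crypt(candidate, encrypted)
        return hmac.compare_digest(recomputed.encode("ascii"), encrypted.encode("ascii"))
    raise NotImplementedError("no verifier for scheme %r" % scheme)


def ldif_add_userpassword(dn: str, stored: str, with_control: bool = True) -> str:
    """LDIF modify record that adds the value, optionally carrying the control line
    (non-critical, no value) so the server stores it as a simple password."""
    parse_userpassword(stored)  # refuse to emit a malformed value
    lines = ["dn: %s" % dn]
    if with_control:
        lines.append("control: %s false" % SIMPLE_PASSWORD_REQUEST_OID)
    lines += ["changetype: modify", "add: userPassword", "userPassword: %s" % stored, "-"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(verify_userpassword(SAMPLE_SHA, "test"))   # True
    print(ldif_add_userpassword("cn=jane,o=container", make_userpassword("sha", "test")))
```

The unsalted `{SHA}` and `{MD5}` forms give identical values for identical passwords, which is what makes them easy to migrate between directories and also what makes them weak against precomputed tables; treat a directory full of them as a migration artefact to be replaced once users have bound and the Universal Password has been set, as the 8.8.x process above describes.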
How to change the NMAS Simple Password with LDAP
Remove Simple Password
On occasion, when the simple password is populated, there may be conflicts with the use of the NDS or Universal Password. To avoid these problems, you can remove the simple password. WARNING: it is possible that non-Simple Password values are in there as well (though probably not unless you are using some advanced NMAS features such as biometrics, tokens, or the like).
Delete the SAS:Login Configuration and SAS:Login Configuration Key attributes.
LDIF:
```ldif
dn: cn=user,o=novell,dc=org
changetype: modify
delete: sasloginconfiguration
-
delete: sasloginconfigurationkey
```