14.2 Authentication Services

14.2.1 Overview of Authentication Services

This section provides specific overview information for the following key OES components:

NetIdentity Agent

The NetIdentity Agent works with NetIQ eDirectory authentication to provide background eDirectory authentication to NetStorage through a secure identity “wallet” on the workstation.

NetIdentity Agent browser authentication is supported only by Windows Internet Explorer.

The Client for Open Enterprise Server provides authentication credentials to NetIdentity, but it does not obtain authentication credentials from NetIdentity because it is not a Web-based application.

NetIdentity Agent requires the following:

  • XTier (NetStorage) on the OES server included in the URL for the Web-based applications.

  • The NetIdentity agent installed on the workstations.

For more information on using the NetIdentity agent, see the NetIdentity Administration Guide for NetWare 6.5.

NetIQ Modular Authentication Services (NMAS)

NetIQ Modular Authentication Services (NMAS) lets you protect information on your network by providing various authentication methods to NetIQ eDirectory on NetWare, Windows, and UNIX networks.

These login methods are based on three login factors:

  • Password

  • Physical device or token

  • Biometric authentication

For example:

  • You can have users log in through a password, a fingerprint scan, a token, a smart card, a certificate, a proximity card, etc.

  • You can have users log in through a combination of methods to provide a higher level of security.

Some login methods require additional hardware and software. You must have all of the necessary hardware and software for the methods to be used.

NMAS software consists of the following:

  • NMAS server components: Installed as part of OES.

  • The NMAS Client: Required on each Windows workstation that will be authenticating using NMAS.

Support for Third-Party Authentication Methods

Client for Open Enterprise Server distributions include a number of NMAS login methods.

For more information on how to use NMAS, see Understanding eDirectory’s Authentication Framework in the NetIQ eDirectory Administration Guide.

Password Support in OES

In the past, administrators have needed to manage multiple passwords (simple passwords and NDS passwords) because of password differences. Administrators have also needed to keep those passwords synchronized.

In OES you have the choice of retaining your current password maintenance methods or deploying Universal Password to simplify password management. For more information, see Managing Passwords in the NetIQ eDirectory Administration Guide.

All Micro Focus products and services are being developed to work with extended character (UTF-8 encoded) passwords. For a current list of products and services that work with extended characters, see TID 3065822.

The password types supported in eDirectory are summarized in Table 14-7.

Table 14-7 eDirectory Password Types

Password Type: NDS password

The NDS password is stored in a hash form that is non-reversible in eDirectory. Only the NDS system can make use of this password, and it cannot be converted into any other form for use by any other system.

The AFP and CIFS users have Universal Password policies assigned by default. More information about password policy planning is available in Section L.0, Coordinating Password Policies Among Multiple File Services.

Password Type: Simple password

The simple password provides a reversible value stored in an attribute on the User object in eDirectory. NMAS securely stores a clear-text value of the password so that it can use it against any type of authentication algorithm. To ensure that this value is secure, NMAS uses either a DES key or a triple DES key (depending on the strength of the Secure Domain Key) to encrypt the data in the NMAS Secret and Configuration Store.

The simple password was originally implemented to allow administrators to import users and hashed passwords from other LDAP directories such as Active Directory and iPlanet.

The limitations of the simple password are that no password policy (minimum length, expiration, etc.) is enforced. Also, by default, users do not have rights to change their own simple passwords.

Password Type: Universal Password

Universal Password (UP) enforces a uniform password policy across multiple authentication systems by creating a password that can be used by all protocols and authentication methods.

Universal Password is managed in iManager by the Secure Password Manager (SPM), a component of the NMAS module installed on OES servers. All password restrictions and policies (expiration, minimum length, etc.) are supported.

All the existing management tools that run on clients with the UP libraries automatically work with the Universal Password.

Universal Password is not automatically enabled unless you install AFP, CIFS, or Domain Services for Windows on an OES server.

The Client for Open Enterprise Server supports the Universal Password. It also supports the NDS password for older systems in the network. The Client for Open Enterprise Server automatically upgrades to use Universal Password when UP is deployed.

For more information, see Deploying Universal Password in the NetIQ eDirectory Administration Guide.

14.2.2 Authentication Coexistence and Migration

For authentication and security coexistence and migration information, see Section 19.0, Security and Section 20.0, Certificate Management in this guide.