Novell OPEN ENTERPRISE SERVER - PLANNING AND IMPLEMENTATION GUIDE 12-2010 Implementation Manual page 174

Password Support in OES 2
In the past, administrators have needed to manage multiple passwords (simple password, NDS
passwords, Samba passwords) because of password differences. Administrators have also needed to
deal with keeping the passwords synchronized.
In OES you have the choice of retaining your current password maintenance methods or deploying
Universal Password to simplify password management. For more information, see the
Password Management 3.3.1 Administration
All Novell products and services are being developed to work with extended character (UTF-8
encoded) passwords. For a current list of products and services that work with extended characters,
see Novell TID 3065822 (http://www.novell.com/support/
search.do?cmd=displayKC&docType=kc&externalId=3065822&sliceId=1&docTypeID=DT_TID_
1_1&dialogID=77556590&stateId=0%200%2077560425).
The password types supported in eDirectory are summarized in
Table 16-7
Password Type
NDS
Novell AFP and
Novell CIFS
Samba
Simple
174 OES 2 SP3: Planning and Implementation Guide
eDirectory Password Types
Description
The NDS password is stored in a hash form that is nonreversible in eDirectory. Only
the NDS system can make use of this password, and it cannot be converted into any
other form for use by any other system.
In OES 2, AFP and CIFS users have Universal Password policies assigned by
default. More information about password policy planning is available in
"Coordinating Password Policies Among Multiple File Services," on page
In OES 2, Samba users have a Universal Password policy assigned by default.
OES 2 also supports the Samba hash password if desired. However, you must
choose to not deploy Universal Password if you want to use the Samba hash
password. Choosing the Samba password requires that users always remember to
synchronize it when changing their eDirectory password.
For more information, see
Administration Guide.
The simple password provides a reversible value stored in an attribute on the User
object in eDirectory. NMAS securely stores a clear-text value of the password so that
it can use it against any type of authentication algorithm. To ensure that this value is
secure, NMAS uses either a DES key or a triple DES key (depending on the strength
of the Secure Domain Key) to encrypt the data in the NMAS Secret and
Configuration Store.
The simple password was originally implemented to allow administrators to import
users and hashed passwords from other LDAP directories such as Active Directory
and iPlanet*.
The limitations of the simple password are that no password policy (minimum length,
expiration, etc.) is enforced. Also, by default, users do not have rights to change their
own simple passwords.
Guide.
Table
"Samba Passwords" in the
Novell
16-7.
Appendix K,
287.
OES2 SP3: Samba