Novell's Documentation#

As things change, you should always consult Novell's documentation and other resources. Our pages are not a substitute.

Creating New Password Policy#

Container to Create the Policy In#

Specify the container you want the policy to be created in.

Policy Name#

Type a name for the password policy, then describe the policy.

Password Change Message#

Provide a Password Change Message. The user sees this message when changing a password by using either of the following:
  • The iManager self-service console
  • The latest version of the Novell® Client that supports displaying the rules

Default Settings#

To create a policy based on the default settings, select the check box. You then skip to the Summary page of the wizard and view the settings.

Keep in mind that a policy is not in effect until it has been assigned to an object.


Advanced Password Rules#

Advanced Password Rules help you secure your environment by giving you control over password details such as the following:

The lifetime of a password#

You can specify how frequently users must change passwords, and whether users can reuse passwords.

What a password contains#

You can require a combination of
  • letters
  • numbers
  • special characters - Special characters are the characters that are not numbers (0-9) and are not alphabetic characters. The alphabetic characters are a-z, A-Z, and alphabetic characters in the Latin-1 code page 850.

You can also exclude passwords that you don't feel are secure, such as your company name.

NOTE: You can manage password syntax settings using either Novell syntax or the Microsoft Complexity Policy. For more information, see Managing Passwords by Using Password Policies.

Although an exclusion list feature is provided, it is not intended to be used for a long list of words such as a dictionary. Long lists of excluded words can affect server performance. Instead of a long exclusion list to protect against "dictionary attacks" on passwords, we recommend that you use the Advanced Password Rules to require numbers to be included in the password.

If you are using Password Synchronization, we recommend that you do the following:

  • Research the password policies for all the connected systems.
  • Make sure that the Advanced Password Rules are compatible.

This procedure helps ensure that passwords are synchronized successfully. You can use Additional Password Synchronization settings to enforce the Advanced Password Rules for passwords that are changed on connected systems. (Select Passwords > Password Synchronization).

To make sure that existing Novell® Identity Vault passwords comply with the Advanced Password Rules you have set, specify that existing passwords must be validated when users log in through iManager. If the existing password does not comply, the user is required to change it. This option is useful if you are deploying a new password policy or changing the Advanced Password Rules for an existing policy. To enable this option, do one of the following:

  • In an existing policy, go to Universal Password > Configuration Options and select "Verify whether existing passwords comply with the password policy (verification occurs on login)."
  • In the wizard for creating a new policy, go to Select the Universal Password Options, click the View Options button, and select "Verify passwords comply with the password policy (verification occurs on login)."
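The content rules above (letters, numbers, special characters as the page defines them, and a short exclusion list) and the verify-on-login option can be modelled in a few lines. This is an added example, not code from Novell or iManager; treating Latin-1 letters in the range U+00C0 to U+00FF as the "code page 850" alphabetic characters is an assumption.

```python
import string
from dataclasses import dataclass, field

ASCII_LETTERS = set(string.ascii_letters)


def is_alphabetic(ch: str) -> bool:
    """Alphabetic per the page: a-z, A-Z, or an accented Latin-1 letter
    (assumption: U+00C0..U+00FF stands in for the code page 850 letters)."""
    return ch in ASCII_LETTERS or (0xC0 <= ord(ch) <= 0xFF and ch.isalpha())


def is_special(ch: str) -> bool:
    """Special per the page: anything that is neither 0-9 nor alphabetic."""
    return ch not in string.digits and not is_alphabetic(ch)


@dataclass
class PasswordPolicy:
    require_letters: bool = True
    require_numbers: bool = True
    require_special: bool = True
    excluded: set = field(default_factory=set)  # keep this short, e.g. the company name

    def violations(self, password: str) -> list:
        """Return the Advanced Password Rules the password breaks (empty = compliant)."""
        found = []
        if self.require_letters and not any(is_alphabetic(c) for c in password):
            found.append("no letters")
        if self.require_numbers and not any(c in string.digits for c in password):
            found.append("no numbers")
        if self.require_special and not any(is_special(c) for c in password):
            found.append("no special characters")
        if password.casefold() in {w.casefold() for w in self.excluded}:
            found.append("excluded password")
        return found


def must_change_on_login(policy: PasswordPolicy, existing_password: str) -> bool:
    """Models 'verify existing passwords comply on login': True means the user
    is required to change the password before proceeding."""
    return bool(policy.violations(existing_password))
```

Note that an accented letter counts as alphabetic, not special, so "Café7" still lacks a special character under this definition.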

To use the Advanced Password Rules, you must do the following:

  • Have Universal Password set up.
  • Enable Universal Password in the configuration for the policy.
  • Set up iManager.

NOTE: When you create a password policy and enable Universal Password, the Advanced Password Rules are enforced instead of any existing password settings for the NDS® Password option. The legacy password settings are ignored. No merging or copying of previous settings is done automatically when you create password policies.

For example, if you have a setting for the number of grace logins that you use with the NDS Password option, when you enable Universal Password you need to re-create the grace logins setting in the Advanced Password Rules in the password policy.

If you later disable Universal Password in the password policy, the existing password settings that you had are no longer ignored. They are enforced for the NDS Password option.

For more information, see the Novell Identity Manager Administration Guide.


Configuration Options#

Enable Universal Password#

Enabling Universal Password for a policy enables you to use options in the Password Policies feature. However, before you can enable Universal Password for a policy, you must do the following:
  • Meet the prerequisites for Universal Password in your environment.
  • Set up the iManager self-service console.
  • Recommend that users change their passwords by using the iManager self-service console.

To help users create compliant passwords, utilities (for example, the iManager self-service console and Novell Client 4.91 or later) display the Advanced Password Rules to users when they change their passwords. For more information, see the Novell Identity Manager Administration Guide.

Enable the Advanced Password Rules#

This option enables the password rules found in Advanced Password Rules. These rules help you secure your environment by giving you control over criteria, such as the lifetime of a password and what a password contains.

Universal Password Synchronization#

These options determine how Universal Password is synchronized within Novell eDirectory with other types of Identity Vault passwords.

If you are using Password Synchronization, keep in mind that you must consider both the settings on this page and the settings for publishing passwords to an Identity Vault from connected systems.

  • Select Passwords > Password Synchronization.
  • Search for drivers and click the driver name.
  • Select the Password Synchronization server variables page.
  • Make changes, then click OK.

Remove the NDS Password when Setting Universal Password#

If you select this option, the following occur:
  • The NDS password is disabled when the Universal Password is set.
  • Users are unable to use older methods or utilities (for example, a Novell Client earlier than version 4.9) that log in directly with the NDS password instead of communicating with NMAS.

Disabling the NDS password might be desirable if you want to force users to upgrade to a newer Novell Client that supports Universal Password and case sensitivity. However, it might not be desirable to enable this option in a password policy assigned to administrators or help desk users, because they wouldn't be able to log in by using some older Novell utilities that use only the NDS password.

If you select this option, the next option, "Synchronize NDS password when setting Universal Password," is dimmed because the NDS password is not being used at all.

Synchronize NDS Password when Setting Universal Password#

If you select this option, setting the Universal Password also changes the NDS password.

If you don't select this option, setting the Universal Password does not change the NDS password. Applications that use the Universal Password could have a different password than applications that use the NDS password.

This option is dimmed if the NDS password is not being used at all.

Synchronize Simple Password when setting Universal Password#

This option is provided for the following:

  • Backward compatibility with NetWare® 6.0 servers that contain AFP/CIFS users. If there are NetWare 6.0 servers in the tree that contain AFP/CIFS users, select this option.
  • Branch Office 2.0. User provisioning with Branch Office 2.0 requires Simple Password.
  • Compatibility with Novell and third-party clients using Simple Password. For example, you can use the Simple Password method on an NMAS client.

NOTE: The setting of this option does not affect your ability to use ICE to import user passwords.

Synchronize Distribution Password when Setting Universal Password#

This option (under Universal Password Retrieval in the Wizard) determines whether the metadirectory engine can retrieve or set a user's Universal Password in eDirectory.

For example, consider how Identity Manager Password Synchronization works with this option. If you select this option, the Universal Password and the Distribution Password used by Identity Manager are the same. Identity Manager obtains a user's password from the Identity Vault and synchronizes it with passwords in other connected systems.

If you deselect this option, Identity Manager is a conduit: it uses the Distribution Password to synchronize passwords among connected systems, but the password for the Identity Vault remains unique. This use of Password Synchronization is also referred to as "tunneling."

If you are using Password Synchronization, keep in mind that you must consider both the settings on this page and the settings for publishing passwords to Identity Manager from connected systems.

  • Select Passwords > Password Synchronization.
  • Search for drivers and click the driver name.
  • Select the Password Synchronization server variables page.
  • Make changes, then click OK.
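The four synchronization options above interact: removing the NDS password dims the NDS sync option, an unsynchronized store keeps its old password (so applications using it see a different password), and deselecting Distribution Password sync gives the "tunneling" behaviour. The model below is an added example, not Novell code, and only encodes what this page states about each option.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class SyncOptions:
    remove_nds: bool = False         # Remove the NDS Password when Setting Universal Password
    sync_nds: bool = False           # Synchronize NDS Password when Setting Universal Password
    sync_simple: bool = False        # Synchronize Simple Password when Setting Universal Password
    sync_distribution: bool = False  # Synchronize Distribution Password when Setting Universal Password


def dimmed_options(opts: SyncOptions) -> set:
    """Options the page says are dimmed: NDS sync is unavailable once NDS is removed."""
    return {"sync_nds"} if opts.remove_nds else set()


def stores_after_set(opts: SyncOptions) -> dict:
    """State of each password store after a new Universal Password is set.
    'set' = matches the Universal Password, 'removed' = NDS password disabled,
    'diverges' = keeps its previous value, 'tunneled' = Distribution Password is
    used only to carry passwords between connected systems."""
    stores = {"universal": "set"}
    if opts.remove_nds:
        stores["nds"] = "removed"
    else:
        stores["nds"] = "set" if opts.sync_nds else "diverges"
    stores["simple"] = "set" if opts.sync_simple else "diverges"
    stores["distribution"] = "set" if opts.sync_distribution else "tunneled"
    return stores


def legacy_client_gets_new_password(opts: SyncOptions) -> bool:
    """Clients older than Novell Client 4.9 log in with the NDS password directly,
    so they only see the new password if NDS is kept and synchronized."""
    return not opts.remove_nds and opts.sync_nds


def divergent_stores(opts: SyncOptions) -> set:
    """Stores whose password will differ from the Universal Password after a change."""
    return {name for name, state in stores_after_set(opts).items() if state == "diverges"}
```

Use divergent_stores() when reviewing a policy for help desk or administrator accounts, where the page warns that removing the NDS password locks out older utilities.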

Universal Password Retrieval#

Allow User Agent to Retrieve Password#

This option determines whether the Forgotten Password Self-Service feature can retrieve a password on behalf of a user, so that the password can be e-mailed to the user. If you don't select this option, the corresponding feature is dimmed on the Forgotten Password tab in the password policy.

Allow Admin to Retrieve Password#

Select this box if you have a particular service that needs it.

Identity Manager does not have a need for administrators to retrieve passwords. However, some third-party services (for example, the Samba server and FreeRADIUS server that ship with Novell Open Enterprise Server) might take advantage of this option.

Authentication#

Verify Whether Existing Passwords Comply with the Password Policy (Verification Occurs on Login)#

This option is useful if you are deploying a new password policy or changing the Advanced Password Rules for an existing policy, and you want to make sure that existing passwords comply with the new or changed rules.

If you select this option, when users log in, their existing passwords are analyzed to make sure that they comply with the Advanced Password Rules in the new or changed password policy. If an existing password does not comply, the user is required to change it.


Forgotten Password#

You can reduce help desk costs by setting up self-service for users who forget a password. These self-service features are available through a "Forgot your password?" link, which is displayed on the login page when users log in to any of the following:
  • The Identity Manager User Application (in Identity Manager 3 or later)
  • Novell® Client™ 4.91 or later
  • exteNd Director
  • The iManager self-service console (in iManager 2.0.2)
  • Virtual Office

Also see the Password Management Applications.

Required for Forgotten Password Functions to Work#

To use Forgotten Password features, some setup might be required.

Universal Password#

Most of the Forgotten Password features require you to have Universal Password enabled in the password policy. It is enabled by default. If you don't enable Universal Password, only two Forgotten Password actions are available:
  • Displaying a hint to the user in the iManager self-service console
  • E-mailing a hint to the user

Using Challenge Sets and Password Hints#

If you use Challenge Sets, users must first provide answers to the Challenge Set questions before they can take advantage of Forgotten Password self-service. If you use Password Hints, users must create a Password Hint before using the service.

To make sure that users are prompted to enter this information when logging in to the portal, select the "Force user to configure Challenge Questions and/or Hint upon authentication" option on the assigned policy.

Novell Portal Services#

If you use Novell Portal Services, when you configure the portal (as part of iManager configuration), you specify one or more portal users containers. When you install the Password Self-service plug-ins, all the containers currently identified as portal users containers are given rights to the self-service gadgets.

If you later create a container that is outside the portal users container, users in that new container won't see the gadgets for Hint Setup, Answer Challenge Questions, or Change Password (Universal) when they are logged in to the iManager self-service console. To resolve this issue, assign the Password Self-service pages or gadgets to the new container. See the Novell Identity Manager Administration Guide for instructions.

For more information, see Novell's current Password Management Administration Guide.

Enable Forgotten Password#

Select this option to allow users to access Forgotten Password Self-service. When you enable Forgotten Password, you must also specify whether a Challenge Set is required and what action you want to occur to help the user log in.

Challenge Set#

Require a Challenge Set:
  • Select this option.
  • Select a Challenge Set from the drop-down list.

For users to use Challenge Sets, you must have Universal Password enabled for the policy.

Specify the action to help the user log in.#

Allow User to Reset Password#

After answering the Challenge Set questions to prove identity, the user is allowed to change to a new password by using the Forgotten Password interface.

For the user to use this option, you must require a Challenge Set, and the user must have previously set up Forgotten Password by answering the Challenge Set questions.

E-mail Current Password to User#

After answering the Challenge Set questions to prove identity, the user receives the current password in an e-mail.

For the user to use this option, you must enable Universal Password for the policy and enable the "Allow user agent to retrieve password" option. Both options are found in iManager:

  • Select Passwords > Password Policies.
  • Select a policy, then click Edit.
  • Select Universal Password Configuration Options.
    • Select from a drop-down list or a tab, depending on your version of iManager and your browser.
  • Select the option, then click OK.

Also, the user must have previously set up Forgotten Password by answering the Challenge Set questions.

E-mail Hint to User#

The user receives the Password Hint in an e-mail. To use this option, the user must have previously set up Forgotten Password by providing a Password Hint.

Show Hint on Page#

The user is shown the Password Hint in iManager. To use this option, the user must have previously set up Forgotten Password by providing a Password Hint.

Authentication#

Force User to Configure Challenge Questions and/or Hint upon Authentication#

If you select this option, when a user logs in to iManager or the iManager self-service console, the user is required to configure the Forgotten Password feature. The user provides answers to the Challenge Set questions or creates a Password Hint.

This option is helpful because it makes sure that users are prepared to take advantage of Forgotten Password self-service when they need it, instead of calling the help desk.

This option is especially helpful if you change the Forgotten Password settings, because it requires users to update their Forgotten Password configurations.

??? Does this do anything outside of iManager?

This page (revision-5) was last changed on 05-Oct-2017 10:31 by jim