We were been asked by several companies to reduce their help desk calls that were based on password changes and password reset requests.
We have written several custom password management applications including some that work with Novell's Challenge-Response implementation.
We have also implemented methods to allow pre-population of the Novell's Challenge-Response implementation form values on the user's attributes.
One of the most interesting of the clients requirement was to display the password to the user if they forgot their password.
Why display the Password?#The client uses Lotus Notes Client which has the ID file stored on the local hard drive of each user. the client uses the Lotus Notes password tool that will take the password from the local Windows Client and set the Lotus Notes password on the local ID file.
The client has a Novell IDM infrastructure that synchronizes passwords from LDAP (eDirectory) to and form Active Directory. There are many other password stores in which passwords are synchronized from their LDAP to the other password stores. Some of the password stores are: RACF, DB2, Oracle, a Point Of Sale system and Retail Management System.
If the user would change the password from LDAP, then the Lotus Notes ID file password would no longer be in-sync with the rest of the users passwords.
In addition, provided the user answered their challenge-response questions correctly, the client wanted to un-lock the user's account within Active Directory if the account was locked.
The Client's Primary user platform (97%) was Windows XP. A few MACs and a few Linux users were also present.
Overview#One of the larger challenges for password self service is the lack of a password usually prevents the user from accessing any application. That is, if the user can not login to their desktop, how can they run an application or even a browser?
Novell (and I assume others) provide methodologies to allow the user to access a browser prior to logging into the desktop. Novell implements the Client Login Extension.
Novell's eDirectory implements a supportedSASLMechanisms=NMAS_LOGIN. This method allows a user to perform a SASL bind to LDAP. When the user submits their challenge responses to the LDAP server and if the submitted responses are correct, then the user has an authenticated connection to the LDAP server.
This allows the user to retrieve their current password.
We have further enhanced this offering and can provide it to your organization for a reasonable cost. See Automated Password Self Service