LDAPWiki: Implementing Universal Password

Overview#

A How To on Implementing Universal Password

Universal Password is more of a framework for managing passwords called NSPM.

Below is a document Novell wrote to help you through the Universal Password implementation process.

You may also want to take a look at the Universal Password deployment web page

How to deploy Universal Password as a container admin:

Create Universal Password Policy
Test the Policy
Export the Policy from the Security Container
Import the edited LDIF to your container
Assign rights to the policy
Test the created, exported, edited and imported Policy
Universal Password Policy Assignment
Editing a moved Policy
Universal Password Diagnostic Utility
More Information

Create Universal Password Policy #

The first step in deploying Universal Passwords is to create a Universal Password Policy. This policy will dictate the rules (e.g. Password Quality, expiration, history, etc.) for the Universal Password.

By default all Universal Password policies are stored in the Security Container off of the root of the tree. Since Container admins do not have the necessary rights to create password policies in the Security Container, the password policy will either need to be created in a test tree, or with the help of root Admins, in the tree.

Using iManager:

Using iManager login to a tree with root admin credentials
Expand the "Passwords" tasks, in the left hand "Roles and Tasks" frame.
Click on Password Policies This will read the Security Container for existing Password Policies and display them in a list in the right hand frame.
Click the "New" button. You will then be prompted to name the policy.
Name the policy and give it a description. You may also provide a Password Change Message to be displayed when using newer versions of the Novell Client.
Click Next. You will then be able to turn on Universal Password with this policy (default) or leave it turned off. Leave UP turned on.
Click the "View Options" button to display Universal Passwords options.
The Universal Password Synchronization and Retrieval options are then displayed.
- If you check the box for "Remove the NDS password when setting Universal Password" only NMAS methods will be able to login. Other non-NMAS methods (e.g. older Novell clients) that use the NDS password will not be able to login.
- "Synchronize NDS password when setting Universal Password" is checked by default. If you check the "Remove NDS password..." option, this option becomes invalid. If you uncheck this box, the NDS password will not be synchronized when the Universal Password is set (e.g. set Universal Password with 4.9 client, the NDS password will be different, thus the different NDS Password would be needed to login with the 4.8 client).
- Depending on your environment you may wish to add the "Synchronize Simple Password when setting Universal Password" option (e.g. if you use Netware 6.0 AFP).
- The "Allow user agent to retrieve password" option allows the use of the Forgotten Password features.
- The "Allow admin to retrieve passwords" permits the use of third-party products that could retrieve the password from eDirectory.
- "The Synchronize Distribution Password when setting Universal Password" option determines whether the DirXML engine can retrieve or set a user's Universal Password in eDirectory.
- The "Verify whether existing passwords comply with the password policy (verification occurs on login)" will check existing passwords against the applied policy, if users login via iManager or the iManager self-service console. * You will then be prompted for the "Advanced Password Rules". Be very careful when setting these rules. If, for example, password synchronization is in place, using these rules, it is possible to create a stricter Universal Password than the connected system (e.g. these rules could be stricter than the Kerberos password, and break the synchronization). Click Next. * You will be asked if you want to enable the Forgotten Password feature. If you are using ID Provisioning, with the password web-change page, you likely do not need to enable this feature, and can leave the default "No (skip to Step 7). Click Next. * You will be prompted to Assign this newly created policy. Password Policies can be assigned to users, containers or to the tree. You can either assign the policy now to a test user, or click Next and assign the policy later. Click Next. * The "Password Policy Summary" is displayed. This shows the results of the selections you have made in the creation of this policy. If all the selections are correct, click Finish to save the policy, or back to make modifications.

Test the Universal Password Policy#

After creating the policy, but before exporting it from the Security Container, test the policy on a test user account. First assign the policy to a test user via iManager or manually adding the necessary attribute to the test user.

Using iManager:

Using iManager login to a tree with root admin credentials
Expand the "Passwords" tasks, in the left hand "Roles and Tasks" frame.
Click on Password Policies - This will read the Security Container for existing Password Policies and display them in a list in the right hand frame.
Highlight the policy you wish to assign and click "Edit..."
You will be presented with the Password Policy Summary. Click on the "Policy Assignment" tab.
Use the Object Selector to Browse to the user object whom will be assigned to the policy. Click "Apply".

Manually add the Universal Password policy attribute using Console One:

Navigate to the user object whom will be assigned to the policy.
Open the properties of the user object, go to the "Other" tab.
Click the "Add" button, highlight the "nspmPasswordPolicyDN" attribute and click "OK".
The Attribute entry will be added, but will have not value assigned. Click the browse button to select the Password Policy to be assigned.
nspmPasswordPolicyDN: cn=policy-name,ou=ou-name,ou=ou-name,dc=willeke,dc=com

With the policy assignment in place, test the effectiveness of the password policy. Test with the same methodologies in production use (e.g. Client32, AFP, NetStorage, etc).

Export the Policy from the Security Container#

After creating and testing the policy, the policy will need to be exported from the Security Container where it was created. The export is the first step in moving the policy from the Security Container to a place within the unit's own container (where it can be managed, and changed if needed at a later time).

How To export#

One easy way to export the policy is to use a LDAP browser/editor. One such tool can be found here: http://www.novell.com/coolsolutions/tools/13765.html

Using the LDAP browser, connect to the tree, and navigate to and highlight the policy to be exported.
From the LDIF menu select export. Enter a name for the LDIF file and click "Export".
The exported Password Policy should now be in a text file at the name and path provided.

After exporting the policy to an LDIF file, it will need to be edited to reflect where it's new location is going to be within the tree. Using a plain text editor open up the LDIF file and edit the "dn" entry to reflect it's location to be. For example:

	dn: cn=test-policy-name, ou=Password-Policies, ou=test, dc=willeke,dc=com

Import the edited LDIF to your container#

After creating and testing the policy and then exporting and editing the LDIF, the policy can be imported into the tree.

How To Import#

Using the LDAP browser, connect to the tree and from the LDIF menu select Import.
Navigate to and select the policy that was exported and edited with the new DN

Assign rights to the Policy#

When Universal Password Policies live in the Security Container, the policies inherit rights from the Security Container. These rights enable the Password Policy to be reported to the user. When the Password Policy is exported and then imported to another location in the tree, these rights are lost and need to be manually added to the policy in it's new location.

The rights needed to the policy are:

	All Attributes
		Compare
		Read

	Entry
		Browse

We suggest assigning these rights to the container where the user objects reside (and also directly to a test user if the test user does not reside in the same container as the other users).

Test the created, exported, edited and imported Policy#

After creating and testing, exporting, editing and importing the Policy, the policy needs to be tested with a test user in the production environment. Assign the policy to a test user via iManager or manually adding the necessary attribute to the test user.

Using iManager:#

Using iManager login to a tree with root admin credentials
Expand the "Passwords" tasks, in the left hand "Roles and Tasks" frame.
Click on Password Policies This will read the Security Container for existing Password Policies and display them in a list in the right hand frame.
Highlight the policy you wish to assign and click "Edit..."
You will be presented with the Password Policy Summary. Click on the "Policy Assignment" tab.
Use the Object Selector to Browse to the user object whom will be assigned to the policy. Click "Apply".

Manually add the Universal Password policy attribute using Console One:

Navigate to the user object whom will be assigned to the policy.
Open the properties of the user object, go to the "Other" tab.
Click the "Add" button, highlight the "nspmPasswordPolicyDN" attribute and click "OK". Note: The list is sorted by capitalization first.
The Attribute entry will be added, but will have not value assigned. Click the browse button to select the Password Policy to be assigned.
nspmPasswordPolicyDN: cn=policy-name,ou=ou-name,ou=ou-name,dc=willeke,dc=com

With the policy assignment in place, test the effectiveness of the password policy. Test with the same methodologies in production use (e.g. Client32, AFP, NetStorage, etc).

Universal Password Policy Assignment #

If the policy works as expected, it can then be assigned on a broader scale.Universal Password policies can be assigned to containers or user(s). Assign the policy via iManager or manually adding the necessary attribute to the container or desired user(s).

Editing a moved Policy#

If it becomes necessary to edit a Password Policy which has been moved out of the Security Container, you can not use the Passwords->Password Policies task because it is hard coded to look inside Security Container for policies, you can not browse to other locations. To edit a moved policy, using iManager:

Click the "View Objects" icon in the tool bar at the top of the page (it looks like a box with a magnifying glass hovering over it)
Navigate to the Password Policy object and select it by clicking on it in the list. A pop-up window should appear, select "Modify Object"
The property pages for the Password Policy will open up in the right side frame.
Edit the policy as desired.
- Note: At this time there is a bug with the "View Objects" frame; the pop-up does not appear when using Firefox.

Universal Password Diagnostic Utility#

After deploying a Universal Password policy, during testing it will likely be useful to check the status of the passwords and/or the password policy which is in force.

DIAGPWD allows an administrator to view what Universal Password Policy is associated to a user and whether the Simple, NDS and Universal Passwords are synched.

More Information#

In addition to the Universal Password deployment web page

mentioned above, some other pages you may find helpful are: