Inheritance with Universal Password
Novell Cool Solutions: Feature
By Akos Szechy
Posted: 21 Jun 2006
There are many articles covering the different features and functions of Universal Password (UP). This one gives you an overview of how password policy inheritance works with UP.
Inheritance
As you probably know, with UP you can set up password requirements based on different criteria. These criteria are defined in a Universal Password Policy (UPP). The UPP objects are stored in the Security container, in a special container called Password Policies. Before eDirectory 8.8, this caused several tree-walking issues, because the Security container is part of the [Root] partition by default, which is usually not replicated to every site. With eDirectory 8.8 this is no longer an issue, as you have the External Reference Caching feature (for more information, please visit
You need to use iManager - or an LDIF file - to manage password policies. In iManager you must have the Passwords role, where you will find the different tasks to manage UP.
A policy can be assigned at four levels:
- User level
- Container level
- Partition level
- Default password policies
Each policy is applied as a whole: policies do not inherit settings from each other, and the most specific assignment replaces any less specific one completely. For example, you cannot set the "Minimum number of characters in password" setting at the container level and the "Maximum number of characters in password" setting at the user level and expect both to apply - these settings are not combined. In that case only the user-level policy takes effect, so only the "Maximum number of characters in password" setting is enforced and the container policy's minimum is ignored.
First, let's discuss the different levels.
If you assign the UPP to the User object, you basically require the user to use that policy, even if a different policy is defined at any other level.
If you assign a UPP to a container object, the UPP will be inherited by every object directly under that container, but NOT by objects under its sub-containers. Also, as discussed earlier, a user-level policy assignment takes priority over the container-level setting; therefore, the container-level policy takes effect only for users without a direct policy assignment.
If you assign a UPP to a partition root object (the object that represents a partition boundary), the UPP will be inherited by every object in that partition - that is, by every container AND sub-container below the partition root object, down to the next partition boundary. The same rule applies here: container- and user-level password policies take priority over partition-level policies.
Default Password Policies
If no partition-, container- or user-level policies are specified, the NMAS-enabled client will look for password policies in the Password Policies container in the Security container at the top of the tree. Default password policies are created by some products (such as Identity Manager).
The UPP-object assignment is a two-way relationship. There is an attribute pointing from the Policy to the assigned object, and there is an attribute pointing back from the associated object to the policy. With this two-way relationship, eDirectory can be sure that the assignment will be found from any direction.
The policy-to-object direction is used when iManager checks which objects are assigned to a given policy. In this case the "nsimAssignments" attribute on the policy object is used; it contains the list of objects the policy is assigned to. As you can see in the figure below, the Akos_FL_Policy is assigned to the fl.akos container.
Figure 1 - Policy and container assignment
The object-to-policy direction is used when you run the View Policy Assignments task of the Passwords role in iManager. Basically, here you check which policy is assigned to a given object. In this situation the nspmPasswordPolicyDN attribute of that object is used; it points to the Password Policy object (as you can see below - in our example, the fl.akos container points to Akos_FL_Policy):
Figure 2 - Object to policy assignment
In summary, the following flowchart shows what happens during a login process regarding Universal Password policies:
Figure 3 - UP flow for login process
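As an added example, not code from this article or from Novell, the following Python script models the login-time resolution shown in Figure 3 together with the four assignment levels and the two-way assignment attributes described above (nsimAssignments on the policy object, nspmPasswordPolicyDN on the assigned object). The tree, partition layout, user and policy names, and the "partitionRoot" marker are constructed for this example; the setting attribute names nspmMinPasswordLength and nspmMaxPasswordLength and the default-policy DN are assumptions used only for illustration. Precedence is implemented exactly as the article states it: a user assignment wins, then the immediate parent container (whose policy does not reach sub-containers), then the root of the user's own partition, then the default policy, and the winning policy is applied whole, with no merging of settings from other levels.

```python
"""Resolve the effective Universal Password policy for a user.

The directory below is a constructed stand-in for a small eDirectory tree,
not a real export. DNs are written leaf-first with dots, as in the article's
"fl.akos". "partitionRoot" is a marker invented for this example to mark a
partition boundary. The policy setting attribute names and the default-policy
DN are assumptions made for illustration.
"""

DEFAULT_POLICY_DN = "Default Policy.Password Policies.Security"  # assumed name

TREE = {
    # Policy objects: their settings plus the policy-to-object link
    # (nsimAssignments) that iManager uses to list who is assigned.
    "Akos_Partition_Policy.Password Policies.Security": {
        "nspmMinPasswordLength": 6, "nsimAssignments": ["akos"]},
    "Akos_FL_Policy.Password Policies.Security": {
        "nspmMinPasswordLength": 8, "nsimAssignments": ["fl.akos"]},
    "Bob_Policy.Password Policies.Security": {
        "nspmMaxPasswordLength": 16, "nsimAssignments": ["bob.fl.akos"]},
    DEFAULT_POLICY_DN: {"nspmMinPasswordLength": 4, "nsimAssignments": []},
    # Directory objects: the object-to-policy link (nspmPasswordPolicyDN) that
    # "View Policy Assignments" uses. "akos" and "ext.akos" are partition roots.
    "akos": {"partitionRoot": True,
             "nspmPasswordPolicyDN": "Akos_Partition_Policy.Password Policies.Security"},
    "fl.akos": {"nspmPasswordPolicyDN": "Akos_FL_Policy.Password Policies.Security"},
    "eng.fl.akos": {},
    "alice.fl.akos": {},        # direct child of fl.akos
    "bob.fl.akos": {"nspmPasswordPolicyDN": "Bob_Policy.Password Policies.Security"},
    "carol.eng.fl.akos": {},    # grandchild of fl.akos: its policy does not reach here
    "ext.akos": {"partitionRoot": True},   # child partition with no policy of its own
    "dave.ext.akos": {},
}


def parent_dn(dn):
    """Immediate parent of a leaf-first dotted DN, or None at the tree root."""
    return dn.split(".", 1)[1] if "." in dn else None


def assigned_policy(dn, tree):
    """Policy directly assigned to dn via nspmPasswordPolicyDN, or None."""
    return tree.get(dn, {}).get("nspmPasswordPolicyDN")


def resolve_policy(user_dn, tree=TREE, default=DEFAULT_POLICY_DN):
    """Return (level, policy_dn) for the single policy that governs user_dn.

    Precedence follows the article: user assignment, then the immediate parent
    container (a container policy does not reach sub-containers), then the
    partition root of the user's own partition, then the default policy.
    """
    if assigned_policy(user_dn, tree):
        return "user", assigned_policy(user_dn, tree)
    parent = parent_dn(user_dn)
    parent_attrs = tree.get(parent, {}) if parent else {}
    if not parent_attrs.get("partitionRoot") and assigned_policy(parent, tree):
        return "container", assigned_policy(parent, tree)
    # Walk up to the first partition boundary. Containers passed on the way are
    # skipped: their policies apply only to their direct children.
    dn = parent
    while dn is not None:
        if tree.get(dn, {}).get("partitionRoot"):
            if assigned_policy(dn, tree):
                return "partition", assigned_policy(dn, tree)
            break   # this partition has no policy; do not continue into the parent partition
        dn = parent_dn(dn)
    return "default", default


def effective_settings(user_dn, tree=TREE):
    """Settings of the governing policy, taken whole: nothing is merged in from
    policies at other levels."""
    level, policy_dn = resolve_policy(user_dn, tree)
    settings = {k: v for k, v in tree[policy_dn].items() if k != "nsimAssignments"}
    return level, policy_dn, settings


def check_links(tree=TREE):
    """Find one-way assignments. Every nspmPasswordPolicyDN must be mirrored by
    an nsimAssignments entry on the policy, and vice versa."""
    problems = []
    for dn, attrs in tree.items():
        policy = attrs.get("nspmPasswordPolicyDN")
        if policy and dn not in tree.get(policy, {}).get("nsimAssignments", []):
            problems.append(f"{dn} points to {policy}, but {policy} does not list it")
        for target in attrs.get("nsimAssignments", []):
            if assigned_policy(target, tree) != dn:
                problems.append(f"{dn} lists {target}, but {target} does not point back")
    return problems


if __name__ == "__main__":
    for user in ("bob.fl.akos", "alice.fl.akos", "carol.eng.fl.akos", "dave.ext.akos"):
        print(user, "->", effective_settings(user))
    print("link problems:", check_links() or "none")
```

Running the script shows bob governed by his own policy (maximum length only, with no minimum inherited from fl.akos), alice by the fl.akos container policy, carol by the partition policy because fl.akos is her grandparent rather than her parent, and dave by the default policy because his partition root has no assignment. The check_links function is the practitioner's sanity check for the two-way relationship: an assignment written with LDIF that updates only one of the two attributes shows up here as a one-way link, and iManager's "View Policy Assignments" and the policy's own assignment list would then disagree.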
Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com