
Creating a Custom XML Universal Password Policy

Novell Cool Solutions: Feature
By Brett Berger


Posted: 7 Feb 2007
 

Introduction

The majority of those using Universal Password are well served by the feature set included in Novell Modular Authentication Service (NMAS) and the Password Management iManager plug-in. The Password Management iManager plug-in provides the flexibility to configure a Password Policy that meets the needs of your organization.

However, what happens when the Password Management iManager plug-in doesn't give you the flexibility you need?

The answer: You can create your own customized XML Universal Password Policy. Until now, this has been an undocumented feature in the NMAS 3.x code base. Customization of a Universal Password policy isn't for everyone. As mentioned above, the majority of users will have their needs fulfilled by the Password Management iManager plug-in. However, if you can't create the policy you need, it might be worth considering a customized Universal Password policy.

This document covers the following areas:

  • Schema for creating customized XML Universal Password Policies
  • Examples of customized XML Universal Password Policies (with explanations)
  • How to enable and create these policies
  • Explanation and definitions of all of the available elements and attributes
  • Known issues

Schema of a Customized XML Universal Password Policy

ComplexityPolicies

Contains one or more Policy elements. The password is valid if it meets the requirements of at least one of the policies.

Policy

Contains one or more RuleSet elements. The password meets the policy if it complies with all of the rule sets in the policy.

RuleSet

Contains one or more Rule elements. It may also carry a ViolationsAllowed attribute, which gives the number of rules in the RuleSet that the password may violate while still meeting the requirements of the rule set. Note: ViolationsAllowed is not required; when it is absent, every rule in the RuleSet must be met.

Rule

May have the following attributes:

MinPwdLen, MaxPwdLen, MinUppercase, MaxUppercase, MinLowercase, MaxLowercase, MinNumeric, MaxNumeric, MinSpecial, MaxSpecial, MaxRepeated, MaxConsecutive, MinUnique, UppercaseFirstCharDisallowed, UppercaseLastCharDisallowed, LowercaseFirstCharDisallowed, LowercaseLastCharDisallowed, FirstCharNumericDisallowed, LastCharNumericDisallowed, FirstCharSpecialDisallowed, LastCharSpecialDisallowed, ExtendedCharDisallowed.

All attributes are optional and described in detail at the bottom of this document.

Format of Policy

<ComplexityPolicies>
  <Policy>
    <RuleSet>
       <Rule/>
    </RuleSet>
  </Policy>
</ComplexityPolicies>

The complexity policy XML describes only password syntax rules: the length and composition of the password, and which kinds of characters may appear in particular positions. Password policy rules that are not syntax rules are not part of the complexity policy XML.

For example, you can set the "Password Unique Required", "Password Lifetime", "Password Expiration Interval", and "Login Grace Limit" attributes to the desired values via the iManager Password Management Plug-ins.

Examples of Customized XML Universal Password Policies (with explanations)

Example #1

<ComplexityPolicies>
  <Policy>
    <RuleSet>
      <Rule MinPwdLen="6"/>
      <Rule MinNumeric="1"/>
      <Rule MinSpecial="1"/>
    </RuleSet>
  </Policy>
  <Policy>
    <RuleSet>
      <Rule MinPwdLen="6"/>
      <Rule MinNumeric="2"/>
    </RuleSet>
  </Policy>
  <Policy>
    <RuleSet>
      <Rule MinPwdLen="6"/>
      <Rule MinSpecial="2"/>
    </RuleSet>
  </Policy>
</ComplexityPolicies>

In this example multiple Policies are defined. A password satisfies a Policy if it complies with every RuleSet in that Policy, and it satisfies the Complexity Policy if it satisfies at least one Policy. Since there are three Policies here, the password must comply with one of the three. Multiple Policies are treated as ORs: Policy1 or Policy2 or Policy3.

In this example, the password must be:

  • At least 6 characters long, with 1 number and 1 special character
  • OR at least 6 characters long, with 2 numbers
  • OR at least 6 characters long, with 2 special characters.

Any of these 3 options would satisfy the Complexity Policy.

Example #2 - Microsoft "3 of 4" Password Policy

<ComplexityPolicies>
  <Policy>
    <RuleSet>
      <Rule MinPwdLen="6"/>
    </RuleSet>
    <RuleSet ViolationsAllowed="1">
      <Rule MinUppercase="1"/>
      <Rule MinLowercase="1"/>
      <Rule MinNumeric="1"/>
      <Rule MinSpecial="1"/>
    </RuleSet>
  </Policy>
</ComplexityPolicies>

This policy has a minimum password length of 6 characters (the first RuleSet). The second RuleSet holds four requirements:

  • Minimum of one uppercase character
  • Minimum of one lowercase character
  • Minimum of one numeric character
  • Minimum of one special character

Note that only 3 of these 4 requirements must be met for the password to comply with the Password Policy, because the second RuleSet sets ViolationsAllowed="1". Nothing ties the length floor to the 3-of-4 rule, so raise MinPwdLen in the first RuleSet if your policy calls for a longer minimum.

Note: The ability to mimic the Microsoft Password policy has been a popular enough request to make a change to the Password Management iManager plug-in. This new feature in the Password Management iManager plug-in is targeted to be released with the Identity Manager 3.5 release. Until the new Password Management iManager plug-in is released, you can use the above XML policy to create your own custom policy.

Enabling and Creating Custom Policies

Prerequisites

1. Apply Security Services 2.0.3 (or greater). Search for "Security Services" at http://download.novell.com

The Security Services patch lays down the schema files; however, it does not extend the schema.

2. Extend the schema with the following files: NMAS.SCH, NSPM.SCH, and NSIMPM.SCH

Creating a Customized XML Universal Password Policy

1. Log in to iManager.

2. Select Passwords Role > Password Policies task.

3. Select New.

4. Name the Password Policy and click Next.

5. Select the Universal Password options you want and click Next.

6. Add rules to the Password Policy, with the desired Change Password and Password Lifetime options.

Note: Do not set or change the rest of the password syntax rules, such as Password Length, Repeating Characters, and so on. The presence of the nspmComplexityRules attribute (which you add later, with the customized XML Universal Password Policy as its value) overrides any password syntax rules set on a Password Policy. Because the XML replaces those rules rather than adding to them, any syntax rule you leave out of the XML is not enforced.

7. Enable the Forgotten Password feature (decide if this will be turned on).

8. Assign the Password Policy to a test user for now.

9. Click Next.

10. Accept the Summary of the Password Policy and click Finish.

Adding the Customized XML Password Policy

Now that we have a Password Policy created, we need to edit it and add the Customized XML Password Policy.

1. Log in to iManager.

2. Select the Directory Administration Role, then the Modify Object task.

3. Browse to and select the newly created Password Policy, then click OK.

4. Select the General tab.

5. On the General tab, under Unvalued Attributes, select the nspmComplexityRules attribute and move it to the Valued Attributes side.

When you select and move this attribute, another dialog asks for the customized XML Universal Password Policy you created.

6. Type or copy and paste your customized XML Universal Password Policy into the dialog box.

7. Click OK and then Apply.

At this point, your customized XML Universal Password Policy has been created.
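The Modify Object task writes a single attribute, so the same change can be scripted over LDAP. The following is an added example written for this page, not a Novell tool or the article's own procedure: it builds the LDIF change record that ldapmodify needs to replace nspmComplexityRules on the policy object. The policy DN is made up, and it is an assumption that the attribute is reachable under the same name over LDAP and that the bound identity has write rights to it; apply it to the policy assigned to your test user first.

```python
"""Build the LDIF that ldapmodify needs to set nspmComplexityRules on a password
policy object. Added example; the DN used below is made up, and it is assumed that
the attribute is exposed under the same name over LDAP."""
import base64
import xml.etree.ElementTree as ET


def complexity_rules_ldif(policy_dn, policy_xml):
    """Return an LDIF change record that replaces nspmComplexityRules with policy_xml."""
    root = ET.fromstring(policy_xml)          # refuse malformed XML before it reaches the tree
    if root.tag != "ComplexityPolicies":
        raise ValueError("root element must be ComplexityPolicies")
    # An LDIF clear-text value may not start with '<' or contain newlines, so the XML
    # is base64-encoded and introduced with "::"; "replace" overwrites any old value.
    encoded = base64.b64encode(policy_xml.encode("utf-8")).decode("ascii")
    return "\n".join(["dn: " + policy_dn, "changetype: modify",
                      "replace: nspmComplexityRules",
                      "nspmComplexityRules:: " + encoded, "-", ""])


if __name__ == "__main__":
    # Hypothetical policy object; adjust the DN to your tree. Apply with, for example:
    #   ldapmodify -H ldaps://ldap.example.com -D cn=admin,o=example -W -f policy.ldif
    policy = """<ComplexityPolicies><Policy><RuleSet>
  <Rule MinPwdLen="12"/><Rule MinUnique="8"/></RuleSet></Policy></ComplexityPolicies>"""
    print(complexity_rules_ldif("cn=Custom XML Policy,cn=Password Policies,cn=Security", policy))
```

Redirect the output to a file and pass it to ldapmodify with -f; the well-formedness check only guards the XML syntax, so the resulting policy still needs to be tried against the test user before it is assigned more widely.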

Definition and Explanation of Available Elements and Attributes

Definition

<!ELEMENT ComplexityPolicies (Policy+)>
<!ELEMENT Policy (RuleSet+)>
<!ELEMENT RuleSet (Rule+)>
<!ELEMENT Rule EMPTY>

<!ATTLIST RuleSet ViolationsAllowed CDATA #IMPLIED>
<!ATTLIST Rule MinPwdLen CDATA #IMPLIED>
<!ATTLIST Rule MaxPwdLen CDATA #IMPLIED>
<!ATTLIST Rule MinUppercase CDATA #IMPLIED>
<!ATTLIST Rule MaxUppercase CDATA #IMPLIED>
<!ATTLIST Rule MinLowercase CDATA #IMPLIED>
<!ATTLIST Rule MaxLowercase CDATA #IMPLIED>
<!ATTLIST Rule MinNumeric CDATA #IMPLIED>
<!ATTLIST Rule MaxNumeric CDATA #IMPLIED>
<!ATTLIST Rule MinSpecial CDATA #IMPLIED>
<!ATTLIST Rule MaxSpecial CDATA #IMPLIED>
<!ATTLIST Rule MaxRepeated CDATA #IMPLIED>
<!ATTLIST Rule MaxConsecutive CDATA #IMPLIED>
<!ATTLIST Rule MinUnique CDATA #IMPLIED>
<!ATTLIST Rule UppercaseFirstCharDisallowed CDATA #IMPLIED>
<!ATTLIST Rule UppercaseLastCharDisallowed CDATA #IMPLIED>
<!ATTLIST Rule LowercaseFirstCharDisallowed CDATA #IMPLIED>
<!ATTLIST Rule LowercaseLastCharDisallowed CDATA #IMPLIED>
<!ATTLIST Rule FirstCharNumericDisallowed CDATA #IMPLIED>
<!ATTLIST Rule LastCharNumericDisallowed CDATA #IMPLIED>
<!ATTLIST Rule FirstCharSpecialDisallowed CDATA #IMPLIED>
<!ATTLIST Rule LastCharSpecialDisallowed CDATA #IMPLIED>
<!ATTLIST Rule ExtendedCharDisallowed CDATA #IMPLIED>

Elements

ComplexityPolicies

Contains one or more password policy elements. The password is valid if it meets the requirements of one or more of the password policies.

Policy

Contains one or more rule set elements. The password meets the policy if the password complies to all of the rule sets in the policy.

RuleSet

Contains one or more rule elements. It may also have a ViolationsAllowed attribute, which gives the number of rules in the rule set that the password may violate while still meeting the requirements of the rule set.

Rule

May have the following attributes: MinPwdLen, MaxPwdLen, MinUppercase, MaxUppercase, MinLowercase, MaxLowercase, MinNumeric, MaxNumeric, MinSpecial, MaxSpecial, MaxRepeated, MaxConsecutive, MinUnique, UppercaseFirstCharDisallowed, UppercaseLastCharDisallowed, LowercaseFirstCharDisallowed, LowercaseLastCharDisallowed, FirstCharNumericDisallowed, LastCharNumericDisallowed, FirstCharSpecialDisallowed, LastCharSpecialDisallowed, ExtendedCharDisallowed. All attributes are optional.

Attributes

  • MinPwdLen - minimum number of characters that are required in the password
  • MaxPwdLen - maximum number of characters that are allowed in the password
  • MinUppercase - minimum number of uppercase characters that are required in the password
  • MaxUppercase - maximum number of uppercase characters that are allowed in the password
  • MinLowercase - minimum number of lowercase characters that are required in the password
  • MaxLowercase - maximum number of lowercase characters that are allowed in the password
  • MinNumeric - minimum number of numeric characters that are required in the password
  • MaxNumeric - maximum number of numeric characters that are allowed in the password
  • MinSpecial - minimum number of special characters that are required in the password
  • MaxSpecial - maximum number of special characters that are allowed in the password
  • MaxRepeated - maximum number of times any one character may occur in the password
  • MaxConsecutive - maximum number of times a character can be used consecutively in the password
  • MinUnique - minimum number of different characters that are required in the password
  • UppercaseFirstCharDisallowed - specifies if uppercase characters are disallowed as the first character of the password
  • UppercaseLastCharDisallowed - specifies if uppercase characters are disallowed as the last character of the password
  • LowercaseFirstCharDisallowed - specifies if lowercase characters are disallowed as the first character of the password
  • LowercaseLastCharDisallowed - specifies if lowercase characters are disallowed as the last character of the password
  • FirstCharNumericDisallowed - specifies if numeric characters are disallowed as the first character of the password
  • LastCharNumericDisallowed - specifies if numeric characters are disallowed as the last character of the password
  • FirstCharSpecialDisallowed - specifies if special characters are disallowed as the first character of the password
  • LastCharSpecialDisallowed - specifies if special characters are disallowed as the last character of the password
  • ExtendedCharDisallowed - specifies if extended characters are disallowed in the password

Character Type Definitions

  • Uppercase characters are as defined from the Latin-1 (code page 850).
  • Lowercase characters are also as defined from the Latin-1 (code page 850).
  • Numeric characters are 0, 1, 2, 3, 4, 5, 6, 7, 8, and 9.
  • Special characters are all characters that are not uppercase characters, lowercase characters, or numeric characters.
  • Extended characters are those not included in the 7-bit ASCII character set.
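The semantics above (Policies OR'd, RuleSets AND'd, ViolationsAllowed counted per RuleSet), Examples #1 and #2 earlier in this document, and the attribute and character-type definitions can all be exercised offline. The following is an added example written for this page, not code from Novell or from the NMAS server: it parses a ComplexityPolicies document, refuses anything outside the element and attribute definitions above, and reports which attributes a candidate password violates. Which strings count as "true" for the *Disallowed flags is an assumption (the DTD only says CDATA), as is using Python's Latin-1 case tables in place of code page 850.

```python
"""Evaluate a password against a ComplexityPolicies document with the semantics the
article gives: Policies are OR'd, RuleSets in a Policy are AND'd, and a RuleSet
tolerates up to ViolationsAllowed failed Rules. Added example, not the NMAS server's
code; see the lead-in for the assumptions about flag spellings and code page 850."""
import xml.etree.ElementTree as ET

# Character classes as the article's "Character Type Definitions" describe them.
def _is_upper(c): return ord(c) < 256 and c.isupper()
def _is_lower(c): return ord(c) < 256 and c.islower()
def _is_digit(c): return c in "0123456789"
def _is_special(c): return not (_is_upper(c) or _is_lower(c) or _is_digit(c))
def _is_extended(c): return ord(c) > 0x7F                        # outside 7-bit ASCII
def _flag(v): return v.strip().lower() in ("true", "yes", "1")   # assumed true-spellings

COUNTS = ("PwdLen", "Uppercase", "Lowercase", "Numeric", "Special")
POSITIONAL = {  # (predicate, index into the password) for each positional flag
    "UppercaseFirstCharDisallowed": (_is_upper, 0), "UppercaseLastCharDisallowed": (_is_upper, -1),
    "LowercaseFirstCharDisallowed": (_is_lower, 0), "LowercaseLastCharDisallowed": (_is_lower, -1),
    "FirstCharNumericDisallowed": (_is_digit, 0), "LastCharNumericDisallowed": (_is_digit, -1),
    "FirstCharSpecialDisallowed": (_is_special, 0), "LastCharSpecialDisallowed": (_is_special, -1),
}
FLAGS = set(POSITIONAL) | {"ExtendedCharDisallowed"}
RULE_ATTRS = FLAGS | {"MaxRepeated", "MaxConsecutive", "MinUnique"} | {
    p + n for p in ("Min", "Max") for n in COUNTS}

def _max_consecutive(pw):
    best = run = 0
    for i, c in enumerate(pw):
        run = run + 1 if i and pw[i - 1] == c else 1
        best = max(best, run)
    return best

def validate_policy(root):
    """Reject anything outside the element/attribute definitions. Worth running before
    the XML goes into nspmComplexityRules, which replaces every syntax rule set in iManager."""
    def expect(cond, msg):
        if not cond: raise ValueError(msg)
    expect(root.tag == "ComplexityPolicies" and len(root) > 0, "need ComplexityPolicies with a Policy")
    for policy in root:
        expect(policy.tag == "Policy" and not policy.attrib and len(policy) > 0, "bad Policy")
        for ruleset in policy:
            expect(ruleset.tag == "RuleSet" and len(ruleset) > 0, "bad RuleSet")
            expect(set(ruleset.attrib) <= {"ViolationsAllowed"}, "RuleSet takes only ViolationsAllowed")
            expect(int(ruleset.get("ViolationsAllowed", "0")) >= 0, "ViolationsAllowed must be >= 0")
            for rule in ruleset:
                expect(rule.tag == "Rule" and len(rule) == 0, "Rule must be an empty element")
                expect(set(rule.attrib) <= RULE_ATTRS, "unknown Rule attribute in %s" % sorted(rule.attrib))
                for name, value in rule.attrib.items():
                    expect(name in FLAGS or int(value) >= 0, "%s must be a non-negative integer" % name)

def rule_violations(rule, pw):
    """Names of the attributes of one Rule that the password fails."""
    have = dict(zip(COUNTS, (len(pw), sum(map(_is_upper, pw)), sum(map(_is_lower, pw)),
                             sum(map(_is_digit, pw)), sum(map(_is_special, pw)))))
    bad = []
    for name, value in rule.attrib.items():
        if name[3:] in have:                      # Min*/Max* counting rules
            ok = have[name[3:]] >= int(value) if name[:3] == "Min" else have[name[3:]] <= int(value)
        elif name == "MaxRepeated":
            ok = all(pw.count(c) <= int(value) for c in set(pw))
        elif name == "MaxConsecutive":
            ok = _max_consecutive(pw) <= int(value)
        elif name == "MinUnique":
            ok = len(set(pw)) >= int(value)
        elif name == "ExtendedCharDisallowed":
            ok = not _flag(value) or not any(map(_is_extended, pw))
        else:                                     # positional flags; "" has no first/last char
            pred, idx = POSITIONAL[name]
            ok = not _flag(value) or not pw or not pred(pw[idx])
        if not ok:
            bad.append(name)
    return bad

def check_password(policy_xml, pw):
    """Return (accepted, failures); failures holds the violated attribute names for
    each Policy that rejected the password and is empty when the password is accepted."""
    root = ET.fromstring(policy_xml)
    validate_policy(root)
    failures = []
    for policy in root:                                       # Policies are OR'd
        reasons = []
        for ruleset in policy:                                # RuleSets are AND'd
            broken = [v for v in (rule_violations(r, pw) for r in ruleset) if v]
            if len(broken) > int(ruleset.get("ViolationsAllowed", "0")):  # a Rule counts once
                reasons += [n for v in broken for n in v]
        if not reasons:
            return True, []
        failures.append(reasons)
    return False, failures

THREE_OF_FOUR = """<ComplexityPolicies><Policy>
  <RuleSet><Rule MinPwdLen="6"/></RuleSet>
  <RuleSet ViolationsAllowed="1"><Rule MinUppercase="1"/><Rule MinLowercase="1"/>
    <Rule MinNumeric="1"/><Rule MinSpecial="1"/></RuleSet></Policy></ComplexityPolicies>"""

if __name__ == "__main__":
    for candidate in ("Passw0rd", "password1", "Pa$$w"):
        print(candidate, check_password(THREE_OF_FOUR, candidate))
```

Run as a script, the Microsoft 3-of-4 policy accepts Passw0rd (three of the four classes), rejects password1 (only two classes) and rejects Pa$$w (too short). The validation step is the part to keep: nspmComplexityRules replaces every syntax rule configured in iManager, so you want to know that every attribute name in the XML is one NMAS defines before the policy is stored, rather than discover it through passwords that should have been refused.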

Known Issues

Creating and using customized XML Universal Password Policies has its limitations. Because the password policy is stored as XML, any client that tries to display the password policy will have difficulty rendering it. The NMAS server does, however, enforce these customized XML Universal Password Policies correctly.

The following applications have known issues with this policy:

  • Novell Client attempting to view the password policy through the Password Policy button
  • iManager setting the Universal Password via the Set Universal Password task. This task normally displays the Universal Password settings so that the user knows what the policy is and can choose a password that meets it.
  • Any other utility that attempts to display the password policy



© 2014 Novell