Novell Documentation: Nsure Identity Manager 2.0 - Preparing to Use Identity Manager Password Synchronization and Universal Password

Preparing to Use Identity Manager Password Synchronization and Universal Password

In this section:

Switching Users from NDS Password to Universal Password

When you turn on Universal Password for a group of users by using a Password Policy, the user needs the Universal Password to be populated.

If you have previously been using Password Synchronization to update the NDS password, you need to plan for the transition of user's passwords. To switch to using Universal Password, you can do one of the following things to have your users create a Universal Password:

If you use the Novell Client (it is not required for Identity Manager Password Synchronization), roll out the new Novell Client that supports Universal Password. The next time users log in using the new Novell Client, the client captures the NDS password before it is hashed, and uses it to populate the Universal Password. (See Planning Login and Change Password Methods for your Users.)
If you are not using the Novell Client, have users log in to the iManager self-service console. That login method populates Universal Password. To access the iManager self-service console, go to /nps on your iManager server. For example, https://www.myiManager.com/nps.
Have users log in using through any service that is authenticating using a Universal Password enabled LDAP server. For example, a company portal.

Changing Passwords Using the iManager Self-Service Console or Novell Client

When a user changes a password in iManager, the iManager self-service console, and the Novell Client, the Advanced Password Rules from the Password Policy are displayed. This allows the user to create a compliant password without needing to guess at the rules.

Depending on how your password flow is set up, a user could change a password on a connected system and it would be synchronized to Identity Manager and other connected systems. However, the connected systems don't display the Advanced Password Rules when the user changes a password.

If you want to enforce Advanced Password Rules and avoid noncompliant passwords, it's best to require users to change the password only in the iManager self-service console or Novell Client, or at least make sure the Advanced Password Rules are well publicized for users.

On a connected system, the user is allowed to change the password without viewing the Password Policy rules, and might not remember the rules correctly. Only the policies of the connected system itself will be enforced when users first make the change. The following issues might occur for the user when creating a noncompliant password on a connected system, depending on your Identity Manager settings:

If you have enabled the setting that enforces the policy on passwords coming in to Identity Manager from connected systems, the user's new password won't be synchronized to eDirectory. If you have set Identity Manager to notify users of failure, they find out by e-mail that their password didn't synchronize.
If you also have set Identity Manager to replace noncompliant passwords on connected systems, the user cannot log in with the new password he or she chose on the connected system.
Identity Manager resets the password on the connected system to the Distribution Password, which is probably the last compliant password the user created.

Preparing to Use Universal Password

Most of the information you need is in "Deploying Universal Password" in the Novell Modular Authentication Services (NMAS) 2.3 Administration Guide.

In addition, keep in mind the following:

eDirectory 8.7.1 or later is required for using Universal Password. NetWare 6.5 is not required, and the NetWare documentation has been updated to reflect this.
Identity Manager Password Synchronization relies on both Universal Password and another new kind of password, the Distribution Password, which is the repository from which Identity Manager distributes passwords to connected systems. Like Universal Password, policies can be enforced on the Distribution Password.
The DirXML iManager plug-ins, which ship with Identity Manager, include the new Password Management plug-ins that let you create Password Policies. These plug-ins let you determine how you want Universal Password to be synchronized with NDS Password, Simple Password, and Distribution Password.
These plug-ins replace the ones for Universal Password that shipped with NetWare 6.5. They are described in Managing Passwords by Using Password Policies.
eDirectory 8.6.2 can't be used for the tree that Identity Manager is using. However, eDirectory 8.6.2 is supported for a subset of password synchronization features, so it can be used for other trees if you are not yet ready to upgrade your whole environment.
One way to reduce the impact when you are upgrading software for deploying Universal Password is to create a separate tree for Identity Manager as an identity vault. Many environments already use an identity vault for DirXML and the drivers.
Universal Password gives you new capabilities that were not supported with previous password management tools, such as enforcement of Password Policies and the ability to use special characters.
It's very important to update the Novell Client and other utilities, to avoid having the NDS Password get out of sync with the Universal Password (sometimes referred to as "password drift"). See Planning Login and Change Password Methods for your Users.
The latest version of the Novell Client supports Universal Password, can populate it for a user when you first enable Universal Password for that user, and can display and enforce password policies when users are changing passwords.
A connected system does not display the Advanced Password Rules that you create in a Password Policy. At this time, neither does the Novell Client, although it enforces them.
Instead, it's best to require users to change the password only in the iManager self-service console.

If you allow users to change their passwords on a connected system or by using the latest version of the Novell Client, help users be successful in creating a compliant password by making sure your Password Policy rules are well publicized for your users.
For administrators and help desk users, make them aware that ConsoleOne^® supports Universal Password only if it is used on a NetWare^® 6.5 server or later, or is used on a machine that has the latest Novell Client.
Make sure administrators and help desk users understand the implications of using utilities that support only NDS Password. These utilities can be used to log in, but they should not be used to change passwords. This measure avoid "password drift," a situation in which the NDS Password gets out of sync with the Universal Password.
The Novell Modular Authentication Services (NMAS) 2.3 Administration Guide references a TID that lists utilities and their support for Universal Password.

Replica Planning and Password Policies

Password Policies are assigned with a tree-centric perspective. By contrast, Password Synchronization is set up per driver, and drivers are installed on a per-server basis and can manage only those users who are in a master or read/write replica. To get the results you expect from Password Synchronization, make sure the containers that are in a master or read/write replica on the server running the drivers for Password Synchronization match the containers where you have assigned Password Policies with Universal Password enabled. Assigning a Password Policy to a partition root container ensures that all users in that container and subcontainers are assigned the Password Policy.

Setting Up E-Mail Notification

To use the e-mail notification feature, you must do the following:

Use the Notification Configuration task in iManager to set up the e-mail server
Use the Notification Configuration task in iManager to customize the e-mail templates if desired.
Make sure that eDirectory users have the Internet EMail Address attribute populated.

Follow the instructions in Configuring E-Mail Notification.