5.4 Preparing to Use Identity Manager Password Synchronization and Universal Password

5.4.1 Switching Users from NDS Password to Universal Password

When you turn on Universal Password for a group of users by using a password policy, the user needs the Universal Password to be populated.

If you have previously been using Password Synchronization to update the NDS password, you need to plan for the transition of users’ passwords. To switch to using Universal Password, you can do one of the following to have your users create a Universal Password:

  • If you use the Novell Client, roll out the Novell Client that supports Universal Password.

    The Novell Client is not required for Identity Manager Password Synchronization.

    After you roll out the Novell Client, the next time users log in by using the Novell Client, it captures the NDS password before it is hashed, and uses it to populate the Universal Password. (See “Planning Login and Change Password Methods for your Users” in the Password Management guide.)

  • If you are not using the Novell Client, have users log in to the iManager self-service console. That login method populates Universal Password. To access the iManager self-service console, go to /nps on your iManager server. For example, https://www.myiManager.com/nps.

  • Have users log in by using any service that authenticates by using a Universal-Password-enabled LDAP server. For example, log in through a company portal.

5.4.2 Helping Users Change Passwords

When a user changes a password in iManager, the iManager self-service console, or the Novell Client, the Advanced Password Rules from the NMAS password policy are displayed. Viewing the rules enables the user to create a compliant password without needing to guess at the rules.

Depending on how your password flow is set up, a user could change a password on a connected system, and the password would be synchronized to Identity Manager and other connected systems. However, the connected systems don't display the Advanced Password Rules when the user changes a password.

If you want to enforce Advanced Password Rules and avoid noncompliant passwords, it's best to require users to change the password only in the iManager self-service console or Novell Client, or at least make sure that the Advanced Password Rules are well publicized for users.

On a connected system, the user is allowed to change the password without viewing the password policy rules. Therefore, the user might not remember the rules correctly. Only the policies of the connected system itself are enforced when users first make the change. The following issues might occur for the user when creating a noncompliant password on a connected system, depending on your Identity Manager settings:

  • If you have enabled the setting that enforces the policy on passwords coming in to Identity Manager from connected systems, the user's new password won't be synchronized to the Identity Vault. If you have set Identity Manager to notify users of failure, they find out by e-mail that their password didn't synchronize.

  • If you also have set Identity Manager to replace noncompliant passwords on connected systems, the user cannot log in on the connected system by using the new password that he or she chose.

    Identity Manager resets the password on the connected system to the Distribution Password, which is probably the last compliant password that the user created.
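To make the three outcomes above concrete, here is an added example (not Novell's code) that models what happens to a password changed on a connected system under each combination of the settings described in this section; the rule set, the setting names and the sample passwords are constructed for illustration.

```python
"""Added example (not Identity Manager code): models the flow described in
5.4.2 for a password changed on a connected system. Rule names, setting
names and sample values are constructed assumptions."""
from dataclasses import dataclass

@dataclass
class PasswordRules:          # a few constructed Advanced Password Rules
    min_length: int = 8
    require_digit: bool = True
    require_special: bool = False

@dataclass
class SyncSettings:           # hypothetical names for the three IDM settings
    enforce_policy_on_incoming: bool       # check passwords from connected systems
    notify_user_on_failure: bool           # e-mail the user when sync fails
    replace_noncompliant_on_connected: bool  # reset connected system to Distribution Password

def violations(pw: str, rules: PasswordRules) -> list[str]:
    """Names of the rules the password breaks (empty when compliant)."""
    out = []
    if len(pw) < rules.min_length:
        out.append(f"shorter than {rules.min_length}")
    if rules.require_digit and not any(c.isdigit() for c in pw):
        out.append("no digit")
    if rules.require_special and pw.isalnum():
        out.append("no special character")
    return out

def sync_outcome(new_pw, distribution_pw, rules, settings):
    """Return (password in the Identity Vault, password on the connected
    system, list of events) after the user sets new_pw on a connected system.
    distribution_pw is the last compliant password Identity Manager holds."""
    probs = violations(new_pw, rules)
    if not settings.enforce_policy_on_incoming or not probs:
        # compliant, or never checked: vault and Distribution Password follow the change
        return new_pw, new_pw, ["synchronized"]
    events = ["not synchronized to Identity Vault: " + ", ".join(probs)]
    if settings.notify_user_on_failure:
        events.append("e-mail sent to user")
    connected_pw = new_pw        # connected system keeps the noncompliant password...
    if settings.replace_noncompliant_on_connected:
        connected_pw = distribution_pw   # ...unless IDM resets it; user's new password no longer works there
        events.append("connected system reset to Distribution Password")
    return distribution_pw, connected_pw, events
```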

5.4.3 Preparing to Use Universal Password

To prepare to use Universal Password, refer to “Deploying Universal Password” in the Password Management Administration Guide. Most of the information that you need is in that chapter.

In addition, keep in mind the following:

  • eDirectory 8.7.1 or later is required for using Universal Password. NetWare® 6.5 is not required.

  • Identity Manager Password Synchronization relies on both Universal Password and the Distribution Password. The Distribution Password is the repository from which Identity Manager distributes passwords to connected systems. As with Universal Password, NMAS policies can be enforced on the Distribution Password.

  • The Identity Manager iManager plug-ins, which ship with Identity Manager, include the Password Management plug-ins. These plug-ins enable you to create password policies and determine how you want Universal Password to be synchronized with NDS Password, Simple Password, and Distribution Password.

    These plug-ins replace the plug-ins for Universal Password that shipped with NetWare 6.5. They are described in “Managing Passwords by Using Password Policies” in the Password Management Administration Guide.

  • eDirectory 8.6.2 can't be used for the tree that Identity Manager is using. However, eDirectory 8.6.2 is supported for a subset of password synchronization features. Therefore, you can use eDirectory 8.6.2 for other trees if you are not yet ready to upgrade your entire environment.

  • One way to reduce the impact when you are upgrading software for deploying Universal Password is to create a separate tree for Identity Manager as an Identity Vault. Many environments already use an Identity Vault for Identity Manager and the drivers.

  • Universal Password gives you capabilities, such as enforcement of password policies and the ability to use special characters, that were not supported with previous password management tools.

  • It's very important to update the Novell Client and other utilities, to avoid having the NDS Password get out of sync with the Universal Password (sometimes referred to as “password drift”). See “Planning Login and Change Password Methods for Your Users” in the Password Management Administration Guide.

  • The latest version of the Novell Client supports Universal Password, can populate Universal Password for a user when you first enable Universal Password for that user, and can display and enforce NMAS password policies when users are changing passwords.

  • A connected system does not display the Advanced Password Rules that you create in a password policy. At this time, neither does the Novell Client, although it enforces them.

    It's best to require users to change the password only in the iManager self-service console.

    If you allow users to change their passwords on a connected system or by using the latest version of the Novell Client, help users be successful in creating a compliant password by making sure your password policy rules are well publicized for your users.

  • Make sure that administrators and help desk understand that ConsoleOne® supports Universal Password only if it is used on a NetWare® 6.5 server or later, or is used on a machine that has the latest Novell Client.

  • Make sure administrators and help desk users understand the implications of using utilities that support only NDS Password. These utilities can be used to log in, but they should not be used to change passwords. This measure avoids password drift.

    The Novell Modular Authentication Services (NMAS) 3.0 Administration Guide references a TID that lists utilities and their support for Universal Password.

5.4.4 Matching Containers

NMAS password policies are assigned with a tree-centric perspective. In contrast, Password Synchronization is set up per driver. Drivers are installed on a per-server basis and can manage only those users who are in a master or read/write replica.

To get the results you expect from Password Synchronization, make sure that the containers that are in a master or read/write replica on the server running the drivers for Password Synchronization match the containers where you have assigned password policies with Universal Password enabled. Assigning a password policy to a partition root container ensures that all users in that container and subcontainers are assigned the password policy.
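The container check described above can be scripted against an inventory of the driver server's replicas and the policy assignments. The following is an added example (not Novell's code): it walks a list of user DNs, finds the deepest partition root that holds each user and the replica type the driver server has for it, and reports users that Password Synchronization would miss in either direction. The DNs, partition roots and replica types are constructed sample data.

```python
"""Added example (not Identity Manager code): per-user check that the
Universal Password policy assignments match the master or read/write
replicas on the server running the Password Synchronization drivers.
All DNs, partition roots and replica types below are constructed."""

def dn_parts(dn):
    # "cn=bob,ou=emea,o=acme" -> ["cn=bob", "ou=emea", "o=acme"], normalised
    return [p.strip().lower() for p in dn.split(",")]

def is_within(dn, ancestor):
    """True if dn equals ancestor or lies beneath it in the tree."""
    d, a = dn_parts(dn), dn_parts(ancestor)
    return len(d) >= len(a) and d[len(d) - len(a):] == a

def partition_of(dn, partition_roots):
    """Deepest partition root containing dn (None if outside all of them)."""
    roots = [r for r in partition_roots if is_within(dn, r)]
    return max(roots, key=lambda r: len(dn_parts(r))) if roots else None

def check_users(user_dns, policy_containers, server_replicas):
    """Return {user DN: problem} for users Password Synchronization will miss.
    server_replicas maps partition root -> replica type on the driver server."""
    problems = {}
    for user in user_dns:
        # policy assigned at a partition root also covers its subcontainers
        has_policy = any(is_within(user, c) for c in policy_containers)
        part = partition_of(user, server_replicas)
        writable = part is not None and server_replicas[part] in ("master", "read/write")
        if has_policy and not writable:
            problems[user] = f"policy assigned but partition {part} is not writable here"
        elif writable and not has_policy:
            problems[user] = "writable replica here but no Universal Password policy"
    return problems

# constructed sample data: what the driver server holds, and how
SERVER_REPLICAS = {
    "o=acme": "read/write",
    "ou=emea,o=acme": "read-only",   # child partition, only a read-only copy here
}
POLICY_CONTAINERS = ["ou=users,o=acme", "ou=emea,o=acme"]
USERS = [
    "cn=alice,ou=users,o=acme",      # policy and writable replica: fine
    "cn=bob,ou=emea,o=acme",         # policy, but the partition is read-only here
    "cn=carol,ou=lab,o=acme",        # writable replica, but no policy assigned
    "cn=dave,o=other",               # neither: not this server's concern
]
```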

5.4.5 Setting Up E-Mail Notification

To use the e-mail notification feature, you must do the following:

  • Use the Notification Configuration task in iManager to set up the e-mail server.

  • Use the Notification Configuration task in iManager to customize the e-mail templates if desired.

  • Make sure that the Identity Vault users have the Internet EMail Address attribute populated.

Follow the instructions in Section 5.12, Configuring E-Mail Notification.