4.6 Passwords

Password management is a core eDirectory feature that can be enhanced by adding DirXML/Identity Manager.

4.6.1 Challenge Sets

A Challenge Set is a set of questions that can be answered by a user to prove his or her identity, instead of using a password.

When you create a Password Policy, you can enable Forgotten Password self-service so that users can get help without calling the help desk. To make self-service more secure, you can create a Challenge Set and require that users answer the Challenge Set questions before obtaining password help.

To create a Challenge Set:

  1. In Roles and Tasks, select Passwords > Challenge Sets.

  2. Click New.

  3. Type a Challenge Set Name.

  4. Select Required Questions and/or Random Questions, then click OK.

IMPORTANT: You can manage Challenge Sets and Password Policies from iManager 2.5, but the forgotten password self-provisioning portal where users go if they have forgotten their passwords is not supported on iManager 2.5. Users must access an iManager 2.0.2 server to access the self-provisioning portal.

4.6.2 Password Policies

Make sure you have completed the steps in Prerequisites for Using Password Policies. The information there prepares you to use all the features of Password Policies.

  1. In Roles and Tasks, select Passwords > Password Policies.

  2. Click New to create a new Password Policy.

  3. Follow the steps in the wizard to create Advanced Password Rules, Universal Password Configuration Options, and Forgotten Password selections for the policy.

    See the online help for information about each step, as well as the information in Managing Passwords by Using Password Policies and in Password Self-Service in the eDirectory Deployment Guide.

4.6.3 Policy Assignments

You can assign a Password Policy to users in eDirectory by assigning the policy to the whole tree (using the Login Policy object), specific partitions or containers, or specific users. To simplify administration, assign a default policy to the whole tree, and assign any other policies you use as high up in the tree as possible.

A policy is not in effect until you assign it to one or more objects. You can assign a password policy to the following objects:

  • Login Policy object

    We recommend that you create a default Password Policy for all users in the tree, which you do by creating a policy and assigning it to the Login Policy object. The Login Policy object is located in the Security container just below the root of the tree.

  • A container that is a partition root

    If you assign a policy to a container that is the root of a partition, the policy assignment is inherited by all users in that partition, including users in subcontainers. To determine whether a container is a partition root, browse for the container and note whether a partition icon is displayed beside it.

  • A specific user

    Only one policy is effective for a user at a time. Novell Modular Authentication Services (NMAS) determines which policy is effective for a user by looking for policies in the following order, and applying the first one it finds.

    1. Specific user assignment: If a password policy has been assigned specifically to the user, that policy is applied.

    2. Container: If the user has no specific assignment, NMAS applies the policy that is assigned to the container which holds the user.

    3. Partition root container: If no policy is assigned to the user or to the container directly above the user, the policy assigned to the partition root container is applied.

    4. Login Policy object: If no policy is assigned to the user or other containers, the policy assigned to the Login Policy object is applied. It is the default policy for all users in the tree.
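The precedence order above is easy to misread when a policy sits on an ordinary container that is not a partition root. The following script is an added example, not part of the eDirectory documentation or product: it resolves the effective policy for a user by walking the four steps in order. The tree, the partition roots, the policy names and the assignment table are constructed for illustration; the DN notation (leaf first, dot separated) and the container names are assumptions.

```python
# Added example (not NMAS code): resolve the effective Password Policy for a user
# using the precedence order documented above:
#   1. user, 2. container directly above the user, 3. nearest partition root,
#   4. Login Policy object (tree default).
from typing import Dict, Iterator, Optional, Set, Tuple

# Constructed sample data: containers that are partition roots.
PARTITION_ROOTS: Set[str] = {"acme", "eng.acme"}

# Constructed name for the tree-wide default holder in the Security container.
LOGIN_POLICY_OBJECT = "Login Policy.Security"

# Constructed assignments: object DN -> Password Policy name.
ASSIGNMENTS: Dict[str, str] = {
    LOGIN_POLICY_OBJECT: "Default Policy",
    "eng.acme": "Engineering Policy",              # partition root
    "contractors.eng.acme": "Contractor Policy",   # ordinary container, not a partition root
    "bob.contractors.eng.acme": "Bob Special Policy",
}


def parent(dn: str) -> Optional[str]:
    """Return the container holding dn, or None when dn is already at the top."""
    _, sep, rest = dn.partition(".")
    return rest if sep else None


def ancestors(dn: str) -> Iterator[str]:
    """Yield containers from the immediate parent upward to the top of the tree."""
    cur = parent(dn)
    while cur is not None:
        yield cur
        cur = parent(cur)


def effective_policy(
    user_dn: str,
    assignments: Dict[str, str] = ASSIGNMENTS,
    partition_roots: Set[str] = PARTITION_ROOTS,
) -> Tuple[Optional[str], str]:
    """Return (policy_name, source), where source names the precedence step that won."""
    # 1. A policy assigned specifically to the user wins outright.
    if user_dn in assignments:
        return assignments[user_dn], "user"

    # 2. Otherwise the container directly above the user.
    container = parent(user_dn)
    if container is not None and container in assignments:
        return assignments[container], "container"

    # 3. Otherwise the nearest partition root above the user. Assignments on
    #    intermediate containers that are not partition roots are skipped,
    #    because only partition-root assignments are inherited downward.
    for anc in ancestors(user_dn):
        if anc in partition_roots and anc in assignments:
            return assignments[anc], "partition root"

    # 4. Otherwise the tree default on the Login Policy object, if one is set.
    if LOGIN_POLICY_OBJECT in assignments:
        return assignments[LOGIN_POLICY_OBJECT], "Login Policy object"
    return None, "none"


if __name__ == "__main__":
    for dn in ("bob.contractors.eng.acme", "alice.contractors.eng.acme",
               "eve.east.contractors.eng.acme", "dave.sales.acme"):
        print(dn, "->", effective_policy(dn))
```

Note how `eve.east.contractors.eng.acme` does not receive the Contractor Policy: her immediate container is unassigned, and `contractors.eng.acme` is not a partition root, so resolution continues up to the partition root `eng.acme`. When auditing policy coverage, checking every user with a function like this is more reliable than reading the assignment list alone.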

NOTE: Special Password Policies are automatically created for Driver Set objects.

4.6.4 Set Universal Password

Universal Password is the new password capability in eDirectory 8.7.3. You must enable Universal Password for your users if you want to use Advanced Password Rules, Password Synchronization, and many of the Forgotten Password features. To allow you or help desk personnel to set the Universal Password for a user, an iManager plug-in is provided. This plug-in displays the Advanced Password Rules from the user's Password Policy, to help you or a help desk user create a compliant Universal Password.

Universal Password allows or provides:

  • One password for all access to eDirectory
  • Use of extended characters in password
  • Advanced password policy enforcement
  • Synchronization of passwords from eDirectory to other systems

Universal Password is managed by the Secure Password Manager (SPM), a component of the NMAS™ module (nmas.nlm on NetWare). To set it:

  1. In Roles and Tasks, select Passwords > Set Universal Password.

  2. Specify a user for the Universal Password change text box and click OK.

    The current setting for the user should read Disabled.

  3. Select Enable.

  4. Click OK.

IMPORTANT: When you enable Universal Password on a container, it is enabled on all existing subcontainers as well. If you enable Universal Password at the Tree level, all subcontainers you create after enabling Universal Password will be enabled for Universal Password. However, if you enable Universal Password on a container below the Tree level, such as an Organization (O) or an Organizational Unit (OU), and then create a new subcontainer, you must enable Universal Password on that subcontainer. It is not automatically enabled.
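Because a subcontainer created under an O or OU after enabling does not inherit Universal Password, containers can silently fall outside the policy. The script below is an added example and not part of eDirectory or iManager: it models the enabling behaviour described above (propagation to existing subcontainers, inheritance only when the Tree level is enabled) and then reports subcontainers that still need manual enabling. The tree name, container names and the in-memory container model are constructed assumptions.

```python
# Added example (not eDirectory code): model Universal Password enabling on
# containers as described above and audit for subcontainers left disabled.
from dataclasses import dataclass
from typing import Dict, Iterator, List, Optional

TREE = "[Root]"   # constructed name for the Tree level


@dataclass
class Container:
    dn: str
    parent: Optional[str]          # None only for the Tree level
    universal_password: bool = False


def _descendants(tree: Dict[str, Container], dn: str) -> Iterator[Container]:
    """Yield every existing container beneath dn, depth first."""
    for c in list(tree.values()):
        if c.parent == dn:
            yield c
            yield from _descendants(tree, c.dn)


def enable_universal_password(tree: Dict[str, Container], dn: str) -> None:
    """Enable Universal Password on dn and on all of its existing subcontainers."""
    tree[dn].universal_password = True
    for c in _descendants(tree, dn):
        c.universal_password = True


def create_subcontainer(tree: Dict[str, Container], parent_dn: str, name: str) -> str:
    """Create a container. It starts enabled only if the Tree level was enabled;
    under an O or OU that was enabled by itself, the new container starts disabled."""
    dn = name if parent_dn == TREE else f"{name}.{parent_dn}"
    inherits = tree[TREE].universal_password
    tree[dn] = Container(dn, parent_dn, universal_password=inherits)
    return dn


def audit_gaps(tree: Dict[str, Container]) -> List[str]:
    """Return containers whose parent has Universal Password enabled but which do not.
    These are the subcontainers an administrator must enable by hand."""
    return sorted(
        c.dn for c in tree.values()
        if c.parent is not None
        and tree[c.parent].universal_password
        and not c.universal_password
    )


def _sample_tree() -> Dict[str, Container]:
    # Constructed sample tree: [Root] -> acme (O) -> eng.acme (OU)
    return {
        TREE: Container(TREE, None),
        "acme": Container("acme", TREE),
        "eng.acme": Container("eng.acme", "acme"),
    }


def scenario_org_level() -> List[str]:
    """Enable on the O only, then create a new OU: the new OU is reported as a gap."""
    tree = _sample_tree()
    enable_universal_password(tree, "acme")      # eng.acme is enabled by propagation
    create_subcontainer(tree, "acme", "sales")   # created afterwards: not enabled
    return audit_gaps(tree)


def scenario_tree_level() -> List[str]:
    """Enable at the Tree level, then create a new OU: nothing is left disabled."""
    tree = _sample_tree()
    enable_universal_password(tree, TREE)
    create_subcontainer(tree, "acme", "sales")
    return audit_gaps(tree)


if __name__ == "__main__":
    print("gaps after enabling on O only:", scenario_org_level())
    print("gaps after enabling at Tree level:", scenario_tree_level())
```

Running the audit after each reorganization of the tree catches the case the note warns about; enabling at the Tree level avoids it altogether for containers created later.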

4.6.5 E-mail Server Options

E-mail Server Options lets you specify the settings for the e-mail notification server.

  1. In Roles and Tasks, select Passwords > E-mail Server Options.

  2. Type the Host Name and From settings for your e-mail notification server.

  3. Select Authenticate to Server Using Credentials and supply the credentials.

  4. Click OK.

4.6.6 Edit E-mail Templates

You can customize the e-mail notification templates with your own text. The name of each template indicates what it is used for.

  1. In Roles and Tasks, select Passwords > Edit E-mail Templates.

    A list of templates appears, including the following:

    • Your request for your password hint
    • Your request for your current password
    • Notice of Password Reset Failure
    • Notice of Password Set Failure
    • Notice of Password Synchronization Failure

  2. Edit the templates. If you want to add any replacement tags, some additional tasks might be required. Follow the instructions in Adding Your Own Replacement Tags to E-Mail Notification Templates in the eDirectory Administration Guide.

  3. Restart DirXML drivers that need to be updated with the changes.

    The driver reads the templates and SMTP server information only at startup time.

For more information see Setting Up E-mail Templates in the eDirectory Administration Guide.