4.1 Configuring Universal Passwords

Novell® Kerberos KDC can be integrated with Universal Password so that there is a single password to authenticate to eDirectory and Kerberos. The eDirectory and Kerberos passwords are synchronized by using the Kerberos Password Agent.

4.1.1 Prerequisites

  • Enable Universal Password in eDirectory.

    You can enable Universal Password at the tree, container, or user level.

    For more information, refer to the Deploying Universal Password section in the Novell Password Management Administration Guide.

  • Ensure that the Synchronize Distribution Password while setting Universal Password option is enabled in the password policy at the level (tree, container, or user) that is in effect.

4.1.2 Integrating Universal Password with the Novell Kerberos KDC

To enable Universal Password, first enable it at the realm or user level, then set or modify the password as follows.

Enabling Universal Passwords at the Realm Level

Enable Universal Password at the time of creating the realm. Alternatively, after the realm is created, you can enable universal passwords by editing the realm.

You can use either of the following methods to enable Universal Passwords:

Command Line
kdb5_ldap_util -H ldaps://ldap-server1.mit.edu -D cn=admin,o=org -r ATHENA.MIT.EDU create -subtrees o=org -up
kdb5_ldap_util -H ldaps://ldap-server1.mit.edu -D cn=admin,o=org -r ATHENA.MIT.EDU modify -up

NOTE: To disable Universal Password, use the above command with the -clearup option.

iManager
  1. In Novell iManager, click the Roles and Tasks button.

  2. Click Kerberos Management > New Realm.

    If you are modifying the realm, click Kerberos Management > Edit Realm.

Refer to the iManager online help for more information.

NOTE: If Universal Password is configured for a principal, that configuration takes precedence over the realm-level configuration.

Enabling Universal Password at the User Level

You can enable Universal Password for the principal at the time of creating the principal. Alternatively, after the principal is created, you can edit the principal.

Command Line
add_principal -x up=on -x dn=cn=alice,o=org alice
modify_principal -x up=on alice

NOTE: To disable Universal Password, use the above commands with the up=off or up=clr option. To fall back to the realm-level configuration when Universal Password is enabled for the principal, use the above command with the up=clr option.

iManager
  1. In Novell iManager, click the Roles and Tasks button.

  2. Select Kerberos Management > New Principal.

    If you are modifying the principal, click Kerberos Management > Edit Principal.

Refer to the iManager online help for more information.

Use the following table to check if Universal Password has been enabled for a user.

Table 4-1 Checking if Universal Password Is Enabled or Disabled

  Universal Password Configuration Level      Is Universal Password Enabled?
  Realm          Principal
  -----------    -----------                  ------------------------------
  True           True                         Yes
  True           False                        No
  False          True                         Yes
  False          False                        No
  True           Not Present                  Yes
  False          Not Present                  No
  Not Present    True                         Yes
  Not Present    False                        No
  Not Present    Not Present                  No
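The precedence rule behind Table 4-1 (the principal-level setting wins, up=clr falls back to the realm, and Not Present at the deciding level means disabled), written out as an added model that is not the KDC's own code. It assumes that -clearup stores a False realm setting and that a realm created without -up, or a principal added without -x up=..., has no setting at all (Not Present).

```python
"""Model of the Universal Password (UP) precedence rule of the Novell
Kerberos KDC. Constructed illustration, not the KDC's own code.

Realm level:     kdb5_ldap_util ... create/modify -up | -clearup
Principal level: add_principal/modify_principal -x up=on | up=off | up=clr
A principal setting overrides the realm setting; up=clr removes the
principal setting so the realm value applies again (Table 4-1).
"""
from typing import Optional

# None models the "Not Present" state of Table 4-1.
UPState = Optional[bool]


def resolve_up(realm_up: UPState, principal_up: UPState) -> bool:
    """Return whether UP is in effect for a principal (Table 4-1 logic)."""
    if principal_up is not None:      # principal setting takes precedence
        return principal_up
    return bool(realm_up)             # Not Present at realm level -> No


class Realm:
    """Tracks the flags the commands above set on a realm and its principals."""

    def __init__(self, name: str, create_with_up: bool = False) -> None:
        self.name = name
        # Assumption: a realm created without -up has no UP attribute.
        self.up: UPState = True if create_with_up else None
        self.principals: dict[str, UPState] = {}

    def modify(self, option: str) -> None:
        """kdb5_ldap_util modify: -up enables; -clearup is assumed to store False."""
        if option == "-up":
            self.up = True
        elif option == "-clearup":
            self.up = False
        else:
            raise ValueError(f"unsupported realm option {option!r}")

    def set_principal(self, name: str, up_option: Optional[str] = None) -> None:
        """add_principal / modify_principal with an optional -x up=... option."""
        states = {"up=on": True, "up=off": False, "up=clr": None}
        if up_option is None:             # added without -x up=... -> Not Present
            self.principals.setdefault(name, None)
        elif up_option in states:
            self.principals[name] = states[up_option]
        else:
            raise ValueError(f"unsupported principal option {up_option!r}")

    def up_enabled(self, name: str) -> bool:
        """Effective UP state for an existing principal; KeyError if unknown."""
        return resolve_up(self.up, self.principals[name])
```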

Ensure that the Kerberos Password Agent is loaded when Universal Password is enabled in Kerberos and eDirectory. If the Kerberos Password Agent is not running, the passwords are not synchronized when the Universal Password is changed in eDirectory. Additionally, when the password is changed by using cpw or kpasswd in Kerberos, the principal's Kerberos key version might not be consistent.

Setting or Modifying the Universal Password

When a new principal is added, the Kerberos password and the Universal Password are not synchronized. The Kerberos keys are generated from the password specified while adding the principal. For the Kerberos password to be the same as the Universal Password, the Universal Password of the user must be modified after the principal is created. You can set or modify the Universal Password either in eDirectory or in Kerberos.

In Kerberos, if the principal is Universal Password enabled and kpasswd or cpw is used to change the Kerberos password, the change also modifies the Universal Password of the user with which the principal is associated. This in turn synchronizes the passwords of all principals that are associated with that user and have Universal Password enabled.