Overview of Password Policy Features
A password policy is a collection of administrator-defined rules that specify the criteria for creating and replacing end-user passwords. NsureTM Identity Manager takes advantage of NMASTM to enforce Password Policies that you assign to users in Novell® eDirectoryTM. Using Password Synchronization, you can also enforce Password Policies on connected systems, as explained in Password Synchronization across Connected Systems.
Password Policies also include Forgotten Password Self-Service features, to reduce help desk calls for forgotten passwords. Another self-service feature is Reset Password Self-Service, which lets users change their passwords while viewing the rules the administrator has specified in the Password Policy. Users access these features through the iManager self-service console.
Most features of password management require Universal Password to be enabled. Ideally, you would also integrate the iManager self-service console into your existing company portal, if you have one, to give users easy access to Forgotten Password Self-Service and Reset Password Self-service.
You create Password Policies using a wizard: in iManager, Password Management > Manage Password Policies > New.
The new Password Management features let you do the following:
- Enabling Universal Password
- Setting Advanced Password Rules
- Adding Your Own Password Change Message to Password Policies
- Providing Users with Forgotten Password Self-Service
- Providing Users with Reset Password Self-Service
- Assigning Policies to eDirectory Users
- Enforcing Policies in eDirectory
- Enforcing Policies on Connected Systems
- Viewing Which Password Policy Is in Effect for a User
- Setting Universal Password for a User
Enabling Universal Password
Universal Password is the new password capability in eDirectory 8.7.1. You must enable Universal Password for your users if you want to use Advanced Password Rules, Password Synchronization, and many of the Forgotten Password features.
A Password Policy lets you specify whether Universal Password is enabled. You can then assign the Password Policy to users (the whole tree, a container or partition, or specific user). Universal Password does not need to be on for the whole tree. Using different Password Policies, you can tailor your use of Universal Password to your needs. We recommend assigning Password Policies as high in the tree as possible to simplify administration.
Some additional planning is required to prepare your environment for Universal Password, such as upgrading the Novell ClientTM if you use it, and upgrading eDirectory.
You can also edit other Universal Password and NMAS settings in a Password Policy, such as whether NDS or Simple Password are synchronized with Universal Password.
The following figure shows an example of the property page where you specify Universal Password configuration options for a Password Policy.
Setting Advanced Password Rules
Advanced Password Rules let you define the following criteria for the Universal Password:
- Change password
- Allow the user to initiate password change
- Require unique passwords
You can specify how unique passwords are enforced by using one or both of the following two values.
- Limit the number of passwords to store in the history list (1-255)
If you require unique passwords, you can indicate how many passwords are stored in the history list for comparison. For example, if you specified 3, then the user's previous three passwords are stored. If a user tries to change his or her password and reuse one that is in the history list, the Password Policy rejects the password and the user is prompted to specify a different one.
- Limit the number of days to store a password in the history list (0-365)
If you require unique passwords, you can specify how many days a previous password remains stored in the history list for comparison.
For example, if you specified 30, and the user's previous password was "mountains99," that password would remain in the history list for 30 days. During that time, if the user tries to change his or her password and reuse "mountains99," the Password Policy rejects that password and the user is prompted to specify a different one. After the 30-day period, the old password is no longer stored for comparison, and the Password Policy allows it to be reused.
- Password lifetime
- Number of days before the password can be changed (0-365)
For example, if this value is set to 30, a user must keep the same password for 30 days before he or she can change it. The Password Policy does not allow the Universal Password to be changed by the user before that time has elapsed.
- Number of days before the password expires (0-365)
For example, if this value is set to 90, a user's password expires 90 days after it has been set. If grace logins are not enabled, the user cannot log in after a password has expired, and he or she requires administrator assistance to reset the password. However, if you enable grace logins, described in the next item, the user can log in with the expired password the specified number of times.
NOTE: A security enhancement was added to NMASTM 2.3.4 regarding Universal Passwords changed by an administrator. It works in much the same way as the feature previously provided for NDS® Password. If an administrator changes a user's password, such as when creating a new user or in response to a help desk call, for security the password is automatically expired if you have enabled the setting to expire passwords in the Password Policy. For this particular feature, the number of days is not important, but this setting must be enabled.
- Number of grace logins allowed after the password has expired (0-254)
When the password expires, this value indicates how many times a user is allowed to log in to eDirectory using the expired password. If grace logins are not enabled, the user cannot log in after a password has expired, and he or she requires administrator assistance to reset the password. If the value is 1 or more, the user has a chance to log in additional times before being forced to change the password. However, if the user does not change his or her password before all the grace logins are used, he or she is locked out and is unable to log in to eDirectory.
- Number of days before the password can be changed (0-365)
- Password length
- Minimum number of characters in the password (1-512)
- Minimum number of characters in the password (1-512)
- Repeating characters
- Minimum number of unique characters (1-512)
- Maximum number of times a specific character can be used (1-512)
- Maximum number of times a specific character can be repeated sequentially (1-512)
- Case sensitivity
- Minimum number of uppercase characters required in the password (1-512)
- Maximum number of uppercase characters allowed in the password (1-512)
- Minimum number of lowercase characters required in the password (1-512)
- Maximum number of lowercase characters allowed in the password (1-512)
- Numeric characters
- Allow numeric characters in the password
- Disallow a numeric character as the first character
- Disallow a numeric character as the last character
- Minimum number of numerals in the password (1-512)
- Maximum number of numerals in the password (1-512)
- Special characters
Special characters are the characters that are not numbers (0-9) and are not alphabetic characters. (The alphabetic characters are a-z, A-Z, and alphabetic characters in the Latin-1 code page 850.)
- Allow special characters in the password
- Disallow a special character as the first character
- Disallow a special character as the first character
- Minimum number of special characters (1-512)
- Maximum number of special characters (1-512)
- Password exclusions
The passwords that you exclude are case insensitive, so if you specify the word "test" as a word that cannot be used as a password, then "Test" and "TEST" are also excluded.
At this time, the list of excluded passwords must be typed manually, one at a time. Also, you can exclude only specific words, not a pattern or an eDirectory attribute.
NOTE: Keep in mind that password exclusions can be useful for a few words that you think would be security risks. Although an exclusion list feature is provided, it is not intended to be used for a long list of words such as a dictionary. Long lists of excluded words can affect server performance. Instead of a long exclusion list to protect against "dictionary attacks" on passwords, we recommend that you use the Advanced Password Rules to require numbers to be included in the password.
To use Advanced Password Rules in a Password Policy, you must enable Universal Password. If you don't enable Universal Password for a policy, the password restrictions set for NDS® Password are enforced instead.
NOTE: When you create a Password Policy and enable Universal Password, the Advanced Password Rules are enforced instead of any existing password settings for NDS Password. The legacy password settings are ignored. No merging or copying of previous settings is done automatically when you create Password Policies.
For example, if you have a setting for the number of grace logins that you use with the NDS Password, when you enable Universal Password you need to re-create the grace logins setting in the Advanced Password Rules in the Password Policy.
If you later disabled Universal Password in the Password Policy, the existing password settings that you had are no longer ignored. They would be enforced for NDS Password.
The following figure shows an example of the property page where you specify Advanced Password Rules for a Password Policy.
Adding Your Own Password Change Message to Password Policies
See Adding Your Own Password Change Message to Password Policies.
Assigning Policies to eDirectory Users
You can assign a Password Policy to users in eDirectory by assigning the policy to the whole tree (using the Login Policy object), specific partitions or containers, or specific users.
We recommend that you assign a default policy to the whole tree, and assign any other policies you use as high up in the tree as possible, to simplify administration.
NMAS determines which Password Policy is in effect for a user. See Assigning Password Policies to Users for more information on how to assign password policies to users.
If you are using Password Synchronization, keep in mind that you must make sure that the users who are assigned Password Policies match up with the users you want to participate in Password Synchronization for connected systems. Password Policies are assigned with a tree-centric perspective. By contrast, Password Synchronization is set up per driver, on a per-server basis. To get the results you expect from Password Synchronization, make sure the users that are in a read/write or master replica on the server running the drivers for Password Synchronization match with the containers where you have assigned Password Policies with Universal Password enabled. Assigning a Password Policy to a partition root container ensures that all users in that container and subcontainers are assigned the Password Policy.
The following figure shows an example of the property page where you specify which object Password Policy is assigned to.
Enforcing Policies in eDirectory
When you assign a Password Policy to users in the tree, any password changes going forward must comply with the Advanced Password Rules in that policy. In the browser, the password rules are displayed in the page where the user changes the password. In the Novell Client 4.9 SP2 or later, the rules are also displayed. In both methods, a noncompliant password is rejected. NMAS is the application that enforces these rules.
You can specify that existing passwords are checked for compliance and users are required to change existing noncompliant passwords.
You can also specify that when users authenticate through iManager or the iManager self-service console, they are prompted to set up any Forgotten Password features you have enabled. This is called post-authentication services. For example, if you want users to create a Password Hint that can be e-mailed to them when they forget a password, you can use post-authentication services to prompt users to create a Password Hint at login time.
The post-authentication setting is the last option in the Forgotten Password property page, as shown in the following figure.
Enforcing Policies on Connected Systems
If you are using Password Synchronization, settings are provided for each driver to let you enforce the Advanced Password Rules in a Password Policy.
You can do the following:
- Decide whether Identity Manager should accept passwords published by a connected system, as a general rule.
- Enforce policy on passwords coming in from a connected system. If the password doesn't comply, Identity Manager does not accept it.
- Enforce policies on the connected system by resetting noncompliant passwords. If the password coming in to Identity Manager is noncompliant, Identity Manager can reject the password change to the identity vault, and it can also use the existing Identity Manager Distribution Password to reset the password on the connected system.
- Notify users when password synchronization is not successful. For example, if the user created a noncompliant password on a connected system and Identity Manager did not accept it, the user could be informed by e-mail so she knows the password change was not synchronized.
If you are using Advanced Password Rules and are using Identity Manager Password Synchronization, we recommend that you research the password policies for all the connected systems to make sure the Advanced Password Rules in the eDirectory Password Policy are compatible, so that passwords can be synchronized successfully.
Keep in mind that you must make sure that the users who are assigned Password Policies match with the users you want to participate in Password Synchronization for connected systems.
Password Policies are assigned with a tree-centric perspective. By contrast, Password Synchronization is set up per driver, and drivers are installed on a per-server basis and can manage only those users who are in a master or read/write replica. To get the results you expect from Password Synchronization, make sure the users that are in a master or read/write replica on the server running the drivers for Password Synchronization match with the containers where you have assigned Password Policies with Universal Password enabled. Assigning a Password Policy to a partition root container ensures that all users in that container and subcontainers are assigned the Password Policy.
For more information on how you specify password flow, see Password Synchronization Settings You Create Using Global Configuration Values.
Viewing Which Password Policy Is in Effect for a User
In iManager, you can check to see which policy is in effect for a user. See Finding Out Which Policy a User Has.
Setting Universal Password for a User
To allow administrators or help desk personnel to set the Universal Password for a user, a new iManager plugin is provided. This plugin displays the Advanced Password Rules from the users' Password Policy, to help the administrator or help desk user create a compliant Universal Password. The Set Universal Password task is located in the Password Management role.