Issues to Watch For

• In a mixed environment of Novell Client software prior to the Novell Client for Windows NT/2000/XP version 4.9 or the Novell Client for Windows 95/98 version 3.4 (including Native File Access servers on NetWare 5.1 and NetWare 6), if passwords are changed from those older systems, only the older values will be changed, driving the NDS and/or the simple password out of synchronization with the Universal password. This might be an issue only for users who log in to their account from both older Novell Client workstations (prior to Client for Windows NT/2000/XP version 4.9 or Novell Client for Windows 95/98 v3.4) and from newer Novell Client workstations (Novell Client for Windows NT/2000/XP version 4.9 or Novell Client for Windows 95/98 version 3.4). If so, the problem will only occur if users are either using international characters in passwords or if they change the password from the older workstation.
• When you disable a user's NDS password, the NDS password is set to an arbitrary value that is unknown to the user. The following describes how some login methods handle this change.
  • The Simple Password method is not disabled if the NDS password is disabled. The Simple Password method uses the Universal Password if it is enabled and available. Otherwise, it uses the simple password. If Universal Password is enabled but not set, then the Simple Password method sets the Universal Password with the simple password.
  • The Enhanced Password method is not disabled when the NDS password is disabled. The enhanced password does not use the Universal Password for login. However, it can be configured to set the Universal Password, if the Universal Password is enabled, when the user changes the enhanced password.
  • The NDS Password method is not disabled when the NDS password is disabled. The NDS Password method will use the Universal Password if it is enabled and available. Otherwise, it will use the NDS password. If the Universal Password is enabled but not set, then the NDS Password method will set the Universal Password with the NDS password.
• A security enhancement was added to NMAS 2.3.4 regarding Universal Passwords changed by an administrator. It works basically the same way as the feature previously provided for NDS Password. If an administrator changes a user's password, such as when creating a new user or in response to a help desk call, for security the password is automatically expired if you have enabled the setting to expire passwords in the Password Policy. The setting in the Password Policy is in Advanced Password Rules, named "Number of days before password expires (0-365)." For this particular feature, the number of days is not important, but the setting must be enabled.
• After Implementing Universal Passwords, Some Applications Fail to Load

  After implementing UP, NDPS, ZEN, NILE (SSL connections), and SLPDA may not work. This is an application problem; the auto-generated passwords created by these applications violate password policies.

  The workaround is described in TID 10092957, and a patch will soon be available.

• NDS Password Settings Are Replaced by New Password Policies

  If you create a Password Policy (currently only possible using Identity Manager 2) and enable Universal Password, the Advanced Password Rules are enforced instead of any existing password settings for NDS Password. The legacy password settings are ignored. No merging or copying of previous settings is done automatically when you create Password Policies.

  For example, if you had a setting for the number of grace logins that you were using with the NDS Password, when you enable Universal Password you need to re-create the grace logins setting in the Advanced Password Rules in the Password Policy.