3.1 Overview of Password Policy Features

A password policy is a collection of administrator-defined rules that specify the criteria for creating and replacing enduser passwords. NMAS™ enables you to enforce password policies that you assign to users in Novell® eDirectory™.

Password policies also include Forgotten Password Self-Service features, to reduce help desk calls for forgotten passwords. Another self-service feature is Reset Password Self-Service, which lets users change their passwords while viewing the rules the administrator has specified in the password policy. Users access these features through the iManager self-service console.

Most features of password management require Universal Password to be enabled. Ideally, you would also integrate the iManager self-service console into your existing company portal, if you have one, to give users easy access to Forgotten Password Self-Service and Reset Password Self-service. The iManager self-service console is available only with iManager 2.0.2.

You create Password Policies by using a wizard. In iManager, click Passwords > Password Policies > New.

Password Management lets you set the following:

3.1.1 Universal Password

Password Policy requires you to enable Universal Password for your users if you want to use Advanced Password Rules, Password Synchronization, and many of the Forgotten Password features.

For information on deploying Universal Password, see Section 2.0, Deploying Universal Password.

3.1.2 Advanced Password Rules

Advanced Password Rules let you define the following criteria for the Universal Password:

  • The lifetime of a password: Password Policies provide the same policy features eDirectory has offered in the past, so you can specify how often a password must be changed, and whether it can be reused.
  • What a password contains: You can require a combination of letters, numbers, upper- or lowercase letters, and special characters. You can exclude passwords that you don’t feel are secure, such as your company name.

To use Advanced Password Rules in a password policy, you must enable Universal Password. If you don't enable Universal Password for a policy, the password restrictions set for NDS® Password are enforced instead.

NOTE:  When you create a password policy and enable Universal Password, the Advanced Password Rules are enforced instead of any existing password settings for NDS Password. The legacy password settings are ignored. No merging or copying of previous settings is done automatically when you create password policies.

For example, if you have a setting for the number of grace logins that you use with the NDS Password, when you enable Universal Password you need to re-create the grace logins setting in the Advanced Password Rules in the password policy.

If you later disabled Universal Password in the password policy, the existing password settings that you had are no longer ignored. They would be enforced for NDS Password.

3.1.3 Enforcement of Policies in eDirectory

When you assign a password policy to users in the tree, any password changes going forward must comply with the Advanced Password Rules in that policy. In the portal (iManager 2.02, Virtual Office, and eXtend Director), the password rules are displayed in the page where the user changes the password. In Novell Client™ 4.9 SP2 or later, the rules are also displayed. In both methods, a noncompliant password is rejected. NMAS is the application that enforces these rules.

You can specify in the policy that existing passwords are checked for compliance and users are required to change existing noncompliant passwords.

You can also specify that when users authenticate through a portal, they are prompted to set up any Forgotten Password features you have enabled. This is called post-authentication services. For example, if you want users to create a Password Hint that can be e-mailed to them when they forget a password, you can use post-authentication services to prompt users to create a Password Hint at login time.

The post-authentication setting is the last option on the Forgotten Password property page.