3.2 Planning for Password Policies

The following are discussed in this section:

3.2.1 Planning How to Assign Password Policies in the Tree

We recommend that you assign a default policy to the whole tree and assign any other policies you use as high up in the tree as possible, to simplify administration.

NMAS determines which password policy is in effect for a user. See Section 3.5, Assigning Password Policies to Users for more information.

3.2.2 Planning the Rules for Your Password Policies

You can use the Advanced Password Rules in a password policy to enforce your business policies for passwords.

Keep in mind that only the Novell Client (4.9 SP2) and the iManager self-service console (iManager 2.0.2) display the password rules from the password policy. If your users will be changing their passwords through the LDAP server or on a connected system, you need to make the password rules readily available to users to help them be successful in creating a compliant password.

If you are using Password Synchronization, keep in mind that you must make sure that the users who are assigned password policies match with the users you want to participate in Password Synchronization for connected systems. Password policies are assigned with a tree-centric perspective. By contrast, Password Synchronization is set up per driver, on a per-server basis. To get the results you expect from Password Synchronization, make sure the users that are in a read/write or master replica on the server running the drivers for Password Synchronization match with the containers where you have assigned password policies with Universal Password enabled. Assigning a password policy to a partition root container ensures that all users in that container and subcontainers are assigned the password policy.

3.2.3 Planning Login and Change Password Methods for your Users

There are several different ways a user can log in or change a password. For all of them, you need to upgrade your environment to eDirectory 8.7.3 or later with the associated LDAP server, NMAS 2.3 or later, and iManager 2.0.2 or later. For more information about upgrading to support Universal Password, see Section 2.0, Deploying Universal Password.

This section explains the additional requirements for supporting Universal Password in each case:

Novell Client

If you are using the Novell Client, upgrade it to version 4.9 SP2 or later.

Keep in mind that using the Novell Client is not required, because users can log in through the iManager self-service console or other company portals depending on your environment. Also, the Novell Client is no longer required for Password Synchronization on Active Directory or NT.

The following table describes the differences between Novell Client versions in regard to Universal Password and gives suggestions for handling legacy Clients.

Novell Client version

Login

Change Password

Earlier than 4.9

Does not go through NMAS, so it doesnot support Universal Password.

Instead, it logs in directly using the NDS Password.

Changes the NDS Password directly, insteadof going through NMAS.

If you are using Universal Password, this can create a problemcalled “password drift,“ meaning that the NDS Passwordand the Universal Password are not kept synchronized. To preventthis, you have three options:

  • Upgrade all the clients to version4.9 or later.
  • Block legacy clients from changing passwords, using anattribute value on a container. With this solution, legacy clientscan still log in, but they cannot change the password. Passwordchanges must be done using a later Client or iManager. See Preventing Legacy Novell Clients fromChanging Passwords.
  • Use the Password Policy setting. Remove the NDS Passwordwhen Setting Universal Password. This is a rather drastic measure,because it prevents both login and password change using NDS Password.

4.9

Supports Universal Password.

Enforces password policy rules for UniversalPassword.

If a user tries to create a password that is not compliant, thepassword change is rejected. However, the list of rules is not displayedto the user.

4.9 SP2

Supports Universal Password.

Enforces password policy rules for UniversalPassword.

In addition, it displays the rules to the users to help them createcompliant passwords.

iManager 2.02 and Virtual Office

iManager 2.02 and Virtual Office provide Password Self-Service, so users can reset passwords and set up Forgotten Password Self-Service if the password policy provides it. The iManager self-service console is accessible to users on your iManager 2.02 server using a URL such as https://www.servername.com/nps (for example, https://www.myiManager.com/nps).

  • Make sure users have a browser that supports iManager 2.0.2 or later.
  • We recommend that in your password policies you select Synchronize NDS Password When Setting Universal Password. It is the default setting.
  • Make sure you have the NMAS Simple Password login method installed. You can install it when you install eDirectory or you can manually install it afterward.

Other Protocols

As noted earlier, make sure that eDirectory, LDAP server, NMAS, and iManager are upgraded to support Universal Password.

For information about using AFP, CIFS, and other protocols with Universal Password, see Section 2.0, Deploying Universal Password.

Connected Systems

If you are using Identity Manager Password Synchronization, make sure the following requirements are met so that user password changes are successful.

  • The DirXML® driver for the system has been upgraded to Identity Manager format.
  • The DirXML driver configuration includes the new Password Synchronization Policies.
  • The Password Synchronization settings specify that Universal Password should be used, and Distribution Password as well if bidirectional Password Synchronization is desired.
  • Password filters have been deployed on the connected system to capture passwords, if necessary.

For more information, see the Novell Nsure Identity Manager Administration Guide.

Preventing Legacy Novell Clients from Changing Passwords

For versions of the Novell Client earlier than to 4.9, login and password changes go straight to the NDS Password instead of through NMAS, so Universal Password is not supported.

If you are using Universal Password, using legacy Clients to change passwords can create a problem called password drift, meaning that the NDS Password and the Universal Password are not kept synchronized.

To prevent this issue, one option is to block password changes from Clients earlier than version 4.9. This is done using an eDirectory attribute on a partition root container, class, or object. The attributes are part of the schema in eDirectory 8.7.3 or later and are not supported on eDirectory 8.7.0 or earlier.

The method used by legacy Clients to change the NDS Password is called NDAP password management. The following list explains how you can use an attribute to disable NDAP password management at the partition level. You can still enable it per class or per object if necessary, using other attributes.

  • ndapPartitionPasswordMgmt:For partition-level containers. If the attribute is not present or the value is not set at the partition level, then NDAP password management is enabled.

    To disable NDAP password management, add this attribute to the partition and set it to 0. To enable it again, set the attribute to 1.

    You can use the other attributes listed below to let classes or objects use NDAP password management even if it is disabled at the partition level. However, if NDAP password management is enabled at the partition level, then NDAP password management is enabled for all objects in that partition regardless of the class and entry level policies.

  • ndapClassPasswordMgmt: For a class. If you add this attribute to a class definition, the class can use NDAP password management even if the partition-level policy specifies that it is disabled. The presence of this attribute is what enables is NDAP password management; the value is not important.

  • ndapPasswordMgmt: For a specific object. If you add this attribute to a specific object and set the value to 1, the object can use NDAP password management even if the partition or class specifies that it is disabled.

    A setting of 0 disables NDAP password management, but only if it is also disabled at the partition level.

IMPORTANT:  Remember that eDirectory 8.7.0 and earlier does not support this feature. If a tree exists with an eDir 8.7.3 or later server and an eDir 8.7.0 or earlier server, and the two servers share a partition, disabling NDAP password management on that partition will have unreliable results. The 8.7.3 server enforces the setting, preventing legacy Clients from changing the NDS Password; however, the 8.7.0 server does not enforce the setting. So if a user tries to change the NDS Password via the 8.7.0 server, the change succeeds.