3.4 Creating Password Policies

  1. Make sure you have completed the steps in Section 3.3, Prerequisite Tasks for Using Password Policies.

    These steps prepare you to use all the features of password policies.

  2. In iManager, click Passwords > Password Policies.

  3. Click New to create a new password policy.

  4. Follow the steps in the wizard to create Advanced Password Rules, Universal Password Configuration Options, and Forgotten Password selections for the policy.

    See the online help for information about each step, as well as the information in Section 3.0, Managing Passwords by Using Password Policies and in Section 4.0, Password Self-Service.

3.4.1 Advanced Password Rules

The following figure shows an example of the advanced password rules:

[Figure: Advanced Password Rules interface]
  • Change Password
    • Allow the user to initiate password change

      This allows the user to use the password self-service features (see Section 4.0, Password Self-Service).

    • Require unique passwords

      You can specify how unique passwords are enforced by using one or both of the following two values.

    • Limit the number of passwords to store in the history list (1-255)

      If you require unique passwords, you can indicate how many passwords are stored in the history list for comparison. For example, if you specify 3, then the user's previous three passwords are stored. If a user tries to change his or her password and reuse one that is in the history list, the password policy rejects the password and the user is prompted to specify a different one.

    • Limit the number of days to store a password in the history list (0-365)

      If you require unique passwords, you can specify how many days a previous password remains stored in the history list for comparison.

      For example, if you specify 30 and the user's previous password was “mountains99”, that password remains in the history list for 30 days. During that time, if the user tries to change his or her password and reuse “mountains99”, the password policy rejects that password and the user is prompted to specify a different one. After the 30-day period, the old password is no longer stored for comparison, and the password policy allows it to be reused.

  • Password Lifetime
    • Number of days before the password can be changed (0-365)

      For example, if this value is set to 30, a user must keep the same password for 30 days before he or she can change it. The password policy does not allow the Universal Password to be changed by the user before that time has elapsed.

    • Number of days before the password expires (0-365)

      For example, if this value is set to 90, a user's password expires 90 days after it has been set. If grace logins are not enabled, the user cannot log in after a password has expired, and administrator assistance is needed to reset the password. However, if you enable grace logins, described in the next item, the user can log in with the expired password the specified number of times.

      NOTE:  A security enhancement was added to NMAS 2.3.4 regarding Universal Passwords changed by an administrator. It works in much the same way as the feature previously provided for NDS® Password. If an administrator changes a user's password, such as when creating a new user or in response to a help desk call, for security the password is automatically expired if you have enabled the setting to expire passwords in the password policy. For this particular feature, the number of days is not important, but this setting must be enabled.

    • Number of grace logins allowed after the password has expired (0-254)

      When the password expires, this value indicates how many times a user is allowed to log in to eDirectory using the expired password. If grace logins are not enabled, the user cannot log in after a password has expired, and he or she requires administrator assistance to reset the password. If the value is 1 or more, the user has a chance to log in additional times before being forced to change the password. However, if the user does not change the password before all the grace logins are used, he or she is locked out and is unable to log in to eDirectory.

  • Password Length
    • Minimum number of characters in the password (1-512)
    • Maximum number of characters in the password (1-512)
  • Repeating characters
    • Minimum number of unique characters (1-512)
    • Maximum number of times a specific character can be used (1-512)
    • Maximum number of times a specific character can be repeated sequentially (1-512)
  • Case sensitivity

    In eDirectory 8.7.1 and 8.7.3, you needed to use the Novell Client for case sensitivity to work. In eDirectory 8.8 or later, you can make your passwords case sensitive for all the clients that are upgraded to eDirectory 8.8. See the eDirectory 8.8 Administration Guide for more information.

    • Allow the password to be case sensitive
    • Minimum number of uppercase characters required in the password (1-512)
    • Maximum number of uppercase characters allowed in the password (1-512)
    • Minimum number of lowercase characters required in the password (1-512)
    • Maximum number of lowercase characters allowed in the password (1-512)
  • Numeric characters
    • Allow numeric characters in the password
    • Disallow a numeric character as the first character
    • Disallow a numeric character as the last character
    • Minimum number of numerals in the password (1-512)
    • Maximum number of numerals in the password (1-512)
  • Special characters

    Special characters are the characters that are not numbers (0-9) and are not alphabetic characters. (The alphabetic characters are a-z, A-Z, and alphabetic characters in the Latin-1 code page 850.)

    • Allow special characters in the password
    • Disallow a special character as the first character
    • Disallow a special character as the last character
    • Minimum number of special characters (1-512)
    • Maximum number of special characters (1-512)
  • Password exclusions

    The passwords that you exclude are case insensitive, so if you specify the word “test” as a word that cannot be used as a password, then “Test” and “TEST” are also excluded.

    At this time, the list of excluded passwords must be typed manually, one at a time. Also, you can exclude only specific words, not a pattern or an eDirectory attribute.

    HINT:  Keep in mind that password exclusions can be useful for a few words that you think would be security risks. Although an exclusion list feature is provided, it is not intended to be used for a long list of words such as a dictionary. Long lists of excluded words can affect server performance. Instead of a long exclusion list to protect against "dictionary attacks" on passwords, we recommend that you use the Advanced Password Rules to require numbers to be included in the password.
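    The following is an added example, not part of this documentation or of NMAS itself: a checker modelled on the Advanced Password Rules listed above, showing how the history, character-class, first/last-character and case-insensitive exclusion rules combine to accept or reject a candidate. The policy dictionary keys and the sample policy values are assumptions made for illustration; in eDirectory these rules are enforced by the server.

```python
# Added example, not part of the NMAS documentation: a checker modelled on the
# Advanced Password Rules. The policy keys below are assumptions made for
# illustration; in eDirectory the rules are enforced by the server itself.
SAMPLE_POLICY = {                # constructed sample policy
    "require_unique": True,      # reject passwords still in the history list
    "min_length": 8, "max_length": 64,
    "min_unique": 5,             # minimum number of unique characters
    "max_per_char": 3,           # max times a specific character can be used
    "max_sequential": 2,         # max times a character can repeat in a row
    "min_upper": 1, "min_lower": 1, "min_numerals": 1, "min_special": 1,
    "no_leading_digit": True, "no_trailing_special": True,
    "exclusions": ["test", "password"],   # compared case-insensitively
}

def check_password(pw, policy, history=()):
    """Return the list of rules the candidate violates (empty = accepted)."""
    errors = []
    if policy["require_unique"] and pw in history:
        errors.append("reuse of a password in the history list")
    if not policy["min_length"] <= len(pw) <= policy["max_length"]:
        errors.append("length outside the allowed range")
    if len(set(pw)) < policy["min_unique"]:
        errors.append("too few unique characters")
    if any(pw.count(c) > policy["max_per_char"] for c in set(pw)):
        errors.append("a character is used too many times")
    run = 1
    for prev, cur in zip(pw, pw[1:]):
        run = run + 1 if cur == prev else 1
        if run > policy["max_sequential"]:
            errors.append("a character repeats too many times in a row")
            break
    if sum(c.isupper() for c in pw) < policy["min_upper"]:
        errors.append("too few uppercase characters")
    if sum(c.islower() for c in pw) < policy["min_lower"]:
        errors.append("too few lowercase characters")
    if sum(c.isdigit() for c in pw) < policy["min_numerals"]:
        errors.append("too few numerals")
    if policy["no_leading_digit"] and pw[:1].isdigit():
        errors.append("first character is a numeral")
    # Special characters: neither a numeral nor an alphabetic character.
    if sum(not c.isalnum() for c in pw) < policy["min_special"]:
        errors.append("too few special characters")
    if policy["no_trailing_special"] and pw[-1:] and not pw[-1].isalnum():
        errors.append("last character is a special character")
    # Exclusions are case insensitive: excluding "test" also blocks "TEST".
    if pw.lower() in {w.lower() for w in policy["exclusions"]}:
        errors.append("password is on the exclusion list")
    return errors
```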

3.4.2 Universal Password Configuration Options

The following figure shows an example of the Universal Password Configuration Options:

[Figure: Universal Password Configuration Options]
  • Enable Universal Password

    Enables Universal Password for this policy. You must enable Universal Password if you want to use the other Password Policy features.

  • Enable the Advanced Password Rules

    Enables the Advanced Password Rules found on the Advanced Password Rules page for this policy. These advanced password rules help secure your environment by giving you control over password lifetime and what the password can contain.

  • Universal Password Synchronization
    • Remove the NDS password when setting Universal Password

      If this option is selected, the NDS password is disabled when the Universal Password is set.

    • Synchronize NDS password when setting Universal Password

      If this option is selected, setting the Universal Password in applications such as the Novell Client also changes the NDS password.

    • Synchronize Simple Password when setting Universal Password

      Provided solely for backward compatibility with NetWare 6.0 servers that contain AFP/CIFS users. If you have NetWare 6.0 servers in the tree that contain AFP/CIFS users, you should select this option.

      NOTE:  The setting of this option does not affect your ability to import user passwords using ICE.

    • Synchronize Distribution Password when setting Universal Password

      Determines whether the DirXML® engine can retrieve or set a user’s Universal Password in eDirectory.

  • Universal Password Retrieval
    • Allow user agent to retrieve password

      Determines whether the Forgotten Password Self-Service feature can retrieve a password on behalf of a user, so that the password can be e-mailed to the user. If this option is not selected, the corresponding feature is grayed out on the Forgotten Password page in the Password Policy.

    • Allow admin to retrieve passwords

      Lets you retrieve users' passwords using a third-party product or service that uses this functionality.

  • Authentication
    • Verify whether existing passwords comply with the password policy (verification occurs on login)

      If this option is selected, when users log in through iManager or the iManager self-service console, their existing passwords are checked to make sure they comply with the Advanced Password Rules in the users’ Password Policy. If an existing password does not comply, users are required to change it.