3.3 Prerequisite Tasks for Using Password Policies

If you want to take advantage of all the features of password policies, you need to complete some steps to prepare your environment.

  1. Upgrade your environment to support Universal Password.

    For more information, see Section 2.0, Deploying Universal Password.

  2. Upgrade your client environment to support Universal Password.

    See Section 3.2.3, Planning Login and Change Password Methods for your Users and Section 2.0, Deploying Universal Password.

  3. If you have not run the iManager Configuration Wizard previously when you set up iManager (either as part of the iManager install or post-installation), you must run it.

    IMPORTANT:  After you run the iManager Configuration Wizard, iManager runs in RBS mode. This means that administrators do not see any tasks unless they have assigned themselves to specific roles. Make sure you assign administrators to roles to give them access to all the iManager tasks.

  4. Install the Password Management plug-ins.

    These are available for download at the Novell Free Download Site.

  5. Make sure that SSL is configured between the iManager Web server and eDirectory, even if they are running on the same machine.

    This is a requirement for NMAS 2.3 or later, and for Step 6.

  6. Make sure the LDAP Group-Server object in eDirectory is configured to require TLS for simple bind.

    This is the default setting when you configure iManager. Requiring TLS for simple bind is strongly recommended for Password Self-Service functionality, and is required for using the iManager task Passwords > Set Universal Password.

    If you are requiring TLS for simple bind, no additional configuration is needed for the LDAP SSL port.

    IMPORTANT:  If you choose not to require TLS for simple bind, users are allowed to log in to the iManager self-service console using a clear-text password.

    You can use this option, but another step is required.

    By default, the Password Self-Service functionality assumes that the LDAP SSL port is the one specified in the System.DirectoryAddress setting in the PortalServlet.properties file. If your LDAP SSL port is different, you must indicate the correct port by adding the following key pair to the PortalServlet.properties file:

    LDAPSSLPort=your_port_number

    For example, if you are running Tomcat, you would add this key pair in the PortalServlet.properties file in the tomcat\webapps\nps\WEB_INF directory.

  7. To enable e-mail notification for Forgotten Password features, complete the steps in Section 4.6, Configuring E-Mail Notification for Password Self-Service.

    You must set up the SMTP server and customize the e-mail templates.

  8. (NetWare 6.5 users only) If you have previously set up Universal Password for use with NetWare 6.5, complete the steps in Section 3.3.1, (NetWare 6.5 only) Re-Creating Universal Password Assignments.

You are now ready to use all the features of password policies. Create policies as described in Section 3.4, Creating Password Policies.

3.3.1 (NetWare 6.5 only) Re-Creating Universal Password Assignments

If you have previously set up Universal Password for use with NetWare 6.5, you must remove the old password policies and use the new plug-ins and password policies.

  • The NMAS plug-ins that were used in NetWare 6.5 for Universal Password are no longer available. Instead, you use Passwords > Password Policies, which offers more features.
  • The first time you use the Password Policies in the new plug-ins, you see three policy objects in the list that cannot be edited:
    • Universal Password On
    • Universal Password Off
    • Universal Password On - S

    These objects were used for the NetWare 6.5 implementation of Universal Password. To take advantage of the additional benefits of password policies provided by Identity Manager, you need to remove them.

    The following figure shows an example:

    [Figure: Example of password policies from NetWare 6.5 use of Universal Password]

To remove the old policy objects and re-create your policies using password policies:

  1. Decide where you want Universal Password enabled in your tree.

    • If you want it turned on for the same containers as when you set up Universal Password the first time with the NetWare 6.5 plug-ins, continue with Step 2.
    • If you want it turned on everywhere in your tree, simply create a new password policy with Universal Password enabled and assign it to the Login Policy object. Then continue with Step 4 to remove the old policies.
  2. Find out where in the tree you had previously enabled Universal Password when you set it up using the plug-ins that shipped with NetWare 6.5.

    This step is necessary because the new plug-ins do not display where the assignments were made using the old plug-ins. Instead, you find them by searching the tree.

    1. Search the tree for objects that have the nspmPasswordPolicyDN attribute populated with one of the following values:

      • Universal Password On
      • Universal Password On - S
    2. Make a note of all the containers that are the results of the search. These are the containers where Universal Password is turned on.

  3. If you want Universal Password assigned in the same containers where you had assigned it previously, create one or more new password policies with Universal Password enabled and assign them to the same containers.

    Refer to the list of containers from Step 2 to make sure your assignments match.

  4. Go to Passwords > Password Policies and remove the policy objects that remain from the first NetWare 6.5 implementation:

    • Universal Password Off
    • Universal Password On
    • Universal Password On - S

After removing the old policy objects, you can use new password policies to meet your password needs.
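
The search in Step 2 can be post-processed offline. The following is an added example, not part of the original documentation: it reads an LDIF export of objects that have nspmPasswordPolicyDN populated and lists the containers that point at one of the two legacy "on" policies, handling folded lines and base64-encoded values. The sample DNs, the policy container path and the function names are assumptions made for illustration.

```python
import base64

# Legacy NetWare 6.5 policy names that mean Universal Password is on (Step 2 list).
LEGACY_ON = {"universal password on", "universal password on - s"}

# Constructed sample: LDIF as returned by a search for (nspmPasswordPolicyDN=*).
# Every DN below is made up; the policy container path is an assumption.
_B64 = base64.b64encode(b"cn=Universal Password On,cn=Password Policies,cn=Security").decode()
SAMPLE_LDIF = (
    "dn: ou=Sales,o=Example\n"
    "nspmPasswordPolicyDN: cn=Universal Password On - S,cn=Password Polic\n"
    " ies,cn=Security\n\n"
    "dn: ou=Finance,o=Example\n"
    f"nspmPasswordPolicyDN:: {_B64}\n\n"
    "dn: ou=Legal,o=Example\n"
    "nspmPasswordPolicyDN: cn=Universal Password Off,cn=Password Policies,cn=Security\n"
)

def unfold(ldif):
    """Join LDIF continuation lines (a leading single space continues the previous line)."""
    lines = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def parse_line(line):
    """Return (attribute, value); 'attr:: ...' marks a base64-encoded value."""
    attr, _, rest = line.partition(":")
    if rest.startswith(":"):
        return attr.lower(), base64.b64decode(rest[1:].strip()).decode("utf-8")
    return attr.lower(), rest.strip()

def containers_with_legacy_up(ldif):
    """List (container DN, legacy policy name) pairs where Universal Password is on."""
    hits, current_dn = [], None
    for line in unfold(ldif):
        if not line or line.startswith("#"):
            continue
        attr, value = parse_line(line)
        # Leftmost RDN value of the policy DN (assumes no escaped commas in it).
        policy = value.split(",", 1)[0].partition("=")[2].strip()
        if attr == "dn":
            current_dn = value
        elif attr == "nspmpasswordpolicydn" and policy.lower() in LEGACY_ON:
            hits.append((current_dn, policy))
    return hits
```

Calling containers_with_legacy_up() on the export gives the container list that Step 3 asks you to match; objects assigned "Universal Password Off" or any other policy are not reported.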