Follow the steps below to deploy Universal Password:
The following table outlines some Novell services and the password limitations they have. These limitations are addressed by Universal Password:

| Service | Description | Limitations |
|---|---|---|
| Novell Client for Windows NT/2000/XP versions earlier than 4.9 and Novell Client for Windows 95/98 versions earlier than 3.4 | The Novell Client software for file and print services. Uses the NDS® password, which is based on the RSA public/private key system. | |
| Windows Native Networking (CIFS) in NetWare 6 and NetWare 5.1 (NFAP add-on pack for NetWare 5.1) | Novell's CIFS server as part of the Native File Access Protocols. It allows Windows clients to access Novell services using the built-in Windows Client Networking Services. | |
| Macintosh Native Networking (AFP) in NetWare 6 and NetWare 5.1 (NFAP add-on pack for NetWare 5.1) | Novell's AFP server as part of the Native File Access Protocols. It allows Macintosh clients to access Novell services using the built-in Macintosh Client Networking Services. | |
| LDAP | Novell's LDAP services allow a user to bind using username and password across a Secure Sockets Layer (SSL) connection. | |
| LDAP User Import | Uses ICE or other tools to import users from foreign directories into eDirectory. Passwords are also brought in. | |
| Web-Based Services | Novell Web-based services (Apache Web server) authentications. This includes eGuide, Novell Portal Services, and other Web-based applications. | |
| RADIUS Services | Novell RADIUS Authentication Services | |
| NetWare Remote Manager | Novell's Web-based server health and management interface. | |
| DirXML® Password Synchronization for Windows 1.0 and DirXML Starter Pack | Enables synchronization of passwords for NT, Active Directory, and eDirectory accounts. | |
If you answer yes to any of the following questions, you should plan to deploy and use Universal Password:
Do you currently use Native File Access and desire to enforce policies such as password expiration or password length?
Do you use or plan to use Native File Access (Windows or Macintosh)?
Do you plan to have international users access Novell Web-based services or use Novell Client for Windows to access Novell file and print services?
Do you plan to use Novell Nsure® Identity Manager 2 or 3, powered by DirXML, with its enhanced password policy and password synchronization capabilities?
Do you plan to use Nterprise™ Branch Office™ 2.0?
NMAS relies on storage of policies that are global to the eDirectory tree, which is effectively the security domain. The security policies must be available to all servers in the tree.
NMAS places the authentication policies and login method configuration data in the Security container that is created off of the [Root] partition. This information must be readily accessible to all servers that are enabled for NMAS. The purpose of the Security container is to hold global policies that relate to security properties such as login, authentication, and key management.
With NMAS, we recommend that you create the Security container as a separate partition and that the container be widely replicated. This partition should be replicated as a Read/Write partition only on those servers in your tree that are highly trusted.
eDirectory 8.8 provides security container caching. This feature caches the security container data on local servers so NMAS doesn’t have to access the Security container with every attempted log in. See the eDirectory 8.8 Administration Guide for more information.
WARNING: Because the Security container contains global policies, be careful where writable replicas are placed: any server holding a writable replica can modify the overall security policies specified in the eDirectory tree. In order for users to log in with NMAS, replicas of both the User objects and the Security container must be on the NMAS server.
For additional information, see Novell TID 10091343.
Verify that the SDI Domain Key servers meet minimum configuration requirements and have consistent keys for distribution and use by other servers within the tree. These steps are crucial. If you don't follow them as outlined, you could cause serious password issues on your system when you turn on Universal Password.
1. Check the configuration and keys of the SDI Domain Key servers:
a. At a NetWare server console, load sdidiag.nlm. At a Windows server, open a command prompt and run sdidiag.exe.
NOTE: Sdidiag.nlm ships with NetWare 6.5 or later. Sdidiag.exe ships with the Windows version of eDirectory 8.7.3 or later. Both files are available as part of a security patch (sdidiag21.exe) associated with Novell TID 2966746.
b. Log in as an Administrator by entering the server (full context), the tree name, the username, and the password.
c. Check that all your servers are using 168-bit (Triple DES) keys. Follow the instructions in Novell TID 10093969 to ensure this requirement is met.
d. Enter the command CHECK -v >> sys:system\sdinotes.txt.
The results of the CHECK command are displayed on the screen and appended to sys:system\sdinotes.txt.
If no problems are found, go to Step 5: Upgrade at Least One Server in the Replica Ring to NetWare 6.5 or Later or eDirectory 8.7.3 or Later.
If problems are found, follow the instructions written to the sys:system\sdinotes.txt file to resolve any configuration and key issues, then continue with Step 2.
2. Verify that the SDI Domain Key servers are running NICI 2.6.x or later.
We recommend that NetWare 6.5 or later or eDirectory 8.7.3 or later be installed on your SDI Domain Key servers.
To find out whether NICI 2.6.x is installed on these servers, enter the NetWare command M NICISDI.NLM at the server console. The reported version must be 264xx.xx or later.
If the version is earlier, you must do one of the following:
Update the servers' NICI to version 2.6.x, which requires eDirectory 8.7.3 or later. You can download NICI from the Novell Free Download site: select NICI from the Product or Technology drop-down list, then click Search.
Update the SDI Domain Key servers to NetWare 6.5 or later or eDirectory 8.7.3 or later.
Remove the servers as SDI Domain Key Servers and add a NetWare 6.5 or later or eDirectory 8.7.3 or later server.
To remove a server as an SDI Domain Key Server
1. At a NetWare server console, load sdidiag.nlm. At a Windows server, open a command prompt and run sdidiag.exe.
NOTE: Sdidiag.nlm ships with NetWare 6.5 or later. Sdidiag.exe ships with the Windows version of eDirectory 8.7.3 or later. Both files are available as part of a security patch (sdidiag21.exe) associated with Novell TID 2966746.
2. Log in as an administrator who has management rights over the Security container and the W0.KAP.Security object by entering the server (full context), the tree name, the user name, and the password.
3. Enter the command RS -s servername.
For example, if server1 exists in container PRV in the organization Novell within the Novell_Inc tree, you would type .server1.PRV.Novell.Novell_Inc. for the servername.
To add a server as an SDI Domain Key Server
1. From a NetWare server console, load sdidiag.nlm.
From a Windows server, open a command prompt box and run sdidiag.exe.
2. Log in as an Administrator by entering the server (full context), the tree name, the user name, and the password.
3. Enter the command AS -s servername
For example, if server1 exists in container PRV in the organization Novell within the Novell_Inc tree, you would type .server1.PRV.Novell.Novell_Inc. for the servername.
(Optional) After completing one of the options above, you might want to rerun the SDIDIAG check command.
See Step 1.d.
NOTE: For more information on SDIDIAG, see Novell TID 10088626.
Identify the container that holds the User objects of those users who will be using Universal Password.
Find the partition that holds that container and the User objects.
Identify at least one server that holds a writable replica of the partition.
Upgrade that server to NetWare 6.5 or later or eDirectory 8.7.3 or later.
You do not need to upgrade all servers in your tree in order to enable Universal Password; however, we recommend that you upgrade them all as soon as possible. Plan to upgrade the servers that hold writable replicas first, followed by those with read-only replicas or no replicas. This allows Universal Password support for services on all those servers.
IMPORTANT: If you have LDAP and CIFS (Windows Native Networking) and/or AFP (Macintosh Native Networking) servers that you want to use Universal Password, you must upgrade those servers to NetWare 6.5.
Verify that all instances of cryptographic keys are consistent throughout the tree. Sdidiag ensures that each server has the cryptographic keys necessary to securely communicate with the other servers in the tree.
At a NetWare server console, load sdidiag.nlm.
At a Windows server, open a command prompt box and run sdidiag.exe.
Enter the command CHECK -v >> sys:system\sdinotes.txt -n containerDN, where containerDN is the distinguished name of the container identified above.
For example, if user Bob exists in container USR in the organization Acme within the Acme_Inc tree, you would type .USR.Acme.Acme_Inc. for the container DN.
This reports if there are any key consistency problems among the various servers and the Key Domain servers.
The output to the screen displays the results of the CHECK command.
If no problems are reported, you are ready to enable Universal Password. Go to Step 7: Enable Universal Password.
If problems are reported, follow the instructions in the sdinotes.txt file.
In most cases, you are prompted to run the command RESYNC -T. This command can be repeated any time NMAS reports -1418 or -1460 errors during authentication with Universal Password.
For more information on SDIDIAG options and operations, refer to Novell TID 10081773.
To turn on Universal Password, do the following:
Start Novell iManager.
Click Roles and Tasks > Passwords > Password Policies.
Start the Password Policy Wizard by clicking New.
Provide a name for the policy and click Next.
Select Yes to enable Universal Password.
Complete the Password Policy Wizard.
IMPORTANT: If you assign a policy to a container that is the root of a partition, the policy assignment is inherited by all users in that partition, including users in subcontainers. To determine whether a container is a partition root, browse for the container and note whether a partition icon is displayed beside it.
If you assign a policy to a container that is not the root of a partition, the policy assignment is inherited only by users held in that specific container. It is not inherited by users that are held in subcontainers. If you want the policy to apply to all users below a container that is not a partition root, you must assign the policy to each subcontainer individually.
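The inheritance rule in the IMPORTANT note above is easy to get wrong in a large tree, so here is an added example (not from the original guide and not Novell code) that models it in Python: it resolves the effective policy for users in a constructed tree written in the page's typeless dotted notation (.USR.Acme.Acme_Inc.), and lists subcontainers of a non-partition-root container that still need their own assignment. Two points are assumptions of the example rather than statements from the page: an assignment on the user's own container takes precedence over one on the partition root, and a user whose partition root carries no assignment resolves to None (the tree-wide default is not modelled).

```python
"""Effective password policy for a user, following the assignment rule
stated for Universal Password policies: a policy assigned to a partition
root is inherited by every user in that partition (subcontainers included);
a policy assigned to a container that is not a partition root covers only
users held directly in it.

Added illustration, not Novell code. The tree below is constructed.
Assumptions not stated on the page: an assignment on the user's own
container wins over one on the partition root, and a user whose partition
root carries no assignment resolves to None (tree default not modelled).
"""
from dataclasses import dataclass
from typing import Dict, Iterator, List, Optional, Set


def dn_parts(dn: str) -> List[str]:
    """Split eDirectory typeless dotted notation, e.g. '.USR.Acme.Acme_Inc.',
    into name components from the leaf up to the tree name."""
    return [p for p in dn.strip(".").split(".") if p]


def parent_dn(dn: str) -> Optional[str]:
    """Container that holds the object, or None at the top of the tree."""
    parts = dn_parts(dn)
    if len(parts) <= 1:
        return None
    return "." + ".".join(parts[1:]) + "."


def ancestors(dn: str) -> Iterator[str]:
    """Containers above an object, nearest first."""
    parent = parent_dn(dn)
    while parent is not None:
        yield parent
        parent = parent_dn(parent)


@dataclass
class Tree:
    partition_roots: Set[str]   # containers that are partition roots
    policies: Dict[str, str]    # container DN -> assigned policy name

    def effective_policy(self, user_dn: str) -> Optional[str]:
        container = parent_dn(user_dn)
        if container in self.policies:
            # Direct assignment on the user's own container (root or not).
            return self.policies[container]
        for ancestor in ancestors(user_dn):
            if ancestor in self.partition_roots:
                # The nearest partition root bounds the user's partition. A
                # policy assigned there is inherited; a policy on a non-root
                # container further up is not, so stop here either way.
                return self.policies.get(ancestor)
        return None

    def uncovered_subcontainers(self, containers: List[str]) -> List[str]:
        """Subcontainers of a non-partition-root container that carries a
        policy do not inherit it, so each needs its own assignment. Returns
        those still lacking one."""
        return [
            c for c in containers
            if parent_dn(c) in self.policies
            and parent_dn(c) not in self.partition_roots
            and c not in self.policies
        ]


# Constructed sample tree (tree name Acme_Inc). [Root], .USR.Acme.Acme_Inc.
# and .Lab.Eng.Acme.Acme_Inc. are partition roots; .Eng.Acme.Acme_Inc. is an
# ordinary container that carries its own policy.
SAMPLE_TREE = Tree(
    partition_roots={".Acme_Inc.", ".USR.Acme.Acme_Inc.", ".Lab.Eng.Acme.Acme_Inc."},
    policies={
        ".Acme_Inc.": "Corporate",
        ".USR.Acme.Acme_Inc.": "Staff",
        ".Eng.Acme.Acme_Inc.": "Engineering",
    },
)

SAMPLE_CONTAINERS = [
    ".Acme.Acme_Inc.",
    ".USR.Acme.Acme_Inc.",
    ".Contractors.USR.Acme.Acme_Inc.",
    ".Eng.Acme.Acme_Inc.",
    ".Interns.Eng.Acme.Acme_Inc.",
    ".Lab.Eng.Acme.Acme_Inc.",
]

SAMPLE_USERS = [
    ".Alice.USR.Acme.Acme_Inc.",            # held directly in a partition root
    ".Bob.Contractors.USR.Acme.Acme_Inc.",  # subcontainer of that partition
    ".Carol.Eng.Acme.Acme_Inc.",            # held directly in a non-root container
    ".Dave.Interns.Eng.Acme.Acme_Inc.",     # subcontainer of a non-root container
    ".Erin.Lab.Eng.Acme.Acme_Inc.",         # separate partition, no assignment
]


def resolve_all(tree: Tree = SAMPLE_TREE,
                users: List[str] = SAMPLE_USERS) -> Dict[str, Optional[str]]:
    """Effective policy for each user DN."""
    return {u: tree.effective_policy(u) for u in users}


if __name__ == "__main__":
    for user, policy in resolve_all().items():
        print(f"{user:40} -> {policy}")
    print("containers needing their own assignment:",
          SAMPLE_TREE.uncovered_subcontainers(SAMPLE_CONTAINERS))
```

Dave is the case the note warns about: his container .Interns.Eng.Acme.Acme_Inc. sits under a container with a policy, but because .Eng.Acme.Acme_Inc. is not a partition root he falls through to the [Root] partition's policy instead; uncovered_subcontainers flags exactly those containers before users notice.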
You can deploy the Novell Client for Windows version 4.91 before the server-side steps are complete, but the client does not take advantage of these services until you enable Universal Password on the server (see Step 7: Enable Universal Password).
The new Novell Client software automatically starts using the Universal Password. Users see no differences in the client, except where passwords are case-sensitive.
NOTE: Novell Client 4.91 includes NMAS Client 3.0.