3.2 Planning for Password Policies

3.2.1 Planning How to Assign Password Policies in the Tree

We recommend that you assign a default policy to the whole tree and assign any other policies you use as high up in the tree as possible, to simplify administration.

NMAS determines which password policy is in effect for a user. See Section 3.5, Assigning Password Policies to Users for more information.

3.2.2 Planning the Rules for Your Password Policies

You can use the Advanced Password Rules in a password policy to enforce your business policies for passwords.

Keep in mind that the Novell Client (4.9 SP2), Identity Manager User Application, and the iManager self-service console (iManager 2.0.2) display the password rules from the password policy. If your users will be changing their passwords through the LDAP server or on a connected system, you need to make the password rules readily available to users to help them be successful in creating a compliant password.

If you are using Identity Manager Password Synchronization, keep in mind that you must make sure that the users who are assigned password policies match with the users you want to participate in Password Synchronization for connected systems. Password policies are assigned with a tree-centric perspective. By contrast, Password Synchronization is set up per driver, on a per-server basis. To get the results you expect from Password Synchronization, make sure the users that are in a read/write or master replica on the server running the drivers for Password Synchronization match with the containers where you have assigned password policies with Universal Password enabled. Assigning a password policy to a partition root container ensures that all users in that container and subcontainers are assigned the password policy.

Advanced Password Rules

Advanced Password Rules let you define the following criteria for the Universal Password:

  • The lifetime of a password: Password policies provide the same policy features eDirectory has offered in the past, so you can specify how often a password must be changed, and whether it can be reused.

  • What a password contains: You can require a combination of letters, numbers, uppercase or lowercase letters, and special characters. You can exclude passwords that you don’t feel are secure, such as your company name.

To use Advanced Password Rules in a password policy, you must enable Universal Password. If you don't enable Universal Password for a policy, the password restrictions set for the NDS® password are enforced instead.

NOTE:When you create a password policy and enable Universal Password, the Advanced Password Rules are enforced instead of any existing password settings for NDS Password. The legacy password settings are ignored. No merging or copying of previous settings is done automatically when you create password policies.

For example, if you have a setting for the number of grace logins that you use with the NDS Password, when you enable Universal Password you need to re-create the grace logins setting in the Advanced Password Rules in the password policy.

If you later disable Universal Password in the password policy, the existing password settings that you had are no longer ignored. They would be enforced for the NDS password.

NMAS 3.1 and later replaces the NDS password setting on the user object with corresponding password policy settings. For example, if the number of grace logins for the user object is 4, and it is 5 for the password policy, when the user logs in or changes the password, the number of grace logins for the user object changes to 5.

Enforcing Policies

When you assign a password policy to users in the tree, any password changes going forward must comply with the Advanced Password Rules in that policy. In the portal (iManager 2.02, Virtual Office, Identity Manager User Application, and eXtend™ Director), the password rules are displayed in the page where the user changes the password. In Novell Client™ 4.9 SP2 or later, the rules are also displayed. In both methods of access, a noncompliant password is rejected. NMAS is the application that enforces these rules.

You can specify in the policy that existing passwords are checked for compliance and users are required to change existing noncompliant passwords. A password is marked as expired when the check for compliance option is enabled and the password does not satisfy the password policy rules.

You can also specify that when users authenticate through a portal, they are prompted to set up any Forgotten Password features you have enabled. This is called post-authentication services. For example, if you want users to create a Password Hint that can be e-mailed to them when they forget a password, you can use post-authentication services to prompt users to create a Password Hint at login time.

The post-authentication setting is the last option on the Forgotten Password property page.

3.2.3 Planning Login and Change Password Methods for your Users

There are several different ways a user can log in or change a password. For all of them, you need to upgrade your environment to eDirectory 8.7.3 or later with the associated LDAP server, NMAS 2.3 or later, and iManager 2.0.2 or later. For more information about upgrading to support Universal Password, see Section 2.0, Deploying Universal Password.

This section explains the additional requirements for supporting Universal Password in each case:

Novell Client

If you are using the Novell Client, upgrade it to version 4.9 SP2 or later.

Keep in mind that using the Novell Client is not required, because users can log in through the iManager self-service console or other company portals depending on your environment. Also, the Novell Client is no longer required for Password Synchronization on Active Directory or NT.

The following table describes the differences between Novell Client versions in regard to Universal Password and gives suggestions for handling legacy Novell Clients.

Table 3-1 Universal Password with legacy Novell Clients

Novell Client Version


Change Password

Earlier than 4.9

Does not go through NMAS, so it does not support Universal Password. Instead, it logs in directly using the NDS password.

Changes the NDS Password directly, instead of going through NMAS.

If you are using Universal Password, this can mean that the NDS password and the Universal Password are not kept synchronized. To prevent this, you have three options:

  • Upgrade all the clients to version 4.9 or later.

  • Block legacy clients from changing passwords by using an attribute value on a container. With this solution, legacy clients can still log in, but they cannot change the password. Password changes must be done using a later Novell Client or iManager. See Preventing Legacy Novell Clients from Changing Passwords.

  • Use the password policy setting for Remove the NDS Password when Setting Universal Password. This is a drastic measure, because it prevents both login and password change through the NDS password.


Supports Universal Password.

Enforces password policy rules for Universal Password.

If a user tries to create a password that is not compliant, the password change is rejected. However, the list of rules is not displayed to the user.

4.9 SP2 or later

Supports Universal Password.

Enforces password policy rules for Universal Password.

In addition, it displays the rules to the users to help them create compliant passwords.

iManager 2.02 and Virtual Office

iManager 2.02 and Virtual Office provide Password Self-Service, so users can reset passwords and set up Forgotten Password Self-Service if the password policy provides it. The iManager self-service console is accessible to users on your iManager 2.02 server by using a URL such as https://www.servername.com/nps (for example, https://www.myiManager.com/nps).

  • Make sure users have a browser that supports iManager 2.0.2 or later.

  • We recommend that in your password policies you accept the default setting of Synchronize NDS Password When Setting Universal Password.

  • Make sure you have the NMAS Simple Password login method installed. You can install it when you install eDirectory or you can manually install it afterward.

Other Protocols

Make sure that eDirectory, LDAP server, NMAS, and iManager are upgraded to support Universal Password.

For information about using AFP, CIFS, and other protocols with Universal Password, see Section 2.0, Deploying Universal Password.

Connected Systems

If you are using Identity Manager Password Synchronization, make sure the following requirements are met so that user password changes are successful:

  • Any DirXML® drivers for the system have been upgraded to Identity Manager format.

  • The Identity Manager driver configuration includes the new Password Synchronization policies.

  • The Password Synchronization settings should specify that Universal Password is to be used, as well as the Distribution Password if bidirectional Password Synchronization is desired.

  • Password filters have been deployed on the connected system to capture passwords, if necessary.

For more information, see “Password Synchronization across Connected Systems” in the Novell Identity Manager 3.5.1 Administration Guide.

Preventing Legacy Novell Clients from Changing Passwords

For versions of the Novell Client earlier than 4.9, login and password changes go directly to the NDS Password instead of through NMAS, so Universal Password is not supported.

If you are using Universal Password, using a legacy Novell Client to change passwords can create a problem called password drift, meaning that the NDS password and the Universal Password are not kept synchronized.

To prevent this issue, one option is to block password changes from Novell Clients earlier than version 4.9. This is done by using an eDirectory attribute on a partition root container, class, or object. The attributes are part of the schema in eDirectory 8.7.3 or later and are not supported on eDirectory 8.7.0 or earlier.

The method used by legacy Novell Clients to change the NDS password is called NDAP password management. The following list explains how you can use an attribute to disable NDAP password management at the partition level. You can still enable it per class or per object if necessary by using other attributes.

  • ndapPartitionPasswordMgmt: For partition-level containers. If the attribute is not present or the value is not set at the partition level, then NDAP password management is enabled.

    To disable NDAP password management, add this attribute to the partition and set it to 0. To enable it again, set the attribute to 1.

    You can use the other attributes listed below to let classes or objects use NDAP password management even if it is disabled at the partition level. However, if NDAP password management is enabled at the partition level, then NDAP password management is enabled for all objects in that partition regardless of the class and entry level policies.

  • ndapClassPasswordMgmt: For a class. If you add this attribute to a class definition, the class can use NDAP password management even if the partition-level policy specifies that it is disabled. The presence of this attribute is what enables is NDAP password management; the value is not important.

  • ndapPasswordMgmt: For a specific object. If you add this attribute to a specific object and set the value to 1, the object can use NDAP password management even if the partition or class specifies that it is disabled.

    A setting of 0 disables NDAP password management, but only if it is also disabled at the partition level.

IMPORTANT:Remember that eDirectory 8.7.0 and earlier does not support this feature. If a tree exists with an eDirectory 8.7.3 or later server and an eDirectory 8.7.0 or earlier server, and the two servers share a partition, disabling NDAP password management on that partition has unreliable results. The 8.7.3 server enforces the setting, preventing legacy Novell Clients from changing the NDS password; however, the 8.7.0 server does not enforce the setting. If a user tries to change the NDS Password via the 8.7.0 server, the change succeeds.