3.4 Creating Password Policies

  1. Make sure you have completed the steps in Section 3.3, Prerequisite Tasks for Using Password Policies.

    These steps prepare you to use all the features of password policies.

  2. In iManager, in the Roles and Tasks view, click Passwords > Password Policies.

  3. Click New to create a new password policy.

  4. Follow the steps in the wizard to create Advanced Password Rules, Universal Password Configuration Options, and Forgotten Password selections for the policy.

    See the online help for information about each step, as well as the information in Section 3.0, Managing Passwords by Using Password Policies and in Section 4.0, Password Self-Service.

3.4.1 Advanced Password Rules

Figure 3-2 shows the first section of the advanced password rules:

Figure 3-2 Advanced Password Rules

Change Password

  • Allow user to initiate password change

    This allows the user to use the password self-service features (see Section 4.0, Password Self-Service).

  • Do not expire the user’s password when the administrator sets the password

    By default in eDirectory, when password expiration is set, a password that the administrator sets is expired immediately, which requires the user to go and change his or her password. Selecting this option overrides that default so that an administrator-set password is not expired.

  • Require unique passwords

    When this option is selected, the user is prevented from changing the password to one that is already in the history list. For example, if you specify 3, the user’s previous three passwords are stored. If a user tries to change the password and reuse one that is in the history list, the password policy rejects the password and the user is prompted to specify a different one.

    You can specify how unique passwords are enforced by using one of the following two values:

    • Remove password from history list after a specified number of days (0-365) and a specified history list size (1-255).

      If you require unique passwords, you can specify how many days a previous password remains stored in the history list for comparison.

      For example, if you specify 30 and the user's previous password was “mountains99”, that password remains in the history list for 30 days. During that time, if the user tries to change his or her password and reuse “mountains99,” the password policy rejects that password and the user is prompted to specify a different one. After the 30-day period, the old password is no longer stored for comparison, and the password policy allows it to be reused.

      If you require unique passwords, you can indicate how many passwords are stored in the history list for comparison. For example, if you specify 3, then the user's previous three passwords are stored. If a user tries to change his or her password and reuse one that is in the history list before the number of days specified for removal from the history list, the password policy rejects the password and the user is prompted to specify a different one.

      If Require unique passwords is selected and you select Remove password from history list after a specified number of days (0-365) but don’t specify a number of days, the password is on the history list for 8 times the value set in the Number of days before password expires (0-365) field. If neither field has a value, the password is on the history list for 365 days.

      If you specify a password history list size and a number of days, and the number of passwords in the password history list size has been met, the user cannot change his or her password unless the password has expired. An administrator can change or set a user password even if the password list size has been met.

      After one or more passwords expire in the password history list, the list is no longer full, and a user is again able to change his or her password. This limitation is included to prevent users from changing their passwords so many times that a password is no longer included in the password history list, and they can re-use it.

      If a password history list size is not specified, the password history is never full.

    • Remove password from history list when the list is full and a specified history list size (1-255).

      If you require unique passwords, you can indicate how many passwords are stored in the history list for comparison. This option works on a first-in, first-out basis, where the oldest passwords are removed from the history list first. For example, when a user creates a new password that is not currently in the history list, the oldest password in the history list is removed if the history list is full.

      If this option is selected, you should also select the minimum password lifetime option.

Password Lifetime

  • Number of days before password can be changed (0-365)

    For example, if this value is set to 30, a user must keep the same password for 30 days before he or she can change it. The password policy does not allow the Universal Password to be changed by the user before that time has elapsed.

  • Number of days before password expires (0-365)

    For example, if this value is set to 90, a user's password expires 90 days after it has been set. If grace logins are not enabled, the user cannot log in after a password has expired, and administrator assistance is needed to reset the password. However, if you enable grace logins, the user can log in with the expired password the specified number of times. Also, if you have not selected the Limit Grace Logins option, unlimited grace logins are allowed.

    NOTE: A security enhancement was added to NMAS 2.3.4 regarding Universal Passwords changed by an administrator. It works in much the same way as the feature previously provided for NDS password. If an administrator changes a user's password, such as when creating a new user or in response to a help desk call, the password is automatically expired if you have enabled the setting to expire passwords in the password policy. For this particular feature, the number of days is not important, but this setting must be enabled. Selecting the Do Not Expire User’s Password When the Administrator Sets the Password option overrides this security enhancement.

    • Limit the number of grace logins allowed (0-254)

      When the password expires, this value indicates how many times a user is allowed to log in to eDirectory by using the expired password. If grace logins are not enabled, the user cannot log in after a password has expired, and he or she requires administrator assistance to reset the password. If the value is 1 or more, the user has a chance to log in additional times before being forced to change the password. However, if the user does not change the password before all the grace logins are used, he or she is locked out and is unable to log in to eDirectory. Also, if you have not selected the Limit Grace Logins option, unlimited grace logins are allowed.

Password Exclusions

  • Exclude the following passwords

    This allows you to manually type the passwords you want to exclude. You can exclude only specific words, not a pattern or an eDirectory attribute.

    For NMAS 3.1.3 and later, the strings in the exclude list cannot be contained in the password and the comparison is case-insensitive. For example, if test is in the exclude list, then the following cannot be passwords: Test, TEST, ltest, test1, and latest.

    Keep in mind that password exclusions can be useful for a few words that you think would be security risks. Although an exclusion list feature is provided, it is not intended to be used for a long list of words such as a dictionary. Long lists of excluded words can affect server performance. Instead of a long exclusion list to protect against “dictionary attacks” on passwords, we recommend that you use the Advanced Password Rules to require numbers to be included in the password.

  • Exclude passwords that match attribute values

    This allows you to select User object attributes that you want to exclude from being used as passwords. For example, if you add the Given Name attribute to the list and the Given Name attribute contained the value of Frank, then frank, frank1, 1frank, etc. could not be used as the password.

    Use the plus and minus buttons to add and delete attribute values from the list.

Figure 3-3 Advanced Password Rules Continued

Password Syntax

  • Use Microsoft complexity policy

    This allows you to use the Microsoft Complexity Policy. If you select this option, several options on the Advanced Password Rules page are set to meet the criteria of the Microsoft Complexity Policy. These options include:

    • Minimum password length is 6

    • Maximum password length is 128

    • The password must contain at least one character from three of the four types of character (uppercase, lowercase, numeric, and special)

      • Uppercase characters include all uppercase characters in the Basic Latin and the Latin-1 character sets.

      • Lowercase characters include all lowercase characters in the Basic Latin and the Latin-1 character sets.

      • Numeric characters are 1, 2, 3, 4, 5, 6, 7, 8, 9, 0.

      • Special characters are all other characters.

    • The values of the following user attributes cannot be contained in the password: CN, Given Name, Surname, Full Name, and displayName.

    Use this option if you must synchronize passwords between eDirectory and Microsoft Active Directory.

  • Use Novell syntax

    This allows you to use the Novell syntax for the password policy.
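The exclusion rules (case-insensitive substring match against the exclude list, and attribute-value exclusion) and the Microsoft complexity criteria listed above, as an added example written for this page rather than taken from the product. The character classes follow the text: uppercase and lowercase are the cased letters of Basic Latin and Latin-1 (code points up to 0xFF), numerics are 0-9, and everything else counts as special. The attribute dictionary and sample values are constructed for the example.

```python
"""Exclusion-list, attribute-value and Microsoft-complexity checks.

Added example, not product code. Attribute values arrive as a plain dict
keyed by the attribute names the page lists (constructed input).
"""
from typing import Dict, Iterable, List

# Attributes the Microsoft complexity option forbids inside the password
MS_ATTRIBUTES = ("CN", "Given Name", "Surname", "Full Name", "displayName")


def excluded_by_word_list(password: str, exclude: List[str]) -> List[str]:
    """NMAS 3.1.3+ rule: an excluded string may not appear anywhere in the
    password, compared case-insensitively ('test' also blocks 'latest')."""
    low = password.lower()
    return [w for w in exclude if w.lower() in low]


def excluded_by_attributes(password: str, attrs: Dict[str, str],
                           names: Iterable[str]) -> List[str]:
    """Attribute-value exclusion: a selected attribute's value may not be
    contained in the password (Given Name 'Frank' blocks 'frank1', '1frank')."""
    low = password.lower()
    return [n for n in names if attrs.get(n) and attrs[n].lower() in low]


def char_class(c: str) -> str:
    """Classify one character into the four Microsoft complexity types."""
    if c in "0123456789":
        return "numeric"
    if ord(c) <= 0xFF and c.isupper():   # Basic Latin + Latin-1 uppercase
        return "upper"
    if ord(c) <= 0xFF and c.islower():   # Basic Latin + Latin-1 lowercase
        return "lower"
    return "special"                     # all other characters


def microsoft_complexity(password: str, attrs: Dict[str, str]) -> List[str]:
    """Return the violated Microsoft complexity rules (empty list = compliant)."""
    problems: List[str] = []
    if len(password) < 6:
        problems.append("shorter than 6 characters")
    if len(password) > 128:
        problems.append("longer than 128 characters")
    classes = {char_class(c) for c in password}
    if len(classes) < 3:
        problems.append("needs 3 of 4 character types, has %d" % len(classes))
    for name in excluded_by_attributes(password, attrs, MS_ATTRIBUTES):
        problems.append("contains value of attribute %s" % name)
    return problems
```

Because the exclusion comparison is a substring match rather than a whole-word match, a short excluded string such as "test" rejects every password that happens to contain it, which is one more reason the page advises keeping the list short.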

Password Length

  • Minimum number of characters in password (1-512)

  • Maximum number of characters in password (1-512)

Repeating Characters

  • Minimum number of unique characters (1-512)

  • Maximum number of times a specific character can be used (1-512)

  • Maximum number of times a specific character can be repeated sequentially (1-512)

Case Sensitive

In eDirectory 8.7.1 and 8.7.3, you needed to use the Novell Client for case sensitivity to work. In eDirectory 8.8 or later, you can make your passwords case sensitive for all the clients that are upgraded to eDirectory 8.8. See the eDirectory 8.8 Administration Guide for more information.

With Allow the password to be case sensitive selected, you have four options:

  • Allow the password to be case sensitive

    • Minimum number of uppercase characters required in the password (1-512)

    • Maximum number of uppercase characters allowed in the password (1-512)

    • Minimum number of lowercase characters required in the password (1-512)

    • Maximum number of lowercase characters allowed in the password (1-512)

When Allow the password to be case sensitive is not selected, the passwords are case insensitive and you have two options:

  • Minimum number of alphabetic characters allowed in password (1-512)

  • Maximum number of alphabetic characters allowed in password (1-512)

IMPORTANT: Passwords are stored with case, and are synchronized between systems with case sensitivity, even though the Allow the password to be case sensitive option is not selected. The case of password characters is ignored if the Allow the password to be case sensitive option is not selected.

Figure 3-4 Advanced Password Rules Final

Numeric Characters

  • Allow numeric characters in the password

    • Disallow numeric as first character

    • Disallow numeric as last character

    • Minimum number of numerals in password (1-512)

    • Maximum number of numerals in password (1-512)

Special Characters

Special characters are the characters that are not numbers (0-9) and are not alphabetic characters. (The alphabetic characters are a-z, A-Z, and alphabetic characters in the Latin-1 code page 850.)

  • Allow special characters in the password

    • Disallow a special character as first character

    • Disallow a special character as last character

    • Minimum number of special characters (1-512)

    • Maximum number of special characters (1-512)

  • Allow non-US ASCII characters

    This allows the password to have characters outside of the Basic Latin character set (also known as extended characters).
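An evaluator for the Novell-syntax rules on the Advanced Password Rules page (length, repeating characters, case, numeric and special characters, non-US ASCII), as an added example that is not Novell/NetIQ code. The option labels are the page's; the field names, defaults and sample passwords are constructed here. Character definitions follow the text: alphabetic is a-z, A-Z and the Latin-1 letters, numeric is 0-9, special is everything else, and non-US ASCII is anything outside Basic Latin.

```python
"""Novell-syntax Advanced Password Rules evaluator (added example, not product code).

A None limit means the corresponding option is not set. Defaults mirror a
policy with every rule unset except the length range.
"""
from dataclasses import dataclass
from typing import List, Optional


def is_alpha(c: str) -> bool:
    return ord(c) <= 0xFF and c.isalpha()   # a-z, A-Z and Latin-1 letters

def is_num(c: str) -> bool:
    return c in "0123456789"

def is_special(c: str) -> bool:
    return not is_alpha(c) and not is_num(c)

def longest_run(s: str) -> int:
    """Longest sequential repeat of one character ('aabbb' -> 3)."""
    best = run = 0
    for i, c in enumerate(s):
        run = run + 1 if i and s[i - 1] == c else 1
        best = max(best, run)
    return best


@dataclass
class NovellRules:
    min_length: int = 1
    max_length: int = 512
    min_unique: Optional[int] = None       # minimum number of unique characters
    max_uses: Optional[int] = None         # max times a specific character can be used
    max_sequential: Optional[int] = None   # max sequential repeats of a character
    case_sensitive: bool = False           # "Allow the password to be case sensitive"
    min_upper: Optional[int] = None
    max_upper: Optional[int] = None
    min_lower: Optional[int] = None
    max_lower: Optional[int] = None
    allow_numeric: bool = True
    numeric_first: bool = True             # False = "Disallow numeric as first character"
    numeric_last: bool = True
    min_numeric: Optional[int] = None
    max_numeric: Optional[int] = None
    allow_special: bool = True
    special_first: bool = True
    special_last: bool = True
    min_special: Optional[int] = None
    max_special: Optional[int] = None
    allow_non_ascii: bool = False          # "Allow non-US ASCII characters"


def check(pw: str, r: NovellRules) -> List[str]:
    """Return the rule violations for pw under r (empty list = accepted)."""
    v: List[str] = []

    def bound(label: str, n: int, lo: Optional[int], hi: Optional[int]) -> None:
        if lo is not None and n < lo:
            v.append(f"{label}: {n} is below the minimum of {lo}")
        if hi is not None and n > hi:
            v.append(f"{label}: {n} exceeds the maximum of {hi}")

    if not pw:
        return ["empty password"]
    bound("length", len(pw), r.min_length, r.max_length)
    # A case-insensitive policy ignores case when counting repeated characters
    folded = pw if r.case_sensitive else pw.lower()
    bound("unique characters", len(set(folded)), r.min_unique, None)
    bound("uses of one character", max(folded.count(c) for c in set(folded)), None, r.max_uses)
    bound("sequential repeats", longest_run(folded), None, r.max_sequential)
    if r.case_sensitive:
        bound("uppercase characters", sum(is_alpha(c) and c.isupper() for c in pw), r.min_upper, r.max_upper)
        bound("lowercase characters", sum(is_alpha(c) and c.islower() for c in pw), r.min_lower, r.max_lower)
    nums = sum(is_num(c) for c in pw)
    if nums and not r.allow_numeric:
        v.append("numeric characters are not allowed")
    else:
        bound("numerals", nums, r.min_numeric, r.max_numeric)
        if not r.numeric_first and is_num(pw[0]):
            v.append("numeral not allowed as first character")
        if not r.numeric_last and is_num(pw[-1]):
            v.append("numeral not allowed as last character")
    spec = sum(is_special(c) for c in pw)
    if spec and not r.allow_special:
        v.append("special characters are not allowed")
    else:
        bound("special characters", spec, r.min_special, r.max_special)
        if not r.special_first and is_special(pw[0]):
            v.append("special character not allowed as first character")
        if not r.special_last and is_special(pw[-1]):
            v.append("special character not allowed as last character")
    if not r.allow_non_ascii and any(ord(c) > 0x7F for c in pw):
        v.append("non-US ASCII characters are not allowed")
    return v
```

Running a proposed policy through a checker like this against a handful of representative passwords before enabling it on the policy object is a cheap way to catch rule combinations that are impossible to satisfy, for example a minimum number of numerals together with numerals disallowed.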

3.4.2 Universal Password Configuration Options

The following figure shows an example of the Universal Password configuration options:

Figure 3-5 Configuration Options

  • Enable Universal Password

    Enables Universal Password for this policy. You must enable Universal Password if you want to use the other password policy features.

  • Enable the Advanced Password Rules

    Enables the Advanced Password Rules found on the Advanced Password Rules page for this policy. These advanced password rules help secure your environment by giving you control over password lifetime and what the password can contain.

  • Universal Password Synchronization

    • Remove the NDS password when setting Universal Password

      If this option is selected, the NDS password is disabled when the Universal Password is set. Also, when the NDS password is set, the NDS password hash is set to a random value that is not known except to eDirectory. There might or might not be a password that could be hashed to the random value.

    • Synchronize NDS password when setting Universal Password

      If this option is selected, and the Universal Password is set, the NDS password is set at the same time and with the same password.

    • Synchronize Simple Password when setting Universal Password

      Provided solely for backward compatibility with NetWare 6.0 servers that contain AFP/CIFS users. If you have NetWare 6.0 servers in the tree that contain AFP/CIFS users, you should select this option.

      NOTE: The setting of this option does not affect your ability to import user passwords by using ICE.

      If this option is selected, and the Universal Password is set, the Simple Password is set at the same time and with the same password.

    • Synchronize Distribution Password when setting Universal Password

      Determines whether the Identity Manager Metadirectory engine can retrieve or set a user’s Universal Password in eDirectory.

      If this option is selected, and the Universal Password is set, the Distribution Password is set at the same time and with the same password.

      The Distribution Password can be used with Identity Manager to perform password synchronization to connected systems. This option also allows the Metadirectory engine to retrieve a user’s Universal Password in eDirectory.

  • Universal Password Retrieval

    • Allow user agent to retrieve password

      Determines whether the Forgotten Password Self-Service feature can retrieve a password on behalf of a user, so that the password can be e-mailed to the user. If this option is not selected, the corresponding feature is dimmed on the Forgotten Password page in the Password Policy.

      This option allows users to retrieve their own passwords by using NMAS LDAP extensions.

    • Allow admin to retrieve passwords

      Lets you retrieve users' passwords by using a third-party product or service that uses this functionality.

      This option is not recommended with NMAS 3.2 and later. Instead you should use the Password ACL option to assign password read rights to specific objects (such as the SAMBA or freeRADIUS service objects) that need this ability to perform their functions.

      If Allow admin to retrieve passwords is selected, then users that have either the write privilege to the target object’s ACL attribute or the read and/or write privilege to the target object’s password management attribute can retrieve the target object’s password.

    • Allow the following to retrieve passwords

      Lets you insert an object that has the ability to retrieve passwords.

      NOTE: We recommend that you do not enable the Allow Admin to retrieve password option. Instead, assign the password Read privilege to the objects that need to read the password (for example, the Radius or Samba service objects). Then, set an inherited rights filter to the Password Policy object that only allows a trusted user to manage the Password Policy object.

  • Authentication

    • Verify whether existing passwords comply with the password policy (verification occurs on login)

      If this option is selected and users log in through iManager or the iManager self-service console, their existing passwords are checked to make sure they comply with the Advanced Password Rules in the users’ password policy. If an existing password does not comply, users are required to change it.