Overview of Password Policy Features

A password policy is a collection of administrator-defined rules that specify the criteria for creating and replacing end-user passwords. Nsure™ Identity Manager uses NMAS™ to enforce the Password Policies that you assign to users in Novell® eDirectory™. Using Password Synchronization, you can also enforce Password Policies on connected systems, as explained in Password Synchronization across Connected Systems.

Password Policies also include Forgotten Password Self-Service features, to reduce help desk calls for forgotten passwords. Another self-service feature is Reset Password Self-Service, which lets users change their passwords while viewing the rules the administrator has specified in the Password Policy. Users access these features through the iManager self-service console.

Most features of password management require Universal Password to be enabled. Ideally, you would also integrate the iManager self-service console into your existing company portal, if you have one, to give users easy access to Forgotten Password Self-Service and Reset Password Self-service.

You create Password Policies using a wizard: in iManager, Password Management > Manage Password Policies > New.

The new Password Management features let you do the following:


Enabling Universal Password

Universal Password is the new password capability in eDirectory 8.7.1. You must enable Universal Password for your users if you want to use Advanced Password Rules, Password Synchronization, and many of the Forgotten Password features.

A Password Policy lets you specify whether Universal Password is enabled. You can then assign the Password Policy to users (the whole tree, a container or partition, or specific users). Universal Password does not need to be on for the whole tree: by using different Password Policies, you can tailor your use of Universal Password to your needs. We recommend assigning Password Policies as high in the tree as possible to simplify administration.

Some additional planning is required to prepare your environment for Universal Password, such as upgrading the Novell Client™ if you use it, and upgrading eDirectory.

You can also edit other Universal Password and NMAS settings in a Password Policy, such as whether the NDS Password or the Simple Password is synchronized with the Universal Password.

The following figure shows an example of the property page where you specify Universal Password configuration options for a Password Policy.


Figure: Configuration Options interface


Setting Advanced Password Rules

Advanced Password Rules let you define the following criteria for the Universal Password:

To use Advanced Password Rules in a Password Policy, you must enable Universal Password. If you don't enable Universal Password for a policy, the password restrictions set for NDS® Password are enforced instead.

NOTE: When you create a Password Policy and enable Universal Password, the Advanced Password Rules are enforced instead of any existing password settings for the NDS Password. The legacy settings are ignored; nothing is merged or copied from them automatically when you create Password Policies.

For example, if you have a setting for the number of grace logins that you use with the NDS Password, when you enable Universal Password you need to re-create the grace logins setting in the Advanced Password Rules in the Password Policy.

If you later disable Universal Password in the Password Policy, the existing NDS Password settings are no longer ignored; they are enforced for the NDS Password again.

The following figure shows an example of the property page where you specify Advanced Password Rules for a Password Policy.


Figure: Advanced Password Rules interface


Adding Your Own Password Change Message to Password Policies

See Adding Your Own Password Change Message to Password Policies.


Providing Users with Forgotten Password Self-Service

See Providing Users with Forgotten Password Self-Service.


Providing Users with Reset Password Self-Service

See Providing Users with Reset Password Self-Service.


Assigning Policies to eDirectory Users

You can assign a Password Policy to users in eDirectory by assigning the policy to the whole tree (using the Login Policy object), specific partitions or containers, or specific users.

We recommend that you assign a default policy to the whole tree, and assign any other policies you use as high up in the tree as possible, to simplify administration.

NMAS determines which Password Policy is in effect for a user. See Assigning Password Policies to Users for more information on how to assign password policies to users.

If you are using Password Synchronization, make sure that the users who are assigned Password Policies are the same users you want to participate in Password Synchronization for connected systems. Password Policies are assigned with a tree-centric perspective. By contrast, Password Synchronization is set up per driver, on a per-server basis. To get the results you expect from Password Synchronization, make sure the users that are in a master or read/write replica on the server running the drivers for Password Synchronization match the containers where you have assigned Password Policies with Universal Password enabled. Assigning a Password Policy to a partition root container ensures that all users in that container and its subcontainers are assigned the Password Policy.

The following figure shows an example of the property page where you specify which objects a Password Policy is assigned to.


Figure: Assigning Password Policy to objects interface


Enforcing Policies in eDirectory

When you assign a Password Policy to users in the tree, any password changes going forward must comply with the Advanced Password Rules in that policy. In the browser, the password rules are displayed on the page where the user changes the password. In the Novell Client 4.9 SP2 or later, the rules are also displayed. In both cases, a noncompliant password is rejected. NMAS is the component that enforces these rules.

You can specify that existing passwords are checked for compliance and users are required to change existing noncompliant passwords.
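The following Python script is an added example, not code from the Identity Manager documentation or product. It models the two enforcement points described above: a password change is rejected when it violates the Advanced Password Rules, and, when the policy's option to verify existing passwords is on, a user whose existing password no longer complies is authenticated but required to change it. The rule names used here (minimum length, minimum numeric and uppercase characters, no leading digit, an exclusion list) are representative assumptions for the example, not the NMAS schema or API.

```python
"""Added example: applying a Password Policy's Advanced Password Rules at
password-change time and at login time. The rule set and sample passwords
are constructed for this example (they are not NMAS's schema)."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class AdvancedPasswordRules:
    """Representative rules; field names are assumptions for this example."""
    min_length: int = 8
    max_length: int = 64
    min_numeric: int = 0
    min_uppercase: int = 0
    min_special: int = 0
    allow_numeric_first: bool = True
    excluded_passwords: frozenset = frozenset()
    case_sensitive: bool = True


def evaluate(password: str, rules: AdvancedPasswordRules) -> list[str]:
    """Return every rule the password violates; an empty list means compliant."""
    violations = []
    n = len(password)
    if n < rules.min_length:
        violations.append(f"shorter than {rules.min_length} characters")
    if n > rules.max_length:
        violations.append(f"longer than {rules.max_length} characters")
    if sum(c.isdigit() for c in password) < rules.min_numeric:
        violations.append(f"fewer than {rules.min_numeric} numeric characters")
    if sum(c.isupper() for c in password) < rules.min_uppercase:
        violations.append(f"fewer than {rules.min_uppercase} uppercase characters")
    if sum(not c.isalnum() for c in password) < rules.min_special:
        violations.append(f"fewer than {rules.min_special} special characters")
    if not rules.allow_numeric_first and password[:1].isdigit():
        violations.append("may not begin with a numeric character")
    # The exclusion list is compared case-insensitively if the policy is.
    probe = password if rules.case_sensitive else password.lower()
    excluded = (rules.excluded_passwords if rules.case_sensitive
                else {p.lower() for p in rules.excluded_passwords})
    if probe in excluded:
        violations.append("is on the policy's exclusion list")
    return violations


def change_password(new_password: str, rules: AdvancedPasswordRules) -> tuple[bool, list[str]]:
    """Change-time enforcement: a noncompliant password is rejected, and the
    violations are what the user sees next to the displayed rules."""
    violations = evaluate(new_password, rules)
    return (not violations, violations)


def login(existing_password: str, rules: AdvancedPasswordRules, check_existing: bool) -> str:
    """Login-time enforcement: when the policy checks existing passwords, a
    noncompliant one still authenticates but a change is required."""
    if check_existing and evaluate(existing_password, rules):
        return "authenticated; password change required"
    return "authenticated"


# Constructed sample policy for the example.
EXAMPLE_RULES = AdvancedPasswordRules(
    min_length=8, min_numeric=1, min_uppercase=1,
    allow_numeric_first=False, excluded_passwords=frozenset({"Password1"}),
)

if __name__ == "__main__":
    for candidate in ("Tr0ub4dor", "1shortpw", "Password1"):
        ok, why = change_password(candidate, EXAMPLE_RULES)
        print(candidate, "accepted" if ok else "rejected: " + "; ".join(why))
    print(login("Password1", EXAMPLE_RULES, check_existing=True))
```

Note that `evaluate` is the single place the rules live: the same function that rejects a change is what decides whether an existing password must be replaced, which is the behaviour the "check existing passwords" option gives you.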

You can also specify that when users authenticate through iManager or the iManager self-service console, they are prompted to set up any Forgotten Password features you have enabled. This is called post-authentication services. For example, if you want users to create a Password Hint that can be e-mailed to them when they forget a password, you can use post-authentication services to prompt users to create a Password Hint at login time.

The post-authentication setting is the last option in the Forgotten Password property page, as shown in the following figure.


Figure: Forgotten Password interface


Enforcing Policies on Connected Systems

If you are using Password Synchronization, settings are provided for each driver to let you enforce the Advanced Password Rules in a Password Policy.

You can do the following:

If you are using Advanced Password Rules and are using Identity Manager Password Synchronization, we recommend that you research the password policies for all the connected systems to make sure the Advanced Password Rules in the eDirectory Password Policy are compatible, so that passwords can be synchronized successfully.
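The following Python script is an added example, not code from the Identity Manager documentation or product. It turns the recommendation above into a check: given the length and character-class rules of the eDirectory Password Policy and of each connected system, it reports every way in which a password that complies with the eDirectory policy could still be rejected by a connected system, and computes the tightened eDirectory rules under which every compliant password would be accepted everywhere. The rule fields and the two sample connected systems are constructed for the example; they do not describe any particular driver or product.

```python
"""Added example: checking whether the Advanced Password Rules in an
eDirectory Password Policy are compatible with the password rules of the
connected systems that Password Synchronization feeds. A password only
synchronizes successfully if every target accepts it. The rule fields and
sample systems below are constructed for this example."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class LengthAndClassRules:
    """The subset of password rules that most often differs between systems."""
    min_length: int
    max_length: int
    min_numeric: int = 0
    min_special: int = 0
    # None means any special character is accepted.
    allowed_special: frozenset[str] | None = None


def incompatibilities(edir: LengthAndClassRules, target: LengthAndClassRules) -> list[str]:
    """Ways a password compliant with `edir` could be rejected by `target`."""
    problems = []
    if edir.min_length < target.min_length:
        problems.append(f"eDirectory allows {edir.min_length}-character passwords; "
                        f"target requires at least {target.min_length}")
    if edir.max_length > target.max_length:
        problems.append(f"eDirectory allows up to {edir.max_length} characters; "
                        f"target accepts at most {target.max_length}")
    if edir.min_numeric < target.min_numeric:
        problems.append(f"target requires {target.min_numeric} numeric characters; "
                        f"eDirectory requires only {edir.min_numeric}")
    if edir.min_special < target.min_special:
        problems.append(f"target requires {target.min_special} special characters; "
                        f"eDirectory requires only {edir.min_special}")
    if target.allowed_special is not None and (
            edir.allowed_special is None or not edir.allowed_special <= target.allowed_special):
        problems.append("eDirectory permits special characters the target rejects")
    return problems


def compatibility_report(edir: LengthAndClassRules,
                         targets: dict[str, LengthAndClassRules]) -> dict[str, list[str]]:
    """Per connected system, the list of incompatibilities (empty means compatible)."""
    return {name: incompatibilities(edir, rules) for name, rules in targets.items()}


def strictest_common_rules(edir: LengthAndClassRules,
                           targets: dict[str, LengthAndClassRules]) -> LengthAndClassRules:
    """eDirectory rules tightened so that every compliant password is accepted
    by every target. Raises ValueError when no password could satisfy them all."""
    all_rules = [edir, *targets.values()]
    specials = [r.allowed_special for r in all_rules if r.allowed_special is not None]
    common = LengthAndClassRules(
        min_length=max(r.min_length for r in all_rules),
        max_length=min(r.max_length for r in all_rules),
        min_numeric=max(r.min_numeric for r in all_rules),
        min_special=max(r.min_special for r in all_rules),
        allowed_special=frozenset.intersection(*specials) if specials else None,
    )
    if common.min_length > common.max_length:
        raise ValueError(f"no common length: minimum {common.min_length} exceeds maximum {common.max_length}")
    if common.min_special > 0 and common.allowed_special is not None and not common.allowed_special:
        raise ValueError("special characters are required but none is accepted by every system")
    return common


# Constructed sample data: the eDirectory policy and two connected systems.
EDIR = LengthAndClassRules(min_length=8, max_length=64, min_numeric=1)
CONNECTED = {
    "legacy-mainframe": LengthAndClassRules(min_length=6, max_length=14, min_numeric=1,
                                            allowed_special=frozenset("@#$")),
    "directory-b": LengthAndClassRules(min_length=10, max_length=128, min_numeric=1, min_special=1),
}

if __name__ == "__main__":
    for system, problems in compatibility_report(EDIR, CONNECTED).items():
        print(system, "OK" if not problems else "; ".join(problems))
    print("tightened eDirectory rules:", strictest_common_rules(EDIR, CONNECTED))
```

The direction of the check matters: the eDirectory policy must be at least as strict as the strictest connected system on every rule, because a password that eDirectory accepts but a target rejects leaves the two out of step without the user having done anything wrong. When the tightened rules are infeasible (for example, one system demands more characters than another permits), the script raises instead of returning a policy no password can satisfy.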

Keep in mind that the users who are assigned Password Policies must be the same users you want to participate in Password Synchronization for connected systems.

Password Policies are assigned with a tree-centric perspective. By contrast, Password Synchronization is set up per driver; drivers are installed on a per-server basis and can manage only those users who are in a master or read/write replica on that server. To get the results you expect from Password Synchronization, make sure the users that are in a master or read/write replica on the server running the drivers for Password Synchronization match the containers where you have assigned Password Policies with Universal Password enabled. Assigning a Password Policy to a partition root container ensures that all users in that container and its subcontainers are assigned the Password Policy.
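The following Python script is an added example, not code from the Identity Manager documentation or product. It illustrates the coverage check that this paragraph and the earlier one in Assigning Policies to eDirectory Users ask for: given the Password Policy assignments in a tree (to the tree via the Login Policy object, to containers, or to individual users) and the list of users held in master or read/write replicas on the server running the Password Synchronization drivers, it lists every such user whose effective policy does not enable Universal Password. The DNs, policy names and assignments are constructed for the example. The resolution order used (an assignment on the user object wins over one on its nearest container, which wins over the tree default) is an assumption for the example; the documentation only says that NMAS determines which policy is in effect.

```python
"""Added example: resolving which Password Policy is in effect for a user
and flagging users in a driver server's replicas whose effective policy
does not enable Universal Password. DNs, policies and the most-specific-
assignment-wins rule are constructed assumptions for this example."""
from __future__ import annotations

from dataclasses import dataclass

# Key used for the tree-wide assignment made on the Login Policy object.
TREE_DEFAULT = "<Login Policy>"


@dataclass(frozen=True)
class PasswordPolicy:
    name: str
    universal_password: bool


def ancestors(dn: str) -> list[str]:
    """The object itself, then each containing container, nearest first.
    Assumes simple LDAP-style DNs without escaped commas."""
    parts = [p.strip() for p in dn.split(",")]
    return [",".join(parts[i:]) for i in range(len(parts))]


def effective_policy(dn: str, assignments: dict[str, PasswordPolicy]) -> PasswordPolicy | None:
    """Most specific assignment wins (assumption): user object, then the
    nearest assigned container, then the tree default. None if no policy applies."""
    for candidate in ancestors(dn):
        if candidate in assignments:
            return assignments[candidate]
    return assignments.get(TREE_DEFAULT)


def sync_coverage_gaps(replica_users: list[str],
                       assignments: dict[str, PasswordPolicy]) -> dict[str, str]:
    """Users held in the driver server's master/read-write replicas whose
    effective policy does not enable Universal Password, with the reason."""
    gaps = {}
    for user in replica_users:
        policy = effective_policy(user, assignments)
        if policy is None:
            gaps[user] = "no Password Policy in effect"
        elif not policy.universal_password:
            gaps[user] = f"policy '{policy.name}' has Universal Password disabled"
    return gaps


# Constructed sample tree: a default policy on the Login Policy object, a
# Universal Password policy on the partition root container ou=corp, a legacy
# policy on a subcontainer, and a user-level override for a service account.
ASSIGNMENTS = {
    TREE_DEFAULT: PasswordPolicy("Default", universal_password=False),
    "ou=corp,o=acme": PasswordPolicy("Corp-UP", universal_password=True),
    "ou=contractors,ou=corp,o=acme": PasswordPolicy("Contractor-Legacy", universal_password=False),
    "cn=svc-sync,ou=contractors,ou=corp,o=acme": PasswordPolicy("Service-UP", universal_password=True),
}

# Constructed list of users in master/read-write replicas on the driver server.
REPLICA_USERS = [
    "cn=alice,ou=sales,ou=corp,o=acme",
    "cn=bob,ou=contractors,ou=corp,o=acme",
    "cn=svc-sync,ou=contractors,ou=corp,o=acme",
    "cn=carol,ou=lab,o=acme",
]

if __name__ == "__main__":
    for user, reason in sync_coverage_gaps(REPLICA_USERS, ASSIGNMENTS).items():
        print(f"{user}: {reason}")
```

In the sample tree, alice inherits Corp-UP from the partition root container and svc-sync has its own Universal Password policy, so both synchronize; bob falls under the legacy subcontainer policy and carol, outside ou=corp, falls back to the tree default, so both are reported as gaps. Running this kind of check against the replica ring of each driver server is how you confirm that the tree-centric policy assignments and the per-server synchronization scope actually line up.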

For more information on how you specify password flow, see Password Synchronization Settings You Create Using Global Configuration Values.


Viewing Which Password Policy Is in Effect for a User

In iManager, you can check to see which policy is in effect for a user. See Finding Out Which Policy a User Has.


Setting Universal Password for a User

To allow administrators or help desk personnel to set the Universal Password for a user, a new iManager plug-in is provided. This plug-in displays the Advanced Password Rules from the user's Password Policy, to help the administrator or help desk user create a compliant Universal Password. The Set Universal Password task is located in the Password Management role.