We recommend that you assign a default policy to the whole tree, and assign any other policies you use as high up in the tree as possible, to simplify administration.
NMAS determines which Password Policy is in effect for a user. See Assigning Password Policies to Users for more information on how to assign password policies to users.
You can use the Advanced Password Rules in a password policy to enforce your business policies for passwords.
Keep in mind that only the Novell Client (4.9 SP2) and the iManager self-service console display the password rules from the Password Policy. If your users will be changing their passwords through the LDAP server or on a connected system, you need to make the password rules readily available to users to help them be successful in creating a compliant password.
If you are using Password Synchronization, make sure that the users who are assigned Password Policies are the same users you want to participate in Password Synchronization for connected systems. Password Policies are assigned with a tree-centric perspective. By contrast, Password Synchronization is set up per driver, on a per-server basis. To get the results you expect from Password Synchronization, make sure the users that are in a read/write or master replica on the server running the drivers for Password Synchronization match the containers where you have assigned Password Policies with Universal Password enabled. Assigning a Password Policy to a partition root container ensures that all users in that container and its subcontainers are assigned the Password Policy.
There are several different ways a user can log in or change a password.
For all of them, you need to upgrade your environment to eDirectory 8.7.1 or later with the associated LDAP server, NMAS 2.3 or later, and iManager 2.0.2 or later. For more information about upgrading to support Universal Password, see "Deploying Universal Password" in the Novell Modular Authentication Services (NMAS) 2.3 Administration Guide.
This section explains the additional requirements for supporting Universal Password in each case.
Upgrade the Novell Client to version 4.9 SP2 or later, if you are using the Client.
Keep in mind that using the Novell Client is not required, because users can log in through the iManager self-service console or other company portals depending on your environment. Also, the Novell Client is no longer required for Password Synchronization on AD or NT.
The following table describes the differences in Novell Client versions in regard to Universal Password, and gives suggestions for how to handle legacy Clients.
Novell Client version | Login | Change Password
---|---|---
before 4.9 | Does not go through NMAS, so it does not support Universal Password. Instead, it logs in directly using the NDS Password. | Changes the NDS Password directly, instead of going through NMAS. If you are using Universal Password, this can create a problem called "password drift," meaning that the NDS Password and the Universal Password are not kept synchronized. To prevent this, you have three choices:
4.9 | Supports Universal Password. | Enforces Password Policy rules for Universal Password. If a user tries to create a password that is not compliant, the password change is rejected. However, the list of rules is not displayed to the user.
4.9 SP2 | Supports Universal Password. | Enforces Password Policy rules for Universal Password. In addition, it displays the rules to the user to help them create compliant passwords.
The iManager self-service console provides Password Self-Service, so users can reset passwords and set up Forgotten Password Self-Service if the Password Policy provides it. The iManager self-service console is accessible to users on your iManager server using a URL such as https://www.servername.com/nps. For example, https://www.myiManager.com/nps.
As noted above, make sure that eDirectory, LDAP server, NMAS, and iManager are upgraded to support Universal Password.
For information about using AFP, CIFS, and other protocols with Universal Password, see "Deploying Universal Password" in the Novell Modular Authentication Services (NMAS) 2.3 Administration Guide.
If you are using Identity Manager Password Synchronization, make sure the following requirements are met so that user password changes are successful.
For more information, see Password Synchronization across Connected Systems.
For versions of the Novell Client previous to 4.9, login and password changes go straight to the NDS Password instead of through NMAS, so Universal Password is not supported.
If you are using Universal Password, using legacy Clients to change passwords can create a problem called "password drift," meaning that the NDS Password and the Universal Password are not kept synchronized.
To prevent this issue, one option is to block password changes from Clients older than version 4.9. This is done using an eDirectory attribute on a partition root container, class, or object. The attributes are part of the schema in eDirectory 8.7.1 or later, and are not supported on eDirectory 8.7.0 or earlier.
The method used by legacy Clients to change the NDS Password is called NDAP password management. The following list explains how you can use an attribute to disable NDAP password management at the partition level. You can still enable it per class or object if necessary, using other attributes.
ndapPartitionPasswordMgmt. For partition-level containers. If the attribute is not present or the value is not set at the partition level, then NDAP password management is enabled.
To disable NDAP password management, add this attribute to the partition and set it to 0. To enable it again, set the attribute to 1.
You can use the other attributes listed below to let classes or objects use NDAP password management even if it is disabled at the partition level. However, if NDAP password management is enabled at the partition level, then NDAP password management is enabled for all objects in that partition regardless of the class and entry level policies.
ndapClassPasswordMgmt. For a class. If you add this attribute to a class definition, the class can use NDAP password management even if the partition-level policy specifies that it is disabled. (The presence of this attribute is what enables NDAP password management; the value is not important.)
ndapPasswordMgmt. For a specific object. If you add this attribute to a specific object and set the value to 1, the object can use NDAP password management even if the partition or class specifies that it is disabled.
A setting of 0 disables NDAP password management, but only if it is also disabled at the partition level.
IMPORTANT: Remember that eDirectory 8.7.0 or earlier does not support this feature. If a tree exists with an eDir 8.7.1 server or later and an eDir 8.7.0 server or earlier, and the two servers share a partition, disabling NDAP password management on that partition will have unreliable results. The 8.7.1 server enforces the setting, preventing legacy Clients from changing the NDS Password. However, the 8.7.0 server does not enforce the setting, so if a user tries to change the NDS Password via the 8.7.0 server, the change succeeds.
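The following is an added example, not code from the Novell documentation, that works through the precedence of the three NDAP password management attributes described above (partition, class, object) and the 8.7.0 non-enforcement caveat. It assumes the attributes are exposed through the LDAP server under the same names, and that an explicit object-level 0 also overrides a class-level enable when the partition is disabled; both are assumptions, not statements from the page.

```python
# Added example: resolve the effective NDAP password management setting
# from the eDirectory attributes ndapPartitionPasswordMgmt,
# ndapClassPasswordMgmt and ndapPasswordMgmt. Not Novell's own code.
from typing import Optional


def parse_version(version: str) -> tuple:
    """'8.7.1' -> (8, 7, 1). Assumes dotted-integer eDirectory versions."""
    return tuple(int(part) for part in version.split("."))


def ndap_password_mgmt_enabled(
    partition_value: Optional[int],   # ndapPartitionPasswordMgmt; None = absent/unset
    class_has_attr: bool,             # ndapClassPasswordMgmt present on the object's class
    object_value: Optional[int],      # ndapPasswordMgmt on the object; None = absent
    server_version: str = "8.7.1",    # version of the server handling the change
) -> bool:
    """True if a legacy (pre-4.9) Client may change the NDS Password via NDAP."""
    # eDirectory 8.7.0 and earlier lack the schema and never enforce the setting,
    # which is why mixed-version partitions give unreliable results.
    if parse_version(server_version) < (8, 7, 1):
        return True
    # Partition level: absent, unset, or 1 means enabled for every object in the
    # partition, regardless of class- or entry-level settings.
    if partition_value is None or partition_value == 1:
        return True
    # Partition is disabled (0). An explicit object-level value is decisive.
    # Assumption: an object-level 0 also overrides a class-level enable.
    if object_value == 1:
        return True
    if object_value == 0:
        return False
    # No object-level setting: the mere presence of the class attribute re-enables it.
    return class_has_attr


def ldif_disable_partition(partition_dn: str) -> str:
    """LDIF modify record that sets ndapPartitionPasswordMgmt to 0 on a partition root.
    Assumption: the attribute is writable under this name through the LDAP server."""
    return (
        f"dn: {partition_dn}\n"
        "changetype: modify\n"
        "replace: ndapPartitionPasswordMgmt\n"
        "ndapPartitionPasswordMgmt: 0\n"
    )
```

A blocked legacy-Client password change is the intended outcome; pair the partition setting with the Client upgrade so that users are not left without any working way to change their password.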