Make sure you have completed the steps in Section 3.3, Prerequisite Tasks for Using Password Policies.
These steps prepare you to use all the features of password policies.
In iManager, click Passwords > Password Policies.
Click New to create a new password policy.
Follow the steps in the wizard to create Advanced Password Rules, Universal Password Configuration Options, and Forgotten Password selections for the policy.
See the online help for information about each step, as well as the information in Section 3.0, Managing Passwords by Using Password Policies and in Section 4.0, Password Self-Service.
The following figure shows an example of the advanced password rules:
This allows the user to use the password self-service features (see Section 4.0, Password Self-Service).
You can specify how unique passwords are enforced by using one or both of the following two values.
If you require unique passwords, you can indicate how many passwords are stored in the history list for comparison. For example, if you specify 3, then the user's previous three passwords are stored. If a user tries to change his or her password and reuse one that is in the history list, the password policy rejects the password and the user is prompted to specify a different one.
If you require unique passwords, you can specify how many days a previous password remains stored in the history list for comparison.
For example, if you specify 30 and the user's previous password was “mountains99”, that password remains in the history list for 30 days. During that time, if the user tries to change his or her password and reuse “mountains99”, the password policy rejects that password and the user is prompted to specify a different one. After the 30-day period, the old password is no longer stored for comparison, and the password policy allows it to be reused.
For example, if this value is set to 30, a user must keep the same password for 30 days before he or she can change it. The password policy does not allow the Universal Password to be changed by the user before that time has elapsed.
For example, if this value is set to 90, a user's password expires 90 days after it has been set. If grace logins are not enabled, the user cannot log in after a password has expired, and administrator assistance is needed to reset the password. However, if you enable grace logins, described in the next item, the user can log in with the expired password the specified number of times.
NOTE: A security enhancement was added to NMAS 2.3.4 regarding Universal Passwords changed by an administrator. It works in much the same way as the feature previously provided for NDS® Password. If an administrator changes a user's password, such as when creating a new user or in response to a help desk call, for security the password is automatically expired if you have enabled the setting to expire passwords in the password policy. For this particular feature, the number of days is not important, but this setting must be enabled.
When the password expires, this value indicates how many times a user is allowed to log in to eDirectory using the expired password. If grace logins are not enabled, the user cannot log in after a password has expired, and he or she requires administrator assistance to reset the password. If the value is 1 or more, the user has a chance to log in additional times before being forced to change the password. However, if the user does not change the password before all the grace logins are used, he or she is locked out and is unable to log in to eDirectory.
In eDirectory 8.7.1 and 8.7.3, you needed to use the Novell Client for case sensitivity to work. In eDirectory 8.8 or later, you can make your passwords case sensitive for all the clients that are upgraded to eDirectory 8.8. See the eDirectory 8.8 Administration Guide for more information.
Special characters are characters that are neither numerals (0-9) nor alphabetic characters. (The alphabetic characters are a-z, A-Z, and the alphabetic characters in the Latin-1 code page 850.)
The passwords that you exclude are case insensitive, so if you specify the word “test” as a word that cannot be used as a password, then “Test” and “TEST” are also excluded.
At this time, the list of excluded passwords must be typed manually, one at a time. Also, you can exclude only specific words, not a pattern or an eDirectory attribute.
HINT: Keep in mind that password exclusions can be useful for a few words that you think would be security risks. Although an exclusion list feature is provided, it is not intended to be used for a long list of words such as a dictionary. Long lists of excluded words can affect server performance. Instead of a long exclusion list to protect against "dictionary attacks" on passwords, we recommend that you use the Advanced Password Rules to require numbers to be included in the password.
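The history, minimum-lifetime and exclusion rules described above, replayed as an added example (not Novell's code or any part of iManager). The policy values mirror the examples in the text (3 passwords and 30 days of history, 30-day minimum lifetime, "test" excluded); the class names, the exact-match comparison against history and the rule that, when both history limits are set, an entry must satisfy both are assumptions made here:

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

@dataclass
class PasswordPolicy:                  # constructed values mirroring the examples in the text
    history_count: Optional[int] = 3   # previous passwords kept for comparison
    history_days: Optional[int] = 30   # days a previous password stays in the list
    min_lifetime_days: int = 30        # days a user must keep a password
    excluded: Tuple[str, ...] = ("test",)  # matched case-insensitively

@dataclass
class UserState:
    password: str
    set_at: datetime
    history: List[Tuple[str, datetime]] = field(default_factory=list)  # newest first

def passwords_in_history(policy, user, now):
    """Previous passwords still compared under the policy. Assumption: with both
    limits set, an entry must be within the last N *and* younger than M days."""
    entries = user.history if policy.history_count is None else user.history[:policy.history_count]
    if policy.history_days is not None:
        cutoff = now - timedelta(days=policy.history_days)
        entries = [e for e in entries if e[1] >= cutoff]
    return [pw for pw, _ in entries]

def change_password(policy, user, new_password, now):
    """Apply the rules; update the user state on success. Returns (ok, reason)."""
    if now - user.set_at < timedelta(days=policy.min_lifetime_days):
        return False, "minimum password lifetime not reached"
    if new_password.lower() in {w.lower() for w in policy.excluded}:
        return False, "password is on the exclusion list"
    if new_password in passwords_in_history(policy, user, now):  # exact match (assumption)
        return False, "password was used recently"
    user.history.insert(0, (user.password, now))   # retire the old password into history
    user.password, user.set_at = new_password, now
    return True, "changed"

def demo():
    """Replay the text's scenarios (count+days policy, then count-only); returns reasons."""
    t0 = datetime(2024, 1, 1)
    out = []
    for policy in (PasswordPolicy(), PasswordPolicy(history_days=None)):
        user = UserState("mountains99", t0 - timedelta(days=60))
        out.append(change_password(policy, user, "TEST", t0)[1])       # exclusion, any case
        out.append(change_password(policy, user, "hills42", t0)[1])    # accepted
        out.append(change_password(policy, user, "mountains99", t0 + timedelta(days=1))[1])
        out.append(change_password(policy, user, "mountains99", t0 + timedelta(days=31))[1])
    return out
```

With the 30-day history limit, "mountains99" becomes reusable again on day 31; with only the count limit it is still rejected, which is the difference between the two values the text describes.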
The following figure shows an example of the advanced password rules:
Enables Universal Password for this policy. You must enable Universal Password if you want to use the other Password Policy features.
Enables the Advanced Password Rules found on the Advanced Password Rules page for this policy. These advanced password rules help secure your environment by giving you control over password lifetime and what the password can contain.
If this option is selected, the NDS password is disabled when the Universal Password is set.
If this option is selected, setting the Universal Password in applications such as the Novell Client also changes the NDS password.
Provided solely for backward compatibility with NetWare 6.0 servers that contain AFP/CIFS users. If you have NetWare 6.0 servers in the tree that contain AFP/CIFS users, you should select this option.
NOTE: The setting of this option does not affect your ability to import user passwords using ICE.
Determines whether the DirXML® engine can retrieve or set a user’s Universal Password in eDirectory.
Determines whether the Forgotten Password Self-Service feature can retrieve a password on behalf of a user, so that the password can be e-mailed to the user. If this option is not selected, the corresponding feature is grayed out on the Forgotten Password page in the Password Policy.
Lets you retrieve users' passwords using a third-party product or service that uses this functionality.
If this option is selected, when users log in through iManager or the iManager self-service console, their existing passwords are checked to make sure they comply with the Advanced Password Rules in the users’ Password Policy. If an existing password does not comply, users are required to change it.