3.4 Creating Password Policies

  1. Make sure you have completed the steps in Section 3.3, Prerequisite Tasks for Using Password Policies.

    These steps prepare you to use all the features of password policies.

  2. In iManager, click Passwords > Password Policies.

  3. Click New to create a new password policy.

  4. Follow the steps in the wizard to create Advanced Password Rules, Universal Password Configuration Options, and Forgotten Password selections for the policy.

    See the online help for information about each step, as well as the information in Section 3.0, Managing Passwords by Using Password Policies and in Section 4.0, Password Self-Service.

3.4.1 Advanced Password Rules

Figure 3-1 shows the first section of the advanced password rules:

Figure 3-1 Advanced Password Rules

Change Password

  • Allow user to initiate password change

    This allows the user to use the password self-service features (see Section 4.0, Password Self-Service).

  • Do not expire the user’s password when the administrator sets the password

    The default in eDirectory, when password expiration is set, is to expire the user’s password when the administrator sets the password. This requires the user to go and change his or her password. This feature lets you override the default.

  • Require unique passwords

    You can specify how unique passwords are enforced by using one of the following two values.

    • Remove password from history list after a specified number of days (0-365) and a specified history list size (1-255).

      If you require unique passwords, you can specify how many days a previous password remains stored in the history list for comparison.

      For example, if you specify 30 and the user's previous password was “mountains99”, that password remains in the history list for 30 days. During that time, if the user tries to change his or her password and reuse “mountains99”, the password policy rejects that password and the user is prompted to specify a different one. After the 30-day period, the old password is no longer stored for comparison, and the password policy allows it to be reused.

      If you require unique passwords, you can indicate how many passwords are stored in the history list for comparison. For example, if you specify 3, then the user's previous three passwords are stored. If a user tries to change his or her password and reuse one that is in the history list before the number of days specified for removal from the history list, the password policy rejects the password and the user is prompted to specify a different one.

      If Require unique passwords is selected and you select Remove password from history list after a specified number of days (0-365) but don’t specify a number of days, the password will be on the history list for 8 times the value set in the Number of days before password expires (0-365) field. If neither field has a value, the password will be on the history list for 365 days.

    • Remove password from history list when the list is full and a specified history list size (1-255).

      If you require unique passwords, you can indicate how many passwords are stored in the history list for comparison. This field will prevent a user from changing his or her password if the history list is full. For example, if you specify 3, then the user's previous three passwords are stored. If a user tries to change his or her password and reuse one that is in the history list, the password policy rejects the password and the user is prompted to specify a different one.
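The history-list behaviour described above, modelled as an added example (this is not code from the NMAS or eDirectory documentation): the retention period falls back to 8 times the expiry period and then to 365 days, and a password still in the list cannot be reused. The class and field names are assumptions, as is dropping the oldest entry when the list is full.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Tuple

@dataclass
class UniquePasswordPolicy:
    """'Require unique passwords' with the day-based removal option selected."""
    history_size: int = 3                    # history list size (1-255)
    remove_after_days: Optional[int] = None  # None = field left blank (0-365)
    expire_days: int = 0                     # "Number of days before password expires"

    def retention_days(self) -> int:
        """Days an old password stays in the history list for comparison."""
        if self.remove_after_days:
            return self.remove_after_days
        # Blank: 8 x the expiry period; if that is blank too, 365 days.
        return 8 * self.expire_days if self.expire_days else 365

@dataclass
class PasswordHistory:
    policy: UniquePasswordPolicy
    entries: List[Tuple[str, date]] = field(default_factory=list)  # oldest first

    def change_password(self, new_pw: str, today: date) -> bool:
        """Process a change request: True if accepted, False if the policy rejects it."""
        keep = self.policy.retention_days()
        # Entries older than the retention period are no longer compared.
        self.entries = [e for e in self.entries if (today - e[1]).days < keep]
        if any(old == new_pw for old, _ in self.entries):
            return False  # reuse of a password still in the history list
        if len(self.entries) >= self.policy.history_size:
            self.entries.pop(0)  # assumption: the oldest entry makes room when the list is full
        self.entries.append((new_pw, today))
        return True

def thirty_day_walkthrough() -> Tuple[bool, bool, bool]:
    """Replays the page's example: set "mountains99", try to reuse it on day 10 and on day 31."""
    hist = PasswordHistory(UniquePasswordPolicy(history_size=3, remove_after_days=30))
    start = date(2024, 1, 1)  # constructed date
    return (hist.change_password("mountains99", start),
            hist.change_password("mountains99", start + timedelta(days=10)),
            hist.change_password("mountains99", start + timedelta(days=31)))
```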

Password Lifetime

  • Number of days before password can be changed (0-365)

    For example, if this value is set to 30, a user must keep the same password for 30 days before he or she can change it. The password policy does not allow the Universal Password to be changed by the user before that time has elapsed.

  • Number of days before password expires (0-365)

    For example, if this value is set to 90, a user's password expires 90 days after it has been set. If grace logins are not enabled, the user cannot log in after a password has expired, and administrator assistance is needed to reset the password. However, if you enable grace logins, described in the next item, the user can log in with the expired password the specified number of times.

    NOTE: A security enhancement was added to NMAS 2.3.4 regarding Universal Passwords changed by an administrator. It works in much the same way as the feature previously provided for NDS® Password. If an administrator changes a user's password, such as when creating a new user or in response to a help desk call, for security the password is automatically expired if you have enabled the setting to expire passwords in the password policy. For this particular feature, the number of days is not important, but this setting must be enabled.

    • Limit the number of grace logins allowed (0-254)

      When the password expires, this value indicates how many times a user is allowed to log in to eDirectory using the expired password. If grace logins are not enabled, the user cannot log in after a password has expired, and he or she requires administrator assistance to reset the password. If the value is 1 or more, the user has a chance to log in additional times before being forced to change the password. However, if the user does not change the password before all the grace logins are used, he or she is locked out and is unable to log in to eDirectory.

Password Exclusions

  • Exclude the following passwords

    This allows you to manually type in the passwords you want to exclude. Also, you can exclude only specific words, not a pattern or an eDirectory attribute.

    The passwords that you exclude are case insensitive, so if you specify the word “test” as a word that cannot be used as a password, then “Test” and “TEST” are also excluded.

    HINT: Keep in mind that password exclusions can be useful for a few words that you think would be security risks. Although an exclusion list feature is provided, it is not intended to be used for a long list of words such as a dictionary. Long lists of excluded words can affect server performance. Instead of a long exclusion list to protect against "dictionary attacks" on passwords, we recommend that you use the Advanced Password Rules to require numbers to be included in the password.

  • Exclude passwords that match attribute values

    This allows you to select User object attributes that you want to exclude from being used as passwords. For example, if you add the Given Name attribute to the list and the Given Name attribute contained the value of Frank, then frank, frank1, 1frank, etc. could not be used as the password.

    Use the Plus and Minus buttons to add and delete attribute values from the list.

Figure 3-2 Advanced Password Rules Continued

Password Syntax

  • Use Microsoft complexity policy

    This allows you to use the Microsoft Complexity Policy. By selecting this option, several options on the Advanced Password Rules page will be set to meet the criteria of the Microsoft Complexity Policy. These options include:

    • Minimum password length is 6

    • Maximum password length is 128

    • The password must contain at least one character from each of the four types of character (uppercase, lowercase, numeric, and special)

      • Uppercase characters include all uppercase characters in the Basic Latin and the Latin-1 character sets.

      • Lowercase characters include all lowercase characters in the Basic Latin and the Latin-1 character sets.

      • Numeric characters are 1, 2, 3, 4, 5, 6, 7, 8, 9, 0

      • Special characters are all other characters

      Use this option if you have to synchronize passwords between eDirectory and Microsoft Active Directory.

    • The values of the following user attributes cannot be contained in the password: CN, Given Name, Surname, Full Name, and displayName.

  • Use Novell syntax

    This allows you to use the Novell syntax for the password policy.

Password Length

  • Minimum number of characters in password (1-512)

  • Maximum number of characters in password (1-512)

Repeating Characters

  • Minimum number of unique characters (1-512)

  • Maximum number of times a specific character can be used (1-512)

  • Maximum number of times a specific character can be repeated sequentially (1-512)

Case Sensitive

In eDirectory 8.7.1 and 8.7.3, you needed to use the Novell Client for case sensitivity to work. In eDirectory 8.8 or later, you can make your passwords case sensitive for all the clients that are upgraded to eDirectory 8.8. See the eDirectory 8.8 Administration Guide for more information.

  • Allow the password to be case sensitive

  • Minimum number of uppercase characters required in the password (1-512)

  • Maximum number of uppercase characters allowed in the password (1-512)

  • Minimum number of lowercase characters required in the password (1-512)

  • Maximum number of lowercase characters allowed in the password (1-512)

Figure 3-3 Advanced Password Rules Final

Numeric Characters

  • Allow numeric characters in the password

    • Disallow numeric as first character

    • Disallow numeric as last character

    • Minimum number of numerals in password (1-512)

    • Maximum number of numerals in password (1-512)

Special Characters

Special characters are the characters that are not numbers (0-9) and are not alphabetic characters. (The alphabetic characters are a-z, A-Z, and alphabetic characters in the Latin-1 code page 850.)

  • Allow special characters in the password

    • Disallow a special character as first character

    • Disallow a special character as last character

    • Minimum number of special characters (1-512)

    • Maximum number of special characters (1-512)

  • Allow non-US ASCII characters

    This allows the password to have characters outside of the Basic Latin character set (also known as extended characters).
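An added example (not code from the NMAS or eDirectory documentation) that evaluates a candidate password against the Advanced Password Rules described in this section: the Microsoft complexity preset, the case-insensitive exclusion list, attribute-value exclusion, the repeating-character limits, numeric first/last placement and the non-US ASCII switch. The policy keys and rule names are assumptions chosen for this example; the character classes follow the page's definitions.

```python
from collections import Counter
from itertools import groupby
from typing import Dict, List

# The settings the page lists for "Use Microsoft complexity policy".
MICROSOFT_COMPLEXITY = {
    "min_length": 6, "max_length": 128, "require_all_classes": True,
    "exclude_attributes": ["CN", "Given Name", "Surname", "Full Name", "displayName"],
}

def char_class(ch: str) -> str:
    """Classify a character into the four classes the page defines."""
    if ch in "0123456789":
        return "numeric"
    if ord(ch) < 0x100 and ch.isalpha():        # Basic Latin and Latin-1 letters
        return "upper" if ch.isupper() else "lower"
    return "special"                             # everything else

def check_password(pw: str, policy: Dict, user_attrs: Dict[str, str]) -> List[str]:
    """Return the names of the rules the candidate violates (empty list = accepted)."""
    v: List[str] = []
    g = policy.get
    if len(pw) < g("min_length", 1): v.append("min_length")
    if len(pw) > g("max_length", 512): v.append("max_length")
    if g("require_all_classes") and len({char_class(c) for c in pw}) < 4:
        v.append("require_all_classes")
    # Repeating characters: distinct count, uses per character, longest sequential run.
    if len(set(pw)) < g("min_unique", 1): v.append("min_unique")
    if max(Counter(pw).values(), default=0) > g("max_char_uses", 512): v.append("max_char_uses")
    if max((len(list(run)) for _, run in groupby(pw)), default=0) > g("max_sequential", 512):
        v.append("max_sequential")
    # Numeric placement rules ("Disallow numeric as first/last character").
    if pw and not g("numeric_first", True) and char_class(pw[0]) == "numeric": v.append("numeric_first")
    if pw and not g("numeric_last", True) and char_class(pw[-1]) == "numeric": v.append("numeric_last")
    # Excluded words match case-insensitively: "test" also bars "Test" and "TEST".
    if pw.lower() in {w.lower() for w in g("exclude_passwords", [])}: v.append("exclude_passwords")
    # An excluded attribute value may not appear anywhere: Frank bars frank1 and 1frank.
    for attr in g("exclude_attributes", []):
        val = user_attrs.get(attr, "")
        if val and val.lower() in pw.lower(): v.append("exclude_attribute:" + attr)
    # "Allow non-US ASCII characters" off: nothing outside Basic Latin is accepted.
    if not g("allow_non_ascii", True) and any(ord(c) > 0x7F for c in pw): v.append("allow_non_ascii")
    return v
```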

3.4.2 Universal Password Configuration Options

The following figure shows an example of the advanced password rules:

  • Enable Universal Password

    Enables Universal Password for this policy. You must enable Universal Password if you want to use the other Password Policy features.

  • Enable the Advanced Password Rules

    Enables the Advanced Password Rules found on the Advanced Password Rules page for this policy. These advanced password rules help secure your environment by giving you control over password lifetime and what the password can contain.

  • Universal Password Synchronization

    • Remove the NDS password when setting Universal Password

      If this option is selected, the NDS password is disabled when the Universal Password is set.

    • Synchronize NDS password when setting Universal Password

      If this option is selected, setting the Universal Password in applications such as the Novell Client also changes the NDS password.

    • Synchronize Simple Password when setting Universal Password

      Provided solely for backward compatibility with NetWare 6.0 servers that contain AFP/CIFS users. If you have NetWare 6.0 servers in the tree that contain AFP/CIFS users, you should select this option.

      NOTE: The setting of this option does not affect your ability to import user passwords using ICE.

    • Synchronize Distribution Password when setting Universal Password

      Determines whether the DirXML® engine can retrieve or set a user’s Universal Password in eDirectory.

  • Universal Password Retrieval

    • Allow user agent to retrieve password

      Determines whether the Forgotten Password Self-Service feature can retrieve a password on behalf of a user, so that the password can be e-mailed to the user. If this option is not selected, the corresponding feature is grayed out on the Forgotten Password page in the Password Policy.

    • Allow admin to retrieve passwords

      Lets you retrieve users' passwords using a third-party product or service that uses this functionality.

  • Authentication

    • Verify whether existing passwords comply with the password policy (verification occurs on login)

      If this option is selected, when users log in through iManager or the iManager self-service console, their existing passwords are checked to make sure they comply with the Advanced Password Rules in the users’ Password Policy. If an existing password does not comply, users are required to change it.