A.4 Universal Password

  • Because the Security container holds tree-wide policies, be careful where you place writable replicas of it: a server that holds a writable replica can modify the security policies for the whole eDirectory tree. For users to log in with NMAS, the NMAS server must hold replicas of both the User objects and the Security container.

  • If a Password policy is assigned to a container that is not a partition root, that policy is effective only for the User objects directly in that container, not for User objects in its subcontainers.

  • If a Password policy is assigned to a container that is a partition root, that policy is effective for all users in that partition that do not have a Password policy assigned to the User object or to the object's parent container.

  • If a Password policy is assigned to the Login policy, that policy is effective for all users in the tree that do not have a Password policy assigned to the User object, to the object's parent container, or to the object's partition root.

  • When the NDS Password is migrated to the Universal Password during a user login, the password expiration time might be changed in the following circumstances:

    NOTE: This section applies only to NMAS 3.2x and earlier. In NMAS 3.3 and later, the password expiration time is not updated when the NDS Password is migrated to the Universal Password unless the “Verify whether existing passwords comply with the password policy (verification occurs on login)” password policy rule is set to “true”.

    • If the calculated password expiration time (the time the NDS Password was set plus the Password policy's password expiration interval) is earlier than the user's current password expiration, the password expiration time is set to the calculated value.

    • If the password policy does not have a password expiration interval, the user's password expiration time attribute is removed.

  • Password policies can be configured to allow the user or a password administrator to read the Universal Password by using documented NMAS LDAP extensions. These options should not be enabled unless required for your specific installation. If you require user passwords to be readable, you should configure the Password policy to only allow selected users to read the passwords.

  • You should configure a password policy to synchronize to the Distribution Password only if Identity Manager Password Synchronization is being used to synchronize passwords between connected systems.

    For more information on synchronizing passwords between connected systems using Identity Manager Password Synchronization, see the NetIQ Identity Manager 4.0.2 Password Management Guide.

  • You should configure a password policy to synchronize to the Simple Password only if:

    • You have servers that hold a writable replica of user objects

    • Users access those servers using Native File Access Protocols such as CIFS and AFP.

  • When advanced password rules are enabled for a password policy, the legacy password rules on the User object are ignored, and are updated to match the password policy rules when users change their passwords or log in.

  • The password exclusion rules (password history, excluded passwords, and disallowed attribute values) are not enforced when NMAS is used to generate random passwords.

  • When selecting password rules, balance the requirement for passwords that are hard to guess against the cost of passwords that are hard to remember.

  • When an administrator specifies that the NDS Password is to be removed, the result is that the NDS Password Hash is set to a random value that is unknown to anyone but eDirectory. There might or might not be a password value that could be hashed to that random value.

  • XML Password Complexity

    • If there are duplicate rule tags, the most restrictive rule is used (others are ignored) for checking passwords against the policy and for random password generation.

    • The ViolationsAllowed and NumberOfCharactersToEvaluate rule set attributes are ignored for random password generation.

    • Only the first policy in an XML policy is used for random password generation.
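
The Password policy precedence described earlier in this section (a policy on the User object, then on the parent container, then on the partition root, then on the Login policy), worked through in code. This is an added example and not NetIQ or eDirectory code: the tree layout, DNs and policy names are constructed for illustration, and DN parsing is simplified to splitting on commas.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set


def parent_dn(dn: str) -> Optional[str]:
    """Return the parent of a comma-separated DN, or None at the tree root."""
    if "," not in dn:
        return None
    return dn.split(",", 1)[1]


@dataclass
class Tree:
    # Containers that are partition roots (constructed sample data, not a real tree).
    partition_roots: Set[str]
    # Explicit Password policy assignments on User objects or containers.
    assignments: Dict[str, str]
    # Policy assigned to the Login policy (tree-wide default), if any.
    login_policy: Optional[str] = None

    def effective_policy(self, user_dn: str) -> Optional[str]:
        # 1. A policy assigned directly to the User object wins.
        if user_dn in self.assignments:
            return self.assignments[user_dn]
        parent = parent_dn(user_dn)
        # 2. Next, the user's immediate parent container. A policy on a
        #    container that is not a partition root does not reach its
        #    subcontainers, so only the direct parent is consulted here.
        if parent in self.assignments:
            return self.assignments[parent]
        # 3. Next, the root of the partition that holds the user. Walk up
        #    and stop at the first partition root; anything above it is a
        #    different partition, so its policy does not apply to this user.
        container = parent
        while container is not None:
            if container in self.partition_roots:
                return self.assignments.get(container, self.login_policy)
            container = parent_dn(container)
        # 4. Otherwise fall back to the Login policy.
        return self.login_policy


# Constructed sample tree: o=acme, ou=eng and ou=legal are partition roots;
# ou=contractors is an ordinary container with its own policy; ou=legal has none.
SAMPLE_TREE = Tree(
    partition_roots={"o=acme", "ou=eng,o=acme", "ou=legal,o=acme"},
    assignments={
        "o=acme": "RootPolicy",
        "ou=eng,o=acme": "EngPolicy",
        "ou=contractors,ou=eng,o=acme": "ContractorPolicy",
        "cn=alice,ou=contractors,ou=eng,o=acme": "AlicePolicy",
    },
    login_policy="DefaultPolicy",
)


def demo() -> Dict[str, Optional[str]]:
    """Resolve a few constructed users; each one exercises a different step."""
    users = [
        "cn=alice,ou=contractors,ou=eng,o=acme",            # assigned on the User object
        "cn=bob,ou=contractors,ou=eng,o=acme",              # from the parent container
        "cn=carol,ou=interns,ou=contractors,ou=eng,o=acme",  # ContractorPolicy skipped (not a partition root)
        "cn=dave,ou=sales,o=acme",                          # from the partition root o=acme
        "cn=eve,ou=hr,ou=legal,o=acme",                     # own partition root has no policy: Login policy
    ]
    return {u: SAMPLE_TREE.effective_policy(u) for u in users}


if __name__ == "__main__":
    for dn, policy in demo().items():
        print(f"{dn:55} -> {policy}")
```

Note that carol does not pick up ContractorPolicy even though ou=contractors is an ancestor, and eve does not pick up RootPolicy even though o=acme is an ancestor: the first is blocked because ou=contractors is not a partition root, the second because eve lives in the ou=legal partition, whose root has no policy of its own.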
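
The password expiration adjustment described earlier in this section for the NDS-to-Universal Password migration, including the NMAS 3.2x versus 3.3 gate from the NOTE, as an added example that is not NetIQ code. The NMAS version and the "Verify whether existing passwords comply..." rule are modeled as plain function parameters, and a user with no expiration value at all is treated as "never expires" (so the calculated value is earlier and is applied); both are assumptions made for this example.

```python
from datetime import datetime, timedelta
from typing import Dict, Optional, Tuple


def migrated_expiration(
    nds_password_set: datetime,
    current_expiration: Optional[datetime],
    policy_interval: Optional[timedelta],
    nmas_version: Tuple[int, int] = (3, 2),
    verify_existing_on_login: bool = False,
) -> Optional[datetime]:
    """Return the user's password expiration time after an NDS-to-Universal
    Password migration at login. None means the attribute is removed or absent.
    The NMAS version and the verification rule are plain parameters here, an
    assumption for this example."""
    # NMAS 3.3 and later: the expiration is left alone unless the verification
    # rule is set to true, in which case the 3.2x behaviour below applies.
    if nmas_version >= (3, 3) and not verify_existing_on_login:
        return current_expiration
    # Policy has no expiration interval: the user's expiration attribute is removed.
    if policy_interval is None:
        return None
    calculated = nds_password_set + policy_interval
    # Calculated time earlier than the current expiration: the earlier value wins.
    # A user with no expiration at all is treated as "never expires", so the
    # calculated time is earlier and is applied (an assumption for this example).
    if current_expiration is None or calculated < current_expiration:
        return calculated
    return current_expiration


def demo() -> Dict[str, Optional[str]]:
    """Run the rules over constructed inputs; returns ISO timestamps or None."""
    set_at = datetime(2024, 1, 1)
    current = datetime(2024, 6, 1)
    ninety = timedelta(days=90)
    cases = {
        "3.2x, calculated earlier than current": migrated_expiration(set_at, current, ninety),
        "3.2x, calculated later than current": migrated_expiration(set_at, datetime(2024, 2, 1), ninety),
        "3.2x, no interval in policy": migrated_expiration(set_at, current, None),
        "3.2x, no current expiration": migrated_expiration(set_at, None, ninety),
        "3.3, verification rule false": migrated_expiration(set_at, current, ninety, (3, 3), False),
        "3.3, verification rule true": migrated_expiration(set_at, current, ninety, (3, 3), True),
    }
    return {name: (value.isoformat() if value else None) for name, value in cases.items()}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:40} -> {result}")
```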
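
The three XML Password Complexity points above (duplicate rule tags collapse to the most restrictive value, ViolationsAllowed and NumberOfCharactersToEvaluate are ignored for generation, and only the first policy is used for generation), worked through in code, together with the earlier point that exclusion rules are not applied when generating random passwords. This is an added example and not NetIQ code: the element and attribute names in the sample XML (PasswordComplexity, Policy, RuleSet, Rule, MinLength, MaxLength, MinDigits) and the choice of max() for lower bounds and min() for upper bounds as "most restrictive" are assumptions made for this illustration and are not taken from the product schema.

```python
import secrets
import string
import xml.etree.ElementTree as ET
from typing import Dict, List

# Direction of "most restrictive" per rule attribute. Assumed for this example:
# lower bounds (Min*) combine with max(), upper bounds (Max*) with min().
MOST_RESTRICTIVE = {
    "MinLength": max,
    "MinDigits": max,
    "MaxLength": min,
}

# Constructed sample policy. Element and attribute names are assumed for this
# illustration, not taken from the product schema. The first Policy carries
# duplicate MinLength and MaxLength rule tags on purpose.
SAMPLE_POLICY = """<PasswordComplexity>
  <Policy>
    <RuleSet ViolationsAllowed="1" NumberOfCharactersToEvaluate="8">
      <Rule MinLength="8"/>
      <Rule MinLength="12"/>
      <Rule MaxLength="64"/>
      <Rule MaxLength="32"/>
      <Rule MinDigits="1"/>
    </RuleSet>
  </Policy>
  <Policy>
    <RuleSet>
      <Rule MinLength="20"/>
    </RuleSet>
  </Policy>
</PasswordComplexity>"""


def collapse_rules(ruleset: ET.Element) -> Dict[str, int]:
    """Merge duplicate rule tags in one RuleSet, keeping the most restrictive value."""
    merged: Dict[str, int] = {}
    for rule in ruleset.findall("Rule"):
        for name, raw in rule.attrib.items():
            pick = MOST_RESTRICTIVE.get(name)
            if pick is None:
                raise ValueError(f"unsupported rule attribute: {name}")
            value = int(raw)
            merged[name] = value if name not in merged else pick(merged[name], value)
    return merged


def rules_for_checking(xml_text: str) -> List[dict]:
    """Rule sets as used to check a password against the policy: every Policy
    is kept, duplicates are collapsed, and the RuleSet attributes are retained."""
    root = ET.fromstring(xml_text)
    out = []
    for policy in root.findall("Policy"):
        for rs in policy.findall("RuleSet"):
            chars = rs.get("NumberOfCharactersToEvaluate")
            out.append({
                "violations_allowed": int(rs.get("ViolationsAllowed", "0")),
                "chars_to_evaluate": int(chars) if chars is not None else None,
                "rules": collapse_rules(rs),
            })
    return out


def rules_for_generation(xml_text: str) -> List[Dict[str, int]]:
    """Rule sets as used for random password generation: only the first Policy
    is consulted, and ViolationsAllowed / NumberOfCharactersToEvaluate are
    dropped, so every collapsed rule must be satisfied by the generated value."""
    root = ET.fromstring(xml_text)
    first = root.find("Policy")
    if first is None:
        return []
    return [collapse_rules(rs) for rs in first.findall("RuleSet")]


def generate_password(rules: Dict[str, int]) -> str:
    """Generate a random password satisfying the collapsed length and digit rules.
    Exclusion rules (history, excluded passwords, attribute values) are not
    applied, matching the behaviour noted earlier in this section."""
    length = rules.get("MinLength", 8)
    if length > rules.get("MaxLength", length):
        raise ValueError("unsatisfiable rule set: MinLength exceeds MaxLength")
    digits = rules.get("MinDigits", 0)
    if digits > length:
        raise ValueError("unsatisfiable rule set: MinDigits exceeds MinLength")
    chars = [secrets.choice(string.digits) for _ in range(digits)]
    chars += [secrets.choice(string.ascii_letters + string.digits)
              for _ in range(length - digits)]
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


if __name__ == "__main__":
    print("checking:", rules_for_checking(SAMPLE_POLICY))
    gen = rules_for_generation(SAMPLE_POLICY)
    print("generation:", gen)
    print("sample password:", generate_password(gen[0]))
```

With the sample above, the first policy's duplicate tags collapse to MinLength 12 and MaxLength 32 for both checking and generation, the second policy's MinLength 20 is visible to checking but never to generation, and the generator ignores ViolationsAllowed entirely rather than allowing one rule to be missed.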

For additional information on Universal Password security, see the NetIQ Password Management 3.3.2 Administration Guide.