26.3 Deploying Universal Password

26.3.1 Step 1: Identify Your Need for Universal Password

If you answer yes to any of the following questions, you should plan to deploy and use Universal Password:

  • Do you plan to have international users access NetIQ Web-based services or use the Novell Client for Windows to access Novell file and print services?

  • Do you plan to use NetIQ Identity Manager, with its enhanced password policy and password synchronization capabilities?

26.3.2 Step 2: Make Sure Your Security Container Is Available

NMAS stores its global policies in the eDirectory tree, which is effectively the security domain. These security policies must be available to every server in the tree.

NMAS places the authentication policies and login method configuration data in the Security container that is created off the [Root] partition. This information must be readily accessible to all servers that are enabled for NMAS. The purpose of the Security container is to hold global policies that relate to security properties such as login, authentication, and key management.

eDirectory 9.0 provides security container caching. This feature caches the Security container data on local servers so that NMAS does not need to contact the Security container on every login attempt. See Security Object Caching.

With NMAS and eDirectory 8.8.x and later, we recommend that you create the Security container as a separate partition and replicate it widely, so that every NMAS-enabled server can read the policies. Place Read/Write replicas of this partition only on servers in your tree that are highly trusted; other servers should hold Read-Only replicas.

WARNING: Because the Security container holds global policies, be careful where you place writable replicas: any server holding one can modify the security policies for the whole eDirectory tree. For users to log in with NMAS, the NMAS server must hold replicas of both the User objects and the Security container.

For additional information, see TID3393169.

26.3.3 Step 3: Verify That Your SDI Domain Key Servers Are Ready for Universal Password

You must verify that the SDI Domain Key servers meet minimum configuration requirements and have consistent keys for distribution and use by other servers within the tree. These steps are crucial. If you don't follow them as outlined, you could cause serious password issues on your system when you turn on Universal Password.

  1. At a Windows server command prompt, run sdidiag.exe.

    sdidiag.exe is not shipped with eDirectory; it is available as part of the security patch associated with TID 2974092. Install it, then run sdidiag.exe.

  2. Log in as an Administrator by entering the server (full context), the tree name, the user name, and the password.

  3. Check that all your servers are using a 168-bit 3DES tree key and a 256-bit AES tree key.

    Follow the instructions in TID 3364214 to ensure that this requirement is met.

  4. Enter the command CHECK -v >> installation folder\sdinotes.txt.

    The output to the screen displays the results of the CHECK command.

  5. If no problems are found, go to Step 4: Check the Tree for SDI Key Consistency.

    or

    Follow the instructions written to the installation folder\sdinotes.txt file to resolve any configuration and key issues, then continue with Step 6.

  6. Verify that the SDI Domain Key Servers are running NICI 3.0.

    If the version is earlier, upgrade eDirectory to 9.0, which upgrades NICI to 3.0.

  7. (Optional) Re-run the SDIDIAG CHECK command. See Step 4.

For more information on using SDIDIAG, see TID 3364214.

Adding or Removing an SDI Domain Key Server

To remove a server as an SDI Domain Key Server, complete the following procedure:

  1. sdidiag.exe is not shipped with eDirectory; download it from the Novell download site, then run sdidiag.exe.

  2. Log in as an administrator with management rights over the Security container and the W0.KAP.Security objects by entering the server (full context), the tree name, the user name, and the password.

  3. Enter the command RS -s servername.

    For example, if server1 exists in container PRV in the organization Novell within the Novell_Inc tree, you would type .server1.PRV.Novell.Novell_Inc. for the servername.

To add a server as an SDI Domain Key Server, complete the following procedure:

  1. From a Windows server, open a command prompt box and run sdidiag.exe.

  2. Log in as an Administrator by entering the server (full context), the tree name, the user name, and the password.

  3. Enter the command AS -s servername.

    For example, if server1 exists in container PRV in the organization Novell within the Novell_Inc tree, you would type .server1.PRV.Novell.Novell_Inc. for the servername.

26.3.4 Step 4: Check the Tree for SDI Key Consistency

Verify that all instances of cryptographic keys are consistent throughout the tree. To ensure that each server has the cryptographic keys necessary to securely communicate with the other servers in the tree:

  1. At a Windows server command prompt, run sdidiag.exe.

  2. Enter the command CHECK -v >> sys:system\sdinotes.txt -n container DN.

    For example, if user Bob exists in container USR in the organization Acme within the Acme_Inc tree, you would type .USR.Acme.Acme_Inc. for the container distinguished name (DN).

    This reports if there are any key consistency problems among the various servers and the Key Domain servers.

    The output to the screen displays the results of the CHECK command.

  3. If no problems are reported, you are ready to enable Universal Password. Go to Step 5: Enable Universal Password.

    or

    If problems are reported, follow the instructions in the sdinotes.txt file.

    In most cases, you are prompted to run the command RESYNC -T. This command can be repeated any time NMAS reports -1418 or -1460 errors during authentication with Universal Password.

    For more information on SDIDIAG options and operations, see TID 3364214.

26.3.5 Step 5: Enable Universal Password

  1. Start NetIQ iManager.

  2. Click Roles and Tasks > Passwords > Password Policies.

  3. Start the Password Policy Wizard by clicking New.

  4. Provide a name for the policy and click Next.

  5. Select Yes to enable Universal Password.

  6. Complete the Password Policy Wizard.

IMPORTANT: If you assign a policy to a container that is the root of a partition, the assignment is inherited by all users in that partition, including users in subcontainers. To determine whether a container is a partition root, browse to the container and check whether a partition icon is displayed beside it.

If you assign a policy to a container that is not the root of a partition, the policy assignment is inherited only by users in that specific container. It is not inherited by users that are in subcontainers. If you want the policy to apply to all users below a container that is not a partition root, you must assign the policy to each subcontainer individually.
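The two inheritance rules above are easy to get wrong in a tree that mixes partition roots and plain containers: a policy on a non-root container silently stops one level down, and a policy on a partition root stops at the boundary of a child partition. The following is an added example, not code from the NetIQ documentation or from eDirectory itself; it models only the two container rules stated on this page (assignments made directly on a User object and the tree-wide default policy are not modelled), using a constructed tree with the page's Acme naming. `effective_policy` resolves which container assignment a user picks up, and `containers_to_assign` lists the containers you would have to assign a policy to so that every user below a given container gets it.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Container:
    """One container in the tree (constructed model, not eDirectory data)."""
    dn: str
    parent: Optional["Container"] = None
    is_partition_root: bool = False
    policy: Optional[str] = None            # password policy assigned directly, if any
    children: list = field(default_factory=list)

    def add(self, name, is_partition_root=False, policy=None):
        child = Container(f"{name}.{self.dn}", self, is_partition_root, policy)
        self.children.append(child)
        return child


def effective_policy(user_container: Container) -> Optional[str]:
    """Container-level assignment that applies to a user whose direct container
    is `user_container`, following the two rules on the page:
      1. an assignment on the user's own container always applies;
      2. otherwise an assignment on the root of the user's partition applies,
         which reaches subcontainers in that partition but not a child partition.
    Assignments on non-root containers further up are deliberately skipped."""
    if user_container.policy:
        return user_container.policy
    c = user_container
    while c is not None and not c.is_partition_root:
        c = c.parent                        # climb to the root of the user's partition
    return c.policy if c is not None else None


def containers_to_assign(top: Container) -> list:
    """Smallest set of containers that must receive a policy assignment so that
    every user at or below `top` gets it.  `top` always needs one; below it, a
    container needs its own assignment unless a partition root inside the
    subtree already carries the policy for its partition."""
    needed = []

    def walk(c, covered):
        # covered: a partition root at or above c, inside the subtree, is assigned
        if c is top or c.is_partition_root or not covered:
            needed.append(c.dn)
        for child in c.children:
            walk(child, covered or c.is_partition_root)

    walk(top, False)
    return needed


# Constructed sample tree (not from the page):
#   Acme (partition root, policy "Acme-Default")
#     USR          (plain container, policy "USR-Strict")
#       Contractors (plain container, no policy)
#     EMEA         (partition root, no policy)
#       Sales        (plain container, no policy)
acme = Container("Acme", is_partition_root=True, policy="Acme-Default")
usr = acme.add("USR", policy="USR-Strict")
contractors = usr.add("Contractors")
emea = acme.add("EMEA", is_partition_root=True)
sales = emea.add("Sales")

if __name__ == "__main__":
    for c in (usr, contractors, emea, sales):
        print(f"{c.dn:25} -> {effective_policy(c)}")
    print("to cover everything under USR, assign to:", containers_to_assign(usr))
    print("to cover everything under Acme, assign to:", containers_to_assign(acme))
```

Running it shows the pitfall: a user in `Contractors.USR.Acme` gets `Acme-Default` from the partition root, not the stricter `USR-Strict` of the container one level up, and users in the child partition `EMEA.Acme` get nothing from `Acme` at all. The `containers_to_assign` output is the list you would work through in iManager to close those gaps.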

26.3.6 Backward Compatibility

Universal Password is designed to supply backward compatibility to existing services. By default, passwords changed with this service can be synchronized to the simple and NDS passwords on the User object. You can choose which passwords you want to have synchronized by using the Password Management plug-in.

The exception is the use of international characters in passwords. Older clients translate non-ASCII characters differently, so the password value they send no longer matches the stored value. We recommend upgrading all Novell Client software so that international passwords work consistently across the whole system.
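Why only international characters are affected becomes obvious once you look at the bytes a client produces. The following is an added example, not code from the NetIQ documentation or from any Novell client; it does not claim which client generation used which code page, and the SHA-256 digest stands in for whatever a real credential store does. It shows that an ASCII-only password yields identical bytes under every common code page, that a password with `ä` and `ö` yields three different byte strings under UTF-8, cp1252 and cp850, and that a verifier which hashes raw wire bytes therefore rejects the legacy client. The fix it demonstrates is to decode with the client's declared code page and normalise (Unicode NFC, then UTF-8) before hashing, which also makes a decomposed form typed on another platform compare equal.

```python
import hashlib
import unicodedata


def canonical_bytes(password: str) -> bytes:
    """Canonical form that every component should hash: Unicode NFC, then UTF-8."""
    return unicodedata.normalize("NFC", password).encode("utf-8")


def store(password: str) -> str:
    """Digest of the canonical bytes (SHA-256 is for illustration only)."""
    return hashlib.sha256(canonical_bytes(password)).hexdigest()


def client_bytes(password: str, encoding: str) -> bytes:
    """Bytes a client that applies `encoding` would put on the wire.
    errors='strict': a character the code page lacks raises instead of being
    silently substituted, which would be a different mismatch."""
    return password.encode(encoding)


def verify_raw(stored: str, wire_bytes: bytes) -> bool:
    """Naive verifier: hash whatever bytes arrived and compare."""
    return hashlib.sha256(wire_bytes).hexdigest() == stored


def verify_decoded(stored: str, wire_bytes: bytes, client_encoding: str) -> bool:
    """Encoding-aware verifier: decode with the client's declared code page,
    canonicalise, then hash.  Undecodable input is simply a failed login."""
    try:
        text = wire_bytes.decode(client_encoding)
    except UnicodeDecodeError:
        return False
    return hashlib.sha256(canonical_bytes(text)).hexdigest() == stored


def encodings_that_match(password: str,
                         candidates=("utf-8", "cp1252", "cp850")) -> list:
    """Client code pages whose raw bytes happen to equal the canonical form."""
    stored = store(password)
    return [e for e in candidates if verify_raw(stored, client_bytes(password, e))]


if __name__ == "__main__":
    # Constructed sample passwords (not from the page).
    ascii_pw = "Tr0ub4dor!"
    intl_pw = "P\u00e4ssw\u00f6rd1"            # precomposed ä and ö
    decomposed_pw = "Pa\u0308sswo\u0308rd1"    # same text as a + combining diaeresis

    print("ASCII password matches under:", encodings_that_match(ascii_pw))
    print("international password matches under:", encodings_that_match(intl_pw))
    for enc in ("utf-8", "cp1252", "cp850"):
        print(f"{enc:7} {client_bytes(intl_pw, enc).hex()}")

    stored = store(intl_pw)
    legacy = client_bytes(intl_pw, "cp850")
    print("raw bytes from cp850 client accepted:", verify_raw(stored, legacy))
    print("decoded as cp850 accepted:", verify_decoded(stored, legacy, "cp850"))
    print("decomposed form accepted:", store(decomposed_pw) == stored)
```

The `encodings_that_match` result is the whole story of this section in one line: `['utf-8', 'cp1252', 'cp850']` for the ASCII password, `['utf-8']` for the one with umlauts. Note that the declared encoding has to be right; decoding the cp850 bytes as cp1252 produces different characters and still fails, which is why a client-side fix (upgrading the client) is the recommendation rather than guessing on the server.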

The Novell NetWare Storage Management Services (SMS) infrastructure is used for NetIQ and third-party backup and restore applications. The system passwords used by these NetIQ and third-party products cannot contain extended characters if they are to function in a mixed environment.

NOTE: Refer to TID 3065822 to see which applications and services are Universal Password-capable, as well as which applications and services are extended character-capable. Many applications and services can use extended characters without Universal Password.

26.3.7 Password Administration

You can use the following methods to administer Universal Password:

  • iManager (Recommended): Administering passwords by using NetIQ iManager automatically sets the Universal Password to be synchronized to simple and NDS password values for backward compatibility. The NMAS task in iManager does allow for granular management of individual passwords and authentication methods that are installed and configured in the system.

    In iManager using the Password Management plug-in, you can use password policies to specify how Universal Password is synchronized with NDS, simple, and distribution passwords. In addition, an iManager task is provided that lets an Administrator set a user's Universal Password.

  • Third-party Applications: Third-party applications that are written to NetIQ Cross-Platform Libraries and that perform password management also set the Universal Password and synchronize other passwords if the newer libraries are installed on the Novell Client for Windows.

26.3.8 Issues to Watch For

  • When you disable a user’s NDS password, the NDS password is set to an arbitrary value that is unknown to the user. The following list describes how some login methods handle this change:

    • The simple password method is not disabled if the NDS password is disabled. The simple password method uses the Universal Password if it is enabled and available. Otherwise, it uses the simple password. If Universal Password is enabled but not set, then the simple password method sets the Universal Password with the simple password.

    • The enhanced password method is not disabled when the NDS password is disabled. The enhanced password does not use the Universal Password for login.

    • The NDS password method (Universal Password) is not disabled when the NDS password is disabled. The NDS password method uses the Universal Password if it is enabled and available. Otherwise, it uses the NDS password. If the Universal Password is enabled but not set, then the NDS Password method sets the Universal Password with the NDS password.

  • If an administrator changes a user's Universal Password, such as when creating a new user or in response to a help desk call, for security reasons the password is automatically expired if you have enabled the setting to expire passwords in the password policy. This is the Number of days before password expires (0-365) setting in the password policy under Advanced Password Rules. For this particular feature, the number of days is not important, but the setting must be enabled.

    NOTE: To override this behavior, select the Do not expire the user’s password when the administrator sets the password option in the password policy.

  • If you create a password policy and enable Universal Password and enable Advanced Password Rules, the Advanced Password Rules are enforced instead of any existing password settings for NDS password. The legacy password settings are ignored. No merging or copying of previous settings is done automatically when you create password policies.

    For example, if you had a setting for the number of grace logins that you were using with the NDS password, when you enable Universal Password you need to re-create the grace logins setting in the Advanced Password Rules in the password policy.

    NMAS replaces the NDS password settings on the User object with the corresponding password policy settings. For example, if the number of grace logins on the User object is 4 and the password policy specifies 5, the User object's grace login count changes to 5 the next time the user logs in or changes the password.