This section provides information on setting up and managing Password Self-Service.
You can reduce help desk costs by setting up self-service so users can recover from forgotten passwords or reset their passwords while viewing the rules you have specified in the password policy.
You manage the policy for Password Self-Service by using one of the following:
iManager
Most of this chapter describes how to manage password self-service using iManager.
Identity Manager User Application
For information on managing password self-service with the Identity Manager User Application, see “Using the Identity Self-Service Tab” in the NetIQ Identity Manager Roles Based Provisioning Module 4.5 User Application User Guide.
Users access the Password Self-Service features by using one of the following:
Identity Manager User Application portlet
For information on using password self-service with Identity Manager User Application, see “Using the Identity Self-Service Tab” in the NetIQ Identity Manager Roles Based Provisioning Module 4.5 User Application User Guide.
Novell Client
For information on using password self-service with the Novell Client, see “Using Forgotten Password Self-Service” in the Novell Client for Windows Administration Guide.
Although you can use some Password Self-Service features without deploying Universal Password, we recommend that you prepare your environment and turn on Universal Password so you can use all the features of password policies.
The Novell Client also takes advantage of Password Self-Service features. See “Using Forgotten Password Self-Service” in the Novell Client for Windows Administration Guide.
The following sections describe how to manage forgotten passwords using iManager.
For information on managing forgotten passwords by using the Identity Manager User Application, see Password Management Configuration in the NetIQ Identity Manager 4.5 Password Management Guide.
To enable users to recover from a forgotten password without contacting the help desk, enable the Forgotten Password feature. As the following figure illustrates, you encounter this option while using the Password Policy Wizard to create a password policy. For more information on the Password Policy Wizard, see “To create a challenge set while using the Password Policy Wizard”.
Figure 26-6 Enable Forgotten Password
You can also enable Forgotten Password on an existing password policy:
In iManager, click> .
Click the name of the policy.
Select, select or create a challenge set, specify an action, select the option, then click .
A challenge set is a set of questions that a user answers to prove his or her identity, instead of using a password. The challenge set is assigned to a password policy and is used as part of a password policy's method of authentication. Users’ answers to these challenge questions are case insensitive.
You can use challenge sets as part of providing Forgotten Password self-service for users. Requiring a user to answer challenge questions before receiving forgotten password help provides an additional level of security.
When you create a password policy, you can enable Forgotten Password self-service so that users can get help without calling the help desk. To make self-service more secure, you can create a challenge set and specify that users must answer the challenge set questions before obtaining forgotten password help. You also specify what action takes place to help users after they answer the questions, such as displaying a password hint to the user. These self-service features are available to users through iManager. Your choices are explained in Selecting a Forgotten Password Action.
In iManager, click> .
Type a name in the field, select a container for the challenge set to be created in, then select or create challenge questions.
To select a default question in the challenge set, select its check box.
To edit a question or the number of characters (minimum or maximum) allowed for responses, click the question.
To create a question and add it to the challenge set, click .
User Defined: If you select this option, users can create their own challenge question.
NMAS stores a user's user-defined questions and responses in eDirectory.
Required Questions: Questions in this list always appear when a user uses Password Self-Service.
Random Questions: Questions in this list appear only once as a complete set, when the user sets up Forgotten Password by answering the challenge set questions for the first time. When the user later needs to use Forgotten Password, only a few of the questions are presented for the user to answer. The number of random questions that appear depends on the number that you specify.
In iManager, launch the Wizard by clicking> > .
In Step 4, click to enable Forgotten Password.
In Step 5, select Require a Challenge Set and then click New challenge set.
To use an existing challenge set, browse for and select it.
Specify the container you want the challenge set created in. Type a name in the field, then click .
Select or create required or random challenge questions.
If you don't want to create new questions, select existing ones.
To enable users to add their own questions, select.
To create a new question:
Select, click , specify a language from the drop-down menu, type the question, then click .
Select whether the question is required or random.
Specify the minimum and maximum characters required, then click .
Specify the number of random questions, then click .
Complete the remaining steps in the Password Policy Wizard.
In iManager, click> .
Click the name of a policy.
Browse for and select an existing challenge set or create a new one and then select the new one.
To create a new one:
In the Challenge Sets dialog box, click.
In the Challenge Sets dialog box, name the challenge set, specify a container to create the challenge set in, select or add required or random questions, then specify the number of random questions to ask.
In iManager, click> .
Click the name of the policy.
Select an action.
Allow User to Reset Password: After answering the challenge set questions to prove his or her identity, the user is allowed to change to a new password. Because the user has authenticated through answering the challenge questions, the user is allowed to change the password without being required to provide the old password. To use this option, you must require a challenge set, and the user must have previously set up Forgotten Password in the iManager portal by answering the challenge set questions.
E-mail Current Password to User: After answering the challenge set questions to prove his or her identity, the user receives the current password in an e-mail. Be aware that this discloses the cleartext password to the mail system and to anyone who can read the user's mailbox; Allow User to Reset Password avoids revealing the password at all. To use this option, you must do the following:
Enable Universal Password for the policy. It is found in under .
Enable the option, found in under .
Set up e-mail notification as described in Configuring E-Mail Notification for Password Self-Service.
Also, the user must have previously set up Forgotten Password in iManager by answering the challenge set questions.
E-mail Hint to User: The user receives the password hint in an e-mail. To use this option, you must set up e-mail notification as described in Configuring E-Mail Notification for Password Self-Service.
Also, the user must have previously set up Forgotten Password in iManager by providing a password hint.
Show Hint on Page: The user is shown the password hint in the iManager portal. To use this option, the user must have previously set up Forgotten Password in iManager by providing a password hint.
If you specify a Forgotten Password action that requires password hint, the user can enter a hint that is a reminder of the password.
The Password Hint attribute (nsimHint) is publicly readable, to allow unauthenticated users who have forgotten a password to access their own hints. Because the attribute is readable by anyone who can query the directory, not only by the user it belongs to, treat a hint as public information. Password hints can significantly reduce help desk calls.
For security, password hints are checked to make sure they do not contain the user's actual password. However, a user could still create a password hint that gives too much information about the password.
To increase security when using password hints:
Allow access to the nsimHint attribute only on the nds-cluster-config server used for Password Self-Service.
Remind users to create password hints that only they would understand. The Password Change Message in the password policy is one way to do that. See Adding a Password Change Message.
The Secure Hint attribute (nsimPasswordReminder) is more secure because it is not publicly readable. It requires the user to answer challenge questions before the hint is displayed.
The challenge/response requirement is set in the Forgotten Password section of the Password Policy properties.
If you decide not to use password hints, make sure that none of your password policies specifies a hint-based Forgotten Password action.
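The text above notes that hints are screened only for containing the actual password, and that a user can still write a hint that gives too much away. The following added example (this is not NMAS code) shows the documented check beside two stricter heuristics of this example's own devising: rejecting a hint that shares a run of four or more characters with the password, and rejecting a hint whose overall similarity to the password is high. The thresholds and the sample password and hints are constructed for illustration.

```python
"""Password-hint screening: the documented check and two stricter, assumed heuristics (added example)."""
from difflib import SequenceMatcher


def contains_password(hint: str, password: str) -> bool:
    """The check the page describes: the hint must not contain the password itself."""
    return password.casefold() in hint.casefold()


def longest_common_run(a: str, b: str) -> int:
    """Length of the longest substring the two strings share, compared case-insensitively."""
    a, b = a.casefold(), b.casefold()
    return SequenceMatcher(None, a, b).find_longest_match(0, len(a), 0, len(b)).size


def similarity(a: str, b: str) -> float:
    """0.0 (nothing in common) to 1.0 (identical), case-insensitive."""
    return SequenceMatcher(None, a.casefold(), b.casefold()).ratio()


def screen_hint(hint: str, password: str, max_run: int = 4, max_ratio: float = 0.6) -> tuple[bool, str]:
    """Return (accepted, reason). Rejects the hint if it leaks the password or a large part of it."""
    if not hint.strip():
        return False, "empty hint"
    if contains_password(hint, password):
        return False, "hint contains the password"            # the documented check
    run = longest_common_run(hint, password)
    if run >= max_run:
        return False, f"hint shares a {run}-character run with the password"
    ratio = similarity(hint, password)
    if ratio > max_ratio:
        return False, f"hint is {ratio:.2f} similar to the password"
    return True, "ok"


# Constructed sample data for illustration only.
SAMPLE_PASSWORD = "Tr0ub4dor&3"
SAMPLE_HINTS = {
    "Tr0ub4dor&3 lol": "caught by the documented check",
    "Tr0ub4dor&": "passes the documented check but leaks all but one character",
    "the pet name, capitalised": "a hint only the user would understand",
    "my usual troubadour word": "passes every mechanical check yet tells a colleague a lot",
}


def screen_samples() -> dict[str, tuple[bool, str]]:
    return {hint: screen_hint(hint, SAMPLE_PASSWORD) for hint in SAMPLE_HINTS}
```

The last sample hint is the point of the caveat in the text: a hint can be semantically revealing without sharing any characters with the password, so no mechanical filter replaces reminding users (for example through the Password Change Message) to write hints that only they would understand.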
Clicking the Forgotten Password link when logging in to the portal (https://www.servername.com/nps by default) does not work for the user unless the following conditions are met:
The administrator has set up a password policy with Forgotten Password enabled.
The user has set up challenge questions or a password hint, if either of them is specified in the Forgotten Password setting.
For some Forgotten Password actions, the user must do some setup before using the Forgotten Password self-service. For example, if the password policy specifies that a challenge set is used to allow a user to prove identity, and if the forgotten password action is to e-mail a password hint to the user, the user must first answer challenge-set questions and create a password hint before being able to use Forgotten Password Self-Service.
Users can initiate setting up these features in the portal, or you can require that users set them up by using post-authentication services, which are pages displayed when users log in to the portal.
To prompt users to set up these features at login time, select the option in the Password Policies interface at the bottom of the Forgotten Password page. This is selected by default when you create a policy.
Figure 26-7 Password Policy
To let users set up Forgotten Password at a time of their choice, you need to give them the URL for the portal, such as https://www.my_iManager_server.com/nps.
There are two ways the user's part of the configuration can be accomplished:
The administrator can require the user to set up Forgotten Password features after a successful login by selecting the option to force the user to configure challenge questions or a hint upon authentication. If this option is selected, but a user does not have questions or a hint set up, Forgotten Password configuration gadgets are displayed to the user the next time he or she logs in through the portal (https://www.servername.com/nps by default). This is called post-authentication setup.
When users log in through the iManager portal, iManager gives them access to the gadgets for setting up or changing challenge sets and password hints for Forgotten Password Self-Service. This is the same place where users can initiate a password change. They can access the following gadgets here:
Answer Challenge Questions
Change Password (Universal)
The user can initiate changing these at any time. But if a hint or challenge set is not required for the user's password policy, the user cannot set them up. The page displays a message indicating that the options are not accessible.
To see specific examples of how these user options look in each application (iManager 2.0.2, User Application portlet, and Novell Client), refer to the documentation for each application as outlined in Overview of Password Self-Service.
If you create or change a password policy, you can require users to change existing passwords that don't comply the next time they log in through the portal.
To do this, set an option in the password policy by using the tab under . The option is called . By default, this option is turned off when you create a new password policy. The following figure illustrates the page where you set this option:
Figure 26-8 Requiring Existing Passwords to Comply
If this option is set, the next time users log in through the portal, their passwords are checked for compliance with the password policy. If the password does not comply, a page similar to the following is displayed, and the user is not allowed to log in without changing the password.
Figure 26-9 Change Password
After you have installed the iManager plug-ins that shipped with Identity Manager, the Forgotten Password link shows up in the iManager portal (https://www.servername.com/nps by default), as illustrated in the following figure.
Figure 26-10 Forgotten Password in iManager
A similar link is displayed when authenticating through the Novell Client.
If a user clicks this link, the following page is displayed, asking for the user name:
Figure 26-11 Forgotten Password in Virtual Office and Novell Client
After the user name is entered, the Forgotten Password settings determine what the user sees.
For example, if the administrator specified in the password policy that a challenge set is used, a page similar to the following is displayed. The user must then answer challenge set questions to prove his or her identity.
Figure 26-12 Forgotten Password Challenge Questions
If the Administrator specified that the Forgotten Password action is, a page similar to the following is displayed:
Figure 26-13 Forgotten Password Hint
If the Administrator specified that the Forgotten Password action is or , a message is displayed saying that the password or hint has been e-mailed.
You can set up the password policy to allow users to reset their own passwords. How this is exposed to the user depends on which application they use to accomplish this task. See Overview of Password Self-Service for documentation links to the different applications.
Although users can change their passwords whenever they choose to, they typically use the same passwords as long as possible. To increase security, you can use a password policy to require them to change it. That policy can contain a Password Change Message and the password rules. Whenever users change a password, they see this message along with the rules.
To edit the password policy and create this message:
In iManager, click> .
Click the name of the password policy you want to add a message to.
Type the message you want users to see, then click.
The iManager role named Notification Configuration lets you specify the e-mail server and customize the templates for e-mail notifications.
E-mail templates are provided to allow Password Synchronization and Password Self-Service to send automated e-mails to users.
You don't create the templates. Instead, they are provided by the application that uses them. The e-mail templates are Template objects in eDirectory, and they are placed in the Security container, usually found at the root of your tree. Although they are eDirectory objects, you should edit them only through the iManager interface.
This is a modular framework. As new applications are added that use e-mail templates, the templates can be installed along with the applications that use them.
Identity Manager provides templates for Password Synchronization and Forgotten Password notifications. You control whether e-mail messages are sent, based on your choices in the iManager interface.
For Forgotten Password, e-mail notifications are sent only if you choose to use one of the Forgotten Password actions that causes an e-mail to be sent: e-mail password to user or e-mail password hint to user.
Make sure that your eDirectory users have the Internet EMail Address attribute populated.
In iManager, click> .
Specify the following information:
Name you want to appear in the From field of the e-mail message, such as “Administrator”
User name and password for authenticating to the server, if necessary
Customize the e-mail templates as described in Setting Up E-Mail Templates for Notification.
After the e-mail server is set up, e-mail messages can be sent by the applications that use them, if you are using the features that cause messages to be sent.
You can customize these templates with your own text. The name of the template indicates what it is used for. Email templates offer language support.
In iManager, click> . A list of templates appears.
Edit the templates as desired.
Keep in mind that if you want to add any replacement tags, some additional tasks might be required.
To verify that the features are set up correctly, complete the following as part of testing Password Self-Service:
Create a policy with the following characteristics. For information on how to accomplish this, see Creating or Editing Challenge Sets.
Enable Forgotten Password
Require Challenge Set
Select the option to verify that the challenge response and hint are configured on login
Assign the password policy to a container with at least one user you can use to test with. Make sure this user has an e-mail address populated in the Internet EMail Address attribute of the User object, because the e-mail actions send to that address.
Make sure you have another user to test with who does not have a password policy assigned.
To test password self-service, use the Identity Manager User Application. For information on how to do this, see “Using the Identity Self-Service Tab” in the NetIQ Identity Manager Roles Based Provisioning Module 4.5 User Application User Guide.
For Windows users, test password self-service using the Novell Client. For information on how to do this, see “Using Forgotten Password Self-Service” in the Novell Client for Windows Administration Guide.
Most of the procedures in the Password Self-Service section assume that you are using the Password Self-Service features on an iManager 2.0.2 server, which is the last version of iManager to support password self-service. If you have a version of iManager later than 2.0.2, you can only perform password self-service through NetIQ’s User Application. For more information on performing password self-service using NetIQ’s User Application, see “Using the Identity Self-Service Tab” in the NetIQ Identity Manager Roles Based Provisioning Module 4.5 User Application User Guide.
Refer to the following table for instructions on how Password Self-Service features can be used with portal products, including products other than iManager.
When users log in to the iManager portal at https://iManager_server_IP_address/nps, they are prompted to take action through a series of post-authentication pages if conditions such as the following are true:
The user password doesn't comply with Advanced Password Rules in the password policy
The password policy requires Challenge Questions when using Forgotten Password Self-Service and the user has not configured these questions
The password policy is using Forgotten Password with Display Password Hint as the action and the user has not created a hint
For example, these prompts are necessary to make sure that the user can use Forgotten Password Self-Service. If the password policy requires users to answer Challenge Questions and the user has never configured them initially, the user can't access Forgotten Password Self-Service. If the user has not created a password hint, the user can't retrieve it to help in remembering the password.
Because other portal products won't automatically provide the post-authentication features, you need to make sure that users log in to the iManager portal at least once to create compliant passwords and complete password management setup, and then again whenever you make changes to Password Policies.
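The prerequisites for each Forgotten Password action (Selecting a Forgotten Password Action), the conditions under which the Forgotten Password link works (Prerequisites for Using Forgotten Password Self-Service), and the post-authentication prompts listed above are scattered across this chapter. The following added example (this is not NetIQ code) pulls them into one readiness check an administrator can run against a policy and a user's state before testing. All field and function names are this example's own; in particular `password_retrievable` stands in for the Universal Password option the text refers to without naming it (the one that lets the current password be read back for the e-mail action).

```python
"""Readiness checks for Forgotten Password self-service (added example, field names assumed)."""
from dataclasses import dataclass
from enum import Enum


class Action(Enum):
    RESET = "Allow User to Reset Password"
    EMAIL_PASSWORD = "E-mail Current Password to User"
    EMAIL_HINT = "E-mail Hint to User"
    SHOW_HINT = "Show Hint on Page"


HINT_ACTIONS = {Action.EMAIL_HINT, Action.SHOW_HINT}
EMAIL_ACTIONS = {Action.EMAIL_PASSWORD, Action.EMAIL_HINT}


@dataclass
class Policy:
    forgotten_password: bool           # Forgotten Password enabled in the policy
    action: Action
    require_challenge_set: bool
    universal_password: bool
    password_retrievable: bool         # Universal Password option permitting read-back (name assumed)
    email_configured: bool             # Notification Configuration completed
    verify_setup_on_login: bool        # prompt for challenge answers / hint after login
    require_compliance_on_login: bool  # existing passwords must comply at next login


@dataclass
class UserState:
    has_challenge_answers: bool
    has_hint: bool
    password_complies: bool
    has_email: bool                    # Internet EMail Address attribute populated


def policy_problems(p: Policy) -> list[str]:
    """Administrator-side misconfigurations that make the action unusable for every user."""
    if not p.forgotten_password:
        return ["Forgotten Password is not enabled in the policy"]
    problems = []
    if p.action in (Action.RESET, Action.EMAIL_PASSWORD) and not p.require_challenge_set:
        problems.append(f"{p.action.value} requires a challenge set")
    if p.action is Action.EMAIL_PASSWORD:
        if not p.universal_password:
            problems.append("E-mail Current Password requires Universal Password")
        if not p.password_retrievable:
            problems.append("E-mail Current Password requires the Universal Password option that permits retrieval")
    if p.action in EMAIL_ACTIONS and not p.email_configured:
        problems.append(f"{p.action.value} requires e-mail notification to be configured")
    return problems


def post_auth_prompts(p: Policy, u: UserState) -> list[str]:
    """Setup pages the user should be shown after a successful portal login."""
    prompts = []
    if p.require_compliance_on_login and not u.password_complies:
        prompts.append("change password to comply with the policy")
    if p.forgotten_password and p.verify_setup_on_login:
        if p.require_challenge_set and not u.has_challenge_answers:
            prompts.append("answer challenge questions")
        if p.action in HINT_ACTIONS and not u.has_hint:
            prompts.append("set a password hint")
    return prompts


def can_use_forgotten_password(p: Policy, u: UserState) -> tuple[bool, str]:
    """Whether the Forgotten Password link would work for this user right now."""
    problems = policy_problems(p)
    if problems:
        return False, "; ".join(problems)
    if p.require_challenge_set and not u.has_challenge_answers:
        return False, "user has not answered the challenge set"
    if p.action in HINT_ACTIONS and not u.has_hint:
        return False, "user has not set a password hint"
    if p.action in EMAIL_ACTIONS and not u.has_email:
        return False, "user has no Internet EMail Address"
    return True, "ok"
```

Running `post_auth_prompts` for a test user before and after the first portal login mirrors the testing procedure earlier in the chapter: a user who has never logged in through the iManager portal should still show outstanding prompts, and `can_use_forgotten_password` should only turn true once those prompts have been completed.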
To use Challenge Response questions, make sure that you are using a browser that iManager 2.0.2 supports.
If you don't have SSL set up properly, you won't be able to log in to iManager or the portal. If you can log in successfully to iManager and you are requiring TLS for Simple Bind, SSL is set up properly and you can rule out SSL-related issues when troubleshooting Password Self-Service.