26.5 Managing Passwords by Using Password Policies

You can use password policies to increase security by setting rules for how users create their passwords. You can also decrease help desk costs by providing users with self-service options for forgotten passwords and for resetting passwords.

The following is discussed in this section:

For information on Forgotten Password Self-Service and Reset Password Self-Service, see Password Self-Service.

26.5.1 Overview of Password Policy Features

A password policy is a collection of administrator-defined rules that specify the criteria for creating and replacing end-user passwords. NMAS enables you to enforce password policies that you assign to users in eDirectory.

Password policies can also include Forgotten Password Self-Service features, to reduce help desk calls for forgotten passwords. Another self-service feature is Reset Password Self-Service, which lets users change their passwords while viewing the rules the administrator has specified in the password policy. Users access these features through the Identity Manager User Application or iManager self-service console.

Using a password policy requires you to enable Universal Password for your users if you want to use advanced password rules, password synchronization, and many of the Forgotten Password features. For information on deploying Universal Password, see Deploying Universal Password.

You create password policies by using the Password Policy Wizard. In iManager, click Passwords > Password Policies > New. For more information on creating password policies, see Creating Password Policies.

26.5.2 Planning for Password Policies

Planning How to Assign Password Policies in the Tree

We recommend that you assign a default policy to the whole tree and assign any other policies you use as high up in the tree as possible, to simplify administration.

NMAS determines which password policy is in effect for a user. See Assigning Password Policies to Users for more information.

Planning the Rules for Your Password Policies

You can use the Advanced Password Rules in a password policy to enforce your business policies for passwords.

Keep in mind that the Novell Client (4.9.1), Identity Manager User Application, and the iManager self-service console display the password rules from the password policy. If your users will be changing their passwords through the LDAP server or on a connected system, you need to make the password rules readily available to users to help them be successful in creating a compliant password.

If you are using Identity Manager Password Synchronization, make sure that the users who are assigned password policies are the same users you want to participate in Password Synchronization for connected systems. Password policies are assigned from a tree-centric perspective, whereas Password Synchronization is set up per driver, on a per-server basis. To get the results you expect from Password Synchronization, make sure the users in a read/write or master replica on the server running the Password Synchronization drivers match the containers where you have assigned password policies with Universal Password enabled. Assigning a password policy to a partition root container ensures that all users in that container and its subcontainers are assigned the policy.

Advanced Password Rules

Advanced Password Rules let you define the following criteria for the Universal Password:

  • The lifetime of a password: Password policies provide the same policy features eDirectory has offered in the past, so you can specify how often a password must be changed and whether it can be reused.

  • What a password contains: You can require a combination of letters, numbers, uppercase or lowercase letters, and special characters. You can exclude passwords that you don’t feel are secure, such as your company name. You can also require a certain number of characters in a password be “new,” unused in previous passwords, and configure the number of password policy violations allowed in a specified password.

To use Advanced Password Rules in a password policy, you must enable Universal Password. If you don't enable Universal Password for a policy, the password restrictions set for the NDS® password are enforced instead.

NOTE: When you create a password policy and enable Universal Password, the Advanced Password Rules are enforced, instead of any existing password settings for NDS Password. The legacy password settings are ignored. No merging or copying of previous settings is done automatically when you create password policies.

For example, if you have a setting for the number of grace logins that you use with the NDS Password, when you enable Universal Password you need to re-create the grace logins setting in the Advanced Password Rules in the password policy.

If you later disable Universal Password in the password policy, the existing NDS password settings are no longer ignored; they are enforced for the NDS password again.

NMAS 3.1 and later replaces the NDS password setting on the user object with corresponding password policy settings. For example, if the number of grace logins for the user object is 4, and it is 5 for the password policy, when the user logs in or changes the password, the number of grace logins for the user object changes to 5.

Enforcing Policies

When you assign a password policy to users in the tree, any password changes going forward must comply with the Advanced Password Rules in that policy. In Novell Client 4.9 SP2 or later, the rules are also displayed. In both methods of access, a noncompliant password is rejected. NMAS is the application that enforces these rules.

You can specify in the policy that existing passwords are checked for compliance and users are required to change existing noncompliant passwords. A password is marked as expired when the check for compliance option is enabled and the password does not satisfy the password policy rules.

You can also specify that when users authenticate through a portal, they are prompted to set up any Forgotten Password features you have enabled. This is called post-authentication services. For example, if you want users to create a Password Hint that can be e-mailed to them when they forget a password, you can use post-authentication services to prompt users to create a Password Hint at login time.

The post-authentication setting is the last option on the Forgotten Password property page.

Planning Login and Change Password Methods for your Users

There are several different ways a user can log in or change a password. For more information about upgrading to support Universal Password, see Deploying Universal Password.

This section explains the additional requirements for supporting Universal Password in each case:

Novell Client

If you are using the Novell Client, upgrade it to version 4.9 SP2 or later.

Keep in mind that using the Novell Client is not required, because users can log in through the iManager self-service console or other company portals depending on your environment. Also, the Novell Client is no longer required for Password Synchronization on Active Directory.

The following table describes the differences between Novell Client versions in regard to Universal Password and gives suggestions for handling legacy Novell Clients.

Table 26-1 Universal Password with legacy Novell Clients

Novell Client Version: Earlier than 4.9

  Login: Does not go through NMAS, so it does not support Universal Password. Instead, it logs in directly using the NDS password.

  Change Password: Changes the NDS Password directly, instead of going through NMAS.

  If you are using Universal Password, this can mean that the NDS password and the Universal Password are not kept synchronized. To prevent this, you have three options:

    • Upgrade all the clients to version 4.9 or later.

    • Block legacy clients from changing passwords by using an attribute value on a container. With this solution, legacy clients can still log in, but they cannot change the password. Password changes must be done using a later Novell Client or iManager.

    • Use the password policy setting for Remove the NDS Password when Setting Universal Password. This is a drastic measure, because it prevents both login and password change through the NDS password.

Novell Client Version: 4.9

  Login: Supports Universal Password.

  Change Password: Enforces password policy rules for Universal Password. If a user tries to create a password that is not compliant, the password change is rejected. However, the list of rules is not displayed to the user.

Novell Client Version: 4.9 SP2 or later

  Login: Supports Universal Password.

  Change Password: Enforces password policy rules for Universal Password. In addition, it displays the rules to the users to help them create compliant passwords.

Identity Manager User Application and iManager

Identity Manager User Application and iManager provide Password Self-Service, so users can reset passwords and set up Forgotten Password Self-Service if the password policy provides it. For information about configuring Password Self-Service, see Password Self-Service.

  • We recommend that in your password policies you accept the default setting of Synchronize NDS password when setting Universal Password.

Other Protocols

Make sure that eDirectory, LDAP server, NMAS, and iManager are upgraded to support Universal Password.

For information about using AFP, CIFS, and other protocols with Universal Password, see Deploying Universal Password.

Connected Systems

If you are using Identity Manager Password Synchronization, make sure the following requirements are met so that user password changes are successful:

  • Any Identity Manager drivers for the system have been upgraded to Identity Manager format.

  • The Identity Manager driver configuration includes the new Password Synchronization policies.

  • The Password Synchronization settings should specify that Universal Password is to be used, as well as the Distribution Password if bidirectional Password Synchronization is desired.

  • Password filters have been deployed on the connected system to capture passwords, if necessary.

For more information, see “Connected System Support for Password Synchronization” in the NetIQ Identity Manager 4.5 Password Management Guide.

26.5.3 Prerequisite Tasks for Using Password Policies

If you want to take advantage of all the features of password policies, you need to complete some steps to prepare your environment.

  1. Upgrade your environment to support Universal Password.

    For more information, see Deploying Universal Password.

  2. Upgrade your client environment to support Universal Password.

    See Planning Login and Change Password Methods for your Users and Deploying Universal Password.

  3. If you have not run the iManager Configuration Wizard previously when you set up iManager, either as part of the iManager install or post-installation, you must run it. For information on how to run the iManager Configuration Wizard, see the “Role-Based Services” section in the NetIQ iManager Administration Guide.

    IMPORTANT: After you run the iManager Configuration Wizard, iManager runs in RBS mode. This means that administrators do not see any tasks unless they have assigned themselves to specific roles. Make sure you assign administrators to roles to give them access to all the iManager tasks.

  4. Install the NetIQ iManager Password Management plug-in.

    This is available for download at the Software License and Download portal.

    IMPORTANT: If you upgrade to the latest version of the NetIQ iManager Password Management plug-in without first upgrading eDirectory and then try to modify or create a password policy, iManager displays an error.

  5. Configure SSL between the iManager Web server and eDirectory, even if they are running on the same computer.

  6. Configure the LDAP Group-Server object in eDirectory to require TLS for simple bind.

    This is the default setting when you configure iManager. Requiring TLS for simple bind is strongly recommended for Password Self-Service functionality, and is required for using the iManager task Passwords > Set Universal Password.

    If you are requiring TLS for simple bind, no additional configuration is needed for the LDAP SSL port.

    IMPORTANT: If you choose not to require TLS for simple bind, this means that users are allowed to log in to the iManager self-service console by using a clear-text password.

    You can use this option, but another step is required.

    By default, the Password Self-Service functionality assumes that the LDAP SSL port is the one specified in the System.DirectoryAddress setting in the PortalServlet.properties file. If your LDAP SSL port is different, you must indicate the correct port by adding the following key pair to the PortalServlet.properties file:

    LDAPSSLPort=your_port_number

    For example, if you are running Tomcat, you would add this key pair in the PortalServlet.properties file in the tomcat\webapps\nps\WEB_INF directory.

  7. To enable e-mail notification for Forgotten Password features, complete the steps in Configuring E-Mail Notification for Password Self-Service.

    You must set up the SMTP server and customize the e-mail templates.

You are now ready to use all the features of password policies. Create policies as described in Creating Password Policies.

26.5.4 Creating Password Policies

Use the Password Policy Wizard in iManager to create new password policies.

See the online help for information about each step in the wizard, as well as the information in Managing Passwords by Using Password Policies and in Password Self-Service.

  1. Make sure you have completed the steps in Prerequisite Tasks for Using Password Policies.

    These steps prepare you to use all the features of password policies.

  2. In iManager, in the Roles and Tasks view, click Passwords > Password Policies.

  3. Click New to create a new password policy.

  4. Follow the steps in the wizard to create Advanced Password Rules, Universal Password Configuration Options, and Forgotten Password selections for the policy.

  5. Assign the password policy to individuals, organizations, or your entire company, as necessary.

  6. Review the settings for the new policy and click Finish, then click Close to close the wizard.

Advanced Password Rules

Figure 26-1 shows the first section of the advanced password rules:

Figure 26-1 Advanced Password Rules

Password Syntax

You can specify one of three password syntax options to use for a password policy:

  • Use Microsoft complexity policy

  • Use Microsoft Server 2008 Password Policy

  • Use Novell syntax

WARNING: iManager allows you to create a policy using the Microsoft Server 2008 Password Policy type, regardless of the version of NMAS installed on your server. However, you must have NMAS 3.3.4 or later installed to use this option. If you have a previous version of NMAS installed, the new password policy does not function properly.

  • Use Microsoft complexity policy

    This setting allows you to use the Microsoft Complexity Policy requirements. Use this option if you must synchronize passwords between eDirectory and Microsoft Active Directory.

    If you select this option for a policy, all users to which the policy is assigned must create passwords that meet the criteria of the Microsoft Complexity Policy as implemented in Universal Password. The criteria include:

    • Minimum password length is 6 characters.

    • Maximum password length is 128 characters.

    • The password must contain at least one character from three of the four types of character, uppercase, lowercase, numeric, and special:

      • Uppercase characters - all uppercase characters in the Basic Latin and the Latin-1 character sets.

      • Lowercase characters - all lowercase characters in the Basic Latin and the Latin-1 character sets.

      • Numeric characters - 0, 1, 2, 3, 4, 5, 6, 7, 8, and 9.

      • Special characters - all other characters.

    • The values of the following user attributes cannot be contained in the password: CN, Given Name, Surname, Full Name, and displayName.

    • The password cannot contain the full value of the CN user attribute for the eDirectory account. NMAS does not perform this check if the length of the attribute is less than three characters.

  • Use Microsoft Server 2008 Password Policy

    This setting allows you to use the Microsoft Windows Server 2008 password policy complexity requirements. Use this option if you must synchronize passwords between eDirectory and Microsoft Active Directory.

    If you select this option for a policy, all users to which the policy is assigned must create passwords that meet the criteria of the Microsoft Windows Server 2008 Complexity Policy as implemented in Universal Password. If you select this option, several options on the Advanced Password Rules page are set to meet the criteria of the Complexity Policy. The criteria include:

    • Minimum password length is 7 characters, by default. You can configure the minimum password length in your environment using the Minimum number of characters in password (1-512) option. For more information about configuring the minimum number of characters, see Password Length.

    • Maximum password length is 512 characters.

    • The password must contain at least one character from three of the five types of character, uppercase, lowercase, numeric, non-alphanumeric characters, and other characters:

      • Uppercase characters - all uppercase European-language characters, with diacritical marks, as well as Greek and Cyrillic characters.

      • Lowercase characters - all lowercase European-language characters, with diacritical marks, as well as Greek and Cyrillic characters.

      • Numeric characters - 0, 1, 2, 3, 4, 5, 6, 7, 8, and 9.

      • Non-alphanumeric characters - any of the following special characters: ( ) ` ~ ! @ # $ % ^ & * - + = | \ { } [ ] : ; " ' < > , . ? / _.

      • Other characters - any Unicode character that is categorized as an alphabetic character but is not uppercase or lowercase. This includes Unicode characters from Asian languages.

    • The password cannot contain any word from the list of excluded passwords. NMAS does not perform this check if the length of the excluded password is less than three characters. For more information about excluding passwords, see Password Exclusions.

    • The password cannot contain the full value of the CN attribute, or the full value or any part of the value of the Full Name attribute for the account, if the attribute contains at least three characters and is a single word. A part of the attribute value is defined as three or more consecutive characters delimited on both ends by any of the following characters: commas, periods, dashes, hyphens, underscores, spaces, pound signs, or tabs.

      NOTE: While using the Microsoft 2008 Password Policy, the CN and the displayName attributes are considered to be similar to the samAccountName and the displayName rule in AD.

    • The maximum number of complexity policy violations allowed in a password is 2 by default. You can configure the number of complexity violations allowed using the Maximum number of complexity policy violations in password (0-5) option. For more information about configuring the maximum violations allowed, see Password Complexity Violations.

  • Use Novell syntax

    This allows you to use the Novell syntax for the password policy. This option is selected by default. Standard settings for policies using Novell syntax include:

    • Minimum password length is 4 characters, by default. You can configure the minimum password length in your environment using the Minimum number of characters in password (1-512) option. For more information about configuring the minimum number of characters, see Password Length.

    • Maximum password length is 12 characters, by default. You can configure the maximum password length in your environment using the Maximum number of characters in password (1-512) option. For more information about configuring the maximum number of characters, see Password Length.
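The Microsoft Server 2008 syntax rules described above (five character classes with a configurable number of allowed violations, the case-insensitive exclusion list, and the CN and Full Name part checks) can be modelled in a few functions. This is an added study example, not NMAS code or any NetIQ API; it assumes Unicode general categories are a fair stand-in for the page's "European, Greek and Cyrillic" description of upper- and lowercase, and treats "new" characters by class membership only.

```python
import re
import unicodedata

# Non-alphanumeric characters as listed on the page for this syntax.
NON_ALNUM = set('()`~!@#$%^&*-+=|\\{}[]:;"\'<>,.?/_')
CLASSES = ('upper', 'lower', 'numeric', 'non_alnum', 'other')
# Delimiters the page lists for splitting the Full Name value into parts.
PART_DELIMS = re.compile(r'[,.\-_ #\t]+')


def char_class(ch):
    """Map one character to one of the five classes, or None if it counts
    toward none. Unicode categories approximate the page's wording (assumption)."""
    if ch in '0123456789':
        return 'numeric'
    if ch in NON_ALNUM:
        return 'non_alnum'
    cat = unicodedata.category(ch)
    if cat == 'Lu':
        return 'upper'
    if cat == 'Ll':
        return 'lower'
    if cat.startswith('L'):
        return 'other'          # alphabetic but uncased, e.g. CJK ideographs
    return None


def complexity_violations(password):
    """Number of the five classes that are absent from the password."""
    present = {char_class(c) for c in password} - {None}
    return len(CLASSES) - len(present)


def name_parts(full_name):
    """Parts of Full Name: runs of three or more characters between delimiters.
    A single-word name is its own (and only) part."""
    return [p for p in PART_DELIMS.split(full_name) if len(p) >= 3]


def check_server2008(password, cn='', full_name='', excluded=(),
                     min_length=7, max_violations=2):
    """Return the list of rule violations; an empty list means compliant.
    Defaults follow the page: minimum 7 characters, 2 violations allowed."""
    problems = []
    if len(password) < min_length:
        problems.append('shorter than minimum length %d' % min_length)
    if len(password) > 512:
        problems.append('longer than 512 characters')
    v = complexity_violations(password)
    if v > max_violations:
        problems.append('%d complexity violations, %d allowed' % (v, max_violations))
    low = password.lower()
    # Exclusion list: case-insensitive substring; entries under 3 chars are skipped.
    for word in excluded:
        if len(word) >= 3 and word.lower() in low:
            problems.append('contains excluded word %r' % word)
    # Full CN value, checked only when it has at least three characters.
    if len(cn) >= 3 and cn.lower() in low:
        problems.append('contains CN value')
    # Full Name: any 3+ character part (a multi-word value is covered by its parts).
    for part in name_parts(full_name):
        if part.lower() in low:
            problems.append('contains Full Name part %r' % part)
    return problems


if __name__ == '__main__':
    # Constructed sample user: CN jsmith, Full Name "John Smith".
    for candidate in ('Summer2024!', 'smithrocks1', 'Sh0rt!'):
        print(candidate, check_server2008(candidate, cn='jsmith',
                                          full_name='John Smith'))
```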

Password Syntax Precedence

If you modify the attributes of a password policy using Directory Administration or LDAP, outside of the iManager Password Management plug-in interface, you may set up a conflict between one or more of the password policy types. For example, you could use LDAP to enable both the Microsoft complexity policy and Microsoft Windows 2008 Password Policy types for the same policy.

In the event of a conflict, eDirectory uses the following order of precedence:

  • Microsoft Windows 2008 Password Policy

  • Microsoft complexity policy

  • Novell syntax

For more information about modifying password policies outside of the Password Management interface, see Modifying Password Policies Outside of the Password Policies Interface.

Change Password

  • Allow user to initiate password change

    This allows the user to use the password self-service features. This option is selected by default. For information about password self-service, see Password Self-Service.

  • Do not expire the user’s password when the administrator sets the password

    By default, when password expiration is set, eDirectory expires the user’s password when the administrator sets it, so the user must go and change his or her password. This option allows you to override that default.

  • Require unique passwords

    When this option is selected, the user is prevented from changing the password to one that is already in the history list. If a user tries to change the password and reuse one that is in the history list, the password policy rejects the password and the user is prompted to specify a different one.

    You can specify how unique passwords are enforced by using one of the following two values:

    • Remove password from history list after a specified number of days (0-365) and a specified History list size (1-255).

      If you require unique passwords, you can specify how many days a previous password remains stored in the history list for comparison.

      For example, if you specify a limit of 30 days, and the user's previous password was “mountains99,” that password remains in the history list for 30 days. During that time, if the user tries to change his or her password and reuse “mountains99,” the password policy rejects that password, and the user is prompted to specify a different one. After the 30-day period, the old password is no longer stored for comparison, and the password policy allows it to be reused.

      If you require unique passwords, you can also indicate how many passwords are stored in the history list for comparison. For example, if you specify 3, then the user's previous three passwords are stored. If a user tries to change his or her password and reuse one that is in the history list before the number of days specified for removal from the history list, the password policy rejects the password, and the user is prompted to specify a different one.

      NOTE:

      • If the Use Microsoft Server 2008 Password Policy option is selected, the Require unique passwords option is also selected by default.

      • If Require unique passwords is selected and you select Remove password from history list after a specified number of days (0-365) but don’t specify a number of days, the password is on the history list for 8 times the value set in the Number of days before password expires (0-365) field, in the Password Lifetime section. If neither field has a value, the password is on the history list for 365 days.

      • If you specify a password history list size and a number of days, and the number of passwords in the password history list size has been met, the user cannot change his or her password unless the password has expired. An administrator can change or set a user password even if the password list size has been met.

      • After one or more passwords expire in the password history list, the list is no longer full, and a user is again able to change his or her password. This limitation is included to prevent users from changing their passwords so many times that a password is no longer included in the password history list, and they can re-use it.

      • If a password history list size is not specified, the password history is never full.

      • When comparing a specified password against previous passwords in the password history, eDirectory differs from Active Directory. If the size of the password history list is “N,” Active Directory compares a specified password against “N” previous passwords. However, eDirectory compares a specified password against “N+1” previous passwords.

    • Remove password from history list when the list is full and the number of passwords reaches the specified History list size (1-255).

      If you require unique passwords, you can indicate how many passwords are stored in the history list for comparison. This option works on a first-in, first-out basis, where the oldest passwords are removed from the history list first. For example, when a user creates a new password that is not currently in the history list, the oldest password in the history list is removed if the history list is full.

      NOTE:

      • If the Use Microsoft Server 2008 Password Policy option is selected, the Remove password from history list when the list is full option is also selected by default. With the Microsoft Server 2008 syntax enabled, the History list size range is 0-24 passwords.

      • If this option is selected, you should also select both the Number of days before password can be changed and Number of days before password expires options, with at least the minimum number of days for each.

      • If you specify a password history list size of 0, NMAS only compares any new password created by a user against that user’s current password.

  • Number of characters different from current password and passwords from history (0-6) and a specified number of characters.

    When this option is selected, the user must specify a password that includes at least as many “new” characters, characters unused in previous passwords, as specified in the setting. This option is selected by default.

    You can specify how unique the unused characters must be by using the following value:

    • Number of passwords in history to be considered for character exclusion (0-10) and a specified number of characters

      If you require a certain number of unused characters for any new password, you can specify how many previous passwords to consider when checking a password for previously-used characters.

      For example, suppose you require a minimum of three new characters and specify that five previous passwords are considered for character exclusion. If a user creates the new password “mountains99,” it must include at least three characters not found in any of the previous five passwords. If the user’s password two changes previous was “maintains99,” which differs from the new password in only two characters, the password policy rejects “mountains99,” and the user is prompted to specify a different one.

    NOTE:

    • Both the Number of characters different from current password and passwords from history (0-6) and Number of passwords in history to be considered for character exclusion (0-10) options are selected by default. However, the values of both options are set to 0 by default.

    • If the value of the Number of characters different from current password and passwords from history (0-6) option is set to 0, the option is disabled.

    • If the value of the Number of passwords in history to be considered for character exclusion (0-10) option is set to 0, only the current password is considered when eDirectory checks for “new” characters.

    • These options require Universal Password to be enabled in the password policy.
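The unique-password and "characters different" rules above can be exercised together in a small model of the history list: a first-in, first-out list of the configured size, comparison against the current password plus the N history entries (the N+1 behaviour the page contrasts with Active Directory), and a count of characters not used in the considered previous passwords. This is an added example, not NMAS code; it assumes "new" characters are those absent from the considered passwords, and reproduces the page's mountains99/maintains99 numbers with the older password as the current one.

```python
from collections import deque


class PasswordHistory:
    """Model of 'Require unique passwords' (FIFO history list) and 'Number of
    characters different from current password and passwords from history'."""

    def __init__(self, current, history_size=3, min_new_chars=0,
                 history_considered=0):
        self.current = current                        # password in use now
        self.history_size = history_size              # History list size (1-255)
        self.min_new_chars = min_new_chars            # 0 disables the rule
        self.history_considered = history_considered  # 0 = current password only
        self.history = deque()                        # oldest first, newest last

    def compared_against(self):
        """eDirectory checks the current password plus the N history entries,
        i.e. N+1 passwords, for the uniqueness rule."""
        return [self.current] + list(self.history)

    def is_reused(self, candidate):
        return candidate in self.compared_against()

    def new_char_count(self, candidate):
        """Distinct characters of the candidate not found in the current password
        or in the last `history_considered` history entries (assumption)."""
        considered = [self.current]
        if self.history_considered:
            considered += list(self.history)[-self.history_considered:]
        used = set(''.join(considered))
        return len(set(candidate) - used)

    def try_change(self, candidate):
        """Apply both rules; on success rotate the FIFO and return (True, 'ok'),
        otherwise (False, reason) and leave the state untouched."""
        if self.is_reused(candidate):
            return False, 'password is in the history list'
        if self.min_new_chars:
            n = self.new_char_count(candidate)
            if n < self.min_new_chars:
                return False, 'only %d new characters, %d required' % (
                    n, self.min_new_chars)
        self.history.append(self.current)
        while len(self.history) > self.history_size:
            self.history.popleft()        # oldest password drops off first
        self.current = candidate
        return True, 'ok'


if __name__ == '__main__':
    # Constructed example: 3 new characters required, 5 history entries considered.
    h = PasswordHistory('maintains99', history_size=3, min_new_chars=3,
                        history_considered=5)
    print(h.try_change('mountains99'))   # rejected: only 2 new characters
    print(h.try_change('Riverbank42'))   # accepted
    print(h.try_change('maintains99'))   # rejected: still in the history list
```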

Password Lifetime

  • Number of days before password can be changed (0-365)

    This option restricts the user from changing their Universal Password before the specified time has elapsed. For example, if this value is set to 30, a user must keep the same password for 30 days before he or she can change it.

  • Number of days before password expires (0-365)

    This option causes a user’s password to expire after a specified time has elapsed. For example, if this value is set to 90, a user's password expires 90 days after it has been set. If you enable grace logins, the user can log in with the expired password the specified number of times. Also, if you have not selected the Limit Grace Logins option, unlimited grace logins are allowed.

    NOTE:

    • If the Use Microsoft Server 2008 Password Policy option is selected, the Number of days before password can be changed and Number of days before password expires options are also selected by default. With the Microsoft Server 2008 syntax enabled, the range for both options is 0-999 days.

    • If an administrator changes a user's password, such as when creating a new user or in response to a help desk call, the password is automatically expired if you have enabled the setting to expire passwords in the password policy. For this particular feature, the number of days is not important, but this setting must be enabled. Selecting the Do not expire the user’s password when the administrator sets the password option overrides this security enhancement.

    • Limit the number of grace logins allowed (0-254)

      When the password expires, this value indicates how many times a user is allowed to log in to eDirectory by using the expired password. If grace logins are not enabled, the user cannot log in after a password has expired, and he or she requires administrator assistance to reset the password. If the value is 1 or more, the user has a chance to log in additional times before being forced to change the password. However, if the user does not change the password before all the grace logins are used, he or she is locked out and is unable to log in to eDirectory. Also, if you have not selected the Limit the number of grace logins allowed option, unlimited grace logins are allowed.

Password Exclusions

  • Exclude the following passwords

    This allows you to manually specify the passwords you want to exclude. You can use this option to exclude specific words or single characters, not a pattern or an eDirectory attribute. You can also exclude passwords containing a specific special character, including a *, +, %, or space character. For example, if you add the character * to the list of excluded passwords, a user who tried to specify the password “Pa55w0rd*!” would receive an error saying that the specified password is invalid. This can be useful if you need to restrict users from specifying passwords containing special characters that cause issues with applications in your environment.

    For NMAS 3.1.3 and later, the strings in the exclude list cannot be contained in the password, and the comparison is case-insensitive. For example, if “test” is in the exclude list, then the following cannot be passwords: Test, TEST, ltest, test1, and latest.

    Keep in mind that password exclusions can be useful for a few words that you think would be security risks. Although an exclusion list feature is provided, it is not intended to be used for a long list of words, such as a dictionary. Long lists of excluded words can affect server performance. Instead of a long exclusion list to protect against “dictionary attacks” on passwords, we recommend that you use the Advanced Password Rules to require numbers to be included in the password.

  • Exclude passwords that match attribute values

    This allows you to select User object attributes that you want to exclude from being used as passwords. For example, if you add the Given Name attribute to the list, and the Given Name attribute contained the value of Frank, then neither frank, frank1, nor 1frank could be used as the password.

    NMAS does not perform this check if the length of the excluded password is less than three characters.

    Use the plus and minus buttons to add and delete attribute values from the list.

    NOTE: If the Use Microsoft complexity policy option is selected, the Exclude passwords that match attribute values option is also selected by default. With the Microsoft complexity policy syntax enabled, the list of attribute values to match is prepopulated with the following attributes: Common name; Display name; Full name; First name; and Last name.

Figure 26-2 Advanced Password Rules Continued

Password Length

  • Minimum number of characters in password (1-512)

  • Maximum number of characters in password (1-512)

    NOTE:

    • The maximum length for any password created using NMAS is 512 characters.

    • If the Use Microsoft complexity policy option is selected, neither the Minimum number of characters in password nor Maximum number of characters in password option is available.

    • If the Use Microsoft Server 2008 Password Policy option is selected, only the Minimum number of characters in password option is available. The option is selected by default.

    • If the Use Novell syntax option is selected, both the Minimum number of characters in password and Maximum number of characters in password options are also selected by default.

Password Complexity Violations

  • Maximum number of complexity policy violations in password (0-5)

    This option allows you, as an administrator, to configure the number of complexity policy violations you want to allow in passwords in your environment. By default, the Microsoft Server 2008 Password Policy requires that a password include at least one character from three of the five character types: uppercase, lowercase, numeric, non-alphanumeric, and other characters. Therefore, the default number of violations allowed is 2. For more information on policy requirements for Microsoft Server 2008 Password Policy, see Password Syntax.

    However, if you want to make your password policy more or less restrictive, you can modify the default number of violations allowed. For example, if you change the default setting to 1, all passwords must include at least one character from four of the five character types listed above. If the setting is 4, passwords must include a character from only one of the five character types.

    NOTE: The Maximum number of complexity policy violations in password (0-5) option is only available if you select the Use Microsoft Server 2008 Password Policy option. The option is selected by default.

Repeating Characters

  • Minimum number of unique characters (1-512)

  • Maximum number of times a specific character can be used (1-512)

  • Maximum number of times a specific character can be repeated sequentially (1-512)

    NOTE: If either the Use Microsoft complexity policy or the Use Microsoft Server 2008 Password Policy option is selected, the Minimum number of unique characters, Maximum number of times a specific character can be used, and Maximum number of times a specific character can be repeated sequentially options are unavailable.
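The exclusion, complexity-violation and repeating-character rules above, implemented as one checker in an added example (not NetIQ code; it combines rules that the product exposes under different policy syntaxes, and the rule names, thresholds and sample values are assumptions):

```python
# Added example, not NetIQ code: a single checker for the exclusion,
# complexity-violation and repeating-character rules described above.
# Rule names, thresholds and the sample policies are this example's own.
from dataclasses import dataclass, field
from typing import List


@dataclass
class PolicyRules:
    # "Exclude the following passwords": strings that may not appear
    # anywhere in the password, compared case-insensitively (NMAS 3.1.3+).
    excluded_words: List[str] = field(default_factory=list)
    # "Exclude passwords that match attribute values": values shorter
    # than three characters are not checked.
    attribute_values: List[str] = field(default_factory=list)
    # Microsoft Server 2008 style: how many of the five character types
    # may be missing. The product default of 2 means three of five.
    max_complexity_violations: int = 2
    # Repeating-character rules (Novell syntax), 1-512 in the product.
    min_unique_chars: int = 1
    max_uses_per_char: int = 512
    max_sequential_repeats: int = 512


def char_type(ch: str) -> str:
    """Map a character to one of the five types listed in the text.
    Treating every non-ASCII character as "other" is an assumption."""
    if not ch.isascii():
        return "other"
    if ch.isupper():
        return "uppercase"
    if ch.islower():
        return "lowercase"
    if ch.isdigit():
        return "numeric"
    return "non-alphanumeric"


def complexity_violations(password: str) -> int:
    """Number of the five character types absent from the password."""
    return 5 - len({char_type(c) for c in password})


def longest_run(password: str) -> int:
    """Longest sequence of the same character repeated back to back."""
    best, run, prev = 0, 0, None
    for c in password:
        run = run + 1 if c == prev else 1
        best, prev = max(best, run), c
    return best


def check_password(password: str, rules: PolicyRules) -> List[str]:
    """Return the rule violations found; an empty list means accepted."""
    problems = []
    lowered = password.lower()
    for word in rules.excluded_words:
        if word.lower() in lowered:
            problems.append(f"contains excluded string '{word}'")
    for value in rules.attribute_values:
        if len(value) >= 3 and value.lower() in lowered:
            problems.append(f"contains attribute value '{value}'")
    missing = complexity_violations(password)
    if missing > rules.max_complexity_violations:
        problems.append(f"{missing} complexity violations, at most "
                        f"{rules.max_complexity_violations} allowed")
    if len(set(password)) < rules.min_unique_chars:
        problems.append(f"fewer than {rules.min_unique_chars} unique characters")
    most_used = max((password.count(c) for c in set(password)), default=0)
    if most_used > rules.max_uses_per_char:
        problems.append(f"a character is used more than {rules.max_uses_per_char} times")
    if longest_run(password) > rules.max_sequential_repeats:
        problems.append(f"a character repeats more than "
                        f"{rules.max_sequential_repeats} times in a row")
    return problems


if __name__ == "__main__":
    # Sample policy constructed for this example: excludes "test" and "*",
    # and treats the Given Name value "Frank" as an excluded attribute value.
    rules = PolicyRules(excluded_words=["test", "*"], attribute_values=["Frank"])
    for candidate in ["latest", "1frank", "Pa55w0rd*!", "Pa55w0rd", "password"]:
        print(candidate, "->", check_password(candidate, rules) or "accepted")
```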

Case Sensitive

In eDirectory, you can use the Allow the password to be case sensitive option to make your passwords case sensitive for all the clients that are upgraded to eDirectory 9.2.

NOTE:

  • The Allow the password to be case sensitive option is only available if you select the Use Novell syntax option. The option is selected by default.

  • If you have opted to disable Universal Password, the Allow the password to be case sensitive option is checked and disabled by default.

With Allow the password to be case sensitive selected, you have four options:

  • Allow the password to be case sensitive

    • Minimum number of upper case characters required in the password (1-512)

    • Maximum number of upper case characters allowed in the password (1-512)

    • Minimum number of lower case characters required in the password (1-512)

    • Maximum number of lower case characters allowed in the password (1-512)

When Allow the password to be case sensitive is not selected, the passwords are case insensitive, and you have two options:

  • Minimum number of alphabetic characters allowed in password (1-512)

  • Maximum number of alphabetic characters allowed in password (1-512)

IMPORTANT: Passwords are stored with case, and are synchronized between systems with case sensitivity, even when the Allow the password to be case sensitive option is not selected. The case of password characters is ignored if the Allow the password to be case sensitive option is not selected.

Figure 26-3 Advanced Password Rules Final

Numeric Characters

  • Allow numeric characters in password

    • Disallow numeric as first character

    • Disallow numeric as last character

    • Minimum number of numerals in password (1-512)

    • Maximum number of numerals in password (1-512)

NOTE: The Allow numeric characters in password option is only available if you select the Use Novell syntax option. The option is selected by default.

Non-alphanumeric Characters

Non-alphanumeric characters are characters that are not numbers (0-9) or alphabetic characters. Alphabetic characters are defined as a-z, A-Z, and alphabetic characters in the Latin-1 code page 850.

  • Allow non-alphanumeric characters in the password

    • Disallow non-alphanumeric character as first character

    • Disallow non-alphanumeric character as last character

    • Minimum number of non-alphanumeric characters (1-512)

    • Maximum number of non-alphanumeric characters (1-512)

  • Allow non-US ASCII characters

    This option allows a password to include characters outside of the Basic Latin character set, also known as extended characters.

NOTE: The Allow non-alphanumeric characters in the password option is only available if you select the Use Novell syntax option. The option is selected by default.

Non-alphabetic characters

Non-alphabetic characters are the characters that are not alphabetic characters. Alphabetic characters are defined as a-z, A-Z, and alphabetic characters in the Latin-1 code page 850.

  • Allow non-alphabetic characters in the password

    • Minimum number of non-alphabetic characters (1-512)

    • Maximum number of non-alphabetic characters (1-512)

NOTE:

  • The Allow non-alphabetic characters in the password option is only available if you select the Use Novell syntax option.

  • If you use the Allow non-alphabetic characters in the password option, ensure your policy does not unduly restrict possible passwords. For example, you can create a policy that requires multiple non-alphabetic characters or numerals but also limits the number of non-alphabetic characters allowed.

Modifying Password Policies Outside of the Password Policies Interface

In addition to creating, modifying, and assigning password policies using the iManager Password Management plug-in, you can modify policies outside of the Password Policies interface in one of the following ways:

  • Modify the policy object directly using the Directory Administration interface.

  • Modify the policy object directly using the ldapmodify command line tool.

However, it is not recommended that you manipulate password policies outside of the Password Policies interface, as this manipulation might cause issues in your environment if all attributes are not properly set. If you set multiple policy types for a single policy, for example, only the “highest” policy type in the order of precedence takes effect, and eDirectory ignores any policy rules for the “lower” policy types applied. For more information about password policy type precedence, see Password Syntax Precedence.

In addition, if you change the type of a password policy from the Microsoft Server 2008 Password Policy type to the Microsoft complexity policy type without using the Password Policies interface, iManager does not delete the existing Microsoft Server 2008 Password Policy attribute (nspmAD2K8Syntax) in the policy object. Instead, iManager sets the value of the attribute to False. In this situation, eDirectory ignores all policies and rules set for either policy type.

Another issue can occur when you use LDAP to modify specific rules for a policy. If you modify a policy so that two rules conflict, eDirectory applies a rule that is selected or is set to True in the policy instead of a conflicting rule that is not selected or is set to False.

For example, you can create a policy and then modify that policy to both not allow numeric characters and allow non-alphabetic characters. Because the value of the nspmNonAlphaCharactersAllowed attribute is set to True, all non-alphabetic characters are allowed, including numeric characters, even though the nspmNumericCharactersAllowed is set to False.

Random Password Generation

Instead of specifying a particular password, users can also request a randomly-generated password. Randomly-generated passwords automatically conform to the complexity requirements and other restrictions of the password policy assigned to the user.

Randomly-Generated Microsoft Server 2008 Passwords

Randomly-generated passwords for Microsoft Server 2008 Password Policy policies differ in the following ways from randomly-generated passwords using other password policy types:

  • If a user is assigned a password policy that uses the Microsoft Server 2008 Password Policy type and requests a randomly-generated password, NMAS generates the password based on the number of password complexity violations allowed for the policy.

  • If the number of password complexity violations allowed is set to the maximum value of 5, any randomly-generated password consists only of uppercase or lowercase alphabetic characters.

  • If the configured password complexity requirements are extremely strict, even randomly-generated passwords may not be valid for the password policy.

  • The maximum length of any randomly-generated Microsoft Server 2008 Password Policy password is 16 characters, unless the minimum length configured in the policy is more than 16 characters. If the minimum length is more than 16, the length of the generated password is the minimum length set in the policy. For example, if the minimum length of a password is set to 20 characters using a Microsoft Server 2008 policy, the randomly-generated password is always 20 characters long.
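The length and character-type behaviour described above, modelled in an added example that is not NMAS code; the ASCII character pools, the fixed 16-character length when the minimum is shorter, and the order in which types are chosen are assumptions:

```python
# Added example, not NMAS code: models how the Microsoft Server 2008
# behaviour above shapes a randomly generated password. The character
# pools, the fixed 16-character length and the order in which types are
# chosen are this example's assumptions.
import secrets
import string

# The four ASCII character types this generator can draw from. The fifth
# type the text counts ("other characters") is never generated here, so
# it is always one of the missing types.
CHAR_TYPES = {
    "lowercase": string.ascii_lowercase,
    "uppercase": string.ascii_uppercase,
    "numeric": string.digits,
    "non-alphanumeric": "!#$%&*+-=?@^_",
}
DEFAULT_LENGTH = 16  # generated passwords are at most 16 characters


def generated_length(min_length: int) -> int:
    """16 characters, unless the policy minimum is longer: then the minimum."""
    return max(DEFAULT_LENGTH, min_length)


def required_types(max_violations: int) -> list:
    """Types the password must cover: 5 minus the violations allowed.
    With 5 violations allowed only alphabetic characters are produced."""
    if max_violations >= 5:
        return ["lowercase", "uppercase"]
    return list(CHAR_TYPES)[:5 - max_violations]  # only four ASCII types exist


def types_present(password: str) -> set:
    """Which of the five character types appear in the password."""
    present = {name for name, pool in CHAR_TYPES.items()
               if any(c in pool for c in password)}
    if any(not c.isascii() for c in password):
        present.add("other")
    return present


def complies(password: str, max_violations: int) -> bool:
    """True when no more than max_violations of the five types are missing."""
    return 5 - len(types_present(password)) <= max_violations


def generate_password(min_length: int, max_violations: int) -> str:
    """One character from each required type, the rest from the union of
    those types, shuffled with a CSPRNG."""
    types = required_types(max_violations)
    union = "".join(CHAR_TYPES[t] for t in types)
    chars = [secrets.choice(CHAR_TYPES[t]) for t in types]
    chars += [secrets.choice(union)
              for _ in range(generated_length(min_length) - len(chars))]
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


if __name__ == "__main__":
    # With 0 violations allowed nothing this generator produces covers all
    # five types, so even the generated password fails the check: the
    # "extremely strict" case the text warns about.
    for min_len, violations in [(8, 2), (20, 5), (8, 0)]:
        pw = generate_password(min_len, violations)
        print(f"min={min_len} violations={violations}: {pw!r} "
              f"valid={complies(pw, violations)}")
```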

Universal Password Configuration Options

The following figure shows an example of the Universal Password configuration options:

Figure 26-4 Configuration Options

  • Enable Universal Password

    Enables Universal Password for this policy. You can choose to either enable or disable Universal Password.

  • Enable the Advanced Password Rules

    Enables the Advanced Password Rules found on the Advanced Password Rules page for this policy. These advanced password rules help secure your environment by giving you control over password lifetime and what the password can contain.

  • Password Synchronization

    • Remove the NDS password when setting Universal Password

      If this option is selected, the NDS password is disabled when the Universal Password is set. Also, when the NDS password is set, the NDS password hash is set to a random value that is not known except to eDirectory. There might or might not be a password that could be hashed to the random value.

    • Synchronize NDS password when setting Universal Password

      If this option is selected, and the Universal Password is set, the NDS password is set at the same time and with the same password.

    • Synchronize Simple Password when setting Universal Password

      NOTE: The setting of this option does not affect your ability to import user passwords by using ICE.

      If this option is selected, and the Universal Password is set, the Simple Password is set at the same time and uses the same password.

    • Synchronize Distribution Password when setting Universal Password

      Determines whether the Identity Manager Metadirectory engine can retrieve or set a user’s Universal Password in eDirectory.

      If this option is selected, and the Universal Password is set, the Distribution Password is set at the same time and uses the same password.

      The Distribution Password can be used with Identity Manager to perform password synchronization to connected systems. This option also allows the Metadirectory engine to retrieve a user’s Universal Password in eDirectory.

  • Universal Password Retrieval

    NOTE: If you have opted to disable Universal Password, the following options will be disabled by default.

    • Allow user to retrieve password

      Determines whether the Forgotten Password Self-Service feature can retrieve a password on behalf of a user, so that the password can be e-mailed to the user. If this option is not selected, the corresponding feature is dimmed on the Forgotten Password page in the Password Policy.

      This option allows users to retrieve their own passwords by using NMAS LDAP extensions.

    • Allow admin to retrieve passwords

      Lets you retrieve users' passwords by using a third-party product or service that uses this functionality.

      This option is not recommended. Instead, you should use the Allow the following to retrieve passwords option to assign password read rights to specific objects, such as the SAMBA or freeRADIUS service objects, that need this ability to perform their functions.

      If Allow admin to retrieve passwords is selected, then users that have write privileges on the target object’s ACL attribute can retrieve the target object’s password.

    • Allow the following to retrieve passwords

      Lets you insert an object that has the ability to retrieve passwords.

      NOTE: Members with insufficient privileges receive a -672 error when using the Check Password Status task on any given user.

  • Authentication

    • Verify whether existing passwords comply with the password policy (verification occurs on login)

      If this option is selected, and users log in through iManager, their existing passwords are checked to make sure they comply with the Advanced Password Rules in the users’ password policy. If an existing password does not comply, users are required to change it. If Universal Password is disabled, this option will also be disabled by default.

      An administrator can change the settings of a user in user > Restrictions > Password Restrictions as shown in the image.

      Figure 26-5

      In eDirectory 9.2.7 and later, these settings can still be changed, but as soon as the user logs in they are overwritten by the password policy. This affects not only password expiration but also passwordExpirationInterval (Force periodic password changes), Allow user to change password, and Require unique passwords. As a result, all such settings made at the user level for a user that has a policy assigned are overwritten by the policy.

      If Universal Password is disabled, this option will also be disabled by default. You can still enable Universal Password manually in the Password Policy window.

      Figure 26-6

      NOTE: Non-admin users can change their password only if the administrator enables the Allow user to change password and Require a password check boxes in the user > Restrictions > Password Restrictions window. However, any settings made on a user object that has a password policy assigned are overwritten by the policy rules.

26.5.5 Assigning Password Policies to Users

You can assign a password policy to users in eDirectory by assigning the policy to the whole tree by using the Login Policy object, to specific partitions or containers, or to specific users. We encourage you to set password policies as high up in the tree as you can, to simplify administration.

IMPORTANT: Assigning a password policy to an entire eDirectory tree or to a container in a tree that contains a very large number of users (tens of thousands) in subcontainers can cause iManager and the iManager plug-in to hang.

In this case, you might want to consider individually assigning password policies to lower-level containers in order to control the number of users for each password policy assignment.

A policy is not in effect until you assign it to one or more objects. You can assign a password policy to the following objects:

  • Login Policy object

    We recommend that you create a default password policy for all users in the tree. You do this by creating a policy and assigning it to the Login Policy object. The Login Policy object is located in the Security container just below the root of the tree.

  • A container that is a partition root

    If you assign a policy to a container that is the root of a partition, the policy assignment is inherited by all users in that partition, including users in subcontainers. To determine whether a container is a partition root, browse for the container and note whether a partition icon is displayed beside it.

  • A container that is not a partition root

    If you assign a policy to a container that is not the root of a partition, the policy assignment is inherited only by users in that specific container. It is not inherited by users that are in subcontainers. If you want the policy to apply to all users below a container that is not a partition root, you must assign the policy to each subcontainer individually.

  • A specific user

Only one policy is effective for a user at a time. NMAS determines which policy is effective for a user by looking for policies in the following order and applying the first one it finds.

  1. Specific user assignment: If a password policy has been assigned specifically to the user, that policy is applied.

  2. Container: If the user has no specific assignment, NMAS applies the policy that is assigned to the container that holds the user.

  3. Partition root container: If no policy is assigned to the user or to the container directly above the user, the policy assigned to the partition root container is applied.

  4. Login Policy object: If no policy is assigned to the user or other containers, the policy assigned to the Login Policy object is applied. It is the default policy for all users in the tree.
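The four-step lookup above, as an added example that is not eDirectory code; the sample tree, the policy names, the LOGIN_POLICY key and the assumption that only the nearest partition root is consulted are this example's own:

```python
# Added example, not eDirectory code: resolves the effective password policy
# for a user by the precedence order above. The sample tree, the policy
# names and the LOGIN_POLICY key are constructed for this illustration.
from typing import Dict, Iterator, Optional, Set, Tuple

# Key used for an assignment made on the Login Policy object (tree default).
LOGIN_POLICY = "Login Policy object"


def parent_dn(dn: str) -> Optional[str]:
    """Container holding dn, or None at the top of the tree.
    (Simple split; escaped commas in RDNs are not handled.)"""
    parts = dn.split(",", 1)
    return parts[1] if len(parts) == 2 else None


def ancestors(dn: str) -> Iterator[str]:
    """Containers from the user's own container up to the tree root."""
    current = parent_dn(dn)
    while current is not None:
        yield current
        current = parent_dn(current)


def effective_policy(user_dn: str, assignments: Dict[str, str],
                     partition_roots: Set[str]) -> Tuple[Optional[str], str]:
    """Return (policy name, where it came from) or (None, 'none')."""
    # 1. A policy assigned to the user object itself wins.
    if user_dn in assignments:
        return assignments[user_dn], "user"
    # 2. A policy on the container that directly holds the user. Such an
    #    assignment is not inherited by subcontainers, so only the
    #    immediate container is consulted here.
    container = parent_dn(user_dn)
    if container in assignments:
        return assignments[container], "container"
    # 3. The root of the partition the user is in: its assignment is
    #    inherited by every user in that partition, subcontainers included.
    #    Only the nearest partition root is consulted (this example's
    #    reading: a user belongs to exactly one partition).
    for anc in ancestors(user_dn):
        if anc in partition_roots:
            if anc in assignments:
                return assignments[anc], "partition root"
            break
    # 4. The tree-wide default on the Login Policy object.
    if LOGIN_POLICY in assignments:
        return assignments[LOGIN_POLICY], LOGIN_POLICY
    return None, "none"


# Constructed sample tree: o=acme and ou=eng are partition roots;
# ou=dev, ou=qa, ou=tools and ou=sales are ordinary containers.
PARTITION_ROOTS = {"o=acme", "ou=eng,o=acme"}
ASSIGNMENTS = {
    "cn=alice,ou=dev,ou=eng,o=acme": "Contractor Policy",
    "ou=dev,ou=eng,o=acme": "Developer Policy",
    "ou=eng,o=acme": "Engineering Policy",
    LOGIN_POLICY: "Default Policy",
}


def resolve(user_dn: str) -> Tuple[Optional[str], str]:
    """Look up a user in the constructed sample tree."""
    return effective_policy(user_dn, ASSIGNMENTS, PARTITION_ROOTS)


if __name__ == "__main__":
    for user in ["cn=alice,ou=dev,ou=eng,o=acme",         # user-specific
                 "cn=bob,ou=dev,ou=eng,o=acme",           # immediate container
                 "cn=carol,ou=qa,ou=eng,o=acme",          # partition root ou=eng
                 "cn=dan,ou=tools,ou=dev,ou=eng,o=acme",  # ou=dev not inherited
                 "cn=eve,ou=sales,o=acme"]:               # Login Policy default
        print(user, "->", resolve(user))
```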

The following figure shows an example of the property page where you specify which object a password policy is assigned to:

Figure 26-7 Assigning Password Policy to Objects

26.5.6 Finding Out Which Policy a User Has

Only one policy is in effect for a user at a time. To find out which policy is in effect for a particular user or container:

  1. In iManager, in the Roles and Tasks view, click Passwords > View Policy Assignments.

  2. Browse to and select the desired user.

  3. Click OK.

If there are multiple policies in the tree, NMAS determines which policy to apply to a user as described in Assigning Password Policies to Users.

26.5.7 Setting A User's Password

Administrators or help desk personnel can set a user's Universal Password by using a task in iManager. The task shows the password rules for the password policy that is in effect for the user.

  1. In iManager, in the Roles and Tasks view, click Passwords > Set Universal Password.

  2. Browse to and select the desired user.

  3. Click OK.

    If the user has a password policy assigned and Universal Password enabled, you can change the password by using this task.

    If the Advanced Password Rules are enabled in the policy, you see a list of rules that must be followed.

    If Universal Password is not enabled for a user, iManager displays an error. You must either assign a policy to the user and then return to this task or change the user’s NDS password by using the eDirectory Administration > Modify Object task.

  4. Create a password for the user, making sure it is compliant with all password rules that are displayed.

  5. Click OK.

    The Universal Password is changed for the user.

    If Password Synchronization is set up in your environment, the user's new password is distributed to the connected systems that are configured to accept it.

NOTE: If an administrator changes a user's password, such as when creating a new user or in response to a help desk call, the password is automatically expired if you have enabled the setting to expire passwords in the password policy. The setting, named Number of days before password expires, is in Advanced Password Rules. For this particular feature, the number of days is not important, but the setting must be enabled.

The Do not expire the user’s password when the administrator sets the password option overrides this feature.

26.5.8 Universal Password Diagnostic Utility

eDirectory provides a utility that checks the status of, and re-encrypts, the Universal Password. The Universal Password Diagnostic Utility (diagpwd) lets an administrator view the status of a user's Universal Password (UP), Simple Password, NDS password, and Distribution Password (DP). It also reports the synchronization status of these passwords. The syntax of the diagpwd utility is as follows:

diagpwd LDAP_SERVER_ADDR TLS_PORT CA_CERT_FILE SEARCH_BASE SEARCH_SCOPE BIND_DN [BIND_PWD] -t

The options are as follows:

  • LDAP_SERVER_ADDR

    Specifies the address of the target LDAP server.

  • TLS_PORT

    Specifies the LDAP Secure port (TLS) of the target LDAP server.

  • CA_CERT_FILE

    Specifies the path of the PEM-encoded file containing the Trusted Root Certificate for the target LDAP server.

  • SEARCH_BASE

    Specifies the search base to use as the starting point for the search.

  • SEARCH_SCOPE

    Specifies the scope of the search. The scope should be base, one, or sub to specify a base object, one-level, or subtree search.

  • BIND_DN

    The LDAP DN of the administrator. For example: cn=admin,o=company.

  • BIND_PWD

    The LDAP password of the administrator.

    NOTE: This parameter is optional. If it is not included in the command line, the user is prompted for it.

  • -t

    Re-encrypts the UP, DP, Simple Password, and password history with 256-bit AES keys. Use this option after creating the AES 256-bit tree key.

    NOTE: While using this option, ensure that the password policy allows the user running this utility to retrieve the user's UP.

NOTE: The diagpwd utility is supported with eDirectory 9.1 SP2 and later.

Installing the diagpwd Utility

To install the diagpwd utility, run the following command in the eDirectory Setup folder:

rpm -i /eDirectory-setup-location/novell-nmas-ldap-ext-client-9.2.0-0.x86_64.rpm

Examples

To examine the status of passwords for user cn=user1,ou=users,o=company on server 192.168.1.1, run the following command:

diagpwd 192.168.1.1 636 /home/user1/cert.pem cn=user1,ou=users,o=company base cn=admin,o=company

To examine the status of passwords for all users under ou=users,o=company subtree, run the following command:

diagpwd 192.168.1.1 636 /home/user1/cert.pem ou=users,o=company sub cn=admin,o=company

To re-encrypt passwords of all users under ou=users,o=company subtree with AES 256-bit key, run the following command:

diagpwd 192.168.1.1 636 /home/user1/cert.pem ou=users,o=company sub cn=admin,o=company -t

26.5.9 Troubleshooting Password Policies

Errors Indicate a Password Policy Is Not Assigned to a User

If you see an error saying that a password policy is not assigned to a user from the Set Universal Password task, and you know that the user does have a password policy assigned, SSL might be the issue. To diagnose and resolve SSL issues, perform the following tasks:

  • To help confirm that SSL configuration is the problem, use the View Policy Assignment task to check the policy for that user. If the View Policy Assignment task displays an NMAS Transport error, this can be an indicator that SSL is not configured properly.

  • Make sure that SSL is configured correctly between the Web server running iManager and the primary eDirectory tree. Confirm that you have a certificate configured between the Web server and eDirectory.

  • If you are not requiring TLS for simple bind, you must make sure you indicate the correct LDAP SSL port, as explained in the note in Step 6.

Using Challenge Response Questions

Make sure that you are using a supported browser for iManager.

Giving Access to Users in New Containers

When you set up iManager or one of NetIQ's portal products, such as User Application, you specify the portal users container. Usually you specify a container at a high level in the tree, so that all users in the tree can access portal features. If all your users are below that container, then all users have access to Forgotten Password and Reset Password Self-Service.

NMAS LDAP Transport Error

If you are installing Identity Manager in a multiserver environment and use some of the Password Management plug-ins in iManager, you might see an error that begins with NMAS LDAP Transport Error.

One common cause of this error is that the PortalServlet.properties file is pointing to an LDAP server that does not have the NMAS extensions that are needed for Identity Manager. Open the PortalServlet.properties file and make sure the address for the LDAP server is the same server where you installed Identity Manager.

Other possible causes:

  • The LDAP server is not running.

  • SSL is not configured for LDAP between the iManager server running the plug-ins and the LDAP server.

  • When logging in to other trees with iManager to manage remote Identity Manager servers, you might encounter errors if you use the server name instead of the IP address for the remote server.

  • The trusted root certificate of the tree you authenticate to must be imported as a trusted certificate onto the Web server. You can use keytool.exe to export the certificate to the Web server.