18.2 Managing Password Policies

A password policy is a collection of administrator-defined rules that specify the criteria for creating and replacing end-user passwords. NMAS enables you to enforce the password policies that you assign to users in eDirectory. Password policies can also include Forgotten Password Self-Service features, to reduce help desk calls for forgotten passwords. Another self-service feature is Reset Password Self-Service, which lets users change their passwords while viewing the rules the administrator has specified in the password policy. Users access these features through the Identity Manager User Application or Identity Console.

Using the Password Policies module, you can perform the following tasks:

18.2.1 Creating a Password Policy with Default Settings

To create a new password policy, perform the following steps:

  1. Click Authentication Management > Password Policies on the Identity Console landing page.

  2. Click the icon to create a new password policy.

  3. Specify the name, context, description and a password change message in the next screen.

  4. To create a password policy with the default settings, select Create a new Password Policy based on default settings and click Next to view the Summary page.

  5. Verify the details in Summary page and click Create.

  6. A confirmation message appears indicating that the Password Policy has been created successfully.

Figure 18-9 Creating a Password Policy with Default Settings

18.2.2 Creating a Password Policy with Custom Settings

To create a Password Policy with custom settings, perform the following steps:

  1. Click Authentication Management > Password Policies on the Identity Console landing page.

  2. Click the icon to create a new password policy.

  3. Specify the name, context, description and a password change message in the next screen.

  4. To create a password policy with custom settings, leave Create a new Password Policy based on default settings unselected and click Next.

  5. Perform the following actions in the Configuration page:

    1. Enable Universal Password: The remaining options in the Password Policies feature depend on Universal Password, so enable it first. Before you can enable Universal Password for a policy, your environment must meet the prerequisites for Universal Password.

    2. Enable the Advanced Password Rules: This option enables the password rules found in Advanced Password Rules. These rules help you secure your environment by giving you control over criteria, such as the lifetime of a password and content of a password such as combination of letters, numbers, uppercase or lowercase letters, and special characters. You can exclude passwords that you don't feel are secure, such as your company name.

    3. Password Synchronization: These options determine how the Universal Password in eDirectory is synchronized with the other types of Identity Vault password. The Password Synchronization section contains the following options:

      1. Remove NDS password when setting password: If this option is selected, the NDS password is disabled when the Universal Password is set. Users are then unable to use older methods or utilities that log in directly with the NDS password instead of authenticating through NMAS, so verify that no legacy client in your environment still depends on it before enabling this option. If this option is set, the next option, Synchronize NDS password when setting password, is disabled by default.

      2. Synchronize NDS password when setting password: If you select this option, setting the Universal Password in applications such as the Identity Console also changes the NDS password.

      3. Synchronize Simple Password when setting password: This option provides compatibility with NetIQ and third-party clients that use Simple Password, and with user provisioning.

      4. Synchronize Distribution Password when setting password: This option determines whether the metadirectory engine can retrieve or set a user's Universal Password in eDirectory.

    4. Universal Password Retrieval: The following options are available:

      1. Allow user to retrieve password: Allows the user agent to retrieve the password. This option determines whether the Forgotten Password Self-Service feature can retrieve a password on behalf of a user so that the password can be e-mailed to the user. Because this sends the actual password over e-mail, prefer the reset-based Forgotten Password actions where your environment allows it. If you do not select this option, the corresponding feature is dimmed on the Forgotten Password tab of the password policy.

      2. Allow admin to retrieve password: Select this option only if you have a particular service that needs it. Identity Manager does not need administrators to retrieve passwords; however, some third-party services might take advantage of this option.

      3. Allow the following to retrieve password: Click the icon and select the objects that are permitted to retrieve the password.

    5. Authentication:

      1. Verify whether existing passwords comply with the password policy (Verification occurs on login): This option is useful if you are deploying a new password policy or changing the Advanced Password Rules for an existing policy, and you want to make sure that existing passwords comply with the new or changed rules.

        If you select this option, when users log in, their existing passwords are analyzed to make sure that they comply with the Advanced Password Rules in the new or changed password policy. If an existing password does not comply, the user is required to change it.

        Once done, click Next.

  6. Advanced Password Rules help you secure your environment by giving you control over password details such as the lifetime of a password, how often it must be changed, and what it may contain.

    Special characters are the characters that are not numbers (0-9) and are not alphabetic characters.

    Perform the following actions in the Advanced Password Rules page:

    1. Select the syntax that governs the password rules: the Microsoft Complexity Policy (pre-Microsoft Windows Server 2008), the Microsoft Server 2008 Password Policy, or the Novell syntax.

    2. Specify the required options for Change Password, Password Lifetime, Password Length and Composition, and Password Exclusion in the wizard and click Next.

  7. You can reduce help desk costs by enabling Forgotten Password self-service for users who forget a password. These self-service features are available to users through the Identity Console portal. Perform the following actions in the Forgotten Password page:

    NOTE: If you enable Forgotten Password, you must also specify whether a Challenge Set is required to help the user log in.

    1. Challenge Sets: If you use Challenge Sets, users are unable to use Forgotten Password self-service until they have answered the Challenge Set questions. To make sure that users are prompted to enter this information through the Identity Console portal, select the Require Challenge Set option.

    2. Action: The options under this tab determine what happens after the user answers the Challenge Set: the user can reset the password (using Challenge Sets and Universal Password), the current password or the password hint can be sent to the user by e-mail, or the password hint can be displayed.

    3. Authenticate: Select Force user to configure Challenge Questions and/or Hint upon authentication box to ensure that users are prompted to specify the Challenge Sets or Password hint.

      Once done, click Next.

  8. A policy is not in effect until you assign it to one or more objects. We recommend that you assign policies as high in the tree as possible, to simplify administration. A Password Policy can be assigned to the following objects:

    1. Login Policy object: We recommend that you create a default password policy for all users in the tree and assign it to the Login Policy object, which is located in the Security container.

    2. A container that is a partition root: If you assign a policy to a container that is the root of a partition, all users in that partition, including users in sub-containers, inherit the policy assignment.

    3. A container that is not a partition root: If you assign a policy to a container that is not the root of a partition, only users held in that specific container inherit the policy assignment. Users that are held in sub-containers do not inherit the policy.

      To apply the policy to all users below a container that is not a partition root, assign the policy to each sub-container individually.

    4. A user: You can assign a policy to one or more users.

      To assign the policy, click the icon, then browse to and select the object that the password policy should apply to.

      To remove a policy assignment, select the object in the list and click the icon.

  9. Verify the details in Summary page and click Create.

  10. A confirmation message appears indicating that the Password Policy has been created successfully.

Figure 18-10 Creating a Password Policy with Custom Settings
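The assignment scopes in step 8, the Advanced Password Rules in step 6 and the verify-on-login option in step 5 are easier to reason about when written down as code. The following Python is an added example, not NetIQ code and not an eDirectory API: the rule fields, the precedence of a direct user assignment over container assignments, the Login Policy DN and the sample tree are assumptions of the example, and DN parsing assumes no escaped commas.

```python
"""Added example: a model of how a password policy is resolved for a user and
how the Advanced Password Rules are evaluated.  This is illustrative Python,
not NetIQ/eDirectory code; the rule fields, the precedence of a direct user
assignment over container assignments, the Login Policy DN and the sample
tree are all assumptions.  DN parsing assumes no escaped commas."""
from dataclasses import dataclass

# Assumed DN of the Login Policy object in the Security container.
LOGIN_POLICY_DN = "cn=Login Policy,cn=Password Policies,cn=Security"


@dataclass(frozen=True)
class PasswordPolicy:
    """A subset of the Advanced Password Rules (field names are assumptions)."""
    name: str
    min_length: int = 8
    max_length: int = 64
    min_upper: int = 1
    min_lower: int = 1
    min_digits: int = 1
    min_special: int = 1           # special = neither a digit nor a letter (page definition)
    excluded: tuple = ()           # substrings that may not appear, e.g. the company name
    verify_on_login: bool = False  # "Verify whether existing passwords comply with the policy"


def check_password(policy: PasswordPolicy, pw: str) -> list:
    """Return the rules the candidate password violates (empty list = compliant)."""
    problems = []
    if len(pw) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if len(pw) > policy.max_length:
        problems.append(f"longer than {policy.max_length} characters")
    counts = {
        "uppercase": sum(c.isupper() for c in pw),
        "lowercase": sum(c.islower() for c in pw),
        "digit": sum(c.isdigit() for c in pw),
        "special": sum(not c.isalnum() for c in pw),
    }
    required = {
        "uppercase": policy.min_upper, "lowercase": policy.min_lower,
        "digit": policy.min_digits, "special": policy.min_special,
    }
    for kind, minimum in required.items():
        if counts[kind] < minimum:
            problems.append(f"needs at least {minimum} {kind} character(s)")
    lowered = pw.lower()
    for word in policy.excluded:
        if word.lower() in lowered:  # exclusion is case-insensitive here (assumption)
            problems.append(f"contains excluded string {word!r}")
    return problems


def login_requires_change(policy: PasswordPolicy, current_pw: str) -> bool:
    """Model of 'Verify whether existing passwords comply (verification occurs
    on login)': only when that option is on does a non-compliant existing
    password force a change at the next login."""
    return policy.verify_on_login and bool(check_password(policy, current_pw))


def parent_dn(dn: str) -> str:
    """Drop the leading RDN; '' means the tree root was reached."""
    return dn.split(",", 1)[1] if "," in dn else ""


def effective_policy(user_dn: str, assignments: dict, partition_roots: set):
    """Pick the policy that applies to user_dn using the scopes in step 8:
    a direct assignment on the user; a non-partition-root container covers
    only its direct children; a partition root covers every user in that
    partition; otherwise the Login Policy assignment.  Checking the most
    specific scope first is an assumption of this example."""
    if user_dn in assignments:
        return assignments[user_dn]
    container, direct_parent = parent_dn(user_dn), True
    while container:
        if container in assignments and (direct_parent or container in partition_roots):
            return assignments[container]
        if container in partition_roots:
            break  # the user's own partition ends here; outer partitions do not apply
        direct_parent, container = False, parent_dn(container)
    return assignments.get(LOGIN_POLICY_DN)


# Constructed sample tree: o=acme is a partition root with a policy, ou=hr is an
# ordinary container with its own policy, and the Login Policy carries a default.
SAMPLE_ASSIGNMENTS = {
    LOGIN_POLICY_DN: "default-policy",
    "o=acme": "acme-policy",
    "ou=hr,ou=corp,o=acme": "hr-policy",
    "cn=carol,ou=it,o=acme": "admin-policy",
}
SAMPLE_PARTITION_ROOTS = {"o=acme"}

if __name__ == "__main__":
    for dn in ("cn=alice,ou=hr,ou=corp,o=acme",           # hr-policy: direct child of ou=hr
               "cn=bob,ou=interns,ou=hr,ou=corp,o=acme",  # acme-policy: ou=hr does not reach grandchildren
               "cn=carol,ou=it,o=acme",                   # admin-policy: direct user assignment
               "cn=eve,o=other"):                         # default-policy: nothing in scope
        print(dn, "->", effective_policy(dn, SAMPLE_ASSIGNMENTS, SAMPLE_PARTITION_ROOTS))
    acme = PasswordPolicy("acme-policy", excluded=("acme",), verify_on_login=True)
    print(check_password(acme, "Acme2024!"), login_requires_change(acme, "Acme2024!"))
```

The walk in effective_policy stops at the first partition root above the user because the page scopes a partition-root assignment to "all users in that partition"; bob therefore gets acme-policy rather than hr-policy, which is exactly the sub-container case that step 8 warns about.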

18.2.3 Modifying a Password Policy

To modify an existing password policy, perform the following steps:

  1. Click Authentication Management > Password Policies on the Identity Console landing page.

  2. Select the appropriate Password Policy from the list and click the icon.

  3. Make the necessary changes in the Modify Password Policy page and click Save.

Figure 18-11 Modifying a Password Policy

18.2.4 Deleting Password Policies

To delete password policies, perform the following steps:

  1. Click Authentication Management > Password Policies on the Identity Console landing page.

  2. Select the password policies to delete from the list and click the icon.

  3. In the next warning screen, click OK.

  4. A confirmation message appears indicating that the password policies have been deleted.

Figure 18-12 Deleting a Password Policy