3.3 Prerequisite Tasks for Using Password Policies

If you want to take advantage of all the features of password policies, you need to complete some steps to prepare your environment.

  1. Upgrade your environment to support Universal Password.

    For more information, see Section 2.0, Deploying Universal Password.

  2. If you want to use the Microsoft Server 2008 Password Policy option, ensure that you upgrade to eDirectory 8.8 SP7, which includes NMAS 3.3.4.

  3. Upgrade your client environment to support Universal Password.

    See Section 3.2.3, Planning Login and Change Password Methods for your Users, and Section 2.0, Deploying Universal Password.

  4. If you did not run the iManager Configuration Wizard when you set up iManager, either as part of the iManager install or post-installation, you must run it now. For information on how to run the iManager Configuration Wizard, see the “Role-Based Services” section in the Novell iManager 2.7.5 Administration Guide.

    IMPORTANT: After you run the iManager Configuration Wizard, iManager runs in RBS mode. This means that administrators do not see any tasks unless they have assigned themselves to specific roles. Make sure you assign administrators to roles to give them access to all the iManager tasks.

  5. Install the Novell iManager Password Management plug-in.

    This is available for download at the Novell Downloads Web site.

    IMPORTANT: If you upgrade to the latest version of the Novell iManager Password Management plug-in without first upgrading eDirectory and then try to modify or create a password policy, iManager displays an error.

  6. Make sure that SSL is configured between the iManager Web server and eDirectory, even if they are running on the same machine.

    This is a requirement for NMAS 2.3 or later, and for Step 7.

  7. Make sure the LDAP Group-Server object in eDirectory is configured to require TLS for simple bind.

    This is the default setting when you configure iManager. Requiring TLS for simple bind is strongly recommended for Password Self-Service functionality, and is required for using the iManager task Passwords > Set Universal Password.

    If you are requiring TLS for simple bind, no additional configuration is needed for the LDAP SSL port.

    IMPORTANT: If you choose not to require TLS for simple bind, this means that users are allowed to log in to the iManager self-service console by using a clear-text password.

    You can use this option, but another step is required.

    By default, the Password Self-Service functionality assumes that the LDAP SSL port is the one specified in the System.DirectoryAddress setting in the PortalServlet.properties file. If your LDAP SSL port is different, you must indicate the correct port by adding the following key pair to the PortalServlet.properties file:

    LDAPSSLPort=your_port_number
    

    For example, if you are running Tomcat, you would add this key pair in the PortalServlet.properties file in the tomcat\webapps\nps\WEB-INF directory.

  8. To enable e-mail notification for Forgotten Password features, complete the steps in Section 4.6, Configuring E-Mail Notification for Password Self-Service.

    You must set up the SMTP server and customize the e-mail templates.

  9. (NetWare 6.5 users only) If you have previously set up Universal Password for use with NetWare 6.5, complete the steps in Section 3.3.1, Re-Creating Universal Password Assignments.

You are now ready to use all the features of password policies. Create policies as described in Section 3.4, Creating Password Policies.

3.3.1 Re-Creating Universal Password Assignments

If you have previously set up Universal Password for use with NetWare 6.5, you must remove the old password policies and use the new plug-ins and password policies.

  • The NMAS plug-ins that were used in NetWare 6.5 for Universal Password are no longer available. Instead, you use Passwords > Password Policies, which offers more features.

  • The first time you use the Password Policies in the new plug-ins, you see three policy objects in the list that cannot be edited:

    • Universal Password On

    • Universal Password Off

    • Universal Password On - S

    These objects were used for the NetWare 6.5 implementation of Universal Password. To take advantage of the additional benefits of password policies provided by Identity Manager, you need to remove them.

To remove the old policy objects and re-create your policies:

  1. Decide where you want Universal Password enabled in your tree:

    • If you want it turned on for the same containers as when you set up Universal Password the first time with the NetWare 6.5 plug-ins, continue with Step 2.

    • If you want it turned on everywhere in your tree, simply create a new password policy with Universal Password enabled and assign it to the Login Policy object. Then continue with Step 4 to remove the old policies.

  2. Find out where in the tree you had previously enabled Universal Password when you set it up using the plug-ins that shipped with NetWare 6.5.

    This step is necessary because the plug-ins do not display where the assignments were made using the old plug-ins. Instead, you find them by searching the tree.

    1. Search the tree for objects that have the nspmPasswordPolicyDN attribute populated with one of the following values:

      • Universal Password On

      • Universal Password On - S

    2. Make a note of all the containers that are the results of the search. These are the containers where Universal Password is turned on.

  3. If you want Universal Password assigned in the same containers where you had assigned it previously, create one or more new password policies with Universal Password enabled and assign them to the same containers.

    Refer to the list of containers from Step 2 to make sure your assignments match.

  4. Go to Passwords > Password Policies and remove the policy objects that remain from the first NetWare 6.5 implementation:

    • Universal Password Off

    • Universal Password On

    • Universal Password On - S

After removing the old policy objects, you can use new password policies to meet your password needs.
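
The tree search in Step 2 can be scripted against an LDIF export. The following is an added example, not part of the original documentation: it parses LDIF returned by an LDAP search for objects that have nspmPasswordPolicyDN populated and lists the ones that point at the legacy "on" policies. The tree, the container names and the DN of the policy container are constructed sample values.

```python
import base64

# Legacy NetWare 6.5 policy names that mean Universal Password is on (Step 2).
LEGACY_ON = {"universal password on", "universal password on - s"}

# Constructed sample LDIF (made-up tree); shows a folded line and a base64 value.
_B64 = base64.b64encode(b"cn=Universal Password On - S,cn=Password Policies,cn=Security").decode()
SAMPLE_LDIF = f"""\
dn: ou=Sales,o=Acme
nspmPasswordPolicyDN: cn=Universal Password On,cn=Password Policies,cn=Secur
 ity

dn: ou=Eng,o=Acme
nspmPasswordPolicyDN:: {_B64}

dn: ou=HR,o=Acme
nspmPasswordPolicyDN: cn=Universal Password Off,cn=Password Policies,cn=Security

dn: ou=Ops,o=Acme
nspmPasswordPolicyDN: cn=Ops Policy,cn=Password Policies,cn=Security
"""

def parse_ldif(text):
    """Yield (dn, {attr_lowercase: [values]}) for each LDIF entry."""
    lines = text.replace("\n ", "").splitlines()  # unfold continuation lines
    entry = {}
    for line in lines + [""]:  # trailing "" flushes the last entry
        if not line.strip():
            if "dn" in entry:
                yield entry.pop("dn")[0], entry
            entry = {}
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            if value.startswith(":"):  # "attr:: <base64>" form
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            entry.setdefault(attr.lower(), []).append(value.strip())

def legacy_up_containers(ldif_text):
    """Return (object DN, policy name) pairs that reference a legacy 'on' policy."""
    hits = []
    for dn, attrs in parse_ldif(ldif_text):
        for policy_dn in attrs.get("nspmpasswordpolicydn", []):
            # Leftmost RDN value; the legacy names contain no escaped commas.
            name = policy_dn.split(",", 1)[0].partition("=")[2].strip()
            if name.lower() in LEGACY_ON:
                hits.append((dn, name))
    return hits

if __name__ == "__main__":
    print(legacy_up_containers(SAMPLE_LDIF))
```

The returned DNs are the list of containers to carry into Step 3 before the old policy objects are removed in Step 4.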