The following sections describe how to manage forgotten passwords using iManager.
For information on managing forgotten passwords by using the Identity Manager User Application, see “Password Management Configuration” in the Novell Identity Manager 4.0.1 User Application Administration Guide.
To enable users to recover from a forgotten password without contacting the help desk, enable the Forgotten Password feature. As the following figure illustrates, you encounter this option while using the Password Policy Wizard to create a password policy. For more information on the Password Policy Wizard, see To create a challenge set while using the Password Policy Wizard:
Figure 4-1 Enable Forgotten Password
You can also enable Forgotten Password on an existing password policy:
In iManager, click> .
Click the name of the policy.
Select, select or create a challenge set, specify an action, select the option, then click .
A challenge set is a set of questions that a user answers to prove his or her identity, instead of using a password. The challenge set is assigned to a password policy and is used as part of a password policy's method of authentication. Users’ answers to these challenge questions are case insensitive.
You can use challenge sets as part of providing Forgotten Password self-service for users. Requiring a user to answer challenge questions before receiving forgotten password help provides an additional level of security.
When you create a password policy, you can enable Forgotten Password self-service so that users can get help without calling the help desk. To make self-service more secure, you can create a challenge set and specify that users must answer the challenge set questions before obtaining forgotten password help. You also specify what action takes place to help users after they answer the questions, such as displaying a password hint to the user. These self-service features are available to users through Novell iManager. Your choices are explained in Section 4.3.3, Selecting a Forgotten Password Action.
In iManager, click> .
Type a name in thefield, select a container for the challenge set to be created in, then select or create challenge questions.
To select a default question in the challenge set, select its check box.
To edit a question or the number of characters (minimum or maximum) allowed for responses, click the question.
To create a question and add it to the challenge set, click.
User Defined: If you select this option, users can create their own challenge question.
NMAS stores a user's user-defined questions and responses in Novell eDirectory.
Required Questions: Questions in this list always appear when a user uses Password Self-Service.
Random Questions: Questions in this list appear only once as a complete set, when the user sets up Forgotten Password by answering the challenge set questions for the first time. When the user later needs to use Forgotten Password, only a few of the questions are presented for the user to answer. The number of random questions that appear depends on the number that you specify.
In iManager, launch the Wizard by clicking> > .
In Step 4, clickto enable Forgotten Password.
In Step 5, select Require a Challenge Set and then click New challenge set.
To use an existing challenge set, browse for and select it.
Specify the container you want the challenge set created in. Type a name in thefield, then click .
Select or create required or random challenge questions.
If you don't want to create new questions, select existing ones.
To enable users to add their own questions, select.
To create a new question:
Select, click , specify a language from the drop-down menu, type the question, then click .
Select whether the question is required or random.
Specify minimum and maximum characters required, then click
Specify the number of random question, then click.
Complete the remaining steps in the Password Policy Wizard.
In iManager, click> .
Click the name of a policy.
Browse for and select an existing challenge set or create a new one and then select the new one.
To create a new one:
In the Challenge Sets dialog box, click.
In the Challenge Sets dialog box, name the challenge set, specify a container to create the challenge set in, select or add required or random questions, then specify the number of random questions to ask.
In iManager, click> .
Click the name of the policy.
Select an action.
Allow User to Reset Password: After answering the challenge set questions to prove his or her identity, the user is allowed to change to a new password. Because the user has authenticated through answering the challenge questions, the user is allowed to change the password without being required to provide the old password. To use this option, you must require a challenge set, and the user must have previously set up Forgotten Password in the iManager portal by answering the challenge set questions.
E-mail Current Password to User: After answering the challenge set questions to prove his or her identity, the user receives the current password in an e-mail. To use this option, you must do the following:
Enable Universal Password for the policy. It is found inunder .
Enable theoption, found in under .
Set up e-mail notification as described in Section 4.6, Configuring E-Mail Notification for Password Self-Service.
Also, the user must have previously set up Forgotten Password in iManager by answering the challenge set questions.
E-mail Hint to User: The user receives the password hint in an e-mail. To use this option, you must set up e-mail notification as described in Section 4.6, Configuring E-Mail Notification for Password Self-Service.
Also, the user must have previously set up Forgotten Password in iManager by providing a password hint.
Show Hint on Page: The user is shown the password hint in the iManager portal. To use this option, the user must have previously set up Forgotten Password in iManager by providing a password hint.
If you specify a Forgotten Password action that requires password hint, the user can enter a hint that is a reminder of the password.
The Password Hint attribute (nsimHint) is publicly readable, to allow unauthenticated users who have forgotten a password to access their own hints. Password hints can significantly reduce help desk calls.
For security, password hints are checked to make sure they do not contain the user's actual password. However, a user could still create a password hint that gives too much information about the password.
To increase security when using password hints:
Allow access to the nsimHint attribute only on the nds-cluster-config server used for Password Self-Service.
Remind users to create password hints that only they would understand. The Password Change Message in the password policy is one way to do that. See Section 4.5, Adding a Password Change Message.
The Secure Hint attribute (nsimPasswordReminder) is more secure because it is not publicly readable. It requires the user to answer challenge questions before the hint is displayed.
The challenge/response requirement is set in the Forgotten Password section of the Password Policy properties.
If you choose not to use a password hint, make sure you don't use it in any of the password policies. To prevent password hints from being set, you can go a step further and remove the Hint Setup gadget completely, as described in Section 4.3.4, Disabling Password Hint by Removing the Hint Gadget.
Password Hint is one method of helping users remember a password as part of Forgotten Password Self-Service. In the password policy, the Forgotten Password actions that use Password Hint are named E-mail Hint to User and Show Hint on Page.
For Password Hint to be useful to a user who has forgotten a password, unauthenticated users must have public access to the Password Hint attribute (nsimHint). Although Password Self-Service checks the password hint to make sure that the user has not included the actual password within the hint, you might still consider this public access to be a security issue.
If you don't want to use password hints, choose a different option for the Forgotten Password action in the password policy.
If you prefer to, you can remove the Hint Setup gadget completely. After installing the Identity Manager plug-ins for iManager, use the Configure view to remove the Hint Setup gadget by doing the following:
In iManager, click theicon .
From the list of gadgets, select.
After you delete the gadget, Hint Setup is no longer available to the user. The post-authentication services query for the existing gadgets before adding them to the delegation list. Regardless of what the policy states for post-authentication services, if the gadget does not exist, the service is not presented to the user by the post-authentication services or in the iManager portal.
After you delete the Hint gadget, make sure you don't selector as the forgotten password action in the password policy.
Clicking the https://www.servername.com/nps by default) does not work for the user unless the following conditions are met:link when logging in to the portal (
The administrator has set up a password policy with Forgotten Password enabled.
The user has set up challenge questions or a password hint, if either of them is specified in the Forgotten Password setting.
For some Forgotten Password actions, the user must do some setup before using the Forgotten Password self-service. For example, if the password policy specifies that a challenge set is used to allow a user to prove identity, and if the forgotten password action is to e-mail a password hint to the user, the user must first answer challenge-set questions and create a password hint before being able to use Forgotten Password Self-Service.
Users can initiate setting up these features in the portal, or you can require that users set them up by using post-authentication services, which are pages displayed when users log in to the portal.
To prompt users to set up these features at login time, select theoption in the Password Policies interface at the bottom of the Forgotten Password page. This is selected by default when you create a policy.
Figure 4-2 Password Policy
To let users set up Forgotten Password at a time of their choice, you need to give them the URL for the portal, such as https://www.my_iManager_server.com/nps.
There are two ways the user's part of the configuration can be accomplished:
The administrator can require the user to set up Forgotten Password features after a successful login by selecting the https://www.servername.com/nps by default). This is called post-authentication setup.option to force the user to configure challenge questions or a hint upon authentication. If this option is selected, but a user does not have questions or a hint set up, Forgotten Password configuration gadgets are displayed to the user the next time he or she logs in through the portal (
When users log in through the iManager portal, iManager gives them access to the gadgets for setting up or changing challenge sets and password hints for Forgotten Password Self-Service. This is the same place where users can initiate a password change. They can access the following gadgets here:
Answer Challenge Questions
Change Password (Universal)
The user can initiate changing these at any time. But if a hint or challenge set is not required for the user's password policy, the user cannot set them up. The page displays a message indicating that the options are not accessible.
To see specific examples of how these user options look in each application (iManager 2.02 portal, User Application portlet, Novell Client, and Virtual Office), refer to the documentation for each application as outlined in Section 4.1, Overview of Password Self-Service.
If you create or change a password policy, you can require users to change existing passwords that don't comply the next time they log in through the portal.
To do this, set an option in the password policy by using thetab under . The option is called . By default, this option is turned off when you create a new password policy. The following figure illustrates the page where you set this option:
Figure 4-3 Requiring Existing Passwords to Comply
If this option is set, the next time users log in through the portal, their passwords are checked for compliance with the password policy. If the password does not comply, a page similar to the following is displayed, and the user is not allowed to log in without changing the password.
Figure 4-4 Change Password
After you have installed the iManager plug-ins that shipped with Identity Manager, the https://www.servername.com/nps by default), as illustrated in the following figure.link shows up in the iManager portal (
Figure 4-5 Forgotten Password in iManager
A similar link is displayed when authenticating through Virtual Office and the Novell Client.
If a user clicks this link, the following page is displayed, asking for the user name:
Figure 4-6 Forgotten Password in Virtual Office and Novell Client
After the user name is entered, the Forgotten Password settings determine what the user sees.
For example, if the administrator specified in the password policy that a challenge set is used, a page similar to the following is displayed. The user must then answer challenge set questions to prove his or her identity.
Figure 4-7 Forgotten Password Challenge Questions
If the Administrator specified that the Forgotten Password action is, a page similar to the following is displayed:
Figure 4-8 Forgotten Password Hint
If the Administrator specified that the Forgotten Password action isor , a message is displayed saying that the password or hint has been e-mailed. The user receives an e-mail similar to the following:
Figure 4-9 Password Hint E-Mail