5.3 Manually Configuring Self Service Password Reset

If you choose to manually configure Self Service Password Reset, there are a number of different tasks you must perform. Complete the following tasks in the order listed, to manually configure Self Service Password Reset and your environment.

  1. Gather the information listed in the worksheet.

    For more information, see Self Service Password Reset Configuration Worksheet.

  2. Manually configure your LDAP directory by extending the schema and assigning permissions.

    For more information, see Configuring the LDAP Directories.

  3. Manually create an LDAP profile in the Self Service Password Reset Configuration Editor.

    For more information, see Creating an LDAP Profile for Your Environment.

  4. Manually configure your external database to store the challenge-response information.

    For more information, see Configuring Databases.

  5. Manually define the database settings in the Self Service Password Reset Configuration Editor.

    For more information, see Configuring Self Service Password Reset to Work with the External Database.

After you have completed the manual configuration of your environment, you can now configure Self Service Password Reset. Proceed to Section 6.0, Configuring Self Service Password Reset.

5.3.1 Exporting LDAP Certificates

To create a secure channel of communication between LDAP and Self Service Password Reset, Self Service Password Reset must trust the LDAP server’s certificates. You must export the LDAP server certificates so that they are available during the manual configuration of Self Service Password Reset.

To export the LDAP server certificates:

  1. Identify the certificates you want to use. You can use one of the following certificates:

    A certificate issued by a recognized commercial certificate authority (CA):

    The certificate of this type of CA must be present in the certificate database. If the server name in the LDAP URL is identical to the common name (CN) of the certificate, the certification process is complete.

    A certificate issued by a private certificate authority such as Microsoft Active Directory:

    In this case, the certificates of this CA must be imported into the Java certificate database.

    A self-signed certificate:

    In this case, import the self-signed certificate into the Java certificate database.

  2. Export the certificates from the LDAP server.

    eDirectory

    To export certificates from eDirectory, see Exporting the SSL Certificate Using iManager.

    Microsoft Active Directory

    To export certificates from Microsoft Active Directory, see Exporting the LDAPS Certificates and Importing for Use with AD DS.

    Oracle Directory Server

    To export certificates from Oracle Directory Server, see Managing Certificates.

  3. Ensure that the exported certificate is accessible from a computer that you will use to configure Self Service Password Reset.

After you have your LDAP certificate, you must manually configure the LDAP directories to work with Self Service Password Reset. Proceed to Configuring the LDAP Directories.

5.3.2 Configuring the LDAP Directories

To allow Self Service Password Reset to store the challenge-response information in an LDAP directory, you must extend the LDAP directory schema and assign specific permissions to attributes in the LDAP directory. This allows Self Service Password Reset to manage the passwords for your users.

Self Service Password Reset provides .ldif files that manually extend the schema for the LDAP directories and change the permissions that allow Self Service Password Reset to work. The .ldif files are included in the Configuration Guide for the appliance or for the Windows installer. You can also access the .ldif files on your Self Service Password Reset application at https://sspr.server.com/sspr/public/reference/.

WARNING: Extending the schema and changing rights in your LDAP directory permanently changes the LDAP directory. Ensure that your LDAP directory administrator performs these steps. If the directory is not healthy or there are communication problems in your network, changing the schema can cause problems.

Self Service Password Reset contains an LDAP Permissions tool that reads your Self Service Password Reset configuration file. The LDAP Permissions tool lists all of the required rights for your environment depending on the components of Self Service Password Reset you have enabled. The rights listed in the tool change depending on the Self Service Password Reset modules you enable. The following steps are guidelines for what rights you need in your environment for Self Service Password Reset to work. It is best to use the LDAP Permissions tool to see all of the rights specific to your deployment of Self Service Password Reset. For more information, see Viewing LDAP Permissions Recommendations.

Use the following information to extend the LDAP directory schema and assign rights:

Configuring eDirectory

Before you extend the schema or change any rights to make Self Service Password Reset work with eDirectory, you must install the iManager Password Management plugin and enable the Universal Password policy. For more information, see Managing Password in the eDirectory Administration Guide.

Self Service Password Reset uses eDirectory attributes to store the following user data:

  • The last time a user changed the password

  • The last time Self Service Password Reset sent an email notification to the user about password expiry

  • Secret questions and answers

Use the following information to modify eDirectory:

Extending the eDirectory Schema

You must use eDirectory tools to extend the eDirectory schema with the edirectory-schema.ldif file. You can access this file here: https://sspr.server.com/sspr/public/reference. Depending on your platform, you must use a different eDirectory tool to extend the schema. The steps for extending the schema are in the eDirectory documentation. For more information, see Manually Extending the Schema in the NetIQ eDirectory Administration Guide.

The edirectory-schema.ldif file adds the following Self Service Password Reset attributes to the eDirectory schema:

  • pwmEventLog

  • pwmResponseSet

  • pwmLastPwdUpdate

  • pwmGUID

  • pwmOTPsecret

Modifying eDirectory Rights to Grant Permissions

Self Service Password Reset requires permission to perform all operations in eDirectory. For instructions on how to change eDirectory rights, see eDirectory Rights in the eDirectory Administration Guide.

You must modify the edirectory-rights.ldif file before you use it in your environment.

Set up the following user rights:

Proxy User Rights

Users with generic proxy user rights perform operations such as pre-authentication. Proxy users need the following rights to user containers:

  • Browse rights to [Entry Rights]

  • Read and Compare rights to the pwmResponseSet and common name (CN) attributes

  • Read, Compare, and Write rights to objectClass, passwordManagement, pwmEventLog, and pwmLastPwdUpdate

    IMPORTANT: If you enable the New User Registration module for Self Service Password Reset, you must enable the Create right to the [Entry Rights]. The edirectory-rights.ldif file does not add this right. To add the Create right to the [Entry Rights], use the Modify Trustees task of the Rights role in iManager.

Authenticated User Rights

Users with authenticated user rights perform operations based on the permissions associated with the user’s connection. Authenticated users need the following rights for their own user entries:

  • Browse rights to [Entry Rights]

  • Read, Compare, and Write rights to pwmResponseSet

  • Write rights, Inherited rights to [This] for pwmLastPwdUpdate
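The Proxy User and Authenticated User rights listed above, expressed as an eDirectory ACL LDIF that you could use as a starting point when tailoring edirectory-rights.ldif to your tree. This is an added example and not SSPR's own file: it assumes eDirectory's privileges#scope#subjectname#protectedattrname ACL value syntax with the bit values Compare=1, Read=2, Write=4 (attribute rights) and Browse=1 (entry rights), which you should verify against the eDirectory Rights guide referenced above; the inherited rights are modelled with subtree scope, and every DN is a constructed placeholder.

```python
# Added example (not SSPR's edirectory-rights.ldif). Assumes eDirectory's ACL
# value syntax "privileges#scope#subjectname#protectedattrname" with attribute
# privilege bits Compare=1, Read=2, Write=4 and entry privilege bit Browse=1;
# check these against the eDirectory Rights guide before use. "Inherited"
# rights are modelled with subtree scope. All DNs below are constructed.
COMPARE, READ, WRITE = 1, 2, 4   # attribute rights bits (assumed)
BROWSE = 1                        # entry rights bit (assumed)
ENTRY_RIGHTS = "[Entry Rights]"
THIS = "[This]"                   # the entry being accessed, i.e. the user itself


def acl_value(privileges: int, subject: str, attribute: str,
              scope: str = "subtree") -> str:
    """Format one ACL attribute value; '#' is the field separator."""
    if "#" in subject or "#" in attribute:
        raise ValueError("'#' is reserved as the ACL field separator")
    if scope not in ("entry", "subtree"):
        raise ValueError("scope must be 'entry' or 'subtree'")
    return f"{privileges}#{scope}#{subject}#{attribute}"


def sspr_acls(proxy_dn: str) -> list:
    """ACL values for the Proxy User and Authenticated User rights."""
    acls = [acl_value(BROWSE, proxy_dn, ENTRY_RIGHTS)]
    for attr in ("pwmResponseSet", "CN"):
        acls.append(acl_value(READ | COMPARE, proxy_dn, attr))
    for attr in ("objectClass", "passwordManagement",
                 "pwmEventLog", "pwmLastPwdUpdate"):
        acls.append(acl_value(READ | COMPARE | WRITE, proxy_dn, attr))
    # Authenticated users operate on their own entry, expressed as [This].
    acls.append(acl_value(BROWSE, THIS, ENTRY_RIGHTS))
    acls.append(acl_value(READ | COMPARE | WRITE, THIS, "pwmResponseSet"))
    acls.append(acl_value(WRITE, THIS, "pwmLastPwdUpdate"))
    return acls


def rights_ldif(container_dns, proxy_dn: str) -> str:
    """One LDIF 'changetype: modify' record per user container."""
    records = []
    for dn in container_dns:
        lines = [f"dn: {dn}", "changetype: modify", "add: ACL"]
        lines += [f"ACL: {v}" for v in sspr_acls(proxy_dn)]
        lines.append("-")              # terminates the mod-spec (RFC 2849)
        records.append("\n".join(lines))
    return "\n\n".join(records) + "\n"


if __name__ == "__main__":
    # Constructed DNs; replace with your own before feeding this to ldapmodify.
    print(rights_ldif(["ou=users,o=example"],
                      "cn=sspr-proxy,ou=services,o=example"))
```

Review the generated records with your directory administrator and apply them with the eDirectory tool of your choice; the Create entry right needed by New User Registration is deliberately not included, matching the IMPORTANT note above.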

Other Rights

Depending on the Self Service Password Reset configuration, users might need other rights assigned as well. In most cases, Self Service Password Reset interacts with the directory by using the user's LDAP connection. The user must have LDAP rights to execute operations. For example:

  • Update Profile Module: Users must have all rights to read attributes that are part of the Update Profile module and Write rights to any attributes they must write to.

  • Help Desk Module: Users must have Read rights to search and display attributes of users whom they administer. Users must also have Write rights to any attributes modified by the Help Desk module through configured actions or password setting and unlocking accounts.

Configuring Active Directory

If you intend to install Self Service Password Reset with Active Directory and you want the challenge-response information to be stored in Active Directory, you must extend the schema and assign user rights to store data in Active Directory.

After you extend the directory schema, you must give permissions to access objects, including the group policy, organizational units, and containers. Assigning user rights includes authorizing read or write rights to Self Service Password Reset directory schema attributes.

The Active Directory schema extension executable extends the schema on the server and enables you to assign user rights. You must determine containers and organizational units that need Self Service Password Reset access. You must know their distinguished names (DN) so that you can assign rights to each container and organizational unit separately.

You can also extend the Active Directory schema to the root of the domain and assign rights to each container and the organizational unit below the root.

Extending the Active Directory Schema

You must use Active Directory tools to extend the schema. You use the AD-schema.ldif file provided here https://sspr.server.com/sspr/public/reference/ to extend the schema.

Log in as the domain administrator and run the schema extension file on an Active Directory domain controller or on a computer that is connected to the Active Directory domain. Follow the instructions provided in the Microsoft documentation. For more information, see Methods for Extending Schema.

The .ldif file adds the following Self Service Password Reset attributes to the directory schema:

  • pwmEventLog

  • pwmResponseSet

  • pwmLastPwdUpdate

  • pwmToken

  • pwmOTPSecret

In a multi-server environment, schema updates occur after server replication. To ensure that the schema is synchronized throughout your environment, you can perform a schema cache update. For more information, see Schema Cache.

Assigning User Rights

To store the data against the new Self Service Password Reset schema attributes, assign user permissions to objects in the directory. Assign rights to the attributes added through the schema extension to all of the objects that access the Self Service Password Reset data, including the following:

  • User objects

  • User containers

  • Group policies

  • Organizational units

If you assign rights to containers and organizational units, the rights filter down to the associated user objects.

IMPORTANT: Do not assign rights at the user level or object level.

To assign rights, use the Microsoft documentation. For more information, see Configuring User Rights.

Configuring the Oracle Directory

You must extend the schema and assign permissions for the Oracle Directory Server to store the challenge-response information. This allows Self Service Password Reset to manage the passwords for the users.

Extending the Schema for the Oracle Directory Server

You must use Oracle tools to extend the schema. You use the OracleDS-schema.ldif file to extend the schema. The file is available here: https://sspr.server.com/sspr/public/reference/.

To extend the Oracle schema for Self Service Password Reset, use the Oracle documentation. For more information, see Extending Directory Server Schema.

The OracleDS.ldif file adds the following Self Service Password Reset attributes to the Oracle Directory Server schema:

  • pwmEventLog

  • pwmResponseSet

  • pwmLastPwdUpdate

  • pwmGUID

  • pwmOTPsecret

Assigning Rights for the Oracle Directory Server

You must change the permission for the Oracle Directory attributes to store the following users’ data:

  • The last time when a user changed the password

  • The last time when Self Service Password Reset sent an email notification to the user about password expiry

  • Secret questions and answers

The permissions for the Oracle Directory Server and eDirectory are similar. The permission information provided for eDirectory also applies to the Oracle Directory Server.

Self Service Password Reset requires permission to perform operations in Oracle Directory. The following rights are required:

Use the OracleDS-right.ldif file to make the permissions changes for your environment. You must modify this file for your environment for the file to work.

5.3.3 Creating an LDAP Profile for Your Environment

After you have manually configured your LDAP directory, you must now create an LDAP profile for your environment in the Self Service Password Reset Configuration Editor. You will use the information from the worksheet to configure the LDAP Profile.

However, you must know additional information to manually create an LDAP profile. You must know:

  • A user name attribute you want to use when viewing users in Self Service Password Reset

  • A GUID attribute that is unique to all users that are managed by Self Service Password Reset

  • Attributes to use for logging in to Self Service Password Reset

  • Attribute used for user groups

For instructions and more information, see Configuring LDAP Directory Profile.

5.3.4 Configuring Databases

Self Service Password Reset uses two types of databases:

  • Local Database: Self Service Password Reset uses a local database for storing local data. The local database requires no administration or maintenance and the default values are sufficient.

  • External Database: Self Service Password Reset uses an external database to store data for certain functions. Any standard JDBC database that supports a standard Java JDBC driver works. Self Service Password Reset connects to the database and creates the necessary tables. You can configure multiple Self Service Password Reset instances to the same database instance. Self Service Password Reset officially supports MS SQL database and Oracle database.

You must manually configure the database to save the challenge-response information from Self Service Password Reset. You must work with a database administrator to complete the tasks.

To configure the database:

  1. Create a database.

    For more information about how to create a database, see the related product documentation.

  2. Create a database administrator for that database. You must specify this administrator during Self Service Password Reset configuration.

  3. Create a user and associate it with the database you created in Step 1.

  4. (Conditional) If you are using the Microsoft SQL database, ensure that SQL Server Authentication mode is enabled for the user and that the user has suitable rights to open the database. For more information, see Choosing an Authentication Mode.

5.3.5 Configuring Self Service Password Reset to Work with the External Database

After you have created the external database, you must configure Self Service Password Reset to communicate with the database. Self Service Password Reset uses the JDBC driver for the specific database. Download the JDBC driver from the vendor’s website to connect to the JDBC database.

To configure an external database to store the challenge-response information:

  1. Ensure that you have downloaded the JDBC driver from the vendor’s website.

  2. Log in to Self Service Password Reset at https://dns-name/sspr as an administrator.

  3. In the toolbar, click your name.

  4. Click Configuration Editor > Default Settings.

    1. Select the LDAP directory type you are using.

    2. Select where to store information as Remote Database.

    3. Click Save.

  5. (Conditional) If you are using anything other than Active Directory to store challenge-response information in an external database, click Modules > Forgotten Password > Settings.

    1. Set Response Read Location to Database.

    2. Set Response Write Location to Database.

    3. Click Save.

  6. Click Settings > Database (Remote) > Connection.

  7. Use the following information to configure the database connection:

    Database Driver

    Upload the JDBC database driver you downloaded from the vendor’s website.

    Database Class

    Specify the Java class name of the JDBC driver. For example:

    • Microsoft SQL: com.microsoft.sqlserver.jdbc.SQLServerDriver

    • Microsoft SQL using jTDS: net.sourceforge.jtds.jdbc.Driver

    • Oracle: oracle.jdbc.OracleDriver

    Database Connection String

    Specify the database connection string that configures the Java JDBC database driver with the information required to reach your database server, such as IP address, port number, and database name. For example:

    • Microsoft SQL: jdbc:sqlserver://host.example.net:port;databaseName=SSPR

    • Microsoft SQL using jTDS: jdbc:jtds:sqlserver://host.example.net:port/SSPR

    • Oracle: jdbc:oracle:thin:@//host.example.net:1521/SSPR

    Database User Name

    Specify the name of the user who can connect to the database.

    Database Password

    Specify a password for the database user.

    Database Vendor

    Select the vendor for your database. The options are Other or Oracle.

  8. Click Test Database Connection to validate the information you entered.

  9. Click Save.
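A small pre-flight check for the Connection page above, added here as an example and not part of Self Service Password Reset: it parses the three connection string shapes shown in step 7, reports the literal port placeholder from those examples if it was left in place, and confirms that the Database Class and Database Vendor fields agree with the connection string before you click Test Database Connection. The host names and ports in the test values are constructed.

```python
# Added example, not part of SSPR. Parses the three JDBC URL shapes shown on
# this page and checks that the Database Class and Database Vendor fields
# agree with the URL, catching the common mistake of leaving the literal
# "port" placeholder from the examples in place.
import re
from dataclasses import dataclass


@dataclass
class JdbcTarget:
    vendor: str      # "sqlserver", "jtds" or "oracle"
    host: str
    port: int
    database: str


_PATTERNS = {
    "sqlserver": re.compile(r"^jdbc:sqlserver://([^:;/]+):(\d+);databaseName=([^;]+)$"),
    "jtds": re.compile(r"^jdbc:jtds:sqlserver://([^:/]+):(\d+)/([^;?]+)$"),
    "oracle": re.compile(r"^jdbc:oracle:thin:@//([^:/]+):(\d+)/([^?]+)$"),
}

# Database Class values listed on this page, keyed by URL shape.
DRIVER_CLASS = {
    "sqlserver": "com.microsoft.sqlserver.jdbc.SQLServerDriver",
    "jtds": "net.sourceforge.jtds.jdbc.Driver",
    "oracle": "oracle.jdbc.OracleDriver",
}


def parse_jdbc_url(url: str) -> JdbcTarget:
    """Extract vendor, host, port and database name from a connection string."""
    url = url.strip()
    for vendor, pattern in _PATTERNS.items():
        m = pattern.match(url)
        if m:
            host, port, database = m.groups()
            return JdbcTarget(vendor, host, int(port), database)
    if ":port" in url:
        raise ValueError("replace the 'port' placeholder with the TCP port")
    raise ValueError(f"unsupported or malformed JDBC URL: {url!r}")


def check_connection_settings(url: str, database_class: str,
                              database_vendor: str) -> JdbcTarget:
    """Validate the Connection page fields together; raises on any mismatch."""
    target = parse_jdbc_url(url)
    if DRIVER_CLASS[target.vendor] != database_class:
        raise ValueError(f"Database Class {database_class!r} does not match the "
                         f"URL; expected {DRIVER_CLASS[target.vendor]!r}")
    expected_vendor = "Oracle" if target.vendor == "oracle" else "Other"
    if database_vendor != expected_vendor:
        raise ValueError(f"Database Vendor should be {expected_vendor!r}")
    return target
```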