4.2 Configuring LDAP Settings

Self Service Password Reset enables you to configure settings to control interactions of Self Service Password Reset with the LDAP directory that contains your users. You can select a template to configure the settings. Self Service Password Reset provides templates to set default settings for your back-end directories. Changing the template only affects default values. You can change the template at any time. Changing a template does not affect the modified settings.

Self Service Password Reset provides the following templates for supported directories:

  • eDirectory

  • Active Directory

  • Oracle Directory Server

  • Identity Manager/OAuth Integration

To configure Identity Manager/OAuth Integration, see Identity Manager, Section 11.0, Integrating Self Service Password Reset with NetIQ Identity Manager, and Section 9.0, Integrating Self Service Password Reset with NetIQ Access Manager.

Use the following information to configure the settings for the other LDAP directory templates.

4.2.1 Configuring the Global LDAP Settings

The Global settings control the interaction with an LDAP directory. These settings do not apply to an individual LDAP profile. For more information about configuring LDAP for a profile, see Configuring LDAP Directory Profile.

To configure the Global LDAP settings:

  1. Log in to Self Service Password Reset at https://dns-name/sspr as an administrator.

  2. In the toolbar, click your name.

  3. Click Configuration Editor.

  4. Select the LDAP directory template for your LDAP directory.

    1. Click Default Settings > LDAP Vendor Default Settings, then select the LDAP directory you are using.

      NOTE: If you select NetIQ eDirectory, you can also configure NMAS settings. See Configuring NetIQ eDirectory Settings.

    2. In the toolbar, click Save changes.

  5. In the toolbar, click your name.

  6. Click Configuration Editor.

  7. Click LDAP > LDAP Settings > Global.

  8. Configure the following settings:

    LDAP Idle Timeout

    Specify the amount of time an LDAP session can remain inactive before the session times out and the user must authenticate again. If you specify 0 (zero), the LDAP connection does not time out for the life of the HTTP session unless you close it.

    User Object Class

    Specify the object classes of user entries in your LDAP directory.

    Follow LDAP Referrals

    Select this option if you want Self Service Password Reset to follow the LDAP referrals.

    LDAP Duplicate Mode

    Select the mode that determines how Self Service Password Reset handles a search that matches more than one user. When multiple user matches are found, this setting controls which user, if any, is authenticated. Select one of the following options from the list:

    • No duplicates permitted: Select this option if you want the application to fail whenever duplicate users are found in any context or profile.

    • Match first LDAP profile: Select this option if you want the application to use the first user that the system discovers in the first profile that has only a single match.

    • Match first user: Select this option if you want the application to authenticate the first user that the system discovers in any context or profile. This option ignores any duplicate user in the search result.

    User Selectable LDAP Context/Profile

    Select the appropriate option from the following list to control the use of LDAP profiles and LDAP contexts during identification, such as login, the Forgotten Password process, and so on:

    • Show the LDAP profile

    • Show the LDAP profile and LDAP contexts

    • Do not show

    Ignore Unreachable LDAP Profiles

    Select this option if you want Self Service Password Reset to ignore LDAP profiles that are unreachable. This option applies only when multiple LDAP profiles are configured.

    When only a single LDAP profile is configured, or when all LDAP profiles are unreachable, the system displays a directory unavailable error message to the user.

    Enable LDAP Wire Trace

    Select this option to log all LDAP events at the TRACE logging level.

    WARNING: Enabling this option might allow user passwords and other sensitive data to be written to the log files.

  9. In the toolbar, click Save changes.
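The three LDAP Duplicate Mode options above differ only in how a multi-match search result is resolved. The following added example (not part of the product or this guide) models that resolution over constructed per-profile search results; the semantics are taken from the option descriptions above, and the profile names and DNs are made up.

```python
from dataclasses import dataclass

# The three modes, named as they appear in the Configuration Editor.
NO_DUPLICATES = "No duplicates permitted"
FIRST_PROFILE = "Match first LDAP profile"
FIRST_USER = "Match first user"

@dataclass(frozen=True)
class Match:
    profile: str   # LDAP profile the search ran against
    dn: str        # distinguished name of the matching user entry

class DuplicateUserError(Exception):
    """Raised when the selected duplicate mode refuses to pick a user."""

def resolve_user(results: dict[str, list[str]], mode: str) -> Match:
    """Pick one user from per-profile search results.

    results maps profile name -> DNs that matched the login identifier,
    in the order the profiles are configured (dict order is preserved)."""
    all_matches = [Match(p, dn) for p, dns in results.items() for dn in dns]
    if not all_matches:
        raise DuplicateUserError("no user matched")
    if mode == NO_DUPLICATES:
        # Any second match anywhere is a failure, never a guess.
        if len(all_matches) > 1:
            raise DuplicateUserError(f"{len(all_matches)} users matched; refusing")
        return all_matches[0]
    if mode == FIRST_PROFILE:
        # First profile (in configured order) with exactly one match wins.
        for profile, dns in results.items():
            if len(dns) == 1:
                return Match(profile, dns[0])
        raise DuplicateUserError("no profile produced exactly one match")
    if mode == FIRST_USER:
        # First user found anywhere; remaining matches are ignored.
        return all_matches[0]
    raise ValueError(f"unknown duplicate mode: {mode}")

# Constructed sample: the login name matches two users in the first
# profile and one user in the second.
SAMPLE = {
    "edir-profile": ["cn=jsmith,ou=hr,o=corp", "cn=jsmith,ou=eng,o=corp"],
    "ad-profile": ["CN=jsmith,OU=Users,DC=corp,DC=example"],
}

def demo(mode: str) -> str:
    try:
        return resolve_user(SAMPLE, mode).dn
    except DuplicateUserError as exc:
        return f"REJECTED: {exc}"

if __name__ == "__main__":
    for m in (NO_DUPLICATES, FIRST_PROFILE, FIRST_USER):
        print(f"{m:28} -> {demo(m)}")
```

Running it shows why "Match first user" is the riskiest choice: it silently authenticates whichever entry happens to be returned first, while the other two modes either refuse or require an unambiguous profile.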

4.2.2 Configuring NetIQ eDirectory Settings

You can use either eDirectory or eDirectory with NMAS as the back-end directory. These settings allow you to change the eDirectory settings that you configured with the Configuration Guide.

Configuring eDirectory Challenge Set Options

When the back-end directory is eDirectory, you can configure NMAS. All NMAS operations require an SSL connection to the directory. Benefits of this configuration include:

  • Validation of passwords against the NMAS password policy.

  • Email notifications for failed password operations, such as when a password coming from a connected system does not comply with the password policies.

  • Better error messages when using universal password policies.

  • Better error handling during the change password process.

If you need to apply the policy settings for the challenge sets that you configured in NMAS, use the following procedure.

To change the policy settings for the challenge sets:

  1. Log in to Self Service Password Reset at https://dns-name/sspr as an administrator.

  2. In the toolbar, click your name.

  3. Click Configuration Editor.

  4. Click LDAP > LDAP Settings > NetIQ eDirectory > eDirectory Challenge Sets.

  5. Configure the following settings:

    Read eDirectory Challenge Sets

    Select this option if you want Self Service Password Reset to read the challenge set configuration from the eDirectory universal password policy and apply it to users.

    If you want Self Service Password Reset to use only the challenge sets configured in NMAS, do not configure the required and forgotten questions in Self Service Password Reset; otherwise, Self Service Password Reset uses those questions when no eDirectory policy exists.

    eDirectory Challenge Set Minimum Randoms During Setup

    Specify the number of random questions that a user is required to answer from NMAS at the time of saving challenge/response answers.

    eDirectory Challenge Set Apply Word List

    Enable this option if you do not want the users to use any of the words mentioned in the word list dictionary for the challenge/response answers.

    eDirectory Challenge Set Maximum Question Chars in Answer

    Specify the maximum number of characters of the question text that are allowed in answers when saving challenge/response answers in NMAS.

  6. In the toolbar, click Save changes.

Configuring the LDAP eDirectory Settings

Apart from configuring the NMAS extension, you can configure some additional parameters for eDirectory.

To configure NetIQ eDirectory:

  1. Log in to Self Service Password Reset at https://dns-name/sspr as an administrator.

  2. In the toolbar, click your name.

  3. Click Configuration Editor.

  4. Click Default Settings > LDAP Vendor Default Settings, then select NetIQ eDirectory.

  5. Click LDAP > LDAP Settings > NetIQ eDirectory > eDirectory Settings.

  6. Configure the following settings:

    Save NMAS Responses

    Select this option if you want to save the user responses to the NMAS response storage container. This storage is in addition to any other configured response storage methods.

    Enable NMAS Responses for Forgotten Password

    Select this option to use NMAS stored responses during forgotten password recovery. Self Service Password Reset tries all other configured storage methods before evaluating the NMAS stored responses.

    Read User Passwords

    Select this option if you want Self Service Password Reset to read the user's password from eDirectory before changing it.

    This avoids an extra password change, in which the password is first set to a temporary random password during the forgotten password sequence. If the proxy user does not have rights to read the password, Self Service Password Reset generates a temporary random password for the user.

  7. In the toolbar, click Save changes.

4.2.3 Configuring Microsoft Active Directory Settings

Self Service Password Reset allows you to change the settings for Microsoft Active Directory.

To change the Microsoft Active Directory settings:

  1. Log in to Self Service Password Reset at https://dns-name/sspr as an administrator.

  2. In the toolbar, click your name.

  3. Click Configuration Editor.

  4. Click Default Settings > LDAP Vendor Default Settings > Microsoft Active Directory.

  5. Select LDAP > LDAP Settings > Microsoft Active Directory.

  6. Configure the following settings:

    Use Proxy When Password Forgotten

    If you select this option, the system uses the LDAP proxy account to perform LDAP operations when a user has forgotten the password, because Active Directory does not allow an LDAP connection on the user's behalf without the user's password. When a user is authenticated in this condition, the system forces the user to change the password immediately.

    Allow Authentication When “Must Change Password On Next Login” Is Set

    Active Directory fails an LDAP login attempt when the Must Change Password On Next Login flag is set. If you enable this option, the system allows login even though the LDAP bind has failed. The user is only able to set a new password when this condition occurs. No other functions are available until the password has been set (and this flag is cleared).

    Allow Authentication When Password Expired

    Active Directory fails an LDAP login attempt when the current date is after the user's password expiration date. If you enable this option, the system allows login even though the LDAP bind has failed. The user is only able to set a new password when this condition occurs. No other functions are available until the password has been set (and this flag is cleared).

    Enforce Password Policy During Forgotten Password

    Enforces the password policy during forgotten password recovery when the option Use Proxy When Password Forgotten is also set to true. This setting requires that the Active Directory servers support the LDAP_SERVER_POLICY_HINTS_OID (1.2.840.113556.1.4.2066) LDAP modification control.

  7. In the toolbar, click Save changes.
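A proxy-account reset of unicodePwd is an administrative write, so the domain controller applies the password policy only if the request carries the LDAP_SERVER_POLICY_HINTS_OID control named above. The following added example (not code from the product or this guide) builds the pieces of such a request offline using only the standard library: the DER-encoded control value, the UTF-16-LE unicodePwd value, and the (OID, criticality, value) control tuple; the user DN and password are constructed, and attaching the request to a real LDAP client is left to the caller.

```python
# OID of the LDAP_SERVER_POLICY_HINTS_OID control, as quoted in the
# setting description above.
POLICY_HINTS_OID = "1.2.840.113556.1.4.2066"

def der_integer(value: int) -> bytes:
    """Minimal DER encoding of a small non-negative INTEGER (tag 0x02).
    The control only ever needs a one-byte flags value."""
    if not 0 <= value < 128:
        raise ValueError("helper only handles single-byte integers")
    return bytes([0x02, 0x01, value])

def policy_hints_control_value(flags: int = 1) -> bytes:
    """Control value: SEQUENCE { Flags INTEGER }.
    flags=1 asks the DC to apply the domain password policy to this
    modify operation instead of treating it as an unchecked admin reset."""
    body = der_integer(flags)
    return bytes([0x30, len(body)]) + body

def encode_unicode_pwd(password: str) -> bytes:
    """AD expects a new unicodePwd value as the password wrapped in
    double quotes and encoded as UTF-16-LE."""
    return f'"{password}"'.encode("utf-16-le")

def build_reset_request(user_dn: str, new_password: str) -> dict:
    """Assemble a proxy-account password reset: one REPLACE of unicodePwd
    carrying the policy hints control with criticality set, so a DC that
    does not support the control rejects the request rather than silently
    skipping policy enforcement. Returned as a plain dict for inspection;
    an LDAP client such as ldap3 accepts the same (oid, criticality, value)
    tuple in its controls= argument."""
    return {
        "dn": user_dn,
        "changes": {"unicodePwd": encode_unicode_pwd(new_password)},
        "controls": [(POLICY_HINTS_OID, True, policy_hints_control_value())],
    }

if __name__ == "__main__":
    # Constructed sample values; no directory is contacted.
    req = build_reset_request("CN=jsmith,OU=Users,DC=corp,DC=example",
                              "Tmp-Pa55w0rd!")
    print(req["controls"][0][2].hex())   # 3003020101
```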

4.2.4 Configuring the Oracle Directory Settings

Self Service Password Reset allows you to change the settings for the Oracle Directory Server.

To change the Oracle Directory Server settings:

  1. Log in to Self Service Password Reset at https://dns-name/sspr as an administrator.

  2. In the toolbar, click your name.

  3. Click Configuration Editor.

  4. Click Default Settings > LDAP Vendor Default Settings > Oracle Directory Server.

  5. Select LDAP > LDAP Settings > Oracle DS.

  6. Configure the following settings:

    Allow Manipulation of PasswordAllowChangeTime

    If you select this option, Self Service Password Reset is allowed to manipulate the allowPasswordChangeTime attribute during the forgotten password recovery sequence. This allows the forgotten password functionality to behave as expected when the system enforces a policy of minimum time between password changes.

    Allow Authentication When “Require Password Change at First Login and After Reset” Is Set

    Oracle Directory Server normally fails an LDAP login attempt when the user's pwdReset attribute is set after an administrator sets the password. If you enable this option, the system allows login even though the LDAP bind has failed. The user can only set a new password when this condition occurs. No other functions are available until the password has been set (and this flag is cleared).

  7. In the toolbar, click Save changes.