If you choose to manually configure Self Service Password Reset, there are a number of tasks you must perform. Complete the following tasks in the order listed to manually configure Self Service Password Reset and your environment.
Gather the information listed in the worksheet.
For more information, see Self Service Password Reset Configuration Worksheet.
Manually configure your LDAP directory by extending the schema and assigning permissions.
For more information, see Configuring the LDAP Directories.
Manually create an LDAP profile in the Self Service Password Reset Configuration Editor.
For more information, see Creating an LDAP Profile for Your Environment.
Manually configure your external database to store the challenge-response information.
For more information, see Configuring Databases.
Manually define the database settings in the Self Service Password Reset Configuration Editor.
For more information, see Configuring Self Service Password Reset to Work with the External Database.
After you have completed the manual configuration of your environment, you can now configure Self Service Password Reset. Proceed to Self Service Password Reset 4.2 Administration Guide.
To allow Self Service Password Reset to store the challenge-response information in an LDAP directory, you must extend the LDAP directory schema and assign specific permissions to attributes in the LDAP directory. This allows Self Service Password Reset to manage the passwords for your users.
Self Service Password Reset provides .ldif files that manually extend the schema for the LDAP directories and change the permissions that allow Self Service Password Reset to work. You can access the .ldif files at https://sspr.server.com/sspr/public/reference/ on your Self Service Password Reset application. The .ldif files are also included in the Configuration Guide for the appliance and for the Windows installer.
WARNING: Extending the schema and changing rights in your LDAP directory permanently changes the LDAP directory. Ensure that your LDAP directory administrator performs these steps. If the directory is not healthy or there are communication problems in your network, changing the schema can cause problems.
Self Service Password Reset contains an LDAP Permissions tool that reads your Self Service Password Reset configuration file and lists all of the rights required for your environment, depending on the Self Service Password Reset modules you have enabled. The following steps are guidelines for the rights you need in your environment for Self Service Password Reset to work. It is best to use the LDAP Permissions tool to see all of the rights specific to your deployment of Self Service Password Reset. For more information, see Self Service Password Reset 4.2 Administration Guide.
Use the following information to extend the LDAP directory schema and assign rights:
Before you extend the schema or change any rights to make Self Service Password Reset work with eDirectory, you must install the iManager Password Management plugin and enable the Universal Password policy. For more information, see eDirectory Administration Guide.
Self Service Password Reset uses eDirectory attributes to store the following user data:
The last time a user changed the password
The last time Self Service Password Reset sent an email notification to the user about password expiry
Secret questions and answers
Use the following information to modify eDirectory:
You must use eDirectory tools to extend the eDirectory schema with the edirectory-schema.ldif file. You can access this file at https://sspr.server.com/sspr/public/reference/ldap-schema.jsp.
Depending on your platform, you must use a different eDirectory tool to extend the schema. The steps for extending the schema are in the eDirectory documentation. For more information, see NetIQ eDirectory Administration Guide.
The edirectory-schema.ldif file adds the following Self Service Password Reset attributes to the eDirectory schema:
Self Service Password Reset requires permission to perform all operations in eDirectory. For instructions on how to change eDirectory rights, see eDirectory Administration Guide.
Use the LDAP Permissions tool to determine the proper rights for your environment and your configuration of Self Service Password Reset. For more information about the LDAP Permissions tool, see Self Service Password Reset 4.2 Administration Guide.
Set up the following user rights:
Users with generic proxy user rights perform operations such as pre-authentication. Proxy users need the following rights to user containers:
Browse rights to [Entry Rights]
Read and Compare rights to the pwmResponseSet and Common Name (CN) attributes
Read, Compare, and Write rights to objectClass, passwordManagement, pwmEventLog, and pwmLastPwdUpdate
IMPORTANT: If you enable the New User Registration module for Self Service Password Reset, you must enable the Create right to the [Entry Rights]. The edirectory-rights.ldif file does not add this right. To add the Create right to the [Entry Rights], use the task of the Rights role in iManager.
Users with authenticated user rights perform operations based on the permissions associated with the user’s connection. Authenticated users need the following rights for their own user entries:
Browse rights to [Entry Rights]
Read, Compare, and Write rights, Inherited to [This] for pwmResponseSet
Write rights, Inherited to [This] for pwmLastPwdUpdate
Depending on the Self Service Password Reset configuration, users might need other rights assigned as well. In most cases, Self Service Password Reset interacts with the directory by using the user's LDAP connection. The user must have LDAP rights to execute operations. For example:
Update Profile Module: Users must have Read rights to all attributes that are part of the Update Profile module and Write rights to any attributes they must write to.
Help Desk Module: Users must have Read rights to search and display attributes of the users whom they administer. Users must also have Write rights to any attributes the Help Desk module modifies through configured actions, password setting, or account unlocking.
If you intend to install Self Service Password Reset with Active Directory and you want the challenge-response information to be stored in Active Directory, you must extend the schema and assign user rights to store data in Active Directory.
Self Service Password Reset provides .ldif files that extend the schema and assign the correct rights to your Active Directory. You can access these files here: https://sspr.server.com/sspr/public/reference/ldap-schema.jsp.
After you extend the directory schema, you must grant permissions to access objects, including the group policy, organizational units, and containers. Assigning user rights includes authorizing Read or Write rights to the Self Service Password Reset directory schema attributes.
The AD-schema.ldif file extends the schema on the server and enables you to assign user rights. You must determine containers and organizational units that need Self Service Password Reset access. You must know their distinguished names (DN) so that you can assign rights to each container and organizational unit separately.
You can use the LDAP Permissions tool to determine what rights you must change in Active Directory for each Self Service Password Reset module you enable. For more information, see Self Service Password Reset 4.2 Administration Guide.
You can also extend the Active Directory schema to the root of the domain and assign rights to each container and the organizational unit below the root.
You must use Active Directory tools to extend the schema. Use the AD-schema.ldif file provided at https://sspr.server.com/sspr/public/reference/ldap-schema.jsp to extend the schema.
Log in as the domain administrator and run the schema extension file on an Active Directory domain controller or on a computer that is connected to the Active Directory domain. Follow the instructions provided in the Microsoft documentation. For more information, see Methods for Extending Schema.
The .ldif file adds the following Self Service Password Reset attributes to the directory schema:
In a multi-server environment, schema updates occur after server replication. To ensure that the schema is synchronized throughout your environment, you can perform a schema cache update. For more information, see Schema Cache.
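Because a schema extension is permanent, a directory administrator will want to confirm that a downloaded .ldif defines exactly the attributes this guide names before importing it into eDirectory or Active Directory. The following added example (not part of the guide or the product) parses either LDIF dialect and reports missing or unexpected definitions; the sample LDIF, its OIDs and the example.com domain are constructed, and the expected-name set is taken from the rights lists in this guide.

```python
import re

# Constructed samples in both LDIF dialects this guide mentions; OIDs and DC= parts are placeholders.
EDIR_LDIF = """\
dn: cn=schema
changetype: modify
add: attributeTypes
attributeTypes: ( 1.2.3.4.1 NAME 'pwmResponseSet' SYNTAX 1.3.6.1.4.1.1466.115
 .121.1.40 SINGLE-VALUE )
attributeTypes: ( 1.2.3.4.2 NAME 'pwmLastPwdUpdate' SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
attributeTypes: ( 1.2.3.4.9 NAME 'vendorExtra' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
"""
AD_LDIF = """\
dn: CN=pwmEventLog,CN=Schema,CN=Configuration,DC=example,DC=com
changetype: add
objectClass: attributeSchema
lDAPDisplayName: pwmEventLog
"""
# Names this guide's rights lists refer to; confirm them against the shipped .ldif.
EXPECTED = {"passwordManagement", "pwmResponseSet", "pwmEventLog", "pwmLastPwdUpdate"}
NAME_RE = re.compile(r"\bNAME\s+'([^']+)'")

def ldif_records(text):
    """Records of (attr, value) pairs; a leading-space line continues the previous value (RFC 2849)."""
    records, cur = [], []
    for raw in text.splitlines() + [""]:
        if raw.startswith(" ") and cur:
            cur[-1] += raw[1:]
        elif raw == "":
            if cur:
                records.append([(a.strip().lower(), v.strip())
                                for a, _, v in (line.partition(":") for line in cur)])
            cur = []
        elif not raw.startswith("#"):          # '#' lines are LDIF comments
            cur.append(raw)
    return records

def schema_names(text):
    """Names from attributeTypes/objectClasses values (eDirectory) or lDAPDisplayName of AD schema entries."""
    names = set()
    for rec in ldif_records(text):
        kinds = {v.lower() for a, v in rec if a == "objectclass"}
        for a, v in rec:
            if a in ("attributetypes", "objectclasses"):
                names.update(NAME_RE.findall(v))
            elif a == "ldapdisplayname" and kinds & {"attributeschema", "classschema"}:
                names.add(v)
    return names

def review_schema(text, expected=EXPECTED):
    """Return (missing, unexpected) names so a stray definition is caught before import."""
    found = schema_names(text)
    return sorted(expected - found), sorted(found - expected)
```

A non-empty "unexpected" list on a file you did not author is the signal to stop and ask where the file came from before extending the directory.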
To store the data against the new Self Service Password Reset schema attributes, assign user permissions to objects in the directory. Assign rights to the attributes added through the schema extension to all of the objects that access the Self Service Password Reset data, including the following:
If you assign rights to containers and organizational units, the rights filter down to the associated user objects.
IMPORTANT: Do not assign rights at the user level or object level.
To assign rights, use the Microsoft documentation. For more information, see Configuring User Rights.
You can also assign rights to a Password Settings object (PSO) to add a fine-grained password and account lockout policy for Active Directory. For more information, see Create a PSO.
After you have manually configured your LDAP directory, you must now create an LDAP profile for your environment in the Self Service Password Reset Configuration Editor. You will use the information from the worksheet to configure the LDAP Profile.
You also need the following additional information to manually create an LDAP profile:
A user name attribute you want to use when viewing users in Self Service Password Reset
A GUID attribute that is unique to all users that are managed by Self Service Password Reset
Attributes to use for logging into Self Service Password Reset
Attribute used for user groups
For instructions and more information, see Self Service Password Reset 4.2 Administration Guide.
Self Service Password Reset uses two types of databases:
Local Database: Self Service Password Reset uses a local database for storing local data. The local database requires no administration or maintenance and the default values are sufficient.
External Database: Self Service Password Reset uses an external database to store data for certain functions. Any standard JDBC database that supports a standard Java JDBC driver works. Self Service Password Reset connects to the database and creates the necessary tables. You can configure multiple Self Service Password Reset instances to the same database instance. Self Service Password Reset officially supports MS SQL database and Oracle database.
You must manually configure the database to save the challenge-response information from Self Service Password Reset. Work with a database administrator to complete these tasks.
To configure the database:
Create a database.
For more information about how to create a database, see the related product documentation.
Create a database administrator for that database. You must specify this administrator during Self Service Password Reset configuration.
Create a user and associate it with the database you created in Step 1.
(Conditional) If you are using a Microsoft SQL database, ensure that the server has SQL Server Authentication mode enabled and that the user has suitable rights to open the database. For more information, see
After you have created the external database, you must configure Self Service Password Reset to communicate with the database. Self Service Password Reset uses the JDBC driver for the specific database. Download the JDBC driver from the vendor’s website to connect to the JDBC database.
To configure an external database to store the challenge-response information:
Ensure that you have downloaded the JDBC driver from the vendor’s website.
Log in to Self Service Password Reset at https://dns-name/sspr as an administrator.
In the toolbar, click your name.
Select the LDAP directory type you are using.
Select where to store information as
In the toolbar, click.
(Conditional) If you are using anything other than Active Directory to store challenge-response information in an external database, click> > > .
Click> > .
Use the following information to configure the database connection:
Upload the JDBC database driver you downloaded from the vendor’s website.
Specify the Java class name of the JDBC driver. For example:
Microsoft SQL: com.microsoft.sqlserver.jdbc.SQLServerDriver
Microsoft SQL using jTDS: net.sourceforge.jtds.jdbc.Driver
Specify the database connection string that configures the Java JDBC database driver with the information required to reach your database server, such as IP address, port number, and database name. For example:
Microsoft SQL: jdbc:sqlserver://host.example.net:port;databaseName=SSPR
Microsoft SQL using jTDS: jdbc:jtds:sqlserver://host.example.net:port/SSPR
Specify the name of the user who can connect to the database.
Specify a password for the database user.
Select the vendor for your database. The options areor .
Click to validate the information you entered.
In the toolbar, click.
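The driver class names and connection strings listed above follow two different grammars, and a mismatch or a leftover placeholder only surfaces when validation fails. This added example (not from the guide or the product) parses both URL forms and checks them against the selected driver class before the values are entered in the Configuration Editor; the TLS property names it checks are the Microsoft driver's encrypt and jTDS's ssl, and the host and port values in the checks are constructed.

```python
# Driver class names and URL prefixes exactly as this guide lists them.
DRIVERS = {
    "com.microsoft.sqlserver.jdbc.SQLServerDriver": "jdbc:sqlserver://",
    "net.sourceforge.jtds.jdbc.Driver": "jdbc:jtds:sqlserver://",
}

def parse_jdbc_url(url):
    """Split a URL in either grammar: Microsoft puts the database in a
    ';databaseName=' property, jTDS puts it in the path ('/SSPR')."""
    for prefix in DRIVERS.values():
        if url.startswith(prefix):
            break
    else:
        raise ValueError("unrecognised JDBC URL prefix: " + url)
    body, *pairs = url[len(prefix):].split(";")
    props = dict(p.split("=", 1) for p in pairs if "=" in p)
    hostport, _, path = body.partition("/")
    host, _, port = hostport.rpartition(":")
    if not host:                       # no ':port' present at all
        host, port = hostport, ""
    database = path or props.pop("databaseName", "")
    return {"prefix": prefix, "host": host, "port": port,
            "database": database, "props": props}

def check_db_settings(driver_class, url):
    """Return the findings a reviewer would raise before validating the
    connection in the Configuration Editor; an empty list means consistent."""
    findings = []
    want = DRIVERS.get(driver_class)
    if want is None:
        return ["unknown driver class: " + driver_class]
    info = parse_jdbc_url(url)
    if info["prefix"] != want:
        findings.append("driver class does not match URL prefix " + info["prefix"])
    if not info["port"].isdigit():
        findings.append("port missing or not numeric (replace the 'port' placeholder)")
    if not info["database"]:
        findings.append("database name missing (databaseName=... or /<name>)")
    props = {k.lower(): v.lower() for k, v in info["props"].items()}
    # TLS property names are the drivers' own: 'encrypt' (Microsoft), 'ssl' (jTDS).
    if want == "jdbc:sqlserver://" and props.get("encrypt") != "true":
        findings.append("Microsoft driver: set encrypt=true explicitly rather than relying on the driver default")
    if want == "jdbc:jtds:sqlserver://" and props.get("ssl") != "require":
        findings.append("jTDS driver: set ssl=require so the session is encrypted")
    return findings
```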