4.4 Manually Configuring Self Service Password Reset

If you choose to manually configure Self Service Password Reset, there are a number of tasks you must perform. The manual steps are the same whether you deployed Self Service Password Reset on-premises or in the cloud.

Complete the following tasks in the order listed, to manually configure Self Service Password Reset and your environment.

  1. Gather the information listed on the worksheet.

    For more information, see Self Service Password Reset Configuration Worksheet.

  2. Manually configure your LDAP directory by extending the schema and assigning permissions.

    For more information, see Configuring the LDAP Directories.

  3. Manually create an LDAP profile in the Self Service Password Reset Configuration Editor.

    For more information, see Creating an LDAP Profile for Your Environment.

  4. Manually configure your external database to store the challenge-response information.

    For more information, see Configuring Databases.

  5. Manually define the database settings in the Self Service Password Reset Configuration Editor.

    For more information, see Configuring Self Service Password Reset to Work with the External Database.

After you have completed the manual configuration of your environment, you can now configure Self Service Password Reset. Proceed to Getting Started in the Self Service Password Reset 4.5 Administration Guide.

4.4.1 Configuring the LDAP Directories

To allow Self Service Password Reset to store the challenge-response information in an LDAP directory, you must extend the LDAP directory schema and assign specific permissions to attributes in the LDAP directory. This allows Self Service Password Reset to manage the passwords for your users.

Self Service Password Reset provides .ldif files that extend the schema of the supported LDAP directories and change the permissions that Self Service Password Reset needs to work. The .ldif files are served by your Self Service Password Reset application at https://sspr.server.com/sspr/public/reference/ (substitute the host name of your own server for sspr.server.com). The .ldif files are also included in the Configuration Guide for the appliance and for the Windows installer.

WARNING: Extending the schema and changing rights permanently changes the LDAP directory. Ensure that your LDAP directory administrator performs these steps, and rehearse them against a non-production replica first. If the directory is not healthy or there are communication problems between replicas in your network, a schema change can fail partway and leave the directory inconsistent.

Self Service Password Reset includes an LDAP Permissions tool that reads your Self Service Password Reset configuration file and lists all of the rights required for your environment. The listed rights depend on which Self Service Password Reset modules you have enabled. The following steps are general guidelines for the rights Self Service Password Reset needs; use the LDAP Permissions tool to see the exact rights for your deployment. For more information, see Viewing LDAP Permissions Recommendations in the Self Service Password Reset 4.5 Administration Guide.

Use the following information to extend the LDAP directory schema and assign rights:

Configuring eDirectory

Before you extend the schema or change any rights to make Self Service Password Reset work with eDirectory, you must install the iManager Password Management plugin and enable the Universal Password policy. For more information, see Managing Password in the eDirectory Administration Guide.

Self Service Password Reset uses eDirectory attributes to store the following user data:

  • The last time a user changed the password

  • The last time Self Service Password Reset sent an email notification to the user about password expiry

  • Secret questions and answers

Use the following information to modify eDirectory:

Extending the eDirectory Schema

You must use eDirectory tools to extend the eDirectory schema with the edirectory-schema.ldif file. You can access this file here: https://sspr.server.com/sspr/public/reference/ldap-schema.jsp.

Depending on your platform, you must use a different eDirectory tool to extend the schema. The steps for extending the schema are in the eDirectory documentation. For more information, see Manually Extending the Schema in the NetIQ eDirectory Administration Guide.

The edirectory-schema.ldif file adds the following Self Service Password Reset attributes to the eDirectory schema:

  • pwmEventLog

  • pwmResponseSet

  • pwmLastPwdUpdate

  • pwmGUID

  • pwmOTPsecret

  • pwmData (new in the Self Service Password Reset 4.4 release or later)

Modifying eDirectory Rights to Grant Permissions

Self Service Password Reset requires rights in eDirectory to perform its operations. For instructions on how to change eDirectory rights, see eDirectory Rights in the eDirectory Administration Guide.

Use the LDAP Permissions tool to determine the proper rights for your environment and your configuration of Self Service Password Reset. For more information about the LDAP Permissions tool, see Viewing LDAP Permissions Recommendations in the Self Service Password Reset 4.5 Administration Guide.

Set up the following user rights:

Proxy User Rights

The proxy user is the account Self Service Password Reset binds with for pre-authentication operations, that is, work done before the user has logged in. Proxy users need the following rights on user containers:

  • Browse rights to [Entry Rights]

  • Read and Compare rights to the pwmResponseSet and Common Name (CN) attributes

  • Read, Compare, and Write rights to objectClass, passwordManagement, pwmEventLog, and pwmLastPwdUpdate

    IMPORTANT: If you enable the New User Registration module for Self Service Password Reset, you must also grant the Create right in [Entry Rights] so that the proxy user can add user objects. The edirectory-rights.ldif file does not add this right. To add the Create right to the [Entry Rights], use the Modify Trustees task of the Rights role in iManager.

Authenticated User Rights

After a user logs in, Self Service Password Reset performs operations over that user's own LDAP connection, so the user's own rights apply. Authenticated users need the following rights on their own user entries:

  • Browse rights to [Entry Rights]

  • Read, Compare, and Write rights to pwmResponseSet, inherited to [This]

  • Write rights to pwmLastPwdUpdate, inherited to [This]

Other Rights

Depending on the Self Service Password Reset configuration, users might need other rights assigned as well. In most cases, Self Service Password Reset interacts with the directory by using the user's LDAP connection. The user must have LDAP rights to execute operations. For example:

  • Update Profile Module: Users must have Read rights to all attributes that are part of the Update Profile module and Write rights to any attributes the module writes to.

  • Help Desk Module: Help desk users must have Read rights to search and display the attributes of the users they administer, and Write rights to any attributes the Help Desk module modifies through configured actions, password setting, or account unlocking.
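As an added example (this is not the edirectory-rights.ldif that Self Service Password Reset ships, and not part of its documentation), the following POSIX shell script encodes the proxy-user and authenticated-user rights listed above as eDirectory ACL values and either prints them for review or applies them with OpenLDAP's ldapmodify. The ACL value format and the privilege bit values are eDirectory's documented encoding for its ACL attribute; the container DN, proxy user DN, admin DN and host are placeholders, and the script assumes the schema has already been extended with edirectory-schema.ldif. The additional rights under Other Rights (Update Profile, Help Desk) are not covered.

```sh
#!/bin/sh
# Added example (not the edirectory-rights.ldif that Self Service Password
# Reset ships, and not part of its documentation): encode the proxy-user and
# authenticated-user rights as eDirectory ACL values and apply them with
# OpenLDAP's ldapmodify. All DNs and the host are placeholders.
#
# eDirectory keeps trustee assignments in the multi-valued ACL attribute of
# the protected object; each value is  privileges#scope#trusteeDN#attribute
# Attribute-right bits: Compare=1 Read=2 Write=4 Self=8 Supervisor=32
# [Entry Rights] bits:  Browse=1 Create=2 Delete=4 Rename=8 Supervisor=16
# Scope "subtree" makes the assignment inherit down the container.

LDAP_URI='ldaps://edir.example.net:636'          # placeholder
ADMIN_DN='cn=admin,o=acme'                       # placeholder
USER_CONTAINER='ou=users,o=acme'                 # placeholder
PROXY_DN='cn=sspr-proxy,ou=services,o=acme'      # placeholder

# Emit one ACL value: acl <privilege-bits> <trusteeDN> <protected-attribute>
acl() { printf 'ACL: %s#subtree#%s#%s\n' "$1" "$2" "$3"; }

# LDIF granting the proxy user its rights on a user container.
# A third argument "create" adds the Create entry right that the New User
# Registration module needs (Browse=1 + Create=2 = 3).
proxy_rights_ldif() {  # proxy_rights_ldif <containerDN> <proxyDN> [create]
  entry=1
  if [ "${3-}" = create ]; then entry=3; fi
  printf 'dn: %s\nchangetype: modify\nadd: ACL\n' "$1"
  acl "$entry" "$2" '[Entry Rights]'
  for a in pwmResponseSet CN; do
    acl 3 "$2" "$a"                     # Compare+Read
  done
  for a in objectClass passwordManagement pwmEventLog pwmLastPwdUpdate; do
    acl 7 "$2" "$a"                     # Compare+Read+Write
  done
  printf '%s\n' -
}

# LDIF granting each user rights on its own entry through the [This] trustee.
self_rights_ldif() {  # self_rights_ldif <containerDN>
  printf 'dn: %s\nchangetype: modify\nadd: ACL\n' "$1"
  acl 1 '[This]' '[Entry Rights]'       # Browse
  acl 7 '[This]' pwmResponseSet         # Compare+Read+Write
  acl 4 '[This]' pwmLastPwdUpdate       # Write
  printf '%s\n' -
}

# Both records as one LDIF stream (LDIF records are separated by a blank line).
rights_ldif() {  # rights_ldif <containerDN> <proxyDN> [create]
  proxy_rights_ldif "$1" "$2" "${3-}"
  printf '\n'
  self_rights_ldif "$1"
}

# With SSPR_APPLY=1 the LDIF is applied over LDAPS (the server certificate
# must be trusted by the client); otherwise it is only printed for review.
if [ "${SSPR_APPLY:-0}" = 1 ]; then
  rights_ldif "$USER_CONTAINER" "$PROXY_DN" | ldapmodify -x -H "$LDAP_URI" -D "$ADMIN_DN" -W
else
  rights_ldif "$USER_CONTAINER" "$PROXY_DN"
fi
```

Before applying, compare the printed LDIF with the edirectory-rights.ldif shipped with your release and with the output of the LDAP Permissions tool, since the rights vary with the modules you enable. Pass `create` as the third argument of `rights_ldif` only when the New User Registration module is in use; the Create entry right lets the proxy user add objects under the container and should not be granted otherwise.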

Configuring Azure Active Directory

Self Service Password Reset requires that your users reside in an LDAP directory. Using Azure Active Directory for your LDAP user store has no impact on where you install and run Self Service Password Reset. For more information, see Selecting an Appropriate Deployment.

To use Azure Active Directory as the LDAP user store for your users, there are two requirements.

  • You must store the challenge-response information in a Microsoft SQL Server or PostgreSQL database. Self Service Password Reset does not require that you change the Azure Active Directory schema because you store the users’ challenge-response information in a database, not in the Azure Active Directory.

  • You must enable LDAP access to the directory. Azure Active Directory itself does not expose an LDAP interface; Self Service Password Reset connects to the Secure LDAP (LDAPS) endpoint of an Azure AD Domain Services managed domain. For more information, see Configuring secure LDAP (LDAPS) for an Azure AD Domain Services managed domain.

Configuring Active Directory

If your users reside in Active Directory and you choose to store the challenge-response information in that same Active Directory, you must extend the schema and assign user rights so that Self Service Password Reset can store its data there.

Self Service Password Reset provides .ldif files that extend the schema and assign the correct rights to your Active Directory. You can access these files here: https://sspr.server.com/sspr/public/reference/ldap-schema.jsp.

After you extend the directory schema, you must grant permissions on the objects that hold Self Service Password Reset data, including the group policy, organizational units, and containers. Assigning user rights includes authorizing Read or Write access to the Self Service Password Reset schema attributes.

The AD-schema.ldif file extends the schema on the server and enables you to assign user rights. You must determine containers and organizational units that need Self Service Password Reset access. You must know their distinguished names (DN) so that you can assign rights to each container and organizational unit separately.

You can use the LDAP Permissions tool to determine what rights you must change in Active Directory for each Self Service Password Reset module you enable. For more information, see Viewing LDAP Permissions Recommendations in the Self Service Password Reset 4.5 Administration Guide.

IMPORTANT: Self Service Password Reset must be able to locate the domain controllers through DNS; otherwise it cannot find all of the user objects in Active Directory.

Instead of assigning rights to each container separately, you can also assign them once at the root of the domain so that they are inherited by every container and organizational unit below the root.

Extending the Active Directory Schema

You must use Active Directory tools to extend the schema. You use the AD-schema.ldif file provided here https://sspr.server.com/sspr/public/reference/ldap-schema.jsp to extend the schema.

Log in as a domain administrator whose account is also a member of the Schema Admins group (membership in Domain Admins alone does not permit schema changes), and run the schema extension file on an Active Directory domain controller or on a computer joined to the Active Directory domain. Follow the instructions provided in the Microsoft documentation. For more information, see Methods for Extending Schema.

The .ldif file adds the following Self Service Password Reset attributes to the directory schema:

  • pwmEventLog

  • pwmResponseSet

  • pwmLastPwdUpdate

  • pwmToken

  • pwmOTPSecret

  • pwmData (new with the Self Service Password Reset 4.4 release or later)

In a multi-server environment, the schema update reaches the other domain controllers through replication. To ensure that the schema has synchronized throughout your environment, you can perform a schema cache update. For more information, see Schema Cache.

Assigning User Rights

To store data in the new Self Service Password Reset schema attributes, grant permissions on the attributes added by the schema extension to the objects that hold Self Service Password Reset data. The rights must reach all of the following:

  • User objects

  • User containers

  • Group policies

  • Organizational units

Assign the rights on the containers and organizational units; they are inherited by the user objects beneath them.

IMPORTANT: Do not assign rights on individual user objects. Assign them at the container or organizational unit level so that they are inherited.

To assign rights, use the Microsoft documentation. For more information, see Configuring User Rights.

You can also assign rights to a Password Settings object (PSO) to add a fine-grained password and account lockout policy for Active Directory. For more information, see Create a PSO.

Configuring Oracle Directory Server

You must extend the schema and assign permissions for the Oracle Directory Server to store the challenge-response information. This allows Self Service Password Reset to manage the passwords for the users.

Extending the Schema for the Oracle Directory Server

You must use Oracle tools to extend the schema. You use the OracleDS-schema.ldif file to extend the schema. The file is available here: https://sspr.server.com/sspr/public/reference/.

IMPORTANT: You must be running Self Service Password Reset 4.1 Patch Update 1 or later to access the .ldif file on the reference page here: https://sspr.server.com/sspr/public/reference/ldap-schema.jsp.

To extend the Oracle schema for Self Service Password Reset, use the Oracle documentation. For more information, see Extending Directory Server Schema.

The OracleDS-schema.ldif file adds the following Self Service Password Reset attributes to the Oracle Directory Server schema:

  • pwmEventLog

  • pwmResponseSet

  • pwmLastPwdUpdate

  • pwmGUID

  • pwmOTPsecret

  • pwmData (new in the Self Service Password Reset 4.4 release or later)

Assigning Rights for the Oracle Directory Server

You must change the permission for the Oracle Directory attributes to store the following users’ data:

  • The last time a user changed the password

  • The last time Self Service Password Reset sent an email notification to the user about password expiry

  • Secret questions and answers

The permissions for Oracle Directory Server are the same as those described for eDirectory. Self Service Password Reset requires permission to perform its operations in Oracle Directory Server, and the required rights correspond to those listed under Modifying eDirectory Rights to Grant Permissions.

Use the OracleDS-right.ldif file to make the permission changes for your environment. You must modify this file to match your environment before it works.

4.4.2 Creating an LDAP Profile for Your Environment

After you have manually configured your LDAP directory, you must now create an LDAP profile for your environment in the Self Service Password Reset Configuration Editor. You will use the information from the worksheet to configure the LDAP Profile.

In addition to the information on the worksheet, you must know the following to manually create an LDAP profile:

  • A user name attribute you want to use when viewing users in Self Service Password Reset

  • A GUID attribute that is unique to all users that are managed by Self Service Password Reset

  • Attributes to use for logging into Self Service Password Reset

  • Attribute used for user groups

For instructions and more information, see Configuring Policies in the Self Service Password Reset 4.5 Administration Guide.

4.4.3 Configuring Databases

Self Service Password Reset uses two types of databases:

  • Local Database: Self Service Password Reset uses a local database for storing local data. The local database requires no administration or maintenance and the default values are sufficient.

  • External Database: Self Service Password Reset uses an external database to store data for certain functions. Any database with a standard Java JDBC driver should work: Self Service Password Reset connects to the database and creates the tables it needs. You can point multiple Self Service Password Reset instances at the same database instance. Self Service Password Reset officially supports Microsoft SQL Server and Oracle Database.

You must manually configure the database that stores the challenge-response information for Self Service Password Reset. Work with a database administrator to complete these tasks. Because this database holds the challenge-response data, protect it as you would the directory: restrict network access to the Self Service Password Reset servers and require TLS on the connection.

To configure the database:

  1. Create a database.

    For more information about how to create a database, see the related product documentation.

  2. Create a database administrator for that database. You must specify this administrator during Self Service Password Reset configuration.

  3. Create a user and associate it with the database you created in Step 1.

  4. (Conditional) If you are using Microsoft SQL Server, ensure that the instance is configured for SQL Server Authentication (mixed mode), that the user is created as a SQL Server login rather than a Windows login, and that it has suitable rights on the database. For more information, see Choosing an Authentication Mode.
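The procedure above, carried through as an added example that is not part of the Self Service Password Reset documentation: a POSIX shell script that generates and optionally runs the SQL for steps 1 through 4 on PostgreSQL (psql) or Microsoft SQL Server (sqlcmd). The account Self Service Password Reset connects with is given only what it needs in that one database, namely the right to connect, to create its own tables, and to read and write them. The host names, the database name (sspr or SSPR), the account name sspr_app, and the environment variables DB_PASSWORD and SA_PASSWORD are placeholders; Oracle Database is not covered.

```sh
#!/bin/sh
# Added example, not part of the Self Service Password Reset documentation:
# create the external database and a dedicated, least-privilege account for
# Self Service Password Reset on PostgreSQL or Microsoft SQL Server.
# Self Service Password Reset creates its own tables on first connection, so
# the account it uses needs CONNECT, table creation, and read/write in that
# one database and nothing else. Host names, "sspr"/"SSPR" and "sspr_app"
# are placeholders; the DBA credentials and DB_PASSWORD come from the
# environment. Oracle Database is not covered here.

# Double single quotes so a password is safe inside an SQL string literal.
sql_quote() { printf '%s' "$1" | sed "s/'/''/g"; }

# PostgreSQL, part 1: run as a superuser against the maintenance database.
pg_server_sql() {  # pg_server_sql <dbname> <appuser> <password>
  cat <<EOF
CREATE ROLE $2 LOGIN PASSWORD '$(sql_quote "$3")';
CREATE DATABASE $1;
REVOKE ALL ON DATABASE $1 FROM PUBLIC;
GRANT CONNECT ON DATABASE $1 TO $2;
EOF
}

# PostgreSQL, part 2: run inside the new database. The application role owns
# a private schema (so it can create tables there) and public is locked down.
pg_db_sql() {  # pg_db_sql <appuser>
  cat <<EOF
REVOKE CREATE ON SCHEMA public FROM PUBLIC;
CREATE SCHEMA $1 AUTHORIZATION $1;
ALTER ROLE $1 SET search_path = $1;
EOF
}

# SQL Server: one sqlcmd script. A SQL-authentication login requires the
# instance to run in mixed mode (SQL Server and Windows Authentication).
mssql_sql() {  # mssql_sql <dbname> <appuser> <password>
  cat <<EOF
CREATE DATABASE [$1];
GO
CREATE LOGIN [$2] WITH PASSWORD = N'$(sql_quote "$3")', CHECK_POLICY = ON, DEFAULT_DATABASE = [$1];
GO
USE [$1];
GO
CREATE USER [$2] FOR LOGIN [$2];
ALTER ROLE db_ddladmin ADD MEMBER [$2];   -- create and alter its own tables
ALTER ROLE db_datareader ADD MEMBER [$2]; -- read rows
ALTER ROLE db_datawriter ADD MEMBER [$2]; -- write rows
GO
EOF
}

# Apply with DB_APPLY=pg or DB_APPLY=mssql; otherwise nothing is executed.
case "${DB_APPLY-}" in
  pg)
    pg_server_sql sspr sspr_app "$DB_PASSWORD" \
      | psql -h db.example.net -U postgres -d postgres -v ON_ERROR_STOP=1
    pg_db_sql sspr_app \
      | psql -h db.example.net -U postgres -d sspr -v ON_ERROR_STOP=1 ;;
  mssql)
    mssql_sql SSPR sspr_app "$DB_PASSWORD" \
      | sqlcmd -S db.example.net -U sa -P "$SA_PASSWORD" -b ;;
esac
```

The generated account is the one you enter later as Database User Name and Database Password in the Configuration Editor; the superuser or sa credentials stay with the database administrator and are never stored in Self Service Password Reset. On SQL Server, the db_ddladmin membership is what allows the first connection to create the tables; once they exist you can drop that membership and keep only db_datareader and db_datawriter.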

4.4.4 Configuring Self Service Password Reset to Work with the External Database

After you have created the external database, you must configure Self Service Password Reset to communicate with the database. Self Service Password Reset uses the JDBC driver for the specific database. Download the JDBC driver from the vendor’s website to connect to the JDBC database.

To configure an external database to store the challenge-response information:

  1. Ensure that you have downloaded the JDBC driver from the vendor’s website.

  2. Log in to Self Service Password Reset at https://dns-name/sspr as an administrator.

  3. In the toolbar, click your name.

  4. Click Configuration Editor.

  5. Click Default Settings.

    1. Select the LDAP directory type you are using.

    2. For the location to store information, select Remote Database.

    3. In the toolbar, click Save changes.

  6. (Conditional) If you are storing the challenge-response information in the external database for any directory other than Active Directory, click Modules > Authenticated > Forgotten Password > Settings.

    1. Set Response Read Location to Database.

    2. Set Response Write Location to Database.

    3. Click Save.

  7. Click Settings > Database (Remote) > Connection.

  8. Use the following information to configure the database connection:

    Database Driver

    Upload the JDBC database driver you downloaded from the vendor’s website.

    Database Class

    Specify the Java class name of the JDBC driver. For example:

    • Microsoft SQL: com.microsoft.sqlserver.jdbc.SQLServerDriver

    • Microsoft SQL using jTDS: net.sourceforge.jtds.jdbc.Driver

    • Oracle: oracle.jdbc.OracleDriver

    • PostgreSQL: org.postgresql.Driver

    Database Connection String

    Specify the database connection string that configures the Java JDBC driver with the information it needs to reach your database server, such as the host name or IP address, port number, and database name. Include the driver's TLS parameters so that the challenge-response data is encrypted in transit. For example:

    • Microsoft SQL: jdbc:sqlserver://host.example.net:port;databaseName=SSPR

    • Microsoft SQL using jTDS: jdbc:jtds:sqlserver://host.example.net:port/SSPR

    • Oracle: jdbc:oracle:thin:@//host.example.net:1521/SSPR

    • PostgreSQL: jdbc:postgresql://host.example.net:port/SSPR

    Database User Name

    Specify the name of the user who can connect to the database.

    Database Password

    Specify the password of the database user.

    Database Vendor

    Select the vendor for your database. The options are Other or Oracle.

  9. Click Test Database Connection to validate the information you entered.

  10. In the toolbar, click Save changes.
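Before you paste a Database Connection String into the Configuration Editor, it is worth checking that it enforces TLS, since the challenge-response data crosses the network on this connection. The following POSIX shell function is an added example, not part of the Self Service Password Reset documentation or product: it recognizes the four connection-string forms listed above and reports whether the string turns encryption on and whether the server certificate is validated. The parameter names are the drivers' own (encrypt and trustServerCertificate for the Microsoft driver, ssl for jTDS, sslmode for PostgreSQL, a tcps:// address for the Oracle thin driver); the host names and database names are placeholders, matching is case-sensitive, and Oracle's trust-store properties are only mentioned, not checked.

```sh
#!/bin/sh
# Added example, not part of the Self Service Password Reset documentation:
# check that a JDBC connection string enforces TLS before you enter it under
# Settings > Database (Remote) > Connection. The challenge-response data
# crosses the network on this connection, so the link should be encrypted and
# the server certificate validated. The parameter names are the drivers' own
# documented ones; hosts and database names below are placeholders and the
# matching is case-sensitive.

# jdbc_tls_check <jdbc-url>: prints a verdict and returns 0 only if TLS is
# enforced (and, where the driver supports it, the certificate is validated).
jdbc_tls_check() {
  url=$1
  case "$url" in
    jdbc:sqlserver://*)                          # Microsoft JDBC driver
      case ";$url;" in
        *';encrypt=true;'*) ;;
        *) echo "mssql: append ;encrypt=true"; return 1 ;;
      esac
      case ";$url;" in
        *';trustServerCertificate=true;'*)
          echo "mssql: trustServerCertificate=true disables certificate validation"
          return 1 ;;
      esac
      echo "mssql: TLS enforced, certificate validated" ;;
    jdbc:jtds:sqlserver://*)                     # jTDS driver
      case ";$url;" in
        *';ssl=authenticate;'*) echo "jtds: TLS enforced, certificate validated" ;;
        *';ssl=require;'*) echo "jtds: TLS enforced (ssl=authenticate would also validate the certificate)" ;;
        *) echo "jtds: append ;ssl=require or ;ssl=authenticate"; return 1 ;;
      esac ;;
    jdbc:postgresql://*)                         # PostgreSQL driver
      q=${url#*\?}                               # query string, if any
      case "&$q&" in
        *'&sslmode=verify-full&'*) echo "postgresql: TLS enforced, host name validated" ;;
        *'&sslmode=verify-ca&'*|*'&sslmode=require&'*)
          echo "postgresql: encrypted, but the server identity is not fully checked; use sslmode=verify-full"
          return 1 ;;
        *) echo "postgresql: append ?sslmode=verify-full"; return 1 ;;
      esac ;;
    jdbc:oracle:thin:@tcps://*)                  # Oracle thin driver over TCPS
      echo "oracle: TCPS in use; also give the driver a trust store holding the server CA" ;;
    jdbc:oracle:thin:@*)
      echo "oracle: use a tcps:// address (default port 2484) and a trust store"; return 1 ;;
    *) echo "unrecognized JDBC URL"; return 1 ;;
  esac
}

# Constructed sample strings (not from the page), one weak and one hardened
# per driver, run through the check.
for u in \
  'jdbc:sqlserver://db.example.net:1433;databaseName=SSPR' \
  'jdbc:sqlserver://db.example.net:1433;databaseName=SSPR;encrypt=true' \
  'jdbc:sqlserver://db.example.net:1433;databaseName=SSPR;encrypt=true;trustServerCertificate=true' \
  'jdbc:jtds:sqlserver://db.example.net:1433/SSPR' \
  'jdbc:jtds:sqlserver://db.example.net:1433/SSPR;ssl=require' \
  'jdbc:oracle:thin:@//db.example.net:1521/SSPR' \
  'jdbc:oracle:thin:@tcps://db.example.net:2484/SSPR' \
  'jdbc:postgresql://db.example.net:5432/sspr' \
  'jdbc:postgresql://db.example.net:5432/sspr?sslmode=verify-full'
do
  if v=$(jdbc_tls_check "$u"); then echo "OK   $u  ($v)"; else echo "FIX  $u  ($v)"; fi
done
```

A string that passes this check still depends on the database server presenting a certificate that the Java runtime running Self Service Password Reset trusts; if the server uses a private CA, import that CA into the truststore of the JVM rather than setting trustServerCertificate=true or lowering sslmode, which would keep the encryption but remove the protection against a spoofed server.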