To allow Self Service Password Reset to store the challenge-response information in an LDAP directory, you must extend the LDAP directory schema and assign specific permissions to attributes in the LDAP directory. This allows Self Service Password Reset to manage the passwords for your users.
Self Service Password Reset provides .ldif files that manually extend the schema for the LDAP directories and change the permissions that allow Self Service Password Reset to work. You can access the .ldif files here: https://sspr.server.com/sspr/public/reference/ on your Self Service Password Reset application. The .ldif files are also included in the Configuration Guide for the appliance and for the Windows installer.
WARNING: Extending the schema and changing rights in your LDAP directory permanently changes the LDAP directory. Ensure that your LDAP directory administrator performs these steps. If the directory is not healthy or there are communication problems in your network, changing the schema can cause problems.
Self Service Password Reset contains an LDAP Permissions tool that reads your Self Service Password Reset configuration file. The LDAP Permissions tool lists all of the required rights for your environment depending on the components of Self Service Password Reset you have enabled. The rights listed in the tool change depending on the Self Service Password Reset modules you enable. The following steps are guidelines for what rights you need in your environment for Self Service Password Reset to work. It is best to use the LDAP Permissions tool to see all of the rights specific to your deployment of Self Service Password Reset. For more information, see Viewing LDAP Permissions Recommendations in the Self Service Password Reset 4.8 Administration Guide.
Use the following information to extend the LDAP directory schema and assign rights:
Before you extend the schema or change any rights to make Self Service Password Reset work with eDirectory, you must install the iManager Password Management plugin and enable the Universal Password policy. For more information, see Managing Password in the eDirectory Administration Guide.
Self Service Password Reset uses eDirectory attributes to store the following user data:
The last time a user changed the password
The last time Self Service Password Reset sent an email notification to the user about password expiry
Secret questions and answers
Use the following information to modify eDirectory:
You must use eDirectory tools to extend the eDirectory schema with the edirectory-schema.ldif file. You can access this file here: https://sspr.server.com/sspr/public/reference/ldap-schema.jsp.
Depending on your platform, you must use a different eDirectory tool to extend the schema. The steps for extending the schema are in the eDirectory documentation. For more information, see Manually Extending the Schema in the NetIQ eDirectory Administration Guide.
The edirectory-schema.ldif file adds the following Self Service Password Reset attributes to the eDirectory schema:
pwmEventLog
pwmResponseSet
pwmLastPwdUpdate
pwmGUID
pwmOTPsecret
pwmData (new in the Self Service Password Reset 4.4 release or later)
Self Service Password Reset requires permission to perform all operations in eDirectory. For instructions on how to change eDirectory rights, see eDirectory Rights in the eDirectory Administration Guide.
Use the LDAP Permissions tool to determine the proper rights for your environment and your configuration of Self Service Password Reset. For more information about the LDAP Permissions tool, see Viewing LDAP Permissions Recommendations in the Self Service Password Reset 4.8 Administration Guide.
Set up the following user rights:
Users with generic proxy user rights perform operations such as pre-authentication. Proxy users need the following rights to user containers:
Browse rights to [Entry Rights]
Read and Compare rights to the pwmResponseSet and Common Name (CN) attributes
Read, Compare, and Write rights to objectClass, passwordManagement, pwmEventLog, and pwmLastPwdUpdate
IMPORTANT: If you enable the New User Registration module for Self Service Password Reset, you must enable the Create right to the [Entry Rights]. The edirectory-rights.ldif file does not add this right. To add the Create right to the [Entry Rights], use the Modify Trustees task of the Rights role in iManager.
The domain administrator should only grant the necessary rights to the proxy user for executing REST API calls.
Users with authenticated user rights perform operations based on the permissions associated with the user’s connection. Authenticated users need the following rights for their own user entries:
Browse rights to [Entry Rights]
Read, Compare, and Write rights, Inherited to [This] for pwmResponseSet
Write rights, Inherited to [This] for pwmLastPwdUpdate
Depending on the Self Service Password Reset configuration, users might need other rights assigned as well. In most cases, Self Service Password Reset interacts with the directory by using the user's LDAP connection. The user must have LDAP rights to execute operations. For example:
Update Profile Module: Users must have Read rights to all attributes that are part of the Update Profile module and Write rights to any attributes they must write to.
Help Desk Module: Users must have Read rights to search and display attributes of users whom they administer. Users must also have Write rights to any attributes modified by the Help Desk module through configured actions or password setting and unlocking accounts.
Self Service Password Reset requires that your users reside in an LDAP directory. Using Azure Active Directory for your LDAP user store has no impact on where you install and run Self Service Password Reset. For more information, see Selecting an Appropriate Deployment.
To use Azure Active Directory as the LDAP user store for your users, there are two requirements.
You must store the challenge-response information in a Microsoft SQL Server or PostgreSQL database. Self Service Password Reset does not require that you change the Azure Active Directory schema because you store the users’ challenge-response information in a database, not in the Azure Active Directory.
You must enable LDAP in the Azure Active Directory. For more information, see the Configure secure LDAP for a Microsoft Entra Domain Services managed domain section in Microsoft Documentation.
If your users reside in Active Directory and you chose to store the challenge-response information in that same Active Directory, you must extend the schema and assign user rights so that the data can be stored in Active Directory.
Self Service Password Reset provides .ldif files that extend the schema and assign the correct rights to your Active Directory. You can access these files here: https://sspr.server.com/sspr/public/reference/ldap-schema.jsp.
After you extend the directory schema, you must give permissions to access objects, including the group policy, organizational units, and containers. Assigning user rights includes authorizing Read or Write rights to the Self Service Password Reset directory schema attributes.
The AD-schema.ldif file extends the schema on the server and enables you to assign user rights. You must determine containers and organizational units that need Self Service Password Reset access. You must know their distinguished names (DN) so that you can assign rights to each container and organizational unit separately.
You can use the LDAP Permissions tool to determine what rights you must change in Active Directory for each Self Service Password Reset module you enable. For more information, see Viewing LDAP Permissions Recommendations in the Self Service Password Reset 4.8 Administration Guide.
IMPORTANT: You must ensure that the domain controller is accessible via DNS for Self Service Password Reset to find all of the user objects in Active Directory.
You can also extend the Active Directory schema to the root of the domain and assign rights to each container and the organizational unit below the root.
You must use Active Directory tools to extend the schema. Use the AD-schema.ldif file provided here, https://sspr.server.com/sspr/public/reference/ldap-schema.jsp, to extend the schema.
Log in as the domain administrator and run the schema extension file on an Active Directory domain controller or on a computer that is connected to the Active Directory domain, following the instructions provided in the Microsoft documentation. For more information, see the Methods for Extending Schema section in Microsoft Documentation.
The .ldif file adds the following Self Service Password Reset attributes to the directory schema:
pwmEventLog
pwmResponseSet
pwmLastPwdUpdate
pwmToken
pwmOTPSecret
pwmData (new with the Self Service Password Reset 4.4 release or later)
In a multi-server environment, schema updates take effect only after server replication. To ensure that the schema is synchronized throughout your environment, you can perform a schema cache update. For more information, see the Schema Cache section in Microsoft Documentation.
To store the data against the new Self Service Password Reset schema attributes, assign user permissions to objects in the directory. Assign rights to the attributes added through the schema extension to all of the objects that access the Self Service Password Reset data, including the following:
User objects
User containers
Group policies
Organizational units
If you assign rights to containers and organizational units, the rights filter down to the associated user objects.
IMPORTANT: Do not assign rights at the user level or object level.
To assign rights, use the Microsoft documentation. For more information, see the Configuring User Rights section in Microsoft Documentation.
You can also assign rights to a Password Settings object (PSO) to add a fine-grained password and account lockout policy for Active Directory. For more information, see the Create a PSO section in Microsoft Documentation.
You must extend the schema and assign permissions for the Oracle Directory Server to store the challenge-response information. This allows Self Service Password Reset to manage the passwords for the users.
You must use Oracle tools to extend the schema. You use the OracleDS-schema.ldif file to extend the schema. The file is available here: https://sspr.server.com/sspr/public/reference/.
IMPORTANT: You must be running Self Service Password Reset 4.1 Patch Update 1 or later to access the .ldif file on the reference page here: https://sspr.server.com/sspr/public/reference/ldap-schema.jsp.
To extend the Oracle schema for Self Service Password Reset, use the Oracle documentation. For more information, see the Extending Directory Server Schema section in Oracle Documentation.
The OracleDS-schema.ldif file adds the following Self Service Password Reset attributes to the Oracle Directory Server schema:
pwmEventLog
pwmResponseSet
pwmLastPwdUpdate
pwmGUID
pwmOTPsecret
pwmData (new in the Self Service Password Reset 4.4 release or later)
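After applying the eDirectory, Active Directory, or Oracle Directory Server .ldif file, an administrator will want to confirm that every attribute listed above actually landed in the schema (in Active Directory, after replication and a schema cache update). The following is an added example, not part of the original page or the product: it parses an RFC 4512-style subschema dump (for instance the attributeTypes values returned by an LDAP search of the subschema entry) and reports which attributes from the lists above are still missing for a given directory type. The sample dump, its OIDs under the 1.3.6.1.4.1.99999 arc, and the function names are constructed for illustration.

```python
"""Check that the Self Service Password Reset schema attributes are present in a directory."""
import re

# Attribute names each directory type must expose after the SSPR .ldif file is applied,
# as listed on this page (pwmData applies to SSPR 4.4 and later).
REQUIRED = {
    "edirectory": {"pwmEventLog", "pwmResponseSet", "pwmLastPwdUpdate",
                   "pwmGUID", "pwmOTPsecret", "pwmData"},
    "activedirectory": {"pwmEventLog", "pwmResponseSet", "pwmLastPwdUpdate",
                        "pwmToken", "pwmOTPSecret", "pwmData"},
    "oracleds": {"pwmEventLog", "pwmResponseSet", "pwmLastPwdUpdate",
                 "pwmGUID", "pwmOTPsecret", "pwmData"},
}

def unfold_ldif(text):
    """Join LDIF continuation lines (a line starting with one space continues the previous line)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def attribute_names(ldif_text):
    """Collect every NAME value from the attributeTypes definitions in a subschema dump."""
    names = set()
    for line in unfold_ldif(ldif_text):
        if not line.lower().startswith("attributetypes:"):
            continue
        # NAME is either a single quoted name or a parenthesised list of quoted aliases.
        match = re.search(r"NAME\s+(?:'([^']+)'|\(([^)]*)\))", line)
        if match:
            names.update((match.group(1) or match.group(2)).replace("'", "").split())
    return names

def missing_attributes(ldif_text, directory):
    """Return the required SSPR attributes absent from the dump (LDAP names are case-insensitive)."""
    present = {name.lower() for name in attribute_names(ldif_text)}
    return sorted(a for a in REQUIRED[directory] if a.lower() not in present)

# Constructed sample subschema dump (placeholder OIDs) in which pwmData was never added.
SAMPLE = """dn: cn=schema
objectClass: subschema
attributeTypes: ( 1.3.6.1.4.1.99999.1.1 NAME 'pwmEventLog'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
attributeTypes: ( 1.3.6.1.4.1.99999.1.2 NAME 'pwmResponseSet' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
attributeTypes: ( 1.3.6.1.4.1.99999.1.3 NAME 'pwmLastPwdUpdate' SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.99999.1.4 NAME ( 'pwmGUID' 'pwmGuid' ) SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
attributeTypes: ( 1.3.6.1.4.1.99999.1.5 NAME 'pwmOTPsecret' SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
"""

if __name__ == "__main__":
    for kind in REQUIRED:
        print(kind, "missing:", missing_attributes(SAMPLE, kind) or "none")
```

Against a real directory, feed the function the attributeTypes output of your own subschema search; a non-empty result means the .ldif was not applied or has not yet replicated to the server you queried.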
You must change the permissions for the Oracle Directory attributes that store the following user data:
The last time a user changed the password
The last time Self Service Password Reset sent an email notification to the user about password expiry
Secret questions and answers
The permissions for Oracle Directory Server and eDirectory are similar. The permission information provided for eDirectory also applies to Oracle Directory Server.
Self Service Password Reset requires permission to perform operations in Oracle Directory. The following rights are required:
Use the OracleDS-right.ldif file to make the permission changes for your environment. You must edit this file for your environment before it works.