4.3 Configuring SSPR

To access the SSPR application, open a web browser and navigate to http://<host_name>:<port_number>/sspr.

NOTE: SSPR will run on HTTP; however, to set up a secure channel between the browser and the application, enable HTTPS. To enable HTTPS, see Section 3.3, Setting up a Secure Channel Between the Client and the SSPR portal (Optional).

After selecting an option, configure the following options appropriately. This section explains only the basic settings, which are just enough to start using SSPR. Refer to the Configuration Editor for more options:

4.3.1 LDAP Directories

Configure the following basic settings:

  • LDAP URLs: List the LDAP servers in URL format. SSPR will use these servers in a fail-over configuration. The servers are used in order of appearance in this list. If the first server is unavailable, SSPR will use the next available server in the list. SSPR will then periodically fall back to the first server to see if it is available.

    • For secure SSL, use the ldaps://servername:636 format

    • For plain-text servers, use the ldap://servername:389 format (not recommended)

  • LDAP Proxy User: The user that SSPR uses to access the LDAP directory. This user must have rights to browse users and to manage password attributes on the user object.

    This value should be in LDAP distinguished name format, even if your LDAP directory accepts other types of values for the bind DN. For example, cn=admin,o=example or cn=administrator,cn=users,dc=subdomain,dc=domain,dc=net.

  • LDAP Proxy Password: The corresponding password of the LDAP Proxy User.

  • LDAP Contextless Login Root: Base context to search for usernames during login.

  • SSPR Admin Query String: This query string is used to detect if a user is an SSPR administrator. An LDAP query is performed during SSPR login against the logged-in user. If the user matches the query, then the user is considered an SSPR administrator.
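
An added example, not part of the SSPR documentation or product: a Python pre-check of the LDAP URLs and LDAP Proxy User values before they are entered. It flags a plain-text entry anywhere in the fail-over list and a proxy user that is not in distinguished name format. The function names, the simplified DN pattern and the sample host names are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# One RDN such as cn=admin; a backslash-escaped character is allowed in the value.
_RDN = re.compile(r"[A-Za-z][A-Za-z0-9-]*=(?:\\.|[^,\\])+")
DEFAULT_PORT = {"ldaps": 636, "ldap": 389}


def is_dn(value):
    """True if value looks like attr=value[,attr=value...] (simplified DN check)."""
    parts = re.split(r"(?<!\\),", value.strip())
    return all(_RDN.fullmatch(p.strip()) for p in parts)


def lint_ldap_settings(urls, proxy_user):
    """Return (severity, message) findings for the LDAP URLs and LDAP Proxy User."""
    findings = []
    if not urls:
        findings.append(("error", "no LDAP URLs configured"))
    for pos, url in enumerate(urls, start=1):
        parts = urlsplit(url.strip())
        scheme = parts.scheme.lower()
        try:
            port = parts.port or DEFAULT_PORT.get(scheme)
        except ValueError:  # non-numeric or out-of-range port
            port = None
        if scheme not in DEFAULT_PORT or not parts.hostname or port is None:
            findings.append(("error", f"#{pos} {url!r}: not a valid ldap(s):// URL"))
            continue
        if scheme == "ldap":
            # Servers are tried in list order, so a plain-text entry after a
            # secure one is still used whenever the earlier servers are down.
            when = "used first" if pos == 1 else "used on fail-over"
            findings.append(("warn", f"#{pos} {url!r}: plain-text LDAP, {when}"))
        elif port == DEFAULT_PORT["ldap"]:
            findings.append(("warn", f"#{pos} {url!r}: ldaps:// on plain-text port 389"))
    if not is_dn(proxy_user):
        findings.append(("error", f"proxy user {proxy_user!r} is not a distinguished name"))
    return findings


if __name__ == "__main__":
    # Constructed sample values, not taken from a real deployment.
    sample = ["ldaps://ldap1.example.net:636", "ldap://ldap2.example.net:389"]
    for severity, message in lint_ldap_settings(sample, "administrator@example.net"):
        print(severity, message)
```

An empty result means every listed server uses ldaps:// on a non-389 port and the proxy user parses as a DN; it does not verify that the servers are reachable or that the proxy user has the required rights.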

4.3.2 Challenge Policy

Configure the following basic settings:

  • Force Response Setup: If true, the user will be directed to configure challenge/response before logging out of SSPR. This accounts for new user creation and activation, and other scenarios. The user is checked to see if they are eligible for allowSetup, and also if they do not have valid responses already configured.

    NOTE: When Force Response Setup is set to True and you click Cancel, ensure that you enter the responses before exiting the page.

  • Random Questions for Challenge/Response: Some of these questions will be presented to the user during forgotten password.

    Format: question::minimumLength::maximumLength

  • Required Questions for Challenge/Response: The user must supply answers for all of these questions when setting up their responses.

    Format: question::minimumLength::maximumLength

  • Minimum Random Required: Minimum number of random questions required at time of forgotten password recovery.

  • Minimum Random Challenges Required During Setup: The minimum number of random questions the user is required to complete during Response Setup.

4.3.3 Database

The RDBMS settings will be applicable only if you have selected Active Directory - Store responses in a database in the SSPR Configuration Editor.

SSPR uses two types of databases:

  • SSPRDB: The SSPRDB is a local, embedded database that is used by SSPR for storage of local data. In most cases, the SSPRDB requires no administration or maintenance, and the defaults are sufficient.

  • RDBMS Database: If configured, SSPR can use a traditional RDBMS database to store data for certain functions. Any standard RDBMS that supports a standard Java JDBC driver can work. Upon startup, SSPR will connect to the database and create any necessary tables. Multiple SSPR server instances can be configured for the same database instance.

    Configure the following options if RDBMS is selected:

    • Database Class

    • Database Connection String

    • Database Username

    • Database Password

4.3.4 Password Policy

You can use password policies to increase security by setting rules on how users create their passwords. You can also decrease the help desk costs by providing users with self-service options for forgotten passwords and for resetting passwords.

Each password policy setting is available in the Self Service Password Reset configuration. These password policies represent the minimum policies applicable to the user.

For example, if you set the directory setting to Novell eDirectory and configure Read eDirectory Password Policy as True, then SSPR tries to locate a Universal Password policy configured for that user. If such a policy is found, it is merged with the policy settings in the SSPR configuration. The most restrictive setting is used.