Installing the new NMAS 2.3 Universal Password Policies and Self Service Forgotten Password enhancements

(Last modified: 25Feb2005)

This document (10091354) is provided subject to the disclaimer at the end of this document.

fact

Novell NetWare 6.5

Novell eDirectory 8.7.3 for All Platforms

Novell iManager 2

Novell Modular Authentication Service version 2.3

symptom

Installing the new NMAS 2.3 Universal Password Policies and Self Service Forgotten Password enhancements

change

This enhancement allows password policies to be set beyond requiring a minimum password length. You can require upper- and lower-case characters, numerics and special characters, and define rules on which passwords are not allowed. It also enables self service for forgotten passwords: the user is first verified via challenge questions, and only then is either a hint or the password itself provided. This can be done via a web page, or the hint/password can be mailed to the user.

fix

Sample Configuration

Please review the documentation so that there is a complete understanding of the prerequisites required for implementing Universal Password.
Documentation on Universal Password:   Universal Password Deployment
Documentation on nSure Identity Management:  Novell nSure Identity Manager 2

1. Delete the old policies: In iManager go to Password Management - Manage Password Policies.  The old system default policies are invalid and can be deleted.
2. Create a new policy: Select the New tab and create a new policy.
3. Edit the new policy: Highlight the new policy and click the Edit button.  Select the Universal Password tab, then on the next screen select Advanced Password Rules and configure the rules your organization wishes to put in place.
4. Turn on Universal Password: Select Configuration Options, turn on Universal Password and enable the Advanced Password Rules.  Also enable the user agent to retrieve the password, then save the changes.
**NOTE:  If you select the option for the policy to verify existing passwords against the rules and you have made the new password policy tree wide, you may be forcing all users in the tree to change their password at their next login.  Your user community and help desk may find this challenging if they have not yet been informed of the new rules.
5. Assign the Policy:  Select the Policy Assignment tab and use the object browser button to make your assignment.  The assignment can be made at the Login Policy Object, Partition Root, Container or User level.
NOTE: The following rules apply depending on where the policy is assigned:
    A. If you assign the policy to the Login Policy Object (LPO) in the security container, the policy is tree wide.
    B. If assigned to a partition root, the policy flows to the bottom of that partition.
    C. If assigned to a container that is not a partition root, the policy is only effective for users within that container.  It does not apply to users in child containers.
    D. If assigned to a user, it applies only to that user.

For our purposes we will assign it to the LPO.  Save the changes.
6. Set up user password self-service:  Select the Forgotten Password tab, then select Enable Forgotten Password and require a Challenge Set.  Create a new Challenge Set by clicking on the Manage Challenge Sets link and set the question to Mother's Maiden Name.  Once done, go back to the Manage Password Policies link in the left frame of iManager, edit the policy, select the Forgotten Password tab and, in the Action section, check Show Hint on Page and Force User to Configure Challenge Set.  Save your changes.
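The scope rules A-D in step 5 decide which policy a given user ends up with. The following model is an added example (not code from the TID or from Novell): the tree names, partition roots and assignments are constructed, and the "closest assignment wins" precedence between levels is an assumption of the model.

```python
# Added example, not part of the TID: a model of the policy-assignment scope
# rules A-D. Names, partition roots and assignments are constructed sample data;
# the "most specific assignment wins" precedence is an assumption.
from typing import Optional

LPO = "cn=Login Policy.cn=Security"  # assumed dotted name of the Login Policy Object

# Constructed tree: o=acme and ou=eng.o=acme are partition roots.
PARTITION_ROOTS = {"o=acme", "ou=eng.o=acme"}
ASSIGNMENTS = {
    LPO: "TreeWide",                       # A: tree-wide default
    "ou=eng.o=acme": "EngPolicy",          # B: partition root
    "ou=hr.o=acme": "HRPolicy",            # C: container, not a partition root
    "cn=bob.ou=hr.o=acme": "BobPolicy",    # D: single user
}


def parent(dn: str) -> Optional[str]:
    """Parent of a dotted eDirectory name: 'cn=u.ou=hr.o=acme' -> 'ou=hr.o=acme'."""
    _, sep, rest = dn.partition(".")
    return rest if sep else None


def effective_policy(user_dn: str, assignments: dict, partition_roots: set) -> Optional[str]:
    """Return the policy name that applies to user_dn, or None if none applies."""
    # D: a policy assigned to the user applies only to that user.
    if user_dn in assignments:
        return assignments[user_dn]
    # C: a non-partition-root container covers only the users directly in it,
    #    never users in child containers (so it is not consulted when walking up).
    container = parent(user_dn)
    if container in assignments and container not in partition_roots:
        return assignments[container]
    # B: a partition root covers everything down to the bottom of its own
    #    partition, so walk up only as far as the first partition root.
    node = container
    while node is not None:
        if node in partition_roots:
            if node in assignments:
                return assignments[node]
            break
        node = parent(node)
    # A: a policy on the Login Policy Object is tree wide.
    return assignments.get(LPO)


if __name__ == "__main__":
    for user in ("cn=bob.ou=hr.o=acme", "cn=carol.ou=temps.ou=hr.o=acme", "cn=dave.ou=dev.ou=eng.o=acme"):
        print(user, "->", effective_policy(user, ASSIGNMENTS, PARTITION_ROOTS))
```

Note that cn=carol in the child container ou=temps falls through to the tree-wide policy, because the HR container assignment (rule C) does not reach child containers.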

What next?
One last piece of setup.  The users must first be given the URL of the server's portal (https://ipaddress/nps) and they must log in.  Once logged in they are prompted for their mother's maiden name and then prompted to choose a hint for their password.  After they click Submit and the page indicates the submit was successful, they can close the page.

What is the process for a forgotten password?
The user goes to the server portal and selects the Forgot Password? link.  They input their userid, they then are prompted for their mother's maiden name.  If they input this information correctly they are then given a hint about their password.  They then can put the correct password into their NetWare client and complete logging into the tree.
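The self-service flow just described (and the non-recoverable storage of the challenge answer mentioned in the installation section) can be modelled as follows. This is an added example, not code from the TID or from NMAS: the user IDs, answers and hints are constructed, and the storage layout and PBKDF2 parameters are assumptions rather than NMAS's secret store format.

```python
# Added example, not part of the TID: a model of the Forgot Password flow.
# The challenge answer is kept only as a salted PBKDF2 hash (non-recoverable),
# and the hint is released only after the answer verifies. Sample data is
# constructed; the layout is an assumption, not NMAS's secret store format.
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 200_000  # PBKDF2 work factor (assumed value)


def normalize(answer: str) -> str:
    """Case-fold and collapse whitespace so ' Smith ' and 'smith' match."""
    return " ".join(answer.casefold().split())


def answer_hash(answer: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, ITERATIONS)


class HintStore:
    """userid -> (salt, answer_hash, hint); stands in for the user's secret store."""

    def __init__(self) -> None:
        self._records = {}

    def enrol(self, userid: str, answer: str, hint: str) -> None:
        """What the user does at the portal: set the challenge answer and a hint."""
        salt = os.urandom(16)
        self._records[userid] = (salt, answer_hash(answer, salt), hint)

    def forgot_password(self, userid: str, answer: str) -> Optional[str]:
        """Return the hint only when the challenge answer verifies, else None."""
        record = self._records.get(userid)
        if record is None:
            answer_hash(answer, b"\x00" * 16)  # same work for unknown users, so timing leaks nothing
            return None
        salt, digest, hint = record
        if hmac.compare_digest(answer_hash(answer, salt), digest):
            return hint
        return None


def demo() -> dict:
    """Constructed walk-through: enrol one user, then try good, wrong and unknown inputs."""
    store = HintStore()
    store.enrol("jdoe", "Smith", "street you grew up on + year")
    return {
        "right": store.forgot_password("jdoe", " smith "),
        "wrong": store.forgot_password("jdoe", "Jones"),
        "unknown": store.forgot_password("nobody", "Smith"),
    }
```

Because a single question like mother's maiden name is low-entropy, the verified answer should release only a hint (as configured in step 6), not the password itself.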


INSTALLATION

NOTE:  A new installer for Password Management was released with the IDM 2.0.1 support pack.  If you have the old passwordmanagement.zip file, continue on.  If you do not have this file, it is no longer available from Novell's website.  You will need to download the new plugins for eDirectory.  Go to Novell's main download page (http://download.novell.com) then choose Category | iManager Plug-ins.  The files are under eDirectory | eDirectory Password Management 2.0.1 for Novell eDirectory.  Then download the correct file that corresponds to your platform.  This installer is specific to the platform you are on, and so is the method to initiate the install:

On Linux: Copy the downloaded jar file to a directory (/tmp in this example). Then run the following command: java -Djava.library.path=/tmp -cp /tmp/pwd_mgmt_2.0.1_nw_lin.jar install
On NetWare: Copy the downloaded jar file to a directory (SYS:\tmp in this example). Then run the following command: java -cp SYS:\tmp\pwd_mgmt_2.0.1_nw_lin.jar install
On Windows: Run the pwd_mgmt_2.0.1_win.exe.

These commands will initiate the GUI driven install of the Password Management 2.01 for eDirectory. The install will prompt you at several points for information, and so cannot be run unattended. 

This file automates steps 1-4 below and assumes that iManager is running correctly. Please see the readme, nSure Identity Management doc as well as the NMAS 2.0 documentation for product dependencies and further information.

1.  Extend schema

This must be done from a server holding either the Master or a Read-Write copy of the ROOT partition.  The schema extensions can be performed using NWCONFIG.

Copy the four .sch files from the schema directory of the patch to an 8.3-format directory on the SYS volume (i.e., sys:patch).  Run NWConfig from the console, selecting Directory Options | Extend Schema.  Enter the admin user name in fully qualified form (e.g. cn=admin.o=novell) and the password, and press Enter.  Press F3 on the next screen, then type in the full path name of the file (e.g. sys:\patch\schema\nmas.sch), and press Enter.  Repeat the same steps for each of the 4 schema files in the order listed in the schemareadme.txt:
sys:\patch\nmas.sch
sys:\patch\nsimpm.sch
sys:\patch\nspm.sch
sys:\patch\notf.sch

Force a schema sync from the server using the following commands:
set dstrace=on
set dstrace=+schema
set dstrace=*ssd
set dstrace=*ssa

Look at the Directory Services screen and make sure you get an All Processed=Yes.

2.  Add the Challenge Response NMAS method

This method can be found on the Novell eDirectory 8.7.3 installation CD (or download files) which can be found at http://download.novell.com.  The method installer is in the \nmas\NmasMethods\ directory of the eDirectory CD and is called MethodInstaller.exe.  Run the exe on a workstation and check the Challenge Response method.  Accept the agreement and the defaults for the Login Sequence.  This method will be added to the Authorized Login Methods.Security.<tree-name> container.

3.  Assign Self Rights to Hint

Run the enclosed Java app to assign self rights to the Hint attribute for user self service.  This allows a user to modify his own challenge and hint on his user object.  The ACL is configured so that no one else, including admin, can view this information.  The challenge is encrypted and written to the user's secret store attribute in a non-recoverable format.  You can do this in one of two ways, but NOTE:  Regardless of the procedure you use the outcome is the same, and you need to do this ONLY ONCE PER TREE.

NOTE:  You can verify that this step has taken place by looking at the partition root and examining the acls.  There should be one for ID_THIS for the nspmHint attribute.

A. JAVA utility procedure -

In a DOS window, go to the directory where you unzipped the files.  If that directory was sys:patch, then the path would be: sys:\patch\password management\nsimhint.  This presumes Java is installed on the workstation.  Enter the following command line:

java  -classpath ./jclient.jar;. ChangeACLRights <username> <password> <eDirectory Server IP Address>

an example would be

java  -classpath ./jclient.jar;. ChangeACLRights cn=admin.o=novell  passwd 10.0.0.1

If this worked properly, you should see a message stating "Assigned user rights to modify nSimHint successfully".

B. iManager procedure -

Login to iManager as user with Supervisor rights to the Root of the Tree.

On the Roles and Tasks page go to the Rights role and click on Modify Trustees.  Browse to the Tree object, select it and click OK, then choose Admin or the equivalent user you have selected.  Next click on Add Property, then check the Show All Properties box (this refreshes the list automatically), scroll down to the LOWER CASE nsimhint property, select it and click OK.  On the next screen you should have the Compare, Read, and Inherit boxes checked; then click on Done.

*You can VERIFY that either of these methods worked by using ConsoleOne to view the Trustees of the Tree Root object.

4.  Install the iManager plugins

Log in to iManager, click on the Configure icon (man sitting behind desk icon), then Module Configuration, Install Module Package, then click the Install button (far right of screen), browse to the password management\plugins directory and select the passwordmanagement.npm file.  Once complete you will need to refresh the web servlet via the iManager Configuration, Portal link.

Once these steps have completed you are ready to configure Password Policies in iManager using the Password Management Role.

Note: After this step the Universal Password task under the NMAS role is no longer functional for what we need.  You will instead use the Universal Password task under the Password Management Role.  If after refreshing the portal you see neither the Pwdpolicy role object under the Collection container nor the Password Management Role in iManager, then select Configure iManager (man sitting behind desk icon), then click on RBS Configuration, then select Configure iManager, then click on Upgrade Collections, then click on Next and you will be guided through the rest of the upgrade.


If the url is not displayed when hitting the server's portal address please refer to the following TID #10091932 - Installing NMAS Password Self Service on a server running Virtual Office

If you are unable to authenticate via the Forgot Password Link refer to the following TID #10091935 - Error: 1681 or cannot connect when attempting to use the Forgot Password? url in Portal for NMAS password self service.

If a popup dialog is displayed saying the secret store is invalid or asks whether you want to delete it please refer to TID #10092130 - Popout window prompts to delete the secret store on login after password change.

document

Document Title: Installing the new NMAS 2.3 Universal Password Policies and Self Service Forgotten Password enhancements
Document ID: 10091354
Solution ID: NOVL95636
Creation Date: 18Feb2004
Modified Date: 25Feb2005
Novell Product Class: Novell eDirectory
Security Components

disclaimer

The Origin of this information may be internal or external to Novell. Novell makes all reasonable efforts to verify this information. However, the information provided in this document is for your information only. Novell makes no explicit or implied claims to the validity of this information.
Any trademarks referenced in this document are the property of their respective owners. Consult your product manuals for complete trademark information.