AUTHORIZED DOCUMENTATION
Password Management Guide
Novell
®
Identity Manager
3.6.1
June 05, 2009
www.novell.com
Identity Manager 3.6.1 Password Management Guide

Summary of Contents for Novell IDENTITY MANAGER 3.6.1 - PASSWORD MANAGEMENT

  • Page 1 AUTHORIZED DOCUMENTATION Password Management Guide Novell ® Identity Manager 3.6.1 June 05, 2009 www.novell.com Identity Manager 3.6.1 Password Management Guide...
  • Page 2 Further, Novell, Inc. reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes.
  • Page 3 Novell Trademarks For Novell trademarks, see the Novell Trademark and Service Mark list (http://www.novell.com/company/legal/trademarks/tmlist.html). Third-Party Materials All third-party trademarks are the property of their respective owners.
  • Page 5: Table Of Contents

    Contents: About This Guide; 1 Overview; Universal Password and Distribution Password, 10; Password Synchronization Flow...
  • Page 6 6 Checking the Password Synchronization Status for a User; 7 Troubleshooting Password Synchronization; A Password Synchronization Scenarios; Scenario 1: Using NDS Password to Synchronize between Two Identity Vaults, 43; A.1.1 Advantages and Disadvantages of Scenario 1...
  • Page 7: About This Guide

    A trademark symbol (®, TM, etc.) denotes a Novell trademark. An asterisk (*) denotes a third-party trademark. When a single pathname can be written with a backslash for some platforms or a forward slash for other platforms, the pathname is presented with a backslash.
  • Page 9: Overview

    Overview Identity Manager helps you manage user passwords across multiple accounts. You can synchronize passwords among systems, allow users to change their passwords, and enable users to recover from forgotten passwords. In the following diagram, the Identity Manager system is configured to synchronize passwords for users who have Active Directory* and iPlanet* accounts.
  • Page 10: Universal Password And Distribution Password

    Distribution) stored in the Identity Vault and provides password policies that define the rules for creating and replacing passwords in the Identity Vault. Universal Password is explained in detail in the Novell Password Management 3.2 Administration Guide (http://www.novell.com/documentation/password_management32). To control password synchronization between the Identity Vault and connected systems, Identity Manager uses the Distribution password.
  • Page 11: Password Policy Enforcement

    The connected system determines the level of support for password synchronization. Some systems, such as Microsoft Active Directory and Novell eDirectory, support bidirectional synchronization. Other systems support synchronization in one direction only. See Chapter 3, “Connected System Support for Password Synchronization,” on page 15 for details.
  • Page 12: Password Synchronization Status

    Application Identity Self-Service lets users manage their passwords, including resetting and recovering from forgotten passwords. Identity Manager also includes a Client Login Extension that can be used with the Novell Client and the Microsoft login GINA to facilitate password self-service. When users click the Forgot Password link in their client login, the Client Login Extension launches a restricted browser to access the User Application Identity Self-Service feature.
  • Page 13: Password Management Checklist

    (http://www.novell.com/documentation/password_management32/pwm_administration/index.html?page=/documentation/password_management32/pwm_administration/data/allq21t.html) in the Novell Password Management 3.2 Administration Guide. 2.2 Synchronizing Passwords Complete the following tasks to set up password synchronization between the Identity Vault and a connected system. Repeat the tasks for each connected system with which you want to synchronize passwords.
  • Page 14: Password Self-Service

    Assign the policy to the Identity Vault containers that hold the users to whom you want the policy applied. You can have more than one password policy if needed. For instructions, see “Managing Passwords by Using Password Policies” (http://www.novell.com/documentation/password_management32/pwm_administration/data/ampxjj0.html) in the Novell Password Management 3.2 Administration Guide.
  • Page 15: Connected System Support For Password Synchronization

    Connected System Support for Password Synchronization The level of support for password synchronization varies depending on the connected system. The following sections provide support information: Section 3.1, “Systems That Support Bidirectional Password Synchronization,” on page 15 Section 3.2, “Systems That Accept Passwords from Identity Manager,” on page 15 Section 3.3, “Systems That Don’t Accept or Provide Passwords By Default,”...
  • Page 16: Systems That Don't Accept Or Provide Passwords By Default

    Although they can’t provide the user’s actual password, they can be configured to create a password in the Identity Vault by using a policy on the Publisher channel. The password would be based on other user data in the connected system. The basic driver configurations provided for the connected systems include a default password based on the surname.
  • Page 17: Systems That Don't Support Password Synchronization

    Table 3-3, Systems That Don’t Accept or Provide Passwords, lists for each connected system driver whether the application can accept the setting of an initial password (Subscriber channel), can accept modification of a password (Subscriber channel), supports Check Password (Subscriber channel), and can provide (sync) a password (Publisher channel). The rows begin with Delimited Text...
  • Page 19: Configuring Password Flow

    Configuring Password Flow To ensure that passwords flow between the Identity Vault and the connected system the way you expect them to, you should verify the password synchronization settings for the connected system’s driver are configured properly. Section 4.1, “Verifying Password Synchronization Settings in iManager,” on page 19 Section 4.2, “Verifying Password Synchronization Settings in Designer,”...
  • Page 20 The settings that are enabled and disabled vary depending on the driver. Only those settings for features supported by the driver are available (not dimmed). 3 Verify that the settings are configured properly. Identity Manager accepts passwords (Publisher Channel): If this option is enabled, Identity Manager allows passwords to flow from the connected system into the Identity Vault.
  • Page 21: Verifying Password Synchronization Settings In Designer

    Application accepts passwords (Subscriber Channel): If you enable this option, the driver sends passwords from the Identity Vault to this connected system. This also means that if a user changes the password on a different connected system that is publishing passwords to the Distribution password in the Identity Vault, the password is changed on this connected system.
  • Page 22 The settings that are enabled and disabled vary depending on the driver. Only those settings for features supported by the driver are available (not dimmed). 3 Verify that the settings are configured properly. Identity Manager accepts passwords (Publisher Channel): If this option is enabled, Identity Manager allows passwords to flow from the connected system into the Identity Vault.
  • Page 23 The application accepts passwords (Subscriber Channel): If you enable this option, the driver sends passwords from the Identity Vault to this connected system. This also means that if a user changes the password on a different connected system that is publishing passwords to the Distribution password in the Identity Vault, the password is changed on this connected system.
  • Page 25: Configuring E-Mail Notification

    Password, e-mail notifications are sent only if you choose to use one of the Forgotten Password actions that causes an e-mail to be sent: e-mailing a password to the user, or e-mailing a password hint to the user. See “Managing Forgotten Passwords” (http://www.novell.com/documentation/password_management32/pwm_administration/data/bqf5d1x.html) in the Password Management 3.2 Administration Guide.
  • Page 26: Prerequisites

    “Setting Up E-Mail Templates for Notification” on page 28 Section 5.4, “Providing SMTP Authentication Information in Driver Policies,” on page 28 Section 5.5, “Adding Your Own Replacement Tags to E-Mail Notification Templates,” on page 30 Section 5.6, “Sending E-Mail Notifications to the Administrator,” on page 36 Section 5.7, “Localizing E-Mail Notification Templates,”...
  • Page 27 2 Specify the following information: The host name. The name (for example, Administrator) that you want to appear in the From field of the e-mail message. The username and password for authenticating to the server, if necessary. 3 Click OK. 4 If you are using Password Synchronization with your Identity Manager drivers and want to use the e-mail notification feature, you must also do the following: 4a If your SMTP server requires authentication before sending e-mail, make sure that the...
  • Page 28: Setting Up E-Mail Templates For Notification

    5.3 Setting Up E-Mail Templates for Notification You can customize these templates with your own text. The name of the template indicates what it is used for. 1 In iManager, select Passwords > Edit Email Templates. 2 Edit the templates as desired. Keep in mind that if you want to add any replacement tags, some additional tasks might be required.
  • Page 29 You are using Identity Manager Password Synchronization with an Identity Manager driver In the Password Synchronization settings for the driver, you have selected Notify the user of password synchronization failure via e-mail. To add the SMTP server password to the driver policy: 1 In iManager, select Identity Manager >...
  • Page 30: Adding Your Own Replacement Tags To E-Mail Notification Templates

    The password is obfuscated when it is stored in the Identity Vault. 8 Select the rule, then click OK. 5.5 Adding Your Own Replacement Tags to E-Mail Notification Templates The e-mail notification templates have some tags defined by default, to help you personalize the message for the user.
  • Page 31 Like this example, each new tag you add must be defined in both the e-mail template and the policy rules that refer to the e-mail template, so that the Metadirectory engine knows how to insert the correct data in place of the replacement tag when sending the e-mail to the user. You can refer to the tags in the Identity Manager driver configurations that shipped with Identity Manager as examples.
  • Page 32 6 In the list of rules that opens, click the rule that refers to the e-mail notification template. For example, in the Password(Pub)-Sub Email Notifications policy, you see the following list of rules. Both of these rules reference one of the password synchronization e-mail templates. You need to edit both rules if you are adding tags to both templates.
  • Page 33 7 Scroll to the Actions section. Configuring E-Mail Notification...
  • Page 34 8 For the Do Send Email from Template rule, click the browse button for the Enter strings field. This opens the string builder. For the example rule, the following figure shows the list of strings you would see. The default tags that are used in the e-mail notification templates are already defined in the password synchronization policies that are part of the Identity Manager driver configurations, like this one.
  • Page 35 You can define the tag to be any of the following: Any Source or Destination attribute for the user. Unlike adding tags for the e-mail templates for Forgotten Password, simply adding a tag that has the same name as an attribute on the user object in the Identity Vault does not cause the tag to work.
  • Page 36: Adding Replacement Tags To Forgotten Password E-Mail Notification Templates

    5.5.2 Adding Replacement Tags to Forgotten Password E-Mail Notification Templates Using the following guidelines, you can add tags to the e-mail notification templates for Forgotten Password: You can add only tags that correspond to LDAP attributes on the User object that the message is being sent to.
  • Page 37 If this setting doesn't exist, no encoding is used on the mail transformation. For Password Synchronization e-mail messages, an XML attribute named charset can be specified on the following elements: <mail>, <message>, and one further element. For information on using these elements, see the Identity Manager 3.6 Manual Task Service Driver Implementation Guide, which gives more detail on the e-mail templates.
  • Page 39: Checking The Password Synchronization Status For A User

    Checking the Password Synchronization Status for a User You can determine whether the Distribution password for a specific user is the same as the password in the connected system. 1 In iManager, click to display the Identity Manager Administration page. 2 In the Passwords list, >...
  • Page 40 always reported as being not synchronized. In fact, the Distribution password and the password on the connected system might be in sync, but Check Password Status won't be accurate unless both the NDS password and the Distribution password are synchronized with the Universal password.
  • Page 41: Troubleshooting Password Synchronization

    Chapter A, “Password Synchronization Scenarios,” on page. Make sure you have the Simple Password Login Method installed with NMAS (Novell Modular Authentication Service). Make sure you have a copy of the root of the tree on the servers where you need NMAS to enforce password policies on eDirectory login methods or on passwords from connected systems being synchronized by Identity Manager.
  • Page 42 This option is preferable because we recommend that a default password policy exist in order to maintain a high level of security within the system. On the Publisher channel, remove the policy that creates the default password. In the sample configuration, this policy is provided in the Command Transformation policy set. Adding a user without a password is allowed in the Identity Vault.
  • Page 43: Scenario 1: Using Nds Password To Synchronize Between Two Identity Vaults

    Password Synchronization Scenarios Identity Manager enables you to implement several different password synchronization scenarios. This section outlines basic scenarios that help you understand how the Identity Manager settings affect the way passwords are synchronized. You can use one or more of the scenarios to meet the needs of your environment.
  • Page 44: Advantages And Disadvantages Of Scenario 1

    This method should be used only to synchronize passwords from Identity Vault to Identity Vault. It does not use NMAS and therefore cannot be used to synchronize passwords to connected applications. Section A.1.1, “Advantages and Disadvantages of Scenario 1,” on page 44 Section A.1.2, “Setting Up Scenario 1,”...
  • Page 45: Troubleshooting Scenario 1

    Driver Configuration Make the following changes in the eDirectory driver’s filter. This must be done for both eDirectory drivers involved in the synchronization. Remove the nspmDistributionPassword attribute from the User class in the filter. Add the Public Key and Private Key attributes for all object classes (typically, the User class) for which passwords should be synchronized.
  • Page 46 Figure A-3, Using Universal Password to Synchronize Passwords (Identity Manager, NMAS 3.0, Distribution password, Universal password, NDS password, Simple password). 1. Passwords come in through Identity Manager. 2. Identity Manager goes through NMAS to directly update the Universal password. 3. NMAS synchronizes the Universal password with the Distribution password and other passwords according to the NMAS password policy settings.
  • Page 47: Advantages And Disadvantages Of Scenario 2

    A.2.1 Advantages and Disadvantages of Scenario 2 Table A-2, Synchronizing by Using Universal Password. Advantages: Allows synchronization of passwords to and from the Identity Vault and the connected system. Allows passwords to be validated against the... Disadvantages: By design, resetting passwords in the connected system is not supported with this method because the Distribution password and Universal passwords might not be the same, depending on your settings...
  • Page 48 You can assign the policy to the entire tree structure (by browsing to and selecting the Login Policy object in the Security container), a partition root container, a container, or a specific user. To simplify management, we recommend that you assign password policies as high in the tree as possible.
  • Page 49 Synchronize Distribution Password when setting Universal Password Because Identity Manager retrieves the Distribution password to distribute passwords to connected systems, it's important that this option be selected to allow bidirectional password synchronization. 5 Complete your password policy as desired. NMAS enforces the Advanced Password Rules in your password policies, if you have the rules enabled.
  • Page 50 These settings allow for bidirectional password synchronization if it is supported by the connected system. You can adjust the settings to match your business policies for the authoritative source for passwords. For example, if a connected system should subscribe to passwords but not publish, select only Application accepts passwords (Subscriber Channel).
  • Page 51: Troubleshooting Scenario 2

    3 To ensure password security, make sure that you control who has rights to Identity Manager objects. A.2.3 Troubleshooting Scenario 2 “Flowchart for Scenario 2” on page 51 “Trouble Logging in to the Identity Vault” on page 52 “Trouble Logging in to Another Connected System that Subscribes to Passwords” on page 53 “E-Mail Not Generated on Password Failure”...
  • Page 52: Trouble Logging In To The Identity Vault

    Whether Advanced Password Rules are enabled that incoming passwords must comply with. What the other settings are in the password policy for synchronizing the Universal password with the other passwords. Figure A-4, How NMAS Handles the Password It Receives from Identity Manager (Identity Manager, NMAS)...
  • Page 53: Trouble Logging In To Another Connected System That Subscribes To Passwords

    Figure A-5, DSTrace Commands. Verify that the <password> or <modify-password> elements are being passed to Identity Manager. To verify that they are being passed, watch the trace screen with those options turned on. Verify that the password is valid according to the rules of the password policy. Check the NMAS password policy configuration and assignment.
  • Page 54: E-Mail Not Generated On Password Failure

    Verify that the <password> for an Add or <modify-password> element is being sent to the connected system. To verify, watch the DSTrace screen or file with the trace options turned on as noted in the first items. Verify that the driver configuration includes the Identity Manager script password policies in the correct location and correct order, as described in Appendix B, “Driver Configuration Policies,”...
  • Page 55: Scenario 3: Synchronizing An Identity Vault And Connected Systems, With Identity Manager Updating The Distribution Password

    A.3 Scenario 3: Synchronizing an Identity Vault and Connected Systems, with Identity Manager Updating the Distribution Password In this scenario, Identity Manager directly updates the Distribution password, and allows NMAS to determine how the other Identity Vault passwords are synchronized. Figure A-6, Synchronizing an Identity Vault and Connected Systems by Updating the Distribution Password (NMAS 3.0)...
  • Page 56: Advantages And Disadvantages Of Scenario 3

    A.3.1 Advantages and Disadvantages of Scenario 3 Table A-3, Synchronizing an Identity Vault and Connected Systems by Updating the Distribution Password (Advantages / Disadvantages). Allows synchronization of passwords between the Identity Vault and connected systems. Lets you choose whether or not to enforce password policies for passwords coming from connected systems.
  • Page 57 Enable Universal Password Synchronize NDS Password when setting Universal Password Synchronize Distribution Password when setting Universal Password Because Identity Manager retrieves the Distribution password to distribute passwords to connected systems, it's important that this option be selected to allow bidirectional password synchronization.
  • Page 58 Make sure that the following are selected: Identity Manager accepts passwords (Publisher Channel) Use Distribution Password for password synchronization A message is displayed on the page if the driver manifest does not contain a “password-publish” capability. This is to inform users that passwords cannot be retrieved from the application and can only be published by creating a password in the driver configuration using a policy.
  • Page 59 Driver Configuration 1 Set the filter correctly for the nspmDistributionPassword attribute: For the Publisher channel, set the driver filter to Ignore for the nspmDistributionPassword attribute for all object classes. For the Subscriber channel, set the driver filter to Notify for the nspmDistributionPassword attribute for all object classes that should subscribe to password changes.
  • Page 60: Troubleshooting Scenario 3

    3 To ensure password security, make sure that you control who has rights to Identity Manager objects. A.3.3 Troubleshooting Scenario 3 “Flowchart for Scenario 3” on page 60 “Trouble Logging In to eDirectory” on page 61 “Trouble Logging In to Another Connected System that Subscribes to Passwords” on page 62 “E-Mail Not Generated on Password Failure”...
  • Page 61 Figure A-7, Password from Identity Manager is Synchronized to the Distribution Password (flowchart; nodes include Identity Manager, NMAS, Validate Password, Set DP, Sync to UP, Set UP, Set NDS, Notify User, Reset Password, Send Email, Stop)...
  • Page 62 ConsoleOne, check the version. Legacy Novell Clients and ConsoleOne might not be able to log in to the Identity Vault if the Universal password is not synchronized with the NDS password. Versions of the Novell Client and ConsoleOne that are aware of the Universal password are available.
  • Page 63 Verify that the driver configuration includes the Identity Manager script password policies in the correct location and correct order, as described in Appendix B, “Driver Configuration Policies,” on page. Compare the password policy in the Identity Vault with any password policies enforced by the connected system, to make sure they are compatible.
  • Page 64: Scenario 4: Tunneling

    Helpful DSTrace Commands +DXML: To view Identity Manager rule processing and potential error messages. +DVRS: To view Identity Manager driver messages. +AUTH: To view NDS password modifications. A.4 Scenario 4: Tunneling Identity Manager enables you to synchronize passwords among connected systems while keeping the Identity Vault password separate.
  • Page 65: Advantages And Disadvantages Of Scenario 4

    The following sections provide information and instructions for this scenario: Section A.4.1, “Advantages and Disadvantages of Scenario 4,” on page 65 Section A.4.2, “Setting Up Scenario 4,” on page 65 Section A.4.3, “Troubleshooting Scenario 4,” on page 67 A.4.1 Advantages and Disadvantages of Scenario 4 Tunneling Table A-4 Advantages...
  • Page 66 Password Policy Configuration Review your password policy to confirm the following: Make sure that Synchronize Distribution Password when setting Universal Password is not selected. This is the key to tunneling passwords without the Identity Vault password being affected. By not synchronizing the Universal password with the Distribution password, you keep the Distribution password separate, for use only by Identity Manager for connected systems.
  • Page 67: Troubleshooting Scenario 4

    A.4.3 Troubleshooting Scenario 4 If password synchronization is set up for tunneling, the Distribution password is different from the Universal password and the NDS password. “Trouble Logging in to Another Connected System that Subscribes to Passwords” on page 67 “E-Mails Not Generated on Password Failure” on page 67 “Error When Using Check Password Status”...
  • Page 68: Scenario 5: Synchronizing Application Passwords To The Simple Password

    Simple Password without reversing the hash. Then, other applications can authenticate to the Identity Vault by using the same clear text or hashed password through LDAP or the Novell Client, with NMAS components configured to use the Simple Password as the login method.
  • Page 69 Figure A-10, Synchronizing to the NDS Password (NMAS 2.3 or later; Distribution password, Universal password, NDS password, Simple password; Identity Manager; connected system with hashed or clear text passwords; connected system authenticating through LDAP). If the password in the connected system is in clear text, it can be published as it is from the connected system into the Identity Vault Simple Password store.
  • Page 70: Advantages And Disadvantages Of Scenario 5

    A.5.1 Advantages and Disadvantages of Scenario 5 Table A-5, Synchronizing to the NDS Password. Advantages: Lets you update the Simple Password directly. Lets you synchronize a hashed password and use it to authenticate for more than one application, without reversing the hash. Disadvantages: This scenario does not allow the use of Universal Password. Forgotten Password and Password Self-Service features can still be used to the...
  • Page 71 2 Configure the driver policies to publish the password from the connected system. 3 For hashed passwords, configure the driver policies to prepend the type of hash (if it is not already provided by the application): {MD5}hashed_password, where the hashed password is Base64 encoded, or {SHA}hashed_password, where the hashed password is Base64 encoded.
  • Page 72 For add operations, the add-attr element would contain one of the following: <add-attr attr-name="SAS:Login Configuration"> <value>{MD5}2tEgXrIHtAnGHOzH3ENslg==</value> </add-attr> or <add-attr attr-name="SAS:Login Configuration"> <value>clearpwd</value> </add-attr>
  • Page 73: Policies Required In The Publisher Command Transformation Set

    Driver Configuration Policies Identity Manager policies on the Publisher and Subscriber channels for each driver govern the password flow. These policies are included in the driver configurations in Identity Manager. “Policies Required in the Publisher Command Transformation Set” on page 73 “Policies Required in the Publisher Input Transformation Policy Set”...
  • Page 74: Policies Required In The Publisher Command Transformation Set

    Table B-1, Policies Required in the Publisher Command Transformation Set (columns: Location in the Driver Configuration; Password Synchronization Policy Name; What the Policy Does). Publisher Command Transformation; Password(Pub)-Default Password Policy; Adds a default password to an Add object if the Add object does not already contain a password.
  • Page 75: Policies Required In The Publisher Input Transformation Policy Set

    B.2 Policies Required in the Publisher Input Transformation Policy Set We recommend that the Password(Pub)-Sub Email Notifications policy be listed last if there are multiple policies in the Input Transformation. Table B-2, Policies Required in the Publisher Input Transformation Policy Set (columns: Location in the Driver Configuration; Password Synchronization Policy Name; What the Policy Does)...
  • Page 76: Policies Required In The Subscriber Output Transformation Policy Set

    Table B-3, Policies Required in the Subscriber Command Transformation Policy Set (columns: Location in the Driver Configuration; Password Synchronization Policy Name; What the Policy Does). Subscriber Command Transformation; Password(Sub)-Transform Distribution Password; Transforms the Universal password to a <password> element. Password(Sub)-Default Password Policy; Adds a default password to an...
  • Page 77 Table B-4, Policies Required in the Subscriber Output Transformation Policy Set (columns: Location in the Driver Configuration; Password Synchronization Policy Name; What the Policy Does). Subscriber Output Transformation; Password(Sub)-Pub Email Notifications; If the password payload information comes through, and the status shows a problem, it sends an e-mail to the user.
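The Scenario 5 procedure on pages 71 and 72 (prepending a {MD5} or {SHA} tag to a Base64-encoded hash and publishing it in an add-attr element for SAS:Login Configuration) as an added, stand-alone example; this is not code from the Novell guide. The attribute name and the tag format come from the guide; the function names, the sample password, and the reading of {SHA} as SHA-1 (the usual LDAP convention) are assumptions of this example.

```python
"""Build and check Simple Password values in the {MD5}/{SHA} Base64 form
that Identity Manager publishes into SAS:Login Configuration (example
code, not the guide's own)."""
import base64
import hashlib
import hmac
from xml.sax.saxutils import escape

SIMPLE_PASSWORD_ATTR = "SAS:Login Configuration"   # attribute named in the guide

# {SHA} is taken here to mean SHA-1, the LDAP convention (assumption).
_SCHEMES = {"MD5": hashlib.md5, "SHA": hashlib.sha1}


def encode_hashed(password: str, scheme: str = "SHA") -> str:
    """Return '{SCHEME}' + Base64(digest(password)), the form the guide shows."""
    try:
        digest = _SCHEMES[scheme](password.encode("utf-8")).digest()
    except KeyError:
        raise ValueError(f"unsupported hash scheme: {scheme}") from None
    return "{%s}%s" % (scheme, base64.b64encode(digest).decode("ascii"))


def prepend_scheme_if_missing(value: str, scheme: str) -> str:
    """Step 3 of the procedure: the connected system may hand over a bare
    Base64 hash, so add the scheme tag only when it is not already present."""
    if value.startswith("{") and "}" in value:
        return value
    return "{%s}%s" % (scheme, value)


def build_add_attr(value: str) -> str:
    """Emit the <add-attr> element shown in the guide for an Add operation.
    The value is XML-escaped so a clear-text password containing '<' or '&'
    cannot break the document the driver publishes."""
    return ('<add-attr attr-name="%s">\n'
            '  <value>%s</value>\n'
            '</add-attr>' % (SIMPLE_PASSWORD_ATTR, escape(value)))


def verify_simple_password(stored: str, candidate: str) -> bool:
    """Check a presented password against a stored Simple Password value,
    either clear text or a {MD5}/{SHA}-tagged hash, without reversing the
    hash. Unknown schemes and malformed Base64 are rejected, and comparisons
    are constant-time."""
    if stored.startswith("{") and "}" in stored:
        scheme, _, b64 = stored[1:].partition("}")
        if scheme not in _SCHEMES:
            return False
        try:
            expected = base64.b64decode(b64, validate=True)
        except ValueError:            # binascii.Error is a ValueError subclass
            return False
        actual = _SCHEMES[scheme](candidate.encode("utf-8")).digest()
        return hmac.compare_digest(expected, actual)
    return hmac.compare_digest(stored.encode("utf-8"), candidate.encode("utf-8"))


if __name__ == "__main__":
    # Constructed sample password; the Base64 value below is the guide's own
    # {MD5} example, reused only to show the tag-prepending step.
    tagged = encode_hashed("constructed-sample-pw", "SHA")
    print(build_add_attr(tagged))
    print(prepend_scheme_if_missing("2tEgXrIHtAnGHOzH3ENslg==", "MD5"))
    print(verify_simple_password(tagged, "constructed-sample-pw"))   # True
```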
