Novell® www.novell.com
novdocx (en) 13 May 2009
AUTHORIZED DOCUMENTATION

Identity Manager 3.6.1 Password Management Guide

Identity Manager

3.6.1

June 05, 2009

Password Management Guide

Summary of Contents for IDENTITY MANAGER 3.6.1 - PASSWORD MANAGEMENT

Page 1: ...Novell, www.novell.com, novdocx (en) 13 May 2009. AUTHORIZED DOCUMENTATION. Identity Manager 3.6.1 Password Management Guide. Identity Manager 3.6.1, June 05, 2009. Password Management Guide...

Page 2: ...port to entities on the current U.S. export exclusion lists or to any embargoed or terrorist countries as specified in the U.S. export laws. You agree to not use deliverables for prohibited nuclear, missi...

Page 3: ...Trademarks. For Novell trademarks, see the Novell Trademark and Service Mark list (http://www.novell.com/company/legal/trademarks/tmlist.html). Third-Party Materials: All third-party trademarks are the proper...

Page 4: ...4 Identity Manager 3.6.1 Password Management Guide, novdocx (en) 13 May 2009...

Page 5: ...That Don't Accept or Provide Passwords By Default 16; 3.4 Systems That Don't Support Password Synchronization 17; 4 Configuring Password Flow 19; 4.1 Verifying Password Synchronization Settings in iMana...

Page 6: ...y Vault and Connected Systems with Identity Manager Updating the Distribution Password 55; A.3.1 Advantages and Disadvantages of Scenario 3 56; A.3.2 Setting Up Scenario 3 56; A.3.3 Troubleshooting Scena...

Page 7: ...ho require a high-level introduction to Identity Manager business solutions, technologies, and tools. Documentation Updates: For the most recent version of this document, see the Identity Manager Documenta...


Page 9: ...Figure 1-1 Password Management with Identity Manager. Identity Manager provides synchronization of passwords between the Identity Vault and connected systems. It also supports password self-service, whic...

Page 10: ...ronize the Distribution and Universal passwords, or not synchronize them. If you synchronize the passwords, your Identity Vault passwords and connected system passwords will be the same. If you don't sync...

Page 11: ...y Manager resets passwords that flow from the connected system but do not comply with rules in the policy. 1.4 Password Policy Enforcement Notifications: Identity Manager enables you to automatically no...

Page 12: ...nformation on how to check passwords, see "Checking the Password Synchronization Status for a User" on page 39. For a list of which systems support checking passwords, see "Connected System Support for Pass...

Page 13: ...rd_management32/pwm_administration/index.html?page=/documentation/password_management32/pwm_administration/data/allq21t.html) in the Novell Password Management 3.2 Administration Guide. 2.2 Synchronizing...

Page 14: ...pplication by following the installation checklist. For instructions, see "Installation Checklist" (http://www.novell.com/documentation/idmrbpm361/install/data/bf8up4w.html) in the Identity Manager Roles Base...

Page 15: ...cept password changes from Identity Manager. This allows the password to be changed in either the Identity Vault or the connected system and then synchronized as needed. Table 3-1 Systems that Support B...

Page 16: ...ed in the sample driver configuration. 4. Passwords can be synchronized as data when stored in a table. 5. If the target LDAP server allows setting the userpassword attribute. 6. The Notes driver can accept...

Page 17: ...ronization (table columns): Connected System Driver | Subscriber Channel | Subscriber Channel | Subscriber Channel | Publisher Channel | Application Can Accept Setting of Initial Password | Application Can Accept Modification of...


Page 19: ...e properties page for the driver whose password settings you want to check. 1a. Click to display the Identity Manager Administration page. 1b. In the Administration list, click Identity Manager Overview. 1c...

Page 20: ...t password only if it complies with user's Password Policy. This setting is available only if the "Use Distribution Password for password synchronization" setting is enabled. If this option is selected, Id...

Page 21: ...If you enable this option, e-mail is sent to the user if a password is not synchronized, set, or reset. The e-mail that is sent to the user is based on an e-mail template. This template is provided by the...

Page 22: ...t password only if it complies with user's Password Policy. This setting is available only if the "Use Distribution Password for password synchronization" setting is enabled. If this option is selected, Id...

Page 23: ...l password made in the Identity Vault are also sent to the connected system. Notify the user of password synchronization failure via e-mail: If you enable this option, e-mail is sent to the user if a pas...


Page 25: ...oices in iManager. For Forgotten Password, e-mail notifications are sent only if you choose to use one of the Forgotten Password actions that causes an e-mail to be sent: e-mailing a password to the user...

Page 26: ...the SMTP server. See Section 5.4, "Providing SMTP Authentication Information in Driver Policies," on page 28. If you are concerned that some users might not have the e-mail address populated, or if you want...

Page 27: ...policies contain the password. See Section 5.4, "Providing SMTP Authentication Information in Driver Policies," on page 28 for instructions. Specifying the authentication information in the Email Server Op...

Page 28: ...vers that need to be updated with the changes. The driver reads the templates and SMTP server information only at startup time. 5.4 Providing SMTP Authentication Information in Driver Policies: You speci...

Page 29: ...on or an Output Transformation icon. 5. Select a policy, then click Edit. 6. Click a rule. 7. Specify the password for the SMTP server in the rules that include Do Send E-mail from Template actions. For examp...

Page 30: ...k unless you also define them in every password synchronization policy rule that refers to the e-mail notification template. When using a DoSendEmailFromTemplate action, all replacement tags declared wi...

Page 31: ...n Password, which are limited to eDirectory user attributes. Unlike adding tags for the e-mail templates for Forgotten Password, which require you to use the exact name of an eDirectory user attribute, yo...

Page 32: ...the e-mail notification template. For example, in the Password(Pub)-Sub Email Notifications policy, you see the following list of rules. Both of these rules reference one of the password synchronization e...

Page 33: ...Configuring E-Mail Notification 33, novdocx (en) 13 May 2009. 7. Scroll to the Actions section...

Page 34: ...sword synchronization policies that are part of the Identity Manager driver configurations like this one. You can use the default tags as an example. 9. To define a tag that you could use in an e-mail no...

Page 35: ...ferring to the e-mail template; a global configuration value; an XPATH expression. The following figure illustrates how to define the tag. After you define the tag and click OK, it shows up as one of the s...

Page 36: ...fications also go to the administrator. To do this, you must modify the Identity Manager script for one of the policies. Send a Blind Copy to the administrator by defining the token with the administrato...

Page 37: ...l transformation. For Password Synchronization e-mail messages, an XML attribute named charset can be specified on the following elements: mail, message, and ... For information on using these elements, see the...


Page 39: ...st. The Check Object Password action checks the Distribution password. If the Distribution password is not being updated, Check Object Password might report that passwords are not synchronized. The Distri...

Page 40: ...ays reported as being not synchronized. In fact, the Distribution password and the password on the connected system might be in sync, but Check Password Status won't be accurate unless both the NDS passw...

Page 41: ...ctive Directory. The sample configuration for the Active Directory driver sends the initial password as a separate operation from adding the user, and the sample configuration also includes a policy tha...

Page 42: ...e assigned with a tree-centric perspective. In contrast, Password Synchronization is set up per driver. Drivers are installed on a per-server basis and can manage only those users who are in a master or...

Page 43: ...nd Connected Systems with Identity Manager Updating the Distribution Password," on page 55. Section A.4, "Scenario 4: Tunneling," on page 64. Section A.5, "Scenario 5: Synchronizing Application Passwords to the S...

Page 44: ...t attributes in the driver filter. If you are deploying Identity Manager and eDirectory 8.7.3 in stages, this method can help you deploy gradually. You don't need to add the new password synchronization...

Page 45: ...Figure A-2 Synchronizing the Private and Public Key Attributes. A.1.3 Troubleshooting Scenario 1: Turn on the DSTrace option. Check the driver Filter to make sure the Public Key and Private Key attribute...

Page 46: ...ieves the Distribution password to distribute to connected systems that are set to accept passwords. Although multiple connected systems are shown as connecting to Identity Manager in this figure, keep...

Page 47: ...he Identity Vault and the connected system. Allows passwords to be validated against the NMAS password policy. Allows e-mail notifications for failed password operations, such as when a password coming f...

Page 48: ...the Login Policy object in the Security container, a partition root container, a container, or a specific user. To simplify management, we recommend that you assign password policies as high in the tree as...

Page 49: ...t conflict with the password policies on any connected systems that are subscribing to passwords. Password Synchronization Settings: 1. In iManager, select Passwords > Password Synchronization. 2. Search for...

Page 50: ...red. Notify the user of password synchronization failure via e-mail: Keep in mind that e-mail notifications require the Internet EMail Address attribute on the eDirectory User object to be populated. E-m...

Page 51: ...ords" on page 53. "E-Mail Not Generated on Password Failure" on page 54. "Error When Using Check the Object Password" on page 54. "Helpful DSTrace Commands" on page 54. Also see the tips in Section 7, "Troubleshoo...

Page 52: ...hronizing the Universal password with the other passwords. Figure A-4 How NMAS Handles the Password It Receives from Identity Manager. Trouble Logging in to the Identity Vault: Turn on the AUTH, DXML, and...

Page 53: ...rd when setting Universal Password is selected. Trouble Logging in to Another Connected System that Subscribes to Passwords: This section is for troubleshooting cases where this connected system is publ...

Page 54: ...on page 25. Error When Using Check the Object Password: The Check Password Status task in iManager causes the driver to check object password action. If you have problems, review the following. If the Che...

Page 55: ...ribution password. 3. Identity Manager also uses the Distribution password to distribute to connected systems that you have specified should accept passwords. 4. NMAS synchronizes the Universal password w...

Page 56: ...parts of the Identity Vault tree that you want to have this kind of password synchronization. You can assign it to the entire tree structure, a partition root container, a container, or a specific user. To...

Page 57: ...to connected systems, it's important that this option be selected to allow bidirectional password synchronization. 4. If you are using Advanced Password Rules, make sure that they don't conflict with the...

Page 58: ...a connected system should subscribe to passwords but not publish, select only Application accepts passwords (Subscriber Channel). 4. Specify whether you want NMAS password policies to be enforced or ignor...

Page 59: ...ore for the nspmDistributionPassword attribute for all object classes. For the Subscriber channel, set the driver filter to Notify for the nspmDistributionPassword attribute for all object classes that...

Page 60: ...on page 63. "Helpful DSTrace Commands" on page 64. Also see the tips in Section 7, "Troubleshooting Password Synchronization," on page 41. Flowchart for Scenario 3: Figure A-7 illustrates how NMAS handles the...

Page 61: ...rd. Trouble Logging In to eDirectory: Turn on the AUTH, DXML, and DVRS settings in DSTrace. Figure A-8 DSTrace commands (flowchart labels: Identity Manager, NMAS, Validate Password, Valid Password, Set DP, yes, yes, Sync to UP, pass...)

Page 62: ...don't want to use the NDS password for most users, but you have administrator or help desk users who need to authenticate with legacy utilities, try using a different password policy for help desk users...

Page 63: ...d system supports checking passwords. See Section 3, "Connected System Support for Password Synchronization," on page 15. If the driver manifest does not indicate that the connected system supports password...

Page 64: ...icies with the option disabled for Synchronize Distribution Password when setting Universal Password. Figure A-9 Tunneling with Identity Manager Updating the Distribution Password. Figure A-9 illustrate...

Page 65: ...tages | Disadvantages. Allows synchronization of passwords among connected systems while keeping the Identity Vault password separate. The password policy does not need to have Universal Password enabled...

Page 66: ...s Identity Manager acts as a conduit, distributing passwords to and from other connected systems without affecting the Identity Vault password. Complete the other password policy settings as desired. The...

Page 67: ...Make sure that the Identity Manager accepts passwords (Publisher Channel) option is selected on the Password Synchronization page. In the password policy, make sure that Synchronize Distribution Password...

Page 68: ...al to Distribution option within the password policy. If the Check Object Password action returns Not Synchronized, verify that the driver configuration contains the appropriate Identity Manager passwor...

Page 69: ...d using LDAP, NMAS compares the password value from the application with the value in the Simple Password. If the password stored in the Simple Password is a hash value, NMAS first uses the password valu...

Page 70: ...hat the Password Synchronization global configuration values (GCVs), which are set by using the Password Synchronization page in iManager, have no effect. Driver Configuration: 1. Make sure that the SAS:Logi...

Page 71: ...text passwords and UNIX Crypt password hashes are not Base64 encoded. 4. To place the password into the Simple Password, configure the driver policies to modify the SAS:Login Configuration attribute. The...

Page 72: ...x (en) 13 May 2009. For add operations, the add-attr element would contain one of the following: <add-attr attr-name="SAS:Login Configuration"><value>{MD5}2tEgXrIHtAnGHOzH3ENslg</value></add-attr> or <add-attr attr...

Page 73: ...formation Set" on page 73. "Policies Required in the Publisher Input Transformation Policy Set" on page 75. "Policies Required in the Subscriber Command Transformation Policy Set" on page 75. "Policies Require...

Page 74: ...ger accepts passwords from this connected system. If not, it strips out all password elements. The name of the GCV is enable-password-publish and the display name is Identity Manager accepts passwords fr...

Page 75: ...rd Synchronization Policy Name column must be present in the order listed. Also, they must be the last policies in the Subscriber Command Transformation policy set. Location in the Driver Configuration | P...

Page 76: ...t | Password(Sub)-Default Password Policy | Adds a default password to an Add object if the Add object does not already contain a password. This policy and the Password(Pub)-Default Password Policy are the o...

Page 77: ...tion | Password Synchronization Policy Name | What the Policy Does. Subscriber Output Transformation | Password(Sub)-Pub Email Notifications | If the password payload information comes through and the status sh...

