--- Sjoerd Hooft's InFormation Technology ---
Universal Password

Universal Password Introduction

Universal Password is a way to simplify the integration and management of different password and authentication systems by providing the following key features:

  • Providing one password for all access to eDirectory.
  • Enabling the use of extended characters in passwords.
  • Enabling advanced password policy enforcement.
  • Allowing synchronization of passwords from eDirectory to other systems.

A password policy is a collection of administrator-defined rules that specify the criteria for creating and replacing end user passwords.

A Universal Password is protected by three levels of security: triple DES encryption of the password itself, eDirectory rights, and file system rights.

The Universal Password is encrypted by a triple DES, user-specific key. Both the Universal Password and the user key are flagged with a hidden attribute that only eDirectory can read. The user key (3DES) is stored encrypted with the tree key, and the tree key is protected by a unique NICI key on each machine. (Note that neither the tree key nor the NICI key is stored within eDirectory. They are not stored with the data they protect.) The tree key is present on each machine within a tree, but each tree has a different tree key. So, data encrypted with the tree key can be recovered only on a machine within the same tree. Thus, while stored, the Universal Password is protected by three layers of encryption.

Each key is also secured via eDirectory rights. Only administrators with the Supervisor right or the users themselves have the rights to change Universal Passwords.

File system rights ensure that only a user with the proper rights can access these files.
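As an added illustration (not from the original page and not Novell's own code or storage format), the following Go model shows the key layering described above: the password is encrypted with a user-specific 3DES key, that key is wrapped with the tree key, and only a server holding the same tree key can recover the password. The NICI protection of the tree key is not modelled, and 3DES-CTR with a random IV and the function names are assumptions.

```go
package main

import (
	"crypto/cipher"
	"crypto/des"
	"crypto/rand"
	"errors"
)

// Model only (not Novell's real format): password -> user 3DES key -> tree key.
// seal encrypts pt under a 24-byte 3DES key and returns iv||ciphertext.
func seal(key, pt []byte) ([]byte, error) {
	blk, err := des.NewTripleDESCipher(key) // rejects any key that is not 24 bytes
	if err != nil {
		return nil, err
	}
	out := make([]byte, 8+len(pt))
	rand.Read(out[:8]) // fresh IV for every encryption
	cipher.NewCTR(blk, out[:8]).XORKeyStream(out[8:], pt)
	return out, nil
}

// open reverses seal; CTR has no integrity check, so a wrong 24-byte key yields junk, not an error.
func open(key, data []byte) ([]byte, error) {
	blk, err := des.NewTripleDESCipher(key)
	if err != nil || len(data) < 8 {
		return nil, errors.New("need a 24-byte key and an iv||ciphertext input")
	}
	pt := make([]byte, len(data)-8)
	cipher.NewCTR(blk, data[:8]).XORKeyStream(pt, data[8:])
	return pt, nil
}

// Store yields the two hidden attributes: the password under a fresh user key, and that user key under the tree key.
func Store(password string, treeKey []byte) ([]byte, []byte, error) {
	userKey := make([]byte, 24)
	rand.Read(userKey) // per-user 3DES key, never stored in the clear
	encPw, _ := seal(userKey, []byte(password)) // userKey is always 24 bytes, cannot fail
	encUserKey, err := seal(treeKey, userKey)
	return encPw, encUserKey, err
}

// Recover unwraps the user key with the tree key first; a server in another tree gets a wrong user key and junk.
func Recover(encPw, encUserKey, treeKey []byte) (string, error) {
	userKey, _ := open(treeKey, encUserKey) // nil if the tree key has the wrong size
	pw, err := open(userKey, encPw)         // a nil userKey then fails here
	return string(pw), err
}
```

Because the model has no integrity check, a wrong tree key silently produces junk rather than an error; in the product it is the eDirectory and file system rights described above that keep the stored values out of reach in the first place.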

Before you can implement Universal Password, you need to meet these requirements:

  • Make sure your Security Container is available
  • Verify that your SDI Domain Key servers are ready for Universal Password
  • Upgrade at least one server in the replica ring to NetWare 6.5 or later or eDirectory 8.7.3 or later
  • Check the container for SDI Key consistency

A basic implementation of Universal Password is just two steps:

  • Enable Universal Password
  • Deploy Novell Client software

Implement Universal Password

  1. Start Novell iManager.
  2. Click Roles and Tasks > Passwords > Password Policies.
  3. Start the Password Policy Wizard by clicking New.
  4. Provide a name for the policy and click Next.
  5. Select Yes to enable Universal Password.
  6. Complete the Password Policy Wizard.

Configure Universal Password

Configuration of Universal Password consists of two parts: enabling Universal Password and setting its basic options, and configuring the advanced password rules. One of the basic options is whether to turn the advanced password rules on or off, which brings you to the second part.

Configuration Options

[Screenshot: configurationoptions.jpg, the Universal Password configuration options]
Universal Password is now enabled, as you would also do for Identity Manager / DirXML. Identity Manager needs both the Universal Password and the Distribution Password to be populated. All the other options speak for themselves.

Advanced Password Rules

[Screenshots: advpasswordrules1.jpg, advpasswordrules2.jpg, advpasswordrules3.jpg, the Advanced Password Rules settings]

The settings shown here are quite tight. You should consult your users about how these settings will affect them.

Sources

universalpassword.txt · Last modified: 2021/09/24 00:25 (external edit)