SHIFT

--- Sjoerd Hooft's InFormation Technology ---


universalpassword
Differences

This shows you the differences between two versions of the page.

universalpassword [2013/03/05 06:52] (current)
sjoerd created
Line 1: Line 1:
 += Universal Password =
 +== Universal Password Introduction ==
 +Universal Password is a way to simplify the integration and management of different password and authentication systems into by providing the following key features:
 +* Providing one password for all access to eDirectory.
 +* Enabling the use of extended characters in password.
 +* Enabling advanced password policy enforcement.
 +* Allowing synchronization of passwords from eDirectory to other systems.
 +A password policy is a collection of administrator-defined rules that specify the criteria for creating and replacing end user passwords. ​
  
 +A Universal Password is protected by three levels of security: triple DES encryption of the password itself, eDirectory rights, and file system rights.
 +
 +The Universal Password is encrypted by a triple DES, user-specific key. Both the Universal Password and the user key are flagged with a hidden attribute that only eDirectory can read. The user key (3DES) is stored encrypted with the tree key, and the tree key is protected by a unique NICI key on each machine. (Note that neither the tree key nor the NICI key is stored within eDirectory. They are not stored with the data they protect.) The tree key is present on each machine within a tree, but each tree has a different tree key. So, data encrypted with the tree key can be recovered only on a machine within the same tree. Thus, while stored, the Universal Password is protected by three layers of encryption.
 +
 +Each key is also secured via eDirectory rights. Only administrators with the Supervisor right or the users themselves have the rights to change Universal Passwords.
 +
 +File system rights ensure that only a user with the proper rights can access these files.
 +
 +Before one can implement Universal Password you need to comply with these requirements:​
 +* Make sure your Security Container is available
 +* Verify that your SDI Domain Key servers are ready for Universal Password
 +* Upgrade at least one server in the replica ring to Netware 6.5 or later or eDirectory 8.7.3 or later
 +* Check the container for SDI Key consistency
 +
 +A basic implementation of Universal Password is just two steps:
 +* Enable Universal Password
 +* Deploy Novell Client software
 +== Implement Universal Password ==
 +# Start Novell iManager.
 +# Click Roles and Tasks > Passwords > Password Policies.
 +# Start the Password Policy Wizard by clicking New.
 +# Provide a name for the policy and click Next.
 +# Select Yes to enable Universal Password.
 +# Complete the Password Policy Wizard.
 +== Configure Universal Password ==
 +Configuration of Universal Password consists of two parts. The enabling of universal password and setting the basic options. One of these options is whether to turn advanced password rules on or off, which is the second part.
 +=== Configuration Options ===
 +{{configurationoptions.jpg}} \\ 
 +You have universal password now enabled as you would do for Identity Manager / dirXML. This program needs the universal password as well as the distribution password occupied. All the other options speak for themselves. ​
 +=== Advanced Password Rules
 +{{advpasswordrules1.jpg}} \\
 +{{advpasswordrules2.jpg}} \\
 +{{advpasswordrules3.jpg}} \\
 +
 +The settings shown here are quite tide. You should consult with your users how these settings can affect them.
 +
 += Sources =
 +Novell Password Management Guide: http://​www.novell.com/​documentation/​password_management/​index.html
 +
 +{{tag>​edirectory security}}
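Review bot: The heading `=== Advanced Password Rules` is missing its closing `===`, unlike `=== Configuration Options ===` a few lines above it, so it will not render as a heading; close it. In the introduction, "integration and management of different password and authentication systems into by providing" lacks the object of "into", and in the closing paragraph "quite tide" looks like a typo for "tight". The file-system-rights paragraph refers to "these files" although no files have been named at that point, so state which files are meant. The sentence saying Identity Manager needs the distribution password "occupied" does not say which option in the screenshot that corresponds to; naming the setting would make the step reproducible without the image.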
universalpassword.txt · Last modified: 2013/03/05 06:52 by sjoerd