Universal Password and Containers
Posted: 13 Apr 2005
Here are two questions and two responses from Forum experts on the subject of
Universal Password management.
Question 1: How Do I Assign a Password Policy to the Tree?
In the NMAS documentation I read: "When you enable Universal Password on a
container, it is enabled on all existing subcontainers as well. If you enable
Universal Password at the Tree level, all subcontainers you create after
enabling Universal Password will be enabled for Universal Password. However, if
you enable Universal Password on a container below the Tree level, such as, on
an Organization (O) or an Organizational Unit (OU), and then create a new
subcontainer, you must enable Universal Password on that subcontainer. It is not
automatically enabled."
What I cannot get right in iManager, however, is to assign my password policy
(with Universal Password enabled) to the tree. I can only assign it to Users,
Organizations, Organizational Units, and Login Policy objects. We have a client
with a lot of containers, and I don't want them to have to assign the password
policy to each new container when it is created.
Answer, Forum Expert 1
The solution to this is quite simple.
- If you want to assign it on a tree wide basis, assign it to the Login
Policy object.
- If you set it on a container that is not partitioned, then the policy will
only be in effect for the objects inside that container (no subcontainers).
- However, if the container IS partitioned then the assigned policy will
flow down to the subcontainers inside that partition only.
- You can also set it on a user basis if needed.
Universal Password searches for a policy starting at the User, then the parent
container, the partition root, and then the Login Policy object. The lowest policy found is the
policy that is applied. So a policy set on a user will override a container or
tree-wide policy.
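
The lookup order described in the answer above, as an added Python model that is not part of the original forum post or any Novell tool. The tree, object names and policy names are constructed, and the topmost container is assumed to be a partition root.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Container:
    name: str
    parent: Optional["Container"] = None
    partition_root: bool = False   # True if a partition starts here
    policy: Optional[str] = None   # password policy assigned directly

@dataclass
class User:
    name: str
    container: Container
    policy: Optional[str] = None

def partition_root_of(c: Container) -> Container:
    # Walk up to the nearest partition root; the topmost container is
    # treated as one (assumption of this model).
    while c.parent is not None and not c.partition_root:
        c = c.parent
    return c

def effective_policy(user: User, login_policy: Optional[str] = None):
    """Search order from the answer: user, parent container,
    partition root, Login Policy object. First hit wins."""
    search = [
        ("user", user.policy),
        ("parent container", user.container.policy),
        ("partition root", partition_root_of(user.container).policy),
        ("Login Policy", login_policy),
    ]
    for source, policy in search:
        if policy is not None:
            return policy, source
    return None, None

# Constructed sample tree (all names hypothetical).
org = Container("O=acme", partition_root=True)
sales = Container("OU=sales", org, partition_root=True, policy="SalesUP")
east = Container("OU=east", sales)
hr = Container("OU=hr", org, policy="HRUP")          # not partitioned
payroll = Container("OU=payroll", hr)                # subcontainer of hr

users = [
    User("alice", east),                    # inherits via partition root
    User("bob", east, policy="AdminUP"),    # user assignment wins
    User("carol", hr),                      # direct child of hr
    User("dave", payroll),                  # hr policy does not reach here
]

if __name__ == "__main__":
    for u in users:
        print(u.name, effective_policy(u, login_policy="TreeUP"))
```

Running the model with `login_policy=None` shows which users would be left without any password policy, which is the case to check for when containers are added below a non-partitioned OU.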
Question 2: How does UP Affect eDirectory?
If we enable Universal Password in a test OU on the live tree, what changes
occur in eDirectory? Are they easily reversible? In other words, if we switch UP
off, will everything go back to normal?
I've read many articles and postings on slow logins and NMAS on the client
etc., but we just want to enable CIFS on one OU and have UP sync NDS with simple
passwords, so we don't have to manage simple passwords. This particular OU does
not have any machines with Novell clients. Needless to say they cannot access
the NW servers yet.
I have read the deployment guide but do not have a clear understanding of the
changes I'll be making by enabling UP. Any comments are greatly appreciated.
Answer, Forum Expert 2
Enabling a Universal Password Policy on an OU (that is not partitioned) will
apply to the users inside that container ONLY.
Enabling the Password Policy on the container does absolutely nothing to the
users inside the container until they log in from an NCP client (Novell Client).
Once they log in, and there is a policy in place, additional attributes are
created on the user object. These attributes store the passwords, but they are
hidden attributes, so you can't tell anything has happened. You can use
DIAGPWD1.EXE to verify that the NDS, Simple and Universal Passwords are the
same. You can find that utility on Novell's support website.
If Simple passwords aren't previously populated on the users before enabling
UP, the users must log in from an NCP client to get their NDS password to sync
to Simple. That should only be the case if you don't have a Simple password
already assigned, and it's a one-time thing.
If you turn the password policy off (by taking the assignment off the OU) the
users will revert back to using the NDS password, Simple password, etc. However,
if they logged in while UP Policy was enabled, they will have the additional
attributes (they won't hurt anything).