Top 10 Downloads
  Last 15 New Files
  Web Links
  Last 15 New Tips
  NLM Programming
  Admins Club

SUPLA System
Internet of Things

Installation and Administration

Polish Forum SUSE

Who's Online

 There are currently,
5 guest(s)
that is (are) online.

Technical Information

Back to List of Categories

Technical Information about
  A Beginner's Guide to LDAP Development
  Changing Time SourceType for a 4.X server
  Common Dsrepair switches - with explanations
  Deactivating Anonymous LDAP Logins
  DSMaint -PSE (Replacing Crashed Server)
  DSRepair: Is It Overused?
  Fixing ConsoleOne Refresh Problems
  Generic Design for an iManager Plugin
  Generic Design of iManager Plugin - Part 2
  Getting ConsoleOne Running on Red Hat 9
  LDAP Directory Service: Novell eDirectory
  NMAS and Kerberos
  Removing a Crashed Server from the NDS Tree
  The DSREPAIR Utility
  Timesync Config, Issues and Definitions
  Understanding eDirectory and Clustering
  Universal Password and Containers

Technical Information
 Universal Password and Containers

Printer-friendly version

Posted: 13 Apr 2005

Here are two questions and two responses from Forum experts on the subject of Universal Password management.

Question 1: How Do I Assign a Password Policy to the Tree?

In the NMAS documentation I read: "When you enable Universal Password on a container, it is enabled on all existing subcontainers as well. If you enable Universal Password at the Tree level, all subcontainers you create after enabling Universal Password will be enabled for Universal Password. However, if you enable Universal Password on a container below the Tree level, such as, on an Organization (O) or an Organizational Unit (OU), and then create a new subcontainer, you must enable Universal Password on that subcontainer. It is not automatically enabled."

What I cannot get right in iManager, however, is to assign my password policy (with Universal Password enabled) to the tree. I can only assign it to Users, Organizations, Organizational Units, and Login Policy objects. We have a client with a lot of containers, and I don't want them to have to assign the password policy to each new container when it is created.

Answer, Forum Expert 1

The solution to this is quite simple.

  • If you want to assign it on a tree wide basis, assign it to the Login Policy object.
  • If you set it on a container that is not partitioned, then the policy will only be in effect for the objects inside that container (no subcontainers).
  • However, if the container IS partitioned then the assigned policy will flow down to the subcontainers inside that partition only.
  • You can also set it on a user basis if needed.

Universal Password starts at the User, then parent container, partition root, then Login policy object searching for a policy. The lowest policy found is the policy that is applied. So a policy set on a user will override a container or tree-wide policy.

Question 2: How does UP Affect eDirectory?

If we enable Universal Password in a test OU on the live tree, what changes occur in eDirectory? Are they easily reversible? In other words, if we switch UP off, will everything go back to normal?

I've read many articles and postings on slow logins and NMAS on the client etc., but we just want to enable CIFS on one OU and have UP sync NDS with simple passwords, so we don't have to manage simple passwords. This particular OU does not have any machines with Novell clients. Needless to say they cannot access the NW servers yet.

I have read the deployment guide but do not have a clear understanding of the changes I'll be making by enabling UP. Any comments are greatly appreciated.

Answer, Forum Expert 2

Enabling a Universal Password Policy on an OU (that is not partitioned) will apply to the users inside that container ONLY.

Enabling the Password Policy on the container does absolutely nothing to the users inside the container until they log in from an NCP client (Novell Client). Once they log in, and there is a policy in place, additional attributes are created on the user object. These attributes store the passwords, but they are hidden attributes, so you can't tell anything has happened. You can use DIAGPWD1.EXE to verify that the NDS, Simple and Universal Passwords are the same. You can find that utility on Novell's support website.

If Simple passwords aren't previously populated on the users before enabling UP, the users must log in from an NCP client to get their NDS password to sync to Simple. That should only be the case if you don't have a Simple password already assigned, and it's a one-time thing.

If you turn the password policy off (by taking the assignment off the OU) the users will revert back to using the NDS password, Simple password, etc. However, if they logged in while UP Policy was enabled, they will have the additional attributes (they won't hurt anything).

Since 2003

Portal posiada akceptację firmy Novell Polska
Wszystkie materiały dotyczące produktów firmy Novell umieszczono za zgodą Novell Polska
Portal has been accepted by the Novell Polska
All materials concerning products of Novell firm are placed with Novell Polska consent.
NetWare is a registered trademark of Novell Inc. in the United States and other countries.
Windows is a trademark or a registered trademark of Microsoft Corporation in the United States and other countries.
Sybase is a registered trademark of Sybase Inc. in the United States of America.
Other company and product names are trademarks or registered trademarks of their respective owners.