Universal Password notes

Passwords changed by the following methods will change the Universal Password, and the new value is propagated to the eDir password and the Simple password:

  • Change-password from 4.9+ client change-password dialogs
  • Change-password from 3.40 client, if NICI 2.6.1 and NMAS Client 2.2 are also installed (not default)
  • Change-password from AFP client, if AFPTCP.NLM is loaded on a NW6.5 server
  • Change-password API call made from a 4.9+ client machine to an 8.7.3 directory server hosting a replica of the user's object
  • Change-password from C1, if on a 4.9+ client machine
  • Change-password from C1, in a special tab, if the machine's client is older than v4.9
  • Change-password from NWADMN32, if on 4.9+ client machine (untested)
  • Change-password from iManager, if iManager is on a NW6.5 machine with eDir 8.7.3
  • Change-password from LDAP, if NLDAP.NLM is loaded on a NW6.5 server
Gotchas:
  • Universal Password is enabled per container or per tree. When enabled on a container, its existing subcontainers are included, but containers created afterwards will NOT have UP enabled by default.
  • When Universal Password is turned on, the initial UP value is copied from the Simple password, not from the eDir password. The eDir password is not stored in a recoverable form and cannot be retrieved in cleartext; the Simple password can be, so it is the only value available to seed the UP.
  • If Universal Password is turned on without the sync option set, a user's UP is populated at their next password change. Simple/eDir/UP are still kept in sync from then on, but the initial population of Universal Passwords does not happen at the moment UP is turned on.
  • The AFP password is still limited to 8 characters (though Mac OS 10.3 fixed this?). As with classic Unix crypt(3) passwords, if the Universal Password is longer than 8 characters, only the first eight are used over AFP; the effective password is just those eight characters, so a long UP is only as strong as its first eight characters on that path.
  • Password policies, including complexity requirements, are created in iManager.
  • Passwords are now case-sensitive. Surprise!
  • Password-policy objects are kept in the Security container (e.g. .passwordpolicy.security.wwu).
  • The password-change rules are displayed to the end user when the password is changed from the client (client v4.9 SP2 or later).
Advanced Password Restrictions include the following possibilities:
  • Require unique passwords
    • Number of passwords to store
    • Number of days to store a password
  • Password Lifetime
    • Number of days before password can be changed
    • Number of days before password expires
    • Number of grace logins
  • Minimum/Maximum characters in password (1-512)
  • Minimum number of unique characters in the password
  • Maximum number of times a specific character can be used
  • Maximum number of times a specific character can be repeated sequentially
  • Minimum/Maximum number of upper-case characters
  • Minimum/Maximum number of lower-case characters
  • Allow/disallow numeric characters in password
    • Disallow numeric as first/last character
    • Minimum/Maximum number of numerals in password
  • Allow/disallow special characters in password
    • Disallow special characters as first/last character
    • Minimum/Maximum number of special characters in password
  • Password exclusion list, hand edited. NOT INTENDED FOR DICTIONARIES; the documentation says so explicitly:
    • "Instead of a long exclusion list to protect against "dictionary attacks" on passwords, we recommend that you use the Advanced Password Rules to require numbers to be included in the password."
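Added example (not Novell/NMAS code and not from these notes): a small Python checker that applies the rule list above to a candidate password, plus a helper for the AFP gotcha noted earlier, which flags a password that satisfies the policy as a whole but whose first eight characters (all an AFP client actually uses) do not. The PasswordPolicy field names, check_password(), longest_run(), afp_effective_password(), afp_truncation_weakens() and the numbers in EXAMPLE_POLICY are this example's own assumed names and values chosen to mirror the list; treating a "special" character as any non-alphanumeric character is also an assumption, since the page does not define the term.

```python
"""Policy checker modelled on the Advanced Password Rules above.

Added example, not Novell/NMAS code: it does not read policy objects from
eDirectory or talk to NMAS. All names and the EXAMPLE_POLICY numbers are
this example's own assumptions, chosen to mirror the rule list on this page.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Sequence


def _is_special(ch: str) -> bool:
    # Assumption: a "special" character is anything that is not a letter or a digit.
    return not ch.isalnum()


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int = 1                            # Minimum/Maximum characters (1-512)
    max_length: int = 512
    min_unique_chars: int = 0                      # Minimum number of unique characters
    max_char_uses: Optional[int] = None            # Max times a specific character can be used
    max_sequential_repeat: Optional[int] = None    # Max times a character can repeat sequentially
    min_upper: int = 0                             # Minimum/Maximum upper-case characters
    max_upper: Optional[int] = None
    min_lower: int = 0                             # Minimum/Maximum lower-case characters
    max_lower: Optional[int] = None
    allow_numeric: bool = True                     # Allow/disallow numerals ...
    disallow_numeric_first_last: bool = False      # ... and numerals as first/last character
    min_numeric: int = 0
    max_numeric: Optional[int] = None
    allow_special: bool = True                     # Allow/disallow special characters ...
    disallow_special_first_last: bool = False      # ... and specials as first/last character
    min_special: int = 0
    max_special: Optional[int] = None
    exclusion_list: FrozenSet[str] = frozenset()   # Hand-edited list; exact, case-sensitive match


def _check_range(what: str, n: int, lo: int, hi: Optional[int], errors: List[str]) -> None:
    if n < lo:
        errors.append(f"needs at least {lo} {what}, has {n}")
    if hi is not None and n > hi:
        errors.append(f"allows at most {hi} {what}, has {n}")


def longest_run(pw: str) -> int:
    """Length of the longest run of one character repeated consecutively."""
    best = run = 0
    prev = None
    for ch in pw:
        run = run + 1 if ch == prev else 1
        prev = ch
        best = max(best, run)
    return best


def check_password(pw: str, policy: PasswordPolicy, previous: Sequence[str] = ()) -> List[str]:
    """Return the list of rule violations; an empty list means the password is accepted.
    `previous` is the stored history consulted by "Require unique passwords"."""
    errors: List[str] = []
    _check_range("characters", len(pw), policy.min_length, policy.max_length, errors)
    counts = {}
    for ch in pw:
        counts[ch] = counts.get(ch, 0) + 1
    if len(counts) < policy.min_unique_chars:
        errors.append(f"needs at least {policy.min_unique_chars} unique characters, has {len(counts)}")
    if policy.max_char_uses is not None and counts and max(counts.values()) > policy.max_char_uses:
        errors.append(f"uses one character more than {policy.max_char_uses} times")
    if policy.max_sequential_repeat is not None and longest_run(pw) > policy.max_sequential_repeat:
        errors.append(f"repeats a character more than {policy.max_sequential_repeat} times in a row")
    _check_range("upper-case characters", sum(c.isupper() for c in pw), policy.min_upper, policy.max_upper, errors)
    _check_range("lower-case characters", sum(c.islower() for c in pw), policy.min_lower, policy.max_lower, errors)
    digits = sum(c.isdigit() for c in pw)
    if digits and not policy.allow_numeric:
        errors.append("numeric characters are not allowed")
    elif policy.allow_numeric:
        _check_range("numerals", digits, policy.min_numeric, policy.max_numeric, errors)
        if policy.disallow_numeric_first_last and pw and (pw[0].isdigit() or pw[-1].isdigit()):
            errors.append("numeral not allowed as first or last character")
    specials = sum(_is_special(c) for c in pw)
    if specials and not policy.allow_special:
        errors.append("special characters are not allowed")
    elif policy.allow_special:
        _check_range("special characters", specials, policy.min_special, policy.max_special, errors)
        if policy.disallow_special_first_last and pw and (_is_special(pw[0]) or _is_special(pw[-1])):
            errors.append("special character not allowed as first or last character")
    if pw in policy.exclusion_list:
        errors.append("password is on the exclusion list")
    if pw in previous:
        errors.append("password was used previously")
    return errors


def afp_effective_password(pw: str) -> str:
    """AFP (like classic Unix crypt(3)) only uses the first eight characters of the password."""
    return pw[:8]


def afp_truncation_weakens(pw: str, policy: PasswordPolicy) -> bool:
    """True when the full password passes the policy but its first eight characters do not:
    the password is compliant on paper yet weak on the AFP path."""
    return not check_password(pw, policy) and bool(check_password(afp_effective_password(pw), policy))


# Constructed sample policy; every number here is made up for illustration.
EXAMPLE_POLICY = PasswordPolicy(
    min_length=8, max_length=64, min_unique_chars=5, max_char_uses=3,
    max_sequential_repeat=2, min_upper=1, min_lower=1, min_numeric=1,
    disallow_numeric_first_last=True, min_special=1,
    exclusion_list=frozenset({"Password1!", "Welcome1!"}),
)

if __name__ == "__main__":
    for candidate in ("Correct#Horse7b", "password", "Password1!", "password1234!A"):
        afp = " (weakened over AFP)" if afp_truncation_weakens(candidate, EXAMPLE_POLICY) else ""
        print(f"{candidate!r}: {check_password(candidate, EXAMPLE_POLICY) or 'accepted'}{afp}")
```

The AFP helper is the practical takeaway: a policy like EXAMPLE_POLICY happily accepts "password1234!A", yet an AFP client authenticates with just "password". If AFP users exist, either cap the minimum length at what AFP uses or check the first eight characters against the policy as well.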