Identity Manager Password Synchronization is provided to let you simplify user passwords and reduce help desk costs. One of the new features is bidirectional password synchronization, which lets you share passwords among eDirectory and connected systems in multiple ways, as described in the scenarios in Implementing Password Synchronization.
When you choose to exchange information between connected systems, you should take precautions to make sure the exchange is secure. This is especially true for passwords.
As part of your planning for using Identity Manager and Password Synchronization, you should review the following security suggestions.
You should enable SSL for all transports, where it is available. SSL should be enabled for communication between the DirXML engine and Remote Loader (see Providing for Secure Data Transfers), and between the DirXML engine or Remote Loader and the connected systems.
If you don't enable SSL, you are sending information such as passwords in the clear.
Physical Security. Protect access to the physical location of the servers where Novell eDirectory is installed.
Access Rights. Administrative rights are needed to create Identity Manager objects and configure drivers. Monitor and control who has rights to create or modify the following:
For security, Password Hints are checked to make sure they do not contain the user's actual password. However, a user could still create a Password Hint that gives too much information about the password.
To increase security when using Password Hints,
If you choose not to use Password Hint at all, make sure you don't use it in any of the Password Policies. To prevent Password Hints from being set, you can go a step further and remove the Hint Setup gadget completely, as described in Disabling Password Hint by Removing the Hint Gadget.
The intruder lockout setting is enforced for Challenge Questions, so the number of incorrect attempts an intruder could make is limited.
However, a user could create Challenge Questions that hold clues to the password. Remind users to create Challenge Questions and Responses that only they would understand. The Password Change Message in the Password Policy is one way to do that. See Adding Your Own Password Change Message to Password Policies.
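The two caveats above (a hint or challenge response can pass the "does not contain the password" check and still give the password away) can be turned into a slightly stronger local check. The following is an added example, not Novell's own code and not a description of how Identity Manager performs its check; it assumes a substring threshold (`MIN_SHARED_RUN`) and a small leetspeak folding table that the product does not document. It goes beyond the page's exact-match check by also rejecting hints that share a long run of characters with the password, reversed or with common digit-for-letter substitutions.

```python
import re

# Assumed folding table: common digit/symbol substitutions collapsed to letters
# so that "Tr0ub4dor" and "troubador" compare as the same text.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s"})

# Assumed threshold: a hint sharing this many consecutive characters with the
# password is treated as leaking it. Not an Identity Manager setting.
MIN_SHARED_RUN = 4


def normalize(text):
    """Lower-case, fold leetspeak, and drop anything that is not a-z or 0-9."""
    return re.sub(r"[^a-z0-9]", "", text.lower().translate(LEET))


def longest_shared_run(password, hint):
    """Length of the longest run of consecutive password characters (forward or
    reversed, after normalization) that also appears in the hint."""
    pw, text = normalize(password), normalize(hint)
    best = 0
    for candidate in (pw, pw[::-1]):
        # Only lengths that could beat the current best need checking.
        for length in range(len(candidate), best, -1):
            if any(candidate[i:i + length] in text
                   for i in range(len(candidate) - length + 1)):
                best = length
                break
    return best


def hint_is_acceptable(password, hint, min_shared_run=MIN_SHARED_RUN):
    """True if the hint (or challenge response) does not reproduce a long
    fragment of the password. A hint can still pass while giving a semantic
    clue; that part cannot be caught mechanically."""
    return longest_shared_run(password, hint) < min_shared_run


if __name__ == "__main__":
    # Constructed sample pairs for illustration.
    samples = [
        ("Summer2024!", "summer plus the year"),        # literal fragment
        ("Tr0ub4dor&3", "my favourite troubadour"),     # caught via folding
        ("Summer2024!", "the dog's first toy"),         # acceptable
        ("Summer2024!", "Summer2024"),                  # challenge response
    ]
    for password, hint in samples:
        run = longest_shared_run(password, hint)
        verdict = "ok" if hint_is_acceptable(password, hint) else "REJECT"
        print(f"{verdict:6} shared run={run:2}  hint={hint!r}")
```

The same function serves Challenge Responses: call `hint_is_acceptable(password, response)` when the user sets a response, in addition to the product's own check.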
Using Universal Password and Password Policies allows you to enforce strong password requirements for your users. Use the Advanced Password Rules in Password Policies to follow industry best practices for passwords.
For example, you can require user passwords to comply with rules such as the following:
Keep in mind that you can create multiple Password Policies if you have different password requirements in different parts of the tree. You can assign a Password Policy to the whole tree, a partition root container, container, or even an individual user. (To simplify administration, we recommend you assign Password Policies as high up in the tree as possible.)
In addition, you can use intruder lockout. This eDirectory feature lets you specify how many failed login attempts are allowed before an account is locked. This is a setting on the parent container instead of in the Password Policy. See "Managing User Accounts" in the Novell eDirectory 8.7.3 Administration Guide.
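To make the two mechanisms concrete, here is an added example (not Novell's code, and not the rule set or parameter names that Password Policies or eDirectory actually use) that evaluates a candidate password against an assumed set of rules of the kind Advanced Password Rules express, and models a container-level intruder lockout with an assumed failure limit, attempt-reset window and lockout duration.

```python
import re
from dataclasses import dataclass


@dataclass
class PasswordRules:
    """Assumed rule set; field names are this example's, not the product's."""
    min_length: int = 12
    min_upper: int = 1
    min_lower: int = 1
    min_digits: int = 1
    min_special: int = 1
    max_consecutive_repeat: int = 2   # e.g. "aa" allowed, "aaa" rejected
    disallow_user_name: bool = True


def check_password(candidate, user_name, rules=PasswordRules()):
    """Return the list of rule violations; an empty list means compliant."""
    violations = []
    if len(candidate) < rules.min_length:
        violations.append(f"shorter than {rules.min_length} characters")
    counts = {
        "upper": sum(c.isupper() for c in candidate),
        "lower": sum(c.islower() for c in candidate),
        "digit": sum(c.isdigit() for c in candidate),
        "special": sum(not c.isalnum() for c in candidate),
    }
    for name, minimum in (("upper", rules.min_upper), ("lower", rules.min_lower),
                          ("digit", rules.min_digits), ("special", rules.min_special)):
        if counts[name] < minimum:
            violations.append(f"fewer than {minimum} {name} character(s)")
    # A character followed by more than max_consecutive_repeat copies of itself.
    if re.search(r"(.)\1{%d,}" % rules.max_consecutive_repeat, candidate):
        violations.append(f"a character repeated more than "
                          f"{rules.max_consecutive_repeat} times in a row")
    if rules.disallow_user_name and user_name and user_name.lower() in candidate.lower():
        violations.append("contains the user name")
    return violations


class IntruderLockout:
    """Per-user failed-login counter in the style of a container-level intruder
    detection setting. Parameter names and defaults are assumed."""

    def __init__(self, max_failures=3, attempt_reset_seconds=600, lockout_seconds=900):
        self.max_failures = max_failures
        self.attempt_reset_seconds = attempt_reset_seconds
        self.lockout_seconds = lockout_seconds
        self._failures = {}      # user -> timestamps of recent failures
        self._locked_until = {}  # user -> time the lock expires

    def is_locked(self, user, now):
        until = self._locked_until.get(user)
        if until is None:
            return False
        if now >= until:            # lock expired: clear state
            del self._locked_until[user]
            self._failures.pop(user, None)
            return False
        return True

    def record_failure(self, user, now):
        """Record a failed login; return True if this failure locks the account."""
        window = [t for t in self._failures.get(user, [])
                  if now - t < self.attempt_reset_seconds]
        window.append(now)
        self._failures[user] = window
        if len(window) >= self.max_failures:
            self._locked_until[user] = now + self.lockout_seconds
            return True
        return False

    def record_success(self, user):
        """A successful login resets the failure count."""
        self._failures.pop(user, None)


if __name__ == "__main__":
    # Constructed samples.
    for pw in ("Tall-Ship-Lantern-42", "Alice2024!!!!"):
        print(pw, "->", check_password(pw, "alice") or "compliant")
    lockout = IntruderLockout()
    for t in (0, 1, 2):
        print("failure at", t, "locks:", lockout.record_failure("bob", t))
    print("locked at t=3:", lockout.is_locked("bob", 3),
          " locked at t=903:", lockout.is_locked("bob", 903))
```

The lockout window matters: failures spaced further apart than the reset interval do not accumulate, which is why both the attempt count and the reset interval need to be chosen together.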
Keep in mind that the connected systems that you are synchronizing data to might store or transport that data in a compromising manner.
Secure the systems to which you exchange passwords. For example, LDAP, NIS, and Windows each have security concerns that you must consider before enabling password synchronization with those systems.
Many software vendors provide specific security guidelines that you should follow for their products.
Make sure to follow industry best practices for security measures, such as blocking unused ports on the server.
You can use Nsure Audit to log events that you consider important for security. For information on Nsure Audit, see Logging and Reporting Using Nsure Audit.
For example, you could log password changes for a particular DirXML driver (or driver set) by doing the following:
In the properties for a driver (or driver set), on the DirXML tab click Log Level.
On the Log Level page that appears, click Log Specific Events.
Note that this is the page where you specify whether the driver has its own settings or uses the settings from the driver set.
To select the specific events, click the log events icon.
On the Events page that appears, select the following check boxes:
Click OK on the Events page and on the Log Level page.