When you are setting up a new GroupWise system, you need to determine what kind of password protection you want to have on users' GroupWise mailboxes before users start running GroupWise. In ConsoleOne®, you can choose where password information is obtained when users log in to GroupWise and you can set defaults under Client Options to enforce your choices. You and GroupWise client users should keep in mind that GroupWise passwords are case sensitive.
When you create a new post office, you must select a security level for it.
If you select Low Security for the post office, users are not required to set passwords on their GroupWise mailboxes. However, passwordless mailboxes are completely unprotected from other users who know how to use the @u-user_ID startup switch.
If you select High Security for the post office, users are still not required to set passwords on their GroupWise mailboxes, but they are required to be successfully logged in to a network before they can access their own passwordless mailboxes. Users cannot access other users' passwordless mailboxes.
After you select High Security, you can further enhance post office security by requiring specific types of authentication before users can access their passwordless GroupWise mailboxes. You can require eDirectory authentication so that users must be logged into eDirectory before they can access their passwordless GroupWise mailboxes.
In spite of these passwordless solutions to GroupWise mailbox security, users are always free to set their own GroupWise passwords on their mailboxes. When they do, the post office security settings no longer apply (except for LDAP authentication as discussed below) and users will be regularly faced with both logins unless some additional password options are selected for them, as described in the following sections.
Users are required to set passwords on their GroupWise mailboxes if they want to access their GroupWise mailboxes in any of the following ways:
When GroupWise passwords are in use in addition to network passwords, there are a variety of things you can do to make GroupWise password management easier for your and to make the additional GroupWise password essentially transparent for your GroupWise users.
NOTE: A GroupWise password can contain as many as 64 characters and can contain any typeable characters.
If you want to require users to have GroupWise passwords on their mailboxes, you can establish the initial passwords when you create the GroupWise accounts. In ConsoleOne, you can establish a default mailbox password to use automatically on all new GroupWise accounts, as described in Establishing a Default Password for All New GroupWise Accounts. Or you can set the password on each new GroupWise account as you create it.
Keep in mind that some situations require users to have passwords on their GroupWise mailboxes, as listed in Requiring GroupWise Passwords.
When you create users in eDirectory, you typically assign them network passwords and users must provide those passwords when they log in to the network. If you want to make GroupWise mailbox access easy for client users, you can select Allow eDirectory Authentication Instead of Password (ConsoleOne > Tools menu > GroupWise Utilities > Client Options > Password). This allows users to select No Password Required with eDirectory (GroupWise client > Tools menu > Security > Password tab).
As long as users who select this option are logged into eDirectory as part of their network login, they are not prompted by GroupWise for a password when they access their GroupWise mailboxes. If they are not logged in to eDirectory, they must provide their GroupWise passwords in order to access their GroupWise mailboxes.
If users have Novell SecureLogin installed on their workstations, you can select Enable Single Sign-On (ConsoleOne > Tools menu > GroupWise Utilities > Client Options > Password). This allows users to select Use Single Sign-On (GroupWise client > Tools menu > Security > Password tab). Users need to provide their GroupWise mailbox password only once and thereafter SecureLogin provides it for them as long as they are logged in to eDirectory.
If you want to allow password information to be stored on Windows workstations, you can select Allow Password Caching (ConsoleOne > Tools menu > GroupWise Utilities > Client Options > Password). This allows users to select Remember My Password (GroupWise client > Tools menu > Security > Password tab). Users need to provide their GroupWise mailbox passwords only once and thereafter Windows provides them automatically.
Intruder detection identifies system break-in attempts in the form of repeated unsuccessful logins. If someone cannot provide a valid username and password combination fairly quickly, then that person probably does not belong in your GroupWise system.
Intruder detection for the GroupWise Windows client is performed by the POA and is configurable. You can set the number of failed login attempts before lockout, the length of the lockout, and so on. If a user becomes locked out, you can re-enable his or her account in ConsoleOne. See Enabling Intruder Detection.
Intruder detection for the GroupWise WebAccess client is built in and is not configurable. After five failed login attempts, the user is locked out for 10 minutes. If a user becomes locked out, the user must wait for the lockout period to end (unless you want to restart the WebAccess Agent).
In ConsoleOne, you can remove a user's password from his or her mailbox in case the password has been forgotten and needs to be reset (User object > Tools menu > GroupWise Utilities > Client Options > Security > Password tab). If necessary, you can remove the passwords from all mailboxes in a post office (Post Office object > Tools menu > Mailbox/Library Maintenance > Reset Client Options).
It is easy for users to reset their own passwords in the GroupWise Windows client (Tools menu > Options > Security > Password tab). However, if this method is used when users are in Caching or Remote mode, this changes the password on their local Caching or Remote mailboxes, but does not change the passwords on their Online mailboxes. To change their Online mailbox password while in Caching or Remote mode, users must use a method they might not be familiar with (Accounts menu > Account Options > Novell GroupWise account > Properties > Advanced > Online Mailbox Password).
It is also easy for users to reset their own passwords in the GroupWise WebAccess client (Options > Password). However, you may not want users to be able to reset their GroupWise passwords from Web browsers. In ConsoleOne, you can prevent WebAccess client users from resetting their GroupWise passwords (GroupWiseWebAccess object > Application tab > Settings page). Windows client users cannot be prevented from changing their GroupWise passwords.
There is no automatic procedure for synchronizing GroupWise passwords and eDirectory passwords. However, if you use LDAP authentication, synchronization becomes a moot point because GroupWise users are authenticated through an LDAP directory (such as eDirectory) rather than by GroupWise itself. See Using LDAP Passwords Instead of GroupWise Passwords .
Instead of using GroupWise passwords, users' password information can be validated using an LDAP directory. In order for users to use their LDAP passwords to access their GroupWise mailboxes, you must define one or more LDAP servers in your GroupWise system and configure the POA for each post office to perform LDAP authentication, as described in Providing LDAP Authentication for GroupWise Users.
When LDAP authentication is enabled, you can control whether users can use the GroupWise client to change their LDAP passwords in ConsoleOne (Post Office object > GroupWise > Security). If you allow them to, users can change their passwords through the Security Options dialog box (GroupWise Windows client > Tools menu > Options > Security) or on the Passwords page (GroupWise WebAccess client > Options > Password). If you do not allow them to change their LDAP passwords in the GroupWise client, users will need to use a different application in order to change their LDAP passwords.
You and users can use some of the same methods to bypass LDAP passwords as you can use for bypassing GroupWise passwords. See Accepting eDirectory Authentication Instead of GroupWise Passwords and Allowing Windows to Cache GroupWise Passwords.
For more information about LDAP passwords, see Authenticating to GroupWise with Passwords Stored in an LDAP Directory.
Sometimes it is necessary to access user mailboxes to meet corporate mandates such as virus scanning, content filtering, or e-mail auditing that might be required during litigation. These types of mailbox access are obtain using trusted applications, third-party programs that can log into Post Office Agents (POAs) in order to access GroupWise mailboxes. For more information about using trusted application to bypass mailbox passwords, see Trusted Applications