In a mixed environment that includes Novell Client software earlier than the Novell Client for Windows NT/2000/XP version 4.9 or the Novell Client for Windows 95/98 version 3.4 (including Native File Access servers on NetWare 5.1 and NetWare 6), a password change made from one of those older systems changes only the older values, so the NDS or the simple password is out of synchronization with the Universal Password. This might be an issue only for users who log in to their accounts from both older Novell Client workstations (earlier than Novell Client for Windows NT/2000/XP version 4.9 or Novell Client for Windows 95/98 version 3.4) and from newer Novell Client workstations (Novell Client for Windows NT/2000/XP version 4.9 or Novell Client for Windows 95/98 version 3.4). If so, the problem occurs only if users either use international characters in passwords or change the password from the older workstation.
When you disable a user’s NDS password, the NDS password is set to an arbitrary value that is unknown to the user. The following list describes how some login methods handle this change:
The simple password method is not disabled if the NDS password is disabled. The simple password method uses the Universal Password if it is enabled and available. Otherwise, it uses the simple password. If Universal Password is enabled but not set, then the simple password method sets the Universal Password with the simple password.
The enhanced password method is not disabled when the NDS password is disabled. The enhanced password does not use the Universal Password for login.
The NDS password method (Universal Password) is not disabled when the NDS password is disabled. The NDS password method uses the Universal Password if it is enabled and available. Otherwise, it uses the NDS password. If the Universal Password is enabled but not set, then the NDS Password method sets the Universal Password with the NDS password.
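The rules listed above for the simple password and NDS password methods, written as a small Python model. This is an added example, not Novell or NMAS code, and it follows only the rules stated on this page. The User fields and all function names are hypothetical, passwords are held in the clear only to keep the model readable, and the enhanced password method is left out because it does not use the Universal Password.

```python
import secrets
from dataclasses import dataclass
from typing import Optional

@dataclass
class User:  # hypothetical, simplified account state (not the eDirectory schema)
    nds_password: Optional[str] = None
    simple_password: Optional[str] = None
    universal_password: Optional[str] = None
    up_enabled: bool = False  # Universal Password enabled in the policy

def _legacy_method_login(user: User, legacy_attr: str, supplied: str) -> bool:
    """Rule shared by the simple password and NDS password methods."""
    if user.up_enabled and user.universal_password is not None:
        return supplied == user.universal_password  # UP enabled and available
    legacy = getattr(user, legacy_attr)
    if legacy is None or supplied != legacy:
        return False
    if user.up_enabled:  # UP enabled but not set: seed it from the legacy value
        user.universal_password = supplied
    return True

def simple_login(user: User, supplied: str) -> bool:
    return _legacy_method_login(user, "simple_password", supplied)

def nds_login(user: User, supplied: str) -> bool:
    return _legacy_method_login(user, "nds_password", supplied)

def disable_nds_password(user: User) -> None:
    user.nds_password = secrets.token_hex(16)  # arbitrary, unknown to the user

def legacy_client_change(user: User, new_password: str) -> None:
    user.nds_password = new_password  # older client: only the older value changes

def out_of_sync(user: User) -> bool:
    """True when the Universal Password is set and differs from the NDS password."""
    return (user.up_enabled and user.universal_password is not None
            and user.nds_password != user.universal_password)

if __name__ == "__main__":
    u = User(nds_password="Spring-1", up_enabled=True)  # constructed sample account
    print("first login seeds UP:", nds_login(u, "Spring-1"), u.universal_password)
    disable_nds_password(u)
    print("login after NDS password disabled:", nds_login(u, "Spring-1"))
    legacy_client_change(u, "Autumn-2")
    print("out of sync:", out_of_sync(u))
    print("new value via UP-aware method:", nds_login(u, "Autumn-2"))
    print("old value via UP-aware method:", nds_login(u, "Spring-1"))
```

In this model, disabling the NDS password does not lock the account once a Universal Password exists, and a change made from an older client leaves the previous value as the one the Universal Password-aware methods accept.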
A security enhancement was added to NMAS 2.3.4 regarding Universal Passwords changed by an administrator. It works the same way as the feature previously provided for NDS password. If an administrator changes a user's password, such as when creating a new user or in response to a help desk call, for security reasons the password is automatically expired if you have enabled the setting to expire passwords in the password policy. (This is the
setting in the password policy under ). For this particular feature, the number of days is not important, but the setting must be enabled.
NOTE: With NMAS 3.1.3 and later, this behavior can be overwritten in the password policy by selecting the
option.
Prior to NMAS 3.1, NDS password settings are replaced when password policies are changed.
If you create a password policy and enable Universal Password and enable Advanced Policy, the Advanced Password Rules are enforced instead of any existing password settings for NDS password. The legacy password settings are ignored. No merging or copying of previous settings is done automatically when you create password policies.
For example, if you had a setting for the number of grace logins that you were using with the NDS password, when you enable Universal Password you need to re-create the grace logins setting in the Advanced Password Rules in the password policy.
NMAS 3.1 and later replaces the NDS password setting on the user object with corresponding password policy settings. For example, if the number of grace logins for the user object is 4, and it is 5 for the password policy, when the user logs in or changes the password, the number of grace logins for the user object changes to 5.