[ngw] Slightly OT - Universal Passwords

Joe Brugaletta JBrugaletta at braytonlaw.com
Fri Oct 28 19:52:18 UTC 2016


I looked into IDM years ago.. it sure seemed complicated to just set up edir/ad/gw.. heck it might've been called DirXML at the time :) Might take another look. We also have other systems (mssql, shoretel voip, etc) where users get created that would benefit from having full IDM. 

My dilemma is to keep the OES client or start to phase it out and enable NSS for AD in OES 2015. I really can't think of a reason to *need* the client (besides Salvage, which doesn't get used much)..  gw and zen both can auth against AD. So... :-\

NOTICE: This email and all attachments are CONFIDENTIAL and intended SOLELY for the recipients as identified in the "To", "Cc" and "Bcc" lines of this email.  If you are not an intended recipient, your receipt of this email and its attachments is the result of an inadvertent disclosure or unauthorized transmittal.  Sender reserves and asserts all rights to confidentiality, including all privileges that may apply.  Pursuant to those rights and privileges, immediately DELETE and DESTROY all copies of the email and its attachments, in whatever form, and immediately NOTIFY the sender of your receipt of this email.  DO NOT review, copy, forward or rely on the email and its attachments in any way.
 
NOTICE: NO DUTIES ARE ASSUMED, INTENDED OR CREATED BY THIS COMMUNICATION.  If you have not executed a fee contract or an engagement letter, this firm does NOT represent you as your attorney.  You are encouraged to retain counsel of your choice if you desire to do so.  All rights of the sender for violations of the confidentiality and privileges applicable to this email and any attachments are expressly reserved.

>>> "James Taylor" <James.Taylor at eastcobbgroup.com> 10/28/2016 9:56 AM >>>
We normally use the full IDM packages, but for AD-only sync you can use the bundle.
We also sync to student information systems and HR, so we need the full version in any case.
However, the bundle does not include SSPR and a number of other handy features.
Most of my environments are primarily eDir with DSFW to handle workstation management and integration with products that "require" AD to work.
No Novell client, but single sign-on to workstations with the ability to manage group policies through windows group policy tool.

Enabling LDAP for GW would allow you to use either AD or eDir for auth, or a mix if you need it.
Same as with mobility.
I'm assuming current GW and mobility version...
-jt

James Taylor
678-697-9420
james.taylor at eastcobbgroup.com



>>> "Joe Brugaletta" <JBrugaletta at braytonlaw.com> 10/28/2016 12:39 PM >>> 
Or.. get rid of the Novell client and login to AD alone.. :)
Are you using the bundled IDM that you get with NOWS or do you have full IDM?


>>> "James Taylor" <James.Taylor at eastcobbgroup.com> 10/28/2016 9:29 AM >>>
IDM would honestly be your best solution. Anything else would require nearly as much admin effort as you have now.
Also, IDM includes Self Service Password Service, which includes forgotten password and a people search option.
However, you can use the Novell client to change passwords on the windows client, but I'm not sure if that passes through to AD.
And there is a free, open source version of sspr, but it requires more set up. It doesn't have the preconfigs for AD and eDir.
My usual setup with IDM is to point the SSPR to the identity vault. eDir has better password policy management in my opinion.
-jt

James Taylor
678-697-9420
james.taylor at eastcobbgroup.com



>>> "Joe Brugaletta" <JBrugaletta at braytonlaw.com> 10/28/2016 11:37 AM >>> 
Finally getting around to doing this.. we currently have Edir/Ad/GW passwords that we have to maintain.. not very secure ones either and maintained by IT department. I'm looking to implement stronger passwords and have them preferably sync to AD, also enable a Forgot Password type thing on the client. Users login to the OES Client initially, which passes credentials to the computer (domain joined), then zenworks, and login succeeds.  GW *could* have a separate password, which they'd have to login again to the GW client, but most are the same. We're also using GW Mobility, if that comes into play. 

If I enable LDAP Auth to GW.. that would remove having to maintain gw password, right?

Anyone know if you can have the OES client change the AD password and how well it works?

I don't think I need to go the IDM route.. but maybe..

Thanks for any insight/experiences!






_______________________________________________
ngw mailing list
ngw at ngwlist.com
http://ngwlist.com/mailman/listinfo/ngw




