[ngw] Slightly OT - Universal Passwords

James Taylor James.Taylor at eastcobbgroup.com
Sat Oct 29 04:37:51 UTC 2016


It's in the current OES2015sp1.
Works like a charm.
-jt 
 
>>> Matt Weisberg <matt at weisberg.net> 10/28/2016 7:20 PM >>> 

IdM is/can be pretty complicated, no question there.  But it is
incredibly powerful and can do just about anything you want.

FYI, salvage ability without a client is coming, not sure when, but I
know it was in the list of features coming.

Matt

— 
  Matt Weisberg
  Weisberg Consulting, Inc.
  matt at weisberg.net
  www.weisberg.net
  ofc. 248.685.1970
  cell 248.705.1950
  fax 248.769.5963


On 10/28/16, 3:52 PM, "ngw-bounces+matt=weisberg.net at ngwlist.com on
behalf of Joe Brugaletta" <ngw-bounces+matt=weisberg.net at ngwlist.com on
behalf of JBrugaletta at braytonlaw.com> wrote:

    I looked into IDM years ago.. it sure seemed complicated to just
set up edir/ad/gw.. heck it might've been called DirXML at the time :)
Might take another look. We also have other systems (mssql, shoretel
voip, etc) where users get created that would benefit from having full
IDM. 
    
    My dilemma is to keep the OES client or start to phase it out and
enable NSS for AD in OES 2015. I really can't think of a reason to *need*
the client (besides Salvage, which doesn't get used much)..  gw and zen
both can auth against AD. So... :-\ 
    
    NOTICE: This email and all attachments are CONFIDENTIAL and
intended SOLELY for the recipients as identified in the "To", "Cc" and
"Bcc" lines of this email.  If you are not an intended recipient, your
receipt of this email and its attachments is the result of an
inadvertent disclosure or unauthorized transmittal.  Sender reserves and
asserts all rights to confidentiality, including all privileges that may
apply.  Pursuant to those rights and privileges, immediately DELETE and
DESTROY all copies of the email and its attachments, in whatever form,
and immediately NOTIFY the sender of your receipt of this email.  DO NOT
review, copy, forward or rely on the email and its attachments in any
way.
     
    NOTICE: NO DUTIES ARE ASSUMED, INTENDED OR CREATED BY THIS
COMMUNICATION.  If you have not executed a fee contract or an engagement
letter, this firm does NOT represent you as your attorney.  You are
encouraged to retain counsel of your choice if you desire to do so.  All
rights of the sender for violations of the confidentiality and
privileges applicable to this email and any attachments are expressly
reserved.
    
    >>> "James Taylor" <James.Taylor at eastcobbgroup.com> 10/28/2016 9:56
AM >>>
    We normally use the full IDM packages, but for AD-only sync you can
use the bundle.
    We also sync to student information systems and HR, so we need the
full version in any case.
    However, the bundle does not include SSPR and a number of other
handy features.
    Most of my environments are primarily eDir with DSFW to handle
workstation management and integration with products that "require" AD
to work.
    No Novell client, but single sign-on to workstations with the
ability to manage group policies through Windows group policy tool.
    
    Enabling LDAP for GW would allow you to use either AD or eDir for
auth, or a mix if you need it.
    Same as with mobility.
    I'm assuming current GW and mobility version...
    -jt
    
    James Taylor
    678-697-9420
    james.taylor at eastcobbgroup.com
    
    
    
    >>> "Joe Brugaletta" <JBrugaletta at braytonlaw.com> 10/28/2016 12:39
PM >>> 
    Or.. get rid of the Novell client and login to AD alone.. :)
    Are you using the bundled IDM that you get with NOWS or do you have
full IDM?
    
    
    >>> "James Taylor" <James.Taylor at eastcobbgroup.com> 10/28/2016 9:29
AM >>>
    IDM would honestly be your best solution. Anything else would
require nearly as much admin effort as you have now.
    Also, IDM includes Self Service Password Service, which includes
forgotten password and a people search option.
    However, you can use the Novell client to change passwords on the
windows client, but I'm not sure if that passes through to AD.
    And there is a free, open source version of sspr, but it requires
more set up. It doesn't have the preconfigs for AD and eDir.
    My usual setup with IDM is to point the SSPR to the identity vault.
eDir has better password policy management in my opinion.
    -jt
    
    James Taylor
    678-697-9420
    james.taylor at eastcobbgroup.com
    
    
    
    >>> "Joe Brugaletta" <JBrugaletta at braytonlaw.com> 10/28/2016 11:37
AM >>> 
    Finally getting around to doing this.. we currently have Edir/Ad/GW
passwords that we have to maintain.. not very secure ones either and
maintained by IT department. I'm looking to implement stronger passwords
and have them preferably sync to AD, also enable a Forgot Password type
thing on the client. Users login to the OES Client initially, which
passes credentials to the computer (domain joined), then zenworks, and
login succeeds.  GW *could* have a separate password, which they'd have
to login again to the GW client, but most are the same. We're also using
GW Mobility, if that comes into play. 
    
    If I enable LDAP Auth to GW.. that would remove having to maintain
gw password, right?
    
    Anyone know if you can have the OES client change the AD password
and how well it works?
    
    I don't think I need to go the IDM route.. but maybe..
    
    Thanks for any insight/experiences!
    
    
    
    
    
    
    _______________________________________________
    ngw mailing list
    ngw at ngwlist.com
    http://ngwlist.com/mailman/listinfo/ngw
    
    
    
    
    