Password policy and global SMTP settings

The Security Enhanced Directory Manager plugin enables you to:

Another function, setting up an LDAP directory, is described in LDAP user authentication.

Application Studio can send email notifications to users for account creation, password reset and other events. Doing this requires configuring a connection to an SMTP server and setting up email templates.

For security purposes, all passwords are hashed and stored encrypted.

Configure password policy

To configure the password policy, select System Settings > Directory Manager Settings and click Configure Plugin to open the General page of the plugin configuration.

General page

The following are the fields on the General page.

Show Login info (e.g. Last Login Date)

When checked, a banner is displayed, showing the user's log-on date and time and failed log-on attempts since the user last logged on.

Failed Login Attempts for Account Lockout

Enables locking users' accounts after a specified number of failed log-on attempts. Options are blank and 3 to 10 attempts. Blank means users are not locked out regardless of the number of failed log-on attempts.

Account Lockout Period (Minutes)

Duration of the lock-out interval in minutes. Options are blank and 10 to 60 minutes. Blank means that lockouts are disabled.

Allow Session Timeout (Inactivity Timeout)

Expires a user session after a specified period of inactivity. The default inactivity period is 30 minutes.

This field only lets you enable or disable session timeouts. To change the inactivity period, you must edit the session-timeout value in the web.xml file in the Tomcat conf directory. The following is the parameter in the file to change:

<session-config>
    <session-timeout>30</session-timeout>
</session-config>

If you make any changes to the web.xml file, restart Application Studio for the changes to become effective.

Hard Session Timeout (Hours)

Expires a user session after the specified number of hours of continuous connection, regardless of whether the session is active. Available values range from blank to 48 hours. Selecting blank disables hard timeouts.

Click Submit to save changes or Next to configure password rules.

Saved changes take effect the next time you log on.

Default Directory Password Policy page

The following are the fields on the Default Directory Password Policy page.

Requires Password Change on First Login

Forces a user to change password when logging on the first time.

Generate Random Password

Instructs the system to generate a random password whenever a user account is created, and subsequently to send the generated password to the email address configured for the user.

Enable Forgot Password

Enables the Forgot Password link on the log-on page of Application Studio so users can request resetting their passwords.

Forgot Password Link Validity Period (Minutes)

Specifies how long the link to reset a user password is valid. Beyond this period, users must re-request a password reset. The options are blank, 15, 20, 25, and 30 minutes. Blank means that the link remains valid and does not expire.

Number of Unique Passwords Before Re-use

Defines the password re-use policy: specifies how many of a user's most recent passwords cannot be re-used when the user changes their password. The options are 0 through 10 unique passwords.

Password Minimum Length

Specifies the minimum number of characters a password should contain.

Password Mandatory Characters

Specifies password requirements, such as whether passwords must have at least one upper-case character, one lower-case character, and so on.

Password Validity Period (Months)

Specifies how long a password is valid before it needs to be changed. The options are blank, 3, 6, 9, or 12 months. Blank means all user passwords never expire.

Number of days to show the notification before password expiry

Users can be notified in the banner after logging on that their password is about to expire. This option specifies how many days before the actual expiration date the user is notified. The options are blank and 5 to 30 days. If set to blank, users receive no warning and their passwords expire on the prescribed schedule.

Click Submit to save changes or Next to configure an SMTP server.

Saved changes apply to all users as events occur. For example, if a user's password was last changed five months ago and you change the password validity from six to four months, the change makes the user's password invalid immediately. The new setting is applied to that user the next time the user logs on.
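The lockout fields on the General page and the length, mandatory-character and re-use rules on this page together describe a small enforcement model. The following Python is an added example, not Application Studio code: the Policy and Account classes and the function names are hypothetical, salted PBKDF2 stands in for whatever hash the product actually stores, and a None value represents a blank option in the UI.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timedelta
import hashlib, hmac, os, re

@dataclass
class Policy:                                   # None stands for a blank option
    lockout_attempts: int | None = 5            # blank or 3..10 failed attempts
    lockout_minutes: int | None = 30            # blank or 10..60 minutes
    history_depth: int = 3                      # 0..10 unique passwords before re-use
    min_length: int = 12
    mandatory: tuple = (r"[A-Z]", r"[a-z]", r"[0-9]")

@dataclass
class Account:
    history: list = field(default_factory=list)  # (salt, digest) pairs, newest last
    failures: int = 0
    locked_until: datetime | None = None

def hash_password(pw, salt=None):
    # Passwords are stored hashed; salted PBKDF2 is this example's stand-in (assumption).
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)

def check_new_password(p, acct, pw):
    # Returns the violated rules; an empty list means the password is accepted.
    problems = []
    if len(pw) < p.min_length:
        problems.append("too short")
    if any(not re.search(cls, pw) for cls in p.mandatory):
        problems.append("missing mandatory character class")
    recent = acct.history[-p.history_depth:] if p.history_depth else []
    # Re-hash the candidate with each stored salt; compare_digest avoids timing leaks.
    if any(hmac.compare_digest(hash_password(pw, s)[1], d) for s, d in recent):
        problems.append("recently used")
    return problems

def record_login(p, acct, success, now):
    # Lockout state machine: returns "ok", "failed" or "locked".
    if acct.locked_until and now < acct.locked_until:
        return "locked"
    if success:
        acct.failures = 0
        return "ok"
    acct.failures += 1
    # A blank in either lockout field means users are never locked out.
    if p.lockout_attempts and p.lockout_minutes and acct.failures >= p.lockout_attempts:
        acct.locked_until, acct.failures = now + timedelta(minutes=p.lockout_minutes), 0
        return "locked"
    return "failed"
```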

Configure SMTP server and email templates

To configure an SMTP server and email templates, select System Settings > Directory Manager Settings and click Configure Plugin to open the General page of the plugin configuration. Click Next until the Notification page is displayed.

SMTP settings

The following describes the SMTP fields on the Notification page.

SMTP Host

Server host name.

SMTP Port

Server port number. Without TLS, the port is typically 25 for an SMTP server. With TLS, this must be the port on which the server accepts TLS connections.

Note: If you want to connect to an external server via TLS, and the external server uses a self-signed certificate or a certificate issued by your internal CA, see Certificate management tools for implementation details.

Security

Optionally, select TLS as the connection security protocol.

SMTP Username

If required, the user name for connecting to the server.

SMTP Password

If required, the password for connecting to the server.

From

Sender address for all outgoing email notifications.

CC

All copied email addresses for outgoing messages, separated by semicolons. For example: person1@xyz.com; person2@xyz.com.

HTML Content?

Check this to send email messages in HTML. Enable this only when the email templates contain correctly formatted HTML content. When enabled, Application Studio sends messages as text/html MIME type, and email clients try to render the messages as HTML.

Email template settings

The fields for configuring email templates are below the HTML Content? field on the Notification page. There are templates for:

You can use the messages with the default configurations or change them as needed. The hash variables in the templates are resolved when the messages are sent.

If users are not receiving emails or there are other problems with messages, search the logs for SMTP to find events or errors related to emails and help in troubleshooting.

Related topics

User-level password policy settings

LDAP user authentication

Certificate management tools

Repair database connection

Set new shared secret

Enable HSTS