Password use
This topic describes how to manage user passwords.
About password use
Passwords are required for the server administrator and users to access StarTeam Server configurations. When the server configuration is created, a server administrator account is created by default with both the user name and password set to Administrator. This password should be changed immediately. When the server administrator adds a user, a unique user name is created and a password is assigned according to the password properties specified for this server configuration.
The server administrator specifies password properties for each server configuration in the dialog on the Passwords tab. Whatever is specified as the system policy for passwords applies to all users accessing this server configuration. Password properties include the password expiration time limit, the minimum length, and use of strong passwords.
The server administrator can specify that a strong password is required for users accessing a server configuration. If the system policy for this server configuration requires a strong password, the password must meet the following criteria:
- New password must be different from the old password.
- New password must be different from the user name.
- New password must be mixed case, containing at least one lowercase and at least one uppercase alphabetical character. (This is the English alphabet as determined by the ASCII value of the character.)
- New password must contain at least one non-alphabetical character.
By default, the strong password option is turned off.
Password property changes
If the system administrator changes the password properties for a server configuration, when the changes take effect depends on the property.
Changes made to the password length properties take effect immediately, but apply only to new user accounts or new passwords. For example, if you change the minimum password length from eight characters to ten, all new users must have a password that is a minimum of ten characters long. However, existing users will still be able to use their eight character passwords.
Changes made to the expiration time limit take effect after the appropriate time interval. For example, if you change the password expiration time limit to thirty days, user accounts are suspended if their passwords have not been changed before the time expires. Users are prompted to change their passwords two weeks before the suspension takes place. The only user account not subject to expiration is the Administrator account.
If the strong password option is turned on, it applies only to new users and users who change their passwords. Until such a change is made, their old “weak” passwords continue to work.
Note: The system administrator can force a password change if they want users to immediately conform to a password property change or if a project security breach has occurred.
LDAP for password verification
StarTeam can use directory services (either Microsoft Active Directory or OpenLDAP) to perform password authorization. As users log on, they enter their StarTeam user name and their directory service password. Before allowing the users to access the server, StarTeam then checks a directory service for valid passwords.
To set up directory service authentication in StarTeam, you set options on the Directory Service tab of the Configure Server dialog. These options enable directory service support and provide information about accessing the service. In addition, you use the User Manager to set options for the individual users whose passwords are to be authenticated. Not all users need to use this feature.
The distinguished name (DN), a unique identifier, is used by OpenText servers as they communicate with the directory service. For example, StarTeam must send each user’s distinguished name (DN) to the directory service in order to verify the user’s password. DNs can be long and not very intuitive. Also, some organizations change DNs occasionally, and updating these changes by hand can be very tedious.
When creating new users, you indicate whether new users will have their passwords authenticated by the StarTeam Server or by a directory service by selecting either the Validate Password Through Directory Service or the Validate Password Through StarTeam Server option button. StarTeam Servers request directory service validation of user passwords if the server configuration both allows directory service validation and has the correct connection settings for the directory service.
Enabling directory service support
StarTeam allows password verification with Microsoft Active Directory.
- Open the Server Administration tool and select the server configuration.
- Click . The Configure Server page opens.
- Select the Directory Service tab.
- Check Enable directory service. By default this option is not selected.
- Type the Host name and a secure (SSL) or non-secure Port number for the directory server. By default the Server Administration tool specifies port 636. You must specify both values to enable directory service support.
- You can optionally check the option to Use a secure port. This is the recommended default setting.
- Click OK. The system displays a message instructing you to reboot the server. You must do this to enable directory service.
Note: Remember that a user cannot be authenticated by the directory server unless the Validate through directory service option is selected on the Logon tab of the New User Properties or User Properties dialog boxes and a Distinguished name is entered for that user.
Changing user passwords
In addition to setting or changing a user’s password, you can specify how long a password is usable, how many characters a password must have, and whether strong passwords are required. This operation can be performed only when the server is running.
- Open the Server Administration tool and select the server configuration.
- Click the Accounts bar and then click (User Manager). The User Manager tab opens.
- Select the user from the User list. If the user does not appear in the Users list, you can display a list of all users by:
  - Selecting the All Users group in the Groups tree.
  - Selecting the Show Users in All Descendant Groups check box.
- Right-click, and select Properties. The User Properties dialog box appears.
- Select the Logon tab.
- Verify that the Validate through StarTeam button has been selected.
- Type a new password for the user in the Password field.
- Type the password again in the Confirm field.
- Click OK.
Configuring password constraints
Changes made to the password length properties take effect immediately, but apply only to new user accounts or new passwords. For example, if you change the minimum password length from eight characters to ten, all new users must have a password that is a minimum of ten characters long. However, existing users will still be able to use their eight character passwords.
Changes made to the expiration time limit take effect after the appropriate time interval. For example, if you change the password expiration time limit to thirty days, user accounts get suspended if their passwords have not been changed before the time expires. Users will be prompted to change their passwords two weeks before the suspension takes place. By default, the strong password option is turned off. When this feature is turned on, as users change their passwords, they must provide strong passwords. Until such a change is made, their old “weak” passwords continue to work.
- Open the Server Administration tool and select the server configuration.
- Click the Accounts bar and then click (System Policy). The System Policy tab opens.
- On the Passwords tab, select a password expiration option:
  - Passwords never expire
  - Passwords expire after ___ days. With this option, you must enter the number of days a password will be valid. StarTeam counts the days from the time the password was created.
- In the Password configuration group, select the Require Strong Passwords check box to require passwords to meet all of the following criteria:
  - New password must be different from the old password.
  - New password must be different from the user name.
  - New password must be mixed case, containing at least one lowercase and at least one uppercase alphabetical character. (This is the English alphabet as determined by the ASCII value of the character.)
  - New password must contain at least one non-alphabetical character.

  Selecting this check box also changes the value in the Minimum password length field to 3. You can increase it if you choose.
- Optionally, type a number for the minimum password length. The default, zero, allows passwords to be blank. The maximum password length is 32 characters.
- Click OK.
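The strong password criteria and length limits above, written as a checker (an added example, not StarTeam code). The `Policy` class, rule names and sample passwords are constructed here, and the exact-match and ASCII-only comparisons are assumptions. It shows that a three-character password such as `Aa1` passes every rule at the minimum length the check box sets.

```python
import string
from dataclasses import dataclass

MAX_LENGTH = 32  # maximum password length given on this page


@dataclass
class Policy:
    require_strong: bool = False  # off by default, per the page
    min_length: int = 0           # default zero allows a blank password


# What selecting Require Strong Passwords yields: minimum length becomes 3.
STRONG_DEFAULT = Policy(require_strong=True, min_length=3)


def violations(new, user_name, old, policy):
    """Return the names of the rules that `new` breaks, in a fixed order."""
    broken = []
    if len(new) < policy.min_length:
        broken.append("min_length")
    if len(new) > MAX_LENGTH:
        broken.append("max_length")
    if not policy.require_strong:
        return broken
    if new == old:
        broken.append("same_as_old")
    # Assumption: exact, case-sensitive comparison; the page does not specify.
    if new == user_name:
        broken.append("same_as_user_name")
    # Case is judged on the ASCII alphabet only, as the page notes.
    has_lower = any(c in string.ascii_lowercase for c in new)
    has_upper = any(c in string.ascii_uppercase for c in new)
    if not (has_lower and has_upper):
        broken.append("mixed_case")
    # Assumption: "non-alphabetical" means anything outside ASCII A-Z / a-z.
    if all(c in string.ascii_letters for c in new):
        broken.append("non_alphabetical")
    return broken


# Constructed sample passwords, not taken from any real system.
SAMPLES = ["", "Aa1", "password1", "Password", "Éa1", "jdoe", "A1b" * 11]

if __name__ == "__main__":
    for pw in SAMPLES:
        print(repr(pw), violations(pw, "jdoe", "OldPass1", STRONG_DEFAULT))
```

Raising the minimum length in the System Policy tab is the only lever the page describes for rejecting short passwords like `Aa1`.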
Forcing password changes
It may be necessary to force users to change their StarTeam passwords if a project security breach has occurred. This operation can be performed only when the server is running. You can set the password expiration time limit, the minimum length, and require the use of strong passwords. These password properties apply to all user accounts on the server configuration.
- Open the Server Administration tool and select the server configuration.
- Click the Accounts bar and then click (System Policy). The System Policy tab opens.
- Select the user from the User list. If the user does not appear in the Users list, you can display a list of all users by:
  - Selecting the All Users group in the Groups tree.
  - Selecting the Show Users in All Descendant Groups check box.
- Right-click the user’s name, and select Force Password Change. The Account Status column in the Users list changes to Password change required. The user will be asked to change his or her password at the next log on. If the change is not made, the user is allowed access to the server configuration and the projects it contains, but will be locked out of the server configuration at the next log on. An error message warns the user that this will happen.
Note: The accounts of users who fail to change their passwords can be reactivated by administrators.