
Helpdesk module questions

Currently using SSPR but only for Forgotten Password feature.

Using eDir with NMAS/UP as back-end.

Users have their challenge/response questions for Forgotten Password module only.

Now the HelpDesk module questions:

1) Is there a separate set of questions/answers that users can be required to fill in so that when they call the helpdesk, the helpdesk can use the Module to verify that the user is who they say they are and then reset the user's password?

2) If so, I'm guessing this is NOT stored in eDir and can work in conjunction with the NMAS settings (meaning it doesn't force you to use all 100% SSPR challenge/response stuff)?

3) If so, can this also be required before Helpdesk module performs an unlock of an intruder locked-out account?

4) With iManager, RBS can be used to give helpdesk the ability to only say, reset a password and/or unlock accounts and assign the roles to various users, along with scoping to various eDir ou's. Looks like the only way to "scope" in SSPR is to actually add say, 23 different eDir ou's (in our case)? On the plus side, looks like you could actually use an eDir Group for the "role" assignment (unlike iManager where it's individual users, so adding 200 people is a PITA).

Not sure if I missed anything else.

Oh, SSPR 4.1, BTW (yes, I know 4.2 is out now, but didn't see anything changing in the above regards).

Thanks!

Re: Helpdesk module questions


> 1) Is there a separate set of questions/answers that users can be
> required to fill in so that when they call the helpdesk, the helpdesk
> can use the Module to verify that the user is who they say they are and
> then reset the user's password?


Yes. Stored in DB of choice. LocalDB, Remote DB (Oracle, etc), or LDAP
(eDir in pwmResponseSet I think).


> 2) If so, I'm guessing this is NOT stored in eDir and can work in
> conjunction with the NMAS settings (meaning it doesn't force you to use
> all 100% SSPR challenge/response stuff)?


I think these are independent of the NMAS stuff. To be honest, even when
setting NMAS values for C/R it seems like it writes it to pwmResponseSet
as well at the same time.

> 3) If so, can this also be required before Helpdesk module performs an
> unlock of an intruder locked-out account?


I think so, not sure.

> 4) With iManager, RBS can be used to give helpdesk the ability to only
> say, reset a password and/or unlock accounts and assign the roles to
> various users, along with scoping to various eDir ou's. Looks like the
> only way to "scope" in SSPR is to actually add say, 23 different eDir
> ou's (in our case)? On the plus side, looks like you could actually use
> an eDir Group for the "role" assignment (unlike iManager where it's
> individual users, so adding 200 people is a PITA).


Admin users are defined by those users who match an LDAP filter. You
can use nrfMemberOf some Role DN or Member of a Group. Or any LDAP
filter that makes sense.


Re: Helpdesk module questions

geoffc;2465167 wrote:

>> 1) Is there a separate set of questions/answers that users can be
>> required to fill in so that when they call the helpdesk, the helpdesk
>> can use the Module to verify that the user is who they say they are and
>> then reset the user's password?
>
> Yes. Stored in DB of choice. LocalDB, Remote DB (Oracle, etc), or LDAP
> (eDir in pwmResponseSet I think).



Hmm, so far the only 3 verification options appear to be:
LDAP Attribute
SMS/Email token (SMS deprecated in 4.2)
OTP (Mobile device) verification

Unless maybe I need to enable something else prior?

Re: Helpdesk module questions

On 8/29/2017 5:14 PM, kjhurni wrote:
>
> geoffc;2465167 Wrote:
>>
>>> 1) Is there a separate set of questions/answers that users can be
>>> required to fill in so that when they call the helpdesk, the helpdesk
>>> can use the Module to verify that the user is who they say they are and
>>> then reset the user's password?

>>
>> Yes. Stored in DB of choice. LocalDB, Remote DB (Oracle, etc), or LDAP
>> (eDir in pwmResponseSet I think).
>>
>>

>
> Hmm, so far the only 3 verification options appear to be:
> LDAP Attribute
> SMS/Email token (SMS deprecated in 4.2)
> OTP (Mobile device) verification
>
> Unless maybe I need to enable something else prior?


Sorry, I meant the Helpdesk C/Rs are stored in one of three locations.

But looking in 4.1.05 I do not see them anymore either... Wonder if
they got dropped.



Re: Helpdesk module questions

geoffc;2465184 wrote:
> On 8/29/2017 5:14 PM, kjhurni wrote:
>>
>> geoffc;2465167 Wrote:
>>>
>>>> 1) Is there a separate set of questions/answers that users can be
>>>> required to fill in so that when they call the helpdesk, the helpdesk
>>>> can use the Module to verify that the user is who they say they are and
>>>> then reset the user's password?
>>>
>>> Yes. Stored in DB of choice. LocalDB, Remote DB (Oracle, etc), or LDAP
>>> (eDir in pwmResponseSet I think).
>>
>> Hmm, so far the only 3 verification options appear to be:
>> LDAP Attribute
>> SMS/Email token (SMS deprecated in 4.2)
>> OTP (Mobile device) verification
>>
>> Unless maybe I need to enable something else prior?
>
> Sorry, I meant the Helpdesk C/Rs are stored in one of three locations.
>
> But looking in 4.1.05 I do not see them anymore either... Wonder if
> they got dropped.


Looks a little more promising. Sort of.

So the 3 types of verifications are named very poorly, IMO.
Apparently the middle one:
SMS/Email or something is actually referring to the Forgotten Password module setup.

Or so I'm interpreting the little "?" links on the page.

That's the "sorta promising" because when you go into Forgotten Password you can see some extra options.

The downside is that it uses Forgotten Password module to do this. Normally with NMAS, the Challenge Response questions are "clear text" but the answers are stored encrypted. So not sure if I like/care that the helpdesk CR are then stored in the database (not eDir) or if it'll make all the challenge/response stuff go over there.

I may have to investigate more.

I wonder if I could create a new encrypted attribute and just let user put whatever in there and then use that? But not sure if the SSPR LDAP Attribute supports encrypted attributes. Heck, may not even need to be encrypted since it's just used to verify with the helpdesk. Dunno.