Jim Beard, University of Oregon
Lightning Talk on Password Reset
Very ad hoc
at Access Management CAMP in Philadelphia June 15, 2009
Note: requires further editing as of July 7 09
University of Oregon deployed Sun IdM in 2007.
It has 45,000 active accounts. IdM information is stored in LDAP.
Account password resets
Store everything in LDAP.
In certain areas, things became more challenging after the implementation of Sun IdM.
People were able to get away with things before.
Previously, there was a central account clerk in charge of password resets. Users who had lost their password, and could not retrieve or reset it through the automatic methods, used to call the account clerk, and she could take care of things over the phone.
But with the new IdM system, policies were put in place, and users could no longer get their password reset over the phone.
There was a new requirement to walk into the account clerk's office to get a password reset.
There were complaints from folks located on the other side of campus from the account clerk. They don't want to come in.
And the university opened up a new location 40+ miles away. It has always had researchers abroad.
Registration in Hawaii
In the past: fax or phone call.
Used credentialing agents on campus.
Very decentralized. Trying to improve.
Bring in IT professionals from around campus who are not part of central ID. Let them reset passwords.
Worked with someone at the new Portland campus.
The system is auditable.
We know who is doing the resets.
Had to think about the level of trust.
The structure is flat: if you can change one person's password, you can change everyone's password.
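Added example, not code from the talk or from Sun IdM: a small model of delegated password resets that contrasts the flat structure described above (a central clerk who can reset anyone) with agents scoped to a campus or population, and that writes every attempt, allowed or denied, to a hash-chained audit log so "who did the reset" can be answered and the log itself is tamper-evident. The directory entries, agent names, and scope attributes are constructed and hypothetical; the in-memory dict stands in for LDAP.

```python
import hashlib
import json
import secrets
from datetime import datetime, timezone

# Constructed sample directory standing in for LDAP entries (hypothetical uids/attributes).
DIRECTORY = {
    "uid=alice,ou=people": {"campus": "eugene", "affiliation": "student", "password": None},
    "uid=bob,ou=people": {"campus": "portland", "affiliation": "staff", "password": None},
    "uid=carol,ou=people": {"campus": "eugene", "affiliation": "staff", "password": None},
}

# Delegated reset agents (hypothetical). A scope value of None means "any".
# An agent whose scope is all-None is the flat model: it can reset every account.
AGENTS = {
    "agent=central-clerk": {"campus": None, "affiliation": None},
    "agent=portland-it": {"campus": "portland", "affiliation": None},
    "agent=school-x-dean": {"campus": "eugene", "affiliation": "student"},
}

AUDIT_LOG = []  # append-only list of hash-chained records
_GENESIS = "0" * 64


def in_scope(agent_dn, target_dn):
    """True if every non-None scope attribute of the agent matches the target entry."""
    scope = AGENTS[agent_dn]
    entry = DIRECTORY[target_dn]
    return all(want is None or entry[attr] == want for attr, want in scope.items())


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns a self-describing string for storage."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return f"pbkdf2:{salt.hex()}:{digest.hex()}"


def verify_password(password, stored):
    _, salt_hex, digest_hex = stored.split(":")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), 200_000)
    return secrets.compare_digest(digest.hex(), digest_hex)


def _audit(agent_dn, target_dn, outcome):
    """Append a record whose hash covers its own fields plus the previous record's hash."""
    prev = AUDIT_LOG[-1]["hash"] if AUDIT_LOG else _GENESIS
    record = {
        "ts": datetime.now(timezone.utc).isoformat(),
        "agent": agent_dn,
        "target": target_dn,
        "outcome": outcome,
        "prev": prev,
    }
    record["hash"] = hashlib.sha256(json.dumps(record, sort_keys=True).encode()).hexdigest()
    AUDIT_LOG.append(record)
    return record


def reset_password(agent_dn, target_dn):
    """Return (ok, temporary_password_or_None). Denied attempts are audited too."""
    if agent_dn not in AGENTS or target_dn not in DIRECTORY:
        _audit(agent_dn, target_dn, "denied:unknown-principal")
        return False, None
    if not in_scope(agent_dn, target_dn):
        _audit(agent_dn, target_dn, "denied:out-of-scope")
        return False, None
    temp = secrets.token_urlsafe(12)
    DIRECTORY[target_dn]["password"] = hash_password(temp)
    DIRECTORY[target_dn]["must_change"] = True  # force the user to pick their own password
    _audit(agent_dn, target_dn, "allowed")
    return True, temp


def verify_audit_chain(log=None):
    """Recompute every hash and link; any edited or removed record breaks the chain."""
    log = AUDIT_LOG if log is None else log
    prev = _GENESIS
    for rec in log:
        body = {k: v for k, v in rec.items() if k != "hash"}
        expected = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        if rec["prev"] != prev or rec["hash"] != expected:
            return False
        prev = rec["hash"]
    return True


if __name__ == "__main__":
    print(reset_password("agent=portland-it", "uid=bob,ou=people"))    # allowed
    print(reset_password("agent=portland-it", "uid=alice,ou=people"))  # denied: wrong campus
    print(reset_password("agent=central-clerk", "uid=alice,ou=people"))  # allowed (flat agent)
    print(json.dumps(AUDIT_LOG, indent=1), verify_audit_chain())
```

The point of the scoped agents is that a compromised or careless Portland agent can only reset Portland accounts, whereas the flat central-clerk agent is the "change one, change all" case from the talk; the chained log is what lets an auditor trust the "we know who is doing the resets" claim after the fact.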
Some of the challenges (rolled out 4 months ago): the on-campus credentialing agent is the dean of ? for a different school.
That person is busy, helps students, and is not always there for this purpose.
The Portland branch person is an IT person set to be there.
A: Our account clerk can access confidential info. But students lose their cards a lot. Someone might pick up someone else's card.
Bringing in more services, so for password resets they still go in and get the new password.