Using DirXperts to achieve LDAP-based Contextless Login
Novell Cool Solutions: Trench
By Marcel Cox
Posted: 18 Jun 2003
You may already have discovered the DirXperts toolset which, among other things, contains an LDAP-based contextless login extension.
I did some research on this and found that this tool is much more powerful than documented. For example, it allows you to limit searching to a certain context instead of searching the whole tree. Also, I have some tips on how to configure LDAP with newer versions of eDirectory to make contextless login work, as the default LDAP configuration is no longer sufficient for contextless login.
Using REGMON and Ethereal, I was able to figure out the hidden options of LGNCXW32.DLL, and the following document describes my findings:
How to use LDAP-based contextless login
Starting with the v4.90 client for NT/W2K/XP, Novell plans to include LDAP-based contextless login in the client. For older clients and for Win9x clients, however, LDAP-based contextless login has already been available for some time as an unsupported login extension called lgncxw32.dll. You can find it on the Cool Solutions web site as part of the DirXperts tools.
An older version with fewer features can also still be found in some places as a file called lgncx.zip.
Lgncxw32.dll is quite powerful and allows you to limit your search to specific contexts. This is neither documented, nor configurable through the included configuration tool. This document describes the registry settings on the workstation and the LDAP configuration settings on the server that are needed to make LDAP-based contextless login work.
There are two areas in the registry where lgncxw32.dll reads its settings.
[HKEY_LOCAL_MACHINE\SOFTWARE\Novell\Graphical Login\NWLGE\LgnCx]
"RUNCONTEXT"=dword:00000001
"LOGINEXTNAME"="LgnCxW32.DLL"
"LOGINEXTDESC"="Novell LDAP Contextless Login Extension"
"LOGINEXTTYPE"=dword:00008001
"SearchUsername"=dword:00000001
"SearchMail"=dword:00000000
"AllowWild"=dword:00000001
The meaning of the values is the following:
RUNCONTEXT: enable(1) or disable(0) this login extension
LOGINEXTNAME: name of the extension DLL. The example above assumes that LGNCXW32.DLL is in the WINNT\SYSTEM32 directory.
LOGINEXTDESC: a descriptive text
LOGINEXTTYPE: type of the extension. Use the value shown above.
SearchUsername: enable(1) or disable(0) searching the user name
SearchMail: enable(1) or disable(0) searching the user's e-mail address
AllowWild: enable(1) or disable(0) the use of wildcards
Tree-specific settings:
[HKEY_LOCAL_MACHINE\SOFTWARE\Novell\Trees\<TREE>]
[HKEY_LOCAL_MACHINE\SOFTWARE\Novell\Trees\<TREE>\LDAPServers]
[HKEY_LOCAL_MACHINE\SOFTWARE\Novell\Trees\<TREE>\LDAPServers\<LDAP>]
"LgnCx"=dword:00000001
- Replace <TREE> with the actual name of your tree. You can search multiple trees by creating multiple keys, one for each tree.
- Replace <LDAP> with the IP address or DNS name of the LDAP server you want to search. If you want to search multiple LDAP servers, create multiple keys, one for each server.
- For each LDAP server key, create a LgnCx DWORD entry with the value 1. This will include the specified LDAP server in the contextless login search.
If you want to limit the search to specific contexts, create the following registry keys and values:
- UsePruning enables(1) or disables(0) pruning the search to a specific container and all those below.
- The key <context> specifies the context of the container to search. For multiple containers, simply create multiple keys of this type.
- Note that the context must be written in LDAP syntax: the "o=" and "ou=" attribute types need to be included, and the components have to be separated by commas.
The easiest way to install the contextless login on your workstations and push out the registry settings is to use the NetWare Application Launcher which is part of ZENworks for Desktops.
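As an added example (not part of the DirXperts tools or of this article), the following Python script generates a .reg file containing the global and tree-specific settings described above, so they can be pushed to workstations; the tree name and server addresses in the sample are constructed placeholders.

```python
from typing import Dict, Iterable

GLOBAL_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Novell\Graphical Login\NWLGE\LgnCx"
TREES_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Novell\Trees"


def dword(value: bool) -> str:
    """Render a boolean as the .reg DWORD literal lgncxw32.dll reads."""
    return "dword:%08x" % (1 if value else 0)


def build_lgncx_reg(trees: Dict[str, Iterable[str]],
                    search_username: bool = True,
                    search_mail: bool = False,
                    allow_wild: bool = True,
                    dll_name: str = "LgnCxW32.DLL") -> str:
    """Return the text of a .reg file enabling LDAP contextless login.

    trees maps each eDirectory tree name to the LDAP servers (IP or DNS name)
    to search for that tree; each server key gets LgnCx=1 as described above.
    """
    lines = ["Windows Registry Editor Version 5.00", ""]
    # Global extension settings (one key for the whole workstation).
    lines += [
        "[%s]" % GLOBAL_KEY,
        '"RUNCONTEXT"=%s' % dword(True),
        '"LOGINEXTNAME"="%s"' % dll_name,
        '"LOGINEXTDESC"="Novell LDAP Contextless Login Extension"',
        '"LOGINEXTTYPE"=dword:00008001',
        '"SearchUsername"=%s' % dword(search_username),
        '"SearchMail"=%s' % dword(search_mail),
        '"AllowWild"=%s' % dword(allow_wild),
        "",
    ]
    # Tree-specific settings: one key per tree, one sub-key per LDAP server.
    for tree, servers in trees.items():
        if not tree or "\\" in tree:
            raise ValueError("invalid tree name: %r" % tree)
        lines += ["[%s\\%s]" % (TREES_KEY, tree),
                  "[%s\\%s\\LDAPServers]" % (TREES_KEY, tree), ""]
        for server in servers:
            lines += ["[%s\\%s\\LDAPServers\\%s]" % (TREES_KEY, tree, server),
                      '"LgnCx"=%s' % dword(True), ""]
    return "\r\n".join(lines)


if __name__ == "__main__":
    # Constructed sample: tree EXAMPLE_TREE searched via two LDAP servers.
    print(build_lgncx_reg({"EXAMPLE_TREE": ["ldap1.example.com", "10.0.0.5"]}))
```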
Important note for the server configuration:
The LDAP server needs to be configured to allow public listing of all the users. On older NDS/eDirectory versions, this right is available by default. For newer versions of eDirectory, the default rights are no longer enough to make contextless login work. As an additional, non-default right, you need read access to the CN property of the user objects. You can either grant this right to the [Public] pseudo-object or, even better, create an LDAP proxy user which has only the required rights. See the eDirectory documentation for more information on configuring LDAP.
If you have any questions you may contact Marcel at firstname.lastname@example.org
Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com