| |
iChain mandates that the same login page be presented to all users using Novell's iChain/iChain Proxy Server as a front-end proxy with authentication enabled. In order to understand the means by which customer requests to modify the login page can be accommodated, it is beneficial to examine the current implementation.
When an accelerator is set up, the user has the option of enabling authentication. When this is done, the user must specify an authentication profile. If the profile is an LDAP authentication profile, it will have three options for login name format:
Each login name format is presented to the user via a designated login page.
As an HTTP request comes in to be serviced by the accelerator, the proxy will first check the servicing accelerator to see if it has authentication enabled. If so, the proxy will first present a designated login page, contingent on the type of authentication profile specified for the servicing accelerator.
For example, assume there is an accelerator with an LDAP authentication profile where a distinguished name is the specified type of login name format. If a new HTTP request comes in to be serviced by this accelerator where no prior connection has been established, the proxy will first present the login page to the user:
SYS:\ETC\PROXY\DATA\CALOGLDP.HTM
If the login name format was the user's e-mail, the login page that will be presented is:
SYS:\ETC\PROXY\DATA\CALOGMA.HTM
In order to be able to allow an administrator to specify a custom login page, in the iChain 2.0/iChain Proxy Server Web Administration tool, a field in the setup window exists to specify a subdirectory where the login page for that accelerator can be found. The actual file name will continue to be predetermined by the profile and login name format.
For example, if the user specifies the subdirectory NIKE and specifies an LDAP authentication profile where the login name format is user's e-mail, the proxy will attempt to find:
SYS:\ETC\PROXY\DATA\NIKE\CALOGMA.HTM
Currently the designated login pages are:
The designated error pages are the same as the ones above, but different text is placed in certain fields in these files to indicate an error has occurred. Since PROXY.NLM currently hard-codes strings into designated HTML pages, it is best to allow for the specification of a unique error login page per accelerator.
The same mechanism that is described in Custom Login Pages is provided for child accelerators that are part of either path-based or host-based multi-homing.
Because the login pages are serviced from memory, this limits the types of graphics that can be supported. All streaming types of graphical/sound widgets (that is, avi, wav, mpeg, Quicktime, etc.) are not supported; however, BMP, JPG, GIF, and other types of clipart graphics are supported.
Default login pages are contingent on the type of authentication profiles that are being employed for the accelerator. Coding of specific login pages is most readily accomplished via modifying copies of these files but the following describes significant portions of the specific login pages:
The requirements for an LDAP profile login page for login name formats of distinguished with LDAP contexts can be found between lines 89 and 110 of this file:
The same attributes as explained for CALOGLDP apply to accelerators using profiles with login name formats of distinguished without LDAP contexts (fully distinguished). The difference is that there is no context and the username should contain a fully distinguished LDAP name for the value.
The same attributes as explained for CALOGLDP apply to accelerators using profiles with login name formats of field name. The difference is that there is no context and the username should contain the field name value for the value.
The same attributes as explained for CALOGLDP apply to accelerators using profiles with login name formats of e-mail address. The difference is that there is no context and the username should contain an e-mail address for the value.
The same attributes as explained for CALOGLDP apply to accelerators using RADIUS profiles. The difference is that there is no context and the username should contain a RADIUS username for the value.
If you want to set up a custom logout page, you will need to provide a link in your respective HTML/XML page that reads as follows:
href="/cmd/BM-Logout"
or
href="/cmd/ICSLogout"
When this is completed, the following logout page will be presented to the user:
SYS:ETC\PROXY\DATA\CALOGOUT.HTM
Custom logout pages are similar to custom login pages.
When the user specifies a subdirectory for login/logout pages, either through the GUI or at the iChain Proxy Server command line
set accelerator <acc name> loginpage=<subdir from etc proxy data>
For example:
set accelerator nike loginpage=nike
the proxy will then look for:
SYS:ETC\PROXY\DATA\NIKE\CALOGOUT.HTM
| |