Deploying SecureLogin

The SecureLogin environment consists of user IDs, scripts that enable applications for single sign-on, password policies (rules), and SecureLogin settings. You can manage this environment individually (at the User object level), collectively (at the container or OU level), or both.

In Microsoft Active Directory, SecureLogin cannot be configured from the highest level or root of the network directory. You need to configure each container or OU individually. To facilitate speedy deployment, SecureLogin provides two options for distributing SecureLogin data across containers and organizational units: copying, exporting, and importing SecureLogin settings, and redirecting.


Copying, Exporting, and Importing SecureLogin Settings

The Copy Settings feature enables you to copy SecureLogin settings (data) from one object in a directory tree to one or more objects in that tree. You can copy an object's settings to a container, OU, or User object. The objects can be in the same context or in a different context. You can't copy settings from one tree to another.

However, you can export or import settings from one tree to a target tree. After settings are exported or imported, you can then copy them from within the target tree.

Also, you can copy from one administrative tool (ConsoleOne, MMC, or SecureLogin Manager) and import into another tool.

The Copy feature saves settings internally (RAM) and copies to objects. The Export feature saves the settings externally to an XML file. You can then use the XML file repeatedly to import settings to objects.

Copy Settings doesn't copy, export, or import variables. Therefore, usernames and passwords are not copied, exported, or imported.


Copying SecureLogin Settings

To copy SecureLogin settings, use the following guidelines:

  • Typically, copy from a User object to a User object and from a Container object to a Container object.
  • Copy settings to an object in the same context, a parallel context, or a subordinate context. Don't copy settings from an object in a subordinate context to an object in a superior (higher in the tree) context.
  • Copy items that have local settings. When inheritable settings are copied, they become local settings on the object that the settings are copied to. Such copied settings might have broken login-to-application links.
  • Ensure that you don't overwrite Administrator settings when copying settings to a container or organizational unit. For example, if you set the option Allow Users to View and Change Settings to No, and then copy this as part of a SecureLogin environment to the container/OU including the Administrator user object, the Administrator won't be able to view or change SecureLogin settings. To prevent this from happening, always change the settings on Administrative accounts before restricting the associated container or OU settings.

To copy settings:

  1. In ConsoleOne, right-click the object that has the settings that you want to copy, then click Properties.

    You can select an Organization, Organizational Unit, Locality, Country, or User object.

  2. At the Novell SecureLogin tab, select Copy Settings.


    [Figure: The Copy Settings page]
  3. Select Copy to One or More Objects in eDirectory, then select all check boxes (in the Scope pane) for settings that you want to copy.

    By default, all data are selected. To limit the scope, deselect check boxes for data that you don't want to copy, export, or import.

    For example, if you only want to copy user IDs, deselect the other check boxes.

  4. Click Perform Operation.

  5. On the Select Objects page, select one or more objects that you want to copy the settings to.

    You can browse to and select one or more objects from other contexts, but you can't select objects from other trees. You can select objects in one context and then browse to other contexts to select additional objects.

    To select an object, click it, then click Select. Selected objects appear in the Selected Objects pane.

  6. Click OK.


Exporting SecureLogin Settings

You can export settings from one tree and import them into the same tree or a different tree. The Export and Import options operate on the same settings as Copy Settings.

To export and import settings, you use XML files. The files have a corresponding XML schema file (nsldata.xsd).

The XML schema file specifies the XML tags and the types of data. The file controls how SecureLogin behaves.

To export SecureLogin Settings:

  1. Right-click the object that has the settings that you want to export, then click Properties.

  2. On the Novell SecureLogin page, click Copy Settings.


    [Figure: The Copy Settings dialog box]
  3. Click Export to an XML File, then select all check boxes (in the Scope pane) for settings that you want to export.

    To limit the scope, deselect check boxes for settings that you don't want to export.

  4. Click Perform Operation.

  5. Save the settings to an XML file.

    Navigate to the directory where you want to save the XML file, specify the filename, then click Save.

    The settings are ready to import to another object.

    You can edit exported XML files. The XML schema file is provided so that you can verify any modified XML file. However, an easier way to verify a modified file is to import it. The SecureLogin snap-in to ConsoleOne reports an error if the modified file has incorrect syntax or some other problem.
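Before importing an edited export, it helps to list exactly what changed against the untouched export, so that a setting flip such as the view-and-change restriction described in the copy guidelines is reviewed before it reaches a container that holds administrative accounts. The following is an added example, not part of the SecureLogin documentation or tooling; it is schema-agnostic, and the element and attribute names in the sample documents are constructed, not taken from nsldata.xsd.

```python
import xml.etree.ElementTree as ET

# Constructed sample documents; element names are hypothetical, not from nsldata.xsd.
ORIGINAL = """<settings>
  <option name="AllowUserChange">Yes</option>
  <policy name="Default"><minLength>8</minLength></policy>
</settings>"""
EDITED = """<settings>
  <option name="AllowUserChange">No</option>
  <policy name="Default"><minLength>8</minLength><maxLength>64</maxLength></policy>
</settings>"""

def flatten(xml_text):
    """Return {path: value} for every element text and attribute in the document."""
    if "<!DOCTYPE" in xml_text:
        # An exported settings file has no reason to carry a DTD or entities.
        raise ValueError("DOCTYPE declarations are not accepted")
    out = {}

    def walk(el, path):
        text = (el.text or "").strip()
        if text:
            out[path] = text
        for name, val in el.attrib.items():
            out[f"{path}/@{name}"] = val
        seen = {}
        for child in el:
            # Index repeated siblings so two <option> elements get distinct paths.
            seen[child.tag] = seen.get(child.tag, 0) + 1
            walk(child, f"{path}/{child.tag}[{seen[child.tag]}]")

    root = ET.fromstring(xml_text)
    walk(root, f"/{root.tag}")
    return out

def review_changes(original_xml, edited_xml):
    """List (kind, path, old, new) for every value that differs between two exports."""
    before, after = flatten(original_xml), flatten(edited_xml)
    changes = []
    for path in sorted(before.keys() | after.keys()):
        old, new = before.get(path), after.get(path)
        if old != new:
            kind = "added" if old is None else "removed" if new is None else "changed"
            changes.append((kind, path, old, new))
    return changes

if __name__ == "__main__":
    for change in review_changes(ORIGINAL, EDITED):
        print(change)
```

This review complements the schema check performed at import; it does not replace it.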


Importing SecureLogin Settings

  1. Right-click the object that you want to import the settings to, then click Properties.

  2. Select Copy Settings.

  3. Select Import, then select all check boxes (in the Scope pane) for settings that you want to import.

    To limit the scope, deselect check boxes for settings that you don't want to import.

  4. Click Perform Operation.

  5. Navigate to and select the XML file that contains the settings that you want to import, then click Open.

    When you import settings from an XML file, SecureLogin validates the XML file against the XML schema. An invalid XML file is rejected.

You can only import settings to one object at a time. However, after importing you can then copy (within the target tree) settings that you imported.


Redirecting

Inheritance of SecureLogin data stops at the container or OU. Redirected containers or OUs don't inherit settings, enabled applications, or password rules that a container or OU inherits from another container or OU.

The following process illustrates how to redirect a Sales OU to inherit the SecureLogin configuration from the Marketing OU by using Active Directory.

  1. Select Start > Programs > Administrative Tools > Active Directory Users and Computers.

  2. Right-click the Sales OU, then select Properties.

  3. Select SecureLogin SSO, then click Advanced Settings.

  4. In the Read Corporate Scripts and Settings From edit box, type the container or OU.

    Type the complete distinguished name, so that you uniquely identify the container or OU. For example, type

    CN=Users,DC=www,DC=server,DC=com

    To remove a name, click Remove.

  5. Save the data and close the Advanced Settings page by clicking OK.

  6. To verify inheritance and redirection, double-click the SecureLogin icon on the task bar, then select Applications.

    Prebuilt scripts and password policies that are available at the container or OU level display a checkmark on the icon in the Application Description column. These application scripts and password policies are created and maintained at the container or OU level. Therefore, they can't be edited or deleted by using SecureLogin on the desktop.

    For additional information on redirection, see Managing Corporate Scripts.
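Because step 4 depends on a complete, correctly typed distinguished name, a quick syntactic check before saving catches transposed attribute types and relative names that would leave the OU reading settings from nowhere. The following is an added example, not SecureLogin or Active Directory code; the set of accepted attribute types and the sample names are assumptions, and the check does not confirm that the object exists in the directory.

```python
# Attribute types expected in an Active Directory container or OU name (assumed set).
ALLOWED_TYPES = {"CN", "OU", "DC"}

def split_rdns(dn):
    """Split a distinguished name on unescaped commas (RFC 4514 backslash escapes)."""
    parts, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i:i + 2])  # keep the escape pair together
            i += 2
            continue
        if ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    return parts

def check_redirect_dn(dn):
    """Return a list of problems; an empty list means the name is syntactically complete."""
    problems, types = [], []
    for raw in split_rdns(dn.strip()):
        attr, sep, value = raw.strip().partition("=")
        attr = attr.strip().upper()
        if not sep or not value.strip():
            problems.append(f"malformed component: {raw.strip()!r}")
            continue
        if attr not in ALLOWED_TYPES:
            problems.append(f"unexpected attribute type {attr!r} in {raw.strip()!r}")
        types.append(attr)
    if types and types[-1] != "DC":
        problems.append("name does not end in DC= components, so it is not complete")
    if "DC" in types and any(t != "DC" for t in types[types.index("DC"):]):
        problems.append("DC= components must be contiguous at the end of the name")
    return problems

if __name__ == "__main__":
    # Constructed sample inputs.
    for name in ("OU=Marketing,DC=example,DC=com", "OU=Marketing,CD=example,DC=com",
                 "OU=Marketing", r"OU=Sales\, EMEA,DC=example,DC=com"):
        print(name, "->", check_redirect_dn(name) or "ok")
```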