2.1 Extending the eDirectory Schema

The Novell® eDirectory™ schema must be extended in order to enable SecureLogin to save users’ single sign-on information. Ndsschema.exe extends the eDirectory schema and grants rights to existing users so that they can use SecureLogin.

To extend the schema of a given tree, you must have sufficient rights over the [root] of the tree.

  1. Run ndsschema.exe.

    Typically, this file is in the securelogin\tools directory. However, if you unzipped it to the Temp directory on a Windows 2000 workstation, you might need to unhide the Local Settings directory and then locate ndsschema.exe in the following path:

    c:\Documents and settings\Administrator\Local Settings\Temp\Securelogin\Tools

    Make sure that you have the Novell Client 4.91 or later installed on your machine. Extending the schema might take some time to filter throughout your network, depending on the size of your network and the speed of the links.

    When the NDS® or eDirectory schema is extended, the following attributes are added:

    • Prot:SSO Auth

    • Prot:SSO Entry

    • Prot:SSO Entry Checksum

    • Prot:SSO Profile

    • Prot:SSO Security Prefs

    • Prot:SSO Security Prefs Checksum

    For information on these attributes, see Section 4.4, Extending the Active Directory Schema.

    If you use iManager to administer SecureLogin, you must extend the LDAP Schema. For more information on extending the LDAP schema, see Extending the LDAP Directory Schema.

  2. Specify an eDirectory context so that SecureLogin can assign rights to User objects under that context.

    You will be prompted to define a context where you want the User objects' rights to be updated, allowing users access to their own single sign-on credentials. The following figure illustrates this prompt:

    (Figure: Assign User Rights dialog box)

    If you don’t specify a context, rights begin at the root of the eDirectory tree.

    Only the rights on Container objects are inherited. These rights flow to subcontainers, so that users can read attributes. User rights aren’t inherited.

    If the installation program displays a message similar to -601 No Such Attribute, you have probably entered an incorrect context or included a leading dot in the context.

  3. (Conditional) Grant rights to local cache directories.

    Users on Windows 2000 and Windows XP must have workstation rights to their local cache directory locations. To grant rights, do one of the following:

    • Grant rights to the user’s cache directory (for example, c:\programfiles\novell\securelogin\cache\v2slc\username)

      The default location is the user’s profile directory. By default, the user already has rights to this directory. However, if the user specified an alternative path during the installation, you might need to grant rights to the cache directory.

    • During the installation, specify a path to a location that the user has rights to (for example, the user’s documents folder).
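Because the extension can take a while to replicate, it is worth confirming on each replica that all six Prot:SSO attributes have arrived before rolling SecureLogin out. The script below is an added example, not part of the SecureLogin documentation or product: it parses an LDIF dump of a replica's subschema (for example the output of `ldapsearch -x -H ldaps://<server> -b cn=schema -s base attributeTypes`; the cn=schema base is an assumption about where eDirectory publishes its subschema) and reports which attributes are still missing. Function names and the sample dump are constructed for the example.

```python
import re

# The six attributes ndsschema.exe adds (as listed in the documentation).
SSO_ATTRIBUTES = {
    "Prot:SSO Auth",
    "Prot:SSO Entry",
    "Prot:SSO Entry Checksum",
    "Prot:SSO Profile",
    "Prot:SSO Security Prefs",
    "Prot:SSO Security Prefs Checksum",
}

def unfold_ldif(text):
    # LDIF folds long values: a line starting with one space continues the previous line.
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def attribute_names(ldif_text):
    """Return every NAME declared in the dump's attributeTypes values."""
    names = set()
    for line in unfold_ldif(ldif_text):
        if not line.startswith("attributeTypes:"):
            continue
        # NAME is either 'x' or a list ( 'x' 'y' ); collect every quoted token.
        m = re.search(r"NAME\s+(\(\s*(?:'[^']*'\s*)+\)|'[^']*')", line)
        if m:
            names.update(re.findall(r"'([^']*)'", m.group(1)))
    return names

def missing_sso_attributes(ldif_text):
    """Prot:SSO attributes the extension should have added but this replica lacks."""
    return sorted(SSO_ATTRIBUTES - attribute_names(ldif_text))

# Constructed sample dump (placeholder OIDs) from a replica that has so far
# received only three of the six attributes; note the folded continuation lines.
SAMPLE_DUMP = """dn: cn=schema
attributeTypes: ( 2.5.4.3 NAME ( 'cn' 'commonName' ) SUP name )
attributeTypes: ( 1.3.6.1.4.1.99999.1.1 NAME 'Prot:SSO Auth' SYNTAX
  1.3.6.1.4.1.1466.115.121.1.40 )
attributeTypes: ( 1.3.6.1.4.1.99999.1.2 NAME 'Prot:SSO Entry' SYNTAX 1.3.6.1.4
 .1.1466.115.121.1.40 )
attributeTypes: ( 1.3.6.1.4.1.99999.1.3 NAME 'Prot:SSO Profile' SYNTAX
  1.3.6.1.4.1.1466.115.121.1.40 )
"""
```

Run `missing_sso_attributes` over the dump from each replica; an empty list means the extension has fully replicated there.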

2.1.1 Granting SSO Rights to New Users

The SecureLogin iManager

  1. Log in to iManager.

  2. Click the Modify Trustees link from the Rights task.

  3. Select the context to which you need to apply SSO rights.

  4. Click the Assigned Rights link corresponding to that context.

  5. Click the Add Property button.

  6. Select Prot:SSO Entry attribute, then click OK.

  7. Repeat Step 5 and Step 6 to add all properties beginning with ‘Prot’.

  8. Check the Write and Inherit checkboxes for all the newly added attributes.

  9. Click Done.

  10. Click OK.

  11. Click OK.