4.6 Configuration Issues

4.6.1 Contextless Login

If you configure Novell SecureLogin to use LDAP mode, a login page is displayed when Novell SecureLogin is launched.

The login dialog box requires a user distinguished name (DN) and password. The LDAP Authentication client provides a contextless login. This feature allows you to type part of your fully distinguished name (DN) rather than the full string, which some users may find confusing.

Table 4-2 Contextless Login

If: More than one match is found.
Then: A login dialog box is displayed that allows the user to select the login account.

If: Multiple IDs exist.
Then: The client lists all user IDs that begin with the typed string (for example, Westbye Tim); the user then selects the Domain Name for his or her user ID and logs in.

You can search using the user's given name, surname, and display name.

Surname (sn) and given name (givenname) are the default values.

4.6.2 LDAP Browser

  1. Log in to the LDAP browser using your user account or administrator account credentials.

  2. Provide your username and password, and click OK.

If the full LDAP information is not visible, click Advanced to expand the dialog box. If this information is blank, populate it as needed.

  • If you are installing Novell SecureLogin for LDAP for the first time, then the Context and Primary host areas are blank.

  • If you are upgrading to Novell SecureLogin for LDAP from a previous version, the user's distinguished name (DN) information is normally cached in the system registry.

  • As an administrator, you might need to include a system registry update as part of the Novell SecureLogin deployment strategy.

4.6.3 Using LDAP on eDirectory

All the functionality that is available in NMAS is also available in the LDAP Authentication client for SecureLogin. The LDAP client enables you to provide multilevel authentication (for example, a biometric device and a password).

When you use LDAP on eDirectory, the LDAP password can come from one of two places:

  • The eDirectory password

  • The NMAS Simple password

The eDirectory password takes precedence. The Simple Password is used only if an eDirectory password does not exist.

If a user types a password that does not match the eDirectory password, LDAP attempts to match the simple password.

4.6.4 Using LDAP in Non-eDirectory Environments

Configuring the Server

Retrieving the Certificate

  1. Ensure that the certificate service is installed on the directory server.

  2. Export a copy of the server certificate file to a temporary location for user deployment.

    When you export the certificate, ensure that the encoding format you select is DER encoded binary X.509 or Base-64 encoded X.509.

  3. Manually change the certificate filename extension to .der or .b64 (depending on the encoding format you select).

For details on the certificate service, refer to the documentation for the directory server you use.

Enabling Anonymous Queries

By default, anonymous queries are not enabled on some of the directory servers (including Active Directory).

If you use Active Directory, make sure that you have set the Anonymous Login rights on the user container and that the settings have taken effect on all User objects within that container.

For more details, refer to AppNote: Configuring Active Directory to Allow Anonymous Queries for NSL LDAP Client.

Following are the minimum permissions to be granted for Anonymous Login:

Table 4-3 Setting Permissions for Anonymous Login

User Object       Permissions       Inheritance                        Permission Type
ANONYMOUS LOGON   List Contents     This object and all child objects  Object
ANONYMOUS LOGON   Read name         This object and all child objects  Property
ANONYMOUS LOGON   Read Name         This object and all child objects  Property
ANONYMOUS LOGON   Read objectClass  This object and all child objects  Property

Extending the Schema

  • Servers (except Active Directory): Extend the LDAP directory schema for all directory servers other than Active Directory. While extending the LDAP schema, ensure that you have chosen the appropriate directory mode. For details, refer to Extending the Schema.

    NOTE: You must extend the LDAP schema on all servers if you want them to act as failover servers.

  • Active Directory: Extend the Active Directory schema.

    NOTE: Extending an LDAP directory schema on Active Directory can lead to improper configuration resulting in authentication failure.

Configuring the Workstation

  1. Copy the server certificate file to your workstation.

  2. Specify the certificate file path by adding the following registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Novell\Login\LDAP

  3. Under the above registry key, specify the following value:

    CertFilePath REG_SZ full_path_of_cert_file

    The certificate filename extension must be either .der or .b64, as in the following examples:

    Name          Type     Data
    CertFilePath  REG_SZ   C:\ad_cert.der
    CertFilePath  REG_SZ   C:\ad_cert.b64
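As an added check that is not part of SecureLogin or this documentation, the following Python verifies that an exported certificate file really is DER or Base-64 encoded X.509 before its path is written to CertFilePath, and refuses a filename whose extension does not match the encoding found in the file. The sample bytes are constructed, not a real certificate.

```python
import base64
import re

# Constructed sample inputs (not real certificates): a minimal DER SEQUENCE
# and its PEM wrapping, enough to exercise the format checks below.
SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x05])        # SEQUENCE { INTEGER 5 }
SAMPLE_B64 = (b"-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")


def _der_sequence_length_ok(data: bytes) -> bool:
    """True if data is one DER SEQUENCE whose declared length matches the
    file length (catches truncated or badly exported files)."""
    if len(data) < 2 or data[0] != 0x30:
        return False
    first = data[1]
    if first < 0x80:                      # short-form length
        length, hdr = first, 2
    else:                                 # long form: next n bytes hold the length
        n = first & 0x7F
        if n == 0 or n > 4 or len(data) < 2 + n:
            return False
        length = int.from_bytes(data[2:2 + n], "big")
        hdr = 2 + n
    return hdr + length == len(data)


def classify_cert(data: bytes):
    """Return 'der', 'b64', or None for an exported X.509 certificate file."""
    if data.lstrip().startswith(b"-----BEGIN CERTIFICATE-----"):
        body = re.sub(rb"-----(BEGIN|END) CERTIFICATE-----", b"", data)
        try:
            decoded = base64.b64decode(body, validate=False)
        except ValueError:
            return None
        return "b64" if _der_sequence_length_ok(decoded) else None
    return "der" if _der_sequence_length_ok(data) else None


def cert_file_path_value(path: str, data: bytes):
    """Return (name, type, data) for the CertFilePath registry value, raising
    if the extension does not match the encoding actually in the file."""
    kind = classify_cert(data)
    if kind is None:
        raise ValueError("not a DER or Base-64 encoded X.509 file")
    if not path.lower().endswith("." + kind):
        raise ValueError(f"file is {kind}-encoded; rename it to end in .{kind}")
    return ("CertFilePath", "REG_SZ", path)
```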

Using Contextless Login

If you configure a workstation to use the LDAP authentication, the LDAP module launches a login dialog box, which requires a user DN and password. The LDAP Authentication client provides a contextless login. This feature simplifies the login process by enabling you to type part of your username.

For example, Henri Dubois' DN is cn=hdub,ou=rdev,o=vmp. Henri enters hdub in the login dialog box. The LDAP Authentication client finds and displays every user ID that begins with hdub. If just one user ID qualifies, the LDAP authentication client authenticates using Henri's entire DN.

If multiple hdub IDs exist, the client lists all user IDs that begin with hdub. Henri then selects the DN for his user ID and logs in.
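To illustrate the contextless lookup described here and in Section 4.6.1, this added Python example (not SecureLogin's own code) turns the typed prefix into an escaped LDAP search filter and applies the one-match/many-match rule over constructed directory entries. The searched attribute set (cn, sn, givenName, displayName) and the offline matcher are assumptions standing in for the real LDAP search.

```python
from typing import Dict, List, Tuple

# Constructed directory entries standing in for LDAP search results.
# Two users share cn=hdub in different containers: the "multiple IDs" case.
ENTRIES: List[Dict[str, str]] = [
    {"dn": "cn=hdub,ou=rdev,o=vmp", "cn": "hdub", "givenName": "Henri",
     "sn": "Dubois", "displayName": "Henri Dubois"},
    {"dn": "cn=hdub,ou=sales,o=vmp", "cn": "hdub", "givenName": "Hannah",
     "sn": "Dubar", "displayName": "Hannah Dubar"},
    {"dn": "cn=twestbye,ou=rdev,o=vmp", "cn": "twestbye", "givenName": "Tim",
     "sn": "Westbye", "displayName": "Westbye Tim"},
]

SEARCH_ATTRS = ("cn", "sn", "givenName", "displayName")   # assumed attribute set


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so typed text can never change the filter's structure."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def build_filter(prefix: str, attrs=SEARCH_ATTRS) -> str:
    """Prefix search across all attributes, e.g. (|(cn=hdub*)(sn=hdub*)...)."""
    esc = escape_filter_value(prefix)
    return "(|" + "".join(f"({a}={esc}*)" for a in attrs) + ")"


def search(prefix: str, entries=ENTRIES, attrs=SEARCH_ATTRS) -> List[str]:
    """Offline stand-in for the LDAP search: case-insensitive prefix match."""
    p = prefix.lower()
    return [e["dn"] for e in entries
            if any(e.get(a, "").lower().startswith(p) for a in attrs)]


def resolve_login(prefix: str, entries=ENTRIES) -> Tuple[str, object]:
    """Apply the page's rule: one match -> bind with the full DN,
    several -> let the user choose, none/empty -> no login attempt."""
    if not prefix.strip():
        return ("none", None)
    dns = search(prefix, entries)
    if len(dns) == 1:
        return ("bind", dns[0])
    if dns:
        return ("choose", dns)
    return ("none", None)
```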