31.1 User Source Authentication

By default, a user is automatically authenticated to the Management Zone when he or she logs in to an LDAP directory (Novell eDirectory or Microsoft Active Directory) that has been defined as a user source in the Management Zone. User authentication to ZENworks can occur only if the user’s LDAP directory (or the user’s LDAP directory context) is defined as a user source in ZENworks.

The ZENworks Adaptive Agent integrates with the Windows Login or Novell Login client to provide a single login experience for users. When users enter their eDirectory or Active Directory credentials in the Windows or Novell client, they are logged in to the Management Zone if the credentials match the ones in a ZENworks user source. Otherwise, a separate ZENworks login screen prompts the user for the correct credentials.

For example, assume that a user has accounts in two eDirectory trees: Tree1 and Tree2. Tree1 is defined as a user source in the Management Zone, but Tree2 is not. If the user logs in to Tree1, he or she is automatically logged in to the Management Zone. However, if the user logs in to Tree2, the Adaptive Agent login screen appears and prompts the user for the Tree1 credentials.

The first time a user logs in to a device that has more than one user source enabled, the user is prompted to select the user source and specify the user source credentials. During subsequent logins, the user is automatically logged in to the user source selected during the first login. However, if you do not want the user to be prompted to select the user source during the first login, perform the following steps to enable seamless login on the device:

  1. Open the Registry Editor.

  2. Go to HKLM\Software\Novell\ZCM\ZenLgn.

  3. Create a DWORD called EnableSeamlessLogin and set the value to 1.

If seamless login is enabled, a user's first login to a device might be slow. This is because all the existing user sources are searched and the user is logged in to the first user source that matches the user account. If many users use the same device, subsequent logins might also be slow because the user information might not be cached on the device.

To reduce the login time, specify the default user source for the user to seamlessly log in to the device:

  1. Open the Registry Editor.

  2. Go to HKLM\Software\Novell\ZCM\ZenLgn.

  3. Create a String called DefaultRealm and set the value to the desired user source.

    For example, if all the users should log in to a user source named POLICY-TREE, create a String called DefaultRealm and set its value to POLICY-TREE.

If the login to the specified default user source fails, the other existing user sources are searched and the user is logged in to the user source that matches the user account.
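The two registry procedures above can be applied and verified from an elevated PowerShell prompt instead of the Registry Editor. This is an added example, not part of the product documentation; the function name Set-ZenSeamlessLogin is hypothetical, and POLICY-TREE is the sample user source name used above.

```powershell
# Added example: scripted form of the two Registry Editor procedures above.
# Set-ZenSeamlessLogin is a hypothetical helper name. Run from an elevated prompt.
function Set-ZenSeamlessLogin {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # User source to try first; omit to leave DefaultRealm unchanged.
        [string]$DefaultRealm
    )

    $key = 'HKLM:\Software\Novell\ZCM\ZenLgn'

    # Create the key only if it is missing, so existing values are preserved.
    if (-not (Test-Path -Path $key)) {
        if ($PSCmdlet.ShouldProcess($key, 'Create registry key')) {
            New-Item -Path $key -Force | Out-Null
        }
    }

    # EnableSeamlessLogin must be a DWORD with the value 1.
    if ($PSCmdlet.ShouldProcess("$key\EnableSeamlessLogin", 'Set DWORD to 1')) {
        New-ItemProperty -Path $key -Name 'EnableSeamlessLogin' `
            -PropertyType DWord -Value 1 -Force | Out-Null
    }

    # DefaultRealm must be a String holding the user source name.
    if ($DefaultRealm) {
        if ($PSCmdlet.ShouldProcess("$key\DefaultRealm", "Set String to '$DefaultRealm'")) {
            New-ItemProperty -Path $key -Name 'DefaultRealm' `
                -PropertyType String -Value $DefaultRealm -Force | Out-Null
        }
    }

    # Read back what is actually stored, including the value type, so a
    # wrong type (for example a String where a DWORD is expected) is visible.
    if (Test-Path -Path $key) {
        $item = Get-Item -Path $key
        foreach ($name in 'EnableSeamlessLogin', 'DefaultRealm') {
            if ($item.GetValueNames() -contains $name) {
                [pscustomobject]@{
                    Name  = $name
                    Kind  = $item.GetValueKind($name)
                    Value = $item.GetValue($name)
                }
            }
        }
    }
}

# Preview the changes first; remove -WhatIf to apply them.
Set-ZenSeamlessLogin -DefaultRealm 'POLICY-TREE' -WhatIf
```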

On a Windows XP, Windows 2000, or Windows 2003 device, the user can choose to view the status of the login during the process of logging in to ZENworks.

To enable the status messages to be displayed on the screen:

  1. Open the Registry Editor.

  2. Go to HKEY_LOCAL_MACHINE\Software\Novell\NWGINA.

  3. Create a DWORD called EnableStatusMessages and set the value to 1.

If the Novell Client is installed on a device, the HKLM\Software\Novell\ZCM\ZenLgn registry key, which contains the DWORDs DomainLogin and eDIRLogin, is added by default on the device. The values of DomainLogin and eDIRLogin help you identify whether a logged-in user has logged in to Novell eDirectory or Microsoft Active Directory.

For example:

This login information might be useful in the following scenarios:

Scenario 1: If a user has logged in to Microsoft Active Directory, a DLU policy does not need to be enforced on a device. Even if you choose to enforce a DLU policy on the device, the policy is not effective on the device. Consequently, you can add a system requirement that the DLU policy must be effective on the device only when the user has logged into Novell eDirectory.

Scenario 2: If a user has not logged in to Novell eDirectory, any bundle that must access content from a Netware shared location fails. Consequently, you can add a system requirement that the bundle must be effective on the device only when the user has logged into Novell eDirectory.