All the functionality that is available in NMAS is also available on the LDAP Authentication client for SecureLogin. The LDAP client enables you to provide multilevel authentication (for example, a biometric device and a password).
When you use LDAP on eDirectory, the LDAP password can come from one of two places:
The eDirectory password
The NMAS Simple password
The eDirectory password takes precedence; the simple password exists for the case where an eDirectory password does not exist. If a user types a password that does not match the eDirectory password, LDAP attempts to match it against the simple password.
This section contains the following information:
Ensure that the certificate service is installed on the directory server.
Export a copy of the server certificate file to a temporary location for user deployment.
When you export the certificate, ensure that the encoding format you select is DER encoded binary X.509 or Base-64 encoded X.509.
Manually change the certificate filename extension to .der or .b64 (depending on the encoding format you select).
For details on certificate service, refer to the respective section of the documentation for the directory server you use.
By default, anonymous queries are not enabled on some of the directory servers (including Active Directory).
If you use Active Directory, make sure that you have set the Anonymous Logon rights on the user container and that the settings have taken effect on all User objects within that container.
For more details, refer to AppNote: Configuring Active Directory to Allow Anonymous Queries for NSL LDAP Client.
Following are the minimum permissions to be granted for Anonymous Logon:
Table 3-1 Setting Permissions for Anonymous Logon
Servers (except Active Directory): Extend the LDAP directory schema for all directory servers other than Active Directory. While extending the LDAP schema, ensure that you have chosen the appropriate directory mode. For details, refer to Extending the LDAP Directory Schema.
NOTE: You must extend the LDAP schema on every server that is to act as a failover server.
Active Directory: Extend the Active Directory Schema. For details, refer to Section 4.4, Extending the Active Directory Schema.
NOTE: Extending the generic LDAP directory schema on Active Directory, instead of the Active Directory schema, can leave the directory improperly configured and cause authentication failures.
Copy the server certificate file to your workstation.
Specify the certificate file path by adding the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Novell\Login\LDAP
Under this key, create the following value:
CertFilePath REG_SZ full_path_of_cert_file
The certificate filename extension must be either .der or .b64, matching the encoding format you chose when you exported the certificate.
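The export, copy and registry steps above, as an added PowerShell example that is not part of the SecureLogin documentation. It assumes the exported server certificate is at C:\Temp\ldapserver.cer and uses C:\ProgramData\Novell\SecureLogin as the destination on the workstation; both paths are assumptions, and the script must run in an elevated session because it writes under HKEY_LOCAL_MACHINE. It detects whether the file is DER or Base-64 encoded, gives it the matching extension, confirms it parses as an X.509 certificate, sets CertFilePath and reads it back.

```powershell
# Added example (not from the SecureLogin documentation). Paths are assumptions.
$SourceCert = 'C:\Temp\ldapserver.cer'                 # exported server certificate (assumed)
$DestDir    = 'C:\ProgramData\Novell\SecureLogin'      # destination on the workstation (assumed)
$RegKey     = 'HKLM:\SOFTWARE\Novell\Login\LDAP'       # key named in the documentation

# 1. Work out which of the two accepted encodings the export used.
#    DER is raw ASN.1, so the first byte is the SEQUENCE tag 0x30;
#    Base-64 encoded X.509 is the PEM form and starts with a text header.
$bytes = [System.IO.File]::ReadAllBytes($SourceCert)
$head  = [System.Text.Encoding]::ASCII.GetString($bytes, 0, [Math]::Min(64, $bytes.Length))
if ($bytes.Length -gt 0 -and $bytes[0] -eq 0x30) {
    $ext = '.der'
} elseif ($head -match 'BEGIN CERTIFICATE') {      # tolerates a BOM or leading whitespace
    $ext = '.b64'
} else {
    throw "$SourceCert is neither DER nor Base-64 encoded X.509; re-export it in one of those formats."
}

# 2. Make sure the file really is a certificate and show what it identifies, so it can be
#    compared with the certificate on the directory server before the workstation trusts it.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($SourceCert)
Write-Host ("Subject:    {0}" -f $cert.Subject)
Write-Host ("Thumbprint: {0}" -f $cert.Thumbprint)
Write-Host ("Expires:    {0}" -f $cert.NotAfter)

# 3. Copy the file to the workstation with the extension SecureLogin expects.
New-Item -ItemType Directory -Path $DestDir -Force | Out-Null
$dest = Join-Path $DestDir ([System.IO.Path]::GetFileNameWithoutExtension($SourceCert) + $ext)
Copy-Item -Path $SourceCert -Destination $dest -Force

# 4. Point SecureLogin at it: CertFilePath (REG_SZ) under HKLM\SOFTWARE\Novell\Login\LDAP.
if (-not (Test-Path $RegKey)) { New-Item -Path $RegKey -Force | Out-Null }
New-ItemProperty -Path $RegKey -Name 'CertFilePath' -PropertyType String -Value $dest -Force | Out-Null

# 5. Read the value back and confirm the file it names exists.
$configured = (Get-ItemProperty -Path $RegKey -Name 'CertFilePath').CertFilePath
if (-not (Test-Path -LiteralPath $configured)) { throw "CertFilePath points at a missing file: $configured" }
Write-Host "CertFilePath = $configured"
```

The file this value names is what the workstation will trust when it connects to the directory server, so keep it in a location that standard users cannot modify and compare the thumbprint printed in step 2 with the certificate on the server before deploying it.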
If you configure a workstation to use LDAP authentication, the LDAP module launches a login dialog box that requires a user DN and password. The LDAP Authentication client provides a contextless login, which simplifies the login process by letting the user type only part of the username.
For example, Henri Dubois' DN is cn=hdub,ou=rdev,o=vmp. Henri enters hdub in the login dialog box. The LDAP Authentication client finds every user ID that begins with hdub. If just one user ID qualifies, the client authenticates using Henri's entire DN.
If multiple user IDs beginning with hdub exist, the client lists all of them. Henri then selects the DN for his user ID and logs in.
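The contextless login described above, as an added PowerShell example that is not SecureLogin code. It also serves as the check for the anonymous query requirement earlier on this page: the lookup is done with an anonymous bind, so if Anonymous Logon rights have not taken effect on the user container the search fails or returns nothing for a name that exists. Assumptions: the directory server is ldap.example.com listening for LDAP over SSL on port 636 with a certificate the workstation already trusts, users live under ou=rdev,o=vmp, and the name the user types is matched against the cn attribute, as in the hdub example.

```powershell
# Added example, not SecureLogin code. Server, base DN and the cn attribute are assumptions.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function ConvertTo-LdapFilterValue {
    # RFC 4515 escaping: the typed name becomes part of a search filter, so the characters
    # that have meaning in a filter must be escaped first, or a user could widen the search.
    # The backslash is replaced first so the escapes it produces are not re-escaped.
    param([string]$Value)
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'
}

function New-LdapsConnection {
    param([string]$Server)
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, 636)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.SecureSocketLayer = $true   # the password must never cross the wire in clear
    $conn.SessionOptions.ProtocolVersion   = 3
    return $conn
}

function Find-UserDn {
    # Anonymous lookup of every user ID that begins with the typed name.
    param([string]$Server, [string]$BaseDn, [string]$TypedName)
    $conn = New-LdapsConnection $Server
    try {
        $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Anonymous
        $conn.Bind()
        $filter = '(cn=' + (ConvertTo-LdapFilterValue $TypedName) + '*)'
        $scope  = [System.DirectoryServices.Protocols.SearchScope]::Subtree
        $req    = New-Object System.DirectoryServices.Protocols.SearchRequest($BaseDn, $filter, $scope, 'cn')
        # A DirectoryOperationException here, or an empty result for a name that is known to
        # exist, means anonymous queries are not yet permitted on the user container.
        $resp = $conn.SendRequest($req)
        return @($resp.Entries | ForEach-Object { $_.DistinguishedName })
    } finally {
        $conn.Dispose()
    }
}

function Connect-ContextlessUser {
    param([string]$Server, [string]$BaseDn, [string]$TypedName, [securestring]$Password)
    $found = Find-UserDn -Server $Server -BaseDn $BaseDn -TypedName $TypedName
    switch ($found.Count) {
        0       { throw "No user ID begins with '$TypedName'." }
        1       { $dn = $found[0] }                      # exactly one match: use its full DN
        default {                                         # several matches: the user picks one
            Write-Host "More than one user ID begins with '$TypedName':"
            for ($i = 0; $i -lt $found.Count; $i++) { Write-Host ("  [{0}] {1}" -f $i, $found[$i]) }
            $dn = $found[[int](Read-Host 'Enter the number of your DN')]
        }
    }
    $conn = New-LdapsConnection $Server
    try {
        $conn.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Basic
        $conn.Credential = New-Object System.Net.NetworkCredential($dn, $Password)
        $conn.Bind()      # simple bind with the full DN over LDAPS; throws LdapException on a bad password
        return $dn
    } finally {
        $conn.Dispose()
    }
}

# Usage (replace the values with your own):
# Connect-ContextlessUser -Server 'ldap.example.com' -BaseDn 'ou=rdev,o=vmp' `
#     -TypedName 'hdub' -Password (Read-Host -AsSecureString 'Password')
```

Two points worth keeping in mind: the anonymous lookup returns the DN of every user whose ID starts with the typed prefix to anyone who can reach the server, which is inherent to the contextless design, and the simple bind is only acceptable because the connection is LDAPS with a certificate the workstation verifies, which is exactly what the CertFilePath value set up earlier provides.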
A SecureLogin passphrase is a question and response combination used as an alternative form of identity verification. Passphrase functionality protects SecureLogin credentials from unauthorized access and enables users to access SecureLogin in offline mode. Passphrases can also be used as a substitute authentication mode if, for example, a user forgets their password. Depending on the administrator's preferences, SecureLogin passphrase questions can be generated by the administrator, the user, or both.
If a passphrase has previously been configured, this dialog box does not display and the installation is complete.
On initial login to SecureLogin, all users are asked to save a passphrase response. Choose a response that is easy to recall, because it cannot be viewed by anyone.
As administrator, and therefore the first user of SecureLogin, you must create a passphrase question for yourself:
Specify a question in the question field.
Specify an answer in the answer field.
Specify the answer again in the confirmation field.
Click the button to confirm. Your passphrase is saved and SecureLogin is installed on the administration workstation.