Enhanced features for Form Fill (SSO.NLM) in pre iChain 2.3 SP2 patch

(Last modified: 21Dec2004)

This document (10095590) is provided subject to the disclaimer at the end of this document.

fact

iChain 2.3

iChain 2.3.262 build

goal

Enhanced features for Form Fill (SSO.NLM) in iChain 2.3 beta SP2 patch b1ic23fsp2.exe

fix

Note:  The reason for this TID is that we will be releasing a field test version of iChain 2.3 SP2 over the next week or so and the iChain documentation team will not have the new features documented in time.  All these changes will be included in the SP2 documentation by FCS and will include more examples.

Form Fill tags are not case sensitive anymore
Loading the script will still show a warning if the tags do not match expected case.

A number of stack allocated buffers have been replaced by memory allocations.
This allows for bigger URLs in the Form Fill policy than in previous builds, eliminating an abend if the URL was too long.

Enhanced Protection is now set on Shared Secrets written by iChain to Secret Store by default
In previous versions of iChain, Enhanced Protection could not be set on Shared Secrets. By default, version 2.3.261 and beyond enables Enhanced Protection on Shared Secrets written by iChain. If Enhanced Protection is not desired, SSO.NLM can be loaded with the following parameter to disable it. Syntax:

E 0|1: Disable/Enable Enhanced protection on secrets where 0 is disabled.

Example: load sso.nlm /e0 to disable.

*Add this line to the end of the SYS:/SYSTEM/APPSTART.NCF file to make it persistent.

Enhanced logging
iChain now supports the ability to send form fill debug information to either the log screen or the extended logs. If extended logging is enabled, the administrator can store and download the files through the iChain browser-based admin utility. Note that in order to use the extended logs, extended logging must be enabled on the accelerator.

Also, logging can be enabled or disabled "on the fly": It is not necessary to unload and re-load SSO.NLM to enable or disable this functionality. Just re-load SSO.NLM with the desired parameters. Command line options are as follows:

*All options are case-insensitive and should be preceded by a '/', as in the examples.

D 0|1|2|3|4|5 : Enables level of debug output.
L 0|1|2|3 : Turn logging on
0 - Turn off
1 - Log screen
2 - Extended log. * Extended logging must be enabled on the accelerator for this to work.
3 - Log Screen and extended log

Example: To load SSO.NLM with extended logging at the highest debug level, with output to the log screen only:

load sso.nlm /d5 /l1

*The load command and parameters can be added to the end of SYS:/SYSTEM/APPSTART.NCF if desired.  The new NLM is backward compatible with the old load parameters, meaning that "load sso /d /l" will still send output to the log screen.

Intelligent and customizable return error handling
In many cases, previous versions of iChain would delete a "remembered" login credential for an accelerated server if an unexpected error was returned by LDAP, Novell Shared Secrets, etc., during the process of reading that credential. This behavior would leave the user at an unexpected application login screen.

In iChain builds 2.3.262 and beyond, a default error page with "readable" error information is displayed to the user, rather than just deleting the credential and leaving the user at the application login screen. (A new NLM, ErrorMap.NLM, and its associated configuration files have been introduced. This NLM is responsible for translating error codes into readable strings, and it supports internationalization of these messages if needed.) With this new feature, the help desk has intelligent information to work from and the credential is not deleted needlessly.

As an alternative, the new <errorRedirect> tag can be used in the Form Fill policy to display a customized .php error page to the user.

The parameters passed in the query string can be handled in any way the administrator sees fit. This new functionality gives the administrator unlimited control over NDS/NSSS/LDAP error handling and the subsequent message displayed to the end user. See "ErrorRedirect" below for details.

ErrorRedirect

A new Formfill tag, <errorRedirect>URL_TO_REDIRECT_TO</errorRedirect>, has been introduced. This URL can point anywhere; it does NOT have to be an accelerator. However, in order to be able to get data like username and credentials, you should consider redirecting to an accelerator on the iChain appliance.

This URL works as follows. In this example, the error being returned from LDAP is error "81".

The URL will be called with the following syntax:

http://ms-ichain.provo.novell.com/Formfill/test.php?Stage=Post&Url=http%3A%2F%2Fms-ichain.provo.novell.com%2FFormfill%2Fdave.php&Policy=DaveLogin&Error=81&Class=LDAP&Define=LDAP_SERVER_DOWN&Description=LDAP+Server+Down

The parameters passed from the Formfill ErrorRedirect are:

Stage: Fill | Post
Url: Policy URL
Policy: Policy Name
Error: Decimal Errorcode
Class: LDAP | NSSS
Define: Corresponding Define in the 'C' SDK header files
Description: A short description of the error – in English

Mapping the parameters to the example URL above results in:

Error sent from host: <IP Address>
[Stage]: Post
[Url]: http://ms-ichain.provo.novell.com/Formfill/dave.php
[Policy]: DaveLogin
[Error]: 81
[Class]: LDAP
[Define]: LDAP_SERVER_DOWN
[Description]: LDAP Server Down

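To test a customized .php error page, start with the content below. The .php file can be run on an Apache server that supports PHP. You can then modify the content to display a specific message or parse for specific error codes and handle them any way you want!

<html>
<body>
<blockquote>
<?php
// Query-string parameters appended by the Formfill ErrorRedirect.
$myStuff = $_GET;
// Address of the client that requested this page.
$HTTP_HOST = $_SERVER["REMOTE_ADDR"];
echo "<b>The parameters from the Formfill ErrorRedirect are:</b><br>\n";
echo "Error sent from host: " . htmlspecialchars($HTTP_HOST, ENT_QUOTES, 'UTF-8') . "<br>\n";
foreach ($myStuff as $key => $value)
{
    // Keys and values come from the request, so escape them before output.
    // Array-style parameters (e.g. ?Error[]=1) are shown as a placeholder.
    $shown = is_array($value) ? '(array)' : $value;
    echo "[" . htmlspecialchars((string)$key, ENT_QUOTES, 'UTF-8') . "]: "
        . htmlspecialchars($shown, ENT_QUOTES, 'UTF-8') . "<br>\n";
}
?>
</blockquote>
</body>
</html>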

Notes:  You can find the corresponding errorcodes and messages in the SYS:/SYSTEM/ERR_*.CFG files.
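
The following is an added example, not Novell's code: a stricter error page that validates each ErrorRedirect parameter against the values listed in this document before displaying it, since anyone can request the page with arbitrary query-string values. The function names, the regular expressions, the length limit and the message text are assumptions made for illustration.

```php
<?php
// Added example, not Novell's code. Field names and allowed values come from
// the parameter list in this document; everything else is an assumption.

function parseErrorRedirect(array $query): array
{
    // Strict patterns for the fields whose value set is documented.
    $patterns = [
        'Stage'  => '/^(Fill|Post)$/',
        'Class'  => '/^(LDAP|NSSS)$/',
        'Error'  => '/^-?[0-9]{1,10}$/',       // decimal; sign allowed (assumption)
        'Define' => '/^[A-Za-z0-9_]{1,64}$/',  // C identifier shape (assumption)
    ];
    $clean = [];
    foreach ($patterns as $name => $pattern) {
        $value = $query[$name] ?? '';
        // Arrays (e.g. ?Stage[]=x) and non-matching values are rejected.
        $clean[$name] = (is_string($value) && preg_match($pattern, $value)) ? $value : null;
    }
    // Free-text fields: keep as strings, cap the length, escape at output time.
    foreach (['Policy', 'Description'] as $name) {
        $value = $query[$name] ?? '';
        $clean[$name] = is_string($value) ? substr($value, 0, 200) : null;
    }
    // Url must be an absolute http(s) URL; it is displayed, never followed.
    $url = $query['Url'] ?? '';
    $scheme = is_string($url) ? parse_url($url, PHP_URL_SCHEME) : null;
    $ok = is_string($scheme) && in_array(strtolower($scheme), ['http', 'https'], true);
    $clean['Url'] = ($ok && filter_var($url, FILTER_VALIDATE_URL)) ? $url : null;
    return $clean;
}

function e(?string $s): string
{
    return htmlspecialchars($s ?? '(invalid or missing)', ENT_QUOTES, 'UTF-8');
}

$p = parseErrorRedirect($_GET);
// Per-error handling; the message text is a constructed sample.
if ($p['Class'] === 'LDAP' && $p['Error'] === '81') {
    $message = 'The directory server is unavailable. Please try again later.';
} else {
    $message = 'Single sign-on failed. Give the details below to the help desk.';
}
echo '<p>' . e($message) . "</p>\n<ul>\n";
foreach ($p as $name => $value) {
    echo '<li>' . e($name) . ': ' . e($value) . "</li>\n";
}
echo "</ul>\n";
```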


disclaimer

The Origin of this information may be internal or external to Novell. Novell makes all reasonable efforts to verify this information. However, the information provided in this document is for your information only. Novell makes no explicit or implied claims to the validity of this information.
Any trademarks referenced in this document are the property of their respective owners. Consult your product manuals for complete trademark information.

  • Document ID: 10095590
  • Solution ID: NOVL99934
  • Creation Date: 24Nov2004
  • Modified Date: 21Dec2004
    • NetIQiChain
