LDAP on eDirectory

eDirectory 8.6.2 or later supports LDAP. If you have eDirectory with LDAP functionality enabled, you have an LDAP server.


Preparing for an LDAP Directory


Extending the eDirectory Schema

If you are installing on workstations that use Novell® eDirectoryTM, Novell SecretStore®, or Novell Client32TM, do the following:

  1. On an administrative workstation, log in as administrator.

  2. Extend the eDirectory schema by running ndsschema.exe.

    Ndsschema.exe is found in the \securelogin\tools directory. This utility assigns rights, but ldapschema.exe doesn't.


Extending the LDAP Directory Schema

  1. Extend the LDAP schema and map LDAP attributes by running ldapschema.exe, found in the \securelogin\tools directory.

    For SecureLogin to be able to save user single sign-on information, the directory schema must be extended.

    Ldapschema.exe automatically maps attributes in the extended LDAP schema. The following table illustrates these mappings:

    Attribute To Be Mapped              LDAP Mapping
    ----------------------------------  -------------------------------------
    Prot:SSO Auth                       protocom-SSO-Auth-Data
    Prot:SSO Entry                      protocom-SSO-Entries
    Prot:SSO Entry Checksum             protocom-SSO-Entries-Checksum
    Prot:SSO Profile                    protocom-SSO-Profile
    Prot:SSO Security Prefs             protocom-SSO-Security-Prefs
    Prot:SSO Security Prefs Checksum    protocom-SSO-Security-Prefs-Checksum

    These mappings are case-sensitive.
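    Because the schema extension is a precondition for SecureLogin saving user single sign-on data, it is worth verifying that the six protocom-SSO-* attributes really exist on the LDAP server after ldapschema.exe has run. The following script is an added example, not Novell code: it parses attributeTypes values in RFC 4512 syntax as they appear in a dump of the server's subschema subentry, extracts every NAME alias, and checks, case-sensitively, for the attribute names from the table above. The subschema text embedded below is constructed sample data with placeholder OIDs (one attribute is deliberately missing and one has the wrong case); in practice you would obtain the real text with an LDAP search for the subschemaSubentry.

```python
"""Check that the SecureLogin LDAP schema extension is present (added example)."""
import re

# Attribute names that ldapschema.exe maps, taken from the mapping table.
REQUIRED_ATTRIBUTES = [
    "protocom-SSO-Auth-Data",
    "protocom-SSO-Entries",
    "protocom-SSO-Entries-Checksum",
    "protocom-SSO-Profile",
    "protocom-SSO-Security-Prefs",
    "protocom-SSO-Security-Prefs-Checksum",
]

# Constructed sample of attributeTypes lines as an LDIF dump of the subschema
# subentry might show them. The OIDs are placeholders, not Novell's real OIDs.
# 'protocom-SSO-Security-Prefs-Checksum' is missing and the Entries-Checksum
# attribute is defined in the wrong case, so both failure modes are exercised.
SAMPLE_SUBSCHEMA = """\
attributeTypes: ( 1.3.6.1.4.1.99999.1.1 NAME 'protocom-SSO-Auth-Data' SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
attributeTypes: ( 1.3.6.1.4.1.99999.1.2 NAME 'protocom-SSO-Entries' SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
attributeTypes: ( 1.3.6.1.4.1.99999.1.3 NAME 'protocom-sso-entries-checksum' SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
attributeTypes: ( 1.3.6.1.4.1.99999.1.4 NAME ( 'protocom-SSO-Profile' 'protocomSSOProfile' ) SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
attributeTypes: ( 1.3.6.1.4.1.99999.1.5 NAME 'protocom-SSO-Security-Prefs' SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
attributeTypes: ( 2.5.4.3 NAME ( 'cn' 'commonName' ) SUP name )
"""

# NAME is either a single quoted descriptor or a parenthesised list of them.
_NAME_RE = re.compile(r"\bNAME\s+(?:'([^']*)'|\(\s*((?:'[^']*'\s*)+)\))")


def defined_attribute_names(subschema_text):
    """Return the set of every attribute name (including aliases) defined in the text."""
    names = set()
    for line in subschema_text.splitlines():
        if not line.startswith("attributeTypes:"):
            continue
        match = _NAME_RE.search(line)
        if match is None:
            continue
        if match.group(1) is not None:
            names.add(match.group(1))
        else:
            names.update(re.findall(r"'([^']*)'", match.group(2)))
    return names


def check_securelogin_schema(subschema_text, required=REQUIRED_ATTRIBUTES):
    """Classify each required attribute as 'ok', 'wrong_case' or 'missing'.

    The comparison is case-sensitive because the SecureLogin mappings are;
    'wrong_case' is reported separately so the operator can tell a typo in
    an existing definition from an extension that never ran.
    """
    defined = defined_attribute_names(subschema_text)
    lowered = {name.lower() for name in defined}
    report = {}
    for attr in required:
        if attr in defined:
            report[attr] = "ok"
        elif attr.lower() in lowered:
            report[attr] = "wrong_case"
        else:
            report[attr] = "missing"
    return report


def schema_is_ready(subschema_text, required=REQUIRED_ATTRIBUTES):
    """True only when every required attribute is defined with the exact name."""
    return all(status == "ok" for status in
               check_securelogin_schema(subschema_text, required).values())


if __name__ == "__main__":
    for attr, status in check_securelogin_schema(SAMPLE_SUBSCHEMA).items():
        print(f"{status:10s} {attr}")
    print("schema ready:", schema_is_ready(SAMPLE_SUBSCHEMA))
```

    Run as-is, the script reports the Entries-Checksum attribute as wrong_case and the Security-Prefs-Checksum attribute as missing, so schema_is_ready returns False; against a server where ldapschema.exe completed successfully all six entries should read ok.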


Providing Information for Users

As an internet standard, LDAP doesn't require more than a TCP/IP protocol installation on a client workstation. When using the LDAP connectivity option, the user must provide LDAP server information during the first login. For subsequent logins, this information is automatically saved and entered into the login dialog box.

You must provide users with the following:

NOTE:  By selecting the Custom option, you or the user can provide this information during installation.


Installing SecureLogin for LDAP on eDirectory

The LDAP option installs SecureLogin into LDAP v3.0 directory environments (for example, Novell eDirectory 8.5 or later).

You can install SecureLogin on a Windows NT/2000 server and on workstations. No SecureLogin components are installed on a NetWare® server.

You can specify more than one LDAP server for the SecureLogin installation. Although the dialog boxes in the installation program only allow you to specify one LDAP server, you can specify additional servers by modifying the automate.ini file.

The LDAP option does not require the Novell Client for Windows. However, if Novell Client32 is installed on the workstation, Client32 acts as the initial authenticator (GINA). If you want LDAP authentication to be the initial authenticator, you must uninstall Novell Client32.

To install the LDAP option:

  1. Run setup.exe, found in the securelogin\client directory.

  2. Select a language, click Next, and accept the license agreement.

  3. Click Complete, then click Next.


    The Typical and Custom options

    The Complete option uses default values and installs SecureLogin in c:\program files\novell\securelogin. For options available through the Custom option, see Using the Custom Option for LDAP on eDirectory.

  4. Select eDirectory as the platform where SecureLogin stores its data, then click Next.


    Options as to where SecureLogin stores data

  5. Click the LDAP option.


    The LDAP option for accessing eDirectory

    LDAP is recommended if the Novell Client isn't installed or if LDAP was previously installed but you are overwriting that installation (even if the Novell Client is installed).

  6. (Conditional) For Windows NT, 2000, XP, or 2003 servers and workstations, select when to log in to LDAP, then click Next.


    Protocols for accessing eDirectory

    If the workstation isn't running Novell Client software, the When Logging In to Windows option is also provided. This option enables you to log in when GINA starts.

  7. Select whether SecureLogin is to install the SecretStore client, the NMAS client, or both, then click Next.


    Selecting the SecretStore client or the NMAS client

    IMPORTANT:  Select Novell SecretStore only if SecretStore is installed on a server. For information on SecretStore, see the Novell SecretStore 3.3 Administration Guide.

    The Novell SecretStore option installs the SecretStore client. If you deselect this option and want to install it later, you must uninstall SecureLogin, then run the SecureLogin installation again.

    However, if you install the SecretStore client and later run the install program again and deselect the SecretStore client, you will cause problems with the directory cache. All the credential sets that are stored in SecretStore will be unavailable to the eDirectory client. Nevertheless, as long as the local cache is enabled, you can still run SecureLogin. The local cache will populate the eDirectory cache.

    The uninstall program doesn't delete user credentials or configuration data.

    The Novell NMAS Client option installs the NMAS client. SecureLogin uses this option with the AAVerify command, to enable advanced authentication access to an application.

  8. Click Install.

  9. (Conditional) If you selected the NMAS client, select one or more NMAS login methods, then click Next.


    NMAS client login methods

    When you use LDAP on eDirectory, the LDAP password can come from one of two places: the eDirectory password or the simple password.

    The eDirectory password takes precedence. The simple password exists in case an eDirectory password doesn't exist.

    If a user types a password that doesn't match the eDirectory password, LDAP attempts to match the simple password. If you don't want a user to have a simple password, use ConsoleOne to remove it from the NMAS options.

  10. (Conditional) If you selected the NMAS client, select post-login methods, then click Next.


    Methods that keep your workstation secure when it's being used

  11. Click Finish, click Yes, then click OK to restart the computer.


Using the Custom Option for LDAP on eDirectory

The Custom option provides the same defaults as does the Complete option, but enables you to do the following: