Extending the eDirectory Schema

So that SecureLogin can save users' single sign-on information, the Novell® eDirectory™ schema must be extended. Ndsschema.exe extends the eDirectory schema and grants rights to existing users so that they can use SecureLogin.

The SecureLogin snap-in to ConsoleOne® automatically grants rights to objects that you create after you run ndsschema.exe. Therefore, you don't need to run ndsschema.exe again. You only extend the eDirectory tree schema once for SecureLogin.

IMPORTANT:  If you create objects by using ConsoleOne on a workstation that doesn't have the SecureLogin snap-in, those objects won't receive rights.

To extend the schema of a given tree, you must have sufficient rights over the [root] of the tree.

IMPORTANT:  Don't run ndsschema.exe from a Windows 98 workstation. SecureLogin doesn't support doing this.

  1. Run ndsschema.exe.

    This file is available on your workstation after you run nsl351.exe from the CD or download. Typically, this file is in the c:\securelogin\tools directory. However, if you unzipped to the Temp directory on a Windows 2000 workstation, you might need to unhide the Local Settings directory and then locate ndsschema.exe in the following path:

    c:\Documents and Settings\Administrator\Local Settings\Temp\SecureLogin\Tools

    Extending the schema might take some time to filter throughout your network, depending on the size of your network and the speed of the links.

    When the NDS® or eDirectory schema is extended, the following attributes are added:

    • Prot:SSO Auth
    • Prot:SSO Entry
    • Prot:SSO Entry Checksum
    • Prot:SSO Profile
    • Prot:SSO Security Prefs
    • Prot:SSO Security Prefs Checksum

    For information on these attributes, see Extending the Active Directory Schema.

  2. Specify an eDirectory context so that SecureLogin can assign rights to User objects.

    You will be prompted to define a context where you want the User objects' rights to be updated, allowing users access to their own single sign-on credentials. The following figure illustrates this prompt:

    [Figure: Prompt for assigning user rights]

    If you don't specify a context, rights begin at the root of the eDirectory tree.

    Rights assigned to Container objects are inherited: they flow down to the subordinate containers, so that the users in them can read the attributes. Rights assigned to individual User objects aren't inherited.

    If the installation program displays a message similar to -601 No Such Attribute, you have probably entered an incorrect context or included a leading dot in the context.

  3. (Conditional) Grant rights to local cache directories.

    Users on Windows NT, Windows 2000, and Windows XP must have workstation rights to their local cache directory locations. To grant rights, do one of the following:

    • Grant rights to the user's cache directory (for example, c:\program files\novell\securelogin\cache\v2slc\username)

      The default location is the user's profile directory. By default, the user already has rights to this directory. However, if the user specified an alternative path during the installation, you might need to grant rights to the cache directory.

    • During the installation, specify a path to a location that the user has rights to (for example, the user's documents folder).
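As an added check for step 3 (example code, not part of the SecureLogin documentation or product), the following PowerShell script reports whether a user holds rights on the local cache directory and, with -Grant, adds an inheritable Allow entry. The default cache root, the choice of Modify as the required right, and the parameter names are assumptions.

```powershell
# Added example, not SecureLogin code. Checks (and optionally grants) Modify
# rights for one user on the SecureLogin local cache directory from step 3.
# The default cache root is assumed from the example path in this section.
param(
    [Parameter(Mandatory = $true)][string]$UserName,
    [string]$CacheRoot = 'C:\Program Files\Novell\SecureLogin\Cache\v2slc',
    [switch]$Grant
)

$cacheDir = Join-Path $CacheRoot $UserName
if (-not (Test-Path -Path $cacheDir -PathType Container)) {
    Write-Warning "Cache directory '$cacheDir' does not exist; nothing to check."
    exit 1
}

# Compare by SID so the result does not depend on how the identity is
# written in the ACL (DOMAIN\user, user@domain, or a group the user is in).
$sid = (New-Object System.Security.Principal.NTAccount($UserName)).Translate(
    [System.Security.Principal.SecurityIdentifier])

$required = [System.Security.AccessControl.FileSystemRights]::Modify
$acl = Get-Acl -Path $cacheDir
$rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

# A Deny entry for this user overrides any Allow entry, so report it instead
# of treating the directory as usable.
$denied = $rules | Where-Object {
    $_.IdentityReference -eq $sid -and $_.AccessControlType -eq 'Deny' -and
    ($_.FileSystemRights -band $required) -ne 0 }
$allowed = $rules | Where-Object {
    $_.IdentityReference -eq $sid -and $_.AccessControlType -eq 'Allow' -and
    ($_.FileSystemRights -band $required) -eq $required }

if ($denied) {
    Write-Warning "$UserName has a Deny entry on '$cacheDir'; remove it before granting rights."
    exit 1
}
if ($allowed) {
    Write-Output "$UserName already has Modify rights on '$cacheDir'."
    exit 0
}
if (-not $Grant) {
    Write-Output "$UserName lacks Modify rights on '$cacheDir'; rerun with -Grant to add them."
    exit 2
}

# Inheritable Allow entry, so files SecureLogin later creates in the cache
# directory receive the same rights.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $sid, $required, 'ContainerInherit, ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $cacheDir -AclObject $acl
Write-Output "Granted Modify rights on '$cacheDir' to $UserName."
```

Run it from an elevated prompt on the workstation, once per user who chose an alternative cache path; the script only checks entries that name the user's own SID, so rights the user receives through a group membership are reported as missing.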