LDAP with eDirectory

eDirectory 8.6.2 or later supports LDAP. If eDirectory is running with its LDAP service enabled, you already have an LDAP server; no separate product is needed.

If users are to log in to an eDirectory server through SecureLogin LDAP Authentication while using any NMAS login method, you must install the NMAS Simple Password login method, and every user who authenticates through LDAP must have a simple password assigned. Otherwise, those users are prompted to log in more than once.


Preparing for an LDAP Directory


Extending the eDirectory Schema

If you are installing on workstations that use Novell eDirectory, Novell SecretStore, or Novell Client32, do the following:

  1. On an administrative workstation, log in as administrator.

  2. Extend the eDirectory schema by running ndsschema.exe.

    Use ndsschema.exe here rather than ldapschema.exe: ndsschema.exe extends the schema and also assigns the rights that SecureLogin needs, whereas ldapschema.exe only extends the schema.

    Typically, ndsschema.exe is found in the c:\securelogin\tools directory. This directory is available on your workstation after you run nsl351.exe from the CD or download. However, if you unzipped to the Temp directory on a Windows 2000 workstation, you might need to unhide the Local Settings directory and then locate ndsschema.exe in the following path:

    c:\Documents and Settings\Administrator\Local Settings\Temp\SecureLogin\Tools


Extending the LDAP Directory Schema

  1. Run ldapschema.exe, found in the \securelogin\tools directory.

  2. Provide information in the LDAP Schema Extension dialog box.


    The LDAP Schema Extension dialog box

    In the LDAP Server edit box, type the LDAP server name or IP address.

    In the Admin User edit box, type the fully distinguished name (DN) of the user that you logged in as, in LDAP syntax. For example, type cn=admin,o=akranes.

    For SecureLogin to be able to save a user's single sign-on information in the directory, the directory schema must be extended. Ldapschema.exe extends the schema and automatically maps each new eDirectory attribute to its LDAP attribute name. The following table lists these mappings:

    eDirectory attribute to be mapped     LDAP mapping
    Prot:SSO Auth                         protocom-SSO-Auth-Data
    Prot:SSO Entry                        protocom-SSO-Entries
    Prot:SSO Entry Checksum               protocom-SSO-Entries-Checksum
    Prot:SSO Profile                      protocom-SSO-Profile
    Prot:SSO Security Prefs               protocom-SSO-Security-Prefs
    Prot:SSO Security Prefs Checksum      protocom-SSO-Security-Prefs-Checksum

    These mappings are case-sensitive: the LDAP attribute names must appear exactly as shown.

    IMPORTANT:  If other LDAP servers are to act as failover servers, you must extend the LDAP schema on every one of them, not only on the server you name here.
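Because the schema has to be extended on every failover server and the attribute names are case-sensitive, it is worth checking each server after running ldapschema.exe rather than trusting that the tool was run everywhere. The following script is an added example written for this page; it is not part of the SecureLogin documentation or product. It assumes (the page does not say so) that the server publishes its schema as the subschema subentry cn=schema, as eDirectory does, and that you have captured that entry to a file with an LDAPS search such as `ldapsearch -x -H ldaps://ldap.example.com:636 -D cn=admin,o=akranes -W -b cn=schema -s base attributeTypes > schema.ldif`; the host name, file name and the OIDs in the embedded sample are placeholders. It parses the LDIF (handling folded continuation lines and base64 `::` values), extracts every NAME from the attributeTypes descriptions, and reports which of the six protocom-SSO-* attributes are missing, flagging any that exist only with different capitalisation, which an LDAP search would silently match but the case-sensitive mapping would not.

```python
"""Verify that an LDAP server's published schema already carries the six
protocom-SSO-* attribute types that ldapschema.exe adds.

Added example; not code from the SecureLogin documentation or product.
Assumption (not stated on the page): the schema is exposed as the subschema
subentry cn=schema and was captured to LDIF with an ldapsearch such as
    ldapsearch -x -H ldaps://ldap.example.com:636 -D cn=admin,o=akranes -W \\
        -b cn=schema -s base attributeTypes > schema.ldif
Run as:  python check_sso_schema.py schema.ldif   (once per failover server)
"""
import base64
import re
import sys

# LDAP attribute names from the ldapschema.exe mapping table on this page.
REQUIRED_ATTRIBUTES = (
    "protocom-SSO-Auth-Data",
    "protocom-SSO-Entries",
    "protocom-SSO-Entries-Checksum",
    "protocom-SSO-Profile",
    "protocom-SSO-Security-Prefs",
    "protocom-SSO-Security-Prefs-Checksum",
)

# RFC 4512 NAME qdescrs: either NAME 'x' or NAME ( 'x' 'y' ).
_NAME_RE = re.compile(r"\bNAME\s+(?:'([^']*)'|\(\s*((?:'[^']*'\s*)+)\))")


def unfold_ldif(text):
    """Return logical LDIF lines: a physical line that begins with one space
    continues the previous line (RFC 2849 folding); comments and blanks go."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        elif not raw.strip() or raw.startswith("#"):
            continue
        else:
            logical.append(raw)
    return logical


def ldif_values(text, attr):
    """All values of `attr` in the LDIF, decoding 'attr:: <base64>' values."""
    values = []
    for line in unfold_ldif(text):
        name, sep, rest = line.partition(":")
        if not sep or name.strip().lower() != attr.lower():
            continue
        if rest.startswith(":"):
            values.append(base64.b64decode(rest[1:].strip()).decode("utf-8"))
        else:
            values.append(rest.strip())
    return values


def attribute_names(description):
    """Every NAME in one AttributeTypeDescription value."""
    m = _NAME_RE.search(description)
    if not m:
        return []
    if m.group(1) is not None:
        return [m.group(1)]
    return re.findall(r"'([^']*)'", m.group(2))


def published_names(schema_ldif):
    """Set of attribute type names the server publishes, case preserved."""
    names = set()
    for value in ldif_values(schema_ldif, "attributeTypes"):
        names.update(attribute_names(value))
    return names


def missing_sso_attributes(schema_ldif):
    """Required names absent from the schema, compared exactly, because the
    SecureLogin mappings are case-sensitive."""
    present = published_names(schema_ldif)
    return [a for a in REQUIRED_ATTRIBUTES if a not in present]


def case_mismatches(schema_ldif):
    """Required names that exist only with different capitalisation."""
    present = published_names(schema_ldif)
    by_lower = {n.lower(): n for n in present}
    return {a: by_lower[a.lower()] for a in REQUIRED_ATTRIBUTES
            if a not in present and a.lower() in by_lower}


# Constructed sample with placeholder OIDs, not captured from a real server:
# Auth-Data is absent, Security-Prefs is base64-encoded, Security-Prefs-Checksum
# is present in the wrong case, and one value uses the NAME ( 'a' 'b' ) form.
_B64 = base64.b64encode(
    b"( 2.25.1004 NAME 'protocom-SSO-Security-Prefs' "
    b"SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )").decode()
SAMPLE_SCHEMA_LDIF = f"""dn: cn=schema
objectClass: top
objectClass: subschema
attributeTypes: ( 2.25.1001 NAME 'protocom-SSO-Entries'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
attributeTypes: ( 2.25.1002 NAME ( 'protocom-SSO-Entries-Checksum' 'ssoEntriesChecksum' ) SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE )
attributeTypes: ( 2.25.1003 NAME 'protocom-SSO-Profile' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
attributeTypes:: {_B64}
attributeTypes: ( 2.25.1005 NAME 'protocom-sso-security-prefs-checksum' SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
"""


def main(argv):
    """Exit 1 if any required attribute is missing, so it can gate a rollout."""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_SCHEMA_LDIF
    missing = missing_sso_attributes(text)
    wrong_case = case_mismatches(text)
    for name in missing:
        hint = f" (found as {wrong_case[name]!r})" if name in wrong_case else ""
        print(f"MISSING: {name}{hint}")
    if not missing:
        print("all protocom-SSO attributes present; schema already extended")
    return 1 if missing else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with no argument to see the constructed sample report two missing attributes (one of them a case mismatch); run it once against each failover server's captured schema and treat a non-zero exit as "ldapschema.exe still needs to run there".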


Providing Information for Users

Because LDAP is an Internet standard, the client workstation needs nothing more than a TCP/IP protocol installation. When using the LDAP connectivity option, the user must provide the LDAP server information at the first login. For subsequent logins, this information is saved automatically and filled into the login dialog box.

You must provide users with the following:

  • The LDAP server's registered DNS name or IP address
  • The TCP port for Secure LDAP (LDAP over SSL/TLS)

    By default, this is port 636, the standard ldaps port. Once entered, it is saved in the workstation's registry for subsequent logins.

NOTE:  By selecting the Custom option, you or the user can provide this information during installation.


Installing SecureLogin: LDAP with eDirectory

The LDAP option installs SecureLogin into LDAP v3.0 directory environments (for example, Novell eDirectory 8.5 or later).

You can install SecureLogin on a Windows NT/2000 server and on workstations. No SecureLogin components are installed on a NetWare server.

You can specify more than one LDAP server for the SecureLogin installation. Although the dialog boxes in the installation program only allow you to specify one LDAP server, you can specify additional servers by modifying the automate.ini file.

The LDAP option does not require the Novell Client for Windows. However, if Novell Client32 is installed on the workstation, Client32 supplies the initial authenticator (the GINA). If you want LDAP authentication to be the initial authenticator, you must uninstall Novell Client32.

To install the LDAP option:

  1. Run setup.exe, found in the securelogin\client directory.

  2. Select a language, click Next, and accept the license agreement.

  3. Select Complete, then click Next.


    The Typical and Custom options

    The Complete option uses default values and installs SecureLogin in c:\program files\novell\securelogin. For options available through the Custom option, see Using the Custom Option for LDAP on eDirectory.

  4. Select eDirectory as the platform where SecureLogin stores its data, then click Next.


    Options as to where SecureLogin stores data
  5. Click the LDAP option.


    The LDAP option for accessing eDirectory

    LDAP is recommended if the Novell Client is not installed or if LDAP was previously installed but you are overwriting that installation (even if the Novell Client is installed).

    NOTE:  The above screen is displayed only if you have Novell Client for Windows installed on your machine. Otherwise, LDAP is auto-selected as the protocol.

  6. (Conditional) For Windows NT, 2000, XP, or 2003 servers and workstations, select when to log in to LDAP, then click Next.


    Protocols for accessing eDirectory

    If the workstation is not running Novell Client software, the When Logging In to Windows option is also offered. This option logs the user in to LDAP when the Windows GINA starts, that is, at Windows logon.

  7. Select whether SecureLogin is to install the SecretStore client, the NMAS client, or both, then click Next.


    Selecting the SecretStore client or the NMAS client

    IMPORTANT:  Select Novell SecretStore only if SecretStore is installed on a server. For information on SecretStore, see the SecretStore 3.3.3 Administration Guide.

    The Novell SecretStore option installs the SecretStore client, which provides additional security for stored credentials. If you deselect this option and later want to install it, you must uninstall SecureLogin and then run the SecureLogin installation again.

    However, if you install the SecretStore client and later run the install program again with the SecretStore client deselected, the directory cache is disrupted: all credential sets stored in SecretStore become unavailable to the eDirectory client. As long as the local cache is enabled, SecureLogin still runs, and the local cache repopulates the eDirectory cache.

    The uninstall program does not delete user credentials or configuration data.

    The Novell NMAS Client option installs the NMAS client. SecureLogin uses this option with the AAVerify command, to enable advanced authentication access to an application.

  8. Click Install.

  9. (Conditional) If you selected the NMAS client, select one or more NMAS login methods, then click Next.


    NMAS client login methods

    When you use LDAP on eDirectory, the LDAP password can come from one of two places:

    • The eDirectory password
    • The NMAS simple password

    The eDirectory password takes precedence; the simple password is used only when an eDirectory password does not exist.

    If a user types a password that does not match the eDirectory password, LDAP then attempts to match it against the simple password. If you do not want a user to have a simple password, use ConsoleOne to remove it from the user's NMAS options.

  10. (Conditional) If you selected the NMAS client, select post-login methods, then click Next.


    Methods that keep your workstation secure when it's being used

  11. Click Finish, click Yes, then click OK to restart the computer.


Using the Custom Option for LDAP on eDirectory

The Custom option provides the same defaults as does the Complete option, but enables you to do the following:

  • Specify LDAP server information.
  • Specify a path for SecureLogin's local cache.

    Options for SecureLogin to store the local cache

    The user profile directory is the default path.

    User profiles are in the following locations:

    Platform            The user profile directory
    Windows 98          c:\windows if profiles are disabled;
                        c:\windows\profiles if profiles are enabled
    Windows NT          c:\winnt\profiles
    Windows 2000/XP     Documents and Settings\username

  • Select SecureLogin components.

    Selecting the SecureLogin client

    The Description panel provides information about a component that you select.

  • Select options as to when SecureLogin will start.

    Options for starting SecureLogin

    If the Start SecureLogin Now check box is checked, SecureLogin starts after the installation, unless you are prompted to restart your workstation first.

    If you check the Start SecureLogin On Windows Startup check box, Windows places the SecureLogin icon on the system tray. You can then access SecureLogin from the system tray or from Start > Programs > Novell SecureLogin > Novell SecureLogin.