In an eDirectory environment, the SecureLogin tool ldapschema.exe must be run against every server in the tree for the SecureLogin iManager plug-in to work reliably.
The SecureLogin iManager plug-in uses LDAP to manage the SecureLogin attributes. However, when the eDirectory schema is extended with the SecureLogin attributes, the attribute names are such that they cannot be used by LDAP.
So even though the eDirectory schema is extended successfully, iManager cannot read the attributes it needs. To resolve this condition, you must run the SecureLogin tool ldapschema.exe. When you run this tool against an eDirectory server, it modifies the LDAP_Group object and sets up the schema mapping between the LDAP and eDirectory schema names.
Because we don't always know which replica iManager is communicating with, it is recommended that the ldapschema tool be run against every server in your tree. The schema is only extended once, but the mappings on the LDAP_Group object are server-specific and need to be in place on each server.
Below is a list of the schema mappings that ldapschema sets up when run against an eDirectory server.
| eDirectory attribute | LDAP attribute |
|---|---|
| Prot:SSO Entry Checksum | protocom-SSO-Entries-Checksum |
| Prot:SSO Security Prefs | protocom-SSO-Security-Prefs |
| Prot:SSO Security Prefs Checksum | protocom-SSO-Security-Prefs-Checksum |
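One way to find servers that were missed, as an added example that is not part of the original article or the SecureLogin tooling: parse the attributeTypes values read from each server's LDAP subschema entry and report which LDAP names from the table above are absent. It assumes a server with the mapping in place publishes those names in its subschema; the host names, OIDs and sample definitions are constructed placeholders.

```python
import re

# LDAP names from the mapping table on this page.
EXPECTED_LDAP_NAMES = {
    "protocom-SSO-Entries-Checksum",
    "protocom-SSO-Security-Prefs",
    "protocom-SSO-Security-Prefs-Checksum",
}
# RFC 4512 attributeTypes value: NAME 'one'  or  NAME ( 'one' 'two' )
_NAME_RE = re.compile(r"\bNAME\s+('[^']+'|\(\s*(?:'[^']+'\s*)+\))")


def names_in_definition(definition):
    """Return the set of names declared by one attributeTypes value."""
    m = _NAME_RE.search(definition)
    if not m:
        return set()
    return set(re.findall(r"'([^']+)'", m.group(1)))


def missing_mappings(attribute_types):
    """Expected LDAP names a server does not publish (case-insensitive)."""
    published = set()
    for definition in attribute_types:
        published |= {n.lower() for n in names_in_definition(definition)}
    return sorted(n for n in EXPECTED_LDAP_NAMES if n.lower() not in published)


def audit_tree(schema_by_server):
    """Map each server to the names it lacks; complete servers are omitted."""
    report = {s: missing_mappings(a) for s, a in schema_by_server.items()}
    return {s: m for s, m in report.items() if m}


# Constructed sample: in practice these strings come from each server's subschema entry.
SAMPLE = {
    "server1.example.test": [
        "( 1.1.1 NAME 'protocom-SSO-Entries-Checksum' SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )",
        "( 1.1.2 NAME ( 'protocom-SSO-Security-Prefs' ) SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )",
        "( 1.1.3 NAME 'protocom-SSO-Security-Prefs-Checksum' SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )",
    ],
    "server2.example.test": [
        "( 1.1.1 NAME 'protocom-SSO-Entries-Checksum' SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )",
    ],
}

if __name__ == "__main__":
    for server, missing in audit_tree(SAMPLE).items():
        print(f"{server}: run ldapschema.exe (missing: {', '.join(missing)})")
```

Any server listed in the report is one iManager could land on and fail to read the SecureLogin attributes.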
Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment. It just worked for at least one person, and perhaps it will be useful for you too. Be sure to test in a non-production environment.