5.2 Configuring and Deploying

To make SecureLogin functionality available to users, you must first extend the eDirectory schema. You can also provide additional security through Novell SecretStore and by requiring users on shared workstations to log out securely.

5.2.1 Extending the eDirectory Schema

You must extend the eDirectory schema before SecureLogin can store users' single sign-on information in the directory. The ndsschema.exe utility, found in the SecureLogin\Tools\Schema\NDS directory, extends the eDirectory schema and grants existing users the rights they need to use SecureLogin.

To extend the schema of a given tree, you must have sufficient rights (Supervisor) to the [Root] object of the tree. In addition, make sure that Novell Client 4.91 or later is installed on the machine from which you run the utility.

NOTE: If you use iManager to administer SecureLogin, you must also extend the LDAP schema. For information on extending the LDAP schema, see Section 6.3.1, Extending the LDAP Directory Schema and Assigning Rights on the Server.

  1. Run ndsschema.exe.

    Extending the schema might take some time to propagate throughout your network, depending on the size of the network and the speed of the links between replicas.

    When the eDirectory schema is extended, the following attributes are added:

    • Prot:SSO Auth

    • Prot:SSO Entry

    • Prot:SSO Entry Checksum

    • Prot:SSO Profile

    • Prot:SSO Security Prefs

    • Prot:SSO Security Prefs Checksum

  2. Specify the eDirectory context under which SecureLogin is to assign rights to User objects.

  3. At the prompt, enter the context at which you want the User objects' rights updated so that users can access their own single sign-on credentials.

    If you do not specify a context, rights are assigned starting at the root of the eDirectory tree and flow down to every container below it.

    Rights are inherited only when they are assigned to Container objects: rights granted on a container flow to its subcontainers, so that the users in them can read the attributes. Rights assigned directly to a User object are not inherited.

    If the installation program displays a message similar to:

    -601 No Such Entry

    you have probably entered an incorrect context or included a leading dot in the context. eDirectory returns -601 when the named object cannot be found in the tree, so check the context string before running the utility again.

  4. (Optional) Grant rights to local cache directories.

    Users on Windows XP must have workstation (NTFS) rights to their local cache directory location. To grant rights, do one of the following:

    • Grant the user rights to the cache directory. For example, on Windows XP:

      C:\Program Files\Novell\SecureLogin\cache\v2slc\<username>

      or, on Windows Vista, the user's application data directory under C:\Users\<username>.

      The default location is the user's profile directory or the user's application data directory, to which the user already has rights. However, if an alternative path was specified during installation, you might need to grant rights to that cache directory.

      If a non-default directory is selected for the cache, SecureLogin\cache is appended to the specified path.

    • During the installation, specify a cache path in a location to which the user already has rights (for example, the user's Documents folder).
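
The following script is an added example and is not part of the SecureLogin documentation or product. It checks whether a user already holds NTFS Modify rights, inherited by subfolders and files, on the local cache directory, and grants them only if they are missing. It assumes that "rights" means NTFS Modify (not Full Control, and not granted to the whole Users group, since the cache holds that user's encrypted credentials), that the default Windows XP cache path follows the pattern shown above, and that a non-default cache root chosen at install time has SecureLogin\cache appended; it does not model the Windows Vista per-user default, which the user already owns. The parameter names and function names are this example's own.

```powershell
<#
  Added example (not from the SecureLogin documentation): check and, if
  needed, grant a user Modify rights on the SecureLogin local cache directory.
  Assumptions (not stated by the original text):
    - "rights" means NTFS Modify on the directory and everything below it;
    - default XP cache path: C:\Program Files\Novell\SecureLogin\cache\v2slc\<username>;
    - a custom cache root chosen at install time gets SecureLogin\cache appended.
  Run from an elevated PowerShell session on the workstation.
#>
param(
    [Parameter(Mandatory = $true)] [string] $UserName,   # 'WS01\jsmith' or 'jsmith'
    [string] $CacheRoot = ''                              # non-default root chosen at install, if any
)

# Resolve the cache directory following the rules the documentation gives.
function Get-SecureLoginCachePath {
    param([string] $User, [string] $Root)
    if ($Root -ne '') {
        # Non-default location: SecureLogin\cache is appended to the chosen root.
        return (Join-Path $Root 'SecureLogin\cache')
    }
    $shortUser = ($User -split '\\')[-1]   # the directory name carries no DOMAIN\ prefix
    return (Join-Path ${env:ProgramFiles} "Novell\SecureLogin\cache\v2slc\$shortUser")
}

# True only if an Allow ACE for $User grants at least Modify and is inherited
# by both subfolders (ContainerInherit) and files (ObjectInherit).
function Test-CacheRights {
    param([string] $Path, [string] $User)
    if (-not (Test-Path -Path $Path -PathType Container)) { return $false }
    $acl    = Get-Acl -Path $Path
    $sid    = (New-Object System.Security.Principal.NTAccount($User)).Translate(
                  [System.Security.Principal.SecurityIdentifier]).Value
    $modify = [System.Security.AccessControl.FileSystemRights]::Modify
    $ci     = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit
    $oi     = [System.Security.AccessControl.InheritanceFlags]::ObjectInherit
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
        try {
            $aceSid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }   # orphaned or unresolvable identity: not our user
        if ($aceSid -ne $sid) { continue }
        $hasModify = (($ace.FileSystemRights -band $modify) -eq $modify)   # FullControl also satisfies this
        $inherits  = ((($ace.InheritanceFlags -band $ci) -eq $ci) -and (($ace.InheritanceFlags -band $oi) -eq $oi))
        if ($hasModify -and $inherits) { return $true }
    }
    return $false
}

# Add an inheritable Allow:Modify ACE for $User, creating the directory if needed.
function Grant-CacheRights {
    param([string] $Path, [string] $User)
    if (-not (Test-Path -Path $Path -PathType Container)) {
        New-Item -Path $Path -ItemType Directory | Out-Null
    }
    $acl  = Get-Acl -Path $Path
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $User,
        [System.Security.AccessControl.FileSystemRights]::Modify,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

$cachePath = Get-SecureLoginCachePath -User $UserName -Root $CacheRoot
if (Test-CacheRights -Path $cachePath -User $UserName) {
    Write-Output "$UserName already has inheritable Modify rights on $cachePath"
} else {
    Grant-CacheRights -Path $cachePath -User $UserName
    # Re-read the ACL rather than trusting Set-Acl silently succeeded.
    if (-not (Test-CacheRights -Path $cachePath -User $UserName)) {
        throw "Failed to grant Modify rights on $cachePath to $UserName"
    }
    Write-Output "Granted $UserName inheritable Modify rights on $cachePath"
}
```

Invoke it as, for example, .\Grant-SecureLoginCacheRights.ps1 -UserName 'WS01\jsmith', or with -CacheRoot 'D:\SLCache' when a non-default path was chosen at installation. The equivalent one-line grant with the built-in icacls tool is icacls "<path>" /grant "WS01\jsmith:(OI)(CI)M". Keep the grant scoped to the individual user: the cache directory stores that user's single sign-on data, and granting it to a local group such as Users would let any other account on a shared workstation read it.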

5.2.2 Using the SecretStore Client for Enhanced Security

To provide the highest possible level of security for user login data, you can use SecureLogin along with the patented Novell SecretStore client and server system. SecretStore requires server components on the eDirectory server, and requires SecureLogin client software with the SecretStore client on workstations.

You can choose to install SecretStore while installing SecureLogin.

  • If you are using eDirectory 8.7.3, upgrade SecretStore on your server to version 3.3.5.

  • If you are using eDirectory 8.8, upgrade SecretStore on your server to version 3.4.

For more information on SecretStore, see “Installing SecretStore” in the SecretStore 3.4 Administration Guide.

5.2.3 Deploying SecureLogin on Shared Workstations

If SecureLogin is deployed on a shared workstation where more than one user shares the local workstation credentials, require users to close all programs and log out of the network with either Secure Workstation or Desktop Automation Services (DAS).

This is necessary because SecureLogin does not log directory users off a shared workstation. A directory user who logged in with the shared workstation credentials is not disconnected when the workstation is locked and then unlocked with those credentials, so whoever unlocks it can continue to access the directory data store under that user's session.

This occurs when a user locks the workstation and the workstation is later unlocked with the workstation credentials, in either of the following configurations:

  • SecureLogin in Novell Client mode on Microsoft Windows Vista or Microsoft Windows XP.

  • SecureLogin in LDAP mode on Microsoft Windows Vista.