5.2 Configuring and Deploying

To make SecureLogin functionality available to users, you must first extend the eDirectory schema. You can also provide additional security through Novell SecretStore and by requiring users on shared workstations to log out securely.

5.2.1 Extending the eDirectory Schema

You must extend the eDirectory schema to enable SecureLogin to save users’ single sign-on information. The ndsschema.exe file, found in the Securelogin\Tools\Schema\NDS directory, extends the eDirectory schema and grants rights to existing users so that they can use SecureLogin.

To extend the schema of a given tree, you must have sufficient rights over the [root] of the tree. In addition, make sure that you have Novell Client 4.91 or later installed on your machine.

NOTE: If you use iManager to administer SecureLogin, you must also extend the LDAP schema. For information on extending the LDAP schema, see Extending the LDAP Directory Schema and Assigning Rights on the Server.

  1. Run ndsschema.exe.

    Extending the schema might take some time to filter throughout your network, depending on the size of your network and the speed of the links.

    When the eDirectory schema is extended, the following attributes are added:

    • Prot:SSO Auth

    • Prot:SSO Entry

    • Prot:SSO Entry Checksum

    • Prot:SSO Profile

    • Prot:SSO Security Prefs

    • Prot:SSO Security Prefs Checksum

  2. Specify the eDirectory context so that SecureLogin can assign rights to User objects under that context.

    IMPORTANT: The AES Encryption option is selected by default, so the container uses AES256 encryption. If you deselect this option, the container uses 3DES encryption. AES256 encryption is recommended.

    IMPORTANT: Running ndsschema.exe again with the AES Encryption option deselected does not switch the container to 3DES encryption. Use slmanager.exe to enable 3DES encryption.

    NOTE: Rights assignment works at the root level and at the organizational unit level.

  3. At the prompt, define a context where you want the User objects' rights to be updated, allowing users access to their own single sign-on credentials.

    If you do not specify a context, rights begin at the root of the eDirectory tree.

    Only the rights on Container objects are inherited; they flow down to sub-containers so that users can read the attributes. Rights assigned to User objects are not inherited.

    If the installation program displays a message similar to:

    -601 No Such Attribute

    you have probably entered an incorrect context or included a leading dot in the context.

  4. (Optional) Grant rights to local cache directories.

    Users on Windows XP must have workstation rights to their local cache directory locations. To grant rights, do one of the following:

    • Grant rights to the user’s cache directory. For example, c:\programfiles\novell\securelogin\cache\v2slc\username

      or

      c:\users\<usersv2slc>\applicationdata on a Windows Vista machine.

      The default location is the user’s profile directory or the user’s application directory. By default, the user already has rights to this directory. However, if the user specified an alternative path during the installation, you might need to grant rights to the cache directory.

      If the user selects a non-default directory for the cache, SecureLogin\cache is appended to the specified path.

    • During the installation, specify a path to a location that the user has rights to (for example, the user’s documents folder).
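After running ndsschema.exe (step 1), an administrator will want to confirm that all six Prot:SSO attributes are actually present in the schema before rolling SecureLogin out. The following check is an added example, not a tool shipped with SecureLogin: it parses attributeTypes definitions from a schema listing and reports which of the attributes named in step 1 are missing. It assumes the listing uses the attribute names exactly as the guide states them; the sample listing and its OIDs are constructed placeholders.

```python
import re

# The six eDirectory attributes that ndsschema.exe adds (names from the guide).
REQUIRED_SSO_ATTRIBUTES = (
    "Prot:SSO Auth",
    "Prot:SSO Entry",
    "Prot:SSO Entry Checksum",
    "Prot:SSO Profile",
    "Prot:SSO Security Prefs",
    "Prot:SSO Security Prefs Checksum",
)

# Matches the NAME clause of an attributeTypes definition: either a single
# quoted name or a parenthesised list of quoted names.
_NAME_RE = re.compile(r"NAME\s+(?:'([^']*)'|\(\s*((?:'[^']*'\s*)+)\))")


def attribute_names(schema_lines):
    """Return the set of attribute names declared on attributeTypes: lines."""
    names = set()
    for line in schema_lines:
        if not line.startswith("attributeTypes:"):
            continue
        match = _NAME_RE.search(line)
        if not match:
            continue
        if match.group(1) is not None:
            names.add(match.group(1))
        else:
            names.update(re.findall(r"'([^']*)'", match.group(2)))
    return names


def missing_sso_attributes(schema_lines):
    """Return the required Prot:SSO attributes that are absent, in guide order."""
    present = attribute_names(schema_lines)
    return [name for name in REQUIRED_SSO_ATTRIBUTES if name not in present]


# Constructed sample of a schema listing after an incomplete extension.
# The OIDs are placeholders, not the real SecureLogin attribute OIDs.
SAMPLE_SCHEMA = [
    "attributeTypes: ( 1.3.6.1.4.1.99999.1 NAME 'Prot:SSO Auth' SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )",
    "attributeTypes: ( 1.3.6.1.4.1.99999.2 NAME ( 'Prot:SSO Entry' 'protSSOEntry' ) SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )",
    "attributeTypes: ( 1.3.6.1.4.1.99999.4 NAME 'Prot:SSO Profile' SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )",
    "objectClasses: ( 2.5.6.6 NAME 'person' SUP top STRUCTURAL )",
]

if __name__ == "__main__":
    for name in missing_sso_attributes(SAMPLE_SCHEMA):
        print("missing schema attribute:", name)
```

Feed the function the attributeTypes lines exported from the tree being checked; an empty result means all six attributes from step 1 are present.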