24.1 Setting Up the Environment for Limiting Concurrent Connections

24.1.1 Registry Entry

Modify the EnforceConcurrentConnections value (REG_DWORD) under HKLM\Software\Novell\Login\LDAP: set it to 1 to enable the feature or to 0 to disable the feature.

24.1.2 Schema Extension

In order to facilitate the feature, the schema and the attribute rights have to be extended using the .sch and .ldif files, which are found in SecureLogin\Tools\Schema\LDAP.

The Concurrent_schema_extn.sch file adds the attributes to the schema, and the concurrent-rights.ldif file extends the rights. Apply these files using one of the following options:

  • The Concurrent_schema_extn.sch file can be extended by using either of the following options:

    • ndssch (eDirectory schema extension utility): Execute the following command in eDirectory:

      • ndssch <AdminDN> Concurrent_schema_extn.sch

    • ICE Tool (version 20503.02 or later): Execute the following command in eDirectory:

      • ice -S SCH -f Concurrent_schema_extn.sch -D LDAP -d <AdminDN> -w <password> -L <ServerCertificate>

        For more information, see iManager ICE Plug-ins.

  • The concurrent-rights.ldif file can be extended by using either of the following options:

    • ICE Tool (version 20503.02 or later): Execute the following command in eDirectory:

      • ice -S LDIF -f concurrent-rights.ldif -D LDAP -d <AdminDN> -w <password> -L <ServerCertificate>

        For more information, see iManager ICE Plug-ins.

    • LDAP Modify tool: Execute the following command in eDirectory:

      • ldapmodify -x -h <host ip address> -p 389 -D cn=admin,o=context -w password -f concurrent-rights.ldif

After the schema is extended, three new attributes are added to the list of attributes:

  • Protocom-SSO-Connections: This attribute stores the connection information, that is, the IP address along with the timestamp.

  • Protocom-SSO-ConnectionLimit: This attribute stores the configuration parameter, indicating the number of concurrent connections that are allowed for the user.

  • Protocom-SSO-ConnectionTTL: This attribute stores the configuration parameter that indicates how long the connection information will be stored.

  • Protocom-SSO-ConcurrentConfig: This preference controls the inheritance of settings from higher level containers or organizational units.

For more information on attributes, see Section B.0, Schema Updates.

NOTE: LDIF and SCH files are not integrated with the ldapschema.exe file, but are bundled as separate files in SecureLogin\Tools\Schema\LDAP.

24.1.3 Setting the Attribute Values

To set the attribute values by using iManager, you should assign the Protocom-SSO-ConnectionLimit attribute and the Protocom-SSO-ConnectionTimeToLive attribute to the user and then set the attribute values.

  1. In the iManager console, click Roles and Tasks > Directory Administration > Modify Object.

  2. Select the user, then click OK.

  3. Click General > Other.

  4. Select the attribute from the list under Unvalued Attributes, then click .

  5. In the Add Attribute window, set the attribute value, then click OK.

24.1.4 Editing the Attribute Values

To edit the attribute values in iManager:

  1. In the iManager console, click Roles and Tasks > > SecureLogin SSO > Manage SecureLogin SSO.

  2. Select the user, then click OK.

  3. In the Manage SecureLogin SSO window, click Advanced Settings.

  4. Edit the attribute values under Concurrent Connections.

  5. Click Apply to save the changes.

Example:

The attributes are set to the following values:

  • Protocom-SSO-ConcurrentConnectionLimit: 2

  • Protocom-SSO-ConcurrentConnectionTTL: 1440 (in minutes)

When UserA logs in from workstation 1 with IP 1.1.1.1, a new entry is added to the Protocom-SSO-Connections attribute in the IP@timestamp format, that is, 1.1.1.1@20110621000000 (21 June 2011, 00:00).

Similarly, when UserA logs in from workstation 2 with IP 2.2.2.2, another entry is added to the Protocom-SSO-Connections attribute in the IP@timestamp format, that is, 2.2.2.2@20110621040000 (21 June 2011, 04:00). If UserA then tries to log in from workstation 3, Novell SecureLogin will deny the authentication because the connection limit is exceeded.
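The following Python script replays the scenario above to show how the three attributes interact: it parses IP@timestamp entries from Protocom-SSO-Connections, discards entries older than the TTL, and refuses a login once the number of live entries reaches the limit. It is an added illustration, not SecureLogin's own code, and it does not talk to eDirectory. It assumes that an entry stops counting once it is older than the TTL in minutes and that every login appends its own entry (the page does not say whether a repeat login from the same IP is de-duplicated); the IP 3.3.3.3 for workstation 3 and the fourth, later login are constructed.

```python
from datetime import datetime, timedelta

# Timestamp layout used in the page's example: yyyyMMddHHmmss
TIMESTAMP_FMT = "%Y%m%d%H%M%S"


def parse_connection(entry):
    """Split one Protocom-SSO-Connections value ("IP@timestamp") into its parts."""
    ip, sep, stamp = entry.partition("@")
    if not sep or not ip or not stamp:
        raise ValueError(f"malformed connection entry: {entry!r}")
    return ip, datetime.strptime(stamp, TIMESTAMP_FMT)


def format_connection(ip, when):
    """Inverse of parse_connection: build an "IP@timestamp" value."""
    return f"{ip}@{when.strftime(TIMESTAMP_FMT)}"


def live_connections(entries, ttl_minutes, now):
    """Return the (ip, timestamp) pairs that are still inside the TTL window.

    Assumption (not stated on the page): an entry expires once it is older
    than Protocom-SSO-ConnectionTTL minutes and then no longer counts.
    """
    cutoff = now - timedelta(minutes=ttl_minutes)
    return [(ip, ts) for ip, ts in map(parse_connection, entries) if ts > cutoff]


def evaluate_login(entries, limit, ttl_minutes, new_ip, now):
    """Decide whether a login from new_ip at time `now` may proceed.

    Returns (allowed, updated_entries). Expired entries are pruned either way;
    an allowed login appends its own IP@timestamp record.
    """
    live = live_connections(entries, ttl_minutes, now)
    if len(live) >= limit:
        return False, [format_connection(ip, ts) for ip, ts in live]
    live.append((new_ip, now))
    return True, [format_connection(ip, ts) for ip, ts in live]


def walk_page_example():
    """Replay the page's scenario (limit 2, TTL 1440 minutes) plus one later login.

    Constructed input: the third IP and the fourth login are not on the page.
    """
    limit, ttl = 2, 1440
    entries = []
    decisions = []
    logins = [
        ("1.1.1.1", datetime(2011, 6, 21, 0, 0, 0)),  # workstation 1
        ("2.2.2.2", datetime(2011, 6, 21, 4, 0, 0)),  # workstation 2
        ("3.3.3.3", datetime(2011, 6, 21, 5, 0, 0)),  # workstation 3: limit reached, denied
        ("3.3.3.3", datetime(2011, 6, 22, 1, 0, 0)),  # 25 h later: first entry aged out
    ]
    for ip, when in logins:
        allowed, entries = evaluate_login(entries, limit, ttl, ip, when)
        decisions.append(allowed)
    return decisions, entries


if __name__ == "__main__":
    decisions, remaining = walk_page_example()
    print("decisions:", decisions)       # [True, True, False, True]
    print("stored entries:", remaining)  # the two entries still inside the TTL
```

The fourth login succeeds only because the TTL has pruned the 1.1.1.1 entry; with a longer TTL, or with no expiry, a user who never logs out would stay locked to the first two workstations, which is why the TTL value deserves as much attention as the limit itself.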