6.1 Extending the eDirectory Schema

You must extend the Novell eDirectory schema to enable Novell SecureLogin to save users’ single sign-on information. The ndsschema.exe tool, found in the Securelogin\Tools\Schema\NDS directory, extends the eDirectory schema and grants rights to existing users so that they can use Novell SecureLogin.

To extend the schema of a given tree, you must have sufficient rights over the [root] of the tree. In addition, make sure that you have Novell Client 4.91 or later installed on your machine.

NOTE: If you use iManager to administer Novell SecureLogin, you must also extend the LDAP schema. For information on extending the LDAP schema, see Section 9.3, Extending the LDAP Directory Schema and Assigning Rights on the Server.

  1. Run ndsschema.exe.

    Extending the schema might take some time to filter throughout your network, depending on the size of your network and the speed of the links.

    When the eDirectory schema is extended, the following attributes are added:

    • Prot:SSO Auth

    • Prot:SSO Entry

    • Prot:SSO Entry Checksum

    • Prot:SSO Profile

    • Prot:SSO Security Prefs

    • Prot:SSO Security Prefs Checksum

  2. Specify the eDirectory context so that Novell SecureLogin can assign rights to User objects under that context.

  3. At the prompt, define a context where you want the User objects' rights to be updated, allowing users access to their own single sign-on credentials.

    If you do not specify a context, rights begin at the root of the eDirectory tree.

    Only the rights on Container objects are inherited. These rights flow to subcontainers, so that users can read attributes. User rights are not inherited.

    If the installation program displays a message similar to:

    -601 No Such Attribute
    

    you have probably entered an incorrect context or included a leading dot in the context.

  4. (Optional) Grant rights to local cache directories.

    Users on Windows XP must have workstation rights to their local cache directory locations. To grant rights, do one of the following:

    • Grant rights to the user’s cache directory. For example, c:\programfiles\novell\securelogin\cache\v2slc\username

      or

      c:\users\<usersv2slc>\applicationdata on a Windows Vista machine.

      The default location is the user’s profile directory or the user’s application directory. By default, the user already has rights to this directory. However, if the user specified an alternative path during the installation, you might need to grant rights to the cache directory.

      If the user selects a non-default directory to store the cache, SecureLogin\cache is appended to the specified path.

    • During the installation, specify a path to a location that the user has rights to (for example, the user’s documents folder).
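
One way to carry out the first option in step 4 when the cache sits in a non-default location, shown as an added example that is not part of the Novell documentation: grant rights to the single user, then list any broad group that also holds rights on the directory. The path, the account name, the choice of Modify as the right to grant, and the list of groups treated as too broad are all assumptions made for illustration.

```powershell
# Added example: path and account are placeholders, not product values.
param(
    [string]$CachePath = 'D:\SSOCache\SecureLogin\cache',   # placeholder
    [string]$Account   = 'EXAMPLE\jsmith'                   # placeholder
)

# Well-known SIDs of groups that should not normally hold rights on a
# per-user cache directory (assumption, adjust to local policy).
$broadSids = @(
    'S-1-1-0',       # Everyone
    'S-1-5-11',      # Authenticated Users
    'S-1-5-32-545'   # BUILTIN\Users
)

if (-not (Test-Path -Path $CachePath -PathType Container)) {
    throw "Cache directory not found: $CachePath"
}

# Allow Modify for the one user, inherited by subfolders and files.
# Modify is an assumed level; the documentation only says "rights".
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule `
    -ArgumentList @($Account, 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow')

$acl = Get-Acl -Path $CachePath
$acl.AddAccessRule($rule)
Set-Acl -Path $CachePath -AclObject $acl

# Re-read the ACL and collect Allow entries held by a broad group.
# Comparing SIDs avoids depending on localized group names.
$findings = (Get-Acl -Path $CachePath).Access | Where-Object {
    $sid = $_.IdentityReference.Translate(
        [System.Security.Principal.SecurityIdentifier]).Value
    $_.AccessControlType -eq 'Allow' -and $broadSids -contains $sid
}

if ($findings) {
    $findings | Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
    Write-Warning "Broad groups hold rights on $CachePath; review before use."
} else {
    Write-Output "No broad group holds rights on $CachePath."
}
```

Entries reported with IsInherited set to True come from a parent folder, so they have to be addressed there or by disabling inheritance on the cache directory.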