9.3 Extending the LDAP Directory Schema and Assigning Rights on the Server

Installing Novell SecureLogin on the server requires extending the LDAP schema and assigning user rights to record data against these attributes.

9.3.1 SecureLogin Attributes

Extending the directory schema adds the following six Novell SecureLogin attributes:

Table 9-1 Attributes

Attribute To Be Mapped

LDAP Mapping

Prot:SSO Auth

Prot:SSO Entry


Prot:SSO Entry Checksum


Prot:SSO Profile


Prot:SSO Security Prefs


Prot:SSO Security Prefs Checksum


NOTE:These mappings are case-sensitive. Extend the LDAP schema on all servers if you want them to act as failover servers.

If you have Novell SecureLogin versions 3.5 installed, you do not need to extend the Directory schemas, because the attributes are the same. However, for any new Directory objects, such as organizational units, you still need to assign rights.

If you intend to use Microsoft Group Policy (GPO) support, Novell recommends that you re-extend the SecureLogin directory schema extensions to include the new schema extensions for GPO support.

If the LDAP-compliant directory extension is deployed using the ldapschema.exe file copied from rather run from the Novell SecureLogin installer package, then you need to copy the entire LDAP folder containing the LDAP schema files to your preferred location.

9.3.2 Extending the Schema on the LDAP Server

  1. Log in to the server as administrator.

  2. Run ldapschema.exe found in the \Securelogin\Tools\Schema\LDAP directory of the Novell SecureLogin 7.0 SP1Windows installer package. The Novell SecureLogin - Active Directory Schema dialog box is displayed.


    Click Schema Extension Tools and click LDAP Compliant.

  3. In the LDAP Server field, provide the IP address or the name of the LDAP server.

  4. In the Admin User field, provide the distinguished name (DN) for the server administrator. For example, CN=admin

  5. Provide the password and select the relevant directory mode (in this example, eDirectory), then click Update Schema. The certificate information is displayed.

  6. Click Accept.

  7. When the Schema Extension dialog box is displayed, click Close.

    NOTE:LDAP schema extension is replicated to all servers in the LDAP Group, and not to all servers in the tree. Schema extensions are LDAP group specific and must be repeated for each LDAP group. By default, each NetWare server is in its own LDAP group, which means that by default LDAPSchema.exe must be run on every LDAP server.

9.3.3 Assigning Rights to Schema Attributes

You must assign permissions to objects in the directory to store data against the new Novell SecureLogin attributes. Assign permissions to all objects that access Novell SecureLogin Assigned User Rights.

The application does not start if you have not set permission to access Novell SecureLogin schema attributes.

NOTE:LDAP implementations are varied. Therefore, Novell SecureLogin does not provide a specific tool for each variation for assigning permissions.

The following permissions are recommended for successful implementation:

  • Novell SecureLogin administrators are assigned read and write access to all Novell SecureLogin attributes on all objects.

  • Users are assigned read and write access to all Novell SecureLogin attributes on their user objects.

  • Users are assigned read access to the Novell SecureLogin attributes on organizational units from which they need to read organizational policies or corporate settings.