12.1 Extending the Active Directory Schema and Assigning Rights

Novell SecureLogin leverages the directory to store and manage Novell SecureLogin data. Novell SecureLogin extends the directory schema to add six Novell SecureLogin schema attributes where Novell SecureLogin data is stored.

After you extend the directory schema, you must give permissions to access objects, including group policy, organizational units, and containers. Authorizing read or write rights to the Novell SecureLogin directory schema attributes is referred to as assigning user rights.

The Novell SecureLogin Microsoft Active Directory schema extension executable extends the schema on the server and enables you to assign user rights. You must determine which containers and organizational units need Novell SecureLogin access, and you must know their distinguished name (DN), because you must assign rights to each container and organizational unit separately.

You can also extend the Microsoft Active Directory schema to the root of the domain and assign rights to each container and organizational unit below the root.

IMPORTANT: Keep the following information in mind as you extend the schema:

  • If Novell SecureLogin version 3.5.x is installed, you do not need to extend the directory schema, because the attributes are the same. However, any new directory objects such as organizational units still require you to assign rights.

  • If the Microsoft Active Directory instance is deployed by copying and running the adsschema.exe file from another location, you must copy the entire folder containing the Microsoft Active Directory schema and configuration files to the new preferred location. The Microsoft Active Directory schema and configuration files must be located in the same folder in order for the Active Directory instance to deploy successfully.

12.1.1 Extending the Schema

The following instructions apply to configuring a Microsoft Active Directory instance that is stored and administered on a server separate from the Active Directory domain controller.

  1. Log in to the server as an administrator.

  2. Click Schema Extension Tools > Active Directory Extension.

    or

    If you are installing from the Novell SecureLogin installer package, locate the Tools folder and double-click adsschema.exe.

    The Novell SecureLogin Active Directory Schema dialog box is displayed.

  3. Select Extend Active Directory Schema.

  4. Click OK.

    The following Novell SecureLogin attributes are added to the Directory schema:

    • Protocom-SSO-Auth-Data

    • Protocom-SSO-Entries

    • Protocom-SSO-Entries-Checksum

    • Protocom-SSO-Profile

    • Protocom-SSO-SecurityPrefs

    • Protocom-SSO-Security-Prefs-Checksum

    A confirmation message is displayed.

    IMPORTANT: If the Microsoft Active Directory instance is deployed by copying and running the adsschema.exe file from another location, you must copy the entire folder containing the Microsoft Active Directory schema and configuration files to the new preferred location. The Microsoft Active Directory schema and configuration files must be located in the same folder in order for the Active Directory instance to deploy successfully.

  5. Click OK to return to the Active Directory Schema dialog box.

    Now that the directory schema is extended, you must assign access rights to the relevant containers and organizational units.

    If you have previously extended the schema, a message listing the existing schema attributes appears. Ignore this message.

  6. Click OK in the Active Directory Schema dialog box.

  7. Continue with Section 12.1.2, Assigning User Rights to assign user access rights to the relevant containers and organizational units.
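After the schema extension completes, it is worth confirming from a domain controller that all six attributes listed in Step 4 actually exist in the schema naming context before you start assigning rights. The following PowerShell script is an added example and is not part of the Novell SecureLogin tooling; it assumes the RSAT ActiveDirectory module is installed and that the schema objects' cn values match the attribute names shown in Step 4 exactly. It also reports whether each attribute is marked confidential (searchFlags bit 0x80), which matters for attributes that hold single sign-on credential data.

```powershell
# Added verification script (not part of the Novell SecureLogin tooling).
# Assumption: RSAT ActiveDirectory module is available and the caller can read
# the schema naming context of the domain controller it is connected to.
Import-Module ActiveDirectory

# Attribute names as listed in Section 12.1.1, Step 4. Assumption: the schema
# objects' cn values match these names exactly.
$expected = @(
    'Protocom-SSO-Auth-Data',
    'Protocom-SSO-Entries',
    'Protocom-SSO-Entries-Checksum',
    'Protocom-SSO-Profile',
    'Protocom-SSO-SecurityPrefs',
    'Protocom-SSO-Security-Prefs-Checksum'
)

$schemaNC = (Get-ADRootDSE).schemaNamingContext

# Build one LDAP OR-filter so a single query returns every attribute that exists.
$filter = '(|' + (($expected | ForEach-Object { "(cn=$_)" }) -join '') + ')'
$found = Get-ADObject -SearchBase $schemaNC -LDAPFilter $filter `
    -Properties lDAPDisplayName, attributeSyntax, isSingleValued, searchFlags

foreach ($name in $expected) {
    $obj = $found | Where-Object { $_.Name -eq $name }
    if ($null -eq $obj) {
        Write-Warning "Missing schema attribute: $name (schema not extended, or not yet replicated to this DC)"
        continue
    }
    # searchFlags bit 0x80 marks a confidential attribute: readable only by
    # principals holding CONTROL_ACCESS on it, not by plain Read Property.
    $confidential = ($obj.searchFlags -band 0x80) -ne 0
    '{0,-40} ldapDisplayName={1,-40} singleValued={2,-5} confidential={3}' -f `
        $name, $obj.lDAPDisplayName, $obj.isSingleValued, $confidential
}
```

Run this on (or against) the domain controller that holds the Schema Master role first; a warning on another DC usually means the schema partition has not replicated there yet rather than that the extension failed.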

12.1.2 Assigning User Rights

You must assign permission to objects in the directory to store data against the new Novell SecureLogin schema attributes. You assign rights to all objects that access Novell SecureLogin, including user objects, containers, group policies, and organizational units.

When you assign rights to containers and organizational units, the rights are inherited by all user objects beneath them, so it is not necessary to assign rights at the individual user object level unless you are specifically required to do so.

  1. Run adsschema.exe, which is found in the Securelogin\Tools\Schema\ADS directory.

  2. Select Assign User Rights, then click OK. The Assign Rights to This Object dialog box is displayed.

    For example, if you assign rights to the Users container, the container definition is:

    cn=users, dc=www, dc=training, dc=com

    To assign rights to an organizational unit, such as Marketing, in the domain www.company.com, the definition is:

    ou=marketing, dc=www, dc=company, dc=com

  3. Specify your container or organizational unit definition in the Assign rights to this object field. The confirmation dialog box appears.

  4. Click OK to return to the Active Directory Schema dialog box.

  5. Repeat Step 2 to Step 4 to assign rights to all required user objects, containers and organizational units.

    If you see the error message "Error opening specified object: - 2147016661", rights have already been assigned to the object.

    If you see the error message "Error opening specified object: -214716656", you have attempted to assign rights to an object that does not exist in the directory. Check your punctuation, syntax, and spelling, and repeat the procedure.

  6. After all required rights are successfully assigned, click OK to return to the Active Directory Schema dialog box.

  7. Click Cancel.

NOTE: You can assign rights to objects at any time after the schema is extended. If you add organizational units, you need to rerun the adsschema.exe tool and assign rights to the new object to permit Novell SecureLogin to write its data to the directory.
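Because the rights assigned here are what let user objects write single sign-on data into the directory, you should be able to audit exactly which principals hold write access to the six Novell SecureLogin attributes on a given container or organizational unit. The following PowerShell script is an added example and is not part of the Novell SecureLogin tooling; it assumes the RSAT ActiveDirectory module (which also provides the AD: drive), that the schema objects' cn values match the attribute names from Section 12.1.1, and it uses the Marketing organizational unit DN from Step 2 as a stand-in target. It lists every ACE on the target that grants WriteProperty, GenericWrite or GenericAll either to one of those attributes specifically or to all properties.

```powershell
# Added audit script (not part of the Novell SecureLogin tooling).
# Assumptions: RSAT ActiveDirectory module is loaded (provides the AD: drive),
# and $targetDN is replaced with the container or OU you assigned rights to.
Import-Module ActiveDirectory

$targetDN = 'ou=marketing,dc=www,dc=company,dc=com'   # example DN from Step 2; replace

$attrs = @(
    'Protocom-SSO-Auth-Data',
    'Protocom-SSO-Entries',
    'Protocom-SSO-Entries-Checksum',
    'Protocom-SSO-Profile',
    'Protocom-SSO-SecurityPrefs',
    'Protocom-SSO-Security-Prefs-Checksum'
)

# Map each attribute's schemaIDGUID to its name; ACEs scoped to a single
# attribute carry that GUID in ObjectType.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$guidToName = @{}
foreach ($a in $attrs) {
    $o = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(cn=$a)" -Properties schemaIDGUID
    if ($o) { $guidToName[([guid]$o.schemaIDGUID).ToString()] = $a }
}
# An all-zero ObjectType means the ACE applies to every property of the object.
$allProps = [guid]::Empty.ToString()

$acl = Get-Acl -Path "AD:\$targetDN"

$hits = $acl.Access |
    Where-Object { $_.ObjectType.ToString() -eq $allProps -or $guidToName.ContainsKey($_.ObjectType.ToString()) } |
    Where-Object { $_.ActiveDirectoryRights -match 'WriteProperty|GenericWrite|GenericAll' }

foreach ($ace in $hits) {
    $scope = if ($ace.ObjectType.ToString() -eq $allProps) { '<all properties>' }
             else { $guidToName[$ace.ObjectType.ToString()] }
    [pscustomobject]@{
        Identity    = $ace.IdentityReference
        Rights      = $ace.ActiveDirectoryRights
        AccessType  = $ace.AccessControlType
        Attribute   = $scope
        Inheritance = $ace.InheritanceType
        Inherited   = $ace.IsInherited
    }
}
```

Rows whose Attribute column shows one of the Protocom-SSO names are the attribute-scoped grants the schema tool adds; rows showing "<all properties>" are broader grants that already cover these attributes and deserve a second look if the identity is not one you expect to have write access to user objects under that container.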

12.1.3 Refreshing the Directory Schema

  1. Run the Microsoft Management Console (MMC) and display the Active Directory Schema plug-in.

  2. Right-click Active Directory Schema, then select Reload the Schema.

  3. On the Console menu, click Exit to close the MMC.

In a multiple-server environment, schema updates occur on server replication.
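Reloading the schema cache can also be done without the MMC snap-in, which is useful when you need to script the step or confirm that every domain controller in a multiple-server environment has received the new attributes. The following PowerShell script is an added example and is not part of the Novell SecureLogin tooling; it assumes the caller is a member of Schema Admins, that the RSAT ActiveDirectory module is installed, and that the schema objects' cn values match the names from Section 12.1.1. Writing the operational attribute schemaUpdateNow on RootDSE is the programmatic equivalent of Reload the Schema.

```powershell
# Added example (not part of the Novell SecureLogin tooling).
# Assumptions: caller is a Schema Admin, RSAT ActiveDirectory module is present.
Import-Module ActiveDirectory

# Step 1: force the local DC to rebuild its schema cache (same effect as the
# "Reload the Schema" menu item in the Active Directory Schema snap-in).
$rootDse = [ADSI]'LDAP://RootDSE'
$rootDse.Put('schemaUpdateNow', 1)
$rootDse.SetInfo()

# Step 2 (optional): push replication to all partners so the schema partition
# reaches the other DCs now rather than at the next scheduled cycle.
# /A all partitions, /d print DNs, /e cross-site, /P push from this DC.
repadmin /syncall /AdeP | Out-Null

# Step 3: confirm one of the new attributes is visible on every DC in the domain.
# Assumption: the schema object's cn is exactly this name.
$probe = 'Protocom-SSO-Entries'
foreach ($dc in Get-ADDomainController -Filter *) {
    $nc = (Get-ADRootDSE -Server $dc.HostName).schemaNamingContext
    $present = [bool](Get-ADObject -Server $dc.HostName -SearchBase $nc -LDAPFilter "(cn=$probe)")
    '{0,-35} {1}' -f $dc.HostName, $(if ($present) { 'attribute present' } else { 'NOT yet replicated' })
}
```

A DC that still reports "NOT yet replicated" after the push has not received the schema partition update; wait for replication to complete on that server before assigning rights to containers whose writes will be serviced by it.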