7.4 Deploying

SecureLogin provides centralized management and deployment of user configuration by using the directory structure and administration tools in the same utility. We recommend that you configure SecureLogin on a test user account before deployment.

Use industry-standard application distribution packages, such as ZENworks, Systems Management Server, and Microsoft IntelliMirror, to deploy and manage SecureLogin across large enterprises.

SecureLogin can also be installed and configured, and features added or removed, by using Microsoft Windows Installer (msiexec) options and parameters from the command line or from a batch file.

Before installing SecureLogin, ensure that the LDAP server's root certificate file is saved in the default certificate location used by the LDAP login, for example securelogin\rootcert.der. This certificate is used only in non-eDirectory environments.

NOTE: Copying the LDAP certificate is necessary only for Active Directory or other non-eDirectory LDAP-compliant directories. This step is not necessary in default eDirectory environments.

7.4.1 Distribution Options

SecureLogin provides the following options for deploying and distributing user configurations:

Table 7-2 Distribution Options

  • Copy settings: Copies the SecureLogin configuration from one object in a directory to another object in the same directory.

  • Export and import: Uses an XML file to distribute the configuration.

  • Directory object inheritance: Inherits the configuration from a higher-level directory object, for example a Group Policy.

  • Corporate configuration redirection: Redirects an object's corporate configuration to the configuration held on a specified directory object, which can belong to a different group.

7.4.2 Configuring in a Non-eDirectory LDAP or Active Directory Environment

  1. Open the Registry Editor on the workstation and browse to HKEY_LOCAL_MACHINE\SOFTWARE\Novell\Login\LDAP.

  2. Under this key, create a new String (REG_SZ) value.

  3. Name the value CertFilePath.

  4. Set its data to the full path of the LDAP server's root certificate file (for example, the rootcert.der file copied before installation).

  5. CertFilePath is read only when the REG_DWORD value NonEdirLdap in the same key is present and set to 1, so create that value as well. See Updating the System Registry.

NOTE:

  • For the contextless login search, anonymous bind must be enabled on the LDAP server in non-eDirectory LDAP, Active Directory and eDirectory environments, unless you store encrypted bind credentials for the search as described under Contextless Login.

  • To encrypt LDAP credentials and update the system registry when anonymous bind is disabled in Active Directory, see Updating the System Registry.

  • To encrypt LDAP credentials and update the system registry when TLS is enabled in eDirectory, see Updating the System Registry.

7.4.3 Logging in to LDAP Directory

  1. Log in to the LDAP directory using your user account or administrator account credentials.

  2. Provide your username and password, and click OK.

If the fields below are not visible in the LDAP login dialog, click Advanced to expand the dialog box. If they are blank, fill them in as needed:

  • Server: Specify the name of the LDAP server.

  • Port: Specify the port used by the LDAP server. The default port number is 636.

  • NMAS authentication: Select NMAS if you want to use advanced authentication to log in to eDirectory.

As an administrator, you might need to include a system registry update as part of the SecureLogin deployment strategy. See Updating the System Registry.

Updating the System Registry

Configure the operation of SecureLogin by setting registry key values on users’ machines. The keys are located in the local machine hive of the registry. The values that populate the Advanced tab of the SecureLogin dialog box are located at:

HKLM\Software\Novell\Login\LDAP

Configuration Settings

  • Server History List (3.51.100 or later)

    HKEY_LOCAL_MACHINE\Software\Novell\Login\LDAP\Servers\server#

    Replace # with a numeric value (server1, server2, and so on). In SP1, each server item should be a multi-string value (REG_MULTI_SZ) containing either the IP address or the DNS name of the server. These values can be set from the installation dialogs or by an installation script. The port can also be specified on a second line after the server name. By default, port 636 is used.

  • Context Based Search (3.51.109 or later)

    HKEY_LOCAL_MACHINE\SOFTWARE\Novell\Login\LDAP\LDAPSearch\ContextBasedSearch 

    DWORD value; set to 1 to enable context-based search. Also specify the set of contexts to search as REG_SZ values named Context1, Context2, Context3 and so on, each holding the exact context to search.

    No explicit context validation is done, other than the LDAP search returning an appropriate error when an invalid context is specified.

  • Search Attributes (3.51.109 or later)

    HKEY_LOCAL_MACHINE\SOFTWARE\Novell\Login\LDAP\LDAPSearch\SearchAttributes

    REG_MULTI_SZ value; set to the list of attributes to be used in the LDAP search. Any publicly readable attribute can be specified, for example fullName, givenName, sn, cn or uid; in an Active Directory environment you can also specify sAMAccountName.

  • CertFilePath (3.51.200 or later)

    HKEY_LOCAL_MACHINE\Software\Novell\Login\LDAP\CertFilePath

    REG_SZ value that lets you specify a valid certificate file path for non-eDirectory servers. This requires a second registry value, NonEdirLdap, of type REG_DWORD. CertFilePath is considered only if NonEdirLdap is present and set to 1.

For more information, see Registry Settings for SecureLogin in LDAP Mode.
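The registry configuration from Section 7.4.2 and from Updating the System Registry, as an added PowerShell example written for this page; it is not part of the SecureLogin documentation or product. The certificate path, server names, search contexts and search attributes are placeholders to replace with your own, while the key paths, value names and value types are the ones listed above. The script also checks the DER certificate before pointing SecureLogin at it, because a missing or expired root certificate is the most common reason the LDAPS connection to a non-eDirectory server fails. Run it from an elevated prompt on a test workstation before packaging it for distribution.

```powershell
# Added example (not from the SecureLogin documentation). Writes the
# HKLM\SOFTWARE\Novell\Login\LDAP values described in 7.4.2 and in
# "Updating the System Registry". Paths, hosts and contexts are placeholders.

$ldapKey   = 'HKLM:\SOFTWARE\Novell\Login\LDAP'
$serverKey = Join-Path $ldapKey 'Servers'
$searchKey = Join-Path $ldapKey 'LDAPSearch'
$certPath  = 'C:\Program Files\Novell\SecureLogin\rootcert.der'   # placeholder path

# 1. Validate the DER root certificate before referencing it from the registry.
if (-not (Test-Path -LiteralPath $certPath)) {
    throw "Certificate file not found: $certPath"
}
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $certPath
if ($cert.NotAfter -lt (Get-Date)) {
    throw "Certificate '$($cert.Subject)' expired on $($cert.NotAfter)"
}
Write-Host "Using CA certificate: $($cert.Subject) (thumbprint $($cert.Thumbprint))"

# 2. Create the keys if they do not exist yet.
foreach ($k in @($ldapKey, $serverKey, $searchKey)) {
    if (-not (Test-Path $k)) { New-Item -Path $k -Force | Out-Null }
}

# 3. Non-eDirectory / Active Directory: CertFilePath (REG_SZ) is honoured only
#    when NonEdirLdap (REG_DWORD) is present and set to 1.
New-ItemProperty -Path $ldapKey -Name 'NonEdirLdap'  -PropertyType DWord  -Value 1         -Force | Out-Null
New-ItemProperty -Path $ldapKey -Name 'CertFilePath' -PropertyType String -Value $certPath -Force | Out-Null

# 4. Server history list: Servers\server1, server2, ... as REG_MULTI_SZ.
#    First line is the host (IP or DNS name), second line the port; 636 is the default.
$servers = @(
    @('ldap1.example.com', '636'),   # placeholder hosts
    @('ldap2.example.com', '636')
)
for ($i = 0; $i -lt $servers.Count; $i++) {
    New-ItemProperty -Path $serverKey -Name ('server{0}' -f ($i + 1)) `
        -PropertyType MultiString -Value $servers[$i] -Force | Out-Null
}

# 5. Contextless login search: limit the search to known contexts and to
#    publicly readable attributes instead of searching the whole tree.
New-ItemProperty -Path $searchKey -Name 'ContextBasedSearch' -PropertyType DWord  -Value 1 -Force | Out-Null
New-ItemProperty -Path $searchKey -Name 'Context1' -PropertyType String -Value 'ou=users,o=example'       -Force | Out-Null   # placeholder
New-ItemProperty -Path $searchKey -Name 'Context2' -PropertyType String -Value 'ou=contractors,o=example' -Force | Out-Null   # placeholder
New-ItemProperty -Path $searchKey -Name 'SearchAttributes' -PropertyType MultiString `
    -Value @('cn', 'sn', 'givenName', 'sAMAccountName') -Force | Out-Null

# 6. Print the resulting values so the change can be reviewed before deployment.
Get-ItemProperty -Path $ldapKey
Get-ItemProperty -Path $serverKey
Get-ItemProperty -Path $searchKey
```

The same values can be exported with reg.exe once they look right on the test workstation and shipped with the MSI package or as a ZENworks or Group Policy script; keeping the search contexts explicit (ContextBasedSearch set to 1) means the contextless search never has to walk the whole directory.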

7.4.4 Contextless Login

When SecureLogin is configured in LDAP mode, a login page is displayed when SecureLogin is launched.

The login page requires a user distinguished name (DN) and password. The LDAP Authentication client provides a contextless login, which lets users type only part of their fully distinguished name (typically the user name) rather than the full DN string, which some users find confusing. The client resolves the partial name by searching the directory.

Table 7-3 Contextless Login

  • If more than one match is found: a login page is displayed that lets the user select the login account.

  • If multiple IDs exist: the client lists all user IDs that begin with the text that was typed (for example, Westbye Tim); the user then selects the domain name for his or her user ID and logs in.

You can search using the user's given name, surname and display name. Surname (sn) and given name (givenname) are the default search attributes.

To enable LDAPAuth to perform the search even when anonymous bind is disabled, use the ldapce.exe utility. With this utility, an administrator can create encrypted credentials for any user. The encrypted credentials must be stored in a specific registry value. For detailed information, see Using the LDAPCE Utility to Encrypt LDAP Credentials.

Using the LDAPCE Utility to Encrypt LDAP Credentials

ldapce.exe is a command-line utility that encrypts the credentials of an authorized user who has rights to browse the LDAP directory tree. The utility encrypts that user's distinguished name and password into a string, which is then stored in the LDAPContextlessSearchBindCreds registry value:

  • Location: HKEY_LOCAL_MACHINE\SOFTWARE\Protocom\SecureLogin\

  • Type: REG_SZ

  • Name: LDAPContextlessSearchBindCreds

NOTE: The ldapce.exe utility is unsupported and is only available on request. It is not distributed with the SecureLogin package.

The syntax is:

ldapce.exe <user DN> <password> [output file]

Where,

  • <user DN> is the full distinguished name of the LDAP user.

  • <password> is the password of the LDAP user.

  • [output file] is the name of the output file to which the encrypted string is written. If this option is omitted, the string is displayed on the screen.
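An added wrapper around the ldapce.exe syntax above, written for this page and not supplied with SecureLogin. It assumes ldapce.exe is at the placeholder path $ldapce and uses a placeholder bind DN; it prompts for the password instead of embedding it in a script, writes the encrypted string to a temporary file rather than scraping console output, stores the result in the LDAPContextlessSearchBindCreds value, and cleans up:

```powershell
# Added example (not part of the SecureLogin documentation). Runs ldapce.exe
# and stores its output in HKLM\SOFTWARE\Protocom\SecureLogin. Run elevated
# on an administrative workstation, not on end-user PCs.

$ldapce  = 'C:\Tools\ldapce.exe'                     # placeholder path to the utility
$bindDn  = 'cn=ldap-search,ou=service,o=example'     # placeholder: dedicated read-only account
$regKey  = 'HKLM:\SOFTWARE\Protocom\SecureLogin'
$regName = 'LDAPContextlessSearchBindCreds'

if (-not (Test-Path -LiteralPath $ldapce)) { throw "ldapce.exe not found at $ldapce" }

# Prompt for the password rather than hard-coding it. ldapce.exe still receives
# it as a command-line argument, so it is briefly visible to anyone who can
# list process command lines on this machine while the tool runs.
$secure = Read-Host -Prompt "Password for $bindDn" -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
try {
    $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
} finally {
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
}

# Use the optional [output file] argument so the string is read from a file.
$outFile = Join-Path $env:TEMP ('ldapce-{0}.txt' -f [guid]::NewGuid())
try {
    & $ldapce $bindDn $plain $outFile
    if ($LASTEXITCODE -ne 0) { throw "ldapce.exe failed with exit code $LASTEXITCODE" }

    $encrypted = (Get-Content -LiteralPath $outFile -Raw).Trim()
    if ([string]::IsNullOrEmpty($encrypted)) { throw 'ldapce.exe produced no output' }

    if (-not (Test-Path $regKey)) { New-Item -Path $regKey -Force | Out-Null }
    New-ItemProperty -Path $regKey -Name $regName -PropertyType String -Value $encrypted -Force | Out-Null
    Write-Host "Stored $regName ($($encrypted.Length) characters) under $regKey"
} finally {
    Remove-Variable plain -ErrorAction SilentlyContinue
    if (Test-Path -LiteralPath $outFile) { Remove-Item -LiteralPath $outFile -Force }
}
```

Because every workstation running the LDAP client must be able to decrypt the stored string, use a dedicated account for the bind DN that has read access only to the contexts and attributes named in Context1 to Context3 and SearchAttributes, so that recovering the credential from a workstation's registry grants nothing beyond the directory browsing the search already performs.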

7.4.5 Setting Up a Passphrase

After you have successfully installed SecureLogin on a user workstation, you can set up a passphrase for the user.

For more information, see Section 1.2, Setting Up a Passphrase.