Environment
Novell SecureLogin 6.0 LDAP Authentication (NSL)
Microsoft Windows XP Professional
Microsoft Windows 2000 Professional
CONFIGURATION:
NSL configuration:
- LDAP mode connecting to eDirectory
- Set to attempt LDAP login after successfully logging into Windows.
Microsoft (MS) is the controlling GINA on the workstation (on
bootup the user sees the MS login prompt).
Situation
After the user boots up the machine and logs into Windows, a long delay
(roughly 1 minute) is experienced before the Windows desktop is
painted and the NSL splash logo is displayed. NSL then
indicates that it is loading and completes login
promptly.
Resolution
To cut down on the time the LDAPAuth client piece in NSL
searches the tree for the provided username, employ LDAPAuth search
constraints.
Please see KB 10093336 "Registry Settings in LDAPAuth"
The following methods can be used separately or in conjunction
with each other.
I. Context Based Search – Limit the search to particular partitions
II. Search Attributes – Limit the search to particular attributes
I. CONTEXT BASED SEARCH
1. Open the registry editor on the workstation in question
 a. click Start
 b. click Run
 c. type regedit
2. Create registry key HKEY_LOCAL_MACHINE\SOFTWARE\Novell\Login\LDAP\LDAPSearch\
 a. browse out to HKEY_LOCAL_MACHINE\SOFTWARE\Novell\Login\LDAP in the registry
 b. in the key LDAP right click, select new, select key
 c. name the key LDAPSearch
3. Create a DWORD Value called ContextBasedSearch and set its value to "1"
 a. from within the newly created LDAPSearch key right click, select new, select DWORD value
 b. name the DWORD Value "ContextBasedSearch"
 c. double click the newly created ContextBasedSearch and type "1" in the Value data field
4. Create a String Value (Multi String Value if specifying more than one) specifying the specific context to search, name the String value Context1 and set the value to the specific context.
 a. from within the newly created LDAPSearch key right click, select new, select STRING value
 b. name the String value context1, context2, context3 (depending on how many specific contexts you want to search)
 c. double click the new string value and enter the specific context that is to be searched (ou=organizationUnit,o=organization)
II. SEARCH ATTRIBUTES
1. Open the registry editor on the workstation in question
 a. click Start
 b. click Run
 c. type regedit
2. Create registry key HKEY_LOCAL_MACHINE\SOFTWARE\Novell\Login\LDAP\LDAPSearch\
 a. browse out to HKEY_LOCAL_MACHINE\SOFTWARE\Novell\Login\LDAP in the registry
 b. in the key LDAP right click, select new, select key
 c. name the key LDAPSearch
3. Create a String Value (Multi String Value if specifying more than one) named SearchAttributes and assign it the value that you would like it to search on ("fullName", "givenName", "sn", "cn", and "uid")
 a. from within the LDAPSearch key right click, select new, select string value
 b. name the string value SearchAttributes
 c. double click SearchAttributes and add the attributes you would like to search on. By default it searches on all 5 attributes listed above.
 ("givenName", "cn")
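The two procedures above (context based search and search attributes) applied as one script, as an added example that is not part of the original Novell document. It assumes reg.exe is available on the workstation, uses the page's placeholder context, and assumes REG_SZ for a single context and REG_MULTI_SZ for the two-attribute list, following the "Multi String Value if specifying more than one" wording.

```batch
@echo off
rem Added example: applies the LDAPAuth search constraints from sections I and II.
rem Run from a command prompt with administrator rights on the workstation.
setlocal
set "KEY=HKLM\SOFTWARE\Novell\Login\LDAP\LDAPSearch"

rem Placeholder from the page: replace with the container that holds the user objects.
set "CONTEXT1=ou=organizationUnit,o=organization"

rem I. Context based search: enable it and name the context to search.
rem reg add creates the LDAPSearch key if it does not exist yet.
reg add "%KEY%" /v ContextBasedSearch /t REG_DWORD /d 1 /f || goto :fail
rem Assumption: one context per value (Context1, Context2, ...), each stored as REG_SZ.
reg add "%KEY%" /v Context1 /t REG_SZ /d "%CONTEXT1%" /f || goto :fail

rem II. Search attributes: restrict the search to a subset of
rem fullName, givenName, sn, cn, uid (here givenName and cn, as on the page).
rem Assumption: more than one attribute is stored as REG_MULTI_SZ;
rem \0 is the entry separator reg.exe expects for that type.
reg add "%KEY%" /v SearchAttributes /t REG_MULTI_SZ /d "givenName\0cn" /f || goto :fail

rem Read the key back so the value names, types and data can be checked by eye.
reg query "%KEY%"
endlocal
exit /b 0

:fail
echo Failed to write %KEY% 1>&2
endlocal
exit /b 1
```

Log off and back on after running it so LDAPAuth performs a fresh search with the new constraints.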
Additional Information
The size of the eDirectory tree, the number of partitions, and the
number of containers are causing the delay.
The LDAPAuth client piece in NSL is searching the
eDirectory tree for the username that was previously
entered for the Windows login.
Enabling LDAPAuth debugging shows the client searching
different containers in the tree with different variations of the
username until a match is found.