Description of NSL LDAP installation options

  • 3009412
  • 11-Jul-2006
  • 03-Jan-2013

Environment

Novell SecureLogin
NSL3.51
NSL6
NSL6.1
NSL7.x

Resolution

The LDAP authentication piece of Novell SecureLogin can be installed with different authentication options. During the installation, either two or three options are presented under the heading "When to login to LDAP." The following choices will be available:
  • "when logging into Windows." (This option is only available if the Novell Client is not on the workstation.) This option installs SecureLogin in what is known as GINA Mode.

  • "after successfully logging into Windows." This option installs SecureLogin in what is known as Credential Manager Mode.

  • "when SecureLogin starts." This option installs SecureLogin in what is known as Application Mode.

GINA Mode

Replaces the login GINA (either the Windows or Novell Client GINA) with the NSL-LDAP (LDAPAuth) GINA.

Use this if you want users to log in to the LDAP server, eDirectory, and Windows all from the LDAPAuth GINA. In this mode, the NSL LDAP GINA becomes the primary workstation login prompt that is presented to users at bootup. LDAPAuth authenticates first to LDAP and the directory, and then to Windows, before opening the desktop.

The credentials used for the LDAP login will be captured and stored using SLINAC.DLL. The Windows credentials are captured and stored in the user's SecretStore (if present). If SecretStore is not installed, the Windows credentials are not captured.

NSL will periodically re-authenticate to the directory to perform actions such as refreshing the user's cache, switching from offline to online mode, unlocking the NSL system tray icon, etc. This authentication is made using the captured LDAP credentials.

As mentioned, the Windows user credentials are stored in the user's object using SecretStore. If SecretStore is not present, the user will be prompted for Windows user credentials after the LDAP GINA login and before the Windows desktop opens.


Credential Manager Mode

Installing in this mode allows the user to utilize the existing workstation GINA (i.e. either the Novell Client GINA or the Windows GINA), and to associate the login credentials used for Windows or Client32 with the LDAP login. The installation routine prompts the user to choose whether to associate the Windows credentials or the Client32 credentials (available if the Novell Client exists on the workstation) with the LDAP credentials.

In this mode the authentication to LDAP is made after the workstation has logged in to eDirectory and Windows (if the Novell Client is installed), or after logging in to Windows (if no Novell Client is present). In Credential Manager mode, LDAPAuth will attempt an LDAP bind using the associated credentials after the Windows login. If the credentials (both username and password) match what LDAP expects, the user will be logged into the SecureLogin LDAP server without seeing an NSL/LDAP login prompt. If the credentials don't match, the LDAPAuth login dialog will be presented.

After a successful LDAP authentication, the associated Client32 or Windows credentials will be stored and used periodically to bind to the directory when NSL updates the user cache or performs other behind-the-scenes actions.

*** Note that both GINA mode and Credential Manager mode are designed to work for a specific user during a specific Windows session. ***


Application Mode

Use this mode if the LDAP user will be changing during the Windows session (i.e. the Windows user remains the same while different eDirectory/LDAP users log in and out). In Application Mode, no LDAP authentication is made until the time that SecureLogin is launched, either manually or on Windows startup. Note that no passthrough authentication is possible. When NSL is launched, the user will be presented with the LDAPAuth login dialog. After credentials are entered, the user will be logged into the LDAP server and directory.

Application mode is commonly used on "kiosk" workstations, where workstations are shared by several people throughout the day. The workstation remains logged in to Windows all day as the same generic user, and LDAPAuth is used to log in different eDirectory users.

As in the other modes, the LDAP authentication credentials are stored for later use by NSL.