Registry Settings for SecureLogin in LDAP mode

  • 3790292
  • 29-Nov-2007
  • 31-Jan-2019

Environment

NSL 3.51
NSL 7
Novell SecureLogin 3.51 Client
Novell SecureLogin 6.0 Client
Novell SecureLogin 6.1 Client
Novell SecureLogin 7.0.x Client

Situation

The registry settings below apply to LDAPAuth, the LDAP authentication piece of Novell Secure Login. These settings can be used to cusomize or modify the behavior of SecureLogin when installed in LDAP mode.

As you read these settings, note that the last entry in the path indicates the registry value, and the rest of the path indicates the registry key. The type of value is noted for each setting. For example, in
item 1.4, HKEY_LOCAL_MACHINE\Software\Novell\Login\LDAP\DoNTAssoc, DoNTAssoc is a dword value that shows in the right hand window of regedit, while HKEY_LOCAL_MACHINE\Software\Novell\Login\LDAP\ is the path that shows in the left hand window of regedit.

Note that LDAPAuth uses two types of registry settings: configuration (static) settings and system state (dynamic) settings.

Resolution

1 - Configuration Settings:

1.1 Dialog Banner Image Paths (3.51.100 or higher)
- HKEY_LOCAL_MACHINE\Software\Novell\Login\LDAP\BannerPath
- HKEY_LOCAL_MACHINE\Software\Novell\Login\LDAP\BannerLeftPath
- HKEY_LOCAL_MACHINE\Software\Novell\Login\LDAP\BannerRightPath
- HKEY_LOCAL_MACHINE\Software\Novell\Login\LDAP\BannerCenterPath
These are all string (REG_SZ) values. The following notes apply:
1.1a) If BannerLeftPath, BannerRightPath and BannerCenterPath are present, then these are applied and BannerPath is ignored.
1.1b) If at least one of BannerLeftPath, BannerRightPath or BannerCenterPath is missing, then BannerPath is considered.
1.1c) If BannerPath is missing, then the bitmaps from the SecureLogin resource dll are loaded.
1.1d) Make sure your bmps are of size that can fit into the designated bitmap area. Otherwise, the bitmaps will shrink/expand and the image does not look proportionately.

1.2 Server History List (3.51.100 or higher)
HKEY_LOCAL_MACHINE\Software\Novell\Login\LDAP\Servers\server#
Replace the # by using a numeric value. In SP1, each server item should be a multistring value(REG_MULTI_SZ), and can be either an IP address, or DNS name of the server. These values can be set from the installation dialogs or by an installation script. The port value can also be specified along with the server in a new line. By default, port 636 will be used.

1.3 Workstation Unlock (3.51.100 or higher)
HKEY_LOCAL_MACHINE\Software\Novell\Login\LDAP\EnableFieldOnLock
Allows the user to modify the user DN field of the LDAPAuth dialog during workstation unlock. The default action is to disable this field. If this value exists, regardless of the value contents, then the feature is enabled.

1.4 NT Workstation User ID (3.51.100 or higher)
HKEY_LOCAL_MACHINE\Software\Novell\Login\LDAP\DoNTAssoc
Activates an NT Workstation user ID to an LDAP DN association. By default, this setting is disabled. The value must be a DWORD set to 1 (one).
 
1.5 Novell Client for Windows User ID (6.0 or higher)
HKEY_LOCAL_MACHINE\Software\Novell\Login\LDAP\DoClient32Assoc
Activates the use of the eDirectory user ID to an LDAP DN association. By default, this setting is enabled. The value must be a DWORD set to 1 (one) for enabled or set to 0 (zero) for disabled.

1.6 Debug Log (3.51.100 or higher) 
HKEY_LOCAL_MACHINE\Software\Novell\Login\LDAP\Debug
Activates the verbose debug logging feature of LDAPAuth. The key is intended for use by Novell Technical Services.
Debug, DWORD: If this value is non-zero, then Ldapauth will output trace information using the OutputDebugString call. This trace information can be viewed using DebugView from sysinternals.com.

DebugLog, DWORD: If this value is non-zero, then Ldapauth will write trace information to the following logfile
\LdapLog\nldapaut.log.

NOTE: This key redirects the information that is generated by DWORD Debug to a series of logs. Both Debug and Debug log must be set in order to generate log files.

1.7 Default Username (3.51.100 or higher)
HKEY_LOCAL_MACHINE\Software\Novell\Login\LDAP\UseDefaultUsername
Allows the dialog to keep the username field empty. This value must be a DWORD set to 0 (zero). The default behavior is to always put the default user DN into the username field (unless an application specified otherwise).
1.8 Custom LDAP Error Messages (3.51.100 or higher)
HKEY_LOCAL_MACHINE\Software\Novell\Login\LDAP\ErrorStrings\#
Replace the value name # with the numeric value of the LDAP error. Each value must be a string with the text of the error message.
1.9 Context Based Search (3.51.109 or higher)
HKEY_LOCAL_MACHINE\SOFTWARE\Novell\Login\LDAP\LDAPSearch\ContextBasedSearch
DWORD value, set to ' 1' for context-based search. Also, specify the set of contexts to search, such as Context1, Context2, Context3...of type REG_SZ, each specifying the exact context to search.
For example:
ContextBasedSearch                    DWORD                      1
Context1                                       REG_SZ                      OU=users,O=novell
No explicit context validation is done except that LDAP search returns an appropriate error in case an invalid context is specified.
1.10 Search Attributes (3.51.109 or higher)
HKEY_LOCAL_MACHINE\SOFTWARE\Novell\Login\LDAP\LDAPSearch\SearchAttributes
REG_MULTI_SZ value, set to list of search attributes to be used in LDAP search. Only the first five attributes are considered.  Any publicly readable attribute can be specified,  for example "fullName", "givenName", "sn", "cn", "uid" and (in an Active Directory environment) "samAccountName".

1.11 UserAttributeToDisplay (3.51.200 or later)
HKEY_LOCAL_MACHINE\SOFTWARE\Novell\Login\LDAP\UserAttributeToDisplay
REG_SZ value lets the user to specify what attribute to be displayed in place of DN in the LDAP GINA dialog box. The valid attributes are "fullName", "givenName", "sn", "cn", and"uid".
If there is no "UserAttributeToDisplay" in the registry, if it contains invalid attribute, or if the specified attribute value is not available for the user, then the default behavior of printing the DN takes place.
Note: When making this change, ensure that the attribute specified has public read access, as detailed in KB 10096661 . Otherwise, SecureLogin might not have adequate rights to search on the specified attribute.
1.12 DuplicatesPrintableString (3.51.200 or later)
HKEY_LOCAL_MACHINE\SOFTWARE\Novell\Login\LDAP\DuplicatesPrintableString
REG_SZ value lets the user to specify the string format for entries in "Select the user” dialog box. String format can have any text with search attributes in %attributeName format, where attributeName can be cn, givenName, fullName, sn, or uid (all are case sensitive).
Note: When making this change, ensure that the %attributeName specified has public read access, as detailed in KB 10096661 . Otherwise, SecureLogin might not have adequate rights to fetch the specified attribute value.
1.13 CertFilePath (3.51.200 or later)
HKEY_LOCAL_MACHINE\Software\Novell\Login\LDAP\CertFilePath
REG_SZ value lets the user to specify a valid certificate file path for non-eDirectory servers.
This requires the user to create another registry entry"NonEdirLdap” of type REG_DOWORD. CertFilePath is considered only if NonEdirLdap is present and set to 1.
1.14 UseCNasWindowsUserInCitrix (3.51.300 or later)
HKEY_LOCAL_MACHINE\SOFTWARE\Novell\Login\LDAP\UseCNasWindowsUserInCitrix
REG_DWORD value set to 1, allows to use CN as the Windows username in the Citrix passthrough scenario. Without UseCNasWindowsUserInCitrix or the value set to 0, LDAPAuth retains the existing functionality of using the previous logged in user.
1.15 WSOnly (3.51.300 or later)
HKEY_LOCAL_MACHINE\SOFTWARE\Novell\Login\LDAP\WSOnly
REG_DWORD value set to 1, switches the LDAP login dialog box to the workstation_only mode by default. This applies only to the workstation lock scenario.
1.16 DoNotShutdownNSL (3.51.300 or later)
HKEY_LOCAL_MACHINE\SOFTWARE\Novell\Login\LDAP\ DoNotShutdownNSL
REG_DWORD value when set to 1, does not terminate SecureLogin when a workstation is unlocked with the workstation_only option in the LDAP GINA mode.
1.17 LDAPAudit (6.0 or later)
HKEY_LOCAL_MACHINE\SOFTWARE\Novell\Login\LDAP\LdapAudit
REG_DWORD value set to 1, is required to integrate LDAPAuth module with Novell Audit. With this registry configuration, the following events(subject to change) would be sent to the Audit server from LDAPAuth.
1) NSL user login
2) User password change at the time of LDAP GINA login
3) Different user attempting to unlock the workstation
1.18 HideAdvanced (6.0 or later)
HKEY_LOCAL_MACHINE\SOFTWARE\Novell\Login\LDAP\HideAdvanced
Advanced authentication fields in the LDAP login dialog box are hidden by default and can be viewed by expanding the login dialog box using the Advanced button. However, you can hide the Advanced button from the end user with the help of this registry configuration. This registry value should be of type REG_DWORD and to be set to 1.
1.19 NDSTree (6.001 or later)
HKEY_LOCAL_MACHINE\SOFTWARE\Novell\Login\LDAP\NDSTree
REZ_SZ value lets the user specify the NDS tree name so that the NDS connection to the specified tree is used by LDAPAuth to automatically login the SecureLogin user.
1.20 DisableCancel (6.00.005 or later)
HKEY_LOCAL_MACHINE\SOFTWARE\Novell\Login\LDAP\DisableCancel
REG_DWORD value lets the user specify if the Cancel button on the SecureLogin login interface is active. A value of 0 indicates that the Cancel button is operational. A value of 1 indicates that the Cancel button will be disabled.
1.21 TryRegCredInOffline (6.00.005 or later)
HKEY_LOCAL_MACHINE\SOFTWARE\Protocom\SecureLogin\TryRegCredInOffline
REG_DWORD value set to 1, results in SecureLogin seamless login to offline mode using Windows user credentials when the following conditions are met.
Ldap is installed in Credential Manager/Gina mode
Ldap user is associated to Windows user(Applicable for Ldap credential manager mode)
Ldap and Windows user credentials are same.
Network/Server is not reachable for the client workstation.
1.22 LdapDlgcaption (6.1 or later)
HKEY_LOCAL_MACHINE\SOFTWARE\Novell\Login\LDAP\LdapDlgCaption
REZ_SZ value, lets the user specify the customized title for Ldap login dialog. If this registry configuration is not present,"Novell Login” is displayed by default.
1.23 WindowsGroupstoExclude (6.1 or later)
HKEY_LOCAL_MACHINE\SOFTWARE\Novell\Login\LDAP\WindowsGroupstoExclude
REG_MULTI_SZ value lets the administrator specify the list of Windows User Groups and the LDAP Login dialog will not be displayed in Credential Manager mode, to users belonging to any of the specified groups in the list.
1.24 VerifySSLCert (6.00.103 or higher)
HKEY_LOCAL_MACHINE\SOFTWARE\Novell\Login\LDAP\VerifySSLCert
REG_DWORD value, if set to 1, verifies the certificate of the server before LDAP authentication. If the certificate does not exist for that server locally on the workstation, it will prompt the user for validation and stores it after confirmation. If the user rejects the certificate, LDAP authentication will be cancelled.
 
1.25 UseDotInCN
HKEY_LOCAL_MACHINE\SOFTWARE\Novell\Login\LDAP\UseDotInCN
REG_DWORD value, set to 1 for successful LDAP search for objects with a dot (".") in the cn attribute and/or other search attributes configured per HKEY_LOCAL_MACHINE\SOFTWARE\Novell\Login\LDAP\LDAPSearch\SearchAttributes.
 
2 System State Settings:

Most (if not all) of the system state settings are highly dynamic. Values in system state settings might change at any time
2.1 Default User DN (3.51.100 or higher)
HKEY_CURRENT_USER\Software\Novell\Login\LDAP\DefaultDN
This value can and probably will change location.
2.2 Successful Authentication (3.51.100 or higher)
HKEY_CURRENT_USER\Software\Novell\Login\LDAP\LDAPAuthLoginSuccessful
Indicates that the user has successfully authenticated via LDAPAuth. This value is dynamic and can change without warning.
2.3 NMAS Check Box (3.51.100 or higher)
HKEY_CURRENT_USER\Software\Novell\Login\LDAP\LDAPAuthNMASSelected
Specifies whether the NMAS check box was selected during the last authentication. A DWORD value, 1 (one) indicates that the check box was selected. Any other value otherwise. The value is 0 (zero) when LDAPAuth sets this value.
2.4 Last NMAS Sequence (3.51.100 or higher)
HKEY_CURRENT_USER\Software\Novell\Login\LDAP\LDAPAuthNMASSequence
Specifies the last NMAS sequence authenticated with. This is a string(REG_SZ) value.
2.5 Printable Name (3.51.100 or higher)
HKEY_CURRENT_USER\Software\Novell\Login\LDAP\PrintableName
Specifies the printable name of the last authenticated user. This is a string (REG_SZ) value.