Environment
Novell SecureLogin 7.0.3
NetIQ SecureLogin 8.x
Installed in eDir / LDAP mode
Situation
How to restrict users to accessing SecureLogin data from only one workstation at a time.
How to limit the number of connections to eDir held by a SecureLogin user
How to set the maximum number of concurrent connections to eDirectory for a SecureLogin user attaching via LDAP.
Resolution
Perform the following three steps:
1. On the LDAP server(s):
Extend the schema and grant the required rights. This is done with the .sch and .ldif files shipped with the SecureLogin installation files in the folder ...\SecureLogin\Tools\Schema\LDAP. Import them with the ICE (Import Conversion Export) utility:
- Concurrent_schema_extn.sch (adds the required attributes)
- Concurrent-rights.ldif (extends rights)
Four new attributes are added:
Protocom-SSO-ConnectionLimit - the maximum number of concurrent connections allowed
Protocom-SSO-ConnectionTimeToLive - the time-to-live value, in minutes
Protocom-SSO-Connections - the currently active connections
Protocom-SSO-ConnectionConfig - because the settings above are inherited by users when set on a container, this attribute holds a "Yes / No" value specifying whether or not the object inherits the configuration from higher up in the tree (similar to "Stop walking here").
For more detail see "Setting up the Environment for Limiting Concurrent Connections." For a complete list of SecureLogin LDAP schema extensions see the SecureLogin online documentation.
2. On the client workstations:
Run regedit and, under HKLM\Software\Novell\Login\LDAP, create a DWORD value named EnforceConcurrentConnections and set it to 1.
3. In iManager with the SecureLogin SSO plugin:
Set the limit for the number of connections (Protocom-SSO-ConnectionLimit) on the user or container.
Define the desired time to live in minutes (Protocom-SSO-ConnectionTimeToLive).
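The following script is an added example and is not part of this article or of the SecureLogin product. It shows how an administrator can audit the effect of the four attributes above from an LDIF export of the user subtree: it parses the export, walks up each user's DN to find the effective connection limit and time to live, treating a Protocom-SSO-ConnectionConfig value of "No" as "stop walking here", and flags users whose active connections exceed their effective limit. The LDIF below is constructed for the example, and the assumption that Protocom-SSO-Connections holds one value per active connection (and that DNs contain no escaped commas) is the author's, not documented on this page.

```python
"""Audit effective SecureLogin concurrent-connection settings from an LDIF export.

Added example, not NetIQ/Novell code. Assumed semantics (labelled in comments):
container values are inherited by objects below them unless an object carries
Protocom-SSO-ConnectionConfig: No, and each value of Protocom-SSO-Connections
represents one active connection.
"""
import base64
from typing import Dict, List, Optional

Entry = Dict[str, List[str]]

LIMIT_ATTR = "protocom-sso-connectionlimit"
TTL_ATTR = "protocom-sso-connectiontimetolive"
CONN_ATTR = "protocom-sso-connections"
CONFIG_ATTR = "protocom-sso-connectionconfig"

# Constructed sample export. ou=eng,o=acme is deliberately missing from the
# export to show that absent containers are skipped during the walk.
SAMPLE_LDIF = """\
# constructed LDIF export for the audit example
dn: o=acme
objectClass: organization
Protocom-SSO-ConnectionLimit: 2
Protocom-SSO-ConnectionTimeToLive: 60

dn: ou=finance,o=acme
objectClass: organizationalUnit
Protocom-SSO-ConnectionLimit: 1

dn: cn=alice,ou=finance,o=acme
objectClass: inetOrgPerson
Protocom-SSO-Connections: WS-FIN-01
Protocom-SSO-Connections: WS-FIN-02

dn: cn=bob,ou=finance,o=acme
objectClass: inetOrgPerson
Protocom-SSO-ConnectionConfig: No
Protocom-SSO-Connections: WS-FIN-03

dn: cn=carol,ou=eng,o=acme
objectClass: inetOrgPerson
Protocom-SSO-ConnectionLimit: 3
Protocom-SSO-Connections: WS-ENG-01
"""


def parse_ldif(text: str) -> Dict[str, Entry]:
    """Minimal LDIF parser: blank-line separated entries, folded lines
    (leading space) joined, '::' base64 values decoded, '#' comments skipped.
    Attribute names and DN keys are lower-cased because LDAP compares them
    case-insensitively; the DN as written is kept under the 'dn' attribute."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]  # unfold continuation line
        else:
            lines.append(raw)
    entries: Dict[str, Entry] = {}
    current: Entry = {}
    for line in lines + [""]:  # trailing sentinel flushes the last entry
        if not line.strip():
            if "dn" in current:
                entries[current["dn"][0].lower()] = current
            current = {}
            continue
        if line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue  # not an attribute line
        if value.startswith(":"):  # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(name.strip().lower(), []).append(value)
    return entries


def parent_dn(dn: str) -> Optional[str]:
    """Drop the leading RDN; assumes no escaped commas inside RDN values."""
    _head, sep, rest = dn.partition(",")
    return rest.strip() if sep else None


def effective_value(entries: Dict[str, Entry], dn: str, attr: str) -> Optional[str]:
    """Walk from the object up the tree and return the first value of attr.
    Assumed 'stop walking here' semantics: an object whose
    Protocom-SSO-ConnectionConfig is 'No' does not consult anything above it.
    Containers missing from the export are skipped."""
    node: Optional[str] = dn.lower()
    while node is not None:
        entry = entries.get(node, {})
        if entry.get(attr):
            return entry[attr][0]
        if entry.get(CONFIG_ATTR, ["Yes"])[0].strip().lower() == "no":
            return None
        node = parent_dn(node)
    return None


def audit(ldif_text: str) -> List[dict]:
    """One report row per user entry (objectClass inetOrgPerson)."""
    entries = parse_ldif(ldif_text)
    rows: List[dict] = []
    for key, entry in entries.items():
        classes = [v.lower() for v in entry.get("objectclass", [])]
        if "inetorgperson" not in classes:
            continue
        limit = effective_value(entries, key, LIMIT_ATTR)
        ttl = effective_value(entries, key, TTL_ATTR)
        active = len(entry.get(CONN_ATTR, []))  # assumption: one value per connection
        rows.append({
            "dn": entry["dn"][0],
            "limit": int(limit) if limit is not None else None,
            "ttl_minutes": int(ttl) if ttl is not None else None,
            "active": active,
            "over_limit": limit is not None and active > int(limit),
        })
    return rows


if __name__ == "__main__":
    for row in audit(SAMPLE_LDIF):
        print(row)
```

Running the script against the sample shows alice inheriting a limit of 1 from ou=finance while holding two connections (flagged), bob with no effective limit because his ConnectionConfig stops inheritance, and carol using her own limit of 3 while still inheriting the 60-minute time to live from o=acme. To use it on a real tree, export the user subtree with ICE or ldapsearch and pass the file contents to audit().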
Additional Information
Note that these settings are only available in an eDirectory / LDAP environment. In an environment with the Novell Client, SecureLogin uses the NCP connection established by the Novell Client. To restrict NCP connections, use iManager to set the maximum connections on the "Login Restrictions" tab for the user or container.