Extending the schema for Protocom-SSO-ConnectionLimit and related attributes

  • 7014548
  • 11-Feb-2014
  • 12-Feb-2014

Environment

NetIQ SecureLogin
NSL7.0.3
NSL8
Installed in LDAP mode
eDirectory environment

Situation

Running LDAPSchema.exe does not add Protocom-SSO-Connections or the related attributes.
How do you extend the schema to include the new connection limit attributes?
No LDAP-to-eDirectory mapping appears after adding the SSO Connections attributes.
Workstations do not enforce the settings that limit concurrent connections.

Resolution

To configure SecureLogin to limit the number of LDAP connections a single user may have with the eDirectory server, do the following:

1. Locate the files Concurrent_schema_extn.sch and concurrent-rights.ldif that ship on the SecureLogin media, in the directory ...\SecureLogin\Tools\Schema\LDAP
2. Add them to the schema using the standard eDirectory schema extension tools, such as ndssch or the ICE iManager plugin
3. Configure the connection limits as desired through iManager
4. On each workstation, set the registry value EnforceConcurrentConnections, a DWORD under HKLM\Software\Novell\Login\LDAP, to 1 (to disable this feature, set the value to 0)
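After steps 1 and 2, an administrator will want to confirm that the schema extension actually took before configuring limits or enabling enforcement on workstations. The script below is an added example, not part of this TID or of the SecureLogin product: it checks an LDIF export of the eDirectory subschema entry for the four attributes named under Additional Information. It assumes the subschema was exported with a query such as ldapsearch -x -H ldaps://SERVER -b cn=schema -s base attributeTypes (SERVER is a placeholder); the LDIF embedded here is constructed sample data, and its OIDs are placeholders rather than the real Protocom OIDs.

```python
"""Check an eDirectory subschema export for the SecureLogin
concurrent-connection attributes.

Added example (not from the TID or the SecureLogin product). Assumes the
administrator exported the cn=schema entry to LDIF after running ndssch or
ICE; the sample below is constructed, with placeholder OIDs.
"""
import re

# The four LDAP-only attributes the TID lists for connection limiting.
REQUIRED_ATTRIBUTES = (
    "Protocom-SSO-ConnectionLimit",
    "Protocom-SSO-Connections",
    "Protocom-SSO-ConnectionTTL",
    "Protocom-SSO-ConcurrentConfig",
)

# Constructed sample export. The 0.0.0.0.n OIDs are placeholders, not real
# Protocom OIDs. One attribute (ConcurrentConfig) is deliberately missing, and
# one definition is folded across two lines the way LDIF folds long values.
SAMPLE_LDIF = """\
dn: cn=schema
attributeTypes: ( 0.0.0.0.1 NAME 'Protocom-SSO-ConnectionLimit' SYNTAX 1.3.6
 .1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributeTypes: ( 0.0.0.0.2 NAME 'Protocom-SSO-Connections' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
attributeTypes: ( 0.0.0.0.3 NAME 'Protocom-SSO-ConnectionTTL' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributeTypes: ( 2.5.4.3 NAME ( 'cn' 'commonName' ) SUP name )
"""

# NAME is either a single quoted token or a parenthesised list of them.
_NAME_RE = re.compile(r"NAME\s+(?:'([^']+)'|\(\s*((?:'[^']+'\s*)+)\))")


def unfold_ldif(text):
    """Join LDIF continuation lines (a leading single space) onto the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def attribute_names(ldif_text):
    """Return the set of attribute type NAMEs declared in the subschema export."""
    names = set()
    for line in unfold_ldif(ldif_text):
        if not line.lower().startswith("attributetypes:"):
            continue
        match = _NAME_RE.search(line)
        if not match:
            continue
        if match.group(1):
            names.add(match.group(1))
        else:
            names.update(re.findall(r"'([^']+)'", match.group(2)))
    return names


def missing_attributes(ldif_text, required=REQUIRED_ATTRIBUTES):
    """Return the required attributes the schema does not declare.

    LDAP attribute names are case-insensitive, so compare lower-cased.
    """
    present = {name.lower() for name in attribute_names(ldif_text)}
    return [attr for attr in required if attr.lower() not in present]


if __name__ == "__main__":
    missing = missing_attributes(SAMPLE_LDIF)
    if missing:
        print("Schema extension incomplete; missing:", ", ".join(missing))
    else:
        print("All SecureLogin concurrent-connection attributes are present.")
```

Against the constructed sample the script reports Protocom-SSO-ConcurrentConfig as missing; a clean result on a real export is the signal that step 3 can proceed. An empty result from a server that was extended with Concurrent_schema_extn.sch but still shows no mapping in iManager is expected, since the TID notes these attributes have no eDirectory counterparts.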

For more detail, see "Limiting Concurrent Connections" in the online documentation.

Additional Information

Recent enhancements to SecureLogin have introduced four new attributes that allow the administrator to limit the number of LDAP connections a SecureLogin user can have to an eDirectory server, namely:
  • Protocom-SSO-ConnectionLimit
  • Protocom-SSO-Connections
  • Protocom-SSO-ConnectionTTL
  • Protocom-SSO-ConcurrentConfig

Note that these are all LDAP-specific attributes. There are no corresponding eDirectory attributes that map to these LDAP attributes (for example, as shown in TID 3004130).

This is because these settings are only available when SecureLogin connects to eDirectory through the SecureLogin LDAP client, NLDAPAut.dll. NLDAPAut.dll uses the LDAP protocol to talk to eDirectory and therefore needs only LDAP attributes; there is no need for equivalent attributes in NDS format. Nor are such attributes necessary, because if SecureLogin attaches to eDirectory via the Novell Client, the existing Novell Client and eDirectory settings serve the same purpose. (In iManager, see Modify Object, Restrictions, Login Restrictions.)