When do I need to run LDAPSchema.Exe?

  • 7940173
  • 19-Aug-2009
  • 08-Jan-2014

Environment

SecureLogin
SecureLogin SSO
All


Situation

Question

When do I need to run LDAPSchema.Exe?

Resolution

Answer

For SecureLogin to save a user's SSO data (such as usernames and passwords for applications), and to read SSO-enabled applications and settings, the LDAP directory schema must be extended and rights must be assigned.

LDAPSchema.Exe extends the LDAP directory schema with the new SecureLogin (protocom-SSO-*) attributes; these attributes are where SecureLogin stores your SSO data in encrypted form.

You should run LDAPSchema.Exe if any of the following is true:

  • You plan to use an LDAP v3-compliant directory such as Sun ONE or IBM Directory Server as the SecureLogin SSO data store.
  • You are integrating a provisioning solution with SecureLogin to auto-populate credentials.
  • You are using eDirectory as the SSO data store and wish to use the LDAP client to connect to it (i.e. with no dependency on the Novell client). Note: ndsschema should always be run in a Novell environment.
  • You plan to use Novell iManager to manage SecureLogin data (it connects using LDAP); in this case you will need to run both ndsschema and ldapschema.

Note: LDAPSchema.Exe also handles the LDAP Group mappings that are required in a Novell environment, and it must be run against each LDAP server in the replica ring of the target LDAP server.

You DO NOT need to run LDAPSchema.Exe if either of the following is true:

  • You are using the Novell client to log on to the workstation and eDirectory as the data store, you are not integrating with a provisioning system, and you are not using iManager.
  • You are using ADS (Active Directory) as the SecureLogin data store. In that case adsschema.exe is sufficient, even if you are using the LDAP client.

Note: When installing SecureLogin on an LDAP directory other than ADS or NDS/eDirectory (e.g. Sun, IBM), you may have to set up access control lists (i.e. make rights assignments) so that users can run SecureLogin and save SSO data.

Required User object rights summary (users' rights to their own User object):

  • protocom-SSO-Auth-Data RW
  • protocom-SSO-Entries RW
  • protocom-SSO-Entries-Checksum RW
  • protocom-SSO-Profile R
  • protocom-SSO-Security-Prefs RW
  • protocom-SSO-Security-Prefs-Checksum RW

Users also need read rights to protocom-SSO-Entries, protocom-SSO-Profile and protocom-SSO-Security-Prefs at the OU level (so that they can, for example, read published applications and settings).
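The two checks above (has the schema been extended, and does the user hold the listed rights) can be scripted. The following is an added example, not code from the original article or from the SecureLogin product. It parses the attributeTypes values returned by a subschema query (for example the output of `ldapsearch -x -b cn=schema -s base attributeTypes`; the base DN of the subschema entry varies by directory) and reports which protocom-SSO-* attributes are absent, then compares a user's effective rights against the rights tables in this article. The sample schema text, its OIDs and syntaxes, and the two rights maps are constructed placeholders; the article does not list the real OIDs, and how you obtain a user's effective rights depends on the directory's own tooling.

```python
"""Readiness check for SecureLogin SSO data in an LDAP directory.

Added example, not part of the original KB article or the SecureLogin
product. Sample inputs are constructed for illustration only.
"""
import re

# Rights the article requires on the user's own User object.
USER_OBJECT_RIGHTS = {
    "protocom-SSO-Auth-Data": "RW",
    "protocom-SSO-Entries": "RW",
    "protocom-SSO-Entries-Checksum": "RW",
    "protocom-SSO-Profile": "R",
    "protocom-SSO-Security-Prefs": "RW",
    "protocom-SSO-Security-Prefs-Checksum": "RW",
}

# Read rights the article requires at the OU (container) level so users can
# read published applications and settings.
OU_LEVEL_RIGHTS = {
    "protocom-SSO-Entries": "R",
    "protocom-SSO-Profile": "R",
    "protocom-SSO-Security-Prefs": "R",
}

# Constructed sample of subschema output. The OIDs (9.9.9.x) are placeholders,
# not SecureLogin's real OIDs. One value is folded across two lines the way
# LDIF does it, and one required attribute is deliberately absent.
SAMPLE_SCHEMA = """\
dn: cn=schema
attributeTypes: ( 9.9.9.1 NAME 'protocom-SSO-Auth-Data' SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
attributeTypes: ( 9.9.9.2 NAME 'protocom-SSO-Entries' SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
attributeTypes: ( 9.9.9.3 NAME 'protocom-SSO-Entries-Checksum'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
attributeTypes: ( 9.9.9.4 NAME 'protocom-SSO-Profile' SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
attributeTypes: ( 9.9.9.5 NAME 'protocom-SSO-Security-Prefs' SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
"""

# Constructed effective rights: the user lacks W on protocom-SSO-Entries and
# the OU grants no read right on protocom-SSO-Profile.
SAMPLE_USER_RIGHTS = {
    "protocom-SSO-Auth-Data": "RW",
    "protocom-SSO-Entries": "R",
    "protocom-SSO-Entries-Checksum": "RW",
    "protocom-SSO-Profile": "R",
    "protocom-SSO-Security-Prefs": "RW",
    "protocom-SSO-Security-Prefs-Checksum": "RW",
}
SAMPLE_OU_RIGHTS = {
    "protocom-SSO-Entries": "R",
    "protocom-SSO-Security-Prefs": "R",
}


def parse_attribute_names(schema_text):
    """Return the set of NAMEs declared by attributeTypes values.

    LDIF folds long values onto continuation lines that start with a single
    space, so those are joined back before parsing. NAME may be a single
    quoted token or a parenthesised list of aliases.
    """
    unfolded = re.sub(r"\r?\n ", "", schema_text)
    names = set()
    for line in unfolded.splitlines():
        if not line.lower().startswith("attributetypes:"):
            continue
        match = re.search(r"NAME\s+(\([^)]*\)|'[^']*')", line)
        if match:
            names.update(re.findall(r"'([^']+)'", match.group(1)))
    return names


def missing_schema_attributes(schema_text):
    """Required protocom-SSO-* attributes not present in the schema."""
    present = parse_attribute_names(schema_text)
    return sorted(attr for attr in USER_OBJECT_RIGHTS if attr not in present)


def missing_rights(granted, required):
    """Map attribute -> required right string for every unmet requirement.

    Right strings are letters (R, W); a requirement is met when every
    required letter is present in the granted string.
    """
    unmet = {}
    for attr, needed in required.items():
        have = set(granted.get(attr, "").upper())
        if not set(needed) <= have:
            unmet[attr] = needed
    return unmet


def readiness_report(schema_text, user_rights, ou_rights):
    """Combine the schema check and both rights checks into one report."""
    report = {
        "missing_attributes": missing_schema_attributes(schema_text),
        "missing_user_rights": missing_rights(user_rights, USER_OBJECT_RIGHTS),
        "missing_ou_rights": missing_rights(ou_rights, OU_LEVEL_RIGHTS),
    }
    report["ready"] = not any(report.values())
    return report


if __name__ == "__main__":
    for key, value in readiness_report(SAMPLE_SCHEMA, SAMPLE_USER_RIGHTS,
                                       SAMPLE_OU_RIGHTS).items():
        print(f"{key}: {value}")
```

Feed `readiness_report` the real subschema output of the target server and rights maps filled in from that directory's effective-rights tooling; an entry in `missing_attributes` means LDAPSchema.Exe has not been run against that server (remember that in a Novell environment it has to be run on every server in the replica ring), while entries in the two rights maps point at the ACL work the article's note describes.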

NOTE: The SecureLogin LDAP client ensures that your SSO solution can run on almost any back-end directory, and it does not rely on the Microsoft or Novell client being present.