Text File | 1996-07-22 | 90KB | 2,528 lines
README.TXT FSLOGIN 2.22
--------------------------------------------------------------
FSLOGIN
A login program for all Novell users
[Logo: Association of Shareware Professionals (R) MEMBER]
FSLOGIN is a registered trademark of Confirm.
NetWare is a registered trademark of Novell, Inc.
Save exceptions stated by the law no part of this publication may be
reproduced in any form, by print, photoprint, microfilm or other
means, including a complete or partial transcription, without the prior
written permission of Confirm. Only Confirm is qualified to collect the
dues indebted by others for copying.
Copyright (c) Confirm 1993, 1996, Zevenaar, The Netherlands.
All Rights Reserved.
TABLE OF CONTENTS
FOREWORD
CHAPTER 1: THE PURPOSE OF THIS PROGRAM
CHAPTER 2: HOW TO INSTALL FSLOGIN
2.1 Server installation
2.2 Workstation installation
2.3 Supervisor Workstation
CHAPTER 3: HOW TO CUSTOMIZE FSLOGIN
3.1 Set default login-values
3.2 Change global settings of FSLOGIN
3.3 Command line parameters
CHAPTER 4: HOW TO USE FSLOGIN
4.1 Edit keys
4.2 Function keys
4.3 Using NetWork News
CHAPTER 5: HOW TO SEARCH IN NDS.
CHAPTER 6: PASSWORD EXPIRED!
CHAPTER 7: PASSWORD SYNCHRONIZATION
CHAPTER 8: FSLOGIN AND DIALIN SERVERS
CHAPTER 9: NOTES
9.1 Login script parameters
9.2 NDS restrictions
APPENDIX A: ERRORLEVELS
APPENDIX B: ERROR CODES
APPENDIX C: REGISTRATION AND SUPPORT
APPENDIX D: THE SHAREWARE CONCEPT
APPENDIX E: DISCLAIMER - AGREEMENT
FOREWORD
The idea to develop a menu driven login program
actually came from users, who were dissatisfied with
the standard command line utility. They wanted and
needed more than a few lines of text on their PC
screens when login was not possible, a better guidance
through the changing of passwords and an easier way
to log into their network.
FSLOGIN version 1 was first published on March 1,
1993. Soon after the first release several new ideas
were built into our program. In the meantime Novell
Inc. started shipping NetWare version 4, which included
a new X500 based directory system called NetWare
Directory Services. NDS is different from bindery based
servers, and will have a major impact on the way large
networks are being administered.
FSLOGIN version 2 supports both NetWare Directory
Services networks, which are built around NetWare 4,
and servers running the NetWare 3 and 2 operating
systems.
Many thanks to those who did a fine job of evaluating,
testing, talking and criticizing. They helped, and often
still help FSLOGIN grow. If you have any suggestions
for improvement of this product, please contact us.
Aad Slingerland
CHAPTER 1: THE PURPOSE OF THIS PROGRAM
All PC-users who are connected to a local area network
with Novell servers, have at least one thing in common.
They must log into the network, before applications and
data become available. This is almost always done by
means of the standard Novell login program. This
command line utility, however, is not very attractive to
use and is not very helpful, when users must be
informed about network exceptions or errors.
FSLOGIN enhances the way users can login to a server
or a NetWare Directory Services based network by
providing a full screen, Novell menu style program.
FSLOGIN is not only a different way to type some data,
like the userid and the password, it also runs extensive
checks on accounting and security exceptions.
All kinds of reasons why a user cannot log into a
network are presented in clear text in text windows.
Because the user is properly informed of certain
exceptions, he or she will be able to communicate
better with the system administrator, instead of
complaining of not being able to login.
Technically speaking, FSLOGIN is a front-end to the
actual Novell login command line utility. LOGIN.EXE is
still needed for the interpretation of the system and/or
user login scripts. This design assures optimum
compatibility with existing login scripts and other
procedures that might be used during the login process.
The login script is only executed after various checks
on correctness of names, accounting and security
matters have been conducted.
CHAPTER 2: HOW TO INSTALL FSLOGIN
The easiest and most obvious way to install Full Screen
Login is on the server it is going to be used on.
FSLOGIN needs about 200 kilobytes of disk space in
the SYS:LOGIN directory and about 3 kilobytes in the
SYS:PUBLIC directory (section 2.1). However, in some
situations it might be desirable to install FSLOGIN on
the local disk of workstations (section 2.2).
One good example is when workstations must access a
server through a wide area link instead of the local area
network. Wide area links can be fast, but program
loading still suffers from loss of speed compared to
local area networks.
To improve support of these kinds of environments
FSLOGIN can be installed on local disk drives, as well.
Another reason for installing FSLOGIN on the local hard
disk of a PC (typically the PC of the Supervisor) is to
evaluate or customize FSLOGIN, without affecting other
users of the network (section 2.3).
2.1 Server installation
Execute the installation batch file (INSTALL.BAT) from
the drive and directory where the distribution files
reside. The installation procedure prompts for the
language to install and copies the program and
language support files to the directory SYS:LOGIN. The
file FSLOGIN.COM is also copied to the SYS:PUBLIC
directory to make it accessible to users that are already
logged in. All files are flagged shareable.
When the installation procedure detects the presence of
a previous installation of FSLOGIN, it will prompt you to
cancel the installation, or to overwrite the currently
installed version or to preserve the currently installed
configuration file FSLOGIN.INI.
As you will see in the next chapter the configuration
file can be used to tailor FSLOGIN to your particular
needs.
When you are using a NetWare 2.x server, you must
grant a trustee assignment to the group EVERYONE.
The reason for this is to give everyone read and file
scan rights in the SYS:LOGIN directory when they are
logged in. NetWare 2.x differs in this from later
versions of NetWare, which make the SYS:LOGIN
directory accessible at all times. Granting access can be
done either by using SYSCON or with the following
command line utility:
GRANT R F FOR SYS:LOGIN TO EVERYONE
The basic installation of FSLOGIN on the server has
been carried out now. You can have a first peek at
what it all looks like at present.
2.2 Workstation installation
In addition to running FSLOGIN from a server, the
program files can be executed from a local hard disk.
Several program files must be distributed to the local
hard disk to accomplish this. In general, this should not
be done, because it creates a maintenance problem
when a new version must be installed. However, there
are situations in which installation on a local disk is
preferred. For example, when a workstation is
connected to a LAN through a WAN (Wide Area
Network). Although wide area connections can operate
at a considerable speed, they are still much slower than
the LAN. Avoid program loading over WAN links
whenever possible.
FSLOGIN supports these kinds of environments by
making it possible to install program files on local
(storage) disks of workstations thereby executing
program loading from the hard disk instead of the
SYS:LOGIN directory.
Example of a directory on a local hard disk:
C:\NWCLIENT\LSL.COM
C:\NWCLIENT\NE2000.COM
C:\NWCLIENT\IPXODI.COM
C:\NWCLIENT\NETX.EXE
C:\NWCLIENT\NET.CFG
C:\NWCLIENT\FSLOGIN.COM
C:\NWCLIENT\FSLOGIN.OVL
C:\NWCLIENT\FSLOGIN.CWA
C:\NWCLIENT\FSLOGIN.PPX
C:\NWCLIENT\FSLOGIN.LCF
To further optimize working with wide area links, the
Novell LOGIN.EXE can also be copied to the same
directory. This is optional but will speed up the login
process. The only thing that needs to be done after
installation is taking care that the copy of
FSLOGIN.COM in the directory C:\NWCLIENT is
executed. This initial program module takes care of
program loading from either the local hard disk or, if
needed from the standard SYS:LOGIN directory.
Note that the file FSLOGIN.INI is not copied to the local
hard disk directory. For security reasons this file is
always read from the directory SYS:LOGIN, because
users should not be able to modify this file themselves.
Modifications in the configuration file FSLOGIN.INI
should only be made by the network administrator, and
to improve support to the supervisor in this task there
is also the option to use the Supervisor Workstation
Installation...
2.3 Supervisor Workstation
The configuration file FSLOGIN.INI contains a number
of statements and textual information. If modifications
are needed you probably prefer to try them in a test
version, before taking changes into production. This
can be done by copying FSLOGIN.INI to the
C:\NWCLIENT, as well and by using the special
command line parameter !LI, which stands for 'Use
Local Ini'. An example of what to type at the command
line is:
FSLOGIN !LI
After changes to the configuration file have been
tested, it can be taken into production by copying it to
the SYS:LOGIN directory. Needless to say that the !LI
option should not be made available to regular users of
the network.
CHAPTER 3: HOW TO CUSTOMIZE FSLOGIN
FSLOGIN provides three ways to customize various
options and program behaviour. The first method to
customize FSLOGIN is to use environment variables to
pre-fill one or more fields in the data entry form with a
specific value (see section 3.1).
The second option is to modify one or more of the text
sections or statements in the customization file
FSLOGIN.INI. This file resides in the SYS:LOGIN
directory, together with other program files. The text
sections and statements that are specified here are
system wide, meant for all users who are attached to
this server (see section 3.2).
The third method to customize is to use one or more
command line parameters that override one or more of
the system-wide options from FSLOGIN.INI. The use of
command line parameters applies only to that particular
part of FSLOGIN (see section 3.3).
3.1 Set default login-values
To make daily use easier, all fields, except the
password field in the Login window, can be pre-filled
with a default value. When DOS environment variables
are not being used, the default value for the Server or
the Location field (depending on the type of connection
used, Bindery mode or Directory mode) will reflect the
actual situation of the workstation concerned. The
default values that are to be used within the application
FSLOGIN, however, can be forced to a pre-set value
per workstation using DOS environment variables.
FSLOGIN uses the three environment variables:
FS_CON, FS_SRV and FS_UID to specify default values
for the Context, Server and Userid. When the names of
these environment variables do not match the current
environment setup, alternate environment variable
names can be specified in the [environment] section of
the FSLOGIN.INI customization file.
SET FS_CON=MY_CONTEXT
When specified, the value of this variable is placed in
the Location field in the Login window. When this
variable does not exist, the actual current context of
the workstation is used as a default in the Location
field. It is possible to suppress the default value in the
Location field by giving the variable FS_CON the value
NONE. By executing the DOS command SET
FS_CON=NONE the default value will be suppressed.
SET FS_SRV=MY_SERVER
The Server field automatically displays the name of the
server to which the PC is attached. This automatic
filling in of a servername will do in a single server
environment, where no server can be chosen. However,
in a multiple server environment the server to which the
PC is attached is not always the one the user wants
access to. The environment variable FS_SRV (or its
alternate) can be used to specify another server as the
default. When FSLOGIN is started again the Server field
will contain the string 'MY_SERVER'.
By giving the variable FS_SRV the value NONE, the
default value will be suppressed.
SET FS_UID=MY_USERID
By giving the DOS command SET FS_UID=USERID, the
Userid field will come up with a default. When the pre-
filled values for the Server/Context and Userid are
correct, the only thing the user has to do is type the
corresponding password and press the enter key.
The syntax used for the value of this variable allows
you to specify a partial name to appear as the default in
the Userid field. This option can be useful when the
userids in your organisation always have the same
prefix. There are companies that use userids like
ACCOUNT01, ACCOUNT02, ACCOUNT03, or
SALES01, SALES02 and so on. This 'common' part of
the userid can be pre-filled by typing it in the
environment variable FS_UID, followed by a tilde. For
example:
SET FS_UID=ACCOUNT~
The cursor will be displayed in the Userid field at the
position of the tilde (in the given example the cursor
will be displayed behind the T).
3.2 Change global settings of FSLOGIN
The customization file FSLOGIN.INI in the SYS:LOGIN
directory is a plain ASCII text file, which can be edited
using any ASCII text editor. Comment lines start with a
semicolon and can be added or deleted as required. The
customization file is divided into a number of sections
each dealing with a certain topic. Major sections are a
number of statement sections, the [help] section and
the [messages] section. Each of these sections is
described below.
[presentation]
This section contains statements that affect the way
FSLOGIN displays itself on your PC screen. These are
merely cosmetic functions. Most of the statements use
numbers as a value, but there are also some statements
that have a string as a value.
The range of valid numbers for a particular statement
is described below. Do not specify numbers outside
the range for a particular statement.
Align=0 - 1
The data entry windows (the Login Data window and
the Password Change window) and most of the
message windows can be left aligned on the tenth
column of the screen or can be centred on the screen.
When these windows are left aligned, it's easier for the
human eye to 'catch' the place where typing has to
start. This is due to the natural habit to start reading at
the left top of a page, or in this case the display screen.
The benefit of the centred windows is that text
modifications in the text windows are easier to do.
0 = No left alignment (auto-centre)
1 = Left alignment
Dimmer=0 - 9
The built-in screen dimmer becomes active after a
certain time of keyboard inactivity. You can set the
period of time with the Dimmer= statement.
0 = The built-in screen dimmer is disabled.
1-9 The period, measured in minutes, after which
the screen dimmer will be activated.
The screen dimmer can also be disabled using the !ND
command line parameter, but it only affects that
particular part of FSLOGIN.
DimmerProg=
The built-in screen dimmer can be replaced with an
external dimmer program. When, after a certain time of
keyboard inactivity, the dimmer-function becomes
active and an external dimmer program has been
specified, that program will be loaded. If loading of the
external dimmer program fails, the built-in screen
dimmer is activated as usual. The external dimmer
program can be specified in the [presentation] section
of FSLOGIN.INI. For example:
[presentation]
Dimmer=5
DimmerProg=c:\util\pcxview c:\util\company.pcx
These statements result in the loading of a PCX viewer
program that presents a company logo PCX file. When
the external dimmer program ends (by user action or
otherwise) the FSLOGIN screen is restored. It should be
understood that the amount of conventional memory is
limited, but most PCX viewers can operate in as little as
100 kilobytes of conventional memory.
Explode=0 or 1
0 = Disable the exploding windows effect.
1 = Enable the exploding windows effect.
HideContext=0 - 1
The NDS login screen shows a Context (Location) field
in which the user can specify a context before logging
in. This Context field is not actually needed when the
NDS search feature is being used. The HideContext=
statement controls whether this field shows up or not.
Note that regardless of this setting, the user can still
press the F5 function key to select a specific context
for the login process. The F5 function key is controlled
by the NDSList= statement in a next section.
0 = Show the Location (Context) field.
1 = Do not show the Location (Context) field.
Password=0 - 3
The Password statement value determines what the
user will see while typing a password.
0 = Show nothing (the same effect as a 'default'
Novell menu style). The cursor stays in the
home position of the field and there is no further
indication of what has been typed. This default
might be considered the most secure option,
because the length of a password cannot be
seen. However, this option is not particularly
user-friendly (_).
1 = Move the cursor as characters are typed, and
show spaces instead of the actually typed
characters ( _).
2 = Move the cursor and show dots instead of
characters (..._).
3 = Move the cursor and show a row of stars
instead of characters (***_).
Shadow=0 or 1
0 = Disable the shadow effect.
1 = Enable the shadow effect behind the windows.
[operation]
The [operation] section contains a few statements that
control some functional aspects of FSLOGIN.
Days=0 - 9
0 = Disable expiration warning.
1-9 The number of days a user is invited to change a
password, before the actual expiration date.
The number of days a user is warned about the
fact that his or her account is going to expire.
Changing the password before the actual expiration
date is not required, so when the user presses the
escape key, he or she is logged in using the current,
but soon expired, password. This method, however,
triggers the average user to start thinking about
something new before it is too late. This option
prevents unnecessary phone calls to the system
supervisor.
Escape=0 - 2
The Escape key at the top level (the Login Data form)
can be enabled or disabled using the 'Escape='
statement. In some environments the system
administrator might want to force users to log in before
doing something else on their workstation.
0 = Disable 'escaping' from the top level menu.
1 = Enable the user to leave FSLOGIN right away.
2 = Show a Yes/No prompt box.
The Escape function can also be disabled by using the
!NE command line parameter, but it only affects that
particular part of FSLOGIN.
EscapePWX=0 - 2
This parameter determines if a user can escape from
the 'Change Password' panel when the password has
actually expired. When using this feature the user is
more or less forced to specify a new password, thus
preventing accounts that are locked out because the
NetWare security system runs out of grace logins.
0 = User cannot escape.
1 = User can use the escape key.
2 = User can escape but is prompted first.
KbdClear=0 or 1
In some situations it might be useful to clear the
keyboard buffer to prevent unneeded characters from
appearing as typed user data in the Login Data form.
The drawback for fast typing users is that they will
have to wait a second or so, before they can start
typing their information.
0 = Leave the keyboard buffer untouched.
1 = Clear the keyboard buffer of the PC automatically.
PwdNumeric=0 - 9
This parameter can be used to force a certain number
of numerical characters in new passwords, thereby
forcing users to use more 'random' passwords in
general. The number of numerical characters enforced
this way should be in 'balance' with the minimum
password length specified in the NetWare security
system.
0 = Disables this feature
1-9 Enforce 1 through 9 numerical characters.
[environment]
This section has statements that make it possible to
specify your own environment variables, which can be
used to pre-fill certain fields in the Login Data form. The
actual use of environment variables is explained in
more detail in the previous section (section 3.1).
FS_CON=
FS_CON is the (standard) environment variable used to
specify a default value for the context. If you are
willing to use this environment variable, you do not
have to specify this statement in FSLOGIN.INI.
However, if you have already been using a different
environment variable for the same purpose, you might
want to customize this part of FSLOGIN to fit the
environment you already have.
Let us say, for example, you are already using
CONTEXT as a variable to indicate some kind of
default. Instead of adding FS_CON to each workstation
(in addition to the existing variable CONTEXT) it would
be much easier to tell FSLOGIN to use the existing
CONTEXT environment variable. That is exactly what
these statements do.
When such an alternate variable has been specified,
FSLOGIN still looks for FS_CON first. If FS_CON does
not exist in the environment of the PC, FSLOGIN looks
for the value of the alternate variable.
FS_SRV=
This statement specifies an alternate variable to be
used in addition to or instead of FS_SRV. FS_SRV, or
its alternate, is used to specify a default Server name in
the Login Data form.
FS_UID=
This statement specifies an alternate variable to be
used in addition to or instead of FS_UID. FS_UID, or its
alternate, is used to specify a default Userid.
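The lookup order from section 3.1 and the [environment] statements, worked through in Python. This is an added example, not part of the original README and not Confirm's code. The function names, the sample values and the choice to strip the tilde from the displayed text are assumptions; CONTEXT is the alternate name from the README's own illustration.

```python
def lookup(standard, env, alternates):
    """Value of the standard variable, else of its [environment] alternate.

    env        -- DOS environment as a dict (names upper-case, as SET stores them)
    alternates -- [environment] statements, e.g. {"FS_CON": "CONTEXT"}
    """
    if standard in env:                      # FS_CON / FS_SRV / FS_UID win
        return env[standard]
    alternate = alternates.get(standard, "")
    return env.get(alternate) if alternate else None


def login_form_defaults(env, alternates, current_context, attached_server):
    """Return the pre-filled Location, Server and Userid fields.

    "cursor" is the offset in the Userid field when FS_UID holds a tilde and
    None otherwise (the README does not describe the cursor in other cases).
    """
    form = {"cursor": None}
    for field, var, fallback in (("Location", "FS_CON", current_context),
                                 ("Server", "FS_SRV", attached_server)):
        value = lookup(var, env, alternates)
        if value is None:
            form[field] = fallback           # reflect the workstation's state
        elif value.upper() == "NONE":        # assumption: NONE in any case
            form[field] = ""                 # default suppressed
        else:
            form[field] = value
    userid = lookup("FS_UID", env, alternates) or ""
    if "~" in userid:
        form["cursor"] = userid.index("~")
        userid = userid.replace("~", "", 1)  # assumption: tilde is not shown
    form["Userid"] = userid
    return form


if __name__ == "__main__":
    # Constructed workstation: no FS_CON, but the site's own CONTEXT variable.
    env = {"CONTEXT": "SALES.ACME", "FS_SRV": "NONE", "FS_UID": "ACCOUNT~"}
    print(login_form_defaults(env, {"FS_CON": "CONTEXT"}, "LAB.ACME", "FS1"))
```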
[network]
The network section contains statements, which
identify which Novell login program has to be used as
the actual login script interpreter. The default for both
programs is the standard program name LOGIN.EXE.
However, there might be situations that require a
different program to get control first. One example is
the use of Intel LANDesk Manager, which comes with
its own LOGIN.COM program. Another possibility of
this feature is to rename the standard LOGIN.EXE to a
different filename, for example LOGIN.312 or
LOGIN.410, thereby preventing users from accessing
the standard login program directly.
Logout=0 - 1
The Logout statement controls whether a logged in
user is logged out immediately when FSLOGIN is
started or not. When the immediate Logout option has
been enabled the current LPT port captures are closed
and the current account is logged out. When the
Logout option is not used, the user at the PC can return
to DOS (depending on the setting of the Escape
statement discussed below) and find the workstation in
the same state as just before starting FSLOGIN. The
Logout option is for Bindery mode connections only. It
does not function with NDS based connections.
0 = Disable the automatic bindery logout.
1 = Enable the automatic directory logout.
EndOfJob=0 - 1
The EndOfJob statement controls the usage of the
EndOfJob network function call. This particular function
is used to tell the server to cleanup internal tables for
the connection, like the open files table. Normally the
EndOfJob processing should be done, but in some
particular configurations with network software for
other purposes this function call can cause problems. If
a workstation with, for example AS400 folder
software, hangs during login, try switching to
EndOfJob=0.
PreProcess=
This option allows the execution of a program or
batchfile before the actual login script processing. The
PreProcess can be, for example, a virus check program.
The benefit of using the PreProcess option is the
amount of conventional memory that is available
compared to using the '#' statement in the NetWare
2.x or 3.x LOGIN.EXE program. A preprocess program
or batch file can be specified in the [network] section of
FSLOGIN.INI. For example:
[network]
PreProcess=z:\public\preproc.bat
The PreProcess can also be a program or batchfile that
is located in the DOS PATH of the workstation, but
specifying an explicit path is a better way to get the
right process executed. It should be understood that
the PreProcess runs within the trustee rights of the
logged in user. The one and only drive letter that is
available during execution of the PreProcess is drive
letter Z:, which points to the SYS: volume.
BorderLine=200000
This parameter is used by FSLOGIN as a file size value
to be compared with the size of the NetWare login
program being executed by FSLOGIN in bindery mode. The
actual NetWare program to be executed in Bindery mode
is specified in the BINLogin= statement. When the file
size of this program is greater than the value of
BorderLine=, the /B parameter is added to the range of
other parameters passed to that program. Using this
method of 'auto detecting' the version of the
login.exe program being used, eliminates the need for
a NetWare 3.x login program to be used by FSLOGIN for
bindery mode login to a NetWare 4 server.
The default value only needs to be changed when an
executable file compressor like PKLITE is being used.
BINLogin=login.exe
The login script interpreter to be executed when a
Bindery based login has to be performed. Some other
third party products require their own login front-end to
be executed first, for example LOGIN.COM.
NDSLogin=login.exe
The name of the NetWare 4 LOGIN.EXE to be used for
a Directory-based login to the network.
NDSSearch=0 - 1
This statement controls whether the NDS search
feature is turned on or off. Further refinement of the
search process is done in subsequent statements.
0 = Do not use the NDS search feature at all.
1 = Use the NDS search feature.
LevelsUp=0 - 9
The LevelsUp= statement controls if, and how many
steps, the NDS search feature is allowed to go upwards
in the directory tree, in search of a particular userid.
LevelsUp=0 disallows the NDS search feature to start
a new search for a userid upwards in the Directory
Tree, while LevelsUp=9 allows the NDS search feature
to go all the way up to [root] level in order to search for
a userid.
0 = Do not start a new search in a higher level of the tree.
1-9 If a userid is not found in the first search, start
again one level upwards in the NDS tree, if
needed and allowed again one level upwards etc...
CrossPartition=0 - 1
This statement controls whether a second, or
subsequent, search attempt is allowed beyond the
current NDS partition the workstation is in. This
restriction on the NDS search feature could be useful to
limit the search for a userid to one particular NDS
partition, thereby reducing WAN traffic to other sites of
the company with other NDS partitions. This is a way
to restrict a search for a userid to one particular part of
an organisation. The CrossPartition statement only has
effect in combination with the LevelsUp statement.
0 = Do not allow the NDS search feature to cross a
partition boundary.
1 = Allow the NDS search feature to search beyond
a partition boundary.
WildCard=0 - 1
The WildCard= statement controls whether wildcards
in the userid field are allowed. Wildcards can be used to
build a list of userids that match a particular pattern.
The list is presented to the user who initiated a
wildcard search. The user can then pick his/her userid
from the list.
0 = No wildcards allowed in NDS search.
1 = Wildcards are allowed in NDS search.
ChangeWsCxt=0 - 1
This parameter determines if the workstation's default
context is changed to the context of the user that
actually logs in to NDS. The default workstation
context is normally set in NET.CFG with the 'name
context' parameter.
0 = Do not change the default workstation context.
1 = Change the workstation context to the context of
the user.
[syncpassword]
The syncpassword section is used to customize the
password synchronization feature. The first statement,
SyncPrompt=, controls whether a user is prompted for
additional old passwords during the password
synchronization process. The statement SyncResult
controls the amount of information a user gets when a
new password has been synchronized among multiple
servers. The SyncGroup= statement is used to disable
or enable password synchronization. The additional
utility FSLSYNC is a tool for the Supervisor to exclude
certain servers from the synchronization process. See
chapter 6 for more information about password
synchronization.
SyncPrompt=0 - 1
0 = Do not prompt the user for an old password for
a specific server but cancel the synchronization
attempt for this server.
1 = Prompt the user for an old password if needed.
SyncResult=0 - 3
0 = The user is not informed about the result of the
synchronization operation at all.
1 = This value results in a list of messages with one
line for each server that has been processed for
a new password. This is the most complete set
of information.
2 = This value results in a list with servers on which
synchronization did not succeed. Only errors
that are of some meaning to the user are
displayed, other errors are not shown. To be
more precise: the errors between 0003 and
89DE are shown (See also: Appendix B of the
file README.TXT or the manual).
3 = Only servers on which the password was
successfully changed are shown in the list.
SyncGroup=0 - 2
0 = Password synchronization is disabled.
1 = Synchronization is enabled and all the servers in
the (inter)network are treated as one logical
group.
2 = Synchronization is enabled and FSLOGIN uses
the list of servers that follows the SyncGroup=
statement.
[dialin]
The [dialin] section contains two statements that
control the way in which FSLOGIN acts when the
dialin command line option is in effect. Dialin security is
a feature that can be used on PCs that act as a dialin
host. This statement only has effect when used in
combination with the !DI command line option. This
feature is explained in more detail in a separate chapter
(see section 3.3).
MaxCount=0 - 9
This statement specifies the maximum number of login
attempts that can be made by a user connected to a
dialin host computer. When the user keeps on
specifying incorrect information FSLOGIN resets the
COM ports and boots the Dialin host PC.
0 = There is no maximum of login attempts.
1-9 The number of login attempts via dialin.
MaxTime=0 - 9
0 = Dialin connections are not limited in time.
1-9 The number of minutes you are allowed to be
logged in on a dialin host PC. After this period
expires FSLOGIN resets the COM ports and
boots the Dialin host PC.
[lists]
Various list functions are available within FSLOGIN. The
list functions range from a DirectoryList of the directory
tree when working in Directory Services mode, a
ServerList of servers when working in Bindery mode
and a UserList feature, which is a specific feature for
the system administrator. The various list functions can
be completely disabled or customized for a specific
network environment.
NDSList=0 - 1
The NDSList statement specifies whether the
DirectoryList (the F5 function key) can be used or not.
Users can get an overview of container objects in the
Directory tree and browse through the tree to set the
correct context for their login.
0 = Disable the DirectoryList.
1 = Enable the DirectoryList.
ServerList=0 - 3
0 = The ServerList function (the F5 function key) is
disabled.
1 = All Novell servers in the entire network are
visible to the user.
2 = Restrict the names of servers in the ServerList
and specify up to 16 servers which may be
displayed.
Wildcards in each individual 'name' are allowed.
For example:
ServerList=2
home_server
second_server
third_server
other_*
3 = Do not allow the Servername field of the Login
Data form to be edited. The effect is that the
user can pick from the custom list of servers
after the ServerList statement, but cannot alter
the name in the Servername field.
UserList=0 or 2
This statement defines the behaviour of the UserList
function (the F7 function key).
0 = Turn this feature off.
2 = Enable a popup list of the names that are
specified right after the Userlist= statement.
The following example presents a small list of
three user names when the F7 key is pressed.
For example:
UserList=2
Supervisor
Lanvisor
Admin
When you specify only one name in this list, most
probably Supervisor, the list is not displayed on the
screen and the F7 key directly places this name in the
Userid field.
UserXList=0 or 2
The User eXclude List is a feature to prevent certain
userids from being used. Although these userids might
actually exist, they are reported as invalid.
0 = Disable this feature
2 = Enable the list of userids that should be
restricted from accessing the server or network
through FSLOGIN.
For example:
UserXList=2
GUEST
ACCOUNT99
[help]
The [help] section of FSLOGIN.INI contains the help
items and their corresponding text. Each help item is
defined by a double semicolon as the first two
characters on a line. The text immediately following the
double semicolon is the exact text that is displayed in
the list of help items when the user presses the F1
function key.
The associated text of the help item is the block of text
that immediately follows the help item definition. The
text block can be modified, reformatted and/or
translated using an ASCII text editor. The first blank line
following the text block indicates the end of a block.
Blank lines in a text block can be added by using a TAB
character instead of a plain blank line with only a
Carriage Return. For an example see the ::FunctionKeys
item. This item has a text block with, at first sight,
blank lines in between. The blank lines actually
contain a TAB character.
For example:
::MyHelpItem
First part of help text...
<TAB><CR>
Second part of help text...
<TAB><CR>
Third and last part of help text...
<CR>
Extra help items with company specific text can be
added to the [help] section. The total number of help
items is restricted to sixteen.
[messages]
This section contains a large number of text items that
are being used throughout the operation of FSLOGIN.
Almost every piece of text that can appear on the
screen can be customized. The [messages] section
contains single line items and multi-line items. A single
line item consists of an identifier, an equal sign and, on
the same and only line, the corresponding text. The
multi-line items consist of a semicolon followed by the
identifier and, on the next line or lines, a block of text.
Single line items are used for small amounts of text that
are used as, for example, a window header, whereas the
multi-line items are used for message windows.
Some text items contain characters like %s or %d.
These special characters, well known to all C
programmers, are placeholders for other information.
WhatToDo?
Modify, rearrange or even translate pieces of text to fit
your own needs. Build your own customized help.
Show the availability of certain function keys on the
25th row of the display screen. But...
WhatNotToDo!
Do not delete text items from the [messages] section.
Do not modify the identifiers in the [messages] section,
not even change the case because the identifiers are
case sensitive. When using a word-processor to
reformat some text, be sure to save the FSLOGIN.INI
file in plain ASCII mode. The proper functioning of
FSLOGIN will be disrupted when the FSLOGIN.INI file is
stored in some word-processor format.
3.3 Command line parameters
Command line parameters can be used to change
system-wide settings or default values for a particular
workstation or particular type of usage. Command line
parameters are divided into two types:
- FSLOGIN specific parameters that start with an
exclamation point and which are used to override a
specific system-wide setting.
- Familiar command line parameters that are used to
specify a specific server, userid, context or a
combination of these.
When a combination of the FSLOGIN specific
parameters and the Familiar parameters is used, the
former should be specified first. For example:
FSLOGIN !ND Server/Userid
The syntax and meaning of the FSLOGIN specific
command line parameters are as follows:
!ND (NoDimmer)
The NoDimmer option might be useful when FSLOGIN
is used in combination with asynchronous dial-in
servers. The reason is that the dimmer uses the
keyboard hardware interrupt (INT09) to detect the
press of a key. Most dialin host products are not able
to transport this kind of low-level keyboard handling.
!NE (NoEscape)
Disables the Escape function in the Login Data form.
This prevents the user from Escaping back to DOS
without first completing a login sequence.
!NS (NoServerList)
The ServerList and the DirectoryList function of this
workstation are disabled now (both functions use the
F5 function key).
!NU (NoUserList)
This command line parameter disables the UserList
function (the F7 function key).
!DI (CheckDialin)
Activate the dialin specific parameters in FSLOGIN.INI.
These specific dialin parameters are MaxCount and
MaxTime. The use of the !DI parameter also automatically
activates !NE and !ND settings.
Familiar command line parameters are used to specify
certain default values for the Location (Context), the
Server or the Userid field or a combination of these.
These command line parameters are called 'familiar'
because they have the same syntax notation as the
command line parameters that can be used by the
Novell LOGIN.EXE program. A side-effect of using
these parameters is the possibility to select the bindery
or NDS mode login screen of FSLOGIN (provided that
the client software supports both modes). The syntax
forms of the familiar command line parameters and the
effect on the mode are as follows:
Syntax                      Mode
FSLOGIN SERVER/USERID       Bindery
FSLOGIN SERVER/             Bindery
FSLOGIN /USERID             Bindery
FSLOGIN /                   Bindery
FSLOGIN USERID              Bindery or NDS
FSLOGIN USERID.             NDS
FSLOGIN USERID.CONTEXT      NDS
FSLOGIN .CONTEXT            NDS
FSLOGIN .                   NDS
CHAPTER 4: HOW TO USE FSLOGIN
Once installed, Full Screen Login is available for use.
Just type FSLOGIN and the Login Data menu pops up.
The name of the default server, to which the
workstation is attached, is automatically displayed in
the Server field.
In order to see how to login via this window, you can
fill in the name of a Userid and press the enter key. The
highlight moves on to the Password field. When a
password is required for this userid, fill it in. Otherwise
leave this field blank.
When all datafields are entered correctly, press the
enter key. The data will be validated, and when
something is wrong, you will be informed.
When the validation is okay, and there are no other
accounting and security restrictions, the login process
continues with the execution of the system and user
login scripts. You, as a system supervisor, do not have
to change anything to existing login scripts or other
procedures in order to use FSLOGIN.
4.1 Edit keys
In contrast to the 'standard' Novell menu interface, the
cursor is always visible in the input fields. This relieves
the user from the user-unfriendly difference between
moving between fields and editing them. When the
highlight is moved to another field, that field
automatically switches to edit mode and the cursor is
shown.
The keys to move between the fields are: Tab (next),
BackTab (previous), Up Arrow (previous) and Down
Arrow (next).
The Enter key also moves the highlight down (next)
until used in the last field of a form (execute).
The keys to move the cursor in a field while editing are:
Home (first position), End (last position), Left Arrow
(back) and Right Arrow (forward).
4.2 Function keys
F1=Help
The basics of this utility are explained in the on-line
help text and will give the average user enough
information to log in without any problems.
Select a topic
The information is presented as a list of topics from
which you can choose. The Up Arrow, Down Arrow,
Page Up and Page Down let you change the selection.
Press Enter and the information on the chosen topic will
be displayed.
Move within Help
You can display large help texts by scrolling through
them. The cursor indicates the position in the help text
and can be used as a kind of bookmark. Use the keys:
Up Arrow, Down Arrow, Page Up and Page Down.
Leave Help
Escape brings you back again (from the help text to the
help topic list, from the topic list to the login screen).
F2=Info
The Info function key displays license information about
the current license as well as address information about
Confirm. You can use this information for all your
correspondence with Confirm.
F4=Switch
The Switch function key switches between a Bindery-
based server connection and a Directory Services-based
connection. This feature makes it possible to override
the default configuration of the Novell client software.
The Switch function can only be used when the Novell
client software supports both Bindery and Directory
connections.
F5=DirectoryList
The DirectoryList gives an overview of the NetWare
Directory tree. The object types that are useful for the
login process are displayed: Organization (O=),
Organizational Unit (OU=), Country (C=) and Locality
(L=), which are all container objects. In addition, the
Parent Object (..) and the Current Object (.) are
displayed so you can move through the Directory Tree.
Select another context (F5 - F10)
Finally the user can select a new context with the F10
function key. The selected context is displayed in the
Location field of the Login Data form and is also
actually set as the default for that workstation at that
particular moment.
F5=ServerList
When working in a multiple server environment, the
ServerList function becomes valuable. Press F5 to
obtain an overview of all available file servers in your
network, and select one. The F5 function key is
independent of the currently highlighted field. After
selecting a server the highlight will return to the original
position.
The supervisor can restrict the end-user view on the
network by disabling the ServerList function or by
limiting the ServerList to a custom specified list. See
the chapter on 'How to Customize Login' for more
information.
F6=ChangePassword
Once in a while a password should be changed. The
user can change the current password to something
new at the moment of login. All the user has to do is fill
in the Login Data window with the usual information
and press the F6 function key INSTEAD of the Enter
key. FSLOGIN will prompt for a new password now.
F7=UserList
There is one specific userid, which is probably typed
thousands of times each day by thousands of
supervisors. Just press the F7 function key and look
what happens. FSLOGIN presents you with a list of a
few very often used names. Move the highlight to the
one you need and press the Enter key. After pasting
the chosen username in the Userid field, the highlight
goes straight to the Password field, since this is most
likely the place you want to go.
The three names that appear in the list right after
installation are just examples. The names that are to
appear in the list can be customized in FSLOGIN.INI. If
security is very important and you do not want users to
'discover' the existence of a supervisor userid, you can
turn this feature off by using the statement UserList=0
(see section 3.3).
F9=ActivateDimmer
The built-in screen dimmer or the external dimmer
program can be activated with the F9 function key at
any place in the program.
F10=SelectContext
When a DirectoryList is being displayed, a new Context
can be made active by highlighting the name and
pressing the F10 function key. The new context is
presented in the Location field and is used for
subsequent logins.
CHAPTER 5: HOW TO SEARCH IN NDS
The NDS search feature of FSLOGIN is a powerful way
to ensure maximum user-friendliness in a NetWare 4
environment. The user does not have to explicitly
specify the correct context but can leave that job to the
NDS search feature. This feature, however, requires
some understanding of the structure of NetWare
Directory Services and the way an account is searched
for. The following scenarios describe step by step
what happens when the NDS search feature is not
being used and what the options are when it is being
used.
5.1 When NDSSearch=0
The user starts FSLOGIN and a login data entry window
is presented. Two of the fields in this window can be
pre-filled with information (Location and Userid). The
initial value of the Location (Context) field is taken from
one of the following sources (in order of precedence):
- the environment variable FS_CON (if it exists).
- the alternate environment variable (instead of
FS_CON) specified in the FSLOGIN.INI file in the
section [environment] (if it exists).
- The current (default) context of the workstation (if it
is defined).
- The value [ROOT] (if all above fails).
Depending on the user's requirements, the user needs to
modify the value in the Location (Context) field. The
user can use the NDSList feature (the F5 function key)
to 'walk' through the directory tree, thereby positioning
the correct context. If the user fails to specify the
correct combination of context and userid, the user is
presented with an error message saying so.
5.2 When NDSSearch=1
First of all the user does not have to see the Location
(Context) field in the login window at all. This is
controlled by the HideContext= statement in
FSLOGIN.INI. The display of the Location field in the
login window is a matter of preference. It does not turn
'on' or 'off' the NDS search feature.
Although the Location (Context) field does not need to
be 'visible', it still is being used internally. The value of
the (hidden) Context field is derived in the same way as
described above in 'When NDSSearch=0'.
Given a certain value for the Context and userid,
FSLOGIN validates this context and userid. If there is a
match no further NDS searching is needed at all. If
there is no match, the NDS search feature is activated
and a search is done for the userid downwards from
the given context in the directory tree.
If the userid is found in a subtree, FSLOGIN continues
to check the password and eventually start the login
process. However, there might be more than one
instance of the same userid in different subtrees. In
that case a list is presented with the canonicalized
names of the users found. It's up to the (human) user
to pick the right one from the list and continue.
When LevelsUp=0
Suppose the specified userid in the previous example
could not be found at all in the subtrees of the given
context? One option is to stop here and tell the user to
do some homework and come back later. This is the
case when LevelsUp=0.
When LevelsUp=1 - 9
It is, however, possible to let FSLOGIN search in a
bigger part of the directory tree. The LevelsUp
statement controls how many times FSLOGIN can take
one step upwards in the directory tree and start a new
search from that point. The NDS search feature takes
one step upwards at a time, and if one or more userids
are found FSLOGIN continues as described above: it
either starts the next part of the login process or presents
the (human) user with a list of userids in different parts
of the directory tree.
When LevelsUp=9 has been specified in the
FSLOGIN.INI file, the effect is that eventually the entire
directory could be searched for a particular userid.
Especially in large networks with Wide Area
connections, this could result in unwanted delays and
unwanted WAN traffic. Therefore a brake has been
built in to limit the search to an NDS partition.
When CrossPartition=0
The CrossPartition statement controls whether the
LevelsUp method is allowed to cross the border of an
NDS partition. Given a certain context, that has either
been filled in by the environment variable FS_CON or by
specifying the appropriate statement in NET.CFG, the
CrossPartition statement limits the NDS search feature
to the NDS partition the workstation is in.
However, it should be understood that the user is able
to change the current context either with the CX
command line utility or within FSLOGIN with the
NDSList feature (the F5 function key). This makes it
possible for the more experienced user to specify
another context beyond or above the 'original' NDS
partition in the Directory tree. An experienced user
could choose the [root] as the current context and start
a search from that point downwards.
When WildCard=1
When wildcards are allowed, all userids matching a
specific pattern can be retrieved and put in a list. A
wildcard userid can also be a '*', which results in a list
of userids in the current context and below.
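The search order described in this chapter, as an added
example that is not part of FSLOGIN or of the original
README. It models the directory as a plain dictionary and
a partition as a single subtree root; the tree, the names
and the function names are constructed for illustration.

```python
from fnmatch import fnmatchcase

# Constructed sample tree: container context (leaf-first, dotted) -> userids.
TREE = {
    "ACME": ["ADMIN"],
    "EUROPE.ACME": ["JSMITH"],
    "SALES.EUROPE.ACME": ["MJONES"],
    "NL.SALES.EUROPE.ACME": ["PDEVRIES", "JSMITH"],
    "US.ACME": ["JSMITH", "BACKUP"],
}


def parent(context):
    """One step up the tree; the parent of a top-level container is [ROOT] ("")."""
    return context.partition(".")[2]


def in_subtree(context, top):
    """True when context is top itself or lies below it ("" stands for [ROOT])."""
    return top == "" or context == top or context.endswith("." + top)


def search_down(tree, top, userid, wildcard):
    """Canonicalized names of all matching userids in top and below."""
    hits = []
    for context, users in tree.items():
        if in_subtree(context, top):
            for user in users:
                if user == userid or (wildcard and fnmatchcase(user, userid)):
                    hits.append(user + "." + context)
    return sorted(hits)


def nds_search(tree, context, userid, levels_up=0, cross_partition=False,
               partition_root="", wildcard=False):
    """Return candidate names: [] = not found, one = log in, more = pick list.

    partition_root is an assumption of this model: the partition is the
    subtree below that context, and "" means the whole tree is one partition.
    """
    if userid in tree.get(context, ()):      # context and userid match directly
        return [userid + "." + context]
    top = context
    for _ in range(levels_up + 1):           # pass 0 searches below the given context
        hits = search_down(tree, top, userid, wildcard)
        if hits or top == "":                # found something, or already at [ROOT]
            return hits
        up = parent(top)
        if not cross_partition and not in_subtree(up, partition_root):
            break                            # CrossPartition=0: stay inside the partition
        top = up
    return []


if __name__ == "__main__":
    start = "SALES.EUROPE.ACME"
    print(nds_search(TREE, start, "BACKUP"))
    print(nds_search(TREE, start, "BACKUP", levels_up=9,
                     partition_root="EUROPE.ACME"))
    print(nds_search(TREE, start, "BACKUP", levels_up=9,
                     cross_partition=True, partition_root="EUROPE.ACME"))
    print(nds_search(TREE, "ACME", "JSMITH"))
```

Starting the search at [ROOT] (context "") reaches every
container regardless of the partition setting, which is the
caveat the CrossPartition paragraph above describes.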
CHAPTER 6: PASSWORD EXPIRED!
An expired password is almost always a source of
inconvenience. Most users manage well by reading the
line mode text from the Novell Login program. Some
users, however, will always succeed in locking up their
userid and have to call for supervisor assistance.
FSLOGIN helps most users to take this hurdle in a
friendly way and, most important, without help of a
system administrator. The first step FSLOGIN takes is
notifying the user that his or her password is going to
expire a specific number of days in the near future and,
at the same time giving the user the possibility to
change it right away.
When the user takes no action the user will be forced
to change the password on the actual expiration date.
It is possible to Escape from the Password Change
form, but in that case the user will not be logged in.
ATTENTION
This method of 'inviting' a user to change a password
does not mean that the grace login mechanism of the
Novell security system is not needed any more. At least
one grace login is needed to be able to change the
current password into a new one. So do not set the
grace login count for users to zero! When there are no
grace logins left, there is no way a user can log in.
Neither with the Novell login program, nor with any
other program!
CHAPTER 7: PASSWORD SYNCHRONIZATION
When an organisation needs more than one server,
either because of capacity or functionality, and chooses
not to use the NetWare 4 Directory Services, the
system administrator is faced with the problem of
separate administrations for users and groups. The
users that have an account on more than one server
also need to be aware of the fact that their userid and
corresponding password are different entities on each
server. NetWare Directory Services is the best solution
for this kind of problem, but a lot of servers are still
operating under control of NetWare version 3 or even
NetWare version 2.
However, FSLOGIN has a password synchronization
feature that assists the user in maintaining the same
password for all servers that have the same account
defined for that user.
The password synchronization feature is turned off by
default, because of the major impact it could have on
larger networks with lots of Wide Area Network (WAN)
connections. Password synchronization can be
configured to treat all the servers in the network as one
large group, or the servers can be subdivided into smaller
logical groups, called Synchronization Groups.
It is the system administrator's responsibility to make a
decision how to implement the password
synchronization feature based on the size of the
network and the way people are used to working in the
organisation.
When the password synchronization feature has been
enabled, either globally or with a synchronization group,
and the user specifies a new password, FSLOGIN will
try to apply that new password to all the servers in the
group.
It is important to understand that all this processing is
done on behalf of the logged in userid, so when the
accounting restrictions on one particular server in the
group do not allow the user to change the password,
it will not be changed.
The user is informed about this process with a message
on row 25 of the display. When FSLOGIN detects that
the old password for a particular server is not valid, it
will prompt the user to enter the (good) old password
for that particular server. The benefit of using the
password synchronization feature of FSLOGIN is that it
is independent of the current logged in state of the user
(all servers in the logical group are processed).
The customization file FSLOGIN.INI contains a section
called [syncpassword]. This section contains three
statements that can be used to customize password
synchronization. The SyncGroup= statement is used to
disable or enable synchronization. The SyncPrompt=
statement is used to specify if a user should be
prompted for an old password, if needed. The
SyncResult= statement determines to what extent
the user is informed about the result of a
synchronization operation.
SyncPrompt=0 - 1
0 = Do not prompt the user for an old password for
a specific server but cancel the synchronization
attempt for that server.
1 = Prompts the user for an old password if needed.
SyncResult=0 - 3
0 = The user is not informed about the result of the
synchronization operation at all.
1 = This value results in a list of messages with one
line for each server that has been processed for
a new password. This is the most complete set
of information.
2 = This value results in a list with servers on which
synchronization did not succeed. Only errors
that are of some meaning to the user are
displayed, other errors are not shown. To be
more precise: the errors between 0003 and
89DE are shown (See also: Appendix B of the
file README.TXT or the manual).
3 = Only servers on which the password was
successfully changed are shown in the list.
SyncGroup=0 - 2
0 = Password synchronization is disabled.
1 = Synchronization is enabled and all the servers in
the (inter)network are treated as one logical
group.
2 = Synchronization is enabled and FSLOGIN uses
the list of servers that follows the SyncGroup=
statement.
FSLSYNC
In addition to the statement SyncGroup=, another tool
is available to control which server 'belongs' to the
logical group or not. The FSLSYNC utility is a tool to
exclude certain servers from the password
synchronization process. This utility should be run by
the Supervisor once for each server that should not be
involved. Servers that are candidates for exclusion are
special purpose machines like SNA gateways, mail
gateways, routers etc.
The syntax of this command line utility and some
examples follow:
C:>fslsync
FSLSYNC - (c) Confirm, 1995.
Usage: FSLSYNC ServerName [ON | OFF]
FSLSYNC ServerName Show Sync status
FSLSYNC ServerName OFF Exclude
FSLSYNC ServerName ON Include again
C:>fslsync z220
Server Z220 can be part of the sync process.
C:>fslsync z220 off
Server Z220 is excluded from the sync process.
C:>fslsync z220 on
Server Z220 can be part of the sync process.
C:>_
The HomeServer concept
When an organisation uses more than one server in
bindery (emulation) mode, the system administrator is
faced with multiple administrations (binderies) that need
attention. Especially when a number of users have
accounts defined on more than one server it becomes
important to avoid conflicts in the Accounting
Restrictions on the different servers.
Essentially, using accounting restrictions for a particular
user on more than one server is the source of most
login problems for the regular user. It's like having two
(or more!) captains on the same security ship, each
captain having his own opinion about how the user
should be treated!
What if we simply could send some of those captains
home and let One captain do the job for One particular
user?
That's exactly the concept of the HomeServer.
If the system administrator assigns each user to a
particular HomeServer (most likely the server where
that user has a Home or User directory) and controls
Accounting restrictions for that user on that
HomeServer only, we are one step further in
administrating a multiserver environment.
The Accounting Restrictions on the HomeServer
determine when it's time to change a password.
That means that for that particular user the Accounting
Restrictions on other servers must be 'relaxed' in such
a way that those other servers never prompt the user
for a new password. That might sound like a security
risk at first, but take into consideration that the user
will first login to the HomeServer. That's where his/her
data is after all.
CHAPTER 8: FSLOGIN AND DIALIN SERVERS
Most of the Local Area Networks are not only used
from workstations that are directly attached. There is a
growing need for access to the data and programs on a
corporate LAN from other geographical locations. This
need for communication has led to products that turn a
regular workstation in a LAN into a dialin host that can
be accessed by using regular telephone lines and
modems. It is obvious that these gateways to programs
and data need to have mechanisms to prevent
unauthorised access. Many of the products on the
market today have built-in security options.
FSLOGIN, however, adds an extra layer of access
security to the Novell servers in the network. Once a
remote user has a dialin connection to a dialin host on a
LAN, that user has to enter the proper login information
before data and/or programs can be accessed.
FSLOGIN has extra security options, which have been
specifically designed for use on dialin host machines.
First of all the amount of information that a user can
'see' on the FSLOGIN screen can be restricted to
almost nothing. The user has to know the exact names
of the Directory Context or the Server, his/her userid
and, of course, the corresponding password.
The DirectoryList / Serverlist feature of FSLOGIN can be
turned off for individual workstations using the !NS
command line option. This command line option
overrules the global setting in FSLOGIN.INI.
Furthermore, the default name in the Location or Server
field can be suppressed using the environment variables
FS_CON=NONE and FS_SRV=NONE.
The UserList feature (the F7 function key) can also be
turned off by means of the !NU command line
parameter. Although it might be common knowledge
that there is something like the Supervisor userid, it
does not need to be advertised at this particular place.
The next step in building a security wall is disabling the
use of certain userids that are not easy to delete
(GUEST for example), but are not meant for regular
access by users. The User eXclude List feature makes
this possible. This list is specified in the FSLOGIN.INI
file with the statement 'UserXList'.
When the dialin user accesses the host PC, it is obvious
that FSLOGIN should not be terminated with the Escape
key. This would allow the user to access the standard
Novell commands CX, NLIST or SLIST and LOGIN.
Although the Escape key can be enabled or disabled
globally in FSLOGIN.INI, it can be disabled in specific
situations by using the !NE command line option.
The next step is preventing a user from entering all
kinds of combinations of Server names, Userids and
Passwords. Not that this is likely to succeed but these
tryouts can be prevented using the following
statements in FSLOGIN.INI:
MaxCount=0 - 9
0 = Do not limit the number of login attempts.
1-9 The maximum number of login attempts that a
user can make before FSLOGIN takes action.
The user can make 1 - 9 attempts to log in and when
the next attempt is invalid (invalid Directory Context,
invalid Servername, invalid Userid or invalid Password)
FSLOGIN takes action.
MaxTime=0 - 9
0 = Do not limit the period of time of login attempts.
1-9 Limit the maximum time in minutes that
FSLOGIN gives the user to login. When this time
expires, it is assumed that the connection
between the dialin host and the PC at the other
end should be terminated.
So what does FSLOGIN do when one of the above
events actually occurs?
First of all the Data Terminal Ready (DTR) signals of both
the COM1 and the COM2 ports are forced to zero.
Most modems react to this drop of the DTR signal and
will hang up. After terminating the connection the dialin
host PC will be rebooted. No better way to break the
connection between you and an unwanted, unknown
hacker.
ATTENTION
Note that although the latter two functions, MaxCount
and MaxTime, are specified in FSLOGIN.INI, they are
only activated when FSLOGIN is started with the !DI
command line argument. The !DI argument also
automatically activates the !NE (NoEscape) and the !ND
(NoDimmer) options.
The !NS (NoServerlist) and the !NU (NoUserlist) are not
automatically included. Here is a sample batch file that
starts dialin host software and FSLOGIN:
..
REM No default context and no default server
SET FS_CON=NONE
SET FS_SRV=NONE
REM Link Support Layer, hardware driver, IPX protocol
REM stack and NetWare Shell
LSL
NE2000
IPXODI
NETX
REM Wait here for dialin user!
PCSOMEWHERE
REM Secure login
FSLOGIN !DI !NS !NU
..
The batch file continues with the next statement when
the dialin user specifies the correct login information in
the specified amount of time. Otherwise the dialin host
PC will be rebooted.
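One way to check a dialin host against the steps of this
chapter, as an added example that is not part of FSLOGIN
or of the original README. It reads the settings section
of FSLOGIN.INI and the batch file that starts FSLOGIN; the
sample files, the finding names and the treatment of a
missing statement as 0 are assumptions of the example.

```python
import re


def parse_ini(text):
    """Settings before [help] as {key: (value, [list entries])}.

    Keys are lower-cased for lookup (an assumption of this example).
    """
    settings, entries = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower() == "[help]":         # help and message text follows
            break
        if not line or line.startswith("["):
            entries = None
            continue
        match = re.match(r"([A-Za-z]\w*)=(.*)$", line)
        if match:
            entries = []
            settings[match.group(1).lower()] = (match.group(2).strip(), entries)
        elif entries is not None:            # a name following ServerList=2 etc.
            entries.append(line)
    return settings


def parse_batch(text):
    """Return (environment at launch, FSLOGIN '!' flags), or (env, None)."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        words = line.upper().split()
        if words[:1] == ["SET"] and "=" in line:
            name, _, value = line[4:].partition("=")
            env[name.strip().upper()] = value.strip().upper()
        elif words[:1] == ["FSLOGIN"]:
            return env, {w for w in words[1:] if w.startswith("!")}
    return env, None


def audit_dialin(ini_text, batch_text):
    """Return {finding id: explanation}; an empty dict means nothing to report."""
    ini = parse_ini(ini_text)
    env, flags = parse_batch(batch_text)
    if flags is None:
        return {"NO_FSLOGIN": "the batch file never starts FSLOGIN"}

    def number(key):                         # missing or non-numeric counts as 0
        value = ini.get(key, ("0", []))[0]
        return int(value) if value.isdigit() else 0

    found = {}
    if "!DI" not in flags:
        found["DI_MISSING"] = "without !DI, MaxCount and MaxTime are not activated"
    if number("maxcount") == 0:
        found["MAXCOUNT_UNLIMITED"] = "MaxCount=0: no maximum of login attempts"
    if number("maxtime") == 0:
        found["MAXTIME_UNLIMITED"] = "MaxTime=0: login time is not limited"
    if "!NS" not in flags and (number("serverlist") or number("ndslist")):
        found["F5_LIST_ENABLED"] = "F5 lists servers or containers; add !NS"
    if "!NU" not in flags and number("userlist"):
        found["F7_USERLIST_ENABLED"] = "F7 shows the UserList names; add !NU"
    for var in ("FS_CON", "FS_SRV"):
        if env.get(var) != "NONE":
            found[var + "_DEFAULT_SHOWN"] = "SET %s=NONE is missing" % var
    if number("userxlist") != 2 or not ini["userxlist"][1]:
        found["NO_EXCLUDE_LIST"] = "UserXList does not exclude any userid"
    return found


# Constructed sample input, not taken from a real installation.
WEAK_INI = """\
[dialin]
MaxCount=3
MaxTime=0
[lists]
NDSList=1
ServerList=2
home_server
other_*
UserList=2
Supervisor
UserXList=0
[help]
::MyHelpItem
MaxCount=0 inside help text is not a setting
[messages]
[end]
"""
WEAK_BATCH = "SET FS_CON=NONE\nNETX\nPCSOMEWHERE\nFSLOGIN !NS\n"
FIXED_INI = (WEAK_INI.replace("MaxTime=0", "MaxTime=5")
             .replace("UserXList=0", "UserXList=2\nGUEST"))
FIXED_BATCH = ("SET FS_CON=NONE\nSET FS_SRV=NONE\nNETX\nPCSOMEWHERE\n"
               "FSLOGIN !DI !NS !NU\n")

if __name__ == "__main__":
    for name, text in audit_dialin(WEAK_INI, WEAK_BATCH).items():
        print(name, "-", text)
```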
CHAPTER 9: NOTES
9.1 Login Script Parameters
Full Screen Login has support for the optional
parameters, that can be passed to the system login
script. There is no separate field for this, but
parameters can be typed in the Userid field following
the User name. Type one space between the User
name and the parameter. When the Userid field seems
to be full, just type on and you will see the text scroll.
The available typing space is 64 characters (including
Username and spaces).
9.2 NDS restrictions
FSLOGIN currently does not support the use of spaces
in NDS names.
APPENDIX A: ERRORLEVELS
IF ERRORLEVEL==0
ERRORLEVEL 0 indicates a successful login to either a
server (in Bindery mode) or the network (in Directory
Services mode).
IF ERRORLEVEL==1
This ERRORLEVEL is used to indicate that the user used
the Escape function to exit FSLOGIN. Escaping from
FSLOGIN can be disabled by customizing the Escape=
statement in FSLOGIN.INI.
IF ERRORLEVEL==2
This ERRORLEVEL is reserved for future use.
IF ERRORLEVEL==3
This ERRORLEVEL is used to indicate various errors that
could occur when attempting to load program overlay
files or program resource files. Each overlay or resource
file has its own error message that exactly pinpoints
the problem.
FSLOGIN.OVL could not be loaded.
This file is a program overlay that is loaded by the
FSLOGIN.COM program. Under normal circumstances
this file is installed in the SYS:LOGIN directory or in a
directory on a local harddisk. This error could occur
when part of FSLOGIN has been manually copied from
one machine to another. When this error occurs, check
the success of the installation procedure or the result of
your own copy actions.
FSLOGIN.PPX could not be loaded.
This file is a program overlay file that is installed in the
SYS:LOGIN directory or in a directory on a local
harddisk. Check the result of the installation procedure
or the success of your own copy actions.
FSLOGIN.CWA could not be loaded.
This file is a C-Worthy resource file that is loaded by
the FSLOGIN.OVL program file. C-Worthy is the well-
known Novell style menu interface that has been used
for all Novell and many third party utilities. FSLOGIN
has been built with C-Worthy version 2. This file
should be available in the SYS:LOGIN directory or, if
FSLOGIN has been installed on a local harddisk, in the
same directory as the other program files.
LOGIN.EXE (or its alternate) could not be loaded
In order to process the system login script and possibly
profile login scripts and a user login script, FSLOGIN
needs to load the Novell program file LOGIN.EXE. This
program must be available in the SYS:LOGIN directory.
It is, however, possible to customize FSLOGIN to use a
different name than LOGIN.EXE. This feature is further
explained in the chapter 'How to Customize...' Under
normal circumstances this error will not occur, but this
error could indicate that a mistake has been made when
the alternate login program option is being used.
IF ERRORLEVEL==4
This ERRORLEVEL is used to indicate a problem while
processing the FSLOGIN.INI file. This file is the
customization file that contains statements that affect
the operation of FSLOGIN, help text items and other
textual message items. The INI file should be available
in the SYS:LOGIN directory at all times. One exception
to the rule is using the !LI (Use Local INI) command line
option, which should be used by the system
administrator only. The message that is displayed
indicates the various reasons for the failure. The
common part of the message is:
FSLOGIN.INI could not be processed. Reason: ...
The possible reasons are:
Reason: open error.
The INI file can not be opened at all. Check the
installation of FSLOGIN. The INI file should be installed
in the SYS:LOGIN directory.
Reason: malloc error.
The program could not allocate enough memory to load
the INI file. This error could occur when conventional
memory is very scarce. Have a look at all programs
loaded and decide if any of them is really needed and/or
try to make use of Upper Memory Blocks to load certain
programs high.
Reason: read error.
A read error can occur when the network connection
between a workstation and a server is not reliable or
when a harddisk error occurred. The reason for this
error lies outside FSLOGIN and should be treated
depending on the particular situation. A read error could
be caused by an interrupted connection between the
fileserver and the workstation.
Reason: [help] label not found.
The INI file contains various labels that indicate a
statement section, the start of the Help Items or the
start of the Messages items. The labels that are used to
indicate various statement sections, for example
[dialin], are just there to make a logical arrangement.
Other labels like [help] are needed to process the INI
file. If the [help] label is not found, FSLOGIN assumes
that the INI file is invalid.
Reason: [messages] label not found.
If the [messages] label is not found, FSLOGIN assumes
that the INI file is invalid.
Reason: [end] label not found.
If the [end] label is not found, FSLOGIN assumes that
the INI file is invalid.
IF ERRORLEVEL==5
ERRORLEVEL 5 is used to indicate various errors related
to the NetWare Client software or the state of the
network connection. The various error messages that
are used are described below.
There is no NetWare shell.
FSLOGIN checks for the availability of the NetWare
shell (NETX.EXE) or the DOS Requester (VLMs). If
neither of these client programs is available, FSLOGIN
has no access to a network.
NWCallsInit returned an error: x'....'.
NWCallsInit is a Novell API function used by FSLOGIN
to establish a working environment between the
application and the Novell client software. In the rare
case that this error occurs, the Novell client software is
in trouble and returns a hexadecimal errorcode to the
application (in this case FSLOGIN). Try to unload and
load the NetWare shell or NetWare DOS Requester.
NWGetDefaultConnectionID returned an error: x'....'.
This indicates an error when using a Novell API
function that collects information about the default
connection between the workstation and a server. The
reason for an error lies in the state of the Novell client
software. Unloading the client software and loading
again will probably correct this kind of error.
NWInitUniCodeTables returned an error: x'....'.
The country code is: ..., the code page is: ...
First of all, what are UniCode tables?
UniCode is a 16 bit character set that covers all the
possible characters in all the languages of the world.
NetWare Directory Services uses this UniCode
internally, but the clients (PCs with DOS or Windows)
are not capable of dealing with these 16 bit characters.
UniCode tables are the translation tables from the 16
bit UniCode characters to the 8 bit characters of a
certain language and codepage combination. Unicode
tables need to be loaded by an application that needs
to access NetWare Directory Services.
All the UniCode tables are provided by Novell and are
part of the installation of a NetWare 4 server but also
part of the installation of the NetWare DOS Requester.
The directory used to install the UniCode tables is
called NLS (for example: C:\NWCLIENT\NLS). Check
the availability of the UniCode tables and/or put the
C:\NWCLIENT\NLS subdirectory in the PATH of the PC.
NWGetDefaultNameContext returned an error: x'....'
The Default Name Context is the context that is
specified in the network configuration file NET.CFG.
FSLOGIN reads this default context to display it in the
Login Data window. In very rare cases this Novell API
call might return an error with which FSLOGIN cannot
deal. Check the NET.CFG file and unload and reload the
NetWare DOS Requester.
NWDSCreateContext returned an error: x'....'
FSLOGIN needs to create two internal context buffers
to handle various Directory Services requests. The
creation of these buffers might fail. If this is the case,
FSLOGIN is not able to continue. Check the
hexadecimal errorcode in the next appendix.
NWDSAllocBuffer returned an error: x'....'
FSLOGIN needs to create two internal buffers as input
and output for various Directory Services requests. The
creation of these buffers might fail. If this is the case,
FSLOGIN is not able to continue. Check the
hexadecimal errorcode in the next appendix.
APPENDIX B: ERROR CODES
89C1 No account balance
This userid, also called account, has no initial account
balance to work with. The supervisor should assign an
account balance by means of NETADMIN or SYSCON.
This only occurs on servers with an activated (Novell)
accounting system.
89C2 Your credit has exceeded
The user has no more credits to continue working. The
supervisor should assign enough credit by means of
NETADMIN or SYSCON for the user to be able to work.
This only occurs on servers with an activated (Novell)
accounting system.
89C5 Intruder lockout
There have been a number of attempts to log in with this
userid in combination with an incorrect password. The
user either has to wait for the intruder lockout time to
expire, or the intruder lockout can be cleared by the
supervisor. This error can only occur when the intruder
lockout mechanism for the server or the network has
been activated.
89D7 Password has been used before
The newly specified password could not be applied,
because the accounting restrictions for this user do not
allow old passwords to be reused.
89D8 Password too short for this server
Passwords have a minimum length, which can be set
on a per user basis in the accounting restrictions of
each user. A new password must meet this requirement
before it is accepted by the NetWare security system.
89D9 Maximum concurrent connections in use
The user tried to log in from a number of workstations
at the same time. However, a limit has been set to the
number of stations that this user can log in from at the
same time. The limit could be increased for this user or
the user should log out from another workstation.
89DA Not authorized at this time
There is a time restriction for this user, which prevents
login at this moment. Time restrictions are set by the
supervisor, system-wide or per user.
89DB Not authorized at this station
There is a station restriction for this account. For
security reasons a restriction can be made that certain
accounts can be logged into from certain workstations
only.
89DC This account has been disabled
The account (userid) exists but cannot be used,
because it has been disabled by the supervisor. Note
that accounts can also expire automatically at a pre-
determined date in the future.
89DE The password has been disabled
The current password for the user has expired, and
there are no more grace logins available. The supervisor
must assign another password to this user or reset the
number of grace logins to be able to continue. It is
advisable to give users more than one grace login, so
they will be able to change their password themselves.
Setting the number of grace logins to zero will disable
the possibility for a user to change a password once
the password has expired. The only difference between
an expired password and a disabled password at this
point is the grace login mechanism.
89F0 Wildcard not allowed
A wildcard was used when the network or the server
was queried for information. At certain points it is not
possible to use wildcards like '*' and '?'.
89F1 Invalid bindery security
The current user has no rights to read from or write to
the bindery. This error code could indicate a problem in
the bindery structure or an application program error.
When there are other errors related to bindery functions
on other workstations, as well, BINDFIX should be run.
89F2 No object read privilege
The program tried to read object information from the
bindery or the directory, but the Novell NetWare
operating system did not allow this. This could indicate
an application programming error but might also
indicate problems with the bindery or directory.
89F3 No object rename privilege
The current user has no right to rename an object in the
bindery or the directory. This error is not likely to occur
in FSLOGIN.
89F4 No object delete privilege
The current user has no right to delete an object in the
bindery or the directory. This error is not likely to occur
in FSLOGIN.
89F5 No object create privilege
The current user has no right to create an object in the
bindery or the directory. This error could indicate a
problem with the structure of the bindery or the
directory. This error is not likely to occur in FSLOGIN.
89F6 No property delete privilege
The current user has no right to delete a property in the
bindery or the directory. This error is not likely to occur
in FSLOGIN.
89F7 No property create privilege
The current user has no right to create a property
within its own object. This error could indicate a
problem with the structure of the bindery or the
directory or a (highly unlikely) programming error.
89F8 No property write privilege
The current user has no right to write the value of a
certain property within its own object. This error could
indicate a problem with the structure of the bindery or
the directory or a (sometimes awful) programming
error.
89F9 No more free connection slots
The NetWare Shell or the NetWare DOS Requester has
run out of connection slots. With the NetWare Shell
there are eight connections possible with eight different
servers. The NetWare DOS Requester can be
configured to hold more than eight connection slots,
with a maximum of fifty.
89FA No more free server slots
The server has reached its limit for the number of
concurrent connections. This number is determined by
the license that is used on the server (5 .. 1000 users).
The supervisor can try to clear some unused
connections with FCONSOLE (NetWare 2.xx) or the file
server MONITOR program (NetWare 3.x and 4.x).
89FC No such userid on this server
The specified userid has not been defined on this
server.
89FE The server bindery is locked
Bindery read or write actions are not possible, because
the bindery is not available. This can be the result of a
program that has closed the bindery. Programs that
close the bindery are for example BINDFIX and most
backup / restore programs. The bindery should be re-
opened again when these programs have done their
job. If this is not the case the server has to be brought
down and started up again.
89FF No response from server
This error code can represent several errors in which
the server is not responding properly to workstation
requests. This error code could indicate network
disruptions as well as a file server that is in the
process of freezing.
FE15 Unicode tables not loaded
Unicode tables need to be loaded by any application
that needs to do Directory Services functions. Unicode
tables are installed in NLS subdirectories of the
SYS:SYSTEM and SYS:PUBLIC directories of a server.
Unicode files are also installed in the C:\NWCLIENT\NLS
directory, assuming the default installation procedure of
the client software has been performed. Unicode
filenames have the following structure:
UNI_<CP>.CTY Unicode to code page conversion.
<CP>_UNI.CTY Code page to Unicode conversion.
UNI_COL.CTY Unicode collating table.
UNI_MON.CTY Unicode monocasing table.
NWInitUniCodeTables is the internal function used to
initialise these tables. This function searches for the
tables in the following directories in the order they are
listed.
- The current working directory.
- The directory the application was loaded from.
- A directory named \NLS immediately subordinate
to the directory the application was loaded from.
- A directory named \NLS descendent from the
directory the application was loaded from.
- A directory in the DOS search PATH.
Note that the DOS PATH is the last place searched.
Consequently, storing the tables in the search path
could noticeably increase the amount of time it takes
for the tables to load.
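The search order above decides which copy of the tables is used when
more than one copy exists on a workstation. The Python sketch below is
an added example, not part of FSLOGIN or the Novell client software: it
replays the listed order over a constructed file list and reports the
directory that wins, together with any earlier directory that holds only
part of the set (for instance after a manual copy). It assumes that <CP>
and CTY stand for the code page and a three-digit country code, that a
directory counts only when all four tables are present, and that the
fourth rule means any deeper directory named NLS.

```python
import ntpath  # DOS/Windows path rules, independent of the host OS


def table_names(code_page, country):
    """Four table files for one code page / country pair (assumed naming)."""
    cp, cty = str(code_page), "%03d" % int(country)
    return ["UNI_%s.%s" % (cp, cty), "%s_UNI.%s" % (cp, cty),
            "UNI_COL.%s" % cty, "UNI_MON.%s" % cty]


def _norm(path):
    return ntpath.normpath(path).upper()


def search_order(cwd, app_dir, dos_path, files):
    """Directories in the order the README lists them, as (rule, directory)."""
    app = _norm(app_dir)
    nls = ntpath.join(app, "NLS")
    known_dirs = {ntpath.dirname(_norm(f)) for f in files}
    # Assumption: "descendent" means any deeper directory named NLS.
    deeper = sorted(d for d in known_dirs
                    if d.startswith(app.rstrip("\\") + "\\")
                    and ntpath.basename(d) == "NLS" and d != nls)
    order = [("current directory", _norm(cwd)),
             ("load directory", app),
             ("NLS below load directory", nls)]
    order += [("NLS descendant of load directory", d) for d in deeper]
    order += [("DOS PATH", _norm(p.strip()))
              for p in dos_path.split(";") if p.strip()]
    return order


def resolve_tables(code_page, country, cwd, app_dir, dos_path, files):
    """Return the first directory holding all four tables, plus any
    directories searched earlier that hold only part of the set."""
    present = {_norm(f) for f in files}
    wanted = table_names(code_page, country)
    partial = []
    for position, (rule, directory) in enumerate(
            search_order(cwd, app_dir, dos_path, files), 1):
        found = [n for n in wanted if ntpath.join(directory, n) in present]
        if len(found) == len(wanted):
            return {"position": position, "rule": rule,
                    "directory": directory, "partial": partial}
        if found:
            partial.append((directory, sorted(set(wanted) - set(found))))
    return {"position": None, "rule": None, "directory": None,
            "partial": partial}


# Constructed sample: a complete set in the client directory and an
# incomplete manual copy below the load directory.
SAMPLE_FILES = (
    [r"F:\LOGIN\FSLOGIN.COM"]
    + [ntpath.join(r"C:\NWCLIENT\NLS", n) for n in table_names(437, 1)]
    + [ntpath.join(r"F:\LOGIN\NLS", n) for n in table_names(437, 1)[:2]]
)

if __name__ == "__main__":
    print(resolve_tables(437, 1, r"F:\LOGIN", r"F:\LOGIN",
                         r"C:\DOS;C:\NWCLIENT\NLS", SAMPLE_FILES))
```

With the sample data the tables are only found at the fifth position,
through the DOS PATH, and the incomplete F:\LOGIN\NLS copy is reported.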
FED3 Workstation out of memory
Make sure FSLOGIN is not running from within a
secondary command processor that is often used to
'Go To DOS' from within an application.
FF22 The password has been disabled
This is a Directory Services error. The current password
for the user has expired, and there are no more grace
logins available. The supervisor must assign another
password to this user or reset the number of grace
logins to be able to continue. It is advisable to give
users more than one grace login, so they will be able to
change their password themselves. Setting the number
of grace logins to zero will disable the possibility for a
user to change a password once the password has
expired. The only difference between an expired
password and a disabled password at this point is the
grace login mechanism. See also 89DE.
FF24 This account has been disabled
This is a Directory Services error. The account (userid)
exists but cannot be used, because it has been disabled
by the supervisor. Note that accounts can also expire
automatically at a pre-determined date in the future.
See also 89DC.
FF25 Not authorized at this station
This is a Directory Services error. There is a station
restriction for this account. For security reasons a
restriction can be made that certain accounts can be
logged into from certain workstations only. See also
89DB.
FF26 Not authorized at this time
This is a Directory Services error. There is a time
restriction for this user, which prevents login at this
moment. Time restrictions are set by the supervisor,
system-wide or per user. See also 89DA.
FF27 Maximum concurrent connections in use
This is a Directory Services error. The user tried to log in
from a number of workstations at the same time.
However, a limit has been set to the number of stations
that this user can log in from at the same time. Either
the limit could be increased for this user or the user
should log out from another workstation first. See also
89D9.
FF3B Intruder lockout
This is a Directory Services error. There have been a
number of attempts to log in with this userid in
combination with an incorrect password. The user
either has to wait for the intruder lockout time to
expire, or the intruder lockout can be cleared by the
supervisor. This error can only occur when the intruder
lockout mechanism for the server or the network has
been activated. See also 89C5.
FF3E Your credit has exceeded
This is a Directory Services error. The user has no more
credits to continue working. The supervisor should
assign enough credit by means of NETADMIN or
NWADMIN for the user to be able to work. This only
occurs on servers with an activated (Novell) accounting
system. See also 89C2.
FF3F No account balance
This is a Directory Services error. This userid, also
called account, has no initial account balance to work
with. The supervisor should assign an account balance
by means of NETADMIN or NWADMIN. This only
occurs on servers with an activated (Novell) accounting
system. See also 89C1.
APPENDIX C: REGISTRATION AND SUPPORT
Feel free to use Full Screen Login free for a period of
30 days. After this period you are expected to register
or stop using it. The registration fee is based on a
single file server license. When used on more servers,
each server should have its own license or better, a site
license should be obtained. See also SITELIC.TXT.
HOW TO REGISTER
You can register by filling in the REGISTER form which
is on the diskette or in the ZIP file and send it by fax,
airmail or email to:
Confirm
Ardèchelaan 35
6904 NG Zevenaar
The Netherlands
CompuServe : 100334,572
Internet : 100334.572@compuserve.com
Phone : (+31) 316 - 524988
Fax : (+31) 316 - 341580
BBS : (+31) 316 - 340391
Registration differs for the Netherlands, Belgium,
Germany, other countries of the European Economic
Community, the United States and other countries.
When none of these countries applies to you, you are
expected to follow the US procedure, or contact
Confirm for another arrangement. See also the
REGISTER.XX forms on the distribution diskette or the
archive file.
Registered users receive a printed manual per server
together with the latest release of FSLOGIN, which is
'personalised' with the name of their company and
other license information.
SUPPORT
Registered users are offered free support for a period of
six months. It is our goal to answer all questions within
a reasonable amount of time.
New versions of FSLOGIN are published on a regular
basis. Publishing is mainly done by providing a Bulletin
Board Service of our own, on which the latest files are
available, and by uploading the unregistered evaluation
copy to the NOVUSER forum on CompuServe.
Registered users of FSLOGIN version 2 can download a
newer, unregistered evaluation copy of FSLOGIN
version 2, and use that to update their license.
Registered users receive further information on how to
apply an unregistered version to their license.
Registered users also receive information about how to
update if they do prefer shipment of newer versions by
Confirm.
APPENDIX D: THE SHAREWARE CONCEPT
Shareware distribution gives users a chance to try
software before buying it. If you try a Shareware
program and continue using it, you are expected to
register. Individual programs differ on details. Some
request registration while others require it, some
specify a maximum trial period. With registration, you
get anything from the simple right to continue using the
software to an updated program.
Copyright laws apply to both Shareware and
commercial software, and the copyright holder retains
all rights, with a few specific exceptions as stated
below. Shareware authors are accomplished
programmers, just like commercial authors, and the
programs are of comparable quality. (In both cases,
there are good programs and bad ones!)
The main difference is in the method of distribution.
The author specifically grants the right to copy and
distribute the software, either to all or to a specific
group. For example, some authors require written
permission before a commercial disk vendor may copy
their software.
Shareware is a distribution method, not a type of
software. You should find software that suits your
needs, whether it is commercial or Shareware. The
Shareware system makes fitting your needs easier,
because you can try before you buy. And because the
overhead is low, prices are also low. Shareware has the
ultimate money-back guarantee -- if you do not use the
product, you do not pay for it.
The Ombudsman
This program is produced by a member of the
Association of Shareware Professionals (ASP). ASP
wants to make sure that the shareware principle works
for you. If you are unable to resolve a shareware-
related problem with an ASP member by contacting the
member directly, ASP may be able to help. The ASP
Ombudsman can help you resolve a dispute or problem
with an ASP member, but does not provide technical
support for members' products. Please write to the ASP
Ombudsman at 545 Grover Road, Muskegon, MI
49442-9427 USA, FAX 616-788-2765 or send a
CompuServe message via CompuServe Mail to ASP
Ombudsman 70007,3536.
APPENDIX E: DISCLAIMER - AGREEMENT
Users of FSLOGIN must accept this disclaimer of
warranty:
"FSLOGIN is supplied as is. The author or Confirm
disclaims all warranties, expressed or implied, including,
without limitation, the warranties of merchantability
and of fitness for any purpose. The author assumes no
liability for damages, direct or consequential, which
may result from the use of FSLOGIN."
FSLOGIN is a "shareware program" and is provided at
no charge to the user for evaluation. Feel free to share
it with your colleagues, but please do not give it away
altered or as part of another system. The essence of
"user-supported" software is to provide personal
computer users with quality software without high
prices, and yet to provide incentive for programmers to
continue to develop new products. If you find this
program useful and find that you are using FSLOGIN
and continue to use FSLOGIN after a trial period of 30
days, you must make a registration payment to
Confirm. You can register by filling in the register form
you find on the diskette or the ZIP file and send it by
fax or airmail to Confirm in the Netherlands. The
registration fee will license one copy for use on any one
Novell NetWare server at any one time. You must treat
this software just like a book. An example is that this
software may be used by any number of people and
may be freely moved from one server location to
another, so long as there is no possibility of it being
used at one location while it is being used at another.
Just as a book cannot be read by two different persons
at the same time.
Users of FSLOGIN must register and pay for their
copies of FSLOGIN within 30 days of first use or their
license will be withdrawn.
Anyone distributing FSLOGIN for any kind of
remuneration must first contact Confirm for written
authorization. This authorization will be automatically
granted to distributors recognized by the (ASP) as
adhering to its guidelines for shareware distributors,
and such distributors may begin offering FSLOGIN
immediately (however, Confirm must still be advised so
that the distributor can be kept up-to-date with the
latest version of FSLOGIN).
You are encouraged to pass a copy of FSLOGIN along
to your colleagues for evaluation. Please encourage
them to register their copy if they find that they can
use it.
Confirm
Ardèchelaan 35
6904 NG Zevenaar
The Netherlands
CompuServe : 100334,572
Internet : 100334.572@compuserve.com
WWW : ourworld.compuserve.com/homepages/confirm
Phone : (+31) 316 - 524988
Fax : (+31) 316 - 341580
BBS : (+31) 316 - 340391