README.TXT FSLOGIN 2.22
--------------------------------------------------------------

FSLOGIN
A login program for all Novell users

Association of Shareware Professionals (R) MEMBER

FSLOGIN is a registered trademark of Confirm.
NetWare is a registered trademark of Novell, Inc.

Save exceptions stated by the law no part of this publication may be reproduced in any form, by print, photoprint, microfilm or other means, including a complete or partial transcription, without the prior written permission of Confirm. Only Confirm is qualified to collect the dues indebted by others for copying.

Copyright (c) Confirm 1993, 1996, Zevenaar, The Netherlands. All Rights Reserved.


TABLE OF CONTENTS

FOREWORD
CHAPTER 1: THE PURPOSE OF THIS PROGRAM
CHAPTER 2: HOW TO INSTALL FSLOGIN
    2.1 Server installation
    2.2 Workstation installation
    2.3 Supervisor Workstation
CHAPTER 3: HOW TO CUSTOMIZE FSLOGIN
    3.1 Set default login-values
    3.2 Change global settings of FSLOGIN
    3.3 Command line parameters
CHAPTER 4: HOW TO USE FSLOGIN
    4.1 Edit keys
    4.2 Function keys
    4.3 Using NetWork News
CHAPTER 5: HOW TO SEARCH IN NDS.
CHAPTER 6: PASSWORD EXPIRED!
CHAPTER 7: PASSWORD SYNCHRONIZATION
CHAPTER 8: FSLOGIN AND DIALIN SERVERS
CHAPTER 9: NOTES
    9.1 Login script parameters
    9.2 NDS restrictions
APPENDIX A: ERRORLEVELS
APPENDIX B: ERROR CODES
APPENDIX C: REGISTRATION AND SUPPORT
APPENDIX D: THE SHAREWARE CONCEPT
APPENDIX E: DISCLAIMER - AGREEMENT


FOREWORD

The idea to develop a menu driven login program actually came from users, who were dissatisfied with the standard command line utility. They wanted and needed more than a few lines of text on their PC screens when login was not possible, a better guidance through the changing of passwords and an easier way to log into their network. FSLOGIN version 1 was first published on March 1, 1993.
Soon after the first release several new ideas were built into our program. In the meantime Novell Inc. started shipping NetWare version 4, which included a new X500 based directory system called NetWare Directory Services. NDS is different from bindery based servers, and will have a major impact on the way large networks are being administered. FSLOGIN version 2 supports both NetWare Directory Services networks, which are built around NetWare 4, and servers running the NetWare 3 and 2 operating systems.

Many thanks to those who did a fine job of evaluating, testing, talking and criticizing. They helped, and often still help FSLOGIN grow. If you have any suggestions for improvement of this product, please contact us.

Aad Slingerland


CHAPTER 1: THE PURPOSE OF THIS PROGRAM

All PC-users who are connected to a local area network with Novell servers, have at least one thing in common. They must log into the network, before applications and data become available. This is almost always done by means of the standard Novell login program. This command line utility, however, is not very attractive to use and is not very helpful, when users must be informed about network exceptions or errors.

FSLOGIN enhances the way users can login to a server or a NetWare Directory Services based network by providing a full screen, Novell menu style program. FSLOGIN is not only a different way to type some data, like the userid and the password, it also runs extensive checks on accounting and security exceptions. All kinds of reasons why a user cannot log into a network are presented in clear text in text windows. Because the user is properly informed of certain exceptions, he or she will be able to communicate better with the system administrator, instead of complaining of not being able to login.

Technically speaking, FSLOGIN is a front-end to the actual Novell login command line utility. LOGIN.EXE is still needed for the interpretation of the system and/or user login scripts.
This design assures optimum compatibility with existing login scripts and other procedures that might be used during the login process. The login script is only executed after various checks on correctness of names, accounting and security matters have been conducted.


CHAPTER 2: HOW TO INSTALL FSLOGIN

The easiest and most obvious way to install Full Screen Login is on the server it is going to be used on. FSLOGIN needs about 200 kilobytes of disk space in the SYS:LOGIN directory and about 3 kilobytes in the SYS:PUBLIC directory (section 2.1).

However, in some situations it might be desirable to install FSLOGIN on the local disk of workstations (section 2.2). One good example is when workstations must access a server through a wide area link instead of the local area network. Wide area links can be fast, but program loading still suffers from loss of speed compared to local area networks. To improve support of these kinds of environments FSLOGIN can be installed on local disk drives, as well.

Another reason for installing FSLOGIN on the local hard disk of a PC (typically the PC of the Supervisor) is to evaluate or customize FSLOGIN, without affecting other users of the network (section 2.3).

2.1 Server installation

Execute the installation batch file (INSTALL.BAT) from the drive and directory where the distribution files reside. The installation procedure prompts for the language to install and copies the program and language support files to the directory SYS:LOGIN. The file FSLOGIN.COM is also copied to the SYS:PUBLIC directory to make it accessible to users that are already logged in. All files are flagged shareable.

When the installation procedure detects the presence of a previous installation of FSLOGIN, it will prompt you to cancel the installation, or to overwrite the currently installed version or to preserve the currently installed configuration file FSLOGIN.INI.
As you will see in the next chapter the configuration file can be used to tailor FSLOGIN to your particular needs.

When you are using a NetWare 2.x server, you must grant a trustee assignment to the group EVERYONE. The reason for this is to give everyone read and file scan rights in the SYS:LOGIN directory when they are logged in. NetWare 2.x differs in this from later versions of NetWare, which make the SYS:LOGIN directory accessible at all times. Granting access can be done either by using SYSCON or with the following command line utility:

    GRANT R F FOR SYS:LOGIN TO EVERYONE

The basic installation of FSLOGIN on the server has been carried out now. You can have a first peek at what it all looks like at present.

2.2 Workstation installation

In addition to running FSLOGIN from a server, the program files can be executed from a local hard disk. Several program files must be distributed to the local hard disk to accomplish this. In general, this should not be done, because it creates a maintenance problem when a new version must be installed. However, there are situations in which installation on a local disk is preferred. For example, when a workstation is connected to a LAN through a WAN (Wide Area Network). Although wide area connections can operate at a considerable speed, they are still much slower than the LAN. Avoid program loading over WAN links whenever possible.

FSLOGIN supports these kinds of environments by making it possible to install program files on local (storage) disks of workstations thereby executing program loading from the hard disk instead of the SYS:LOGIN directory.

Example of a directory on a local hard disk:

    C:\NWCLIENT\LSL.COM
    C:\NWCLIENT\NE2000.COM
    C:\NWCLIENT\IPXODI.COM
    C:\NWCLIENT\NETX.EXE
    C:\NWCLIENT\NET.CFG
    C:\NWCLIENT\FSLOGIN.COM
    C:\NWCLIENT\FSLOGIN.OVL
    C:\NWCLIENT\FSLOGIN.CWA
    C:\NWCLIENT\FSLOGIN.PPX
    C:\NWCLIENT\FSLOGIN.LCF

To further optimize working with wide area links, the Novell LOGIN.EXE can also be copied to the same directory.
This is optional but will speed up the login process.

The only thing that needs to be done after installation is taking care that the copy of FSLOGIN.COM in the directory C:\NWCLIENT is executed. This initial program module takes care of program loading from either the local hard disk or, if needed, from the standard SYS:LOGIN directory.

Note that the file FSLOGIN.INI is not copied to the local hard disk directory. For security reasons this file is always read from the directory SYS:LOGIN, because users should not be able to modify this file themselves. Modifications in the configuration file FSLOGIN.INI should only be made by the network administrator, and to improve support to the supervisor in this task there is also the option to use the Supervisor Workstation Installation...

2.3 Supervisor Workstation

The configuration file FSLOGIN.INI contains a number of statements and textual information. If modifications are needed you probably prefer to try them in a test version, before taking changes into production. This can be done by copying FSLOGIN.INI to the C:\NWCLIENT directory as well, and by using the special command line parameter !LI, which stands for 'Use Local Ini'. An example of what to type at the command line is:

    FSLOGIN !LI

After changes to the configuration file have been tested, it can be taken into production by copying it to the SYS:LOGIN directory. Needless to say, the !LI option should not be made available to regular users of the network.


CHAPTER 3: HOW TO CUSTOMIZE FSLOGIN

FSLOGIN provides three ways to customize various options and program behaviour.

The first method to customize FSLOGIN is to use environment variables to pre-fill one or more fields in the data entry form with a specific value (see section 3.1).

The second option is to modify one or more of the text sections or statements in the customization file FSLOGIN.INI. This file resides in the SYS:LOGIN directory, together with other program files.
The text sections and statements that are specified here are system wide, meant for all users who are attached to this server (see section 3.2).

The third method to customize is to use one or more command line parameters that override one or more of the system-wide options from FSLOGIN.INI. The use of command line parameters applies only to that particular part of FSLOGIN (see section 3.3).

3.1 Set default login-values

To make daily use easier, all fields, except the password field in the Login window, can be pre-filled with a default value. When DOS environment variables are not being used, the default value for the Server or the Location field (depending on the type of connection used, Bindery mode or Directory mode) will reflect the actual situation of the workstation concerned. The default values that are to be used within the application FSLOGIN, however, can be forced to a pre-set value per workstation using DOS environment variables.

FSLOGIN uses the three environment variables: FS_CON, FS_SRV and FS_UID to specify default values for the Context, Server and Userid. When the names of these environment variables do not match the current environment setup, alternate environment variable names can be specified in the [environment] section of the FSLOGIN.INI customization file.

SET FS_CON=MY_CONTEXT

When specified, the value of this variable is placed in the Location field in the Login window. When this variable does not exist, the actual current context of the workstation is used as a default in the Location field. It is possible to suppress the default value in the Location field by giving the variable FS_CON the value NONE. By executing the DOS command SET FS_CON=NONE the default value will be suppressed.

SET FS_SRV=MY_SERVER

The Server field automatically displays the name of the server to which the PC is attached. This automatic filling in of a servername will do in a single server environment, where no server can be chosen.
However, in a multiple server environment the server to which the PC is attached is not always the one the user wants access to. The environment variable FS_SRV (or its alternate) can be used to specify another server as the default. When FSLOGIN is started again the Server field will contain the string 'MY_SERVER'. By giving the variable FS_SRV the value NONE, the default value will be suppressed.

SET FS_UID=MY_USERID

By giving the DOS command SET FS_UID=USERID, the Userid field will come up with a default. When the pre-filled values for the Server/Context and Userid are correct, the only thing the user has to do is type the corresponding password and press the enter key.

The syntax used for the value of this variable allows you to specify a partial name to appear as the default in the Userid field. This option can be useful when the userids in your organisation always have the same prefix. There are companies that use userids like ACCOUNT01, ACCOUNT02, ACCOUNT03, or SALES01, SALES02 and so on. This 'common' part of the userid can be pre-filled by typing it in the environment variable FS_UID, followed by a tilde. For example:

    SET FS_UID=ACCOUNT~

The cursor will be displayed in the Userid field at the position of the tilde (in the given example the cursor will be displayed behind the T).

3.2 Change global settings of FSLOGIN

The customization file FSLOGIN.INI in the SYS:LOGIN directory is a plain ASCII text file, which can be edited using any ASCII text editor. Comment lines start with a semicolon and can be added or deleted as required.

The customization file is divided into a number of sections each dealing with a certain topic. Major sections are a number of statement sections, the [help] section and the [messages] section. Each of these sections is described below.

[presentation]

This section contains statements that affect the way FSLOGIN displays itself on your PC screen. These are merely cosmetic functions.
Most of the statements use numbers as a value, but there are also some statements that have a string as a value. The range of valid numbers for a particular statement is described below. Do not specify numbers outside the range for a particular statement.

Align=0 - 1

The data entry windows (the Login Data window and the Password Change window) and most of the message windows can be left aligned on the tenth column of the screen or can be centred on the screen. When these windows are left aligned, it's easier for the human eye to 'catch' the place where typing has to start. This is due to the natural habit to start reading at the left top of a page, or in this case the display screen. The benefit of the centred windows is that text modifications in the text windows are easier to do.

  0 = No left alignment (auto-centre)
  1 = Left alignment

Dimmer=0 - 9

The built-in screen dimmer becomes active after a certain time of keyboard inactivity. You can set the period of time with the Dimmer= statement.

  0 = The built-in screen dimmer is disabled.
  1-9 = The period, measured in minutes, after which the screen dimmer will be activated.

The screen dimmer can also be disabled using the !ND command line parameter, but it only affects that particular part of FSLOGIN.

DimmerProg=

The built-in screen dimmer can be replaced with an external dimmer program. When, after a certain time of keyboard inactivity, the dimmer-function becomes active and an external dimmer program has been specified, that program will be loaded. If loading of the external dimmer program fails, the built-in screen dimmer is activated as usual. The external dimmer program can be specified in the [presentation] section of FSLOGIN.INI. For example:

    [presentation]
    Dimmer=5
    DimmerProg=c:\util\pcxview c:\util\company.pcx

These statements result in the loading of a PCX viewer program that presents a company logo PCX file. When the external dimmer program ends (by user action or otherwise) the FSLOGIN screen is restored.
It should be understood that the amount of conventional memory is limited, but most PCX viewers can operate in as little as 100 kilobytes of conventional memory.

Explode=0 or 1

  0 = Disable the exploding windows effect.
  1 = Enable the exploding windows effect.

HideContext=0 - 1

The NDS login screen shows a Context (Location) field in which the user can specify a context before logging in. This Context field is not actually needed when the NDS search feature is being used. The HideContext= statement controls whether this field shows up or not. Note that regardless of this setting, the user can still press the F5 function key to select a specific context for the login process. The F5 function key is controlled by the NDSList= statement in a later section.

  0 = Show the Location (Context) field.
  1 = Do not show the Location (Context) field.

Password=0 - 3

The Password statement value determines what the user will see while typing a password.

  0 = Show nothing (the same effect as a 'default' Novell menu style). The cursor stays in the home position of the field and there is no further indication of what has been typed. This default might be considered the most secure option, because the length of a password cannot be seen. However, this option is not particularly user-friendly (_).
  1 = Move the cursor as characters are typed, and show spaces instead of the actually typed characters ( _).
  2 = Move the cursor and show dots instead of characters (..._).
  3 = Move the cursor and show a row of stars instead of characters (***_).

Shadow=0 or 1

  0 = Disable the shadow effect.
  1 = Enable the shadow effect behind the windows.

[operation]

The [operation] section contains a few statements that control some functional aspects of FSLOGIN.

Days=0 - 9

  0 = Disable expiration warning.
  1-9 = The number of days a user is invited to change a password, before the actual expiration date. The number of days a user is warned about the fact that his or her account is going to expire.
Changing the password before the actual expiration date is not required, so when the user presses the escape key, he or she is logged in using the current, but soon expired, password. This method, however, triggers the average user to start thinking about something new before it is too late. This option prevents unnecessary phone calls to the system supervisor.

Escape=0 - 2

The Escape key at the top level (the Login Data form) can be enabled or disabled using the 'Escape=' statement. In some environments the system administrator might want to force users to log in before doing something else on their workstation.

  0 = Disable 'escaping' from the top level menu.
  1 = Enable the user to leave FSLOGIN right away.
  2 = Show a Yes/No prompt box.

The Escape function can also be disabled by using the !NE command line parameter, but it only affects that particular part of FSLOGIN.

EscapePWX=0 - 2

This parameter determines if a user can escape from the 'Change Password' panel when the password has actually expired. When using this feature the user is more or less forced to specify a new password, thus preventing accounts that are locked out because the NetWare security system runs out of grace logins.

  0 = User cannot escape.
  1 = User can use the escape key.
  2 = User can escape but is prompted first.

KbdClear=0 or 1

In some situations it might be useful to clear the keyboard buffer to prevent unneeded characters from appearing as typed user data in the Login Data form. The drawback for fast typing users is that they will have to wait a second or so, before they can start typing their information.

  0 = Leave the keyboard buffer untouched.
  1 = Clear the keyboard buffer of the PC automatically.

PwdNumeric=0 - 9

This parameter can be used to force a certain number of numerical characters in new passwords, thereby forcing users to use more 'random' passwords in general.
The number of numerical characters enforced this way should be in 'balance' with the minimum password length specified in the NetWare security system.

  0 = Disables this feature
  1-9 = Enforce 1 through 9 numerical characters.

[environment]

This section has statements that make it possible to specify your own environment variables, which can be used to pre-fill certain fields in the Login Data form. The actual use of environment variables is explained in more detail in the previous section (section 3.1).

FS_CON=

FS_CON is the (standard) environment variable used to specify a default value for the context. If you are willing to use this environment variable, you do not have to specify this statement in FSLOGIN.INI. However, if you have already been using a different environment variable for the same purpose, you might want to customize this part of FSLOGIN to fit the environment you already have.

Let us say, for example, you are already using CONTEXT as a variable to indicate some kind of default. Instead of adding FS_CON to each workstation (in addition to the existing variable CONTEXT) it would be much easier to tell FSLOGIN to use the existing CONTEXT environment variable. That is exactly what these statements do. When such an alternate variable has been specified, FSLOGIN still looks for FS_CON first. If FS_CON does not exist in the environment of the PC, FSLOGIN looks for the value of the alternate variable.

FS_SRV=

This statement specifies an alternate variable to be used in addition to or instead of FS_SRV. FS_SRV, or its alternate, is used to specify a default Server name in the Login Data form.

FS_UID=

This statement specifies an alternate variable to be used in addition to or instead of FS_UID. FS_UID, or its alternate, is used to specify a default Userid.

[network]

The network section contains statements, which identify which Novell login program has to be used as the actual login script interpreter.
The default for both programs is the standard program name LOGIN.EXE. However, there might be situations that require a different program to get control first. One example is the use of Intel LANDesk Manager, which comes with its own LOGIN.COM program. Another possibility of this feature is to rename the standard LOGIN.EXE to a different filename, for example LOGIN.312 or LOGIN.410, thereby preventing users from accessing the standard login program directly.

Logout=0 - 1

The Logout statement controls whether a logged in user is logged out immediately when FSLOGIN is started or not. When the immediate Logout option has been enabled the current LPT port captures are closed and the current account is logged out. When the Logout option is not used, the user at the PC can return to DOS (depending on the setting of the Escape statement discussed below) and find the workstation in the same state as just before starting FSLOGIN. The Logout option is for Bindery mode connections only. It does not function with NDS based connections.

  0 = Disable the automatic bindery logout.
  1 = Enable the automatic directory logout.

EndOfJob=0 - 1

The EndOfJob statement controls the usage of the EndOfJob network function call. This particular function is used to tell the server to cleanup internal tables for the connection, like the open files table. Normally the EndOfJob processing should be done, but in some particular configurations with network software for other purposes this function call can cause problems. If a workstation with, for example AS400 folder software, hangs during login, try switching to EndOfJob=0.

PreProcess=

This option allows the execution of a program or batchfile before the actual login script processing. The PreProcess can be, for example, a virus check program. The benefit of using the PreProcess option is the amount of conventional memory that is available compared to using the '#' statement in the NetWare 2.x or 3.x LOGIN.EXE program.
A preprocess program or batch file can be specified in the [network] section of FSLOGIN.INI. For example:

    [network]
    PreProcess=z:\public\preproc.bat

The PreProcess can also be a program or batchfile that is located in the DOS PATH of the workstation, but specifying an explicit path is a better way to get the right process executed. It should be understood that the PreProcess runs within the trustee rights of the logged in user. The one and only drive letter that is available during execution of the PreProcess is drive letter Z:, which points to the SYS: volume.

BorderLine=200000

This parameter is used by FSLOGIN as a file size value to be compared with the size of the NetWare login program being executed by FSLOGIN in bindery mode. The actual NetWare program to be executed in Bindery mode is specified in the BINLogin= statement. When the file size of this program is greater than the value of BorderLine=, the /B parameter is added to the range of other parameters passed to that program. Using this method of 'auto detecting' the version of the login.exe program being used eliminates the need for a NetWare 3.x login program to be used by FSLOGIN for bindery mode login to a NetWare 4 server. The default value only needs to be changed when an executable file compressor like PKLITE is being used.

BINLogin=login.exe

The login script interpreter to be executed when a Bindery based login has to be performed. Some other third party products require their own login front-end to be executed first, for example LOGIN.COM.

NDSLogin=login.exe

The name of the NetWare 4 LOGIN.EXE to be used for a Directory-based login to the network.

NDSSearch=0 - 1

This statement controls whether the NDS search feature is turned on or off. Further refinements of the search process are made in subsequent statements.

  0 = Do not use the NDS search feature at all.
  1 = Use the NDS search feature.

LevelsUp=0 - 9

The LevelsUp= statement controls if, and how many steps, the NDS search feature is allowed to go upwards in the directory tree, in search of a particular userid. LevelsUp=0 disallows the NDS search feature to start a new search for a userid upwards in the Directory Tree, while LevelsUp=9 allows the NDS search feature to go all the way up to [root] level in order to search for a userid.

  0 = Do not start a new search in a higher level of the tree.
  1-9 = If a userid is not found in the first search, start again one level upwards in the NDS tree, if needed and allowed again one level upwards etc...

CrossPartition=0 - 1

This statement controls whether a second, or subsequent, search attempt is allowed beyond the current NDS partition the workstation is in. This restriction on the NDS search feature could be useful to limit the search for a userid to one particular NDS partition, thereby reducing WAN traffic to other sites of the company with other NDS partitions. This is a way to restrict a search for a userid to one particular part of an organisation. The CrossPartition statement only has effect in combination with the LevelsUp statement.

  0 = Do not allow the NDS search feature to cross a partition boundary.
  1 = Allow the NDS search feature to search beyond a partition boundary.

WildCard=0 - 1

The WildCard= statement controls whether wildcards in the userid field are allowed. Wildcards can be used to build a list of userids that match a particular pattern. The list is presented to the user who initiated a wildcard search. The user can then pick his/her userid from the list.

  0 = No wildcards allowed in NDS search.
  1 = Wildcards are allowed in NDS search.

ChangeWsCxt=0 - 1

This parameter determines if the workstation's default context is changed to the context of the user that actually logs into NDS. The default workstation context is normally set in NET.CFG with the 'name context' parameter.

  0 = Do not change the default workstation context.
  1 = Change the workstation context to the context of the user.

[syncpassword]

The syncpassword section is used to customize the password synchronization feature. The first statement, SyncPrompt=, controls whether a user is prompted for additional old passwords during the password synchronization process. The statement SyncResult controls the amount of information a user gets when a new password has been synchronized among multiple servers. The SyncGroup= statement is used to disable or enable password synchronization. The additional utility FSLSYNC is a tool for the Supervisor to exclude certain servers from the synchronization process. See chapter 6 for more information about password synchronization.

SyncPrompt=0 - 1

  0 = Do not prompt the user for an old password for a specific server but cancel the synchronization attempt for this server.
  1 = Prompt the user for an old password if needed.

SyncResult=0 - 3

  0 = The user is not informed about the result of the synchronization operation at all.
  1 = This value results in a list of messages with one line for each server that has been processed for a new password. This is the most complete set of information.
  2 = This value results in a list with servers on which synchronization did not succeed. Only errors that are of some meaning to the user are displayed, other errors are not shown. To be more precise: the errors between 0003 and 89DE are shown (See also: Appendix B of the file README.TXT or the manual).
  3 = Only servers on which the password was successfully changed are shown in the list.

SyncGroup=0 - 2

  0 = Password synchronization is disabled.
  1 = Synchronization is enabled and all the servers in the (inter)network are treated as one logical group.
  2 = Synchronization is enabled and FSLOGIN uses the list of servers that follows the SyncGroup= statement.

[dialin]

The [dialin] section contains two statements that control the way in which FSLOGIN acts when the dialin command line option is in effect.
Dialin security is a feature that can be used on PCs that act as a dialin host. This statement only has effect when used in combination with the !DI command line option. This feature is explained in more detail in a separate chapter (see section 3.3).

MaxCount=0 - 9

This statement specifies the maximum number of login attempts that can be made by a user connected to a dialin host computer. When the user keeps on specifying incorrect information FSLOGIN resets the COM ports and boots the Dialin host PC.

  0 = There is no maximum of login attempts.
  1-9 = The number of login attempts via dialin.

MaxTime=0 - 9

  0 = Dialin connections are not limited in time.
  1-9 = The number of minutes you are allowed to be logged in on a dialin host PC. After this period expires FSLOGIN resets the COM ports and boots the Dialin host PC.

[lists]

Various list functions are available within FSLOGIN. The list functions range from a DirectoryList of the directory tree when working in Directory Services mode, a ServerList of servers when working in Bindery mode and a UserList feature, which is a specific feature for the system administrator. The various list functions can be completely disabled or customized for a specific network environment.

NDSList=0 - 1

The NDSList statement specifies whether the DirectoryList (the F5 function key) can be used or not. Users can get an overview of container objects in the Directory tree and browse through the tree to set the correct context for their login.

  0 = Disable the DirectoryList.
  1 = Enable the DirectoryList.

ServerList=0 - 3

  0 = The ServerList function (the F5 function key) is disabled.
  1 = All Novell servers in the entire network are visible to the user.
  2 = Restrict the names of servers in the ServerList and specify up to 16 servers which may be displayed. Wildcards in each individual 'name' are allowed. For example: ServerList=2 home_server second_server third_server other_*
  3 = Do not allow the Servername field of the Login Data form to be edited.
      The effect is that the user can pick from the custom list of servers after the ServerList statement, but cannot alter the name in the Servername field.

UserList=0 or 2

This statement defines the behaviour of the UserList function (the F7 function key).

  0 = Turn this feature off.
  2 = Enable a popup list of the names that are specified right after the UserList= statement. The following example presents a small list of three user names when the F7 key is pressed. For example: UserList=2 Supervisor Lanvisor Admin

When you specify only one name in this list, most probably Supervisor, the list is not displayed on the screen and the F7 key directly places this name in the Userid field.

UserXList=0 or 2

The User eXclude List is a feature to prevent certain userids from being used. Although these userids might actually exist, they are reported as invalid.

  0 = Disable this feature
  2 = Enable the list of userids that should be restricted from accessing the server or network through FSLOGIN. For example: UserXList=2 GUEST ACCOUNT99

[help]

The [help] section of FSLOGIN.INI contains the help items and their corresponding text. Each help item is defined by a double semicolon as the first two characters on a line. The text immediately following the double semicolon is the exact text that is displayed in the list of help items when the user presses the F1 function key.

The associated text of the help item is the block of text that immediately follows the help item definition. The text block can be modified, reformatted and/or translated using an ASCII text editor. The first blank line following the text block indicates the end of a block. Blank lines in a text block can be added by using a TAB character instead of a plain blank line with only a Carriage Return. For an example see the ::FunctionKeys item. This item has a text block with, at first sight, blank lines in between. The blank lines actually contain a TAB character. For example:

    ::MyHelpItem
    First part of help text...
    Second part of help text...
    Third and last part of help text...

Extra help items with company specific text can be added to the [help] section. The total number of help items is restricted to sixteen.

[messages]

This section contains a large number of text items that are being used throughout the operation of FSLOGIN. Almost every piece of text that can appear on the screen can be customized.

The [messages] section contains single line items and multi-line items. A single line item consists of an identifier, an equal sign and, on the same and only line, the corresponding text. The multi-line items consist of a semicolon followed by the identifier and, on the next line or lines, a block of text.

Single line items are used for small amounts of text that are used as, for example, a window header, whereas the multi-line items are used for message windows. Some text items contain characters like %s or %d. These special characters, well known to all C programmers, are placeholders for other information.

WhatToDo?

Modify, rearrange or even translate pieces of text to fit your own needs. Build your own customized help. Show the availability of certain function keys on the 25th row of the display screen. But...

WhatNotToDo!

Do not delete text items from the [messages] section. Do not modify the identifiers in the [messages] section, and do not even change their case, because the identifiers are case sensitive.

When using a word-processor to reformat some text, be sure to save the FSLOGIN.INI file in plain ASCII mode. The proper functioning of FSLOGIN will be disrupted when the FSLOGIN.INI file is stored in some word-processor format.

3.3 Command line parameters

Command line parameters can be used to change system-wide settings or default values for a particular workstation or particular type of usage. Command line parameters are divided in two types:

- FSLOGIN specific parameters that start with an exclamation point and which are used to override a specific system-wide setting.
- Familiar command line parameters that are used to specify a specific server, userid, context or a combination of these.

When a combination of the FSLOGIN specific parameters and the Familiar parameters is used, the former should be specified first. For example:

    FSLOGIN !ND Server/Userid

The syntax and meaning of the FSLOGIN specific command line parameters are as follows:

!ND (NoDimmer)
    The NoDimmer option might be useful when FSLOGIN is used in combination with asynchronous dial-in servers. The reason is that the dimmer uses the keyboard hardware interrupt (INT09) to detect the press of a key. Most dialin host products are not able to transport this kind of low-level keyboard handling.

!NE (NoEscape)
    Disables the Escape function in the Login Data form. This prevents the user from Escaping back to DOS without first completing a login sequence.

!NS (NoServerList)
    The ServerList and the DirectoryList function of this workstation are disabled now (both functions use the F5 function key).

!NU (NoUserList)
    This command line parameter disables the UserList function (the F7 function key).

!DI (CheckDialin)
    Activate the dialin specific parameters in FSLOGIN.INI. These specific dialin parameters are MaxCount and MaxTime. The use of the !DI parameter also automatically activates the !NE and !ND settings.

Familiar command line parameters are used to specify certain default values for the Location (Context), the Server or the Userid field or a combination of these. These command line parameters are called 'familiar' because they have the same syntax notation as the command line parameters that can be used by the Novell LOGIN.EXE program.

A side-effect of using these parameters is the possibility to select the bindery or NDS mode login screen of FSLOGIN (provided that the client software supports both modes).
The syntax forms of the familiar command line parameters and the effect on the mode are as follows:

    Syntax                    Mode
    FSLOGIN SERVER/USERID     Bindery
    FSLOGIN SERVER/           Bindery
    FSLOGIN /USERID           Bindery
    FSLOGIN /                 Bindery
    FSLOGIN USERID            Bindery or NDS
    FSLOGIN USERID.           NDS
    FSLOGIN USERID.CONTEXT    NDS
    FSLOGIN .CONTEXT          NDS
    FSLOGIN .                 NDS

CHAPTER 4: HOW TO USE FSLOGIN

Once installed, Full Screen Login is available for use. Just type FSLOGIN and the Login Data menu pops up. The name of the default server, to which the workstation is attached, is automatically displayed in the Server field.

In order to see how to login via this window, you can fill in the name of a Userid and press the enter key. The highlight moves on to the Password field. When a password is required for this userid, fill it in. Otherwise leave this field blank. When all datafields are entered correctly, press the enter key.

The data will be validated, and when something is wrong, you will be informed. When the validation is okay, and there are no other accounting and security restrictions, the login process continues with the execution of the system and user login scripts. You, as a system supervisor, do not have to change anything in existing login scripts or other procedures in order to use FSLOGIN.

4.1 Edit keys

In contrast to the 'standard' Novell menu interface, the cursor is always visible in the input fields. This relieves the user from the user-unfriendly difference between moving between fields and editing them. When the highlight is moved to another field, that field automatically switches to edit mode and the cursor is shown.

The keys to move between the fields are: Tab (next), BackTab (previous), Up Arrow (previous) and Down Arrow (next). The Enter key also moves the highlight down (next) until used in the last field of a form (execute).

The keys to move the cursor in a field while editing are: Home (first position), End (last position), Left Arrow (back) and Right Arrow (forward).
4.2 Function keys

F1=Help
    The basics of this utility are explained in the on-line help text and will give the average user enough information to log in without any problems.

    Select a topic
        The information is presented as a list of topics from which you can choose. The Up Arrow, Down Arrow, Page Up and Page Down let you change the selection. Press Enter and the information on the chosen topic will be displayed.

    Move within Help
        You can display large help texts by scrolling through them. The cursor indicates the position in the help text and can be used as a kind of bookmark. Use the keys: Up Arrow, Down Arrow, Page Up and Page Down.

    Leave Help
        Escape brings you back again (from the help text to the help topic list, from the topic list to the login screen).

F2=Info
    The Info function key displays license information about the current license as well as address information about Confirm. You can use this information for all your correspondence with Confirm.

F4=Switch
    The Switch function key switches between a Bindery-based server connection and a Directory Services-based connection. This feature makes it possible to override the default configuration of the Novell client software. The Switch function can only be used when the Novell client software supports both Bindery and Directory connections.

F5=DirectoryList
    The DirectoryList gives an overview of the NetWare Directory tree. The object types that are useful for the login process are displayed: Organization (O=), Organizational Unit (OU=), Country (C=) and Locality (L=), which are all container objects. In addition, the Parent Object (..) and the Current Object (.) are displayed so you can move through the Directory Tree.

    Select another context (F5 - F10)
        Finally the user can select a new context with the F10 function key. The selected context is displayed in the Location field of the Login Data form and is also actually set as the default for that workstation at that particular moment.
F5=ServerList
    When working in a multiple server environment, the ServerList function becomes valuable. Press F5 to obtain an overview of all available file servers in your network, and select one. The F5 function key is independent of the currently highlighted field. After selecting a server the highlight will return to the original position.

    The supervisor can restrict the end-user view on the network by disabling the ServerList function or by limiting the ServerList to a custom specified list. See the chapter on 'How to Customize Login' for more information.

F6=ChangePassword
    Once in a while a password should be changed. The user can change the current password to something new at the moment of login. All the user has to do is fill in the Login Data window with the usual information and press the F6 function key INSTEAD of the Enter key. FSLOGIN will prompt for a new password now.

F7=UserList
    There is one specific userid, which is probably typed thousands of times each day by thousands of supervisors. Just press the F7 function key and look what happens. FSLOGIN presents you with a list of a few very often used names. Move the highlight to the one you need and press the Enter key. After pasting the chosen username in the Userid field, the highlight goes straight to the Password field, since this is most likely the place you want to go.

    The three names that appear in the list right after installation are just examples. The names that are to appear in the list can be customized in FSLOGIN.INI. If security is very important and you do not want users to 'discover' the existence of a supervisor userid, you can turn this feature off by using the statement UserList=0 (see section 3.3).

F9=ActivateDimmer
    The built-in screen dimmer or the external dimmer program can be activated with the F9 function key at any place in the program.
F10=SelectContext
    When a DirectoryList is being displayed, a new Context can be made active by highlighting the name and pressing the F10 function key. The new context is presented in the Location field and is used for subsequent logins.

CHAPTER 5: HOW TO SEARCH IN NDS

The NDS search feature of FSLOGIN is a powerful way to ensure maximum user-friendliness in a NetWare 4 environment. The user does not have to explicitly specify the correct context but can leave that job to the NDS search feature. This feature, however, requires some understanding of the structure of NetWare Directory Services and the way an account is searched for.

The following scenarios describe step by step what happens when the NDS search feature is not being used and what the options are when it is being used.

5.1 When NDSSearch=0

The user starts FSLOGIN and a login data entry window is presented. Two of the fields in this window can be pre-filled with information (Location and Userid). The initial value of the Location (Context) field is taken from one of the following sources (in order of precedence):

- the environment variable FS_CON (if it exists).
- the alternate environment variable (instead of FS_CON) specified in the FSLOGIN.INI file in the section [environment] (if it exists).
- The current (default) context of the workstation (if it is defined).
- The value [ROOT] (if all above fails).

Depending on the user requirement the user needs to modify the value in the Location (Context) field. The user can use the NDSList feature (the F5 function key) to 'walk' through the directory tree, thereby positioning the correct context.

If the user fails to specify the correct combination of context and userid, the user is presented an error message telling so.

5.2 When NDSSearch=1

First of all the user does not have to see the Location (Context) field in the login window at all. This is controlled by the HideContext= statement in FSLOGIN.INI.
The display of the Location field in the login window is a matter of preference. It does not turn 'on' or 'off' the NDS search feature.

Although the Location (Context) field does not need to be 'visible', it still is being used internally. The value of the (hidden) Context field is derived in the same way as described above in 'When NDSSearch=0'.

Given a certain value for the Context and userid, FSLOGIN validates this context and userid. If there is a match no further NDS searching is needed at all. If there is no match, the NDS search feature is activated and a search is done for the userid downwards from the given context in the directory tree.

If the userid is found in a subtree, FSLOGIN continues to check the password and eventually starts the login process. However, there might be more than one instance of the same userid in different subtrees. In that case a list is presented with the canonicalized names of the users found. It's up to the (human) user to pick the right one from the list and continue.

When LevelsUp=0

Suppose the specified userid in the previous example could not be found at all in the subtrees of the given context? One option is to stop here and tell the user to do some homework and come back later. This is the case when LevelsUp=0.

When LevelsUp=1 - 9

It is, however, possible to let FSLOGIN search in a bigger part of the directory tree. The LevelsUp statement controls how many times FSLOGIN can take one step upwards in the directory tree and start a new search from that point.

The NDS search feature takes one step upwards at a time, and if one or more userids are found FSLOGIN continues as described above: it either starts the next part of the login process or presents the (human) user with a list of userids in different parts of the directory tree.

When LevelsUp=9 has been specified in the FSLOGIN.INI file, the effect is that eventually the entire directory could be searched for a particular userid.
Especially in large networks with Wide Area connections, this could result in unwanted delays and unwanted WAN traffic. Therefore a brake has been built in to limit the search to an NDS partition.

When CrossPartition=0

The CrossPartition statement controls whether the LevelsUp method is allowed to cross the border of an NDS partition. Given a certain context, that has either been filled in by the environment variable FS_CON or by specifying the appropriate statement in NET.CFG, the CrossPartition statement limits the NDS search feature to the NDS partition the workstation is in.

However, it should be understood that the user is able to change the current context either with the CX command line utility or within FSLOGIN with the NDSList feature (the F5 function key). This makes it possible for the more experienced user to specify another context beyond or above the 'original' NDS partition in the Directory tree. An experienced user could choose the [root] as the current context and start a search from that point downwards.

When WildCard=1

When wildcards are allowed, all userids matching a specific pattern can be retrieved and put in a list. A wildcard userid can also be a '*', which results in a list of userids in the current context and below.

CHAPTER 6: PASSWORD EXPIRED!

An expired password is almost always a source of inconvenience. Most users manage well by reading the line mode text from the Novell Login program. Some users, however, will always succeed in locking up their userid and have to call for supervisor assistance. FSLOGIN helps most users to take this hurdle in a friendly way and, most important, without help of a system administrator.

The first step FSLOGIN takes is notifying the user that his or her password is going to expire a specific number of days in the near future and, at the same time, giving the user the possibility to change it right away.
When the user takes no action the user will be forced to change the password on the actual expiration date. It is possible to Escape from the Password Change form, but in that case the user will not be logged in.

ATTENTION

This method of 'inviting' a user to change a password does not mean that the grace login mechanism of the Novell security system is not needed any more. At least one grace login is needed to be able to change the current password into a new one. So do not set the grace login count for users to zero! When there are no grace logins left, there is no way a user can log in. Neither with the Novell login program, nor with any other program!

CHAPTER 7: PASSWORD SYNCHRONIZATION

When an organisation needs more than one server, either because of capacity or functionality, and chooses not to use the NetWare 4 Directory Services, the system administrator is faced with the problem of separate administrations for users and groups. The users that have an account on more than one server also need to be aware of the fact that their userid and corresponding password are different entities on each server.

NetWare Directory Services is the best solution for this kind of problem, but a lot of servers are still operating under control of NetWare version 3 or even NetWare version 2. However, FSLOGIN has a password synchronization feature that assists the user in maintaining the same password for all servers that have the same account defined for that user.

The password synchronization feature is turned off by default, because of the major impact it could have on larger networks with lots of Wide Area Network (WAN) connections. Password synchronization can be configured to treat all the servers in the network as one large group, or the servers can be subdivided in smaller logical groups, called Synchronization Groups.
It is the system administrator's responsibility to make a decision how to implement the password synchronization feature based on the size of the network and the way people are used to work in the organisation.

When the password synchronization feature has been enabled, either globally or with a synchronization group, and the user specifies a new password, FSLOGIN will try to apply that new password to all the servers in the group. It is important to understand that all this processing is done on behalf of the logged in userid, so when the accounting restrictions on one particular server in the group do not allow the user to change the password, it will not be changed.

The user is informed about this process with a message on row 25 of the display. When FSLOGIN detects that the old password for a particular server is not valid, it will prompt the user to enter the (good) old password for that particular server.

The benefit of using the password synchronization feature of FSLOGIN is that it is independent of the current logged in state of the user (all servers in the logical group are processed).

The customization file FSLOGIN.INI contains a section called [syncpassword]. This section contains three statements that can be used to customize password synchronization. The SyncGroup= statement is used to disable or enable synchronization. The SyncPrompt= statement is used to specify if a user should be prompted for an old password, if needed. The SyncResult= statement determines to what extent the user is informed about the result of a synchronization operation.

SyncPrompt=0 - 1

    0 = Do not prompt the user for an old password for a specific server but cancel the synchronization attempt for that server.
    1 = Prompts the user for an old password if needed.

SyncResult=0 - 3

    0 = The user is not informed about the result of the synchronization operation at all.
    1 = This value results in a list of messages with one line for each server that has been processed for a new password. This is the most complete set of information.
    2 = This value results in a list with servers on which synchronization did not succeed. Only errors that are of some meaning to the user are displayed, other errors are not shown. To be more precise: the errors between 0003 and 89DE are shown (See also: Appendix B of the file README.TXT or the manual).
    3 = Only servers on which the password was successfully changed are shown in the list.

SyncGroup=0 - 2

    0 = Password synchronization is disabled.
    1 = Synchronization is enabled and all the servers in the (inter)network are treated as one logical group.
    2 = Synchronization is enabled and FSLOGIN uses the list of servers that follows the SyncGroup= statement.

FSLSYNC

In addition to the statement SyncGroup=, another tool is available to control which server 'belongs' to the logical group or not. The FSLSYNC utility is a tool to exclude certain servers from the password synchronization process. This utility should be run by the Supervisor once for each server that should not be involved. Servers that are candidates for exclusion are special purpose machines like SNA gateways, mail gateways, routers etc. The syntax of this command line utility and some examples follow:

    C:>fslsync
    FSLSYNC - (c) Confirm, 1995.
    Usage: FSLSYNC ServerName [ON | OFF]
    FSLSYNC ServerName        Show Sync status
    FSLSYNC ServerName OFF    Exclude
    FSLSYNC ServerName ON     Include again

    C:>fslsync z220
    Server Z220 can be part of the sync process.

    C:>fslsync z220 off
    Server Z220 is excluded from the sync process.

    C:>fslsync z220 on
    Server Z220 can be part of the sync process.

    C:>_

The HomeServer concept

When an organisation uses more than one server in bindery (emulation) mode, the system administrator is faced with multiple administrations (binderies) that need attention.
Especially when a number of users have accounts defined on more than one server it becomes important to avoid conflicts in the Accounting Restrictions on the different servers.

Essentially, using accounting restrictions for a particular user on more than one server is the source of most login problems for the regular user. It's like having two (or more!) captains on the same security ship, each captain having his own opinion about how the user should be treated! What if we simply could send some of those captains home and let One captain do the job for One particular user? That's exactly the concept of the HomeServer.

If the system administrator assigns each user to a particular HomeServer (most likely the server where that user has a Home or User directory) and controls Accounting restrictions for that user on that HomeServer only, we are one step further in administering a multiserver environment.

The Accounting Restrictions on the HomeServer determine when it's time to change a password. That means that for that particular user the Accounting Restrictions on other servers must be 'relaxed' in such a way that those other servers never prompt the user for a new password. That might sound like a security risk at first, but take into consideration that the user will first login to the HomeServer. That's where his/her data is after all.

CHAPTER 8: FSLOGIN AND DIALIN SERVERS

Most of the Local Area Networks are not only used from workstations that are directly attached. There is a growing need for access to the data and programs on a corporate LAN from other geographical locations. This need for communication has led to products that turn a regular workstation in a LAN into a dialin host that can be accessed by using regular telephone lines and modems.

It is obvious that these gateways to programs and data need to have mechanisms to prevent unauthorised access. Many of the products on the market today have built-in security options.
FSLOGIN, however, adds an extra layer of access security to the Novell servers in the network. Once a remote user has a dialin connection to a dialin host on a LAN, that user has to enter the proper login information before data and/or programs can be accessed. FSLOGIN has extra security options, which have been specifically designed for use on dialin host machines.

First of all the amount of information that a user can 'see' on the FSLOGIN screen can be restricted to almost nothing. The user has to know the exact names of the Directory Context or the Server, his/her userid and, of course, the corresponding password.

The DirectoryList / ServerList feature of FSLOGIN can be turned off for individual workstations using the !NS command line option. This command line option overrules the global setting in FSLOGIN.INI. Furthermore, the default name in the Location or Server field can be suppressed using the environment variables FS_CON=NONE and FS_SRV=NONE.

The UserList feature (the F7 function key) can also be turned off by means of the !NU command line parameter. Although it might be common knowledge that there is something like the Supervisor userid, it does not need to be advertised at this particular place.

The next step in building a security wall is disabling the use of certain userids that are not easy to delete (GUEST for example), but are not meant for regular access by users. The User eXclude List feature makes this possible. This list is specified in the FSLOGIN.INI file with the statement 'UserXList'.

When the dialin user accesses the host PC, it is obvious that FSLOGIN should not be terminated with the Escape key. This would allow the user to access the standard Novell commands CX, NLIST or SLIST and LOGIN. Although the Escape key can be enabled or disabled globally in FSLOGIN.INI, it can be disabled in specific situations by using the !NE command line option.
The next step is preventing a user from entering all kinds of combinations of Server names, Userids and Passwords. Not that this is likely to succeed, but these tryouts can be prevented using the following statements in FSLOGIN.INI:

MaxCount=0 - 9

    0   = Do not limit the number of login attempts.
    1-9   The maximum number of login attempts that a user can make before FSLOGIN takes action. The user can make 1 - 9 attempts to log in and when the next attempt is invalid (invalid Directory Context, invalid Servername, invalid Userid or invalid Password) FSLOGIN takes action.

MaxTime=0 - 9

    0   = Do not limit the period of time of login attempts.
    1-9   Limit the maximum time in minutes that FSLOGIN gives the user to login. When this time expires, it is assumed that the connection between the dialin host and the PC at the other end should be terminated.

So what does FSLOGIN do when one of the above events actually occurs? First of all the Data Terminal Ready (DTR) signals of both the COM1 and the COM2 ports are forced to zero. Most modems react to this drop of the DTR signal and will hang up. After terminating the connection the dialin host PC will be rebooted. No better way to break the connection between you and an unwanted, unknown hacker.

ATTENTION

Note that although the latter two functions, MaxCount and MaxTime, are specified in FSLOGIN.INI, they are only activated when FSLOGIN is started with the !DI command line argument. The !DI argument also automatically activates the !NE (NoEscape) and the !ND (NoDimmer) options. The !NS (NoServerlist) and the !NU (NoUserlist) are not automatically included.

Here is a sample batch file that starts dialin host software and FSLOGIN:

    ..
    REM no default context
    SET FS_CON=NONE
    REM no default server
    SET FS_SRV=NONE
    REM Link Support Layer
    LSL
    REM Hardware driver
    NE2000
    REM IPX protocol stack
    IPXODI
    REM NetWare Shell
    NETX
    REM Wait here for dialin user!
    PCSOMEWHERE
    REM Secure login
    FSLOGIN !DI !NS !NU
    ..
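A configuration check for the dial-in hardening steps in this chapter, added here as an example (it is not part of FSLOGIN or its documentation). It reads a start-up batch file and FSLOGIN.INI and reports which of the chapter's measures are not in effect; the function names, the sample inputs and the layout of list names in FSLOGIN.INI are assumptions.

```python
import re

# Stated in the README: !DI also activates !NE (NoEscape) and !ND (NoDimmer).
IMPLIED = {"!DI": {"!NE", "!ND"}}


def parse_ini(text):
    """Parse FSLOGIN.INI statements into {key: (value, [names])}."""
    # Assumed layout (the README does not show the raw file): the names of a
    # list statement follow its value on the same line or on the lines below.
    settings, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("["):
            current = None  # a blank line or section label ends a name list
            continue
        match = re.match(r"([A-Za-z]+)\s*=\s*(\d+)(.*)$", line)
        if match:
            current = match.group(1).lower()
            settings[current] = (int(match.group(2)), match.group(3).split())
        elif current:
            settings[current][1].extend(line.split())
    return settings


def parse_batch(text):
    """Return (SET variables, effective FSLOGIN switches or None)."""
    env, switches = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        words = line.split()
        if not words or words[0].upper() == "REM":
            continue
        if words[0].upper() == "SET" and "=" in line:
            # DOS keeps all text after '=' as the value, annotations included.
            name, _, value = line[3:].partition("=")
            env[name.strip().upper()] = value.strip()
        elif words[0].upper() == "FSLOGIN":
            switches = {w.upper() for w in words[1:] if w.startswith("!")}
            for switch in list(switches):
                switches |= IMPLIED.get(switch, set())
    return env, switches


def audit_dialin_host(batch_text, ini_text):
    """Return findings for a dial-in host setup; an empty list means none."""
    env, sw = parse_batch(batch_text)
    if sw is None:
        return ["no FSLOGIN command found in the batch file"]
    ini = parse_ini(ini_text)
    value = lambda key: ini.get(key, (None, []))[0]
    findings = []
    if "!DI" not in sw:
        findings.append("!DI missing: MaxCount and MaxTime are not activated")
    else:
        for key in ("maxcount", "maxtime"):
            if not value(key):
                findings.append(f"{key} is 0 or not set: no limit configured")
    if "!NE" not in sw:
        findings.append("!NE not in effect: check that Escape is disabled")
    if "!NS" not in sw and (value("serverlist") != 0 or value("ndslist") != 0):
        findings.append("F5 lists available: add !NS")
    if "!NU" not in sw and value("userlist") != 0:
        findings.append("F7 UserList available: add !NU")
    level, excluded = ini.get("userxlist", (0, []))
    if level != 2 or not excluded:
        findings.append("UserXList not enabled: no userids are excluded")
    for var in ("FS_CON", "FS_SRV"):
        if env.get(var, "").upper() != "NONE":
            findings.append(f"{var} is not NONE: default name not suppressed")
    return findings


# Constructed sample inputs (not taken from a real installation).
HARDENED_BATCH = """\
SET FS_CON=NONE
SET FS_SRV=NONE
FSLOGIN !DI !NS !NU
"""
WEAK_BATCH = """\
SET FS_CON=NONE ; no default context
FSLOGIN !NS
"""
SAMPLE_INI = """\
[dialin]
MaxCount=3
MaxTime=0
[lists]
ServerList=1
UserList=2 Supervisor Lanvisor Admin
UserXList=2
GUEST
ACCOUNT99
"""

if __name__ == "__main__":
    for finding in audit_dialin_host(WEAK_BATCH, SAMPLE_INI):
        print("-", finding)
```

With the constructed inputs, the hardened batch file still yields one finding because the sample INI sets MaxTime=0, which shows that the command line switches and FSLOGIN.INI have to be reviewed together.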
The batch file continues with the next statement when the dialin user specifies the correct login information in the specified amount of time. Otherwise the dialin host PC will be rebooted.

CHAPTER 9: NOTES

9.1 Login Script Parameters

Full Screen Login has support for the optional parameters, that can be passed to the system login script. There is no separate field for this, but parameters can be typed in the Userid field following the User name. Type one space between the User name and the parameter. When the Userid field seems to be full, just type on and you will see the text scroll. The available typing space is 64 characters (including Username and spaces).

9.2 NDS restrictions

FSLOGIN currently does not support the use of spaces in NDS names.

APPENDIX A: ERRORLEVELS

IF ERRORLEVEL==0

ERRORLEVEL 0 indicates a successful login to either a server (in Bindery mode) or the network (in Directory Services mode).

IF ERRORLEVEL==1

This ERRORLEVEL is used to indicate that the user used the Escape function to exit FSLOGIN. Escaping from FSLOGIN can be disabled by customizing the Escape= statement in FSLOGIN.INI.

IF ERRORLEVEL==2

This ERRORLEVEL is reserved for future use.

IF ERRORLEVEL==3

This ERRORLEVEL is used to indicate various errors that could occur when attempting to load program overlay files or program resource files. Each overlay or resource file has its own error message that exactly pinpoints the problem.

FSLOGIN.OVL could not be loaded.

    This file is a program overlay that is loaded by the FSLOGIN.COM program. Under normal circumstances this file is installed in the SYS:LOGIN directory or in a directory on a local harddisk. This error could occur when part of FSLOGIN has been manually copied from one machine to another. When this error occurs, check the success of the installation procedure or the result of your own copy actions.

FSLOGIN.PPX could not be loaded.
    This file is a program overlay file that is installed in the SYS:LOGIN directory or in a directory on a local harddisk. Check the result of the installation procedure or the success of your own copy actions.

FSLOGIN.CWA could not be loaded.

    This file is a C-Worthy resource file that is loaded by the FSLOGIN.OVL program file. C-Worthy is the well-known Novell style menu interface that has been used for all Novell and many third party utilities. FSLOGIN has been built with C-Worthy version 2. This file should be available in the SYS:LOGIN directory or, if FSLOGIN has been installed on a local harddisk, in the same directory as the other program files.

LOGIN.EXE (or its alternate) could not be loaded

    In order to process the system login script and possibly profile login scripts and a user login script, FSLOGIN needs to load the Novell program file LOGIN.EXE. This program must be available in the SYS:LOGIN directory. It is, however, possible to customize FSLOGIN to use a different name than LOGIN.EXE. This feature is further explained in the chapter 'How to Customize...' Under normal circumstances this error will not occur, but this error could indicate that a mistake has been made when the alternate login program option is being used.

IF ERRORLEVEL==4

This ERRORLEVEL is used to indicate a problem while processing the FSLOGIN.INI file. This file is the customization file that contains statements that affect the operation of FSLOGIN, help text items and other textual message items. The INI file should be available in the SYS:LOGIN directory at all times. One exception to the rule is using the !LI (Use Local INI) command line option, which should be used by the system administrator only.

The message that is displayed indicates the various reasons for the failure. The common part of the message is:

    FSLOGIN.INI could not be processed. Reason: ...

The possible reasons are:

Reason: open error.

    The INI file can not be opened at all. Check the installation of FSLOGIN.
    The INI file should be installed in the SYS:LOGIN directory.

Reason: malloc error.

    The program could not allocate enough memory to load the INI file. This error could occur when conventional memory is very scarce. Have a look at all programs loaded and decide if any of them is really needed and/or try to make use of Upper Memory Blocks to load certain programs high.

Reason: read error.

    A read error can occur when the network connection between a workstation and a server is not reliable or when a harddisk error occurred. The reason for this error lies outside FSLOGIN and should be treated depending on the particular situation. A read error could be caused by an interrupted connection between the fileserver and the workstation.

Reason: [help] label not found.

    The INI file contains various labels that indicate a statement section, the start of the Help Items or the start of the Messages items. The labels that are used to indicate various statement sections, for example [dialin], are just there to make a logical arrangement. Other labels like [help] are needed to process the INI file. If the [help] label is not found, FSLOGIN assumes that the INI file is invalid.

Reason: [messages] label not found.

    If the [messages] label is not found, FSLOGIN assumes that the INI file is invalid.

Reason: [end] label not found.

    If the [end] label is not found, FSLOGIN assumes that the INI file is invalid.

IF ERRORLEVEL==5

ERRORLEVEL 5 is used to indicate various errors related to the NetWare Client software or the state of the network connection. The various error messages that are used are described below.

There is no NetWare shell.

    FSLOGIN checks for the availability of the NetWare shell (NETX.EXE) or the DOS Requester (VLMs). If neither of these client programs is available, FSLOGIN has no access to a network.

NWCallsInit returned an error: x'....'.
NWCallsInit is a Novell API function used by FSLOGIN to establish a working environment between the application and the Novell client software. In the rare case that this error occurs, the Novell client software is in trouble and returns a hexadecimal errorcode to the application (in this case FSLOGIN). Try to unload and load the NetWare shell or NetWare DOS Requester.

NWGetDefaultConnectionID returned an error: x'....'.
This indicates an error when using a Novell API function that collects information about the default connection between the workstation and a server. The reason for an error lies in the state of the Novell client software. Unloading the client software and loading again will probably correct this error.

NWInitUniCodeTables returned an error: x'....'.
The country code is: ..., the code page is: ...
First of all, what are UniCode tables? UniCode is a 16 bit character set that covers all the possible characters in all the languages of the world. NetWare Directory Services uses this UniCode internally, but the clients (PCs with DOS or Windows) are not capable of dealing with these 16 bit characters. UniCode tables are the translation tables from the 16 bit UniCode characters to the 8 bit characters of a certain language and codepage combination. Unicode tables need to be loaded by an application that needs to access NetWare Directory Services. All the UniCode tables are provided by Novell and are part of the installation of a NetWare 4 server but also part of the installation of the NetWare DOS Requester. The directory used to install the UniCode tables is called NLS (for example: C:\NWCLIENT\NLS). Check the availability of the UniCode tables and/or put the C:\NWCLIENT\NLS subdirectory in the PATH of the PC.

NWGetDefaultNameContext returned an error: x'....'
The Default Name Context is the context that is specified in the network configuration file NET.CFG. FSLOGIN reads this default context to display it in the Login Data window.
In very rare cases this Novell API call might return an error with which FSLOGIN cannot deal. Check the NET.CFG file and unload and reload the NetWare DOS Requester.

NWDSCreateContext returned an error: x'....'
FSLOGIN needs to create two internal context buffers to handle various Directory Services requests. The creation of these buffers might fail. If this is the case, FSLOGIN is not able to continue. Check the hexadecimal errorcode in the next appendix.

NWDSAllocBuffer returned an error: x'....'
FSLOGIN needs to create two internal buffers as input and output for various Directory Services requests. The creation of these buffers might fail. If this is the case, FSLOGIN is not able to continue. Check the hexadecimal errorcode in the next appendix.


APPENDIX B: ERROR CODES

89C1 No account balance
This userid, also called account, has no initial account balance to work with. The supervisor should assign an account balance by means of NETADMIN or SYSCON. This only occurs on servers with an activated (Novell) accounting system.

89C2 Your credit has exceeded
The user has no more credits to continue working. The supervisor should assign enough credit by means of NETADMIN or SYSCON for the user to be able to work. This only occurs on servers with an activated (Novell) accounting system.

89C5 Intruder lockout
There has been a number of attempts to log in with this userid in combination with an incorrect password. The user either has to wait for the intruder lockout time to expire, or the intruder lockout can be cleared by the supervisor. This error can only occur when the intruder lockout mechanism for the server or the network has been activated.

89D7 Password has been used before
The newly specified password could not be applied, because the accounting restrictions for this user do not allow old passwords to be reused again.

89D8 Password too short for this server
Passwords have a minimum length, which can be set on a per user basis in the accounting restrictions of each user. A new password must meet this requirement before it is accepted by the NetWare security system.

89D9 Maximum concurrent connections in use
The user tried to log in from a number of workstations at the same time. However, a limit has been set to the number of stations that this user can log in from at the same time. The limit could be increased for this user or the user should log out from another workstation.

89DA Not authorized at this time
There is a time restriction for this user, which prevents login at this moment. Time restrictions are set by the supervisor, system-wide or per user.

89DB Not authorized at this station
There is a station restriction for this account. For security reasons a restriction can be made that certain accounts can be logged into from certain workstations only.

89DC This account has been disabled
The account (userid) exists but cannot be used, because it has been disabled by the supervisor. Note that accounts can also expire automatically at a pre-determined date in the future.

89DE The password has been disabled
The current password for the user has expired, and there are no more grace logins available. The supervisor must assign another password to this user or reset the number of grace logins to be able to continue. It is advisable to give users more than one grace login, so they will be able to change their password themselves. Setting the number of grace logins to zero will disable the possibility for a user to change a password once the password has expired. The only difference between an expired password and a disabled password at this point is the grace login mechanism.

89F0 Wildcard not allowed
A wildcard was used when the network or the server was queried for information. At certain points it is not possible to use wildcards like '*' and '?'.

89F1 Invalid bindery security
The current user has no rights to read from or write to the bindery. This error code could indicate a problem in the bindery structure or an application program error. When there are other errors related to bindery functions on other workstations, as well, BINDFIX should be run.

89F2 No object read privilege
The program tried to read object information from the bindery or the directory, but the Novell NetWare operating system did not allow this. This could indicate an application programming error but might also indicate problems with the bindery or directory.

89F3 No object rename privilege
The current user has no right to rename an object in the bindery or the directory. This error is not likely to occur in FSLOGIN.

89F4 No object delete privilege
The current user has no right to delete an object in the bindery or the directory. This error is not likely to occur in FSLOGIN.

89F5 No object create privilege
The current user has no right to create an object in the bindery or the directory. This error could indicate a problem with the structure of the bindery or the directory. This error is not likely to occur in FSLOGIN.

89F6 No property delete privilege
The current user has no right to delete a property in the bindery or the directory. This error is not likely to occur in FSLOGIN.

89F7 No property create privilege
The current user has no right to create a property within its own object. This error could indicate a problem with the structure of the bindery or the directory or a (highly unlikely) programming error.

89F8 No property write privilege
The current user has no right to write the value of a certain property within its own object. This error could indicate a problem with the structure of the bindery or the directory or a (sometimes awful) programming error.

89F9 No more free connection slots
The NetWare Shell or the NetWare DOS Requester has run out of connection slots.
With the NetWare Shell there are eight connections possible with eight different servers. The NetWare DOS Requester can be configured to hold more than eight connection slots, with a maximum of fifty.

89FA No more free server slots
The server has reached its limit for the number of concurrent connections. This number is determined by the license that is used on the server (5 .. 1000 users). The supervisor can try to clear some unused connections with FCONSOLE (NetWare 2.xx) or the file server MONITOR program (NetWare 3.x and 4.x).

89FC No such userid on this server
The specified userid has not been defined on this server.

89FE The server bindery is locked
Bindery read or write actions are not possible, because the bindery is not available. This can be the result of a program that has closed the bindery. Programs that close the bindery are for example BINDFIX and most backup / restore programs. The bindery should be reopened again when these programs have done their job. If this is not the case the server has to be brought down and started up again.

89FF No response from server
This error code can represent several errors, by which the server is not responding properly to workstation requests. This error code could indicate network disruptions as well as a file server that is in the stage of freezing.

FE15 Unicode tables not loaded
Unicode tables need to be loaded by any application that needs to do Directory Services functions. Unicode tables are installed in NLS subdirectories of the SYS:SYSTEM and SYS:PUBLIC directories of a server. Unicode files are also installed in the C:\NWCLIENT\NLS directory, assuming the default installation procedure of the client software has been performed. Unicode filenames have the following structure:

UNI_.CTY      Unicode to code page conversion.
_UNI.CTY      Code page to Unicode conversion.
UNI_COL.CTY   Unicode collating table.
UNI_MON.CTY   Unicode monocasing table.

NWInitUniCodeTables is the internal function used to initialise these tables. This function searches for the tables in the following directories in the order they are listed.

- The current working directory.
- The directory the application was loaded from.
- A directory named \NLS immediately subordinate to the directory the application was loaded from.
- A directory named \NLS descendent from the directory the application was loaded from.
- A directory in the DOS search PATH.

Note that the DOS PATH is the last place searched. Consequently, storing the tables in the search path could noticeably increase the amount of time it takes for the tables to load.

FED3 Workstation out of memory
Make sure FSLOGIN is not running from within a secondary command processor that is often used to 'Go To DOS' from within an application.

FF22 The password has been disabled
This is a Directory Services error. The current password for the user has expired, and there are no more grace logins available. The supervisor must assign another password to this user or reset the number of grace logins to be able to continue. It is advisable to give users more than one grace login, so they will be able to change their password themselves. Setting the number of grace logins to zero will disable the possibility for a user to change a password once the password has expired. The only difference between an expired password and a disabled password at this point is the grace login mechanism. See also 89DE.

FF24 This account has been disabled
This is a Directory Services error. The account (userid) exists but cannot be used, because it has been disabled by the supervisor. Note that accounts can also expire automatically at a pre-determined date in the future. See also 89DC.

FF25 Not authorized at this station
This is a Directory Services error. There is a station restriction for this account.
For security reasons a restriction can be made that certain accounts can be logged into from certain workstations only. See also 89DB.

FF26 Not authorized at this time
This is a Directory Services error. There is a time restriction for this user, which prevents login at this moment. Time restrictions are set by the supervisor, system-wide or per user. See also 89DA.

FF27 Maximum concurrent connections in use
This is a Directory Services error. The user tried to login from a number of workstations at the same time. However, a limit has been set to the number of stations that this user can login from at the same time. Either the limit could be increased for this user or the user should logout from another workstation first. See also 89D9.

FF3B Intruder lockout
This is a Directory Services error. There has been a number of attempts to login with this userid in combination with an incorrect password. The user either has to wait for the intruder lockout time to expire, or the intruder lockout can be cleared by the supervisor. This error can only occur when the intruder lockout mechanism for the server or the network has been activated. See also 89C5.

FF3E Your credit has exceeded
This is a Directory Services error. The user has no more credits to continue working. The supervisor should assign enough credit by means of NETADMIN or NWADMIN for the user to be able to work. This only occurs on servers with an activated (Novell) accounting system. See also 89C2.

FF3F No account balance
This is a Directory Services error. This userid, also called account, has no initial account balance to work with. The supervisor should assign an account balance by means of NETADMIN or NWADMIN. This only occurs on servers with an activated (Novell) accounting system. See also 89C1.


APPENDIX C: REGISTRATION AND SUPPORT

Feel free to use Full Screen Login free for a period of 30 days. After this period you are expected to register or stop using it.
The registration fee is based on a single file server license. When used on more servers, each server should have its own license or better, a site license should be obtained. See also SITELIC.TXT.

HOW TO REGISTER

You can register by filling in the REGISTER form which is on the diskette or in the ZIP file and send it by fax, airmail or email to:

Confirm
Ardèchelaan 35
6904 NG Zevenaar
The Netherlands

CompuServe : 100334,572
Internet   : 100334.572@compuserve.com
Phone      : (+31) 316 - 524988
Fax        : (+31) 316 - 341580
BBS        : (+31) 316 - 340391

Registration differs for the Netherlands, Belgium, Germany, other countries of the European Economic Community, the United States and other countries. When none of these countries applies to you, you are expected to follow the US procedure, or contact Confirm for another arrangement. See also the REGISTER.XX forms on the distribution diskette or the archive file.

Registered users receive a printed manual per server together with the latest release of FSLOGIN, which is 'personalised' with the name of their company and other license information.

SUPPORT

Registered users are offered free support for a period of six months. It is our goal to answer all questions within a reasonable amount of time.

New versions of FSLOGIN are published on a regular basis. Publishing is mainly done by providing a Bulletin Board Service of our own, on which the latest files are available, and by uploading the unregistered evaluation copy to the NOVUSER forum on CompuServe.

Registered users of FSLOGIN version 2 can download a newer, unregistered evaluation copy of FSLOGIN version 2, and use that to update their license. Registered users receive further information on how to apply an unregistered version to their license. Registered users also receive information about how to update if they do prefer shipment of newer versions by Confirm.


APPENDIX D: THE SHAREWARE CONCEPT

Shareware distribution gives users a chance to try software before buying it.
If you try a Shareware program and continue using it, you are expected to register. Individual programs differ on details. Some request registration while others require it, some specify a maximum trial period. With registration, you get anything from the simple right to continue using the software to an updated program.

Copyright laws apply to both Shareware and commercial software, and the copyright holder retains all rights, with a few specific exceptions as stated below. Shareware authors are accomplished programmers, just like commercial authors, and the programs are of comparable quality. (In both cases, there are good programs and bad ones!) The main difference is in the method of distribution. The author specifically grants the right to copy and distribute the software, either to all or to a specific group. For example, some authors require written permission before a commercial disk vendor may copy their software.

Shareware is a distribution method, not a type of software. You should find software that suits your needs, whether it is commercial or Shareware. The Shareware system makes fitting your needs easier, because you can try before you buy. And because the overhead is low, prices are also low. Shareware has the ultimate money-back guarantee -- if you do not use the product, you do not pay for it.

The Ombudsman

This program is produced by a member of the Association of Shareware Professionals (ASP). ASP wants to make sure that the shareware principle works for you. If you are unable to resolve a shareware-related problem with an ASP member by contacting the member directly, ASP may be able to help. The ASP Ombudsman can help you resolve a dispute or problem with an ASP member, but does not provide technical support for members' products. Please write to the ASP Ombudsman at 545 Grover Road, Muskegon, MI 49442-9427 USA, FAX 616-788-2765 or send a CompuServe message via CompuServe Mail to ASP Ombudsman 70007,3536.


APPENDIX E: DISCLAIMER - AGREEMENT

Users of FSLOGIN must accept this disclaimer of warranty:

"FSLOGIN is supplied as is. The author or Confirm disclaims all warranties, expressed or implied, including, without limitation, the warranties of merchantability and of fitness for any purpose. The author assumes no liability for damages, direct or consequential, which may result from the use of FSLOGIN."

FSLOGIN is a "shareware program" and is provided at no charge to the user for evaluation. Feel free to share it with your colleagues, but please do not give it away altered or as part of another system. The essence of "user-supported" software is to provide personal computer users with quality software without high prices, and yet to provide incentive for programmers to continue to develop new products.

If you find this program useful and find that you are using FSLOGIN and continue to use FSLOGIN after a trial period of 30 days, you must make a registration payment to Confirm. You can register by filling in the register form you find on the diskette or the ZIP file and send it by fax or airmail to Confirm in the Netherlands.

The registration fee will license one copy for use on any one Novell NetWare server at any one time. You must treat this software just like a book. An example is that this software may be used by any number of people and may be freely moved from one server location to another, so long as there is no possibility of it being used at one location while it is being used at another. Just as a book cannot be read by two different persons at the same time.

Users of FSLOGIN must register and pay for their copies of FSLOGIN within 30 days of first use or their license will be withdrawn.

Anyone distributing FSLOGIN for any kind of remuneration must first contact Confirm for written authorization.
This authorization will be automatically granted to distributors recognized by the (ASP) as adhering to its guidelines for shareware distributors, and such distributors may begin offering FSLOGIN immediately (However Confirm must still be advised so that the distributor can be kept up-to-date with the latest version of FSLOGIN).

You are encouraged to pass a copy of FSLOGIN along to your colleagues for evaluation. Please encourage them to register their copy if they find that they can use it.

Confirm
Ardèchelaan 35
6904 NG Zevenaar
The Netherlands

CompuServe : 100334,572
Internet   : 100334.572@compuserve.com
WWW        : ourworld.compuserve.com/homepages/confirm
Phone      : (+31) 316 - 524988
Fax        : (+31) 316 - 341580
BBS        : (+31) 316 - 340391
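
ADDED EXAMPLE: UNICODE TABLE SEARCH ORDER (SEE FE15)

The following Python sketch is an added example, not part of FSLOGIN or of Novell's client software. It walks the five locations that the FE15 entry in Appendix B lists for NWInitUniCodeTables and reports every copy of a table in the order it would be found, so an administrator can see which copy is actually loaded and whether it is only reached through the PATH. The function names, the sample directory tree and the file name UNI_MON.001 are constructed for illustration; exact upper-case name matching and the sorted traversal of descendent directories are assumptions.

```python
import os
import tempfile

# Labels for the five search locations listed under FE15, in order.
RULES = (
    "current working directory",
    "application directory",
    "NLS directly below application directory",
    "NLS descendent of application directory",
    "DOS search PATH",
)


def table_candidates(name, cwd, app_dir, dos_path):
    """Return [(directory, rule)] for every copy of `name`, in search order.
    The first entry is the copy that would be loaded; later ones are shadowed.
    Names are matched exactly as given (assumption)."""
    ordered = [
        (cwd, RULES[0]),
        (app_dir, RULES[1]),
        (os.path.join(app_dir, "NLS"), RULES[2]),
    ]
    # Deeper NLS directories. Sorted walk order is an assumption: the
    # README does not say how descendents are traversed.
    for root, dirs, _files in os.walk(app_dir):
        dirs.sort()
        if root != app_dir and os.path.basename(root) == "NLS":
            ordered.append((root, RULES[3]))
    # DOS separates PATH entries with ';' and the PATH is searched last.
    ordered += [(d, RULES[4]) for d in dos_path.split(";") if d]

    hits, seen = [], set()
    for directory, rule in ordered:
        key = os.path.normcase(os.path.abspath(directory))
        if key in seen:
            continue  # same directory already covered by an earlier rule
        seen.add(key)
        if os.path.isfile(os.path.join(directory, name)):
            hits.append((directory, rule))
    return hits


def demo():
    """Resolve a constructed sample table while copies are removed one by one."""
    name = "UNI_MON.001"  # constructed sample file name
    stages = []
    with tempfile.TemporaryDirectory() as base:
        cwd = os.path.join(base, "WORK")
        app = os.path.join(base, "LOGIN")
        copies = [os.path.join(app, "NLS"), os.path.join(app, "LANG", "NLS"),
                  os.path.join(base, "NWCLIENT", "NLS")]
        for d in [cwd] + copies:
            os.makedirs(d)
        for d in copies:
            open(os.path.join(d, name), "w").close()
        dos_path = ";".join([os.path.join(base, "DOS"), copies[2]])
        for removed in [None] + copies:
            if removed:
                os.remove(os.path.join(removed, name))
            hits = table_candidates(name, cwd, app, dos_path)
            stages.append([rule for _dir, rule in hits])
    return stages


if __name__ == "__main__":
    for stage in demo():
        print(stage[0] if stage else "table not found (FE15)", "| all:", stage)
```

When more than one entry is returned, only the first is used; a result whose first entry is "DOS search PATH" is the slow case the FE15 note describes.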