No Option To Create a Login Policy Object in the Security Container - Aug 16, 2004

Aug. 16, 2004 - Added link to ADMSNAP.DLL snapin file HERE.

(Clarifications added April 1, 2001. Information on snapin at the bottom of the page added Nov. 21, 2002)

Do You Need to Worry About LPO's?

First off, this tip from Ross Irvine:

"You only need the LPO if you are using Tokens. That's it! You don't need it for Radius [prior to BorderManage 3.8. Craig] or any VPN. (Unless you are using tokens for VPN). "

Here's how to avoid the need for an LPO

You should NOT need an LPO unless using RADIUS to authenticate (or, I assume, ActivCard token authentication with the VPN). However, there are times when the method show below seems necessary, apparently keyed by having run RADIUS or NMAS (Novell Modular Authentication Services) components. The suggestion I got from Novell to avoid the process described below is to a) delete the LPO, and b) delete a file called LPOCACHE.DAT created in the SYS:SYSTEM directory.

If You Really Want to Create A Login Policy Object

In some cases, you may need to create a Login Policy Object (LPO) inside the Security container. If you have the proper snapins installed, and do not see an option for Login Policy Object in NWADMN32 when creating objects in the Security container, you probably just need to extend the NDS schema for the LPO. Try this:

LOAD BMASEXT <username> <password> ABC

Where <username> is the fully-qualified NDS name of the admin account, such as .ADMIN.ORG, and <password> is the admin password.

The LPO may be necessary when configuring Client-Site VPN on a BorderManager 3.5 (or later?) server. You definitely need an LPO for ActivCard / RADIUS.

Be aware that you may have to create the LPO with the ADMIN user ID, and not an Admin-equivalent ID for it to work properly.

If you have the proper schema extensions and still do not get an option to create the LPO, try the following:

Delete these two files :


Then try again. You should now see a Login Policy Object option.

BorderManager Snapin to Manipulate the LPO

Nov. 21, 2002: The snapin required for manipulating BorderManager-related rules in the Login Policy Object is called ADMSNAP.DLL, and should be present on a BorderManager server. This snapin is required in order to create VPN and Proxy rules in the LPO. The snapin ONLY is used for BorderManager-related rules, and RADIUS. This snapin does NOT allow you to create LPO rules related to Native File Access (NFAP). NFAP rules are configured using ConsoleOne. ConsoleOne snapins do not have the option to create BorderManager-related LPO rules.

Return to the Main Page