Sun Java System Communications Services 6 2005Q4 Delegated Administrator Guide

Chapter 4 Customizing Delegated Administrator

After you have installed and configured Delegated Administrator with the configuration program (config-commda), you can customize your configuration to meet your particular needs. This chapter offers examples of how to customize certain Delegated Administrator features.

You should back up any existing Delegated Administrator configuration file before you begin customizing it.

Also, customized configuration data can be lost when you upgrade Delegated Administrator. Therefore, you should preserve your customized configuration before you upgrade Delegated Administrator or rerun the Delegated Administrator configuration program. For more information, see Preserve an Existing Configuration.

This chapter describes the following topics:

Configuring the Preferred Mail Host Using the Service-Wide Default

If you want the Preferred Mail Host and Preferred Mail Store to be set using the server-wide default, you can perform the tasks described in this section.

If you need to remove the Preferred Mail Host field from the Console (specifically, from the New Organization Wizard and Organization Properties screens), take the following steps:

The Security.properties file lets you customize the Delegated Administrator Console for all or for individual roles.

The Security.properties file is located in the directory da_base/da/WEB-INF/classes/com/sun/comm/da/resources

To remove the Preferred Mail Host from the Console, add the lines shown below to the Security.properties file:


# Remove Preferred Mail Host from UI
*.NewOrganizationPage6.PreferredMailHostProperty=INVISIBLE
*.NewOrganizationSummaryPage.PreferredMailHostSummaryProperty=INVISIBLE
*.OrgProperties.MailHostName=INVISIBLE
*.OrgProperties.MailHostNameText=INVISIBLE
*.OrgProperties.MailHostValue=INVISIBLE

CAUTION: You may add lines to this file for your own customization, but do not edit the lines already present. Editing existing lines could result in exceptions being thrown on the Console.

The properties in the file are of the form: Security Element Name=Permission

A Security Element Name is of the form: Role Name.Container View Name.Console Element Name

A Security Element specifies the Console element and role for which the permission is being defined. If you do not know an element name, view the source of a page to match the name on the page to the Console element you are interested in.

The names on the page are fully qualified names. You need to pick up only the last two elements of the name, which form Container View Name.Console Element Name.

Valid role names for Delegated Administrator are as follows:

“ProviderAdminRole” (SPA) For information about this role, see Appendix A, Service Provider Administrator and Service Provider Organizations.

“OrganizationAdminRole” (OA)

“Top-levelAdminRole” (TLA)

“*” (applies a permission to all roles unless it is overridden for a specific role)
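The following added example (not part of the original guide or of Delegated Administrator) parses Security.properties lines in the form described above, resolves the permission that applies to a given role when a "*" entry is overridden by a role-specific entry, and compares a backup against the customized file to confirm that no existing line was edited. The ExampleView and ExampleElement names, the SiteAdminRole role, and the OTHER_PERMISSION value are constructed placeholders; the example assumes plain key=value lines.

```python
VALID_ROLES = {"ProviderAdminRole", "OrganizationAdminRole", "Top-levelAdminRole", "*"}

def parse(text):
    """Return (entries, problems); entries are (role, view, element, permission)."""
    entries, problems = [], []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, perm = line.partition("=")
        parts = name.strip().split(".")
        if not sep or len(parts) != 3:
            problems.append(f"line {n}: expected Role.View.Element=Permission")
        elif parts[0] not in VALID_ROLES:
            problems.append(f"line {n}: unknown role {parts[0]!r}")
        else:
            entries.append((*parts, perm.strip()))
    return entries, problems

def effective(entries, role, view, element):
    """A role-specific entry overrides the '*' entry; None means no entry applies."""
    found = {r: p for r, v, e, p in entries if (v, e) == (view, element)}
    return found.get(role, found.get("*"))

def changed_shipped_lines(backup_text, current_text):
    """Non-blank lines of the backup that no longer appear verbatim."""
    current = {l.strip() for l in current_text.splitlines()}
    return [l.strip() for l in backup_text.splitlines()
            if l.strip() and l.strip() not in current]

# Constructed sample: the "shipped" line and OTHER_PERMISSION are placeholders.
BACKUP = "OrganizationAdminRole.ExampleView.ExampleElement=INVISIBLE\n"
CUSTOM = BACKUP + """\
# Remove Preferred Mail Host from UI
*.OrgProperties.MailHostName=INVISIBLE
Top-levelAdminRole.OrgProperties.MailHostName=OTHER_PERMISSION
SiteAdminRole.OrgProperties.MailHostValue=INVISIBLE
"""

if __name__ == "__main__":
    entries, problems = parse(CUSTOM)
    print(problems)
    for role in ("OrganizationAdminRole", "Top-levelAdminRole"):
        print(role, effective(entries, role, "OrgProperties", "MailHostName"))
    print(changed_shipped_lines(BACKUP, CUSTOM))
```
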

A permission must be one of the following strings:

Adding Plug-ins for Delegated Administrator

You can customize Delegated Administrator to support the following plug-ins:

Enabling the Plug-Ins

To enable these plug-ins, edit the commcli servlet resource.properties file, located in the following directory:


da_base/data/WEB-INF/classes/sun/comm/cli/server/servlet/resource.properties

(By default, da_base is /opt/SUNWcomm.)

The plug-ins are located in the resource.properties file in a section headed as follows:


########################
# Plugin Configuration #
##########################

Each plug-in entry has "plugin" as its suffix. The current list is as follows:


jdapi-mailhoststoreplugin=disabled
jdapi-mailhoststorepluginclass=sun.comm.cli.server.util.MailHostStorePlugin
jdapi-mailhoststorepluginfile=/tmp/mailhostmailstore
jdapi-maildomainreportaddressplugin=enabled
jdapi-maildomainreportaddresspluginclass=sun.comm.cli.server.util.MailDomainReportAddressPlugin
jdapi-uidautogenerationplugin=disabled
jdapi-uidautogenerationpluginclass=sun.comm.cli.server.util.UidPlugin

Plug-In Format

Each plug-in has at least two lines, which take the following form:

To enable a plug-in, change “disabled” to “enabled”.

Plug-in classes are supplied for all the plug-ins listed in this section. The classes are located in the following directory:

da_base/data/WEB-INF/classes/sun/comm/cli/server/util

You do not need to do anything with these classes.

Additional Flat File Required for MailHostStorePlugin

The MailHostStorePlugin requires a flat file, whose path is given in a third line for the plug-in (jdapi-mailhoststorepluginfile). The plug-in reads the value in the flat file and uses it to set attribute values. If the plug-in is enabled, the file must be present, or an error will occur.
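The following added example (not part of the original guide or of Delegated Administrator) checks the plug-in section of resource.properties before the Web container is restarted: every enabled plug-in must have its class line, and a plug-in with a file line must point to a flat file that exists. Because the plug-in uses the file's contents to set attribute values, the example also reports a file that is not a regular file or that is writable by group or others; that permission check is an added hardening assumption, not a requirement stated in this guide.

```python
import os
import stat

def parse_props(text):
    """Minimal key=value reader (no line continuations), enough for this section."""
    pairs = (l.split("=", 1) for l in text.splitlines()
             if "=" in l and not l.lstrip().startswith("#"))
    return {k.strip(): v.strip() for k, v in pairs}

def audit_plugins(props):
    """Return findings for every enabled entry whose key ends in 'plugin'."""
    findings = []
    for key, state in props.items():
        if not key.endswith("plugin") or state != "enabled":
            continue
        if not props.get(key + "class"):
            findings.append(f"{key}: enabled but no {key}class line")
        path = props.get(key + "file")
        if path is None:
            continue  # only MailHostStorePlugin has a third (file) line
        try:
            st = os.lstat(path)  # lstat: a symlink is reported, not followed
        except OSError:
            findings.append(f"{key}: flat file {path} is missing")
            continue
        if not stat.S_ISREG(st.st_mode):
            findings.append(f"{key}: {path} is not a regular file")
        elif st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            # Added hardening assumption: others should not control attribute values.
            findings.append(f"{key}: {path} is writable by group or others")
    return findings

# Constructed sample in the format shown above, with the first plug-in enabled.
SAMPLE = """\
jdapi-mailhoststoreplugin=enabled
jdapi-mailhoststorepluginclass=sun.comm.cli.server.util.MailHostStorePlugin
jdapi-mailhoststorepluginfile={path}
jdapi-maildomainreportaddressplugin=enabled
jdapi-maildomainreportaddresspluginclass=sun.comm.cli.server.util.MailDomainReportAddressPlugin
jdapi-uidautogenerationplugin=disabled
"""

if __name__ == "__main__":
    props = parse_props(SAMPLE.format(path="/tmp/mailhostmailstore"))
    for finding in audit_plugins(props):
        print(finding)
```
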

Adding a Custom Object Class When You Create an LDAP Object

You can enable Delegated Administrator to add a custom object class to the LDAP entry of a new user, group, resource, or organization. To accomplish this task, you customize the appropriate object-creation template installed in the directory by Access Manager.

For example, the BasicUser creation template determines which object classes and attributes are added to a user entry when you create a new user. You can update the BasicUser creation template with your custom object class. Thereafter, the custom object class will be added to each new user entry together with the standard object classes.

The following procedure describes how to customize the BasicUser template. You can follow the same procedure to customize the BasicGroup, BasicResource, and BasicOrganization creation templates.

Procedure: To add a custom object class to the user-creation process

Steps
  1. Make sure your custom object class is defined in the directory schema.

  2. Locate the following directory entry:


    ou=basicuser,ou=creationtemplates,ou=templates,ou=default,
    ou=globalconfig,ou=1.0,ou=dai,ou=services,
    o=$Root_Suffix
    

    where $Root_Suffix is the root suffix of your directory.

  3. Add the following attribute:value to the entry:


    sunkeyValue:required=objectClass=$Your_Custom_Objectclass.

    where $Your_Custom_Objectclass is your custom object class.

Customizing the User Log-In

When you run the Delegated Administrator configuration program (config-commda), the value you use to log in to Delegated Administrator is set to be a uid.

For example, if you intend to log in as the TLA, and the TLA’s uid is john.doe, you would use john.doe to log in to Delegated Administrator.

You can customize Delegated Administrator to enable you to use additional values for the user log-in. For example, you could add the mail address (mail).

How the User Log-In Value Is Set

The config-commda program sets this value to uid with the loginAuth-idAttr property in the resource.properties file, as shown in the following example:


loginAuth-searchBase=<$rootSuffix>
servicepackage-cosdefbasedn = <$rootSuffix>
loginAuth-idAttr-1=uid

where <$rootSuffix> is the root suffix in your directory.

The resource.properties file is located in


da_base/data/WEB-INF/classes/sun/comm/cli/server/servlet/resource.properties

Adding a User Log-In Value

You can set additional values for the user log-in by editing the resource.properties file.

For example, to enable you to use a mail address (such as john.doe@sesta.com) to log in, you could add the loginAuth-idAttr-2=mail line to the resource.properties file, as shown in the following example:


loginAuth-searchBase=<$rootSuffix>
servicepackage-cosdefbasedn = <$rootSuffix>
loginAuth-idAttr-1=uid
loginAuth-idAttr-2=mail

where <$rootSuffix> is the root suffix in your directory.

Note that you must add an increment to the loginAuth-idAttr property for each new value. In this example, a second value is added, so you add -2 to loginAuth-idAttr.

You can add multiple instances of the loginAuth-idAttr property:


loginAuth-idAttr-1=uid
loginAuth-idAttr-2=mail
...
loginAuth-idAttr-n=<log-in value>

Requiring Service Packages for New Users

By default, Delegated Administrator lets you create a new user without assigning a service package to the user.

You can change the default setting so that all new users must have at least one service package assigned to them.

Procedure: To require new users to have a service package assigned to them

Steps
  1. Open the daconfig.properties file in a text editor.

    The daconfig.properties file is located by default in the following directory:


    /var/opt/SUNWcomm/da/WEB-INF/classes/com/sun/comm/da/resources/daconfig.properties
  2. Change the value of the user.atleastOneServicePackage property from false to true.

    By default, this value is false.

    For example:

    user.atleastOneServicePackage=true

    After you set this value to true, when you use the Create New User wizard in the Delegated Administrator console, you must assign at least one service package to successfully create the new user.

Adding a New Calendar Time Zone

You can customize Delegated Administrator by adding a new Calendar Server time zone. Delegated Administrator can then provision organizations, users, groups, and resources with the new time zone.

Once the time zone has been added, you can set it as the default time zone for newly created users.

Procedure: To add a new time zone in Delegated Administrator

Steps
  1. Add the time zone in Calendar Server.

    To accomplish this step, you must edit the timezones.ics file and other Calendar Server files. For instructions, see “Adding a New Time Zone” in the chapter, “Managing Calendar Server Time Zones” in the Sun Java System Calendar Server Administration Guide.

  2. Back up the UserCalendarService.xml, DomainCalendarService.xml, and Resources.properties files.

    The xml files are located by default in the following directory:

    /opt/SUNWcomm/lib/services

    The Resources.properties file is located by default in the following directory:


    /var/opt/SUNWcomm/da/WEB-INF/classes/com/sun/comm/da/resources

    Also be sure to preserve your customized configuration data before you upgrade Delegated Administrator or rerun the Delegated Administrator configuration program.

  3. Edit the UserCalendarService.xml and DomainCalendarService.xml files to add the new time zone in Delegated Administrator.

    These xml files are located by default in the following directory:

    /opt/SUNWcomm/lib/services

    • In both the UserCalendarService.xml and DomainCalendarService.xml files, find the following entry heading:


      <AttributeSchema name="icstimezone"
                       type="single choice"
                       syntax="string"
                       any="optional|adminDisplay">
          <ChoiceValues>
    • Add the new time zone value to the list of <ChoiceValues>.

  4. Run the Access Manager amadmin utility to delete the current service and add the updated service.

    For both the UserCalendarService.xml and DomainCalendarService.xml files, run the following amadmin commands:


    ./amadmin -u <admin> -w <password> -r DomainCalendarService

    ./amadmin -u <admin> -w <password> -s $PATH/DomainCalendarService.xml

    Note –

    If you also intend to make the new time zone your default, you can run these amadmin commands after you have performed both tasks. (The following task describes how to change the default time zone.)


  5. Restart your Web container to enable the changes to take effect.

Procedure: To change the default time zone in Delegated Administrator

Steps
  1. In the UserCalendarService.xml and DomainCalendarService.xml files, edit the following value:


    <DefaultValues>
                    <Value>America/Denver</Value>
    </DefaultValues>

    You can find <DefaultValues> under the following entry in the xml files:


    <AttributeSchema name="icstimezone"
  2. Run the Access Manager amadmin utility to delete the current service and add the updated service.

    For both the UserCalendarService.xml and DomainCalendarService.xml files, run the following amadmin commands:


    ./amadmin -u <admin> -w <password> -r DomainCalendarService

    ./amadmin -u <admin> -w <password> -s $PATH/DomainCalendarService.xml
  3. Restart your Web container to enable the changes to take effect.

Procedure: To add the new time zone to Delegated Administrator console

Step

    Edit the Resources.properties file, located under your Delegated Administrator data directory.

    The Resources.properties file is located by default in the following directory:


    /var/opt/SUNWcomm/da/WEB-INF/classes/com/sun/comm/da/resources

    To edit Resources.properties, search for the rsrc.Timezone property and add the new time zone to the appropriate list.

    After you edit this file, the new time zone will appear in the appropriate list boxes in the Delegated Administrator console.