Sun Java Enterprise System 2005Q1 Deployment Example Series: Evaluation Scenario

The User Management Specification

Installing and configuring a Java ES solution establishes the basic structure of the LDAP directory tree for the solution. The installation and configuration process also adds data to the directory. The user management specification describes the directory for a Java ES solution.

The Directory Tree Structure

The main points to consider when you develop an LDAP directory structure for you solution are the following:

The directory can be distributed among several instances of Directory Server. The appropriate arrangement for your solution depends on your quality of service requirements and your security requirements. For example, you can create separate Directory Server instances for configuration data and user and group data. You can also create several directory branches for user and group data, such as a branch for employee data and a branch for web-based customers, with each branch established in a separate Directory Server instance.
For each Directory Server instance that holds user and group data, you must specify a base DN suffix. You specify this value when you run the Java ES installer.
For each Directory Server instance that holds user and group data for Java ES communications services (Messaging Server, Calendar Server, andInstant Messaging), you must create a directory tree branch that is configured to support single-sign on access to these services. You create this branch when you run the Messaging Server configuration wizard. You complete the configuration of this branch with the Directory Server Preparation Tool and the Delegated Administrator tool.

The evaluation solution has minimal quality of service and security requirements, and a single Directory Server instance for both configuration data and user and group data satisfies those requirements. The Directory Server instance for the evaluation solution runs on one computer system with the other components.

The evaluation solution uses Java ES communications services, so an LDAP tree branch that supports communications services and single sign-on is needed.

The LDAP directory for the evaluation solution is set up for an imaginary company named Examplecorp. The LDAP base DN for the evaluation solution is o=exanplecorp. You specify this base DN when you run the Java ES installer. The branch you create with the Messaging Server configuration wizard to support communications services is named o=examplecorp.com,o=examplecorp. The branch has a People container (the LDAP DN is ou=people,o=examplecorp.com,o=examlecorp. You add the end user accounts to this People container.

A simplified diagram of the evaluation solution's directory tree is illustrated in Figure 3–1.

Figure 3–1 Evaluation Solution Directory Tree

At top is o=examplecorp. Second level is o=examplecorp.com,o=examplecorp.com.
Third level is ou=people,o=examplecorp.com,o=examplecorp.com.

The Administrator Accounts

In addition to setting up the basic structure of the LDAP directory, installing and configuring a Java ES solution establishes a number of administrator accounts. For each component that you install and configure, the installer or the component configuration wizard creates one or more administrator accounts.

The evaluation solution, for simplicity, creates the minimum number of administrator accounts, and uses the value “password” for most administrator passwords. The administrator accounts created for the evaluation solution are as follows:

Directory Server — The administrator account name is admin, and administrator password is password. The LDAP DN for the account is uid=admin,ou=People,o=examplecorp. You also create a directory manager account. The account name for the directory manager is dn=Directory Manager and the password is password. Other components use the directory manager account to access the directory.
Administration Server — The evaluation solution uses the same administrator account for Directory Server and Administration Server. The account name is admin, and the administrator password is password. The LDAP DN for the account is uid=admin,ou=People,o=examplecorp.
Access Manager— The administrator user ID is amadmin, and the administrator password is password. The LDAP DN for the account is uid=amadmin,ou=People,o=examplecorp. You use this account to access the Access Manager console and perform some configuration.
Web Server — The evaluation solution uses the same administrator account for Administration Server, Directory Server and Web Server. The administrator account name is admin, and the administrator password is password. The LDAP DN for the account is uid=admin,ou=People,o=examplecorp.
Messaging Server — The administrator user ID is admin, and the administrator password is password. The LDAP DN for the account is uid=admin,ou=People,o=examplecorp.com,o=examplecorp. Communications Express uses this account to access messaging services.
Calendar Server — The administrator user name is calmaster, and the administrator password is password. The LDAP DN for the account is uid=calmaster,ou=People,o=examplecorp.com,o=examplecorp. Communications Express uses this account to access calendar services.
Instant Messaging — The administrator account name is admin, and the administrator password is password. The LDAP DN for the account is uid=admin,ou=People,o=examplecorp.com,o=examplecorp.
Communications Express — The administrator account name is admin, and the administrator password is password. The LDAP DN for the account is uid=admin,ou=People,o=examplecorp.com,o=examplecorp.

In a production solution, you would consider your security requirements and develop a plan for separate and secure administrator accounts.

The Delegated Administrator Instance

Delegated Administrator is the Java ES tool you use to create and manage user accounts. You run the Delegated Administration configuration wizard to configure an instance of Delegated Administrator. You configure the instance to operate on the o=examplecorp.com,o=examplecorp branch of the evaluation solution's directory tree.

Delegated Administrator is a versatile user management tool. Among other features, it allows you to set up a number of administrator accounts, each with administrator privileges to a specific segment of the user and group directory. For the evaluation solution you use only basic command line features of Delegated Administrator.

The LDAP Schema Extensions

The LDAP directory tree branch that you create for use with the Sun Java^TM Enterprise System (the o=examplecorp.com,o=examplecorp branch) must be configured so that user accounts you create in the branch are authorized to use the mail and calendar services. You perform this configuration with the Delegated Administrator command line interface.