Chapter 10   Using an Existing Directory Server


If you're using an existing Directory Server that is already provisioned with users, you must make several changes in your Directory Information Tree (DIT) before iPlanet Directory Server Access Management Edition (DSAME) will recognize your user data. The number and scope of changes you must make will depend upon how your existing DIT is structured, and upon how you plan to use DSAME.

This chapter provides instructions for installing DSAME services against an existing directory that contains user data. It also explains how to configure DSAME to work with your DIT, and how to make the necessary changes to your existing directory entries.

Topics in this chapter include:

• Before You Begin

• Step 1: Install Directory Server 5.1 and Configure it to Work with DSAME

• Step 2: Install DSAME Services

• Step 3: (Optional) Add Your Custom Object Classes to DSAME Schema

• Step 4: (Optional) Configure Alternative Naming Attributes

• Step 5: Load DSAME LDIF into Your Directory

• Step 6: Load DSAME Service Attributes into Your Directory

• Step 7: (Optional) Add DSAME ACIs to Your Default Organization

• Step 8: Remove Unnecessary Files

• Step 9: Start DSAME

• Step 10: Add DSAME Object Classes and Attributes to Existing Directory Entries

Before You Begin

---

The requisite directory modifications are complex. They require a high level of expertise in LDAP planning and implementation, as well as some familiarity with XML. The procedures are complicated and can be time-consuming. Be sure to plan accordingly for this phase of deployment.

---

Note	If you do not already have an existing directory that is provisioned with users, you do not need to perform the steps described in this chapter. See "Simple Installations with No Existing Directory Server".

---

Supported DITs and Unsupported DITs

While DSAME can be reconfigured to support most existing DITs, in some situations reconfiguration may not be recommended. To determine whether your DIT may be compatible with DSAME, see "DITs That Cannot Be Managed by DSAME".

Background for Examples Used in This Chapter

In order to illustrate the types of changes you'll need to make to your directory, we'll use a simple DIT for a fictitious company. The directory entries for this company, represented by o=madisonparc, contain two custom object classes. These are object classes that are not already defined in DSAME schema. If your DIT contains custom object classes, you'll also need to make changes to the DSAME XML files.

Basic DIT Structure

The examples used in this chapter are based on a simple DIT for a fictitious company. Figure 10-3 shows two organizations, Engineering and Sales, under the root. All groups in this example are static groups. This means that entries for these groups use the groupOfUniqueNames object class, which contains values naming the members of the group.

Figure 10-1    Directory Information Tree (DIT) Used in Examples in this Chapter.

The following summarizes the use of groups in this sample DIT:

• There is one group containing the administrators for Engineering, and one group with the administrators for Sales.

• Very simple ACIs are set for the groups Engineering and Sales to allow members of these groups to manage their respective organizations.

• In each organization, there is a group that contains non-administrator users.

• There is another group at the root level, or top level. It contains the all users in the directory.

Custom Object Classes

The fictitious company used in this example uses two object classes that are not included in the DSAME schema nor in the Directory Server 5.1 schema. An auxiliary object class madisonparc-org is in every organization entry, and an auxiliary object class madisonparc-user is in every user entry. In order to manage these extensions, changes must be made in the following three files:

• amEntrySpecific.xml
  (Changes are not required if you're modifying only user entries.)

• amUser.xml

• ums.xml

These changes are described in detail in the section "Step 3: (Optional) Add Your Custom Object Classes to DSAME Schema". If you use custom object classes in your existing directory, you will need to make similar changes.

Step 1: Install Directory Server 5.1 and Configure it to Work with DSAME

---

DSAME will work only with iPlanet Directory Server 5.1. If you have a pre-5.1 version installed, you must upgrade to version 5.1 and migrate your data before you can install DSAME services.

Step 1a: Back Up Your Directory Data

For detailed information on backing up your directory, see the iPlanet Directory Server Installation Guide at:

  http://docs.iplanet.com/docs/manuals/directory.html

Step 1b: Install and Configure Directory Server 5.1 with DSAME Schema

You must have root permissions when you run the DSAME installation program. Be sure all web browsers are closed before starting the installation program.

1. If you're installing DSAME from the product CD, insert the CD into the drive of the system on which you want to install the software. If you've downloaded the product, unzip the product binaries file.

2. Run the setup.exe program. You'll find the program in the root directory of the CD-ROM. If you've downloaded the product binariers, you'll find the program in the directory where you unzipped the binary files.

   Double-click the setup.exe icon.

   Installation messages are written to log files in the following directory:

     C:\Documents and Settings\username.hostname.*\
           Local Settings\Temp\

3. Read the License Agreement. When prompted, Do you agree to the license terms? Enter y for Yes.

4. In the Installation Directory, provide the following information:

   Install DSAME in this directory: Enter the full path to the directory where you want to install DSAME components. Plan to install the DSAME Services and Directory Server in different directories. Ideally, you would install DSAME Services and Directory Server on different computer systems.

5. In the Components to Be Installed/Uninstalled window, select only iPlanet Directory Server. De-select all other components.

6. In the Directory Schema window, provide the following information, and then click Next:

   Root Suffix: This is the point in your directory where you want DSAME to start managing entries. Enter a relative distinguished name (RDN) that includes at least one naming_attribute=value pair. Examples:

     o=isp

     o=madisonparc

     dc=sun,dc=com,l=us

   If you want the default organization to be the root suffix, then enter a period (.).

   Install DSAME Schema: Select this option. Click the checkbox until a checkmark displays.

7. In the iPlanet Directory Server Information window, provide the following information, and then click Next:

   Host: Enter the fully qualified domain name for the computer system where Directory Server will be installed.

   Port: Enter a port number. Directory Server typically uses port 389.

   Installation Directory: Enter the full path to the directory where Directory Server will be installed.

   Directory Manager: Enter the distinguished name (DN) of the user who has unrestricted access to Directory Server. Example: cn=Directory Manager.

   Password: Enter a password for the Directory Server administrator.The password must be at least eight characters in length.

   Confirm Password: Enter the password again to confirm it.

8. In The Administration Server that Manages Directory Server window, provide the following information, and then click Next:

   Administrator: This administrator user ID is used only when the Directory Server is down and you are unable to log in as the configuration directory administrator (typically, cn=Directory Manager). The existence of this user ID means that you can access Administration Server and perform disaster recovery activities such as starting Directory Server, reading log files, and so forth.

   Normally, Administration Server user and password should be identical to the configuration directory administrator ID and password.

   Port: Enter a port number. The Administration Server that manages Directory Server typically uses port 8900.

   Password: Enter a password for the Directory Server administrator. The password must be minimum eight characters in length.

   Confirm Password: To confirm the Administrator password, enter it again.

9. In the Currently Selected Settings window, review the configuration information that you've entered. If you need to make changes, click Back. Otherwise, click Next to proceed.

10. In the Ready to Install window, review the installation information. If you need to make changes, click Back. Otherwise, click Next to begin the installation.

11. In the Installation Summary window, click Details for a detailed summary of the configuration information that was processed during Installation. Then click Exit to end the program.

Once you've exited the installation program, iPlanet recommends that you optimize the Directory Server for use with the DSAME Policy service and Management service. For detailed instructions, see "Step 1d: Optimizing Directory Server for DSAME" in this chapter.

Step 1c: Migrate Existing Data to Directory Server 5.1

In this step, you will update your pre-5.1 data to work with Directory Server 5.1. This process, called migration, is performed by running the migrateInstance5 script that comes with Directory Server. The migration script performs the following tasks in sequence:

• Checks the schema configuration files, and notifies you of any changes between the standard configuration files and the ones present on your system.

• Creates a database for each suffix stored in the legacy Directory Server. (In Directory Server 5.0 you can have multiple databases, but just one suffix per database).

• Migrates the server parameters and database parameters. (In Directory Server 5.0, these are stored as LDAP entries in the dse.ldif file.)

• Migrates user-defined schema objects.

• Migrates indexes.

• Migrates standard server plug-ins.

• Migrates the certificate database, and SSL parameters.
  

  ---

  Note	Your existing user data must be migrated to Directory Server 5.1 before you go on to Step 2. Otherwise, DSAME may not be able to recognize your existing user data.

  ---

  
  

  You must run the script on the system where your existing Directory Server is installed. You must shut down your directory service before running the migration script. For detailed migration instructions, see the iPlanet Directory Server Installation Guide at:   http://docs.iplanet.com/docs/manuals/directory.html.

Step 1d: Optimizing Directory Server for DSAME

You can optimize DSAME page handling and search performance by modifying the Directory Server configuration. The following measures are necessary when any organization in your directory exceeds 4000 users:

• Add indexes for the memberof and uid attributes.

• Reset the lookthroughlimit parameter.

• (Optional) Reset the sizelimit parameter.

To Add Appropriate Indexes to Your Directory

1. Start the Directory Server console. In the directory where Directory Server is installed, double-click the startconsole.exe icon, and then log in.

2. In iPlanet Console, in the navigation tree, double -click the Directory Server icon.

1. In iPlanet Console, in the navigation tree, locate and double -click the Directory Server icon.

2. In the Directory Server console, click the Configuration tab.

3. In the navigation tree, click the Data icon, and then click Database Settings.

4. In the right pane, click Default Indexes.

5. To add the memberof attribute, click Add Attribute, and then do the following:
   1. In the Select Attributes window, select the memberof attribute and then click OK.

   2. In the Default Indexes list, select the memberof attribute and then check the boxes for Equality, Presence, and Substring.

6. To add a substring index for the uid attribute, in the Default Indexes list, select the uid attribute. Then check the boxes for Equality, Presence, and Substring.

7. Click Save.

To Reset the Lookthroughlimit Parameter

1. In iPlanet Console, in the navigation tree, locate and double -click the Directory Server icon.

2. In the Directory Server console, click the Configuration tab.

3. In the navigation tree, double-click the Data icon and then click the Database Settings.

4. In the right pane, click LDBM Plug-in Settings.

5. In the Look Through Limit field, enter a number greater than the number of entries that Directory Server will check in response to a search request.

6. Click Save.

To Reset the Sizelimit Parameter

By default, the Administration Console displays up to 2000 entries. If you want to display more than 2000 entries, you can reset the value of the iPlanet Directory Server attribute nsslapd-sizelimit to a greater number that is appropriate for your directory size. You can also reset the value at -1 for no limit. For more information, see the Directory Server documentation.

Step 1e: Back Up Your Existing Data

Back up your existing DIT before proceeding further with the other steps. Many of the changes described in this chapter must be done manually and can be error-prone.

For detailed information on backing up your directory, see the iPlanet Directory Server Installation Guide at:

  http://docs.iplanet.com/docs/manuals/directory.html

Step 2: Install DSAME Services

---

You must have root permissions when you run the DSAME installation program. Be sure all web browsers are closed before starting the installation program.

1. If you're installing DSAME from the product CD, insert the CD into the drive of the system on which you want to install the software. If you've downloaded the product, unzip the product binaries file.

2. Run the setup.exe program. You'll find the program in the root directory of the CD-ROM. If you've downloaded the product binariers, you'll find the program in the directory where you unzipped the binary files.

   Double-click the setup.exe icon.

   Installation messages are written to log files in the following directory:

     C:\Documents and Settings\username.hostname.*\
         Local Settings\Temp\

3. Read the License Agreement. When prompted, Do you agree to the license terms? Enter y for Yes.

   
   

   ---

   Note	After installation you will not yet be able to login to the DSAME administration console. The appropriate LDIF and XML files have not yet been loaded. See the following sections for instructions.

   ---

   
   

4. In the Installation Directory window, provide the following information:

   Install DSAME in this directory: Enter the path to the directory where DSAME Services will be installed. Plan to install the DSAME Services and Directory Server in different directories. Ideally, you would install DSAME Services and Directory Server on different computer systems.

5. In the Components to Be Installed window, select only DSAME Management and Policy Services. De-select all other components.

6. In the iPlanet Web Server Information window, provide the following information about the Web Server that will run DSAME services, and then click Next:

   Administrator: Enter a user name for the administrator who will access and manage the Web Server when necessary.

   Port: Enter a port number. Typically, this administration port is set to 8888.

   Password: Enter the password for the Administrator specified above. The password must be a minimum of 8 characters in length.

   Confirm Password: To confirm the Administrator password, enter it again.

7. In The Web Server that Runs DSAME Services window, provide the following information about the computer system where DSAME will be installed, and then click Next:

   Host: Enter the name of the computer system where DSAME will be installed.

   Port: Enter the port number of the Web Server that will run DSAME services.

   Protocol: If the Web Server that will run DSAME services will not be using Secure Socket Layer (SSL) protocol, then select HTTP. If it will be SSL-enabled, then select HTTPS.

   Domain: Enter the domain name of the computer system where DSAME will be installed.

   Deployment URI: Enter the Deployment Universal Resource Identifier (URI) that was specified when DSAME was installed. The default is /amserver.

8. In the Directory Schema window, provide the following information, and then click Next:

   Do you want DSAME to run in iPlanet-compliance mode? In most cases, select No. The iPlanet-compliant DIT uses specialized directory objects, and its tree structure is optimized for use by hosting companies. For detailed information about the iPlanet-compliance mode, see "Compliant vs. Default DIT".

9. In the next Directory Schema window, provide the following information, and then click Next:

   Root Suffix of Your Directory Tree: This is the point in your directory where you want DSAME to start managing entries. Enter a relative distinguished name (RDN) that includes at least one naming_attribute=value pair.

   Examples:

     o=isp

     o=madisonparc

     dc=sun,dc=com,l=us

   Organization Name: Enter a name for the first organization to be used or created in your DSAME Directory Information Tree (DIT). This name will be displayed in the DSAME graphical user interface. Examples: iPlanet or iplanet.com.

   Directory Component Node: Enter the point in the DIT where DSAME will start managing entries. Example: o=isp.

10. In the iPlanet Directory Server Information window, provide the following information, and then click Next:

    Host: Enter the fully qualified domain name for the computer system where Directory Server will be installed.

    Port: Enter a port number. Directory Server typically uses port 389.

    Directory Manager: Enter the distinguished name (DN) of the user who has unrestricted access to Directory Server. Example: cn=Directory Manager.

    Password: Enter a password for the Directory Server administrator.The password must be a minimum of eight characters in length.

11. In the DSAME Super Administrator Information window, provide the following information, and then click Next:

    User name: The user name for the Super administrator is amAdmin This name cannot be reconfigured.

    Password: Enter the password for the user amAdmin. the password must be a minimum of 8 characters in length.

    Confirm Password: To confirm the amAdmin password, enter it again.

12. In the Currently Selected Settings window, review the configuration information that you've entered. If you need to make changes, click Back. Otherwise, click Next to proceed.

13. In the Ready to Install window, review the installation information. If you need to make changes, click Back. Otherwise, click Next to begin the installation.

14. In the Installation Summary window, click Details for a detailed summary of the configuration information that was processed during installation. Then click Exit to end the program.

Step 3: (Optional) Add Your Custom Object Classes to DSAME Schema

---

If your existing DIT contains object classes you've created and that do not come with Directory Server, then you'll have to add those object classes and attributes to the DSAME schema. For background information, see "Understanding DSAME XMLs and DTDs" in the Programmer's Guide.

If you do not use custom object classes in your DIT, this step is not necessary. Skip to "Step 5: Load DSAME LDIF into Your Directory".

In the examples in this section, the company Madison Park uses two object classes that do not come with the DSAME schema. An auxiliary object class madisonparc-org is in every organization entry, and an auxiliary object class madisonparc-user is in every user entry. Code Example 10-1    MadisonParc's Customized Schema

---

attributeTypes: ( madisonparc-org-description-oid NAME `madisonparc-org-description' DESC 'org description'

SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'madisonparc' )

attributeTypes: ( madisonparc-org-city-oid NAME 'madisonparc-org-city' DESC 'org city location' SYNTAX

1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'madisonparc' )

attributeTypes: ( madisonparc-user-id-oid NAME 'madisonparc-user-id' DESC 'user madisonparc id' SYNTAX

1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'madisonparc' )

attributeTypes: ( madisonparc-user-building-oid NAME 'madisonparc-user-building' DESC 'priority of a service

with respect to its siblings' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'madisonparc' )

objectClasses: ( madisonparc-org-oid NAME 'madisonparc-org' DESC 'custom attributes for madisonparc org' SUP top MAY

( madisonparc-org-description $ madisonparc-org-city ) X-ORIGIN 'madisonparc' )

objectClasses: ( madisonparc-user-oid NAME 'madisonparc-user' DESC 'custom attributes for madisonparc user' SUP top

MAY ( madisonparc-user-id $ madisonparc-user-building ) X-ORIGIN 'madisonparc' )

In order to manage these extensions, changes must be made in the following three files:

• amEntrySpecific.xml (for organization data)

• amUser.xml (for user data)

• ums.xml

Step 3a: Add Attributes to the Organization Schema

In this step, you will modify two services files:

• amEntrySpecific.xml

• amEntrySpecific.properties.

The DSAME console uses the information in amEntrySpecific.xml for display purposes. Each DSAME abstract entry may have a subschema in this XML file. In the following example, you would add the two attributes from the madisonparc-org object class to the organization subschema. If the DIT contained customized organizational units, groups, or people containers, you would add or modify their subschemas in this same XML file.

The subschema name for an organizational unit will be OrganizationalUnit. The subschema name for a people container will be PeopleContainer.

---

Note

The User subschema is not configured here in the amEntrySpecific.xml file, but in the amuser.xml file (see "Step3b: Add Attributes to the User Schema".) Although any service XML file may describe an attribute that is for a user only, the amentryspecific.xml file can serve as a default placeholder for user attributes that are not tied to a particular service.

---

Note	In XML, attribute names must be all lowercase. When DSAME retrieves attributes names from Directory Server, it converts all names to lowercase.

---

"> To Add Attributes from a Custom Organization to the Organization Subschema

---

Note	In XML, attribute names must be all lowercase. When DSAME retrieves attributes names from Directory Server, it converts all names to lowercase.

---

1. In the file DSAME_root\web-apps\services\WEB-INF\config\xml\
     amEntrySpecific.xml,

   add the attributes from the custom object class to the subschema Organization. For example, the following two attributes from the custom object class madisonparc-org were added to the file:

   Example:

   
   

   ---

   type="single"

   syntax="string"

   any="required"

   />

   <AttributeSchema name="madisonparc-org-city"

   type="single"

   syntax="string"

   any=required|filter

   />

2. Also in the amEntrySpecific.xml file, create i18N keys (also called index keys or localization keys) for each attribute. All i18N keys in an organization must be made up of unique strings. The DSAME Administration Console will use this key to look up the display name for the attribute.

   Example:

   
   

   ---

   type="single"

   syntax="string"

   any="required"

   i18nKey="o3"

   />

   <AttributeSchema name="madisonparc-org-city"

   type="single"

   syntax="string"

   any=required|filter

   i18nKey="o4"

   />

3. In the following file, add the values for i18n keys you created in Step 2:

   DSAME_root\web-apps\services\WEB-INF\classes\amEntrySpecific.properties

   Example:

   
   

   ---

   g1=Member List

   g2=Users Can Subscribe to this Group

   dg1=Membership Filter

   r1=Membership Filter

   o1=Full DNS name

   o2=Organization Status

   o3=Org Description

   o4=Organization Location

All the attributes listed in the subschema are displayed in the Administration Console when the organization is displayed. If an attribute is not listed, the Administration Console will not display the attribute.

---

Tip	If an attribute has no i18N key, it will not be displayed on the administration console. If you add an attribute, and you don't see it in the administration console, be sure to check the i18N key and properties.

---

The "any" attribute

The any attribute in the XML descriptions may have three possible values: required, optional, or filter. Typically, required and optional are not both displayed at the same time; they are mutually exclusive.

required. This value tells Admin Console whether the attribute should appear on the Create page. If any=required, the attribute must have a value or the Console will not allow the Create operation. Use an empty string ("") to tell the Admin Console to display nothing.

optional. This value tells Admin Console whether the attribute should appear on the Create page. If any=optional, the attribute will appear on the Create page without an asterisk. This would indicate that you don't have to give it a value to create the entry.

filter. This value tells the Console whether to use this attribute on the Search page or in organizations.

In the following example, both attributes will be displayed on the Organization page, and both attributes are required for creation. This is indicated by the use the required value. Only the madisonparc-org-city attribute will be used on the Search page in DSAME Administration Console, as indicated by the use of the filter value. Example:

---

type="single"

syntax="string"

any="required"

i18nKey="o3"

/>

<AttributeSchema name="madisonparc-org-city"

type="single"

syntax="string"

any=required|filter

i18nKey="o4"

/>

The "type" attribute

The type attribute can use a string, string list, single choice, multiple choice, or boolean value. For example, if the madisonparc-org-city attribute can have only one of the cities Concord, San Francisco, or Palo Alto, as a valid value, then you would make this attribute a single choice; each city would be one of the choices. The DSAME Administration Console would display a list containing only these cities. If multiple cities were allowed, the attribute could be a multiple choice.

Step3b: Add Attributes to the User Schema

In this step, you will modify two files for services:

• amUser.xml

• amUser.properties

The amUser.xml file is where user attributes are described, just as organization and group schema are described in the amEntrySpecific.xml (see Step 2). The file amUser.xml describes the User service for DSAME. Note that any service may describe an attribute that is for a user only. This file is just the default placeholder for user attributes that are not tied to a particular service.

When displaying a user's attributes, the DSAME Administration Console gets all attributes from all services that are subschema type User, and displays them using the same values as used in the amEntrySpecific.xml file (see "The "any" attribute" and "The "type" attribute"). In the following examples, a few attributes from the madisonparc-user object class are added to the file, thus it is not necessary to create a new service. It's only necessary to modify, or extend, the amUser service.

Additional Notes About the amUser.xml File

The file amUser.xml contains the special any attribute. The any=display attribute tells DSAME whether to display the attribute in the user profile page. This is a misleading name since it implies access control. It is strictly used for display. If this attribute is set to no then the console will not display the attribute.

Also note that the attributes are defined under subschema User and not Dynamic. Any attribute defined under User is physically an attribute in the user entry. If you want the attribute to be a role-based or organization-based attribute, then you would define it under the Dynamic subschema. For background information, see "Understanding DSAME XMLs and DTDs" in the Programmer's Guide.

For example, you could make the madison-user-building attribute Dynamic, and have DSAME create a role with this attribute. This way if all employees in a division moved to a different building, you would only have to modify the role attribute instead having to modify of every single user entry.

To Add Attributes from a Custom Organization to the User Subschema

1. In the following file, add the attributes from the custom object class to the User subschema:

     DSAME_root\web-apps\services\WEB-INF\config\xml\amUser.xml

2. For example, the following two attributes from the custom object class madisonparc-user were added to the file:
   
   

   ---

   type=single

   syntax=string

   any=required|display

   i18nKey=u13

   />

   <AttributeSchema name=madisonparc-user-building

   type=single

   syntax=string

   any=required|filter|display

   i18nKey=u14

3. In the amUser.xml file, create i18N keys (also called index keys or localization keys) for each attribute. All i18N keys in an organization must be made up of unique strings. The DSAME Administration Console will use this key to look up the display name for the attribute. See the example above.

4. Add values for the i18nKeys created in the previous step to the following file:   DSAME_root\web-apps\services\WEB-INF\classes\amUser.properties

   Example:

   
   

   ---

   iwtUser-desc=Default User Profile

   u1=User Name

   u2=First Name

   u3=Last Name

   u4=Full Name

   u5=Password

   u6=Email Address

   u7=Employee Number

   u8=Telephone Number

   u9=Manager

   u10=Home Address

   u11=User Status

   u12=User Auth Modules

   u13=User Id

   u14=Employee Building

   The value is the exact field to be displayed on the administration console page; the key will be localized for the locale. In this example, the administration console will display the text fields "User Id" and "Employee Building."

Step 3c: Modify the Creation Templates

In this step, you will modify the ums.xml file.

In Figure 10-3, the sample DIT has new object classes for both users and organizations. To expose the new object classes in the UI, you would modify the Creation Templates for both users and organizations in the ums.xml file. The Creation Templates configure DSAME to add or allow specific object classes and attributes when these entries are created.

To Modify the Creation Templates

Make the following modifications in the file   DSAME_root\web-apps\services\config\ums\ums.xml

1. Under <SubConfiguration name="BasicOrganization" id="CreationUmsObjects">, in the <AttributeValuePair> <Attribute name="required" /> element, add the following:

   <Value>objectClass=madisonparc-org</Value>

   <AttributeValuePair> <Attribute name="name" />

   <Value>BasicOrganization</Value>

   </AttributeValuePair>

   <AttributeValuePair> <Attribute name="javaclass" />

   <Value>com.iplanet.ums.Organization</Value>

   </AttributeValuePair>

   <AttributeValuePair> <Attribute name="required" />

   <Value>objectClass=top</Value>

   <Value>objectClass=organization</Value>

   <Value>objectClass=nsManagedDomain</Value>

   <Value>objectClass=inetDomain</Value>

   <Value>objectClass=iplanet-am-managed-org</Value>

   <Value>objectClass=madisonparc-org</Value>

   <Value>o</Value>

   <Value>inetdomainstatus=Active</Value>

   </AttributeValuePair>

2. Under <SubConfiguration name="BasicUser" id="CreationUmsObjects">, in the <AttributeValuePair><Attribute name="optional" /> element, add the following:

   <Value>objectClass=madisonparc-user</Value>

   Example:

   
   

   ---

   <SubConfiguration name="BasicUser" id="CreationUmsObjects">

   <AttributeValuePair> <Attribute name="name" />

   <Value>BasicUser</Value>

   </AttributeValuePair>

   <AttributeValuePair> <Attribute name="javaclass" />

   <Value>com.iplanet.ums.User</Value>

   </AttributeValuePair>

   <AttributeValuePair> <Attribute name="required" />

   <Value>objectClass=top</Value>

   <Value>objectClass=person</Value>

   <Value>objectClass=organizationalPerson</Value>

   <Value>objectClass=inetOrgPerson</Value>

   <Value>objectClass=iPlanetPreferences</Value>

   <Value>objectClass=iplanet-am-user-service</Value>

   <Value>objectClass=inetuser</Value>

   <Value>objectClass=iplanet-am-managed-person</Value>

   <Value>objectClass=madisonparc-user</Value>

   <Value>cn=default</Value>

   <Value>sn=default</Value>

   <Value>uid</Value>

   <Value>inetuserstatus=Active</Value>

   </AttributeValuePair>

3. Under <SubConfiguration name="BasicOrganization" id="CreationUmsObjects">, in the <AttributeValuePair> <Attribute name="optional" /> element, add the following:.

   <Value>madisonparc-org-description</Value>

   <Value>madisonparc-org-city</Value>

   Example:

   
   

   ---

   <AttributeValuePair> <Attribute name="name" />

   <Value>BasicOrganization</Value>

   </AttributeValuePair>

   <AttributeValuePair> <Attribute name="javaclass" />

   <Value>com.iplanet.ums.Organization</Value>

   </AttributeValuePair>

   <AttributeValuePair> <Attribute name="required" />

   <Value>objectClass=top</Value>

   <Value>objectClass=organization</Value>

   <Value>objectClass=nsManagedDomain</Value>

   <Value>objectClass=inetDomain</Value>

   <Value>objectClass=iplanet-am-managed-org</Value>

   <Value>objectClass=madisonparc-org</Value>

   <Value>o</Value>

   <Value>inetdomainstatus=Active</Value>

   </AttributeValuePair>

   <AttributeValuePair> <Attribute name="namingattribute" />

   <Value>o</Value>

   </AttributeValuePair>

   <AttributeValuePair> <Attribute name="optional" />

   <Value>*</Value>

   <Value>madisonparc-org-description</Value>

   <Value>madisonparc-org-city</Value>

   </AttributeValuePair>

4. Under <SubConfiguration name="BasicUser" id="CreationUmsObjects">, in the <AttributeValuePair> <Attribute name="optional" /> element, add the following:

   <Value>madisonparc-user-id</Value>

   <Value>madisonparc-user-building</Value>

   Example:

   
   

   ---

   <SubConfiguration name="BasicUser" id="CreationUmsObjects">

   <AttributeValuePair> <Attribute name="name" />

   <Value>BasicUser</Value>

   </AttributeValuePair>

   <AttributeValuePair> <Attribute name="javaclass" />

   <Value>com.iplanet.ums.User</Value>

   </AttributeValuePair>

   <AttributeValuePair> <Attribute name="required" />

   <Value>objectClass=top</Value>

   <Value>objectClass=person</Value>

   <Value>objectClass=organizationalPerson</Value>

   <Value>objectClass=inetOrgPerson</Value>

   <Value>objectClass=iPlanetPreferences</Value>

   <Value>objectClass=iplanet-am-user-service</Value>

   <Value>objectClass=inetuser</Value>

   <Value>objectClass=iplanet-am-managed-person</Value>

   <Value>objectClass=madisonparc-user</Value>

   <Value>cn=default</Value>

   <Value>sn=default</Value>

   <Value>uid</Value>

   <Value>inetuserstatus=Active</Value>

   </AttributeValuePair>

   <AttributeValuePair> <Attribute name="optional" />

   <Value>nsroledn</Value>

   <Value>madisonparc-user-id</Value>

   <Value>madisonparc-user-building</Value>

   <Value>*</Value>

Step 4: (Optional) Configure Alternative Naming Attributes

---

If you used a naming attribute other than o=organization to define organizations in your DIT, your must modify the ums.xml file to accommodate the non-standard naming attributes. If you used a naming attribute other than uid=username to define users in your DIT, your must make similar modifications in the ums.xml file. For detailed reference information, see "Using Alternative Naming Attributes".

To Configure Alternative Naming Attributes for Organizations

The following steps assume that dc is the naming attribute used for an organization. Perform the modifications in the following file:

  DSAME_root\web-apps\service\WEB-INF\config\ums\ums.xml

1. Replace any appearance of o=org with dc=org.

2. In the BasicOrganization section, replace value of o with dc.

3. In the BasicOrganizationSearch SubConfiguration section, replace value of o with dc.

4. In the BasicOrganization section, change the objectclass of organization to domain. If you use ou for an organization, then you need to change it to organizationalUnit.

To Configure Alternative Naming Attributes for Users

The following steps assume that cn is the naming attribute used for users.

Make modifications in the following directory:

  DSAME_root\web-apps\services\WEB-INF\config

1. In the file ldif\installExisting.ldif, with two exceptions, replace uid with cn. The exceptions are:
   • The occurrence under ACI.

   • The uid: amAdmin attribute in the amAdmin entry.

2. In xml\amAuth.xml, replace uid with cn for user naming attribute.

3. In xml\amMembership.xml, replace uid with cn for the user naming attribute.

4. In xml\amAuthLDAP.xml, replace uid with cn for the user naming attribute.

5. In AMConfig.properties, replace uid=amAdmin with cn=amAdmin.

6. In ums\ums.xml, in BasicUser subconfiguration, replace uid with cn for namingattribute.

7. In ums\ums.xml, in BasicUser required values, change cn=default to cn and uid to uid=default.

Step 5: Load DSAME LDIF into Your Directory

---

The installExisting.ldif file contains DSAME-specific entries that are loaded into Directory Server during installation. Typically, you will not need to modify this file before it gets loaded during the installation process.

You can use the ldapmodify utility that comes with Directory Server to load installExisting.ldif. In the MadisonParc example, when you load the LDIF, the following occurs:

• Users and marker object classes required for DSAME are added to o=madisonparc and o=Engineering,o=madisonparc

• Default roles for organization and help desk administrators are created.

• Default Access Control Instructions (ACIs) for those administrator entries are set up.
  
  

Before You Begin

You can use the version of ldapmodify that comes with Directory Server 5.x, or you can use the version that comes with DSAME. If your Directory Server is installed on a computer system other than the one where DSAME services are installed, you can use the ldapmodify utility that comes with DSAME. You'll find ldapmodify in this directory of the DSAME installation:

  DSAME_root\tools

To run commands in the following procedures, open a DOS prompt window and set the path to the ldapmodify tool, for example:

  set PATH=DSAME_root/tools;%PATH%"

To Load the installExisting.ldif File

1. Go the following the directory:

   cd DSAME_root\web-apps\services\WEB-INF\config\ldif

2. Run the following command:

     ldapmodify -v -c -D "cn=Directory manager" -w password -a -f      installExisting.ldif
   

   ---

   Note	You must specify the -c option. Be sure you install only installExisting.ldif, and none of the other LDIF files in the same directory.

   ---

   
   

   If you encounter error messages regarding "already existing" entries or values for the default organization, see "Step 7: (Optional) Add DSAME ACIs to Your Default Organization".

The DSAME administration user amAdmin will be created under the ou=People,o=Engineering,o=madisonparc people container. This is the top level administrator for DSAME. This administrator has read and write access to the entire subtree for o=madisonparc. You can add one of your users to this top level administrator role after the DSAME console is started.

Figure 10-2    Directory Information Tree (DIT) Used in Examples in This Chapter.

Step 6: Load DSAME Service Attributes into Your Directory

---

You can load the ums.xml file and all services files with the same command.

1. Go to the following directory:   DSAME_root\web-apps\services\WEB-INF\config\ums

2. At the command line, enter the following command:

     dpserveradmin DN password

If you see any parsing errors, you should go back and double-check the changes you made in the previous steps. Also examine the syntax in the amUser.xml and amEntrySpecific.xml files, and make sure you've used the correct syntax. If you need to look at syntax examples, look at the other service XML files located in the following directory:

DSAME_root\web-apps\services\WEB-INF\config\xml

Step 7: (Optional) Add DSAME ACIs to Your Default Organization

---

You only need to perform this step if, during installation, you specified an existing organization as your default organization. (By default, DSAME creates one new organization with the an RDN o=iplanet. If you accepted the default RDN, skip to the Step 8.)

In this step, you will manually add the DSAME default ACIs to the organization you specified as the default, or first, organization.

1. Copy the DSAME default organization ACIs from the following file to a text file:

     DSAME_root\web-apps\services\WEB-INF\config\
           installExisting.ldif

2. In the directory where your ldapmodify utility is located, enter the following command:

     ldapmodify -D bind_DN -w password -p port_number -h hostname -a -f       textfile_name

Step 8: Remove Unnecessary Files

---

The following files contain password tags that were swapped during DSAME installation. These files are unnecessary now and can be deleted:

• DSAME_root\web-apps\services\WEB-INF\config\ldif\*.ldif

• DSAME_root\web-apps\services\WEB-INF\config\ums\dpserveradmin
  

  ---

  Tip	As an alternative to deleting the files, you can change the passwords contained in the files.

  ---

  
  

Step 9: Start DSAME

---

At this point, you can start the DSAME server and you will be able to log in to the DSAME Administration Console as amAdmin user. You should see the root suffix and organization you specified during installation. In the Madison Park example, you would see o=madisonparc and o=Engineering. You will not be able to see the rest of your entries since they do not yet contain the DSAME marker object classes.

To start DSAME

You can start DSAME by using one of the following methods:

• Enter the following commands in a DOS prompt window:

    cd DSAME_root\web-apps\services\WEB-INF\bin
    amserver start

• From the Start menu, select Programs > Administrative Tools > Services. In the Services window, right-click the icon for DSAME-hostname. From the menu, choose Start.

To log into the Administration Console

Use a browser to go to the following URL:

  http://localhost.sub-domain.domain:port number/URI_prefix/console

At installation, the default URI_prefix is amserver.

Step 10: Add DSAME Object Classes and Attributes to Existing Directory Entries

---

In this step, you modify your existing directory entries to include the necessary DSAME object classes and attributes. You can think of the DSAME object classes as markers that indicate the directory entries you want to manage through DSAME. These markers enable DSAME to recognize the entries in your directory. The object classes contain special attributes that are necessary to achieve delegated administration.

Before You Begin

There are a number of resources you can use to facilitate the remaining steps for using an existing directory.

Examples Used in This Section

The examples used in this chapter are based on the MadisonParc DIT. Figure 10-3 shows two organizations, Engineering and Sales, under the root. All groups in this example are static groups.

Figure 10-3    The MadisonParc DIT.

Utilities and Scripts You Can Use

You can make these modifications by using iPlanet Directory Server Console, or by using the ldapmodify or db2ldif utilities that come with Directory Server. For detailed information on how to make directory changes by using the Console or by using these utilities, see the documentation for iPlanet Directory Server at:

  http://docs.iplanet.com/docs/manuals/directory.html

You can also use the sample scripts that are included in this product. The sample scripts require Perl 5.x or later. You'll find the sample scripts in the following location:

  DSAME_root\migration

While these samples should prove useful, they are only tools to assist you in properly formatting the DIT and other data. Each script has one or more variables at the top of the file that must be edited before the script is executed. After each script is executed, it generates an LDAP Data Interchange Format (LDIF) file.

If you encounter error messages regarding "already existing" entries or values, you must add the object classes or attributes manually. See the iPlanet Directory Server documentation for detailed instructions.

Steps for using each sample script are included in this chapter in the instructions for marking each object class.

---

Note

Before you can follow the steps for using the sample scripts, you must copy the following sample script files from DSAME_root\migration into the directory Directory_Server_root\shared\bin: update-users.pl update-static-groups.pl update-assignable-dynamic-groups.pl update-filtered-groups.pl update-people.pl update-ou.pl update-o.pl update-groups.pl Also note that the changes made by using these scripts cannot be automatically undone. Be sure to back up your data before running each script.

---

Related Information

Detailed reference information is provided in Appendix A "DSAME Object Classes and Attributes." See page 247 in this manual for information on the following topics:

• Using DSAME Object Classes as Markers

• Using Alternative Naming Attributes

• DITs That Cannot Be Managed by DSAME

• ObjectClass and Attribute Descriptions

Two Approaches to Modifying the Existing DIT

You can use one of two approaches for modifying the DIT. One option is to make all the necessary modifications to your DIT before loading the DSAME LDIF and XML configuration files. This procedure is more error-prone, but may be faster if you have experience using LDAP.

The other option is to make a few modifications in your LDIF and XML files, and then start DSAME to make sure those modifications were done correctly. This second approach is the recommended approach. For example, you may want to add the DSAME object classes for each of your organizations, restart DSAME, and verify that your organizations appear in the DSAME Administration Console. Then add marker classes for groups, check them and so forth.

Step 10a: Mark Organizations

If you used an existing organization as your default organization during installation, you do not have to make these changes. The installation program automatically added these object classes and attributes. Skip to Step 10b.

In this step you will:

1. Add the following object classes to each organization entry:
   • iplanet-am-managed-org

   • inetDomain

2. Add the following attributes to each organization entry:
   • iplanet-am-entry-dn
     (The value for this attribute must be set to the organization DN.)

   • inetDomainStatus

In the MadisonParc example, these object classes and attributes were automatically added to the default organization, o=Engineering, which was the organization specified and created during DSAME installation. The object classes and attributes were manually added to the o=Sales organization.

Example:

objectClass: top

objectClass: organization

objectClass: madisonparc-org

madisonparc-org-description: Engineering Organization

madisonparc-org-city: Santa Clara

aci: (targetattr = "*")(version 3.0; acl "madisonparc Org admin"; allow (all)groupdn="ldap:///cn=Engineering Admins,o=Engineering,o=madisonparc";)

objectclass: iplanet-am-managed-org

objectlcass: inetDomain

iplanet-am-entry-dn: o=Engineering,o=madisonparc

inetDomainStatus: Active

dn: o=Sales,o=madisonparc

objectClass: top

objectClass: organization

objectClass: madisonparc-org

madisonparc-org-description: Sales Organization

madisonparc-org-city: Menlo Park

aci: (targetattr = "*")(version 3.0; acl "madisonparc Org admin"; allow (all)groupdn="ldap:///cn=Sales Admins,o=Sales,o=madisonparc";)

objectclass: iplanet-am-managed-org

objectlcass: inetDomain

iplanet-am-entry-dn: o=Sales,o=madisonparc

inetDomainStatus: Active

...

To Mark Organizations Using the Sample Script

1. Copy update-o.pl to the following directory:

     Directory_Server_root\shared\bin

2. Set the $base variable to the base suffix of the DIT. Example:
     o=madisonparc.

3. In the directory where the script is located, at the command line enter the following:

     perl update-o.pl

4. When prompted, provide the following information:

   Enter Host Name: Enter the name of the computer system in which your Directory Server is installed.

   Enter Bind User Name: Enter a username that has sufficient privileges for accessing the entire directory. Example: cn=Directory Manager

   Enter Bind password: Enter the password for the user you specified above.

   Enter port number: Enter the Directory Server port number. Example: 389.

5. To check the results, open the ldif file that is created (for example: o-update.ldif) and verify that the appropriate changes were made.

Step 10b: Mark People Containers

To each people container, add the iplanet-am-managed-people-container object class.

Example:

objectClass: top

objectClass: organizationalunit

objectclass: iplanet-anm-managed-people-container

...

dn: ou=Sales Users,o=Sales,o=madisonparc

objectClass: top

objectClass: organizationalunit

objectclass: iplanet-am-managed-people-container

...

To Mark People Containers Using the Sample Script

1. Copy update-people.pl to the following directory:

     Directory_Server_root\shared\bin

2. Set the $base variable to the base suffix of the DIT. Example:
     o=madisonparc.

3. For each people container branch to be modified, provide the DN for the organization above it. Example:

     $domain{"hostedCompanyA"} = "ou=hostedCompanyA, o=isp";

     $domain{"hostedCompanyB"} = "ou=hostedCompanyB, o=isp";

4. In the directory where the script is located, at the command line enter the following:

     perl update-people.pl

5. When prompted, provide the following information:

   Enter Host Name: Enter the name of the computer system in which your Directory Server is installed.

   Enter Bind User Name: Enter a username that has sufficient privileges for accessing the entire directory. Example: cn=Directory Manager

   Enter Bind password: Enter the password for the user you specified above.

   Enter port number: Enter the Directory Server port number. Example: 389

   Enter People Container: Enter the name of the people container that contains the uids you want to modify. Example: People

6. To check the results, open the LDIF file that is created (for example: people-update.ldif) and verify that the appropriate changes were made.

Step 10c: Mark Organizational Units

To each container, or organizational unit, add the following object class:   iplanet-am-managed-org-unit

Example:

objectClass: top

objectClass: organizationalunit

objectclass: iplanet=am-managed-org-unit

dn: cn=Engineering Admins,o=Engineering,o=madisonparc

objectClass: top

objectClass: groupofuniquenames

uniquemember: uid=engadmin,ou=Engineering Users,o=Engineering,o=madisonparc

dn: cn=Engineering Users,o=Engineering,o=madisonparc

objectClass: top

objectClass: groupofuniquenames

uniquemember: uid=enguser1,ou=Engineering Users,o=eng,o=madisonparc

uniquemember: uid=enguser2,ou=Engineering Users,o=eng,o=madisonparc

uniquemember: uid=enguser3,ou=Engineering Users,o=eng,o=madisonparc

uniquemember: uid=enguser4,ou=Engineering Users,o=eng,o=madisonparc

dn: ou=Groups,o=Sales, o=madisonparc

objectClass: top

objectClass: organizationalunit

objectclass: iplanet=am-managed-org-unit

To Mark Organizational Units Using the Sample Script

1. Copy update-ou.pl to the following directory:

     Directory_Server_root\shared\bin

2. Set the $base variable to the base suffix of the DIT. Example:
     o=madisonparc

3. In the directory where the script is located, at the command line enter the following:

     perl update-ou.pl

4. When prompted, provide the following information:

   Enter Host Name: Enter the name of the computer system in which your Directory Server is installed.

   Enter Bind User Name: Enter a username that has sufficient privileges for accessing the entire directory. Example: cn=Directory Manager

   Enter Bind password: Enter the password for the user you specified above.

   Enter port number: Enter the Directory Server port number. Example: 389

5. To check the results, open the LDIF file that is created (for example: ou-update.ldif) and verify that the appropriate changes were made.

Step 10d: Mark Users

1. To each user entry, add the following object classes:
   • iplanet-am-web-agent-service

   • iplanet-am-managed-person

   • iplanet-am-user-service

   • inetuser

   • iPlanetPreferences

   • inetOrgPerson

2. To each user entry, add the following attribute value:

     inetuserstatus: active

Example:

objectClass: top

objectClass: organizationalunit

dn: uid=engadmin,ou=Engineering Users,o=Engineering,o=madisonparc

objectClass: inetorgperson

objectClass: organizationalperson

objectClass: person

objectClass: top

objectClass: iplanet-am-web-agent-service

objectClass: iplanet-am-managed-person

objectClass: iplanet-am-user-service

objectClass: inetuser

objectClass: iPlanetPreferences

objectClass: inetOrgPerson

inetuserstatus:active

cn: engadmin

sn: engadmin

userPassword: engadmin

dn: uid=enguser1,ou=Engineering Users,o=Engineering,o=madisonparc

objectClass: inetorgperson

objectClass: organizationalperson

objectClass: person

objectClass: top

objectClass: madisonparc-user

objectClass: iplanet-am-web-agent-service

objectClass: iplanet-am-managed-person

objectClass: iplanet-am-user-service

objectClass: inetuser

objectClass: iPlanetPreferences

objectClass: inetOrgPerson

inetuserstatus:active

madisonparc-user-id: 11111

madisonparc-user-building: SCA16

cn: enguser1

sn: enguser1

userPassword: enguser1

To Mark Users Using the Sample Script

1. Copy udpate-users.pl to the following directory:

     Directory_Server_root\shared\bin

2. Set the $base variable to the base suffix of the DIT. Example:
     o=madisonparc.

3. Set the $base-component variable to the base suffix of the DIT. Example:
     madisonparc

4. In the directory where the script is located, at the command line enter the following:

     perl udpate-users.pl

5. When prompted, provide the following information:

   Enter Host Name: Enter the name of the computer system in which your Directory Server is installed.

   Enter Bind User Name: Enter a username that has sufficient privileges for accessing the entire directory. Example: cn=Directory Manager

   Enter Bind password: Enter the password for the user you specified above.

   Enter port number: Enter the Directory Server port number. Example: 389

6. To check the results, open the LDIF file that is created (for example: users-update.ldif) and verify that the appropriate changes were made.

Step 10e: Mark Static Groups

To each group entry containing values for the uniquemember attribute, add the following object classes:

• iplanet-am-managed-static-group

• iplanet-am-managed-group

Example

objectClass: top

objectClass: groupofuniquenames

objecClass: iplanet-am-managed-static-group

objecClass: ipanet-am-managed-group

uniquemember: uid=enguser1,ou=Engineering Users,o=eng,o=madisonparc

uniquemember: uid=enguser2,ou=Engineering Users,o=eng,o=madisonparc

uniquemember: uid=enguser3,ou=Engineering Users,o=eng,o=madisonparc

uniquemember: uid=enguser4,ou=Engineering Users,o=eng,o=madisonparc

dn: ou=Groups,o=Sales, o=madisonparc

objectClass: top

objectClass: organizationalunit

dn: cn=Sales Admins,o=Sales,o=madisonparc

objectClass: top

objectClass: groupofuniquenames

objecClass: iplanet-am-managed-static-group

objecClass: ipanet-am-managed-group

uniquemember: uid=salesadmin,ou=Sales Users,o=Sales,o=madisonparc

dn: cn=Sales Users,o=Sales,o=madisonparc

objectClass: top

objectClass: groupofuniquenames

objecClass: iplanet-am-managed-static-group

objecClass: ipanet-am-managed-group

uniquemember: uid=salesuser1,ou=Sales Users,o=sales,o=madisonparc

uniquemember: uid=salesuser2,ou=Sales Users,o=sales,o=madisonparc

uniquemember: uid=salesuser3,ou=Sales Users,o=sales,o=madisonparc

uniquemember: uid=salesuser4,ou=Sales Users,o=sales,o=madisonparc

:

To Mark Static Groups Using the Sample Script

1. Copy update-static-groups.pl to the following directory:

     Directory_Server_root\shared\bin

2. Set the $base variable to the base suffix of the DIT. Example:
     o=madisonparc.

3. In the directory where the script is located, at the command line enter the following:

     perl update-static-groups.pl

   When prompted, provide the following information:

   Enter Host Name: Enter the name of the computer system in which your Directory Server is installed.

   Enter Bind User Name: Enter a username that has sufficient privileges for accessing the entire directory. Example: cn=Directory Manager

   Enter Bind password: Enter the password for the user you specified above.

   Enter port number: Enter the Directory Server port number. Example: 389

4. To check the results, open the LDIF file that is created (for example: static-groups-update.ldif) and verify that the appropriate changes were made.

Step 10f: Mark Filtered (Dynamic) Groups

In filtered groups, users are included in a single group based on their DN.

Add the following object classes (no attribute) to each filtered group:

• iplanet-am-managed-group

• iplanet-am-managed-filtered-group

• groupofurls

To Mark Filtered Groups Using the Sample Script

1. Copy update-filtered-groups.pl to the following directory:

   Directory_Server_root\shared\bin

2. Set the $base variable to the base suffix of the DIT. Example:
   o=madisonparc.

3. In the directory where the script is located, at the command line enter the following:

     perl update-filtered-groups.pl

4. When prompted, provide the following information:

   Enter Host Name: Enter the name of the computer system in which your Directory Server is installed.

   Enter Bind User Name: Enter a username that has sufficient privileges for accessing the entire directory. Example: cn=Directory Manager

   Enter Bind password: Enter the password for the user you specified above.

   Enter port number: Enter the Directory Server port number. Example: 389

5. To check the results, open the LDIF file that is created (for example: update-filtered-groups-update.ldif) and verify that the appropriate changes were made.

Step 10g: Mark Assignable Dynamic Groups

An assignable dynamic group is similar to a filtered group, but uses a DN in the user entry to point to the group.

Add the following object classes to each assignable dynamic group:

• iplanet-am-managed-group

• iplanet-am-managed-assignable-group

• groupofurls

To Mark Assignable Dynamic Groups Using the Sample Script

1. Copy update-assignable-dynamic-groups.pl to the following directory:

     Directory_Server_root\shared\bin

2. Set the $base variable to the base suffix of the DIT. Example:
     o=madisonparc.

3. In the directory where the script is located, at the command line enter the following:

     perl update-assignable-dynamic-groups.pl

4. When prompted, provide the following information:

   Enter Host Name: Enter the name of the computer system in which your Directory Server is installed.

   Enter Bind User Name: Enter a username that has sufficient privileges for accessing the entire directory. Example: cn=Directory Manager

   Enter Bind password: Enter the password for the user you specified above.

   Enter port number: Enter the Directory Server port number. Example: 389

5. To check the results, open the LDIF file that is created (for example: assignable-dynamic-groups-update.ldif) and verify that the appropriate changes were made.

Step 10h: Mark Group Containers

Group containers are organizational units (ou) that contain groups. To each group container, add the following object class:

  iplanet-am-managed-groupcontainer

To Mark Group Containers Using the Sample Script

1. Copy update-groups.pl to the following directory:

     Directory_Server_root\shared\bin

2. Set the $base variable to the base suffix of the DIT. Example:
     o=madisonparc.

3. In the directory where the script is located, at the command line enter the following:

     perl update-groups.pl

4. When prompted, provide the following information:

   Enter Host Name: Enter the name of the computer system in which your Directory Server is installed.

   Enter Bind User Name: Enter a username that has sufficient privileges for accessing the entire directory. Example: cn=Directory Manager

   Enter Bind password: Enter the password for the user you specified above.

   Enter port number: Enter the Directory Server port number. Example: 389

5. To check the results, open the LDIF file that is created (for example: groups-update.ldif) and verify that the appropriate changes were made.

Results of DSAME and Directory Modifications

---

After making the modifications in the previous steps, all entries in the DIT will be manageable by DSAME. The existing ACIs for the organization administrators do not have to be modified. Even though DSAME uses roles and ACIs by default, your existing groups and ACIs will still work.

You can convert a groups-based DIT to one that leverages roles and ACIs. If you choose to do this, you can use the DSAME organization administrator roles and assign them to your existing organizationList administrators.