Previous Contents Index Next |
iPlanet Directory Server Access Management Edition Installation and Configuration Guide |
Chapter 10 Using an Existing Directory Server
If you're using an existing Directory Server that is already provisioned with users, you must make several changes in your Directory Information Tree (DIT) before iPlanet Directory Server Access Management Edition (DSAME) will recognize your user data. The number and scope of changes you must make will depend upon how your existing DIT is structured, and upon how you plan to use DSAME.This chapter provides instructions for installing DSAME services against an existing directory that contains user data. It also explains how to configure DSAME to work with your DIT, and how to make the necessary changes to your existing directory entries.
Topics in this chapter include:
Before You Begin
Step 1: Install Directory Server 5.1 and Configure it to Work with DSAME
Step 2: Install DSAME Services
Step 3: (Optional) Add Your Custom Object Classes to DSAME Schema
Step 4: (Optional) Configure Alternative Naming Attributes
Step 5: Load DSAME LDIF into Your Directory
Step 6: Load DSAME Service Attributes into Your Directory
Step 7: (Optional) Add DSAME ACIs to Your Default Organization
Step 8: Remove Unnecessary Files
Step 10: Add DSAME Object Classes and Attributes to Existing Directory Entries
Before You Begin
The requisite directory modifications are complex. They require a high level of expertise in LDAP planning and implementation, as well as some familiarity with XML. The procedures are complicated and can be time-consuming. Be sure to plan accordingly for this phase of deployment.
Note If you do not already have an existing directory that is provisioned with users, you do not need to perform the steps described in this chapter. See "Simple Installations with No Existing Directory Server".
Supported DITs and Unsupported DITs
While DSAME can be reconfigured to support most existing DITs, in some situations reconfiguration may not be recommended. To determine whether your DIT may be compatible with DSAME, see "DITs That Cannot Be Managed by DSAME".
Background for Examples Used in This Chapter
In order to illustrate the types of changes you'll need to make to your directory, we'll use a simple DIT for a fictitious company. The directory entries for this company, represented by o=madisonparc, contain two custom object classes. These are object classes that are not already defined in DSAME schema. If your DIT contains custom object classes, you'll also need to make changes to the DSAME XML files.
Basic DIT Structure
The examples used in this chapter are based on a simple DIT for a fictitious company. Figure 10-3 shows two organizations, Engineering and Sales, under the root. All groups in this example are static groups. This means that entries for these groups use the groupOfUniqueNames object class, which contains values naming the members of the group.
Figure 10-1    Directory Information Tree (DIT) Used in Examples in this Chapter.
The following summarizes the use of groups in this sample DIT:
There is one group containing the administrators for Engineering, and one group with the administrators for Sales.
Very simple ACIs are set for the groups Engineering and Sales to allow members of these groups to manage their respective organizations.
In each organization, there is a group that contains non-administrator users.
There is another group at the root level, or top level. It contains the all users in the directory.
Custom Object Classes
The fictitious company used in this example uses two object classes that are not included in the DSAME schema nor in the Directory Server 5.1 schema. An auxiliary object class madisonparc-org is in every organization entry, and an auxiliary object class madisonparc-user is in every user entry. In order to manage these extensions, changes must be made in the following three files:These changes are described in detail in the section "Step 3: (Optional) Add Your Custom Object Classes to DSAME Schema". If you use custom object classes in your existing directory, you will need to make similar changes.
Step 1: Install Directory Server 5.1 and Configure it to Work with DSAME
DSAME will work only with iPlanet Directory Server 5.1. If you have a pre-5.1 version installed, you must upgrade to version 5.1 and migrate your data before you can install DSAME services.
Step 1a: Back Up Your Directory Data
For detailed information on backing up your directory, see the iPlanet Directory Server Installation Guide at:http://docs.iplanet.com/docs/manuals/directory.html
Step 1b: Install and Configure Directory Server 5.1 with DSAME Schema
You must have root permissions when you run the DSAME installation program. Be sure all web browsers are closed before starting the installation program.
If you're installing DSAME from the product CD, insert the CD into the drive of the system on which you want to install the software. If you've downloaded the product, unzip the product binaries file.
Once you've exited the installation program, iPlanet recommends that you optimize the Directory Server for use with the DSAME Policy service and Management service. For detailed instructions, see "Step 1d: Optimizing Directory Server for DSAME" in this chapter.Run the setup.exe program. You'll find the program in the root directory of the CD-ROM. If you've downloaded the product binariers, you'll find the program in the directory where you unzipped the binary files.
Read the License Agreement. When prompted, Do you agree to the license terms? Enter y for Yes.
- Double-click the setup.exe icon.
- Installation messages are written to log files in the following directory:
- C:\Documents and Settings\username.hostname.*\
Local Settings\Temp\
In the Installation Directory, provide the following information:
In the Components to Be Installed/Uninstalled window, select only iPlanet Directory Server. De-select all other components.
- Install DSAME in this directory: Enter the full path to the directory where you want to install DSAME components. Plan to install the DSAME Services and Directory Server in different directories. Ideally, you would install DSAME Services and Directory Server on different computer systems.
In the Directory Schema window, provide the following information, and then click Next:
In the iPlanet Directory Server Information window, provide the following information, and then click Next:
- Root Suffix: This is the point in your directory where you want DSAME to start managing entries. Enter a relative distinguished name (RDN) that includes at least one naming_attribute=value pair. Examples:
- o=isp
- o=madisonparc
- dc=sun,dc=com,l=us
- If you want the default organization to be the root suffix, then enter a period (.).
- Install DSAME Schema: Select this option. Click the checkbox until a checkmark displays.
In The Administration Server that Manages Directory Server window, provide the following information, and then click Next:
- Host: Enter the fully qualified domain name for the computer system where Directory Server will be installed.
- Port: Enter a port number. Directory Server typically uses port 389.
- Installation Directory: Enter the full path to the directory where Directory Server will be installed.
- Directory Manager: Enter the distinguished name (DN) of the user who has unrestricted access to Directory Server. Example: cn=Directory Manager.
- Password: Enter a password for the Directory Server administrator.The password must be at least eight characters in length.
- Confirm Password: Enter the password again to confirm it.
In the Currently Selected Settings window, review the configuration information that you've entered. If you need to make changes, click Back. Otherwise, click Next to proceed.
- Administrator: This administrator user ID is used only when the Directory Server is down and you are unable to log in as the configuration directory administrator (typically, cn=Directory Manager). The existence of this user ID means that you can access Administration Server and perform disaster recovery activities such as starting Directory Server, reading log files, and so forth.
- Normally, Administration Server user and password should be identical to the configuration directory administrator ID and password.
- Port: Enter a port number. The Administration Server that manages Directory Server typically uses port 8900.
- Password: Enter a password for the Directory Server administrator. The password must be minimum eight characters in length.
- Confirm Password: To confirm the Administrator password, enter it again.
In the Ready to Install window, review the installation information. If you need to make changes, click Back. Otherwise, click Next to begin the installation.
In the Installation Summary window, click Details for a detailed summary of the configuration information that was processed during Installation. Then click Exit to end the program.
Step 1c: Migrate Existing Data to Directory Server 5.1
In this step, you will update your pre-5.1 data to work with Directory Server 5.1. This process, called migration, is performed by running the migrateInstance5 script that comes with Directory Server. The migration script performs the following tasks in sequence:
Checks the schema configuration files, and notifies you of any changes between the standard configuration files and the ones present on your system.
Creates a database for each suffix stored in the legacy Directory Server. (In Directory Server 5.0 you can have multiple databases, but just one suffix per database).
Migrates the server parameters and database parameters. (In Directory Server 5.0, these are stored as LDAP entries in the dse.ldif file.)
Migrates user-defined schema objects.
Migrates standard server plug-ins.
Migrates the certificate database, and SSL parameters.
Note Your existing user data must be migrated to Directory Server 5.1 before you go on to Step 2. Otherwise, DSAME may not be able to recognize your existing user data.
- You must run the script on the system where your existing Directory Server is installed. You must shut down your directory service before running the migration script. For detailed migration instructions, see the iPlanet Directory Server Installation Guide at: http://docs.iplanet.com/docs/manuals/directory.html.
Step 1d: Optimizing Directory Server for DSAME
You can optimize DSAME page handling and search performance by modifying the Directory Server configuration. The following measures are necessary when any organization in your directory exceeds 4000 users:
To Add Appropriate Indexes to Your Directory
Start the Directory Server console. In the directory where Directory Server is installed, double-click the startconsole.exe icon, and then log in.
In iPlanet Console, in the navigation tree, double -click the Directory Server icon.
In iPlanet Console, in the navigation tree, locate and double -click the Directory Server icon.
In the Directory Server console, click the Configuration tab.
In the navigation tree, click the Data icon, and then click Database Settings.
In the right pane, click Default Indexes.
To add the memberof attribute, click Add Attribute, and then do the following:
In the Select Attributes window, select the memberof attribute and then click OK.
To add a substring index for the uid attribute, in the Default Indexes list, select the uid attribute. Then check the boxes for Equality, Presence, and Substring.In the Default Indexes list, select the memberof attribute and then check the boxes for Equality, Presence, and Substring.
To Reset the Lookthroughlimit Parameter
In iPlanet Console, in the navigation tree, locate and double -click the Directory Server icon.
In the Directory Server console, click the Configuration tab.
In the navigation tree, double-click the Data icon and then click the Database Settings.
In the right pane, click LDBM Plug-in Settings.
In the Look Through Limit field, enter a number greater than the number of entries that Directory Server will check in response to a search request.
To Reset the Sizelimit Parameter
By default, the Administration Console displays up to 2000 entries. If you want to display more than 2000 entries, you can reset the value of the iPlanet Directory Server attribute nsslapd-sizelimit to a greater number that is appropriate for your directory size. You can also reset the value at -1 for no limit. For more information, see the Directory Server documentation.
Step 1e: Back Up Your Existing Data
Back up your existing DIT before proceeding further with the other steps. Many of the changes described in this chapter must be done manually and can be error-prone.For detailed information on backing up your directory, see the iPlanet Directory Server Installation Guide at:
http://docs.iplanet.com/docs/manuals/directory.html
Step 2: Install DSAME Services
You must have root permissions when you run the DSAME installation program. Be sure all web browsers are closed before starting the installation program.
If you're installing DSAME from the product CD, insert the CD into the drive of the system on which you want to install the software. If you've downloaded the product, unzip the product binaries file.
Run the setup.exe program. You'll find the program in the root directory of the CD-ROM. If you've downloaded the product binariers, you'll find the program in the directory where you unzipped the binary files.
Read the License Agreement. When prompted, Do you agree to the license terms? Enter y for Yes.
- Double-click the setup.exe icon.
- Installation messages are written to log files in the following directory:
- C:\Documents and Settings\username.hostname.*\
Local Settings\Temp\
In the Installation Directory window, provide the following information:
In the Components to Be Installed window, select only DSAME Management and Policy Services. De-select all other components.
- Install DSAME in this directory: Enter the path to the directory where DSAME Services will be installed. Plan to install the DSAME Services and Directory Server in different directories. Ideally, you would install DSAME Services and Directory Server on different computer systems.
In the iPlanet Web Server Information window, provide the following information about the Web Server that will run DSAME services, and then click Next:
In The Web Server that Runs DSAME Services window, provide the following information about the computer system where DSAME will be installed, and then click Next:
- Administrator: Enter a user name for the administrator who will access and manage the Web Server when necessary.
- Port: Enter a port number. Typically, this administration port is set to 8888.
- Password: Enter the password for the Administrator specified above. The password must be a minimum of 8 characters in length.
- Confirm Password: To confirm the Administrator password, enter it again.
In the Directory Schema window, provide the following information, and then click Next:
- Host: Enter the name of the computer system where DSAME will be installed.
- Port: Enter the port number of the Web Server that will run DSAME services.
- Protocol: If the Web Server that will run DSAME services will not be using Secure Socket Layer (SSL) protocol, then select HTTP. If it will be SSL-enabled, then select HTTPS.
- Domain: Enter the domain name of the computer system where DSAME will be installed.
- Deployment URI: Enter the Deployment Universal Resource Identifier (URI) that was specified when DSAME was installed. The default is /amserver.
In the next Directory Schema window, provide the following information, and then click Next:
- Do you want DSAME to run in iPlanet-compliance mode? In most cases, select No. The iPlanet-compliant DIT uses specialized directory objects, and its tree structure is optimized for use by hosting companies. For detailed information about the iPlanet-compliance mode, see "Compliant vs. Default DIT".
In the iPlanet Directory Server Information window, provide the following information, and then click Next:
- Root Suffix of Your Directory Tree: This is the point in your directory where you want DSAME to start managing entries. Enter a relative distinguished name (RDN) that includes at least one naming_attribute=value pair.
- Examples:
- o=isp
- o=madisonparc
- dc=sun,dc=com,l=us
- Organization Name: Enter a name for the first organization to be used or created in your DSAME Directory Information Tree (DIT). This name will be displayed in the DSAME graphical user interface. Examples: iPlanet or iplanet.com.
- Directory Component Node: Enter the point in the DIT where DSAME will start managing entries. Example: o=isp.
In the DSAME Super Administrator Information window, provide the following information, and then click Next:
- Host: Enter the fully qualified domain name for the computer system where Directory Server will be installed.
- Port: Enter a port number. Directory Server typically uses port 389.
- Directory Manager: Enter the distinguished name (DN) of the user who has unrestricted access to Directory Server. Example: cn=Directory Manager.
- Password: Enter a password for the Directory Server administrator.The password must be a minimum of eight characters in length.
In the Currently Selected Settings window, review the configuration information that you've entered. If you need to make changes, click Back. Otherwise, click Next to proceed.
- User name: The user name for the Super administrator is amAdmin This name cannot be reconfigured.
- Password: Enter the password for the user amAdmin. the password must be a minimum of 8 characters in length.
- Confirm Password: To confirm the amAdmin password, enter it again.
In the Ready to Install window, review the installation information. If you need to make changes, click Back. Otherwise, click Next to begin the installation.
In the Installation Summary window, click Details for a detailed summary of the configuration information that was processed during installation. Then click Exit to end the program.
Step 3: (Optional) Add Your Custom Object Classes to DSAME Schema
If your existing DIT contains object classes you've created and that do not come with Directory Server, then you'll have to add those object classes and attributes to the DSAME schema. For background information, see "Understanding DSAME XMLs and DTDs" in the Programmer's Guide.If you do not use custom object classes in your DIT, this step is not necessary. Skip to "Step 5: Load DSAME LDIF into Your Directory".
In the examples in this section, the company Madison Park uses two object classes that do not come with the DSAME schema. An auxiliary object class madisonparc-org is in every organization entry, and an auxiliary object class madisonparc-user is in every user entry.
In order to manage these extensions, changes must be made in the following three files:
Step 3a: Add Attributes to the Organization Schema
In this step, you will modify two services files:The DSAME console uses the information in amEntrySpecific.xml for display purposes. Each DSAME abstract entry may have a subschema in this XML file. In the following example, you would add the two attributes from the madisonparc-org object class to the organization subschema. If the DIT contained customized organizational units, groups, or people containers, you would add or modify their subschemas in this same XML file.
The subschema name for an organizational unit will be OrganizationalUnit. The subschema name for a people container will be PeopleContainer.
Note The User subschema is not configured here in the amEntrySpecific.xml file, but in the amuser.xml file (see "Step3b: Add Attributes to the User Schema".) Although any service XML file may describe an attribute that is for a user only, the amentryspecific.xml file can serve as a default placeholder for user attributes that are not tied to a particular service.
Note In XML, attribute names must be all lowercase. When DSAME retrieves attributes names from Directory Server, it converts all names to lowercase.
"> To Add Attributes from a Custom Organization to the Organization Subschema
Note In XML, attribute names must be all lowercase. When DSAME retrieves attributes names from Directory Server, it converts all names to lowercase.
In the file DSAME_root\web-apps\services\WEB-INF\config\xml\
All the attributes listed in the subschema are displayed in the Administration Console when the organization is displayed. If an attribute is not listed, the Administration Console will not display the attribute.
amEntrySpecific.xml,
Also in the amEntrySpecific.xml file, create i18N keys (also called index keys or localization keys) for each attribute. All i18N keys in an organization must be made up of unique strings. The DSAME Administration Console will use this key to look up the display name for the attribute.
- add the attributes from the custom object class to the subschema Organization. For example, the following two attributes from the custom object class madisonparc-org were added to the file:
type="single" syntax="string" any="required" /> <AttributeSchema name="madisonparc-org-city" type="single" syntax="string" any=required|filter />
type="single" syntax="string" any="required" i18nKey="o3" /> <AttributeSchema name="madisonparc-org-city" type="single" syntax="string" any=required|filter i18nKey="o4" /> In the following file, add the values for i18n keys you created in Step 2:
The "any" attribute
The any attribute in the XML descriptions may have three possible values: required, optional, or filter. Typically, required and optional are not both displayed at the same time; they are mutually exclusive.required. This value tells Admin Console whether the attribute should appear on the Create page. If any=required, the attribute must have a value or the Console will not allow the Create operation. Use an empty string ("") to tell the Admin Console to display nothing.
optional. This value tells Admin Console whether the attribute should appear on the Create page. If any=optional, the attribute will appear on the Create page without an asterisk. This would indicate that you don't have to give it a value to create the entry.
filter. This value tells the Console whether to use this attribute on the Search page or in organizations.
In the following example, both attributes will be displayed on the Organization page, and both attributes are required for creation. This is indicated by the use the required value. Only the madisonparc-org-city attribute will be used on the Search page in DSAME Administration Console, as indicated by the use of the filter value.
Example:
type="single" syntax="string" any="required" i18nKey="o3" /> <AttributeSchema name="madisonparc-org-city" type="single" syntax="string" any=required|filter i18nKey="o4" />
The "type" attribute
The type attribute can use a string, string list, single choice, multiple choice, or boolean value. For example, if the madisonparc-org-city attribute can have only one of the cities Concord, San Francisco, or Palo Alto, as a valid value, then you would make this attribute a single choice; each city would be one of the choices. The DSAME Administration Console would display a list containing only these cities. If multiple cities were allowed, the attribute could be a multiple choice.
Step3b: Add Attributes to the User Schema
In this step, you will modify two files for services:The amUser.xml file is where user attributes are described, just as organization and group schema are described in the amEntrySpecific.xml (see Step 2). The file amUser.xml describes the User service for DSAME. Note that any service may describe an attribute that is for a user only. This file is just the default placeholder for user attributes that are not tied to a particular service.
When displaying a user's attributes, the DSAME Administration Console gets all attributes from all services that are subschema type User, and displays them using the same values as used in the amEntrySpecific.xml file (see "The "any" attribute" and "The "type" attribute"). In the following examples, a few attributes from the madisonparc-user object class are added to the file, thus it is not necessary to create a new service. It's only necessary to modify, or extend, the amUser service.
Additional Notes About the amUser.xml File
The file amUser.xml contains the special any attribute. The any=display attribute tells DSAME whether to display the attribute in the user profile page. This is a misleading name since it implies access control. It is strictly used for display. If this attribute is set to no then the console will not display the attribute.Also note that the attributes are defined under subschema User and not Dynamic. Any attribute defined under User is physically an attribute in the user entry. If you want the attribute to be a role-based or organization-based attribute, then you would define it under the Dynamic subschema. For background information, see "Understanding DSAME XMLs and DTDs" in the Programmer's Guide.
For example, you could make the madison-user-building attribute Dynamic, and have DSAME create a role with this attribute. This way if all employees in a division moved to a different building, you would only have to modify the role attribute instead having to modify of every single user entry.
To Add Attributes from a Custom Organization to the User Subschema
In the following file, add the attributes from the custom object class to the User subschema:
For example, the following two attributes from the custom object class madisonparc-user were added to the file:
type=single syntax=string any=required|display i18nKey=u13 /> <AttributeSchema name=madisonparc-user-building type=single syntax=string any=required|filter|display i18nKey=u14 In the amUser.xml file, create i18N keys (also called index keys or localization keys) for each attribute. All i18N keys in an organization must be made up of unique strings. The DSAME Administration Console will use this key to look up the display name for the attribute. See the example above.
Add values for the i18nKeys created in the previous step to the following file: DSAME_root\web-apps\services\WEB-INF\classes\amUser.properties
Step 3c: Modify the Creation Templates
In this step, you will modify the ums.xml file.In Figure 10-3, the sample DIT has new object classes for both users and organizations. To expose the new object classes in the UI, you would modify the Creation Templates for both users and organizations in the ums.xml file. The Creation Templates configure DSAME to add or allow specific object classes and attributes when these entries are created.
To Modify the Creation Templates
Make the following modifications in the file DSAME_root\web-apps\services\config\ums\ums.xml
Under <SubConfiguration name="BasicOrganization" id="CreationUmsObjects">, in the <AttributeValuePair> <Attribute name="required" /> element, add the following:
Under <SubConfiguration name="BasicUser" id="CreationUmsObjects">, in the <AttributeValuePair><Attribute name="optional" /> element, add the following:
- <Value>objectClass=madisonparc-org</Value>
Under <SubConfiguration name="BasicOrganization" id="CreationUmsObjects">, in the <AttributeValuePair> <Attribute name="optional" /> element, add the following:.
- <Value>objectClass=madisonparc-user</Value>
Under <SubConfiguration name="BasicUser" id="CreationUmsObjects">, in the <AttributeValuePair> <Attribute name="optional" /> element, add the following:
- <Value>madisonparc-org-description</Value>
- <Value>madisonparc-org-city</Value>
- <Value>madisonparc-user-id</Value>
- <Value>madisonparc-user-building</Value>
Step 4: (Optional) Configure Alternative Naming Attributes
If you used a naming attribute other than o=organization to define organizations in your DIT, your must modify the ums.xml file to accommodate the non-standard naming attributes. If you used a naming attribute other than uid=username to define users in your DIT, your must make similar modifications in the ums.xml file. For detailed reference information, see "Using Alternative Naming Attributes".
To Configure Alternative Naming Attributes for Organizations
The following steps assume that dc is the naming attribute used for an organization. Perform the modifications in the following file:DSAME_root\web-apps\service\WEB-INF\config\ums\ums.xml
Replace any appearance of o=org with dc=org.
In the BasicOrganization section, replace value of o with dc.
In the BasicOrganizationSearch SubConfiguration section, replace value of o with dc.
In the BasicOrganization section, change the objectclass of organization to domain. If you use ou for an organization, then you need to change it to organizationalUnit.
To Configure Alternative Naming Attributes for Users
The following steps assume that cn is the naming attribute used for users.Make modifications in the following directory:
DSAME_root\web-apps\services\WEB-INF\config
In the file ldif\installExisting.ldif, with two exceptions, replace uid with cn. The exceptions are:
In xml\amAuth.xml, replace uid with cn for user naming attribute.
In xml\amMembership.xml, replace uid with cn for the user naming attribute.
In xml\amAuthLDAP.xml, replace uid with cn for the user naming attribute.
In AMConfig.properties, replace uid=amAdmin with cn=amAdmin.
In ums\ums.xml, in BasicUser subconfiguration, replace uid with cn for namingattribute.
In ums\ums.xml, in BasicUser required values, change cn=default to cn and uid to uid=default.
Step 5: Load DSAME LDIF into Your Directory
The installExisting.ldif file contains DSAME-specific entries that are loaded into Directory Server during installation. Typically, you will not need to modify this file before it gets loaded during the installation process.You can use the ldapmodify utility that comes with Directory Server to load installExisting.ldif. In the MadisonParc example, when you load the LDIF, the following occurs:
Users and marker object classes required for DSAME are added to o=madisonparc and o=Engineering,o=madisonparc
Default roles for organization and help desk administrators are created.
Default Access Control Instructions (ACIs) for those administrator entries are set up.
Before You Begin
You can use the version of ldapmodify that comes with Directory Server 5.x, or you can use the version that comes with DSAME. If your Directory Server is installed on a computer system other than the one where DSAME services are installed, you can use the ldapmodify utility that comes with DSAME. You'll find ldapmodify in this directory of the DSAME installation:To run commands in the following procedures, open a DOS prompt window and set the path to the ldapmodify tool, for example:
set PATH=DSAME_root/tools;%PATH%"
To Load the installExisting.ldif File
Go the following the directory:
The DSAME administration user amAdmin will be created under the ou=People,o=Engineering,o=madisonparc people container. This is the top level administrator for DSAME. This administrator has read and write access to the entire subtree for o=madisonparc. You can add one of your users to this top level administrator role after the DSAME console is started.Run the following command:
- ldapmodify -v -c -D "cn=Directory manager" -w password -a -f installExisting.ldif
Note You must specify the -c option. Be sure you install only installExisting.ldif, and none of the other LDIF files in the same directory.
- If you encounter error messages regarding "already existing" entries or values for the default organization, see "Step 7: (Optional) Add DSAME ACIs to Your Default Organization".
Figure 10-2    Directory Information Tree (DIT) Used in Examples in This Chapter.
Step 6: Load DSAME Service Attributes into Your Directory
You can load the ums.xml file and all services files with the same command.
Go to the following directory: DSAME_root\web-apps\services\WEB-INF\config\ums
If you see any parsing errors, you should go back and double-check the changes you made in the previous steps. Also examine the syntax in the amUser.xml and amEntrySpecific.xml files, and make sure you've used the correct syntax. If you need to look at syntax examples, look at the other service XML files located in the following directory:At the command line, enter the following command:
Step 7: (Optional) Add DSAME ACIs to Your Default Organization
You only need to perform this step if, during installation, you specified an existing organization as your default organization. (By default, DSAME creates one new organization with the an RDN o=iplanet. If you accepted the default RDN, skip to the Step 8.)In this step, you will manually add the DSAME default ACIs to the organization you specified as the default, or first, organization.
Copy the DSAME default organization ACIs from the following file to a text file:
In the directory where your ldapmodify utility is located, enter the following command:
Step 8: Remove Unnecessary Files
The following files contain password tags that were swapped during DSAME installation. These files are unnecessary now and can be deleted:
DSAME_root\web-apps\services\WEB-INF\config\ldif\*.ldif
DSAME_root\web-apps\services\WEB-INF\config\ums\dpserveradmin
Tip As an alternative to deleting the files, you can change the passwords contained in the files.
Step 9: Start DSAME
At this point, you can start the DSAME server and you will be able to log in to the DSAME Administration Console as amAdmin user. You should see the root suffix and organization you specified during installation. In the Madison Park example, you would see o=madisonparc and o=Engineering. You will not be able to see the rest of your entries since they do not yet contain the DSAME marker object classes.
To start DSAME
You can start DSAME by using one of the following methods:
Enter the following commands in a DOS prompt window:
From the Start menu, select Programs > Administrative Tools > Services. In the Services window, right-click the icon for DSAME-hostname. From the menu, choose Start.
To log into the Administration Console
Use a browser to go to the following URL:http://localhost.sub-domain.domain:port number/URI_prefix/console
At installation, the default URI_prefix is amserver.
Step 10: Add DSAME Object Classes and Attributes to Existing Directory Entries
In this step, you modify your existing directory entries to include the necessary DSAME object classes and attributes. You can think of the DSAME object classes as markers that indicate the directory entries you want to manage through DSAME. These markers enable DSAME to recognize the entries in your directory. The object classes contain special attributes that are necessary to achieve delegated administration.
Before You Begin
There are a number of resources you can use to facilitate the remaining steps for using an existing directory.
Examples Used in This Section
The examples used in this chapter are based on the MadisonParc DIT. Figure 10-3 shows two organizations, Engineering and Sales, under the root. All groups in this example are static groups.
Figure 10-3    The MadisonParc DIT.
Utilities and Scripts You Can Use
You can make these modifications by using iPlanet Directory Server Console, or by using the ldapmodify or db2ldif utilities that come with Directory Server. For detailed information on how to make directory changes by using the Console or by using these utilities, see the documentation for iPlanet Directory Server at:http://docs.iplanet.com/docs/manuals/directory.html
You can also use the sample scripts that are included in this product. The sample scripts require Perl 5.x or later. You'll find the sample scripts in the following location:
While these samples should prove useful, they are only tools to assist you in properly formatting the DIT and other data. Each script has one or more variables at the top of the file that must be edited before the script is executed. After each script is executed, it generates an LDAP Data Interchange Format (LDIF) file.
If you encounter error messages regarding "already existing" entries or values, you must add the object classes or attributes manually. See the iPlanet Directory Server documentation for detailed instructions.
Steps for using each sample script are included in this chapter in the instructions for marking each object class.
Related Information
Detailed reference information is provided in Appendix A "DSAME Object Classes and Attributes." See page 247 in this manual for information on the following topics:
Using DSAME Object Classes as Markers
Using Alternative Naming Attributes
Two Approaches to Modifying the Existing DIT
You can use one of two approaches for modifying the DIT. One option is to make all the necessary modifications to your DIT before loading the DSAME LDIF and XML configuration files. This procedure is more error-prone, but may be faster if you have experience using LDAP.The other option is to make a few modifications in your LDIF and XML files, and then start DSAME to make sure those modifications were done correctly. This second approach is the recommended approach. For example, you may want to add the DSAME object classes for each of your organizations, restart DSAME, and verify that your organizations appear in the DSAME Administration Console. Then add marker classes for groups, check them and so forth.
Step 10a: Mark Organizations
If you used an existing organization as your default organization during installation, you do not have to make these changes. The installation program automatically added these object classes and attributes. Skip to Step 10b.
Add the following object classes to each organization entry:
In the MadisonParc example, these object classes and attributes were automatically added to the default organization, o=Engineering, which was the organization specified and created during DSAME installation. The object classes and attributes were manually added to the o=Sales organization.Add the following attributes to each organization entry:
Example:
To Mark Organizations Using the Sample Script
Copy update-o.pl to the following directory:
Set the $base variable to the base suffix of the DIT. Example:
o=madisonparc.In the directory where the script is located, at the command line enter the following:
When prompted, provide the following information:
To check the results, open the ldif file that is created (for example: o-update.ldif) and verify that the appropriate changes were made.
- Enter Host Name: Enter the name of the computer system in which your Directory Server is installed.
- Enter Bind User Name: Enter a username that has sufficient privileges for accessing the entire directory. Example: cn=Directory Manager
- Enter Bind password: Enter the password for the user you specified above.
- Enter port number: Enter the Directory Server port number. Example: 389.
Step 10b: Mark People Containers
To each people container, add the iplanet-am-managed-people-container object class.Example:
To Mark People Containers Using the Sample Script
Copy update-people.pl to the following directory:
Set the $base variable to the base suffix of the DIT. Example:
o=madisonparc.For each people container branch to be modified, provide the DN for the organization above it. Example:
In the directory where the script is located, at the command line enter the following:
- $domain{"hostedCompanyA"} = "ou=hostedCompanyA, o=isp";
- $domain{"hostedCompanyB"} = "ou=hostedCompanyB, o=isp";
When prompted, provide the following information:
To check the results, open the LDIF file that is created (for example: people-update.ldif) and verify that the appropriate changes were made.
- Enter Host Name: Enter the name of the computer system in which your Directory Server is installed.
- Enter Bind User Name: Enter a username that has sufficient privileges for accessing the entire directory. Example: cn=Directory Manager
- Enter Bind password: Enter the password for the user you specified above.
- Enter port number: Enter the Directory Server port number. Example: 389
- Enter People Container: Enter the name of the people container that contains the uids you want to modify. Example: People
Step 10c: Mark Organizational Units
To each container, or organizational unit, add the following object class: iplanet-am-managed-org-unitExample:
To Mark Organizational Units Using the Sample Script
Copy update-ou.pl to the following directory:
Set the $base variable to the base suffix of the DIT. Example:
o=madisonparcIn the directory where the script is located, at the command line enter the following:
When prompted, provide the following information:
To check the results, open the LDIF file that is created (for example: ou-update.ldif) and verify that the appropriate changes were made.
- Enter Host Name: Enter the name of the computer system in which your Directory Server is installed.
- Enter Bind User Name: Enter a username that has sufficient privileges for accessing the entire directory. Example: cn=Directory Manager
- Enter Bind password: Enter the password for the user you specified above.
- Enter port number: Enter the Directory Server port number. Example: 389
To each user entry, add the following object classes:
Example:To each user entry, add the following attribute value:
To Mark Users Using the Sample Script
Copy udpate-users.pl to the following directory:
Set the $base variable to the base suffix of the DIT. Example:
o=madisonparc.Set the $base-component variable to the base suffix of the DIT. Example:
madisonparcIn the directory where the script is located, at the command line enter the following:
When prompted, provide the following information:
To check the results, open the LDIF file that is created (for example: users-update.ldif) and verify that the appropriate changes were made.
- Enter Host Name: Enter the name of the computer system in which your Directory Server is installed.
- Enter Bind User Name: Enter a username that has sufficient privileges for accessing the entire directory. Example: cn=Directory Manager
- Enter Bind password: Enter the password for the user you specified above.
- Enter port number: Enter the Directory Server port number. Example: 389
Step 10e: Mark Static Groups
To each group entry containing values for the uniquemember attribute, add the following object classes:Example
To Mark Static Groups Using the Sample Script
Copy update-static-groups.pl to the following directory:
Set the $base variable to the base suffix of the DIT. Example:
o=madisonparc.In the directory where the script is located, at the command line enter the following:
To check the results, open the LDIF file that is created (for example: static-groups-update.ldif) and verify that the appropriate changes were made.
- perl update-static-groups.pl
- When prompted, provide the following information:
- Enter Host Name: Enter the name of the computer system in which your Directory Server is installed.
- Enter Bind User Name: Enter a username that has sufficient privileges for accessing the entire directory. Example: cn=Directory Manager
- Enter Bind password: Enter the password for the user you specified above.
- Enter port number: Enter the Directory Server port number. Example: 389
Step 10f: Mark Filtered (Dynamic) Groups
In filtered groups, users are included in a single group based on their DN.Add the following object classes (no attribute) to each filtered group:
To Mark Filtered Groups Using the Sample Script
Copy update-filtered-groups.pl to the following directory:
Set the $base variable to the base suffix of the DIT. Example:
o=madisonparc.In the directory where the script is located, at the command line enter the following:
When prompted, provide the following information:
To check the results, open the LDIF file that is created (for example: update-filtered-groups-update.ldif) and verify that the appropriate changes were made.
- Enter Host Name: Enter the name of the computer system in which your Directory Server is installed.
- Enter Bind User Name: Enter a username that has sufficient privileges for accessing the entire directory. Example: cn=Directory Manager
- Enter Bind password: Enter the password for the user you specified above.
- Enter port number: Enter the Directory Server port number. Example: 389
Step 10g: Mark Assignable Dynamic Groups
An assignable dynamic group is similar to a filtered group, but uses a DN in the user entry to point to the group.Add the following object classes to each assignable dynamic group:
To Mark Assignable Dynamic Groups Using the Sample Script
Copy update-assignable-dynamic-groups.pl to the following directory:
Set the $base variable to the base suffix of the DIT. Example:
o=madisonparc.In the directory where the script is located, at the command line enter the following:
When prompted, provide the following information:
To check the results, open the LDIF file that is created (for example: assignable-dynamic-groups-update.ldif) and verify that the appropriate changes were made.
- Enter Host Name: Enter the name of the computer system in which your Directory Server is installed.
- Enter Bind User Name: Enter a username that has sufficient privileges for accessing the entire directory. Example: cn=Directory Manager
- Enter Bind password: Enter the password for the user you specified above.
- Enter port number: Enter the Directory Server port number. Example: 389
Step 10h: Mark Group Containers
Group containers are organizational units (ou) that contain groups. To each group container, add the following object class:iplanet-am-managed-groupcontainer
To Mark Group Containers Using the Sample Script
Copy update-groups.pl to the following directory:
Set the $base variable to the base suffix of the DIT. Example:
o=madisonparc.In the directory where the script is located, at the command line enter the following:
When prompted, provide the following information:
To check the results, open the LDIF file that is created (for example: groups-update.ldif) and verify that the appropriate changes were made.
- Enter Host Name: Enter the name of the computer system in which your Directory Server is installed.
- Enter Bind User Name: Enter a username that has sufficient privileges for accessing the entire directory. Example: cn=Directory Manager
- Enter Bind password: Enter the password for the user you specified above.
- Enter port number: Enter the Directory Server port number. Example: 389
Results of DSAME and Directory Modifications
After making the modifications in the previous steps, all entries in the DIT will be manageable by DSAME. The existing ACIs for the organization administrators do not have to be modified. Even though DSAME uses roles and ACIs by default, your existing groups and ACIs will still work.You can convert a groups-based DIT to one that leverages roles and ACIs. If you choose to do this, you can use the DSAME organization administrator roles and assign them to your existing organizationList administrators.
Previous Contents Index Next
Copyright 2002 Sun Microsystems, Inc. All rights reserved.
Last Updated March 27, 2002