iPlanet Messaging Server 5.2 Provisioning Guide
Chapter 6 Provisioning Messaging Server Administrators
This chapter describes how to provision the different types of Messaging Server Administrators (Table 6-1). It contains the following sections:
"Administrator Types"
"Creating a Configuration Administrator"
"Creating Message Store Administrators"
  "To Create a Message Store Administrator for a Specific Messaging Server"
  "To Create a Message Store Administrator for the Entire Mail System Topology"
  "To Create a Message Store Administrator for a Specific Domain"
"Creating Top-level Administrators"
"Creating Domain Administrators"
"Creating a Domain Organization Administrator"
Administrator Types
iPlanet Message Server administrators are classified by two sets of privileges:
- Privileges to configure messaging server (Server Administrators).
- Privileges to add, modify, and delete users and groups in the system (Messaging Directory Administrators).

Table 6-1    Messaging Server Administrators and Privileges
(Columns: Administrator; Description/Scope of Privileges; Permissions/Creation)

Server Administrators:

Configuration Administrator
  Description/Scope of Privileges: Can configure all servers and modify all directory data in the entire topology. Has system-level access to modify the MTA. Unrestricted access to all resources in the Console. Can provide server access to other administrators.
  Permissions/Creation: Config Admin user ID is automatically created when messaging server is first installed. For more information see Managing Servers with Netscape Console. Permissions granted by ACIs at: o=NetscapeRoot. Admin Account: uid=admin,ou=administrators,ou=topologymanagement,o=NetscapeRoot. Group DN: cn=configuration administrators,ou=groups,ou=topologymanagement,o=NetscapeRoot

Directory Manager
  Description/Scope of Privileges: Can modify anything in the directory. Can configure the directory. For security, the Configuration Administrator should not be the same as the Directory Manager.
  Permissions/Creation: Directory Manager user ID is created when the Directory Server is installed. Directory Manager credentials are stored in the directory server configuration file slapd.conf. Typical Account: cn=Directory Manager

Message Store Administrator
  Description/Scope of Privileges: System-level admins can view mailboxes and specify access control. Using proxy authorization rights, can log in as any user. Can specify the partition for a mailbox and run message store utilities. Domain-level admins can't do partitions and have limited access to message store utilities.
  Permissions/Creation: This administrator is created by the Messaging Server Console or command line utilities. System-wide MS Admin Group DN: specified in store.serviceAdminGroupDN. Domain MS Admin Group DN: cn=Store Administrators,ou=Groups,<OrgTreeDomainSuffix>. Server MS Administrator is specified in the server configuration variable store.admin.

Messaging Directory Administrators:

Top-level Administrator (also called Service Administrator)
  Description/Scope of Privileges: Creates/modifies/deletes mail users, mailing lists, family accounts, and domains in an entire Messaging Server namespace via DA GUIs or CLIs. Automatically gets all message store privileges for all servers in the topology.
  Permissions/Creation: Top-level Administrator is automatically created at installation time. Group DN: cn=Service Administrators,ou=groups,<OrgTreeRoot>

Domain Administrator
  Description/Scope of Privileges: Creates/modifies/deletes mail users, mailing lists, and family accounts in a hosted domain via DA GUI or CLIs.
  Permissions/Creation: Top-level Administrator can create Domain Administrator. ACIs in OrgTree root and DC root and the OrgTree domain node. Group DN: cn=Domain Administrators,ou=groups,<OrgTreeDomain>

Domain Organization Administrator
  Description/Scope of Privileges: Creates/modifies/deletes mail users and mailing lists in a domain organization via DA GUI or CLIs.
  Permissions/Creation: Top-level or Domain Administrator can create Domain Organization Administrator.

Family Group Administrator
  Description/Scope of Privileges: Adds and removes family members in a family group. Can grant administrative access to other members of the group. See "Creating a Family Group Administrator".
  Permissions/Creation: Top-level and Domain Admin can create Family Group Administrator.

Mailing List Owner
  Description/Scope of Privileges: Two sets of rights: the ability to create a mailing list, and the ability to add/remove members of a mailing list.
  Permissions/Creation: Top-level, Domain, or Domain Organization Admin can grant permissions to a mailing list owner. nsDACapability grants creation privileges (see "Adding Mailing List Creation Privileges"). owner grants management privileges (see "Assigning Mailing List Owners").
Note The Netscape Console documentation at (http://docs.iplanet.com/docs/manuals/console.html) provides detailed information on using the console.
Creating a Configuration Administrator
A Configuration Administrator is automatically created at installation time. Additional Configuration Administrators can be created by other Configuration Administrators through the Console. See the Netscape Console documentation at (http://docs.iplanet.com/docs/manuals/console.html) for more information.
Creating Message Store Administrators
Message Store Administrators have privileges and scope. Privileges are as follows:
- View and monitor user mailboxes through IMAP.
- Specify access control for a message store through IMAP.
- Execute message store command line utilities requiring proxy authentication (for example, MoveUser).
The scope of the administrator's privileges can be:
- For a single domain (in addition, domain-level admins can't specify partitions and have limited access to certain message store commands).
- For a single message store (that is, the message store of a single messaging server).
- For all the message stores in a mail system topology.
Top-level Administrators automatically have system-wide message store privileges.
Messaging Server Administrators created during installation automatically have message store privileges for the installed server.
Top-level Administrators created during installation or at the console automatically have message store privileges for the entire topology.
Domain Administrators created on the iPlanet Delegated Administrator for Messaging automatically have message store privileges for the users in the domain on which they are installed.
To Create a Message Store Administrator for a Specific Messaging Server
Privileges required: Configuration Administrator or access to the mailsrv account on the Messaging Server machine.
Note that Configuration Administrators automatically receive Message Store privileges on the installed server. Server-specific Message Store Administrators can be created by Console (see the iPlanet Message Server Administration Guide) or by command line:
- configutil -o store.admin -v "adminlist"
where configutil is a utility that enables you to change configuration options, store.admin is the Message Store Administrator parameter, and adminlist is a space-separated list of fully-qualified UIDs (if in the default domain) or <uid>@<domain> if in a hosted domain. Refer to the iPlanet Messaging Server Reference Manual for details.
To Create a Message Store Administrator for the Entire Mail System Topology
Privileges required: Top-level Administrator or access to the mailsrv account on the Messaging Server machine.
By "entire mail system topology" we mean all the message stores for all the messaging servers under a common user/group directory root. By default, topology-wide message store administrative privileges are only granted to members of the group cn=Service Administrators,ou=groups,<OrgTreeRoot>. However, it is possible to change these message store privileges to another group by resetting the configuration value store.serviceAdminGroupDN. Note that if you do this, members of cn=Service Administrators,ou=groups,<OrgTreeRoot> will no longer have message store privileges unless they are also added to the new group.
In the example below, we will change the system-wide Message Store Administrator group from cn=Service Administrators,ou=groups,o=isp to cn=System-wide Store Administrators,ou=groups,o=isp and we'll add Biff as an administrator.
1. Create System-wide Store Administrators Group and Add a Member.
   - First create a group called System-wide Store Administrators and add a member using the uniqueMember attribute.
   - Set the memberOf attribute in the user entry.
2. Set store.serviceAdminGroupDN to the DN of the System-wide Message Store Administrators Group.
   - configutil -o store.serviceAdminGroupDN -v "cn=System-wide Store Administrators,ou=groups,o=isp"
   - This must be done on each server in the system.
To Create a Message Store Administrator for a Specific Domain
Privileges required: Domain Administrator, or Top-level Administrator
Domain Message Store Administrators can be created as follows:
- By using the iPlanet Delegated Administrator for Messaging GUI to convert a user into a Delegated Administrator.
- Through LDAP, as in the following example, which grants the user Biff message store privileges in sesta.com.
1. Create Store Administrators Group and add a member.
   - Create a group called Store Administrators in the domain node of the Organization Tree. Add the inetMailAdministrator object class and set the attribute mailAdminRole to storeadmin in the group entry. Add a member using the uniqueMember attribute. See the LDIF data below.
   - Note that the ACIs are created automatically at installation, and this group is created whenever a domain is created with the Delegated Administrator or Console.
   dn: cn=Store Administrators,ou=groups,o=sesta.com,o=isp
   objectclass: groupOfUniqueNames
   objectclass: inetMailAdministrator
   cn: Store Administrators
   mailAdminRole: storeadmin
   uniqueMember: uid=Biff,ou=People,o=sesta.com,o=isp
   - groupOfUniqueNames: this object class contains attributes for describing a collection of directory entries (namely users and other groups).
   - inetMailAdministrator: specifies attributes that confer administrative privileges on this group.
   - cn: the common name of the group of which Message Store Administrators must be a member.
   - mailAdminRole: the type of administrative privileges conferred on this group.
   - uniqueMember: DN of a member. In this example there is only one member in this group.
2. Specify the memberOf attribute in the user's entry to cn=Store Administrators,ou=groups,o=sesta.com,o=isp.
   dn: uid=Biff,ou=People,o=sesta.com,o=isp
   memberOf: cn=Store Administrators,ou=groups,o=sesta.com,o=isp
   - dn: the DN of the user designated to be a Message Store Administrator.
   - memberOf: DN of a group to which Biff belongs.
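As an added example (not code from the guide), the following Python script audits the three message store privilege scopes described in this section and the previous one: it parses a small constructed LDIF export, reports each uid's scope from the store.serviceAdminGroupDN group, from any group carrying mailAdminRole storeadmin, and from the store.admin list, and flags group members whose user entry lacks the matching memberOf (step 2 above). The LDIF, the group DN and the store.admin value are constructed; keying the report by bare uid is an assumption made to match the form store.admin uses.

```python
# Added example, not the guide's own code: audit who holds message store privileges at each scope.
from collections import defaultdict
rdn_value = lambda dn: dn.split(",", 1)[0].split("=", 1)[1]  # 'uid=Biff,ou=People,...' -> 'Biff'
SAMPLE_LDIF = """\
dn: cn=System-wide Store Administrators,ou=groups,o=isp
uniqueMember: uid=Biff,ou=People,o=sesta.com,o=isp

dn: cn=Store Administrators,ou=groups,o=sesta.com,o=isp
objectclass: inetMailAdministrator
mailAdminRole: storeadmin
uniqueMember: uid=Biff,ou=People,o=sesta.com,o=isp
uniqueMember: uid=Lana,ou=People,o=sesta.com,o=isp

dn: uid=Biff,ou=People,o=sesta.com,o=isp
memberOf: cn=Store Administrators,ou=groups,o=sesta.com,o=isp

dn: uid=Lana,ou=People,o=sesta.com,o=isp
"""  # constructed export; Lana's entry deliberately lacks memberOf
SERVICE_ADMIN_GROUP_DN = "cn=System-wide Store Administrators,ou=groups,o=isp"  # store.serviceAdminGroupDN
STORE_ADMIN = "Biff mailadmin@sesta.com"  # store.admin: space-separated uid or uid@domain (constructed)

def parse_ldif(text):
    """Return {dn: {attribute (lower-cased): [values]}}; a blank line ends an entry."""
    entries = {}
    for block in text.strip().split("\n\n"):
        attrs = defaultdict(list)
        for line in block.splitlines():
            attr, _, value = line.partition(":")
            attrs[attr.strip().lower()].append(value.strip())
        entries[attrs["dn"][0]] = attrs
    return entries

def store_admin_scopes(entries, service_group_dn, store_admin):
    """Map each admin uid to its scopes: 'topology', 'domain:<group dn>' or 'server'."""
    scopes = defaultdict(set)
    for dn, attrs in entries.items():
        roles = [v.lower() for v in attrs.get("mailadminrole", [])]
        for member in attrs.get("uniquemember", []):
            if dn == service_group_dn:           # group named by store.serviceAdminGroupDN
                scopes[rdn_value(member)].add("topology")
            elif "storeadmin" in roles:          # domain Store Administrators group
                scopes[rdn_value(member)].add("domain:" + dn)
    for uid in store_admin.split():              # server-specific list from store.admin
        scopes[uid].add("server")
    return dict(scopes)

def missing_memberof(entries):
    """(member, group) pairs where uniqueMember is set but the user entry lacks memberOf."""
    return [(m, g) for g, a in entries.items() for m in a.get("uniquemember", [])
            if g not in entries.get(m, {}).get("memberof", [])]
```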
Creating Top-level Administrators
Task Privilege: Top-level Administrator
A Top-level Administrator has directory and message store privileges to the entire messaging system. A default Top-level Administrator is created at installation, but additional Top-level Administrators can be created by adding users to the following group:
cn=Service Administrators,ou=Groups,o=<OrgTreeRoot>
and by setting the memberOf attribute in the user's entry to
cn=Service Administrators,ou=Groups,o=<OrgTreeRoot>
The example below makes Biff Fanning a Top-level Administrator. Note that the installer creates the appropriate ACIs for this entry. If you are creating the directory from scratch, see Appendix A "Root and Domain ACI Examples."
Creating Domain Administrators
Delegated Admin Utility: imadmin admin add
Task Privilege for Provisioning: Top-level Administrator
A domain administrator is a user who has privileges to add, delete, and modify users and groups in a particular domain using the Delegated Administrator or the command line utilities. Only Top-level Administrators can create Hosted Domain Administrators.
Once the Domain Administrator's group has been created and the ACI rules have been set, it no longer has to be done again. To create new administrators, simply add them to the group. The following LDIF examples create a Domain Administrators group and add Biff as a member of this group.
1. Create a Domain Administrators group and add a user to the group.
   - Create a group called Domain Administrators in the hosted domain node of the Organization Tree and add the DN of the user designated to be a Domain Administrator to this group. Also, add the object class inetMailAdministrator and the attribute value pair mailadminrole: storeadmin. (Note that this group with ACIs is automatically created when a domain is created with the Delegated Administrator.) Set the uniqueMember attribute in the Domain Administrators group to the DN of the new Domain Administrator. This is shown below.
   dn: cn=Domain Administrators,ou=groups,o=sesta.com,o=isp
   objectclass: groupOfUniqueNames
   objectClass: nsManagedDept
   objectClass: inetMailAdministrator
   cn: Domain Administrators
   mailadminrole: storeadmin
   uniqueMember: uid=Biff,ou=People,o=sesta.com,o=isp
   - groupOfUniqueNames: this object class contains attributes for describing a collection of directory entries (namely users and other groups).
   - cn: the common name of the group of which domain administrators must be a member.
   - mailadminrole: storeadmin grants message store administrator privileges to members of this group.
   - uniqueMember: specifies the distinguished names of the members of this group. In this example there is only one member in this group.
2. Verify Domain Administrators ACI Rules.
   - Domain administrator ACI rules are created automatically when you create a hosted domain using the Delegated Administrator or command line utilities like imadmin domain create. If you are provisioning hosted domains using LDAP, you will need to add ACI rules. An example is shown in Appendix A "Root and Domain ACI Examples."
3. Add memberOf to User Entry.
   - Set the memberOf attribute to cn=Domain Administrators,ou=groups,o=sesta.com,o=isp in the user's entry.
   dn: uid=Biff,ou=People,o=sesta.com,o=isp
   memberOf: cn=Domain Administrators,ou=groups,o=sesta.com,o=isp
   - dn: the DN of the user designated to be a domain administrator for this domain.
   - memberOf: DN of the group to which this user belongs.
Creating a Domain Organization Administrator
A Domain Organization Administrator is a user of an organization who has privileges to add, delete, and modify users and groups in a particular organization using the Delegated Administrator or the command line utilities. Multiple Domain Organization Administrators can be contained in a hosted domain, and Domain Organization Administrators can be nested. Only Top-level Administrators can create Organization Administrators. Once the Organization Administrator's group has been created and the ACI rules have been set, it no longer has to be done again. To create new administrators, simply add them to the group. The example below shows how to create an Organization Administrator, Biff, for ou=east,o=siroe.com,o=isp.
Figure 6-1    Creating a Domain Organization Administrator
See "Creating a Domain Organization" for how to create a domain organization.
1. Create a group called Organization Administrators in the domain organization node of the organization tree and add the DN of the Domain Organization Administrator to this group.
   dn: cn=Organization Administrators,ou=groups,ou=east,o=siroe.com,o=isp
   objectclass: nsManagedDept
   objectclass: inetAdmin
   objectclass: groupOfUniqueNames
   cn: Organization Administrators
   uniqueMember: uid=Biff,ou=People,o=east.siroe.com,o=isp
   - nsManagedDept provides attributes to support Delegated Administrator. inetAdmin provides attributes to support administration. The groupOfUniqueNames object class contains attributes for describing a collection of directory entries (namely users and other groups).
2. Add Domain Organization Administrator ACI Rules.
   - You must add and modify the appropriate ACI rules in the domain organization. In this example that would be ou=east,o=siroe.com,o=isp. An example is shown in Appendix A "Root and Domain ACI Examples."
3. Specify the memberOf attribute in the Domain Organization Administrator's entry.
   - Set the memberOf attribute to cn=Organization Administrators,ou=groups,ou=east,o=siroe.com,o=isp in the user's entry.
   dn: uid=Biff,ou=People,o=east.siroe.com,o=isp
   memberOf: cn=Organization Administrators,ou=groups,ou=east,o=siroe.com,o=isp
Copyright © 2002 Sun Microsystems, Inc. All rights reserved.
Last Updated February 13, 2002