Sun Java System Access Manager 7.1 Administration Reference

Console Properties

The Console properties contain services that enable you to configure the Access Manager console and to define console properties for different locales and character sets. The Console properties contain the following:

Administration

The Administration service enables you to configure the Access Manager console both at the application level and at a configured realm level (preferences or options specific to a configured realm). The Administration service attributes are global and realm attributes. The attributes are:

Federation Management

Enables Federation Management. It is selected by default. To disable this feature, deselect the field. The Federation Management tab will then no longer appear in the console.

User Management

Enables User Management. This is enabled by default. This attribute is applicable when Access Manager is installed in legacy mode.

People Containers

This attribute is deselected by default and is applicable only when Access Manager is installed in legacy mode. Selecting this attribute will display people containers under the Directory Management tab. It is recommended that you use a single people container in your DIT and then use roles to manage accounts and services. The default behavior of the Access Manager console is to hide the People Containers. However, if you have multiple people containers in your DIT, select this attribute to display People Containers as managed objects.

Organizational Unit Containers

This attribute is deselected by default and is applicable when Access Manager is installed in legacy mode. Selecting this attribute will display containers in the Directory Management tab.

Group Containers

This attribute is deselected by default and is applicable when Access Manager is installed in legacy mode. Selecting this attribute will display group containers in the Directory Management tab.

Managed Group Type

Specifies whether subscription groups created through the console are static or dynamic. The console will either create and display subscription groups that are static or dynamic, not both. (Filtered groups are always supported regardless of the value given to this attribute.) The default value is dynamic.

In the examples above, the LDAP filter would return all users whose uid begins with g or whose email address ends with example.com, respectively. Filtered groups can only be created within the User Management view by choosing Membership by Filter.

An administrator can select one of the following:

Default Role Permissions

Defines a list of default access control instructions (ACIs) or permissions that are used to grant administrator privileges when creating new roles. Select one of these ACIs for the level of privilege you wish. Access Manager ships with four default role permissions:

No Permissions — No permissions are to be set on the role.

Organization Admin — The Organization Administrator has read and write access to all entries in the configured organization.

Organization Help Desk Admin — The Organization Help Desk Administrator has read access to all entries in the configured organization and write access to the userPassword attribute.

Organization Policy Admin — The Organization Policy Administrator has read and write access to all policies in the realm. The Organization Policy Administrator cannot create a referral policy.

Domain Component Tree

The Domain Component tree (DC tree) is a specific DIT structure used by many Sun Java System components to map between DNS names and realm entries.

When this option is enabled, the DC tree entry for a realm is created, provided that the DNS name of the realm is entered at the time the realm is created. The DNS name field will appear in the realm Create page. This option is only applicable to top-level realms, and will not be displayed for subrealms.

Any status change made to the inetdomainstatus attribute through the Access Manager SDK in the realm tree will update the corresponding DC tree entry status. (Updates to status that are not made through the Access Manager SDK will not be synchronized.) For example, if a new realm, sun, is created with the DNS name attribute sun.com, the following entry will be created in the DC tree:

dc=sun,dc=com,o=internet,root suffix

The DC tree may optionally have its own root suffix configured by setting com.iplanet.am.domaincomponent in AMConfig.properties. By default, this is set to the Access Manager root. If a different suffix is desired, this suffix must be created using LDAP commands. The ACIs for administrators that create realms require modification so that they have unrestricted access to the new DC tree root.
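The mapping from a realm's DNS name to its DC tree entry, as an added example that is not part of the Access Manager product or of this reference. The root suffix value is constructed for the example (the real one comes from com.iplanet.am.domaincomponent), and the check that each label is a valid hostname label is an addition here: it keeps a value that is not a DNS name, such as one containing a comma or an equals sign, from being spliced into the DN as extra RDNs.

```python
import re

# Constructed root suffix for this example; in a deployment this is the value
# of com.iplanet.am.domaincomponent in AMConfig.properties.
DC_ROOT_SUFFIX = "dc=example,dc=com"

# RFC 1123 hostname label: letters, digits and hyphens, 1-63 characters,
# not starting or ending with a hyphen.
_LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def _labels(dns_name):
    """Normalise a DNS name (trim, drop a trailing dot, lowercase) and split it."""
    name = (dns_name or "").strip().rstrip(".").lower()
    return name.split(".") if name else []


def is_valid_dns_name(dns_name):
    """True when every label of dns_name satisfies the hostname grammar."""
    labels = _labels(dns_name)
    return bool(labels) and all(_LABEL_RE.match(label) for label in labels)


def dns_name_to_dc_dn(dns_name, root_suffix=DC_ROOT_SUFFIX):
    """Map a realm's DNS name to its Domain Component tree entry DN.

    "sun.com" becomes "dc=sun,dc=com,o=internet,<root suffix>", the layout
    described for the DC tree. Labels are validated before they are placed
    into the DN, so the only way into the DN is as a clean dc= component.
    """
    if not is_valid_dns_name(dns_name):
        raise ValueError("not a valid DNS name: %r" % dns_name)
    rdns = ["dc=%s" % label for label in _labels(dns_name)]
    return ",".join(rdns + ["o=internet", root_suffix])


if __name__ == "__main__":
    print(dns_name_to_dc_dn("sun.com"))
```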

Administrative Groups

Specifies whether to create the DomainAdministrators and DomainHelpDeskAdministrators groups. If enabled, these groups are created and associated with the Organization Admin Role and Organization Help Desk Admin Role, respectively. Once created, adding or removing a user to one of these associated roles automatically adds or removes the user from the corresponding group. This behavior, however, does not work in reverse. Adding or removing a user to one of these groups will not add or remove the user in the user's associated roles.

The DomainAdministrators and DomainHelpDeskAdministrators groups are only created in realms that are created after this option is enabled.


Note –

This option does not apply to subrealms, with the exception of the root realm. At the root realm, the ServiceAdministrators and ServiceHelpDeskAdministrators groups are created and associated with the Top-level Admin and Top-level Help Desk Admin roles, respectively. The same behavior applies.


Compliance User Deletion

Specifies whether a user's entry will be deleted, or just marked as deleted, from the directory. This attribute is only applicable when Access Manager is installed in legacy mode.

When a user's entry is deleted and this option is selected (true), the user's entry will still exist in the directory, but will be marked as deleted. User entries that are marked for deletion are not returned during Directory Server searches. If this option is not selected, the user's entry will be deleted from the directory.

Dynamic Administrative Roles ACIs

This attribute defines the access control instructions for the administrator roles that are created dynamically when a group or realm is configured using Access Manager. These roles are used for granting administrative privileges for the specific grouping of entries created. The default ACIs can be modified only under this attribute listing.


Note –

Administrators at the realm level have a wider scope of access than do group administrators. But, by default, when a user is added to a group administrator role, that user can change the password of anyone in the group. This would include any realm administrator who is a member of that group.


The Container Help Desk Admin role has read access to all entries in a realm and write access to the userPassword attribute in user entries only in this container unit.

The Realm Help Desk Admin has read access to all entries in a realm and write access to the userPassword attribute. When a sub-realm is created, remember that the administration roles are created in the sub-realm, not in the parent realm.

The Container Admin role has read and write access to all entries in an LDAP organizational unit. In Access Manager, the LDAP organizational unit is often referred to as a container.

The Organization Policy Administrator has read and write access to all policies, and can create, assign, modify, and delete all policies within that realm.

The People Container Admin role is scoped to the realm's People Container. By default, any user entry in a newly created realm is a member of that realm's People Container. The People Container Administrator has read and write access to all user entries in the realm's People Container. Keep in mind that this role DOES NOT have read and write access to the attributes that contain role and group DNs; therefore, it cannot modify the attributes of, or remove a user from, a role or a group.

Other containers can be configured with Access Manager to hold user entries, group entries or even other containers. To apply an administrator role to a container created after the realm has already been configured, use the Container Admin Role or Container Help Desk Admin defaults.

The Group Admin has read and write access to all members of a specific group, and can create new users, assign users to the groups they manage, and delete the users that they have created. When a group is created, the Group Administrator role is automatically generated with the necessary privileges to manage the group. The role is not automatically assigned to a group member. It must be assigned by the group's creator, or by anyone who has access to the Group Administrator Role.

The Top-level Admin has read and write access to all entries in the top-level realm. In other words, this Top-level Admin role has privileges for every configuration principal within the Access Manager application.

The Organization Administrator has read and write access to all entries in a realm. When a realm is created, the Organization Admin role is automatically generated with the necessary privileges to manage the realm.

User Profile Service Classes

Lists the services that will have a custom display in the User Profile page. The default display generated by the console may not be sufficient for some services. This attribute creates a custom display for any service, giving full control over what and how the service information is displayed. The syntax is as follows:

service name | relative url()

Services that are listed in this attribute will not display in the User Create pages. Any data configuration for a custom service display must be performed in the User Profile pages.

DC Node Attribute List

Defines the set of attributes that will be set in the DC tree entry when an object is created. The default parameters are:

maildomainwelcomemessage
preferredmailhost
mailclientattachmentquota
mailroutingsmarthost
mailaccessproxyreplay
preferredlanguage
domainuidseparator
maildomainmsgquota
maildomainallowedserviceaccess
preferredmailmessagestore
maildomaindiskquota
objectclass=maildomain
mailroutinghosts

Search Filters for Deleted Objects

Defines the search filters for objects to be removed when User Compliance Deletion mode is enabled.

Default People Container

Specifies the default people container into which the user is created.

Default Groups Container

Specifies the default groups container into which the group is created.

Default Agents Container

Specifies the default agent container into which the agent is created. The default is Agents.

Groups Default People Container

Specifies the default People Container where users will be placed when they are created. There is no default value. A valid value is the DN of a people container. See the note under Groups People Container List attribute for the People Container fallback order.

Groups People Container List

Specifies a list of People Containers from which a Group Administrator can choose when creating a new user. This list can be used if there are multiple People Containers in the directory tree. (If no People Containers are specified in this list or in the Groups Default People Container field, users are created in the default Access Manager people container, ou=people.) There is no default value for this field.

The syntax for this attribute is:

dn of group | dn of people container

When a user is created, this attribute is checked for a container in which to place the entry. If the attribute is empty, the Groups Default People Container attribute is checked for a container. If the latter attribute is empty, the entry is created under ou=people.

This attribute is only applicable when Access Manager is installed in legacy mode. There is no default value.
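The fallback order just described, worked through as an added example (not code from Access Manager or this reference). The group and container DNs are constructed, and the example assumes the built-in ou=people container sits directly under the realm entry.

```python
# Built-in fallback named in the text. That it sits directly under the realm
# entry is an assumption of this example.
DEFAULT_PEOPLE_CONTAINER_RDN = "ou=people"


def parse_group_people_container_list(entries):
    """Parse 'dn of group | dn of people container' entries into a dict.

    Keys are group DNs lowercased, because LDAP DNs compare
    case-insensitively; values are the people container DNs as written.
    Blank entries are skipped; malformed ones are reported rather than
    silently dropped, so a typo cannot quietly route new users to the
    wrong container.
    """
    mapping = {}
    for raw in entries:
        line = raw.strip()
        if not line:
            continue
        fields = [part.strip() for part in line.split("|")]
        if len(fields) != 2 or not all(fields):
            raise ValueError("expected 'group dn | people container dn', got %r" % raw)
        group_dn, container_dn = fields
        mapping[group_dn.lower()] = container_dn
    return mapping


def resolve_people_container(admin_group_dn, group_pc_list, groups_default_pc, realm_dn):
    """Return the DN of the container a new user is created in.

    Order, as described for the Groups People Container List attribute:
      1. the list entry for the administrator's group,
      2. the Groups Default People Container,
      3. ou=people under the realm.
    """
    mapping = parse_group_people_container_list(group_pc_list)
    key = (admin_group_dn or "").strip().lower()
    if key and key in mapping:
        return mapping[key]
    if groups_default_pc and groups_default_pc.strip():
        return groups_default_pc.strip()
    return "%s,%s" % (DEFAULT_PEOPLE_CONTAINER_RDN, realm_dn)


if __name__ == "__main__":
    # Constructed sample configuration.
    pc_list = ["cn=Sales Admins,ou=Groups,o=example | ou=SalesPeople,o=example"]
    print(resolve_people_container("cn=Sales Admins,ou=Groups,o=example",
                                   pc_list, "ou=Staff,o=example", "o=example"))
```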

User Profile Display Class

Specifies the Java class used by the Access Manager console when it displays the User Profile pages.

End User Profile Display Class

Specifies the Java class used by the Access Manager console when it displays the End User Profile pages.

Show Roles on User Profile Page

Specifies whether to display a list of roles assigned to a user as part of the user's User Profile page. If the parameter is not enabled (the default), the User Profile page shows the user's roles only for administrators.

Show Groups on User Profile Page

Specifies whether to display a list of groups assigned to a user as part of the user's User Profile page. If this parameter is not enabled (the default), the User Profile page shows the user's groups only for administrators.

User Self Subscription to Group

This parameter specifies whether users can add themselves to groups that are open to subscription. If the parameter is not enabled (the default), the user profile page allows the user's group membership to be modified only by an administrator. This parameter applies only when the Show Groups on User Profile Page option is selected.

User Profile Display Options

This menu specifies which service attributes will be displayed in the user profile page. An administrator can select from the following:

UserOnly

Display viewable User schema attributes for services assigned to the user. User service attribute values are viewable by the user when the attribute contains the keyword Display. See the Access Manager Developer's Guide for details.

Combined

Display viewable User and Dynamic schema attributes for services assigned to the user.

User Creation Default Roles

This listing defines roles that will be assigned to newly created users automatically. There is no default value. An administrator can input the DN of one or more roles.

This field only takes a full Distinguished Name address, not a role name. The roles can only be Access Manager roles, not LDAP (Directory Server) roles.

Administrative Console Tabs

This field lists the Java classes of modules that will be displayed at the top of the console. The syntax is i18N key | java class name.

The i18N key is used for the localized name of the entry in the console.

Maximum Results Returned From Search

This field defines the maximum number of results returned from a search. The default value is 200.

Do not set this attribute to a large value (greater than 1000) unless sufficient system resources are allocated.


Note –

Access Manager is preconfigured to return a maximum size of 4000 search entries. This value can be changed through the console or by using ldapmodify. If you wish to change it using ldapmodify, create a newConfig.xml file with the following values (in this example, nsSizeLimit: -1 means unlimited):

dn: cn=puser,ou=DSAME Users,ORG_ROOT_SUFFIX
changetype: modify
replace: nsSizeLimit
nsSizeLimit: -1

Then, run ldapmodify. For example:

setenv LD_LIBRARY_PATH /opt/SUNWam/lib/:/opt/SUNWam/ldaplib/ldapsdk:/usr/lib/mps:/usr/share/lib/mps/secv1:/usr/lib/mps/secv1:$LD_LIBRARY_PATH

./ldapmodify -D "cn=Directory Manager" -w "iplanet333" -c -a -h hostname.domain -p 389 -f newConfig.xml

Modifications to this attribute made through ldapmodify take precedence over those made through the Access Manager Console.


Timeout For Search

Defines the amount of time (in number of seconds) that a search will continue before timing out. It is used to stop potentially long searches. After the maximum search time is reached, the search terminates and returns an error. The default is 5 seconds.


Note –

Directory Server is preconfigured with a timeout value of 120 seconds. This value can be changed through the Directory Server console or by using ldapmodify. If you wish to change it using ldapmodify, create a newConfig.xml file with the following values (this example changes the timeout from 120 seconds to 3600 seconds):

dn: cn=config
changetype: modify
replace: nsslapd-timelimit
nsslapd-timelimit: 3600

Then, run ldapmodify. For example:

setenv LD_LIBRARY_PATH /opt/SUNWam/lib/:/opt/SUNWam/ldaplib/ldapsdk:/usr/lib/mps:/usr/share/lib/mps/secv1:/usr/lib/mps/secv1:$LD_LIBRARY_PATH

./ldapmodify -D "cn=Directory Manager" -w "iplanet333" -c -a -h hostname.domain -p 389 -f newConfig.xml

JSP Directory Name

Specifies the name of the directory that contains the JSP files for a realm. It allows an administrator to give each realm a different appearance (customization). The default value for this attribute is console. This attribute is applicable only when Access Manager is installed in legacy mode.

Online Help Documents

This field lists the online help links that will be created on the main Access Manager help page. This allows other applications to add their online help links in the Access Manager page. The format for this attribute is:

linki18nkey | html page to load | i18n properties file | remote server

The remote server attribute is an optional argument that allows you to specify the remote server on which the online help document is located. The default value is:

DSAME Help|/contents.html|amAdminModuleMsgs

This attribute is only applicable when Access Manager is installed in legacy mode.

Required Services

This field lists the services that are dynamically added to the users' entries when they are created. Administrators can choose which services are added at the time of creation. This attribute is not used by the console, but by the Access Manager SDK. Users that are dynamically created by the amadmin command line utility will be assigned the services listed in this attribute.

User Search Key

This attribute defines the attribute name that is to be searched upon when performing a simple search in the Navigation page. The default value for this attribute is cn.

For example, if you enter j* in the Name field in the Navigation frame, users whose names begin with "j" or "J" will be displayed.

User Search Return Attribute

This field defines the attribute name used when displaying the users returned from a simple search. The default of this attribute is uid cn. This will display the user ID and the user's full name.

The attribute name that is listed first is also used as the key for sorting the set of users that will be returned. To avoid performance degradation, use an attribute whose value is set in a user's entry.

User Creation Notification List

This field defines a list of email addresses that will be sent notification when a new user is created. Multiple email addresses can be specified, as in the following syntax:

e-mail|locale|charset

e-mail|locale|charset

e-mail|locale|charset

The notification list also accepts different locales by using the -|locale option.

See Supported Language Locales for a list of locales.

The sender email ID can be changed by modifying property 497 in amProfile.properties, which is located, by default, at AccessManager-base/SUNWam/locale.

User Deletion Notification List

This field defines a list of email addresses that will be sent notification when a user is deleted. Multiple email addresses can be specified, as in the following syntax:

e-mail|locale|charset

e-mail|locale|charset

e-mail|locale|charset

The notification list also accepts different locales by using the -|locale option.

See Supported Language Locales for a list of locales.

The sender email ID can be changed by modifying property 497 in amProfile.properties, which is located, by default, at AccessManager-base/SUNWam/locale.

The default sender ID is DSAME.

User Modification Notification List

Defines a list of attributes and email addresses associated with the attribute. When a user modification occurs on an attribute defined in the list, the email address associated with the attribute will be sent notification. Each attribute can have a different set of addresses associated to it. Multiple email address can be specified, as in the following syntax:

attrName e-mail|locale|charset e-mail|locale|charset ...

attrName e-mail|locale|charset e-mail|locale|charset ...

The -self keyword may be used in place of one of the addresses. This sends mail to the user whose profile was modified. For example, assume the following:

manager someuser@sun.com|self|admin@sun.com

Mail will be sent to the address specified in the manager attribute, to someuser@sun.com, to admin@sun.com, and to the person who modified the user (self).

The notification list also accepts different locales by using the -|locale option. For example, to send the notification to an administrator in France:

manager someuser@sun.com|self|admin@sun.com|fr

See Supported Language Locales for a list of locales.

The attribute name is the same as it appears in the Directory Server schema, and not as the display name in the console.
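The notification list entries above, parsed and resolved against a user entry, as an added example that is not code from Access Manager or from this reference. The grammar is inferred from the examples shown on the page: the first whitespace-separated word is the watched attribute, the remainder is a '|'-separated list of addresses and the self keyword, optionally followed by a locale and a charset. Treating a token that is neither an address, self, nor a locale as the charset is an assumption of this example, as is the use of the mail attribute for the user's own address; the user entry is constructed.

```python
import re

SELF_KEYWORD = "self"
# Locale tokens look like "fr" or "en_US".
_LOCALE_RE = re.compile(r"^[a-z]{2}(_[A-Za-z]{2})?$")


def parse_modification_entry(entry):
    """Split 'attrName addr|self|addr|locale|charset' into its parts.

    Returns (attribute name, recipient tokens, locale or None, charset or
    None). Recipient tokens are addresses (anything containing '@') or the
    literal self keyword; the first locale-shaped token is the locale and
    any remaining token is taken as the charset (an assumption here).
    """
    parts = entry.strip().split(None, 1)
    if len(parts) != 2:
        raise ValueError("expected 'attrName recipients', got %r" % entry)
    attr, rest = parts
    recipients, locale, charset = [], None, None
    for token in (t.strip() for t in rest.split("|")):
        if not token:
            continue
        if token == SELF_KEYWORD or "@" in token:
            recipients.append(token)
        elif locale is None and _LOCALE_RE.match(token):
            locale = token
        else:
            charset = token
    return attr, recipients, locale, charset


def resolve_recipients(entry, modified_attrs, user_entry):
    """Return the addresses to notify for a modification, or [] when the
    entry's attribute was not among the modified attributes.

    user_entry is a dict of the user's LDAP attributes; attribute names are
    compared case-insensitively as LDAP does. The value of the watched
    attribute is itself notified when it is an address, as the manager
    example describes, and self expands to the user's mail attribute.
    """
    attr, recipients, _locale, _charset = parse_modification_entry(entry)
    if attr.lower() not in {a.lower() for a in modified_attrs}:
        return []
    attrs = {k.lower(): v for k, v in user_entry.items()}
    addresses = []
    watched_value = attrs.get(attr.lower())
    if watched_value and "@" in watched_value:
        addresses.append(watched_value)
    for token in recipients:
        if token == SELF_KEYWORD:
            if attrs.get("mail"):
                addresses.append(attrs["mail"])
        else:
            addresses.append(token)
    # De-duplicate, preserving order, so nobody is mailed twice.
    seen, unique = set(), []
    for address in addresses:
        if address.lower() not in seen:
            seen.add(address.lower())
            unique.append(address)
    return unique


if __name__ == "__main__":
    # Constructed user entry for the demonstration.
    user = {"mail": "user1@example.com", "manager": "boss@example.com"}
    print(resolve_recipients("manager someuser@sun.com|self|admin@sun.com|fr",
                             {"manager"}, user))
```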

Maximum Entries Displayed per Page

This attribute allows you to define the maximum rows that can be displayed per page. The default is 25. For example, if a user search returns 100 rows, there will be 4 pages with 25 rows displayed in each page.

Event Listener Classes

This attribute contains a list of listeners that receive creation, modification and deletion events from the Access Manager console.

Pre and Post Processing Classes

This field defines a list of implementation classes through plug-ins that extend the com.iplanet.am.sdk.AMCallBack class to receive callbacks during pre and post processing operations for users, realm, roles and groups. The operations are:

You must enter the full class name of the plug-in and then change the class path of your web container (from the Access Manager installation base) to include the full path to the location of the plug-in class.

External Attributes Fetch

This option enables callbacks for plug-ins to retrieve external attributes (any external application-specific attribute). External attributes are not cached in the Access Manager SDK, so this attribute allows you to enable attribute retrieval at the realm level. By default, this option is not enabled.

Invalid User ID Characters

This attribute defines a list of characters that are not allowed in a user's name. Each character must be separated by the | character. For example:

*|(|)|&|!

UserID and Password Validation Plug-in Class

This class provides a userID and password validation plug-in mechanism. The methods of this class need to be overridden by the implementation plug-in modules that validate the userID and/or password for the user. The implementation plug-in modules will be invoked whenever a userID or password value is being added or modified using the Access Manager console, the amadmin command line interface, or using the SDK.

The plug-ins that extend this class can be configured per realm. If a plug-in is not configured for a realm, then the plug-in configured at the global level will be used.

If the validation performed by the plug-in fails, the plug-in module can throw an exception to notify the application of the error in the userID or password supplied by the user.
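The Invalid User ID Characters setting and the validation plug-in behaviour described in the two sections above, worked through together as an added example (not code from Access Manager or from this reference; the page does not name the plug-in class, so no Access Manager API is used). The characters in the example list, *, (, ), & and !, all carry meaning in an LDAP search filter, so rejecting them when the ID is created keeps later searches built from the user ID from being reinterpreted. The additional check for ASCII control characters is an addition of this example.

```python
# The example list from the page: each forbidden character separated by '|'.
DEFAULT_INVALID_CHARS = "*|(|)|&|!"


class InvalidUserIdError(ValueError):
    """Raised when a user ID fails validation, the way the text describes a
    validation plug-in throwing an exception to report the error."""


def parse_invalid_chars(setting):
    """Turn the '|'-separated setting into the set of forbidden characters.

    Because '|' is the delimiter it cannot itself be listed this way. Empty
    fields produced by a doubled or trailing '|' are ignored; a field of
    more than one character is a configuration error and is reported.
    """
    chars = set()
    for field in setting.split("|"):
        if field == "":
            continue
        if len(field) != 1:
            raise ValueError("each field must be one character, got %r" % field)
        chars.add(field)
    return chars


def validate_user_id(user_id, invalid_chars=None):
    """Return user_id if acceptable, otherwise raise InvalidUserIdError.

    Checks: non-empty after trimming, no character from the forbidden set,
    and (an addition of this example, not on the page) no ASCII control
    characters.
    """
    forbidden = parse_invalid_chars(DEFAULT_INVALID_CHARS) if invalid_chars is None else invalid_chars
    if user_id is None or not user_id.strip():
        raise InvalidUserIdError("user ID must not be empty")
    bad = sorted({c for c in user_id if c in forbidden or ord(c) < 32})
    if bad:
        raise InvalidUserIdError("user ID contains forbidden characters: %r" % "".join(bad))
    return user_id


def is_valid_user_id(user_id, invalid_chars=None):
    """Boolean form of validate_user_id for callers that prefer no exceptions."""
    try:
        validate_user_id(user_id, invalid_chars)
    except InvalidUserIdError:
        return False
    return True


if __name__ == "__main__":
    for candidate in ("jsmith", "j*smith", "(uid=*)"):
        print(candidate, is_valid_user_id(candidate))
```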

Globalization Settings

The Globalization Settings service contains global attributes that enable you to configure Access Manager for different locales and character sets. The attributes are:

Charsets Supported By Each Locale

This attribute lists the character sets supported for each locale, which indicates the mapping between locale and character set. The format is as follows:

To add a New Supported Charset, click Add and define the following parameters:

Locale

The new locale you wish to add. See Supported Language Locales for more information.

Supported Charsets

Enter the supported charset for the specified locale. Charsets are delimited by a semicolon. For example, charset=charset1;charset2;charset3;...;charsetn

To edit any existing Supported Charset, click the name in the Supported Charset table. Click OK when you are finished.

Charset Aliases

This attribute lists the codeset names (which map to IANA names) that will be used to send the response. These codeset names do not need to match Java codeset names. Currently, there is a hash table to map Java character sets into IANA charsets and vice versa.

To add a New Charset Alias, click the Add button and define the following parameters:

MIME name

The IANA mapping name. For example, Shift_JIS

Java Name

The Java character set to map to the IANA character set.

To edit any existing Charset Alias, click the name in the table. Click OK when you are finished.

Auto Generated Common Name Format

This display option allows you to define the way in which a name is automatically generated, to accommodate name formats for different locales and character sets. The default syntax is as follows (note that any commas and spaces included in the definition appear literally in the generated name):

en_us = {givenname} {initials} {sn}

For example, if you wanted to display a new name format for a user (User One) with a uid (11111) for the Chinese character set, define:

zh = {sn}{givenname}({uid})

The display is:

OneUser 11111
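The two templates above, applied to a constructed user with givenname User, sn One and uid 11111, as an added example that is not code from Access Manager or from this reference. The example goes a little beyond the text: it falls back from a regional locale such as zh_TW to zh and then to en_us, and it drops an attribute that the entry does not have (initials here) together with the surplus whitespace around it. The templates are substituted literally, so the zh template as written yields the surname and given name run together with the uid in parentheses.

```python
import re

# A template token is an attribute name in braces, for example {givenname}.
_TOKEN_RE = re.compile(r"\{([^{}]+)\}")


def parse_name_formats(text):
    """Parse 'locale = template' lines into a {locale: template} dict.

    Locale keys are lowercased; everything after the first '=' is the
    template, so commas and spaces in it are kept exactly as written.
    """
    formats = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if "=" not in line:
            raise ValueError("expected 'locale = template', got %r" % raw)
        locale, template = (part.strip() for part in line.split("=", 1))
        formats[locale.lower()] = template
    return formats


def generate_common_name(formats, locale, attrs, default_locale="en_us"):
    """Build the common name for locale from the user's attributes.

    Lookup order: the exact locale, its language part (zh_TW -> zh), then
    default_locale. Attribute names are matched case-insensitively; a
    missing or empty attribute contributes nothing and runs of whitespace
    left behind are collapsed to one space.
    """
    key = locale.lower()
    template = formats.get(key)
    if template is None:
        template = formats.get(key.split("_")[0], formats.get(default_locale))
    if template is None:
        raise KeyError("no name format for locale %r" % locale)
    values = {k.lower(): (v or "") for k, v in attrs.items()}
    name = _TOKEN_RE.sub(lambda m: values.get(m.group(1).lower(), ""), template)
    return re.sub(r"\s+", " ", name).strip()


# Constructed configuration and user for the demonstration.
FORMATS = parse_name_formats("""
en_us = {givenname} {initials} {sn}
zh = {sn}{givenname}({uid})
""")
SAMPLE_USER = {"givenname": "User", "sn": "One", "uid": "11111"}

if __name__ == "__main__":
    for loc in ("en_US", "zh", "zh_TW", "de"):
        print(loc, generate_common_name(FORMATS, loc, SAMPLE_USER))
```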