Sun Java System Reference Configuration Series: Portal Service on Application Server Cluster

Appendix C Provisioning Users for Portal Services

This appendix provides information about how to populate Directory Server with user entries that support the reference configuration. In particular, the procedures described in this appendix provision users consistent with the User Management Specification.

Attributes of Portal Service Users

By deploying the reference configuration, in particular the Access Manager module, in accordance with the procedures in this guide, you create an LDAP schema with some basic user attributes. In particular, new user accounts will be provisioned with the following attributes:

sn: username
cn: username
userPassword: *********
inetUserStatus: Active
uid: username
objectClass: iplanetpreferences
objectClass: iplanet-am-managed-person
objectClass: top
objectClass: iplanet-am-user-service
objectClass: organizationalperson
objectClass: inetadmin
objectClass: inetorgperson
objectClass: person
objectClass: sunamauthaccountlockout
objectClass: inetuser
iplanet-am-user-auth-config: (empty)

With these attributes alone, however, user accounts are not able to access the portal desktop or other portal services, such as the SRA Gateway, Netlet, or Proxylet services. To be authorized for portal services, a user entry must include the object classes that are shown in the following table.

Table C–1 Object Classes and Corresponding Services

objectClass                              Corresponding Service
sunportalportal1desktopperson            portal1 Desktop
sunportalportalpksubscriptionperson      Access List
iplanet-amauth-configuration-service     Authentication Configuration
sunmobileappabperson                     Mobile Address Book
sunmobileappcalendarperson               Mobile Calendar
sunmobileappmailperson                   Mobile Mail
sunportalnetfileservice                  NetFile
sunportalgatewayaccessservice            Gateway
sunportalnetletservice                   Netlet
sunportalproxyletservice                 Proxylet
sunssoadapterperson                      SSO Adapter
sunportalportal1pksubscriptionsperson    portal1 Subscriptions

When provisioning users for portal services, add the object classes from the table above to each user entry according to the portal services that user needs.

Provisioning Tool Choices

Several tools are available to perform the provisioning of users for portal services. These tools are described briefly, from the highest level, most general tools to the lowest level, most specific tools:

Access Manager Provisioning Tools

Access Manager Console

The Access Manager Console is the simplest tool to use to provision individual users for portal services.

Procedure: To Provision a Single Portal Service User

The following procedure provisions a Developer Sample user, dsuser1, using the Access Manager Console.

  1. Log in to the Access Manager Console if you are not already logged in.

    1. Start a browser.

    2. Go to the Access Manager Console login page using the load balancer URL:

      http://am.pstest.com/amconsole

      The Access Manager Console login page opens.

    3. Log in to the Access Manager Console by typing the following values and clicking Login.

      Input Field    Value
      User ID        amadmin
      Password       access-manager-admin-password

      The Access Manager Console opens.

  2. Click on the DeveloperSample link.

    The link is found in the left pane under Organizations.

    The DeveloperSample organization opens in the right pane.

  3. View DeveloperSample users.

    Select Users in the View pull-down menu in the left pane.

  4. Define a new user.

    1. Click New.

      The New User wizard opens in the right pane.

    2. Enter the user name and password.

    3. Select the services desired.

      For example, if you select portal1Desktop, the new user will be able to log in and view the portal desktop.

    4. Click Finish.

      The New User wizard closes and the new user entry is saved.

amadmin Command

The amadmin command is the best tool to use to provision large numbers of users for portal services. Using this command-line option, you can write a script or create an input file that provisions any number of users.

Procedure: To Provision Multiple Portal Service Users

The following procedure provisions a Developer Sample user, dsuser1, using an XML input file to first create a user entry and then another input file to specify portal services for the user entry. Multiple users can be created by using this same procedure.

  1. Create a new user entry for dsuser1.

    1. Create an XML file that specifies the basic user attributes.

      An example CreateUserRequest.xml file follows:

      <?xml version="1.0" encoding="ISO-8859-1"?>
      <!--
          Copyright (c) 2005 Sun Microsystems, Inc. All rights reserved
          Use is subject to license terms.
      -->
      <!DOCTYPE Requests
          PUBLIC "-//iPlanet//Sun Java System Access Manager 2005Q4 Admin CLI DTD//EN"
                 "jar://com/iplanet/am/admin/cli/amAdmin.dtd"
      >
       
      <!--  CREATE REQUESTS -->
      <Requests>
      <PeopleContainerRequests DN="ou=People,o=DeveloperSample,dc=pstest,dc=com">
           <CreateUser createDN="dsuser1">
                 <AttributeValuePair>
                    <Attribute name="cn"/>
                    <Value>dsuser1</Value>
                 </AttributeValuePair>
                 <AttributeValuePair>
                    <Attribute name="sn"/>
                    <Value>dsuser1</Value>
                 </AttributeValuePair>
                 <AttributeValuePair>
                    <Attribute name="userPassword"/>
                    <Value>dsuser1</Value>
                 </AttributeValuePair>
           </CreateUser>
      </PeopleContainerRequests>
      </Requests>

    2. Run the amadmin command with CreateUserRequest.xml as an input file.

      # /opt/SUNWam/bin/amadmin -u amadmin -w password -t CreateUserRequest.xml

      The output should resemble the following:


      PeopleContainer: ou=People,o=DeveloperSample,dc=pstest,dc=com
      Create Users:
      uid=dsuser1,ou=People,o=DeveloperSample,dc=pstest,dc=com
      Success 0: Successfully completed.

  2. Add portal services to the dsuser1 entry.

    1. Create an XML file that specifies the portal services to add.

      An example AddUserServices.xml file follows:

      <?xml version="1.0" encoding="ISO-8859-1"?>
      <!--
          Copyright (c) 2005 Sun Microsystems, Inc. All rights reserved
          Use is subject to license terms.
      -->
      <!DOCTYPE Requests
          PUBLIC "-//iPlanet//Sun Java System Access Manager 2005Q4 Admin CLI DTD//EN"
                 "jar://com/iplanet/am/admin/cli/amAdmin.dtd"
      >
        
      <!--  USER REQUESTS -->
      <Requests>
         <UserRequests DN="uid=dsuser1,ou=People,o=DeveloperSample,dc=pstest,dc=com">
             <RegisterServices>
                 <Service_Name>sunportalnetletservice</Service_Name>
                 <Service_Name>sunportalproxyletservice</Service_Name>
                 <Service_Name>sunportalgatewayaccessservice</Service_Name>
                 <Service_Name>sunportalportal1desktopservice</Service_Name>
                 <Service_Name>iplanet-am-auth-configuration-service</Service_Name>
             </RegisterServices>
         </UserRequests>
      </Requests>

      This input file adds the following portal services:

      • Proxylet

      • Access List

      • portal Desktop

      • Authentication Configuration

      • Netlet

    2. Run the amadmin command with AddUserServices.xml as an input file.

      # /opt/SUNWam/bin/amadmin -u amadmin -w password -t AddUserServices.xml

      The output should resemble the following:


      User: uid=dsuser1,ou=People,o=DeveloperSample,dc=pstest,dc=com
      Registered services:
        sunportalproxyletservice
        ...
         sunportalnetletservice
      Success 0: Successfully completed.
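
The procedure above notes that the same input files can provision any number of users. The following generator is an added example, not part of the original guide or of Access Manager: it builds both amadmin input files for a list of users, XML-escapes every value, gives each account a random initial password instead of the sample's password-equals-username, and writes the result owner-readable only. The function names and the uid pattern are assumptions made for this example.

```python
import os
import re
import secrets
from xml.sax.saxutils import escape, quoteattr

# XML prolog, DOCTYPE and container DN are copied from the page's sample input files.
HEADER = ('<?xml version="1.0" encoding="ISO-8859-1"?>\n'
          '<!DOCTYPE Requests\n'
          '    PUBLIC "-//iPlanet//Sun Java System Access Manager 2005Q4 Admin CLI DTD//EN"\n'
          '           "jar://com/iplanet/am/admin/cli/amAdmin.dtd"\n'
          '>\n')
PEOPLE_DN = "ou=People,o=DeveloperSample,dc=pstest,dc=com"
UID_RE = re.compile(r"[A-Za-z0-9._-]{1,64}")  # assumed uid policy, not from the guide

def _avp(name, value):
    """One AttributeValuePair element with the value XML-escaped."""
    return ("    <AttributeValuePair>\n"
            f"      <Attribute name={quoteattr(name)}/>\n"
            f"      <Value>{escape(value)}</Value>\n"
            "    </AttributeValuePair>\n")

def create_users_xml(uids, people_dn=PEOPLE_DN):
    """Return (xml_text, {uid: initial_password}) for one CreateUser batch."""
    passwords, body = {}, ""
    for uid in uids:
        if not UID_RE.fullmatch(uid) or uid in passwords:
            raise ValueError(f"rejected uid: {uid!r}")  # malformed or duplicate
        passwords[uid] = secrets.token_urlsafe(12)      # unique per account
        body += (f"  <CreateUser createDN={quoteattr(uid)}>\n"
                 + _avp("cn", uid) + _avp("sn", uid)
                 + _avp("userPassword", passwords[uid])
                 + "  </CreateUser>\n")
    xml = (HEADER + "<Requests>\n"
           f"<PeopleContainerRequests DN={quoteattr(people_dn)}>\n"
           + body + "</PeopleContainerRequests>\n</Requests>\n")
    return xml, passwords

def register_services_xml(user_dn, services):
    """Return a RegisterServices request; stray whitespace in names is stripped."""
    names = "".join(f"      <Service_Name>{escape(s.strip())}</Service_Name>\n"
                    for s in services)
    return (HEADER + "<Requests>\n"
            f"  <UserRequests DN={quoteattr(user_dn)}>\n"
            "    <RegisterServices>\n" + names +
            "    </RegisterServices>\n  </UserRequests>\n</Requests>\n")

def write_private(path, text):
    """Create a new file with mode 0600; it holds clear-text passwords."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w", encoding="iso-8859-1") as fh:
        fh.write(text)
```

Pass each written file to amadmin with the -t option as in the steps above, and delete the CreateUser file once the run succeeds, since it contains every initial password.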