Chapter 4 Customizing Delegated Administrator
After you have installed and configured Delegated Administrator with the configuration program (config-commda), you can customize your configuration to meet your particular needs. This chapter offers examples of how to customize certain Delegated Administrator features.
You should back up any existing Delegated Administrator configuration file before you begin customizing it.
Also, customized configuration data can be lost when you upgrade Delegated Administrator. Therefore, you should preserve your customized configuration before you upgrade Delegated Administrator or rerun the Delegated Administrator configuration program. For more information, see Preserve an Existing Configuration.
This chapter first lists the locations of the configuration files and explains how to redeploy a customized file to the proper location. The chapter then describes how to customize particular features. It includes the following topics:
-
Configuring the Preferred Mail Host Using the Service-Wide Default
-
Preventing New Users from Having Access to Instant Messaging
Deploying a Customized Configuration File
When you configure Delegated Administrator with the config-commda program, config-commda places the configuration files in a standard location for configuration data in the Delegated Administrator installation directory. The config-commda program then deploys the configuration files to the application repository of the Web container where you have deployed Delegated Administrator.
Thus, the deployed location of the configuration files varies, depending on which Web container you are using.
At runtime, Delegated Administrator uses the property values of the configuration files in their deployed locations——that is, in the Web container repository to which Delegated Administrator has been deployed.
To customize a configuration file, you will take these steps:
-
Edit the original configuration file located in the Delegated Administrator installation directory.
-
Use a script provided by Delegated Administrator to redeploy the configuration file to the Web container.
When you customize a configuration file, the new values do not take effect until the file has been redeployed to the Web container.
The remainder of this section describes the following topics:
Original (Standard) Locations of the Configuration Files
When Delegated Administrator is configured (after you run the config-commda program), the configuration files are located in the following directories:
Deployed Locations of the Configuration Files
After you run the config-commda program, the configuration files are deployed to the following locations, depending on which Web container you have chosen to deploy Delegated Administrator.
Deployed Location of Delegated Administrator Server File (resource.properties)
The resource.properties file is deployed to one of the following default locations:
- Web Server 6.x
-
/opt/SUNWwbsvr/https-hostname/webapps/https-hostname \ /commcli/WEB-INF/classes/sun/comm/cli/server/servlet
- Web Server 7.x
-
/var/opt/SUNWwbsvr7/https-hostname/webapps/hostname \ /commcli/WEB-INF/classes/sun/comm/cli/server/servlet
- Application Server 7.x
-
/var/opt/SUNWappserver7/domains/domain1/server1 \ /applications/j2ee-modules \ /commcli/WEB-INF/classes/sun/comm/cli/server/servlet
- Application Server 8.x
-
/var/opt/SUNWappserver/domains/domain1 \ /applications/j2ee-modules \ /commcli/WEB-INF/classes/sun/comm/cli/server/servlet
Deployed Location of Delegated Administrator Console Configuration Files
The following files are deployed to the same default location:
-
daconfig.properties
-
logger.properties
-
Resources.properties
-
Security.properties
These properties files are deployed to one of the following default locations, depending on the Web container you have chosen to deploy Delegated Administrator:
- Web Server 6.x
-
/opt/SUNWwbsvr/https-hostname/webapps/https-hostname \ /da/WEB-INF/classes/com/sun/comm/da/resources
- Web Server 7.x
-
/var/opt/SUNWwbsvr7/https-hostname/webapps/hostname \ /da/WEB-INF/classes/com/sun/comm/da/resources
- Application Server 7.x
-
/var/opt/SUNWappserver7/domains/domain1/server1 \ /applications/j2ee-modules \ /Delegated_Administrator/WEB-INF \ /classes/com/sun/comm/da/resources
- Application Server 8.x
-
/var/opt/SUNWappserver/domains/domain1 \ /applications/j2ee-modules \ /Delegated_Administrator/WEB-INF \ /classes/com/sun/comm/da/resources
To Deploy a Customized Configuration File
-
Log in as (or become) root and go to the following directory:
/opt/SUNWcomm/sbin
-
Run the appropriate deploy script to redeploy your customized configuration file to the Web container used by Delegated Administrator.
You must redeploy the configuration file to the Web container where you deployed Delegated Administrator the last time you ran the Delegated Administrator configuration program (config-commda).
Use the deploy script that applies both to your customized configuration file and to the correct Web container.
For example, to redeploy the resource.properties file to Web Server 6, run this command:
# ./config-wbsvr-commcli
For a list of the deploy scripts, see Configuration File Deploy Scripts.
Configuration File Deploy Scripts
There are two deploy scripts for each Web container. One script deploys the Delegated Administrator server files. The other deploys Delegated Administrator console files:
-
Delegated Administrator server configuration file: resource.properties.
-
Delegated Administrator console configuration files: daconfig.properties, Security.properties, Resources.properties, and logger.properties.
The deploy scripts are as follows:
- Web Server 6
-
-
Deploy script for Delegated Administrator server file (resource.properties):
config-wbsvr-commcli
-
Deploy script for Delegated Administrator console files:
config-wbsvr-da
To run the scripts, enter these commands:
# ./config-wbsvr-commcli # ./config-wbsvr-da
-
- Web Server 7.x
-
-
Deploy script for Delegated Administrator server file (resource.properties):
config-wbsvr7x-commcli
-
Deploy script for Delegated Administrator console files:
config-wbsvr7x-da
To run the scripts, enter these commands:
# ./config-wbsvr7x-commcli # ./config-wbsvr7x-da
-
- Application Server 7.x
-
-
Deploy script for Delegated Administrator server file (resource.properties):
config-appsvr-commcli
-
Deploy script for Delegated Administrator console files:
config-appsvr-da
To run the scripts, enter these commands:
# ./config-appsvr-commcli deploy # ./config-appsvr-da deploy
You must use the argument deploy with these commands.
-
- Application Server 8.x
-
-
Deploy script for Delegated Administrator server file (resource.properties):
config-appsvr8x-commcli
-
Deploy script for Delegated Administrator console files:
config-appsvr8x-da
To run the scripts, enter these commands:
# ./config-appsvr8x-commcli deploy # ./config-appsvr8x-da deploy
You must use the argument deploy with these commands.
-
Configuring the Preferred Mail Host Using the Service-Wide Default
If you want the Preferred Mail Host and Preferred Mail Store to be set using the server-wide default, you can perform the tasks described in this section.
If you need to remove the Preferred Mail Host field from the console (specifically, from the New Organization Wizard and Organization Properties screens), you can should take the following steps:
-
Edit the Security.properties file. This step is described in this section.
-
Enable the MailHostStorePlugin. This step is described in the following section, Adding Plug-ins for Delegated Administrator.
The Security.properties file lets you customize the Delegated Administrator console for all or for individual roles.
To remove the Preferred Mail Host from the console
-
Add the lines shown below to the Security.properties file.
# Remove Preferred Mail Host from UI *.NewOrganizationPage6.PreferredMailHostProperty=INVISIBLE *.NewOrganizationSummaryPage.PreferredMailHostSummaryProperty=INVISIBLE *.OrgProperties.MailHostName=INVISIBLE *.OrgProperties.MailHostNameText=INVISIBLE *.OrgProperties.MailHostValue=INVISIBLE
The Security.properties file is located in the following directory:
da-base/data/da/WEB-INF/classes/com/sun/comm/da/resources
CAUTION: You may add lines to this file for your own customization, but do not edit the lines already present. Editing existing lines could result in exceptions being thrown on the console.
-
Redeploy the edited Security.properties file to the Web container used by the Delegated Administrator console.
Before the change can take effect, you must run the script that deploys the customized Security.properties file to your Web container.
For instructions on how to deploy a customized properties file to a particular Web container, see To Deploy a Customized Configuration File.
Syntax and Values for Security.properties File Properties
The properties in the file are of the form: Security Element Name=Permission
A Security Element Name is of the form:Role Name.Container View Name.Console Element Name
A Security Element specifies the Console element and role for which the permission is being defined. If you do not know an element name, view the source of a page to match the name on the page to the Console element you are interested in.
The names on the page are fully qualified names. You need to pick up only the last two elements of the name, which form Container View Name.Console Element Name.
Valid role names for Delegated Administrator are as follows:
“ProviderAdminRole” (SPA) For information about this role, see Appendix A, Service Provider Administrator and Service Provider Organizations.
“OrganizationAdminRole” (OA)
“Top-levelAdminRole” (TLA)
“*” (applies a permission to all roles unless it is overridden for a specific role)
A permission must be one of the following strings:
-
EDITABLE– indicates that the security element is editable.
-
NONEDITABLE– indicates that the security element is read-only.
-
VISIBLE– indicates that the security element is visible and read-only.
-
INVISIBLE– indicates that the security element is invisible.
Adding Plug-ins for Delegated Administrator
You can customize Delegated Administrator to support the following plug-ins:
-
By default, this plug-in is disabled. If no preferredmailhost is supplied when a business organization is created, an exception will be raised. If the plug-in is enabled, values from the flat file (described later in this section) will be used only if the corresponding attribute is absent.
-
Uses the domain value to return the desired DSN address. The default implementation is to return the string MAILER-DAEMON@<domain>.
-
Generates a unique id string. The default implementation generates a GUID to return to the caller.
Enabling the Plug-Ins
To enable these plug-ins, edit the commcli servlet resource.properties file, located in the following directory:
da-base/data/WEB-INF/classes/sun/comm/cli/server/servlet/ \ resource.properties |
(By default, da-base is /opt/SUNWcomm.)
The plug-ins are located in the resource.properties file in a section headed as follows:
######################## # Plugin Configuration # ########################## |
Each has "plugin" as the suffix. The current list looks like:
jdapi-mailhoststoreplugin=disabled jdapi-mailhoststorepluginclass=sun.comm.cli.server.util.MailHostStorePlugin jdapi-mailhoststorepluginfile=/tmp/mailhostmailstore jdapi-maildomainreportaddressplugin=enabled jdapi-maildomainreportaddresspluginclass=sun.comm.cli.server. util.MailDomainReportAddressPlugin jdapi-uidautogenerationplugin=disabled jdapi-uidautogenerationpluginclass=sun.comm.cli.server.util.UidPlugin |
After you edit the resource.properties file, redeploy it to the Web container used by the Delegated Administrator server.
Before the changes can take effect, you must run the script that deploys the customized resource.properties file to your Web container.
For instructions on how to deploy a customized properties file to a particular Web container, see To Deploy a Customized Configuration File.
Plug-In Format
Each plug-in has at least two lines, which take the following form:
-
jdapi-<name>plugin= “enabled” | “disabled”
-
jdapi-<name>pluginclass=sun.comm.cli.server.util/ \ <java class name>
To enable a plug-in, change “disabled” to “enabled”.
Plug-in classes are supplied for all the plug-ins listed in this section. The classes are located in the following directory:
da-base/data/WEB-INF/classes/sun/comm/cli/server/util
You do not need to do anything with these classes.
Additional Flat File Required for MailHostStorePlugin
The MailHostStorePlugin requires a flat file, which is included in a third line for the plug-in. The plug-in reads the value in the flat file and uses it to set attribute values. If the plug-in is enabled, the file must be present, or an error will occur.
-
jdapi-mailhoststoreplugin o jdapi-mailhoststoreplugininf=<full file name> o file has one line o value is that for : o preferredmailhost attribute o preferredmailmessagestore attribute o form o <mailhost>:<mailpartition>
Adding a Custom Object Class When You Create an LDAP Object
You can enable Delegated Administrator to add a custom object class to the LDAP entry of a new user, group, resource, or organization. To accomplish this task, you customize the appropriate object-creation template installed in the directory by Access Manager.
For example, the BasicUser creation template determines which object classes and attributes are added to a user entry when you create a new user. You can update the BasicUser creation template with your custom object class. Thereafter, the custom object class will be added to each new user entry together with the standard object classes.
The following procedure describes how to customize the BasicUser template. You can follow the same procedure to customize the BasicGroup, BasicResource, and BasicOrganization creation templates.
To add a custom object class to the user-creation
process
-
Make sure your custom object class is defined in the directory schema.
-
Locate the following directory entry:
ou=basicuser,ou=creationtemplates,ou=templates,ou=default, ou=globalconfig,ou=1.0,ou=dai,ou=services, o=$Root_Suffix
where $Root_Suffix is the root suffix of your directory.
-
Add the following attribute:value to the entry:
sunkeyValue:required=objectClass=$Your_Custom_Objectclass.
where $Your_Custom_Objectclass is your custom object class.
Customizing the User Log-In
When you run the Delegated Administrator configure program (config-commda), the value you use to log in to Delegated Administrator is set to be a uid.
For example, if you intend to log in as the TLA, and the TLA’s uid is john.doe, you would use john.doe to log in to Delegated Administrator.
You can customize Delegated Administrator to enable you to use additional values for the user log-in. For example, you could add the mail address (mail).
How the User Log-In Value Is Set
The config-commda program sets this value to uid with the loginAuth-idAttr property in the resource.properties file, as shown in the following example:
loginAuth-searchBase=<$rootSuffix> servicepackage-cosdefbasedn = <$rootSuffix> loginAuth-idAttr-1=uid |
where <$rootSuffix> is the root suffix in your directory.
Adding a User Log-In Value
You can set additional values for the user log-in by editing the resource.properties file.
The resource.properties file is located in
da-base/data/WEB-INF/classes/sun/comm/cli/server/servlet/ \ resource.properties |
For example, to enable you to use a mail address (such as john.doe@sesta.com) to log in, you could add the following line to the resource.properties file:
loginAuth-searchBase=<$rootSuffix> servicepackage-cosdefbasedn = <$rootSuffix> loginAuth-idAttr-1=uid loginAuth-idAttr-2=mail |
where <$rootSuffix> is the root suffix in your directory.
Note that you must add an increment to the loginAuth-idAttr property for each new value. In this example, a second value is added, so you add -2 to loginAuth-idAttr.
You can add multiple instances of the loginAuth-idAttr property:
loginAuth-idAttr-1=uid loginAuth-idAttr-2=mail | loginAuth-idAttr-n=<login-in value> |
After you edit the resource.properties file, redeploy it to the Web container used by the Delegated Administrator server.
Before the changes can take effect, you must run the script that deploys the customized resource.properties file to your Web container.
For instructions on how to deploy a customized properties file to a particular Web container, see To Deploy a Customized Configuration File.
Requiring Service Packages for New Users
By default, Delegated Administrator lets you create a new user without assigning a service package to the user.
You can change the default setting so that all new users must have at least one service package assigned to them.
To require new users to have a service package assigned
to them
-
Open the daconfig.properties file in a text editor.
The daconfig.properties file is located by default in the following directory:
da-base/data/da/WEB-INF/classes/com/sun/comm/da/resources
-
Change the value of the user.atleastOneServicePackage property from false to true.
By default, this value is false.
For example:
user.atleastOneServicePackage=true
After you set this value to true, when you use the Create New User wizard in the Delegated Administrator console, you must assign at least one service package to successfully create the new user.
-
Redeploy the edited daconfig.properties file to the Web container used by the Delegated Administrator console.
Before the change can take effect, you must run the script that deploys the customized daconfig.properties file to your Web container.
For instructions on how to deploy a customized properties file to a particular Web container, see To Deploy a Customized Configuration File.
Adding a New Calendar Time Zone
You can customize Delegated Administrator by adding a new Calendar Server time zone. Delegated Administrator can then provision organizations, users, groups, and resources with the new time zone.
To add a new time zone, perform the following tasks. To administer the new time zone with the Delegated Administrator utility, you must perform only the first task. To administer the new time zone through Delegated Administrator console, you must perform both tasks.
Once the time zone has been added, you can set it as the default time zone for newly created users by performing the following task:
To add a new time zone in Delegated Administrator
You must perform this task before you can use either the commadmin utility or the Delegated Administrator console to provision users with the new time zone. This task updates Access Manager with the new time zone value. After this task is completed, you can use commadmin to assign the new time zone to users.
-
Add the time zone in Calendar Server.
To accomplish this step, you must edit the timezones.ics file and other Calendar Server files. For instructions, see “Adding a New Time Zone” in the chapter, “Managing Calendar Server Time Zones” in the Sun Java System Calendar Server Administration Guide.
-
Back up the UserCalendarService.xml and DomainCalendarService.xml files.
The xml files are located by default in the following directory:
da-base/lib/services
-
Edit the UserCalendarService.xml and DomainCalendarService.xml files to add the new time zone in Delegated Administrator.
-
In both the UserCalendarService.xml and DomainCalendarService.xml files, find the following entry heading:
<AttributeSchema name="icstimezone" type="single choice" syntax="string" any="optional|adminDisplay"> <ChoiceValues> -
Add the new time zone value to the list of <ChoiceValues>.
-
-
Run the Access Manager amadmin utility to delete the current service and add the updated service.
For both the UserCalendarService.xml and DomainCalendarService.xml files, run the following amadmin commands:
./amadmin -u <admin> -w <password> -r CalendarService
./amadmin -u <admin> -w <password> -s da_base/lib/services/CalendarService.xml
where CalendarService is either UserCalendarService or DomainCalendarService.
Note –If you also intend to make the new time zone your default, you can run these amadmin commands after you have performed both tasks. For details, see To change the default time zone in Delegated Administrator.
-
Restart your Web container to enable the changes to take effect.
-
To enable the Delegated Administrator console to show the new time zone, see To display and administer the new time zone in the Delegated Administrator console.
To display and administer the new time zone in the
Delegated Administrator console
This task adds the new time zone to the list of time zones displayed in the console. Next, the task enables the new time zone value to be saved in the directory.
To display the time zone in the console, you must add the new value to the Resources.properties file.
To allow the console to store the time zone in the directory, you must add the new value to two lists in the daconfig.properties file. The first list specifies the actual value stored in the LDAP directory. The second list enables the console to map the (possibly localized) display value of the time zone to the stored value.
-
Edit the Resources.properties file, located under your Delegated Administrator data directory.
The Resources.properties file is located by default in the following directory:
da-base/data/da/WEB-INF/classes/com/sun/ \ comm/da/resources
To edit Resources.properties, search for the rsrc.Timezone property and add the new time zone to the appropriate list. You can localize this display value of the new time zone.
-
Locate the list of time zone values in the daconfig.properties file, located under your Delegated Administrator data directory.
The daconfig.properties file is located by default in the following directory:
da-base/data/da/WEB-INF/classes/com/sun/ \ comm/da/resources
To find the list of time zone values, search for the following line:
#Timezone values - only English
These are the values stored in the LDAP directory. The new time zone must be in English; this is the required format for the values stored in the directory.
-
Add the new time zone to the list.
For example, to add America/Miami to the list, assuming Timezone1 currently has 24 values, you would add
rsrc.Timezone1-25=America/Miami
This value would be the 25th time zone displayed in the Americas drop-down list in the console. Note that the time zone may be displayed in another language, depending on what you specified in the Resources.properties file in the preceding task.
-
Locate the reverse-time zone mappings list in the daconfig.properties file.
This list keys the localized time zone value (displayed in the console) to the actual value, which you specified in Step 2, above.
To find the list of reverse mappings, search for the following line:
#reverse timezone mappings - used by DA in getting localized tz value
-
Add the new value to the reverse-mapping list.
For example, to add America/Miami to the list, you would add
rsrcKey-America-Miami=rsrc.Timezone1-25
-
Redeploy the edited daconfig.properties and Resources.properties files to the Web container used by the Delegated Administrator console.
Before the change can take effect, you must run the script that deploys the customized daconfig.properties file to your Web container.
For instructions on how to deploy a customized properties file to a particular Web container, see To Deploy a Customized Configuration File.
After you edit and redeploy the daconfig.properties and Resources.properties files, the new time zone will appear in the appropriate list boxes in the Delegated Administrator console. It will be saved in the directory whenever you select the time zone in the Delegated Administrator console and click Save.
To change the default time zone in Delegated
Administrator
-
In the UserCalendarService.xml and DomainCalendarService.xml files, edit the following value:
<DefaultValues> <Value>America/Denver</Value> </DefaultValues>You can find <DefaultValues> under the following entry in the xml files:
<AttributeSchema name="icstimezone"
-
Run the Access Manager amadmin utility to delete the current service and add the updated service.
For both the UserCalendarService.xml and DomainCalendarService.xml files, run the following amadmincommands:
./amadmin -u <admin> -w <password> -r DomainCalendarService
./amadmin -u <admin> -w <password> -s da_base/lib/services/DomainCalendarService.xml
-
Restart your Web container to enable the changes to take effect.
Preventing New Users from Having Access to Instant Messaging
If Sun Java System Instant Messaging (IM) is installed and configured to use LDAP for storing user properties, when Delegated Administrator creates a new user, the object classes required to provide access to IM service are automatically added to the user's LDAP entry.
You can prevent new users from being given the required IM object classes during user creation. To do so, you change a property value in the Delegated Administrator server resource.properties file.
To disable Instant Messaging service for new users
-
Open the resource.properties file in a text editor.
The resource.properties file is located by default in the original (standard) location in the Delegated Administrator installation path:
da-base/data/WEB-INF/classes/sun/comm/cli/server/servlet
-
Change the value of the im-provision property from true to false.
By default, this value is true.
For example:
im-provision=false
-
Redeploy the edited resource.properties file to the Web container used by the Delegated Administrator server.
Before the change can take effect, you must run the script that deploys the customized resource.properties file to your Web container.
For instructions on how to deploy a customized properties file to a particular Web container, see To Deploy a Customized Configuration File.
- © 2010, Oracle Corporation and/or its affiliates