iPlanet Directory Server Access Management Edition Administration Guide



Chapter 1   Product Overview


This chapter provides an overview of the features of iPlanet Directory Server Access Management Edition (DSAME). It contains the following sections:

  • Directory Server Access Management Edition

  • Installing DSAME

  • The DSAME Console



Directory Server Access Management Edition

iPlanet DSAME is a set of tools that draws on the management and security capabilities of Directory Server, iPlanet's Lightweight Directory Access Protocol (LDAP) data store. DSAME integrates Directory Server with user authentication and single sign-on functions, which increase data security. It also lets administrators manage user entries based on roles, an entry-grouping mechanism that appears as an attribute in a user entry. Lastly, developers can define and manage the configuration parameters of a multitude of default and custom-made services. All three of these functions are accessed through a customizable graphical user interface, the web-based DSAME console.



Features of DSAME



DSAME is built on top of an installation of iPlanet Directory Server, version 5.1. The concept is to give directory administrators a more consistent and intuitive interface to work from as well as features used to extend the capabilities of Directory Server.


Service Management

Configuration parameters for default and custom-made business services can be specified with DSAME's service management component. Using XML and the DTD defined within the DSAME framework, service developers can define the parameters of a corporate service (such as a mail service, a billing service or a logging service) and manage the service's parameters or attributes. In addition, DSAME allows service administrators to define the value of these attributes.


Policy Management

DSAME also provides a component to define, modify or remove the rules that control access to business resources. Collectively, these rules are referred to as policy. Policies can be role-based or organization-based and can offer privileges or define constraints.


Authentication

DSAME provides a plug-in solution for user authentication. The criteria needed to authenticate a particular user are defined by the authentication service configured for that user's organization in the DSAME enterprise. Before being allowed access to a DSAME session, a user must pass authentication successfully.


Single Sign-On

Once the user is authenticated, DSAME's Single Sign-On (SSO) API takes over. Each time the authenticated user requests a protected page, the SSO API checks, from the credentials established at authentication, whether the user still holds a valid session with the permissions the page requires. If so, the page is served without further authentication; if not, the user is prompted to authenticate again.


URL Policy Agents

The URL Policy Agent is installed on a web server and is a specific instance of the DSAME policy component. When a user requests a web resource that lives on the protected web server, the agent performs an additional check before the request reaches the resource: it validates the user's SSO session and the policy governing access to that resource. This check is in addition to any authentication the resource itself performs. The agent protects the web server; the resource is protected by the authentication plug-in.
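The two preceding sections describe a flow rather than an API: authentication issues a session, the SSO check decides whether that session is still valid, and the agent in front of the web server decides whether the session may reach a given URL. The following Python is an added illustration of that flow and is not the DSAME SSO API, the URL Policy Agent, or any other code from the product. The token format (an HMAC-signed, expiring payload), the shared secret, the policy table and all function names are assumptions made for the example; the only behaviour taken from the text is that an invalid session sends the user back to authentication, while a valid session is checked against role-based or organization-based rules without authenticating again.

```python
"""Illustrative SSO-session and URL-policy check.

Added example, not DSAME code: the token format, secret, policy table and
function names are assumptions chosen to show the flow described above.
"""
import base64
import hashlib
import hmac
import json

# Assumed shared secret between the authentication service and the agent
# (constructed for the example; a real deployment provisions this securely).
SECRET = b"example-sso-signing-key"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user: str, org: str, roles: list, now: float, ttl: int = 3600) -> str:
    """Issued once, after the authentication plug-in has accepted the user.

    The payload is signed so that the agent can trust it on later requests
    without re-running authentication.
    """
    payload = {"sub": user, "org": org, "roles": sorted(roles), "exp": int(now) + ttl}
    body = _b64(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode())
    sig = hmac.new(SECRET, body.encode(), hashlib.sha256).digest()
    return body + "." + _b64(sig)


def validate_token(token: str, now: float):
    """Return the session payload if the signature is good and the token is
    unexpired; otherwise None (the SSO check has failed)."""
    if not token or token.count(".") != 1:
        return None
    body, sig = token.split(".")
    expected = hmac.new(SECRET, body.encode(), hashlib.sha256).digest()
    try:
        # Constant-time comparison so the agent does not leak signature bytes via timing.
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None
        payload = json.loads(_unb64(body))
    except (ValueError, UnicodeDecodeError):
        return None
    if payload.get("exp", 0) <= now:
        return None
    return payload


# Assumed policy table keyed by URL prefix. A rule may grant access to roles
# (role-based policy) or to whole organizations (organization-based policy).
POLICY = {
    "/payroll/": {"roles": {"hr-admin"}},
    "/intranet/": {"orgs": {"acme"}},
}


def agent_decision(token: str, url: str, now: float) -> str:
    """What a web-server agent would return for one request.

    'login' - no valid session: prompt the user to authenticate again
    'allow' - valid session and a policy rule grants access
    'deny'  - valid session but no rule grants access (no re-authentication)
    """
    session = validate_token(token, now)
    if session is None:
        return "login"
    # Longest matching prefix wins; anything without a rule is denied.
    for prefix in sorted(POLICY, key=len, reverse=True):
        if url.startswith(prefix):
            rule = POLICY[prefix]
            if set(session["roles"]) & rule.get("roles", set()):
                return "allow"
            if session["org"] in rule.get("orgs", set()):
                return "allow"
            return "deny"
    return "deny"


if __name__ == "__main__":
    t0 = 1_700_000_000.0
    tok = issue_token("alice", "acme", ["employee"], t0)
    print(agent_decision(tok, "/intranet/home", t0 + 10))           # allow (organization rule)
    print(agent_decision(tok, "/payroll/run", t0 + 10))             # deny (no matching role)
    print(agent_decision(tok, "/intranet/home", t0 + 7200))         # login (session expired)
    print(agent_decision(tok[:-2] + "xx", "/intranet/home", t0))    # login (tampered signature)
```

The point the example makes explicit is the split the text describes: session validity (signature and expiry) is what sends a user back to authentication, whereas a valid session that fails the policy rule is simply denied, since re-authenticating would not change the outcome.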


User Management

The user management component allows for the creation and management of user-related objects. User, role, group, people container, organization, sub-organization and organizational unit objects can be defined, modified or deleted using either the DSAME console or the command line interface.


DSAME Console

This HTML-based console provides a graphical user interface for businesses to manage the DSAME enterprise. The console has default administrators with varying degrees of privileges used to create and manage the services, policies and users. (Additional administrators can be created based on roles.) The administrators are defined within the Directory Server when installed with DSAME. These administrators are the:

  • Top Level Administrator with read and write access to all entries within the DSAME enterprise.

  • Top Level Help Desk Administrator with read access to all entries within the DSAME enterprise.

  • Organization Administrator with read and write access to all entries within its organization.

  • Organization Help Desk Administrator with read access to all entries within its organization.

  • Organizational Unit Administrator with read and write access to all organizational unit entries.

  • Organizational Unit Help Desk Administrator with read access to all organizational unit entries.

  • People Container Administrator with read and write access to all users within its people container.

  • Group Administrator with read and write access to all members of its group.



Installing DSAME

The goal of DSAME is to provide an interface for managing user objects, policies and services for organizations using iPlanet Directory Server. When the DSAME installer is run, an instance of Directory Server is installed. This instance serves as the data store for DSAME. In addition, three modules are integrated into the Directory Server: the Policy module, the Management module, and the URL Policy Agent module.

The Policy module consists of the logging module, Single Sign-On (SSO) SDK and the Authentication SPI. The Management module provides policy, user and service management functions through either the DSAME console or the command line interface. The URL Policy Agent validates a user's SSO and web resource access. All of these functions can be accessed through a web browser using the DSAME console.



Note: The DSAME installer can install the three DSAME modules into an existing Directory Server. For information on how this is done, please see the iPlanet Directory Server Access Management Edition Installation and Deployment Guide.





The DSAME Console



The DSAME console is divided into three sections: the location pane, the navigator pane and the data pane. By using all three panes the administrator is able to navigate the directory, perform user and service configurations and create policies.

Figure 1-1    The DSAME Console



Location Pane

The Location pane runs along the top of the console. The uppermost View menu lets the administrator switch between the three management views.

The Location field provides a trail to the administrator's position in the directory tree. This path is used for navigational purposes.

The Currently Logged In field displays the name of the user that is currently running the console with a link to their user profile.

The Documentation link opens a browser window containing an HTML version of Part 2 of this documentation, the Attribute Reference Guide.

The Logout link allows the user to log out of DSAME.


Navigation Pane

The Navigation pane is the left portion of the console. The Directory Object portion (within the grey box) displays the name of the directory object that is currently open and its Properties link. (Most objects displayed in the Navigation pane have a corresponding Properties link. Selecting this link renders the object's attributes in the Data pane to the right.) The Show menu lists the directory objects under the selected directory object. Depending on the number of sub-objects, a paging mechanism is provided.


Data Pane

The Data pane is the right portion of the console. This is where all object attributes and their values are displayed and configured and where entries are selected for their respective group, role or organization.


Copyright © 2002 Sun Microsystems, Inc. All rights reserved.

Last Updated May 09, 2002