iPlanet Directory Server Access Management Edition Administration Guide
Chapter 2 Service Management
This chapter describes the service management features of iPlanet Directory Server Access Management Edition (DSAME). The Service Management interface provides a way to view, manage and configure all DSAME services and their values (both default and customized) in addition to configuring DSAME console display settings. This chapter contains the following sections:
Definition of a Service
A service is a group of attributes defined under a common name. The attributes define the parameters that the service provides to an organization. For instance, in developing a payroll service, a developer might decide to include attributes that define an employee name, an hourly rate and a tax exemption. When the service is registered to an organization, that organization can use these attributes in the configuration of its entries.
DSAME defines services using Extensible Markup Language (XML). The Service Management Services Document Type Definition (sms.dtd) defines the structure of a service XML file. This file can be found in the following directory:
For more information on defining a DSAME service, see the iPlanet Directory Server Access Management Edition Programmer's Guide.
DSAME Services Defined
The default services provided with DSAME are defined by XML files located in the following directory:
Some of these services, when configured through the Service Management interface, define values for the DSAME application. Others are registered to a specific organization configured within DSAME and are used to define default values for the organization.
Administration
The Administration service allows for the configuration of the DSAME Administration Console at both the application level (similar to a Preferences or Options menu for the DSAME application) and at the level of a configured organization (Preferences or Options specific to that organization).
Authentication
There are six authentication services including a base service. This allows the administrator to choose the method by which each defined organization has its users' authorization verified.
Core
The Core service is the general configuration base for the DSAME authentication services. It must be registered and configured before any of the specific services can be used. It allows the administrator to define default values that are picked up for any values not specifically set in the Anonymous, Certificate-based, LDAP, Membership, RADIUS, SafeWord and Unix services.
Anonymous
This service allows login without specifying a user name and password. Anonymous connections have limited access to the server and are customized by the administrator.
Certificate-based
This service allows login through a personal digital certificate (PDC). iPlanet Certificate Management System (CMS) can be installed as a Certificate Authority. For more information on CMS, see the documentation set located at http://docs.iplanet.com/docs/manuals/cms.html.
LDAP
This service allows for authentication using LDAP bind, an operation that associates a password with a particular LDAP entry.
Membership
This service allows a new user to self-register for authentication with a login and password.
RADIUS
This service allows for authenticating users against an external Remote Authentication Dial-In User Service (RADIUS) server.
SafeWord
This service allows for authenticating users against a SafeWord server.
Unix
This service allows for authenticating users against a Unix server.
Logging
The Logging service is where the administrator configures values for the DSAME application logging function. Examples include log file size and log file location.
Naming
The Naming service is used to get and set URLs, plug-ins and configurations, as well as to request notifications for various other DSAME services such as session, authentication and logging.
Platform
The Platform service is where additional servers can be added to the DSAME configuration, as well as other options applied at the top level of the DSAME application.
Session
The Session service defines values for an authenticated user session, such as maximum session time and maximum idle time.
URL Policy Agent
The URL Policy Agent is configured by navigating to the Policy Management window in the graphical user interface. It defines user privileges to web resources, allowing an administrator to allow or deny access to http and https-based URLs.
User
Default user preferences, such as time zone, locale and DN starting view, are defined through the User service.
The attributes that make up a DSAME service are classified as one of the following types: Dynamic, Policy, User, Organization or Global. Using these types to subdivide the attributes in each service allows for a more consistent arrangement of the service schema and easier management of the service parameters.
Dynamic Attributes
A dynamic attribute can be assigned to a DSAME configured role or organization. When the role is assigned to a user or a user is created in an organization, the dynamic attribute then becomes a characteristic of the user. For example, a role is created for an organization's employees. This role might contain the organization's address and a fax number, two things that remain static for all employees. When the role is assigned to each employee, these dynamic attributes are inherited by them.
Policy Attributes
Policy attributes are privilege attributes. They are configured through the Policy Management interface as discussed in Chapter 3 "Policy Management." Once a policy is configured, it may be assigned to roles or organizations. That is the only difference between dynamic and policy attributes: dynamic attributes are assigned directly to a role or an organization, whereas policy attributes are used to configure policies that are then applied to a role or an organization. DSAME currently has only one service which uses policy attributes, the URL Policy Agent. These specific policy attributes deny or allow users access to web resources.
User Attributes
User attributes are assigned directly to each user. They are not inherited from a role or an organization and, typically, are different for each user. Examples of user attributes include userid, employee number and password. User attributes can be added to or removed from the User service by modifying the dpUser.xml file. For more information, see the iPlanet Directory Server Access Management Edition Programmer's Guide.
Organization Attributes
Organization attributes are assigned to organizations only. In that respect, they work as dynamic attributes. They differ from dynamic attributes, though, as they are not inherited by entries in the subtrees. Additionally, no object classes are associated with organization attributes. Attributes listed in the authentication services are defined as organization attributes because authentication is done at the organization level rather than at a subtree or user level.
Global Attributes
Global attributes are applied across the DSAME configuration. They cannot be applied to users, roles or organizations, as the goal of global attributes is to customize the DSAME application. There is only one instance of a global attribute in the DSAME configuration. There are no object classes associated with global attributes. Examples of global attributes include log file size, log file location, port number or a server URL that DSAME can use to access data.
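As an added example (not from this guide or the DSAME product), the following Python reads a constructed service definition laid out in the style of the sms.dtd service XML described earlier and groups its attributes by the five scopes above, so an administrator can see which values are deployment-wide and which a role or organization can push down to users. The element names (ServicesConfiguration, Service, Schema, AttributeSchema, DefaultValues, Value) and the payroll service are assumptions modelled on the chapter's payroll example.

```python
import xml.etree.ElementTree as ET
# Constructed sample, modelled on the chapter's payroll service. The element
# layout (ServicesConfiguration > Service > Schema > scope > AttributeSchema)
# is an assumption; check the shipped sms.dtd before relying on it.
PAYROLL_SERVICE_XML = """
<ServicesConfiguration>
  <Service name="PayrollService" version="1.0">
    <Schema serviceHierarchy="/Other Configuration/Payroll" i18nKey="payroll">
      <Global>
        <AttributeSchema name="payroll-server-url" type="single" syntax="string">
          <DefaultValues><Value>https://payroll.example.com</Value></DefaultValues>
        </AttributeSchema>
      </Global>
      <Organization>
        <AttributeSchema name="payroll-tax-exemption" type="single" syntax="string"/>
      </Organization>
      <Dynamic>
        <AttributeSchema name="payroll-hourly-rate" type="single" syntax="numeric"/>
      </Dynamic>
      <User>
        <AttributeSchema name="payroll-employee-name" type="single" syntax="string"/>
      </User>
    </Schema>
  </Service>
</ServicesConfiguration>"""

# The five attribute scopes the chapter describes.
SCOPES = ("Global", "Organization", "Dynamic", "User", "Policy")

def attributes_by_scope(service_xml):
    """Return {service name: {scope: [(attribute name, syntax, default values)]}}."""
    result = {}
    for service in ET.fromstring(service_xml).iter("Service"):
        scoped = {scope: [] for scope in SCOPES}
        schema = service.find("Schema")
        for scope in SCOPES:
            section = None if schema is None else schema.find(scope)
            if section is None:
                continue  # scope not declared: no attributes at that level
            for attr in section.findall("AttributeSchema"):
                defaults = [v.text for v in attr.findall("DefaultValues/Value")]
                scoped[scope].append((attr.get("name"), attr.get("syntax"), defaults))
        result[service.get("name")] = scoped
    return result

def inherited_by_users(service_xml, service_name):
    """Attributes that land on a user entry: Dynamic via role/organization, User directly."""
    scoped = attributes_by_scope(service_xml)[service_name]
    return [name for name, _, _ in scoped["Dynamic"] + scoped["User"]]
```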
Services are configured and managed through the Service Management window. Organization-specific services which are not covered by the DSAME default service packages can be written using XML (based on the DSAME services document type definition or DTD) and added into the interface under the Other Configuration heading. Instructions on how this is done can be found in the iPlanet Directory Server Access Management Edition Programmer's Guide. Part 2, "Attribute Reference Guide" describes the default services and the definitions of their corresponding attributes.
The Service Management View is for displaying service configurations on a global level. In other words, it is a view of the default configurations of all available services in DSAME, whether registered or not. When a service is registered and activated by an organization, the initial default data assigned to the service is that which is displayed under the service's Service Management page. Figure 2-1 is a screenshot of the graphical user interface.
Figure 2-1    Service Management View
Access the Service Management view by choosing Service Management in the View menu. The navigation pane will display a list of all defined DSAME services. To set the global default values for a service, select the Properties arrow next to the name of the service. The attributes for the service will be displayed in the data pane.
Copyright © 2002 Sun Microsystems, Inc. All rights reserved.
Last Updated May 09, 2002