Chapter 4 Managing Users and Groups

Previous Contents Index Next
Sun Java System Web Proxy Server 4.0.1 Administration Guide

Chapter 4
Managing Users and Groups

This chapter describes how to add, delete, modify, and manage the users and groups that can access the Proxy Server.

This chapter contains the following sections:

Accessing Information about Users and Groups

About Directory Services

Configuring Directory Services

Creating Users

Managing Users

Creating Groups

Managing Groups

Creating Organizational Units

Managing Organizational Units

Accessing Information about Users and Groups

The Administration Server provides access to application data about user accounts, group lists, access privileges, organizational units, and other user- and group-specific information.

User and group information is stored either in flat files in text format, or in a directory server such as Sun Java^™ System Directory Server, which supports LDAP (Lightweight Directory Access Protocol). LDAP is an open directory access protocol that runs over TCP/IP (Transmission Control Protocol/Internet Protocol) and is scalable to a global size and millions of entries.

About Directory Services

A directory service enables all user information to be managed from a single source. With Proxy Server, three different types of directory services can be configured: LDAP, key file, and digest file.

If no other directory service has been configured, the first new directory service created is set to the value default, irrespective of its type. When a directory service is created, the server_root/userdb/dbswitch.conf file is updated with directory service details.

This section contains the following topics:

LDAP Directory Services

Key File Directory Services

Digest File Directory Services

LDAP Directory Services

With an LDAP directory service, user and group information is stored in an LDAP-based directory server.

If the LDAP service is the default service, the dbswitch.conf file is updated as shown in the example below:

directory default ldap://test22.india.sun.com:589/dc%3Dindia%2Cdc%3Dsun%2Cdc%3Dcom
default:binddn cn=Directory Manager
default:encoded bindpw YWRtaW5hZG1pbg==

If the LDAP service is a non-default service, the dbswitch.conf file is updated as shown in the example below:

directory ldap ldap://test22.india.sun.com:589/dc%3Dindia%2Cdc%3Dsun%2Cdc%3Dcom
ldap:binddn cn=Directory Manager
ldap:encoded bindpw YWRtaW5hZG1pbg==

Key File Directory Services

A key file is a text file that contains the user’s password in a hashed format and the list of groups to which the user belongs. The key file format can only be used when the intent is to use HTTP Basic authentication. For more information about this authentication method, see Specifying Users and Groups.

When a key file-based database is created, the dbswitch.conf file is updated as shown in the example below:

directory keyfile file
keyfile:syntax keyfile
keyfile:keyfile D:\test22\keyfile\keyfiledb

Digest File Directory Services

A digest file stores user and group information based on encrypted user name and password.

The digest file format is meant to support the use of HTTP Digest authentication but also supports Basic authentication, so it can be used for both authentication methods. For more information about these methods, see Specifying Users and Groups.

When a digest-based database is created, the dbswitch.conf file is updated as shown in the example below:

directory digest file
digest:syntax digest
digest:digestfile D:\test22\digest\digestdb

Note

To configure distributed administration, the default directory service must be an LDAP-based directory service.

Configuring Directory Services

A directory service is created and configured on the Global Settings tab in the Administration Server. Users, groups, and organizational units are then created and managed on the Users and Groups tab in the Administration Server.

This section contains the following topics:

Creating Directory Services

Editing Directory Services

Creating Directory Services

To create directory services

Access the Administration Server and click the Global Settings tab.

Click the Configure Directory Service link.

From the Create New Service of Type drop-down list, select the type of directory service you want to create and click New. The configuration page for that directory service displays.

Provide configuration information, and then click Save Changes. For more information about specific fields, see the online Help.

Note

If no other directory service has been configured, the first new directory service created is set to the value default, irrespective of its type.

Editing Directory Services

To edit directory services

Access the Administration Server and click the Global Settings tab.

Click the Configure Directory Service link.

Click the link for the directory service you want to edit, make the desired changes, and then click Save Changes. For more information about specific fields, see the online Help.

Understanding Distinguished Names (DNs)

The Users and Groups tab in the Administration Server is used to create or modify users, groups, and organizational units. A user is an individual in the LDAP database, such as an employee of your company. A group is two or more users who share a common attribute. An organizational unit is a subdivision within your organization that uses the organizationalUnit object class. Users, groups, and organizational units are described in greater detail later in this chapter.

Each user and group in your enterprise is represented by a distinguished name (DN) attribute. A DN attribute is a text string that contains identifying information for an associated user, group, or object. You use DNs whenever user or group directory entries are changed. For example, DN information must be provided each time you create or modify directory entries, configure access controls, and configure user accounts for applications such as mail or publishing. The Users and Groups interface of the Proxy Server is used to create or modify DNs.

The following example represents a typical DN for an employee of Sun Microsystems:

uid=doe,e=doe@sun.com,cn=John Doe,o=Sun Microsystems Inc.,c=US

The abbreviations in this example mean the following:

uid is the user ID

e is the e-mail address

cn is the user's common name

o is the organization

c is the country

DNs may include a variety of name-value pairs, and are used to identify both certificate subjects and entries in directories that support LDAP.

Using LDIF

If you do not currently have a directory, or you want to add a new subtree to an existing directory, you can use the directory server’s LDIF (Lightweight Directory Interchange Format) import function. This function accepts a file containing LDIF and attempts to build a directory or a new subtree from the LDIF entries. You can also export your current directory to LDIF using the directory server’s LDIF export function. This function creates an LDIF-formatted file that represents your directory. You can add or edit entries using the ldapmodify command line utility (if available), along with the appropriate LDIF update statements.

To add entries to the database using LDIF, first define the entries in an LDIF file, then import the LDIF file from the directory server.

Creating Users

The Users and Groups tab in the Administration Server is used to create and modify user entries. A user entry contains information about an individual person or object in the database.

Note

Be sure to protect server security by ensuring that users do not have unauthorized access to resources. Proxy Server uses an ACL-based authorization and authentication model. For more information about ACL-based security, see Controlling Access to Your Server. For additional security information, also see Using Certificates and Keys.

This section contains the following topics:

Creating Users in LDAP-based Authentication Databases

Creating Users in Key File Authentication Databases

Creating Users in Digest File Authentication Databases

Creating Users in LDAP-based Authentication Databases

When user entries are added to an LDAP-based directory service, the services of an underlying LDAP-based directory server are used to authenticate and authorize users. This section lists guidelines to consider when using an LDAP-based authentication database, and describes how to add users through the Proxy Server Administration Server.

Guidelines for Creating LDAP-based User Entries

Consider the following guidelines when using the Proxy Server administration console to create new user entries in an LDAP-based directory service:

If you enter a given name (or first name) and a surname, the user’s full name and user ID are automatically completed. The user ID is generated as the first initial of the user’s first name followed by the user’s last name. For example, if the user’s name is Billie Holiday, the user ID is automatically set to bholiday. You can replace this user ID with an ID of your own choosing if you wish.

The user ID must be unique. The Administration Server ensures that the user ID is unique by searching the entire directory from the search base (base DN) down to see if the user ID is in use. Be aware, however, that if you use the directory server ldapmodify command line utility (if available) to create a user, unique user IDs are not ensured. If duplicate user IDs exist in your directory, the affected users will not be able to authenticate to the directory.

The base DN specifies the distinguished name where directory lookups occur by default, and where all Proxy Server Administration Server entries are placed in your directory tree. A DN is the string representation for the name of an entry in a directory server.

At a minimum, you must specify the following user information when creating a new user entry:

Surname or last name

Full name

User ID

If any organizational units are defined for your directory, you can specify where you want the new user to be placed using the Add New User To list on the Create User page in the Administration Server. The default location is your directory’s base DN, or root point.

Creating LDAP-based User Entries

To create a user entry, read the guidelines outlined in Guidelines for Creating LDAP-based User Entries, then perform the following procedure.

To create users in LDAP-based authentication databases

Access the Administration Server and click the Users and Groups tab.

Click the Create User link.

Select the LDAP directory service from the drop-down list and click Select.

Enter the information on the page that displays. For more information about specific fields, see the online Help. Also see Directory Server User Entries.

Click Create to create the user entry, or Create and Edit to create the user entry and proceed to the edit page for the entry just created.

Directory Server User Entries

Notes about directory server user entries:

User entries use the inetOrgPerson, organizationalPerson, and person object classes.

By default, the distinguished name for users is of the form:

cn=full name,ou=organization,...,o=base organization,c=country

For example, if a user entry for Billie Holiday is created within the organizational unit Marketing, and the directory’s base DN is o=Ace Industry, c=US, then the DN is:

cn=Billie Holiday,ou=Marketing,o=Ace Industry,c=US

However, note that this format can be changed to a user ID (uid)-based distinguished name.

The values on the user form fields are stored as LDAP attributes.

The following table lists the fields and corresponding LDAP attributes that display when creating a new user in the Proxy Server interface.

Table 4-1  LDAP Attributes - Creating User Entries

User Field

LDAP Attribute

Given Name

givenName

Surname

sn

Full Name

cn

User ID

uid

Password

userPassword

E-mail Address

mail

The following table lists the fields and corresponding LDAP attributes that also display when editing the user entry.

Table 4-2  LDAP Attributes - Editing User Entries

User Field

LDAP Attribute

Title

title

Phone Number

telephoneNumber

Creating Users in Key File Authentication Databases

A key file is a text file that contains the user’s password in a hashed format, and the list of groups to which the user belongs.

To create users in key file authentication databases

Access the Administration Server and click the Users and Groups tab.

Click the Create User link.

Select the key file-based directory service from the drop-down list and click Select.

Enter the information on the page that displays, and then click Create User. For more information about specific fields, see the online Help.

Creating Users in Digest File Authentication Databases

A digest file authentication database stores user and group information in an encrypted form.

To create users in digest file authentication databases

Access the Administration Server and click the Users and Groups tab.

Click the Create User link.

Select the digest file-based directory service from the drop-down list and click Select.

Enter the information on the page that displays, and then click Create User. For more information about specific fields, see the online Help.

Note

The same realm string must be specified when creating an ACL that uses Digest authentication using the Proxy Server ACL user interface. For more information, see Setting Access Control.

Managing Users

User attributes are edited from the Manage Users page on the Administration Server Users and Groups tab. From this page you can find, change, rename, and delete user entries.

This section contains the following topics:

Finding User Information

Editing User Information

Managing a User’s Password

Renaming Users

Removing Users

Finding User Information

Before you can edit a user entry you must first find and display the entry, as described in the following procedure.

To find user information

Access the Administration Server and click the Users and Groups tab.

Click the Manage Users link.

Select a directory service from the drop-down list and click Select. For key file or digest file directory services, a list of users displays. For LDAP-based directory services, search fields display.

Find user information:

For key file or digest file directory services, click the link for the user to display the edit page and make changes. For more information about specific fields, see the online Help.

For LDAP-based directory services, do the following:

In the Find User field, enter a descriptive value for the entry you want to edit. You can enter any of the following:

A name. Enter a full or partial name. All entries that equally match the search string are returned. If no such entries are found, all entries that contain the search string are found. If no such entries are found, any entries that sound like the search string are found.

A user ID. If you enter only a partial user ID, any entries that contain the string are returned.

A telephone number. If you enter only a partial number, any entries that have telephone numbers ending in the search number are returned.

An e-mail address. Any search string containing an at symbol (@) is assumed to be an e-mail address. If an exact match cannot be found, a search is performed to find all e-mail addresses that begin with the search string.

An asterisk (*) to see all entries currently in your directory. You can achieve the same result by leaving the field blank.

Any LDAP search filter. Any string that contains an equal sign (=) is considered a search filter.

As an alternative, use the drop-down menus in the Find All Users Whose section to narrow the results of your search. For more information, see Building Custom Search Queries.

In the Look Within field, select the organizational unit under which you want to search for entries. The default is the directory’s root point (topmost entry).

In the Format field, specify whether the output should be formatted for display on screen or for printing to a printer.

At any stage in this process, click the Find button. All users matching your search criteria will be displayed.

Click the link for the entry you want to display.

Building Custom Search Queries

For LDAP services, the Find All Users Whose section enables you to build a custom search filter. Use the fields to narrow search results returned by a Find User search.

The left drop-down list specifies the attribute on which the search will be based. The following tables lists the available search attribute options.

Table 4-3  Search Attribute Options

Option

Searches for a Match

Full name

Each entry’s full name

Last name

Each entry’s last name, or surname

User ID

Each entry’s user ID

Phone number

Each entry’s phone number

E-mail address

Each entry’s e-mail address

The center drop-down list specifies the type of search to perform. The following tables lists the available search type options.

Table 4-4  Search Type Options

Option

Description

Contains

Causes a substring search to be performed. Entries with attribute values containing the specified search string are returned. For example, if you know a user’s name probably contains the word "Dylan," use this option with the search string "Dylan" to find the user’s entry.

Is

Causes an exact match to be found (specifies an equality search). Use this option when you know the exact value of a user’s attribute. For example, you know the exact spelling of the user’s name.

Isn’t

Returns all entries whose attribute value does not exactly match the search string. Use this option to find all users in the directory whose name is not "John Smith." Note that use of this option can cause an extremely large number of entries to be returned.

Sounds like

Causes an approximate, or phonetic, search to be performed. Use this option if you know an attribute’s value but do not know the spelling. For example, you do not know if a user’s name is spelled "Sarret," "Sarette," or "Sarett."

Starts with

Causes a substring search to be performed. Returns all entries whose attribute value starts with the specified search string. For example, you know a user’s name starts with "Miles," but do not know the rest of the name.

Ends with

Causes a substring search to be performed. Returns all entries whose attribute value ends with the specified search string. For example, you know a user’s name ends with "Dimaggio," but do not know the rest of the name.

The right text field is used to enter a search string. To display all user entries contained in the directory specified in the Look Within field, enter an asterisk (*) or leave this field blank.

Editing User Information

To edit user entries

Access the Administration Server and click the Users and Groups tab.

Click the Manage Users link.

Display the user entry as described in Finding User Information.

Make the desired changes. For more information about specific fields, see the online Help.

Note

You may want to change an attribute value that is not displayed by the edit user page. In this situation, use the directory server ldapmodify command line utility, if available.

For information about changing a user’s user ID, see Renaming Users.

Managing a User’s Password

The following procedure describes how to change or create user passwords.

To change or create user passwords

Access the Administration Server and click the Users and Groups tab.

Click the Manage Users link.

Display the user entry as described in Finding User Information.

Make the desired changes. For more information about specific fields, see the online Help.

For LDAP databases you can also disable the user’s password by clicking the Disable Password button on the page used to edit user password information (accessed from the Manage Users page). Doing this prevents the user from logging into a server, without your having to delete the user’s directory entry. You can allow access for the user again by entering a new password.

Renaming Users

For LDAP databases, the rename feature changes only the user ID. All other fields are left intact. You cannot use the rename feature to move the entry from one organizational unit to another.

To rename user entries

Access the Administration Server and click the Users and Groups tab.

Click the Manage Users link.

Display the user entry as described in Finding User Information.

Click the Rename User button on the edit user page, enter the user ID on the page that displays, and click Save Changes.

Note

You can specify that the Administration Server no longer retains the old values when an entry is renamed by setting the keepOldValueWhenRenaming parameter to false (the default). This parameter is found in the following file:

server_root/proxy-admserv/config/dsgw-orgperson.conf

Removing Users

To remove user entries

Access the Administration Server and click the Users and Groups tab.

Click the Manage Users link.

Display the user entry as described in Finding User Information.

Click Delete User (LDAP) or Remove User (key file and digest file).

Creating Groups

A group is an object that describes a set of objects in an LDAP database. A Sun Java System server group consists of users who share a common attribute. For instance, the set of objects might be a number of employees who work in the Marketing division of your company. These employees might belong to a group called Marketing.

For LDAP services, there are two ways to define the membership of a group: statically and dynamically. Static groups enumerate their member objects explicitly. A static group is a common name (CN) and contains uniqueMembers and/or memberURLs and/or memberCertDescriptions. For static groups, the members do not share a common attribute, except for the cn=groupname attribute.

Dynamic groups enable you to use an LDAP URL to define a set of rules that match only for group members. For dynamic groups, the members do share a common attribute or set of attributes that are defined in the memberURL filter. For example, if you need a group that contains all employees in Sales, and those employees are already in the LDAP database under ou=Sales,o=Airius.com, you would define a dynamic group with the following member URL:

ldap:///ou=Sales,o=sun??sub?(uid=*)

This group would subsequently contain all objects that have a uid attribute in the tree below the ou=Sales,o=sun point. Thus, all Sales members.

For static and dynamic groups, members can share a common attribute from a certificate if the memberCertDescription is used. Note that this only applies if the ACL uses the SSL method.

Once a new group has been created, you can add users (members) to it.

This section contains the following topics:

About Static Groups

About Dynamic Groups

About Static Groups

For LDAP services, the Administration Server enables you to create a static group by specifying the same group attribute in the DNs of any number of users. A static group does not change unless a user is added to or deleted from the group.

Guidelines for Creating Static Groups

Consider the following guidelines when using the Administration Server interface to create new static groups:

Static groups can contain other static or dynamic groups.

If organizational units are defined for your directory, specify where you want the new group to be placed using the Add New Group To list on the Create Group page in the Administration Server interface. The default location is your directory’s root point (topmost entry).

For more information about editing groups, see Editing Group Entries.

Creating Static Groups

To create static groups

Access the Administration Server and click the Users and Groups tab.

Click the Create Group link.

Select New Group from the Type of Group drop-down list, and then click Go.

Enter the information on the Create Group page. For more information about specific fields, see the online Help.

Click Create to create the group, or Create and Edit to create the group and proceed to the edit page for the group just created.

About Dynamic Groups

For LDAP services, Proxy Server enables you to create a dynamic group when you want to group users automatically based on any attribute, or when you want to apply ACLs to specific groups that contain matching DNs. For example, you can create a group that automatically includes any DN that contains the attribute department=marketing. If you apply a search filter for department=marketing, the search returns a group including all DNs containing the attribute department=marketing. You can then define a dynamic group from the search results based on this filter. Subsequently, you can define an ACL for the resulting dynamic group.

How Dynamic Groups are Implemented

Proxy Server implements dynamic groups in the LDAP server schema as objectclass=groupOfURLs. A groupOfURLs class can have zero or more memberURL attributes, each of which is an LDAP URL that describes a set of objects in the directory. The members of the group would be the union of these sets. For example, the following group contains just one member URL:

ldap:///o=mcom.com??sub?(department=marketing)

This example describes a set that consists of all objects below o=mcom.com whose department is marketing. The LDAP URL can contain a search base DN, a scope, and a filter, but not a host name and port. This means you can only refer to objects on the same LDAP server. All scopes are supported. For more information about LDAP URLs, see Guidelines for Creating Dynamic Groups.

The DNs are included automatically, without having to add each individual to the group. The group changes dynamically, because Proxy Server performs an LDAP server search each time a group lookup is needed for ACL verification. The user and group names used in the ACL file correspond to the cn attribute of the objects in the LDAP database.

Note

Proxy Server uses the cn attribute as the group name for ACLs.

The mapping from an ACL to an LDAP database is defined both in the dbswitch.conf file (which associates the ACL database names with actual LDAP database URLs) and the ACL file (which defines which databases are to be used for which ACL). For example, if you want base access rights on membership in a group named staff, the ACL code looks up an object with an object class of groupOfanything and a CN set to staff. The object defines the members of the group, either by explicitly enumerating the member DNs (as is done for groupOfUniqueNames for static groups), or by specifying LDAP URLs (for example, groupOfURLs).

Note

Groups can be both static and dynamic. A group object can have both objectclass=groupOfUniqueMembers and objectclass=groupOfURLs. Therefore, both uniqueMember and memberURL attributes are valid. The group's membership is the union of its static and dynamic members.

Dynamic Group Impact on Server Performance

Using dynamic groups impacts server performance. If you are testing group membership, and the DN is not a member of a static group, Proxy Server checks all dynamic groups in the database's base DN. Proxy Server determines if each memberURL matches by checking its base DN and scope against the DN of the user, and then performs a base search using the user DN as base DN and the filter of the memberURL. This procedure can involve a large number of individual searches.

Guidelines for Creating Dynamic Groups

Consider the following guidelines when using the Administration Server interface to create new dynamic groups:

Dynamic groups cannot contain other groups.

Enter the group's LDAP URL using the following format (without host and port info, as these parameters are ignored):

ldap:///base_dn?attributes?scope?(filter)

The following table lists the required parameters for the LDAP URL.

Table 4-5   Required Parameters for the LDAP URL

Parameter Name

Description

base_dn

The DN of the search base, or point from which all searches are performed in the LDAP directory. This parameter is often set to the suffix or root of the directory, such as o=mcom.com.

attributes

A list of attributes to be returned by the search. To specify more than one, use commas to delimit the attributes (for example, cn,mail,telephoneNumber). If no attributes are specified, all attributes are returned. This parameter is ignored for dynamic group membership checks.

scope

This parameter is required.

The scope of the search, which can be one of these values:

base retrieves information only about the distinguished name (base_dn) specified in the URL.

one retrieves information about entries one level below the distinguished name (base_dn) specified in the URL. The base entry is not included in this scope.

sub retrieves information about entries at all levels below the distinguished name (base_dn) specified in the URL. The base entry is included in this scope.

(filter)

This parameter is required.

Search filter to apply to entries within the specified scope of the search. If you are using the Administration Server interface, you must specify this attribute. The parentheses are required.

The attributes, scope, and (filter) parameters are identified by their positions in the URL. If you do not want to specify any attributes, you must still include the question marks (?) delimiting that field.

Continuing with the guidelines for creating dynamic groups:

If organizational units are defined for your directory, specify where you want the new group to be placed using the Add New Group To list on the Create Group page in the Administration Server interface. The default location is your directory's root point (topmost entry).

For more information about editing groups, see Editing Group Entries.

Creating Dynamic Groups

To create dynamic groups

Access the Administration Server and click the Users and Groups tab.

Click the Create Group link.

Select Dynamic Group from the Type of Group drop-down list and click Go.

Enter the information on the Create Group page. For more information about specific fields, see the online Help.

Click Create to create the group, or Create and Edit to create the group and proceed to the edit page for the group just created.

Managing Groups

For LDAP services, the Administration Server enables you to edit groups and manage group memberships from the Manage Groups page on the Administration Server Users and Groups tab.

This section contains the following topics:

Finding Group Entries

Editing Group Entries

Adding Group Members

Adding Groups to the Group Members List

Removing Entries from the Group Members List

Managing Owners

Managing See Alsos

Renaming Groups

Removing Groups

Finding Group Entries

Before you can edit a group entry you must first find and display the entry, as described in the following procedure.

To find group entries

Access the Administration Server and click the Users and Groups tab.

Click the Manage Groups link.

Enter the name of the group you want to find in the Find Group field. You can enter any of the following:

A name. Enter a full or partial name. All entries that equally match the search string are returned. If no such entries are found, all entries that contain the search string are found. If no such entries are found, any entries that sound like the search string are found.

An asterisk (*) to see all groups currently residing in your directory. You can achieve the same result by leaving the field blank.

Any LDAP search filter. Any string that contains an equal sign (=) is considered to be a search filter.

As an alternative, use the Find All Groups Whose section to build a custom search filter and narrow the results of your search. For more information, see The Find All Groups Whose Section.

In the Look Within field, select the organizational unit under which you want to search for entries. The default is the directory’s root point (topmost entry).

In the Format field, specify whether the output should be formatted for display on screen or for printing to a printer.

At any stage in this process, click the Find button. All groups matching your search criteria will be displayed.

Click the link for the entry you want to display.

The Find All Groups Whose Section

For LDAP services, the Find All Groups Whose section enables you to build a custom search filter. Use the fields in this section to narrow the search results that are otherwise returned by Find Group.

The left drop-down list specifies the attribute on which the search is based. The following options are available:

Name. Searches each entry’s full name for a match.

Description. Searches each group entry’s description for a match.

The center drop-down list specifies the type of search to perform. The following options are available:

Contains. Causes a sub-string search to be performed. Entries with attribute values containing the specified search string are returned. For example, if you know a group’s name probably contains the word "Administrator," use this option with the search string "Administrator" to find the group entry.

Is. Causes an exact match to be found. Use this option when you know the exact value of a group’s attribute. For example, you know the exact spelling of the group’s name.

Isn’t. Returns all entries whose attribute value does not exactly match the search string. Use this option if you want to find all groups in the directory whose name does not contain "administrator." Be aware, however, that using this option can cause an extremely large number of entries to be returned.

Sounds like. Causes an approximate, or phonetic, search to be performed. Use this option if you know an attribute’s value, but are unsure of the spelling. For example, you do not know if a group’s name is spelled "Sarret’s list," "Sarette’s list," or "Sarett’s list."

Starts with. Causes a sub-string search to be performed. Returns all entries whose attribute value starts with the specified search string. For example, you know a group’s name starts with "Product," but do not know the rest of the name.

Ends with. Causes a sub-string search to be performed. Returns all entries whose attribute value ends with the specified search string. For example, you know a group’s name ends with "development," but do not know the rest of the name.

In the right text field, enter a search string. To display all group entries contained in the Look Within directory, enter an asterisk (*) or leave this field blank.

Editing Group Entries

To edit group entries

This procedure applies to LDAP services only.

Access the Administration Server and click the Users and Groups tab.

Click the Manage Groups link.

Locate the group you want to edit as described in Finding Group Entries.

Make the desired changes. For more information about specific fields and buttons, see the online Help.

Note

You may want to change an attribute value that is not displayed by the group edit page. In this situation, use the directory server ldapmodify command line utility, if available.

Adding Group Members

To add members to a group

This procedure applies to LDAP services only.

Access the Administration Server and click the Users and Groups tab.

Click the Manage Groups link.

Locate and display the group you want to manage as described in Finding Group Entries, and click the Edit button next to Group Members. Any existing group members are listed on the page that displays. Search fields also display.

To add user entries to the list of members, Users must be selected in the Find drop-down list.

To add group entries to the group, Groups must be selected.

In the Matching text field, enter a search string. Enter any of the following options:

A name. Enter a full or partial name. All entries whose name matches the search string are returned. If no such entries are found, all entries that contain the search string are found. If no such entries are found, any entries that sound like the search string are found.

A user ID. If you enter only a partial user ID, any entries that contain the string are returned.

A telephone number. If you enter only a partial number, any entries that have telephone numbers ending in the search number are returned.

An e-mail address. Any search string containing an at symbol (@) is assumed to be an e-mail address. If an exact match cannot be found, a search is performed to find all e-mail addresses that begin with the search string.

Enter an asterisk (*) or leave this field blank to see all entries or groups currently residing in your directory.

Any LDAP search filter. Any string that contains an equal sign (=) is considered to be a search filter.

Click Add to find all matching entries in the LDAP database and add them to the group. If the search returns any entries you do not want added to the group, click the corresponding checkbox in the Remove From List column. (Note that you can also construct a search filter to match the entries you want removed from the group, and then click Remove. For more information, see Removing Entries from the Group Members List.)

When the list of group members is complete, click Save Changes. The entries are added to the group member list.

Adding Groups to the Group Members List

For LDAP services, you can add groups instead of individual members to the group’s members list. Doing so causes any users belonging to the included group to become a member of the receiving group. For example, if Neil Armstrong is a member of the Engineering Managers group, and you make the Engineering Managers group a member of the Engineering Personnel group, then Neil Armstrong is also a member of the Engineering Personnel group.

To add a group to the members list of another group, add the group as if it were a user entry. For more information, see Adding Group Members.

Removing Entries from the Group Members List

This procedure applies to LDAP services only.

To remove entries from the group members list

Access the Administration Server and click the Users and Groups tab.

Click the Manage Groups link.

Locate the group you want to manage as described in Finding Group Entries, and click the Edit button next to Group Members.

For each member that you want to remove from the list, click the corresponding checkbox in the Remove From List column. You can also construct a search filter to match the entries you want removed from the group, and then click Remove. For more information about creating a search filter, see Adding Group Members.

Click Save Changes. The entries are deleted from the group members list.

Managing Owners

For LDAP services, a group owners list is managed in the same way as a group members list.

The following table lists the topics in this guide that provide more information.

Table 4-6  Managing Owners

To

See

Add owners to the group

Adding Group Members

Add groups to the owners list

Adding Groups to the Group Members List

Remove entries from the owners list

Removing Entries from the Group Members List

Managing See Alsos

See Alsos are references to other directory entries that may be relevant to the current group. They enable users to easily find entries for people and other groups that are related to the current group. You manage See Alsos the same way you manage the group members list.

The following table lists the topics in this guide that provide more information.

Table 4-7  Managing See Alsos

To

See

Add users to See Alsos

Adding Group Members

Add groups to See Alsos

Adding Groups to the Group Members List

Remove entries from See Alsos

Removing Entries from the Group Members List

Renaming Groups

This procedure applies to LDAP services only. When you rename a group entry, only the group’s name is changed. You cannot use the Rename Group feature to move the entry from one organizational unit to another. For example, a business might have the following organizations:

Organizational units for Marketing and Product Management

A group named Online Sales under the Marketing organizational unit

In this example, you can rename the group from Online Sales to Internet Investments, but you cannot rename the entry such that Online Sales under the Marketing organizational unit becomes Online Sales under the Product Management organizational unit.

To rename groups

Access the Administration Server and click the Users and Groups tab.

Click the Manage Groups link and locate the group you want to manage as described in Finding Group Entries.

Click the Rename Group button, specify a new group name on the page that displays, and click Save Changes.

Removing Groups

This procedure applies to LDAP services only.

To remove groups

Access the Administration Server and click the Users and Groups tab.

Click the Manage Groups link.

Locate the group you want to manage as described in Finding Group Entries and click Delete Group.

Note

Individual members of the group are not removed. Only the group entry is removed.

Creating Organizational Units

For LDAP services, an organizational unit can include a number of groups and usually represents a division, department, or other discrete entity. A DN can exist in more than one organizational unit.

To create organizational units

Access the Administration Server and click the Users and Groups tab.

Click the Create Organizational Unit link.

Enter the information and click Create. For more information about specific fields, see the online Help.

Notes about organizational units:

New organizational units are created using the organizationalUnit object class.

The distinguished name for new organizational units is of the form:

ou=new organization,ou=parent organization,...,o=base organization,c=country

For example, if you create a new organization called Accounting within the organizational unit West Coast, and your base DN is o=Ace Industry,c=US, then the new organization unit’s DN is:

ou=Accounting,ou=West Coast,o=Ace Industry,c=US

Managing Organizational Units

For LDAP services, organizational units are edited and managed from the Manage Organizational Units page on the Administration Server Users and Groups tab.

This section contains the following topics:

Finding Organizational Units

Editing Organizational Unit Attributes

Renaming Organizational Units

Removing Organizational Units

Finding Organizational Units

This procedure applies to LDAP services only.

To find organizational units

Access the Administration Server and click the Users and Groups tab.

Click the Manage Organizational Units link.

Enter the name of the unit you want to find in the Find Organizational Unit field. You can enter any of the following:

A name. Enter a full or partial name. All entries that equally match the search string are returned. If no such entries are found, all entries that contain the search string are found. If no such entries are found, any entries that sound like the search string are found.

An asterisk (*) to see all groups currently residing in your directory. You can achieve the same result by leaving the field blank.

Any LDAP search filter. Any string that contains an equal sign (=) is considered to be a search filter.

As an alternative, use the drop-down menus in the Find All Units Whose section to narrow the results of your search. For more information, see The Find All Units Whose Section.

In the Look Within field, select the organizational unit under which you want to search for entries. The default is the root point of the directory (topmost entry).

In the Format field, specify whether the output should be formatted for display on screen or for printing to a printer.

At any stage in this process, click the Find button. All organizational units matching your search criteria will be displayed.

Click the link for the entry you want to display.

The Find All Units Whose Section

For LDAP services, the Find All Units Whose section enables you to build a custom search filter. Use the fields in this section to narrow the search results that are otherwise returned by Find Organizational Unit.

The left drop-down list specifies the attribute on which the search is based. The following options are available:

Unit name. Searches each entry’s full name for a match.

Description. Searches each organizational unit entry’s description for a match.

The center drop-down list specifies the type of search to perform. The following options are available:

Contains. Causes a sub-string search to be performed. Entries with attribute values containing the specified search string are returned. For example, if you know an organizational unit’s name probably contains the word "Administrator," use this option with the search string "Administrator" to find the organizational unit entry.

Is. Causes an exact match to be found. Use this option when you know the exact value of an organizational unit’s attribute. For example, you know the exact spelling of the organizational unit’s name.

Isn’t. Returns all entries whose attribute value does not exactly match the search string. That is, use this option if you want to find all organizational units in the directory whose name does not contain "administrator." Be aware, however, that use of this option can cause an extremely large number of entries to be returned.

Sounds like. Causes an approximate, or phonetic, search to be performed. Use this option if you know an attribute’s value, but are unsure of the spelling. For example, you do not know if an organizational unit’s name is spelled "Sarret’s list," "Sarette’s list," or "Sarett’s list."

Starts with. Causes a sub-string search to be performed. Returns all entries whose attribute value starts with the specified search string. For example, you know an organizational unit’s name starts with "Product," but do not know the rest of the name.

Ends with. Causes a sub-string search to be performed. Returns all entries whose attribute value ends with the specified search string. For example, you know an organizational unit’s name ends with "development," but do not know the rest of the name.

In the right text field, enter a search string. To display all organizational unit entries contained in the Look Within directory, enter an asterisk (*) or leave this field blank.

Editing Organizational Unit Attributes

This procedure applies to LDAP services only.

To edit organizational unit entries

Access the Administration Server and click the Users and Groups tab.

Click the Manage Organizational Units link.

Locate the organizational unit you want to edit as described in Finding Organizational Units.

Make the desired changes. For more information about specific fields, see the online Help.

Note

You may want to change an attribute value that is not displayed by the organizational unit edit page. In this situation, use the directory server ldapmodify command line utility, if available.

Renaming Organizational Units

This procedure applies to LDAP services only. When you rename an organizational unit entry, only the organizational unit’s name is changed. You cannot use the rename feature to move the entry from one organizational unit to another.

To rename organizational unit entries

Access the Administration Server and click the Users and Groups tab.

Click the Manage Organizational Units link.

Locate the organizational unit you want to edit as described in Finding Organizational Units.

Click the Rename button, enter the new organizational unit name on the page that displays, and click Save Changes.

Removing Organizational Units

This procedure applies to LDAP services only.

To delete organizational unit entries

Access the Administration Server and click the Users and Groups tab.

Click the Manage Organizational Units link.

Locate the organizational unit you want to delete as described in Finding Organizational Units.

Click the Delete button and then click OK in the resulting confirmation box.

Previous      Contents      Index      Next

Part No: 819-3650-10. Copyright 2005 Sun Microsystems, Inc. All rights reserved.


Note	To configure distributed administration, the default directory service must be an LDAP-based directory service.


Note	If no other directory service has been configured, the first new directory service created is set to the value default, irrespective of its type.


Note	Be sure to protect server security by ensuring that users do not have unauthorized access to resources. Proxy Server uses an ACL-based authorization and authentication model. For more information about ACL-based security, see Controlling Access to Your Server. For additional security information, also see Using Certificates and Keys.

User Field	LDAP Attribute
Given Name	givenName
Surname	sn
Full Name	cn
User ID	uid
Password	userPassword
E-mail Address	mail


Note	The same realm string must be specified when creating an ACL that uses Digest authentication using the Proxy Server ACL user interface. For more information, see Setting Access Control.

Option	Searches for a Match
Full name	Each entry’s full name
Last name	Each entry’s last name, or surname
User ID	Each entry’s user ID
Phone number	Each entry’s phone number
E-mail address	Each entry’s e-mail address

Option	Description
Contains	Causes a substring search to be performed. Entries with attribute values containing the specified search string are returned. For example, if you know a user’s name probably contains the word "Dylan," use this option with the search string "Dylan" to find the user’s entry.
Is	Causes an exact match to be found (specifies an equality search). Use this option when you know the exact value of a user’s attribute. For example, you know the exact spelling of the user’s name.
Isn’t	Returns all entries whose attribute value does not exactly match the search string. Use this option to find all users in the directory whose name is not "John Smith." Note that use of this option can cause an extremely large number of entries to be returned.
Sounds like	Causes an approximate, or phonetic, search to be performed. Use this option if you know an attribute’s value but do not know the spelling. For example, you do not know if a user’s name is spelled "Sarret," "Sarette," or "Sarett."
Starts with	Causes a substring search to be performed. Returns all entries whose attribute value starts with the specified search string. For example, you know a user’s name starts with "Miles," but do not know the rest of the name.
Ends with	Causes a substring search to be performed. Returns all entries whose attribute value ends with the specified search string. For example, you know a user’s name ends with "Dimaggio," but do not know the rest of the name.


Note	You may want to change an attribute value that is not displayed by the edit user page. In this situation, use the directory server ldapmodify command line utility, if available.


Note	You can specify that the Administration Server no longer retains the old values when an entry is renamed by setting the keepOldValueWhenRenaming parameter to false (the default). This parameter is found in the following file: server_root/proxy-admserv/config/dsgw-orgperson.conf


Note	Proxy Server uses the cn attribute as the group name for ACLs.


Note	Groups can be both static and dynamic. A group object can have both objectclass=groupOfUniqueMembers and objectclass=groupOfURLs. Therefore, both uniqueMember and memberURL attributes are valid. The group's membership is the union of its static and dynamic members.

Parameter Name	Description
base_dn	The DN of the search base, or point from which all searches are performed in the LDAP directory. This parameter is often set to the suffix or root of the directory, such as o=mcom.com.
attributes	A list of attributes to be returned by the search. To specify more than one, use commas to delimit the attributes (for example, cn,mail,telephoneNumber). If no attributes are specified, all attributes are returned. This parameter is ignored for dynamic group membership checks.
scope	This parameter is required. The scope of the search, which can be one of these values: base retrieves information only about the distinguished name (base_dn) specified in the URL. one retrieves information about entries one level below the distinguished name (base_dn) specified in the URL. The base entry is not included in this scope. sub retrieves information about entries at all levels below the distinguished name (base_dn) specified in the URL. The base entry is included in this scope.
(filter)	This parameter is required. Search filter to apply to entries within the specified scope of the search. If you are using the Administration Server interface, you must specify this attribute. The parentheses are required.

To	See
Add owners to the group	Adding Group Members
Add groups to the owners list	Adding Groups to the Group Members List
Remove entries from the owners list	Removing Entries from the Group Members List

To	See
Add users to See Alsos	Adding Group Members
Add groups to See Alsos	Adding Groups to the Group Members List
Remove entries from See Alsos	Removing Entries from the Group Members List


Note	Individual members of the group are not removed. Only the group entry is removed.