Chapter 3 Managing Users and Groups

This chapter describes how to add, delete, and edit the users and groups who can access your Sun Java System Web Server.

This chapter includes the following sections:

• Accessing Information About Users and Groups

• About Directory Services

• Configuring a Directory Service

• Creating Users

• Managing Users

• Creating Groups

• Managing Groups

• Creating Organizational Units

• Managing Organizational Units

Accessing Information About Users and Groups

The Administration Server provides access to your application data about user accounts, group lists, access privileges, organization units, and other user- and group-specific information.

User and group information is stored either in flat files in a text format or in a directory server such as Sun Java System Directory Server, which supports Lightweight Directory Access Protocol (LDAP). LDAP is an open directory access protocol that runs over TCP/IP and is scalable to a global size and millions of entries.

About Directory Services

A directory server such as Sun Java System Directory Server allows you to manage all your user information from a single source. You can also configure the directory server to allow your users to retrieve directory information from multiple, easily accessible network locations.

In Sun Java System Web Server 6.1, you can configure three different types of directory services to authenticate and authorize users and groups. If no other directory service is configured, the new directory service created will be set to the value default, irrespective of its type.

When you create an a directory service, the server-root/userdb/dbswitch.conf file is updated with the directory service details.

Types of Directory Services

The different types of directory services supported by Sun Java System Web Server 6.1 are:

• LDAP: Stores user and group information in an LDAP-based directory server.

  If the LDAP service is the default service, the dbswitch.conf file is updated as shown in the example below:

  directory default ldap://test22.india.sun.com:589/dc%3Dindia%2Cdc%3Dsun%2Cdc%3Dcom
  default:binddn cn=Directory Manager
  default:encoded bindpw YWRtaW5hZG1pbg==

  If the LDAP service is a non-default service, the dbswitch.conf file is updated as shown in the example below:

  directory ldap ldap://test22.india.sun.com:589/dc%3Dindia%2Cdc%3Dsun%2Cdc%3Dcom
  ldap:binddn cn=Directory Manager
  ldap:encoded bindpw YWRtaW5hZG1pbg==

• Key File: A key file is a text file that contains the user’s password in a hashed format, and the list of groups to which the user belongs. The users and groups stored in a key file are used for authorization and authentication by the file realm alone; these bear no relationship to system users and groups. For more information about the file realm, see File realm.

  The key file format can only be used when the intent is to use HTTP Basic authentication. For more information about this authentication method, see Specifying Users and Groups.

  When you create a key file-based database, the dbswitch.conf file is updated as shown in the example below:

  directory keyfile file
  keyfile:syntax keyfile
  keyfile:keyfile D:\test22\keyfile\keyfiledb

• Digest File: Stores user and group information based on encrypted username and password.

  The digest file format is meant to support using HTTP Digest authentication. It does, however, also support Basic authentication, so it can be used for both authentication methods. For more information about these methods, see Specifying Users and Groups.

  When you create a digest-based database, the dbswitch.conf file is updated as shown in the example below:

  directory digest file
  digest:syntax digest
  digest:digestfile D:\test22\digest\digestdb

---

Note –

If you want to set up distributed administration, the default directory service must be an LDAP-based directory service.

---

Configuring a Directory Service

To configure the directory services preferences

1. Access the Administration Server and choose the Global Settings tab.

2. Click Configure Directory Service.

3. From the Create New Service of Type drop-down list, choose the type of directory service you want to create.

4. Click New.

   You can now configure the directory service information in the page corresponding to the type of directory service you have selected.

   ---

   Note –

   If no other directory service is configured, the new directory service created will be set to the value default, irrespective of its type.

   ---

5. Click Save Changes to save your changes.

   Once you create and configure directory services, you can assign directory services per virtual server. The rights and permissions associated with the directory service is later used by the server to evaluate and enforce access control rules. For more information, see Choosing a Directory Service for a Virtual Server.

Understanding Distinguished Names (DNs)

Use the Users and Groups tab of the Administration Server to create or modify users, groups, and organizational units. A user is an individual in your LDAP database, such as an employee of your company. A group is two or more users who share a common attribute. An organizational unit is a subdivision within your company that uses the organizationalUnit object class. Users, groups, and organizational units are described further later in this chapter.

Each user and group in your enterprise is represented by a Distinguished Name (DN) attribute. A DN attribute is a text string that contains identifying information for an associated user, group, or object. You use DNs whenever you make changes to a user or group directory entry. For example, you need to specify DN information each time you create or modify directory entries, set up access controls, and set up user accounts for applications such as mail or publishing. The users and groups interface of the Sun Java System Web Server Administration Console helps you create or modify DNs.

The following example represents a typical DN for an employee of Sun Microsystems:

uid=doe,e=doe@sun.com,cn=John Doe,o=Sun Microsystems Inc.,c=US

The abbreviations before each equal sign in this example have the following meanings:

• uid: user ID

• e: email address

• cn: the user’s common name

• o: organization

• c: country

DNs may include a variety of name-value pairs. They are used to identify both certificate subjects and entries in directories that support LDAP.

Using LDIF

Use the Directory Server's Administration Server LDIF import function to create a directory, or if you want add a new subtree to an existing directory. This function accepts a file containing LDIF and attempts to build a directory or a new subtree from the LDIF entries. You can also export your current directory to LDIF using the Directory Server’s LDIF export function. This function creates an LDIF-formatted file that represents your directory. Add or edit entries using the ldapmodify command along with the appropriate LDIF update statements.

To add entries to the database using LDIF, first define the entries in an LDIF file, then import the LDIF file from Directory Server.

Creating Users

The Users and Groups tab of the Administration Server allows you to create or modify user entries. A user entry contains information about an individual person or object in the database.

When you create a user, you must protect server security by ensuring that the user does not have unauthorized access to resources. Sun Java System Web server 6.1 provides you with a range of choices to enhance security:

• For information on how to use J2SE/Servlet-based realm authentication to authenticate and authorize users, see Realm-based Security.

• For information on how to use Access Control List (ACL)-based authorization and authentication techniques, see How Access Control Works.

• For information on using the Native Realm functionality that bridges the Java-based security model and the ACL-based security model, see Configuring the Native Realm.

This section includes the following topics:

• Creating a New User in an LDAP-based Authentication Database

• Creating a New User in a Key File Authentication Database

• Creating a New User in a Digest File Authentication Database

Creating a New User in an LDAP-based Authentication Database

When you add user entries to an LDAP-based directory service, the services of an underlying LDAP-based directory server are used to authenticate and authorize users. This section provides certain guidelines you need to consider while using an LDAP-based authentication database and describes how you can add users through the Administration Server.

• Guidelines for Creating LDAP-based User Entries

• How to Create a New User Entry

• Directory Server User Entries

Guidelines for Creating LDAP-based User Entries

Consider the following guidelines when using the administrator forms to create new user entries in an LDAP-based directory service:

• If you enter a given name (or first name) and a surname, then the form automatically populates the user’s full name and user ID for you. The user ID is generated as the first initial of the user’s first name followed by the user’s last name. For example, if the user’s name is Billie Holiday, then the user ID is automatically set to bholiday. You can replace this user ID with an ID of your own choice.

• The user ID must be unique. The Administration Server ensures that the user ID is unique by searching the entire directory from the search base (base DN) down to see if the user ID is in use. Be aware, however, that if you use the Directory Server ldapmodify command line utility (if available) to create a user, that it does not ensure unique user IDs. If duplicate user IDs exist in your directory, the affected users will not be able to authenticate to the directory.

• Note that the base DN specifies the distinguished name where directory lookups will occur by default, and where all Sun Java System Web Administration Server’s entries are placed in your directory tree. A “DN” is the string representation for the name of an entry in a directory server.

• Note that at a minimum, you must specify the following user information when creating a new user entry:

  • surname or last name

  • full name

  • user ID

  If any organizational units have been defined for your directory, you can specify where you want the new user to be placed by using the Add New User To list. The default location is your directory’s base DN (or root point).

---

Note –

The user edit text fields for international information differs between the Administration Server and the Sun Java System Web Server Administration Console. In the Sun Java System Web Server Administration Console, in addition to the untagged cn fields, there is a preferred language cn field which doesn’t exist in the Administration Server.

---

How to Create a New User Entry

To create a user entry, read the guidelines outlined in Guidelines for Creating LDAP-based User Entries, then perform the following steps:

To create a user entry

1. Access the Administration Server and choose the Users and Groups tab.

2. Click New User.

3. Select the LDAP directory service from the Select Directory Service drop-down list, and click Select.

4. Add the required information to the page that displays.

   For more information see Directory Server User Entries.

5. Click Create User or Create and Edit User.

   For more information, see the New User page in the online help.

Directory Server User Entries

The following user entry notes may be of interest to the directory administrator:

• User entries use the inetOrgPerson, organizationalPerson, and person object classes.

• By default, the distinguished name for users is of the form:

  cn=full name, ou=organization, ...,o=base organization, c=country

  For example, if a user entry for Billie Holiday is created within the organizational unit Marketing, and the directory’s base DN is o=Ace Industry, c=US, then the person’s DN is:

  cn=Billie Holiday, ou=Marketing, o=Ace Industry, c=US

  However, note that you can change this format to a uid-based distinguished name.

• The values on the user form fields are stored as the following LDAP attributes (note that any stored information other than 'user’ and 'group’ requires a full Directory Server license):

Table 3–1 LDAP Attributes

User Field	Corresponding LDAP Attribute
Given Name	givenName
Surname	sn
Full Name	cn
User ID	uid
Password	userPassword
Email Address	mail

The following fields are also available when editing the user entry:

Table 3–2 User Entry LDAP Attributes

User Field	Corresponding LDAP Attribute
Title	title
Telephone	telephoneNumber

• Sometimes a user’s name can be more accurately represented in characters of a language other than the default language. You can select your preferred language so that their names will be displayed in the characters of selected language, even if the default language is English. For more information regarding setting a user’s preferred language, see the Manage Users page in the online help.

Creating a New User in a Key File Authentication Database

To create a user entry in a key file authentication database

1. Access the Administration Server and choose the Users and Groups tab.

2. Click the New User link.

3. Select the file-based directory service ID from the Select Directory Service drop-down list and click Select.

4. Enter the following information:

   • User ID (Required): Specifies a unique user name for the user.

     • Password: Specifies the password for the user.

     • Password (Again): Confirms the password entered in the Password field.

     • Groups: Specifies a comma-separated list of groups of which the user is a member.

5. Click Create User.

Creating a New User in a Digest File Authentication Database

To create a user entry in a digest file authentication database, which stores user and group information in an encrypted form, perform the following steps:

To create a user entry in a digest file authentication database

1. Access the Administration Server and choose the Users and Groups tab.

2. Click the New User link.

3. Select the digest-based directory service ID from the Select Directory Service drop-down list and click Select.

4. Enter the following information:

   • User ID (Required) : Specifies a unique user name for the user.

     • Realm. Specifies the realm that will authenticate this user.

     • Password :. Specifies the password for the user.

     • Password (Again) : Confirms the password entered in the Password field.

     • Groups: Specifies a comma-separated list of groups of which the user is a member.

5. Click Create User.

   ---

   Note –

   The same realm string must be specified when creating an ACL that uses digest authentication using the Sun Java System Web Server ACL user interface. For more information, see Setting Access Control.

   ---

Managing Users

Use the Administration Server Manage User form to edit user attributes such as find, change, rename, and delete user entries.

Some, but not all, Sun Java System servers add additional forms to this area that allow you to manage product-specific information. For example, if a messaging server is installed under your Administration Server, then an additional form is added that allows you to edit messaging server-specific information. See the server documentation for details on these additional management capabilities.

This section includes the following topics:

• Finding User Information

• Editing User Information

• Managing a User’s Password

• Renaming Users

• Removing Users

Finding User Information

Before you can edit a user entry, you must display the associated information. To find the specific user information, perform the following steps:

To find the specific user information

1. Access the Administration Server and choose the Users and Groups tab.

2. Click Manage Users.

3. Select a directory service from the Select Directory Service drop-down list and click Select.

   For directory services of type Key File or Digest File, a list of users is displayed. For directory services of type LDAP Server, search fields are displayed.

4. Find user information.

   For Key File and Digest File, click the link for the user to display the edit form and make changes. For detailed information about the edit form, see the online help.

   For LDAP Server, do the following:

   1. In the Find user field, enter some descriptive value for the entry that you want to edit. You can enter any of the following in the search field:

      • A name: Enter a full name or a partial name. All entries that equally match the search string will be returned. If no such entries are found, all entries that contain the search string will be found. If no such entries are found, any entries that sounds like the search string are found.

        • A user ID:

          • A telephone number: If you enter only a partial number, any entries that have telephone numbers ending in the search number will be returned.

          • An email address: Any search string containing an at (@) symbol is assumed to be an email address. If an exact match cannot be found, then a search is performed to find all email addresses that begin with the search string.

          • An asterisk (*) to see all of the entries currently in your directory. You can achieve the same effect by simply leaving the field blank.

          • Any LDAP search filter: Any string that contains an equal sign (=) is considered a search filter.

            As an alternative, use the drop-down menus in the “Find all users whose” field to narrow the results of your search.

   2. In the Look within field, select the organizational unit under which you want to search for entries.

      The default is the directory’s root point (or top most entry).

   3. In the Format field, choose either On-Screen or Printer.

   4. Click Find.

      All users in the selected organizational unit are displayed.

   5. In the resulting table, click the entry you want to edit.

      The user edit form is displayed. Edit the information as described in the online help.

   6. Click Save Changes.

      The changes are made immediately.

Building Custom Search Queries

For LDAP services, the “Find all users whose” field allows you to build a custom search filter. Use this field to narrow down the search results returned by a “Find user” search.

The “Find all users whose” field provides the following search criteria:

• The left-most drop-down list allows you to specify the attribute on which the search will be based.

The available search attribute options are described in the following table:

Table 3–3 Search Attribute Options

Option Name	Description
full name	Search each entry’s full name for a match.
last name	Search each entry’s last name, or surname for a match.
user id	Search each entry’s user id for a match.
phone number	Search each entry’s phone number for a match.
email address	Search each entry’s email address for a match.
unit name	Search each entry’s unit name for a match.
description	Search each organizational unit entry’s description for a match.

• In the center drop-down list, select the type of search you want to perform.

The available search type options are described in the following table:

Table 3–4 Search Type Options

Option Name	Description
contains	Causes a substring search to be performed. Entries with attribute values containing the specified search string are returned. For example, if you know an user’s name probably contains the word “Dylan,” use this option with the search string “Dylan” to find the user’s entry.
is	Causes an exact match to be found. That is, this option specifies an equality search. Use this option when you know the exact value of an user’s attribute. For example, if you know the exact spelling of the user’s name, use this option.
isn’t	Returns all the entries whose attribute value does not exactly match the search string. That is, if you want to find all the users in the directory whose name is not “John Smith,” use this option. Be aware, however, that use of this option can cause an extremely large number of entries to be returned to you.
sounds like	Causes an approximate, or phonetic, search to be performed. Use this option if you know an attribute’s value, but you are unsure of the spelling. For example, if you are not sure if a user’s name is spelled “Sarret,” “Sarette,” or “Sarett,” use this option.
starts with	Causes a substring search to be performed. Returns all the entries whose attribute value starts with the specified search string. For example, if you know a user’s name starts with “Miles,” but you do not know the rest of the name, use this option.
ends with	Causes a substring search to be performed. Returns all the entries whose attribute value ends with the specified search string. For example, if you know a user’s name ends with “Dimaggio,” but you do not know the rest of the name, use this option.

• In the right-most text field, enter your search string.

To display all of the users entries contained in the Look within directory, enter either an asterisk (*) or simply leave this text field blank.

Editing User Information

To change a user's entry

1. Access the Administration Server and choose the Users and Groups tab.

2. Display the user entry as described in Finding User Information.

3. Edit the field corresponding to the attribute that you wish to change.

   For more information about the specific fields, see the online help of these pages.

   ---

   Note –

   It is possible that you will want to change an attribute value that is not displayed by the edit user form. In this situation, use the Directory Server ldapmodify command line utility, if available.

   ---

   For LDAP databases, also note that you can change the user’s first, last, and full name field from the edit form, but to fully rename the entry (including the entry’s distinguished name), you need to use the Rename User form. For more information on how to rename an entry, see Renaming Users.

Managing a User’s Password

The password you set for user entries is used by the various servers for user authentication.

To change or create a user's password

1. Access the Administration Server and choose Users and Groups tab.

2. Display the user entry as described in Finding User Information.

3. Make the desired changes.

   For more information, see the Manage Users page in the online help.

   ---

   Note –

   You can change the Administration Server user from root to another user on the operating system to enable multiple users (belonging to the group) to edit/manage the configuration files. However, note that while on UNIX/Linux platforms, the installer can give “rw” permissions to a group for the configuration files, on Windows platforms, the user must belong to the “Administrators” group.

   ---

   For LDAP databases, you can also disable the user’s password by clicking the Disable Password button. Doing this prevents the user from logging into a server without deleting the user’s directory entry. You can allow access for the user again by using the Password Management Form to enter a new password.

Renaming Users

For LDAP databases, the rename feature changes only the user’s name, all other fields are left intact. In addition, the user’s old name is still preserved so searches against the old name will still find the new entry.

When you rename a user entry, you can only change the user’s name. You cannot use the rename feature to move the entry from one organizational unit to another. For example, suppose you have organizational units for Marketing and Accounting and an entry named “Billie Holiday” under the Marketing organizational unit. You can rename the entry from Billie Holiday to Doc Holiday, but you cannot rename the entry such that Billie Holiday under the Marketing organizational unit becomes Billie Holiday under the Accounting organizational unit.

To rename a user entry

1. Access the Administration Server and choose the Users and Groups tab.

2. Display the user entry as described in Finding User Information.

   If you are using common name-based DNs, specify the user’s full name. If you are using uid-based distinguished names, enter the new uid value that you want to use for the entry.

3. Click Rename User.

4. Change the Given Name, Surname, Full Name, or UID fields appropriately to match the new distinguished name for the entry.

5. You can specify that the Administration Server no longer retains the old full name or uid values when you rename the entry by setting the keepOldValueWhenRenaming parameter to false. You can find this parameter in the following file:

   server_root/admin-serv/config/dsgw-orgperson.conf

   For more information, see the Manage Users page in the online help.

Removing Users

To delete user entry

1. Access the Administration Server and choose the Users and Groups tab.

2. Display the user entry as described in Finding User Information.

3. Click Remove User (key file and digest file) or Delete User (LDAP).

   For more information, see the Manage Users page in the online help.

Creating Groups

A group is an object that describes a set of objects in an LDAP database. A Sun Java System Web Server group consists of users who share a common attribute. For instance, the set of objects might be a number of employees who work in the marketing division of your company, hence belongs to a group called Marketing.

For LDAP services, there are two ways to define membership of a group: statically and dynamically. Static groups enumerate their member objects explicitly. A static group is a CN and contains uniqueMembers and/or memberURLs and/or memberCertDescriptions. For static groups, the members do not share a common attribute except for the CN=<Groupname> attribute.

Dynamic groups allow you to use a LDAP URL to define a set of rules that match only for group members. For Dynamic Groups, the members do share a common attribute or set of attributes that are defined in the memberURL filter. For example, if you need a group that contains all employees in Sales, and they are already in the LDAP database under

“ou=Sales,o=Airius.com,” you did define a dynamic group with the following memberurl:

ldap:///ou=Sales,o=sun??sub?(uid=*)

This group would subsequently contain all objects that have an uid attribute in the tree below the “ou=Sales,o=sun” point, thus all the Sales members.

For static and dynamic groups, members can share a common attribute from a certificate if you use the memberCertDescription. Note that these will only work if the ACL uses the SSL method.

Once you create a new group, you can add users, or members, to it.

This section includes the following topics:

• Static Groups

• Dynamic Groups

Static Groups

For LDAP services, the Administration Server enables you to create a static group by specifying the same group attribute in the DNs of any number of users. A static group doesn’t change unless you add a user to it or delete a user from it.

Guidelines for Creating Static Groups

Consider the following guidelines when using the Administration Server forms to create new static groups:

• Static groups can contain other static or dynamic groups.

• You can optionally add a description for the new group.

• If any organizational units have been defined for your directory, you can specify where you want the new group to be placed using the Add New Group To list. The default location is your directory’s root point, or top-most entry.

• When you are finished entering the desired information, click Create Group to add the group and immediately return to the New Group form. Alternatively, click Create and Edit Group to add the group and then proceed to the Edit Group form for the group you have just added. For information on editing groups, see Editing Group Attributes.

Creating a Static Group Entry

To create a static group entry, perform the following steps:

To create a static group entry

1. Access the Administration Server and choose the Users and Groups tab.

2. Click New Group.

3. Enter the required information and click OK.

   For more information, see the New Group page in the online help.

Dynamic Groups

A dynamic group has an objectclass of groupOfURLs, and has zero or more memberURL attributes, each of which is a LDAP URL that describes a set of objects.

For LDAP services, Sun Java System Web Server enables you to create a dynamic group when you want to group users automatically based on any attribute, or when you want to apply ACLs to specific groups that contain matching DNs. For example, you can create a group that automatically includes any DN that contains the attribute department=marketing. If you apply a search filter for department=marketing, the search returns a group including all DNs containing the attribute department=marketing. You can then define a dynamic group from the search results based on this filter. Subsequently, you can define an ACL for the resulting dynamic group.

This section includes the following topics:

• How Sun Java System Web Server Implements Dynamic Groups

• Groups Can Be Static and Dynamic

• Dynamic Group Impact on Server Performance

• Guidelines for Creating Dynamic Groups

• Creating a Dynamic Group

How Sun Java System Web Server Implements Dynamic Groups

Sun Java System Web Server implements dynamic groups in the LDAP server schema as objectclass = groupOfURLs. A groupOfURLS class can have multiple memberURL attributes, each one consisting of an LDAP URL that enumerates a set of objects in the directory. The members of the group would be the union of these sets. For example, the following group contains just one member URL:

ldap:///o=mcom.com??sub?(department=marketing)

This example describes a set that consists of all objects below "o=mcom.com" whose department is "marketing." The LDAP URL can contain a search base DN, a scope and filter, however, not a hostname and port. This means that you can only refer to objects on the same LDAP server. All scopes are supported.

The DNs are included automatically without having to add each individual to the group. The group changes dynamically, because Sun Java System Web Server performs an LDAP server search each time a group lookup is needed for ACL verification. The user and group names used in the ACL file correspond to the cn attribute of the objects in the LDAP database.

---

Note –

Sun Java System Web Server uses the cn (commonName) attribute as group name for ACLs.

---

The mapping from an ACL to an LDAP database is defined both in the dbswitch.conf configuration file (which associates the ACL database names with actual LDAP database URLs) and the ACL file (which defines which databases are to be used for which ACL). For example, if you want base access rights on membership in a group named "staff," the ACL code looks up an object that has an object class of groupOf<anything> and a CN set to "staff." The object defines the members of the group, either by explicitly enumerating the member DNs (as is done for groupOfUniqueNames for static groups), or by specifying LDAP URLs (for example, groupOfURLs).

Groups Can Be Static and Dynamic

A group object can have both objectclass = groupOfUniqueMembers and objectclass = groupOfURLs; therefore, both "uniqueMember" and "memberURL" attributes are valid. The group’s membership is the union of its static and dynamic members.

Dynamic Group Impact on Server Performance

There is a server performance impact when using dynamic groups. If you are testing group membership, and the DN is not a member of a static group, Sun Java System Web Server checks all dynamic groups in the database’s baseDN. Sun Java System Web Server accomplishes this task by checking if each memberURL matches by checking its baseDN and scope against the DN of the user, and then performing a base search using the user DN as baseDN and the filter of the memberURL. This procedure can amount to a large number of individual searches.

Guidelines for Creating Dynamic Groups

Consider the following guidelines when using the Administration Server forms to create new dynamic groups:

• Dynamic groups cannot contain other groups.

• Enter the group’s LDAP URL using the following format (without host and port info, since these parameters are ignored):

  ldap:///<basedn>?<attributes>?<scope>?<(filter)>

  The required parameters are described in the following table:

Table 3–5 Dynamic Groups: Required Parameters

Parameter Name	Description
<base_dn>	The Distinguished Name (DN) of the search base, or point from which all searches are performed in the LDAP directory. This parameter is often set to the suffix or root of the directory, such as "o=mcom.com".
<attributes>	A list of the attributes to be returned by the search. To specify more than one, use commas to delimit the attributes (for example, "cn,mail,telephoneNumber"); if no attributes are specified, all attributes are returned. Note that this parameter is ignored for dynamic group membership checks.
<scope>	The scope of the search, which can be one of these values:  base retrieves information only about the distinguished name (<base_dn>) specified in the URL. one retrieves information about entries one level below the distinguished name (<base_dn>) specified in the URL. The base entry is not included in this scope. sub retrieves information about entries at all levels below the distinguished name (<base_dn>) specified in the URL. The base entry is included in this scope. This parameter is required.
<(filter)>	Search filter to apply to entries within the specified scope of the search. If you are using the Administration Server forms, you must specify this attribute. Note that the parentheses are required.  This parameter is required.

The <attributes>, <scope>, and <(filter)> parameters are identified by their positions in the URL. If you do not want to specify any attributes, you still need to include the question marks delimiting that field.

• You can optionally also add a description for the new group.

• If any organizational units have been defined for your directory, you can specify where you want the new group to be placed using the Add New Group To list. The default location is your directory’s root point, or top-most entry.

• When you are finish entering the desired information, click Create Group to add the group and immediately return to the New Group form. Alternatively, click Create and Edit Group to add the group and then proceed to the Edit Group form for the group you have just added. For information on editing groups, see Editing Group Attributes.

Creating a Dynamic Group

To create a dynamic group entry within the directory

1. Access the Administration Server and choose the Users and Groups tab.

2. Click New Group.

3. Select Dynamic Group from the Type of Group drop-down list.

4. Enter the required information and click OK.

   For more information, see the New Group page in the online help.

Managing Groups

For LDAP services, the Administration Server enables you to edit groups and manage group memberships from the Manage Group form. This section describes the following topics:

• Finding Group Entries

• Editing Group Attributes

• Adding Group Members

• Adding Groups to the Group Members List

• Removing Entries from the Group Members List

• Managing Owners

• Managing See Alsos

• Removing Groups

• Renaming Groups

Finding Group Entries

Before you can edit a group entry, first you must find and display the entry.

To find a group

1. Access the Administration Server and choose the Users and Groups tab.

2. Click Manage Groups.

3. Enter the name of the group that you want to find in the Find group field.

   You can enter any of the following values in the search field:

   • A name: Enter a full name or a partial name. All entries that equally match the search string are returned. If no such entries are found, all entries that contain the search string will be found. If no such entries are found, any entries that sounds like the search string are found.

     • An asterisk (*) to see all of the groups currently residing in your directory. You can achieve the same effect by simply leaving the field blank.

     • Any LDAP search filter: Any string that contains an equal sign (=) is considered to be a search filter.

       As an alternative, use the drop-down menus in “Find all groups whose” to narrow the results of your search.

4. In the Look within field, select the organizational unit in which you want to search for entries.

   The default is the directory’s root point, or top-most entry.

5. In the Format field, choose either On-Screen or Printer.

6. Click Find.

   All the groups matching your search criteria are displayed.

7. In the resulting table, click the name of the entry that you want to edit.

The “Find all groups whose” Field

For LDAP services, the “Find all groups whose” field allows you to build a custom search filter. Use this field to narrow down the search results that are otherwise returned by Find groups.

To display all of the group entries contained in the Look within directory, enter either an asterisk (*) or simply leave this text field blank.

For more information regarding how to build a custom search filter, see Building Custom Search Queries.

Editing Group Attributes

To edit a group entry (LDAP services only)

1. Access the Administration Server and choose the Users and Groups tab.

2. Click Manage Groups.

3. Locate the group you want to edit, and type the desired changes.

   For more information regarding how to find specific entries, refer to the concepts outlined in Finding Group Entries.

   ---

   Note –

   You can change the Administration Server user from root to another user on the operating system to enable multiple users (belonging to the group) to edit/manage the configuration files. However,while on UNIX/Linux platforms, the installer can give “rw” permissions to a group for the configuration files, but on Windows platforms, the user must belong to the “Administrators” group.

   ---

   For more information about editing group attributes, see the Manage Groups page in the online help.

   ---

   Note –

   It is possible that you will want to change an attribute value that is not displayed by the group edit form. In this situation, use the Directory Server ldapmodify command line utility, if available.

   ---

Adding Group Members

To add members to a group (LDAP services only)

1. Access the Administration Server and choose the Users and Groups tab.

2. Click Manage Groups.

3. Locate the group you want to manage as described in Finding Group Entries, and click Edit under Group Members.

   Sun Java System Web Server displays a new form that enables you to search for entries. If you want to add user entries to the list, make sure Users are shown in the Find drop-down list. If you want to add group entries to the group, make sure Group is shown.

4. In the right-most text field, enter a search string. Enter any of the following options:

   • A name: Enter a full name or a partial name. All entries whose name matches the search string is returned. If no such entries are found, all entries that contain the search string are found. If no such entries are found, any entries that sounds like the search string are found.

   • A user ID: if you are searching for user entries.

   • A telephone number. If you enter only a partial number, any entries that have telephone numbers ending in the search number are returned.

   • An email address: Any search string containing an at (@) symbol is assumed to be an email address. If an exact match cannot be found, then a search is performed to find all email addresses that begin with the search string.

   • Enter either an asterisk (*) or simply leave this text field blank to see all of the entries or groups currently residing in your directory.

   • Any LDAP search filter: Any string that contains an equal sign (=) is considered to be a search filter.

5. Click Find and Add to find all the matching entries and add them to the group.

   If the search returns any entries that you do not want add to the group, click the box in the Remove from list? column. You can also construct a search filter to match the entries you want remove and then click Find and Remove.

6. When the list of group members is complete, click Save Changes.

   The currently displayed entries are now members of the group.

   For more information about adding groups members, see the Edit Members page in the online help.

Adding Groups to the Group Members List

For LDAP services, you can add groups (instead of individual members) to the group’s members list. Doing so causes any users belonging to the included group to become a member of the receiving group. For example, if Neil Armstrong is a member of the Engineering Managers group, and you make the Engineering Managers group a member of the Engineering Personnel group, then Neil Armstrong is also a member of the Engineering Personnel group.

To add a group to the members list of another group, add the group as if it were a user entry. For more information, see Adding Group Members.

Removing Entries from the Group Members List

To delete an entry from the group members list (LDAP services only)

1. Access the Administration Server and choose the Users and Groups tab.

2. Click Manage Groups locate the group you want to manage as described in Finding Group Entries, and click Edit under Group Members.

3. For each member that you want to remove from the list, click the corresponding box under the Remove from list? column.

   Alternatively, you can construct a filter to find the entries you want to remove and click the Find and Remove button. For more information on creating a search filter, see Adding Group Members.

4. Click Save Changes. The entry(s) are deleted from the group members list.

Managing Owners

For LDAP services, you manage a group’s owners list the same way as you manage the group members list. The following table identifies which section to read for more information:

Table 3–6 Additional Information

Task You Want to Complete	Read Section
Add owners to the group	Adding Group Members..
Add groups to the owners list	Adding Groups to the Group Members List..
Remove entries from the owners list	Removing Entries from the Group Members List..

Managing See Alsos

“See alsos” are references to other directory entries that may be relevant to the current group. They allow users to easily find entries for people and other groups that are related to the current group.

You manage see alsos the same way as you manage the group members list. The following table shows you which section to read for more information:

Table 3–7 Additional Information

Task You Want to Complete	Read Section
Add users to see alsos	Adding Group Members..
Add groups to see alsos	Adding Groups to the Group Members List..
Remove entries from see alsos	Removing Entries from the Group Members List..

Removing Groups

To delete a group (LDAP services only)

1. Access the Administration Server and choose the Users and Groups tab.

2. Click Manage Groups locate the group you want to manage as described in Finding Group Entries, and click Delete Group.

   ---

   Note –

   The Administration Server does not remove the individual members of the group(s) you remove; only the group entry is removed.

   ---

Renaming Groups

To rename a group (LDAP services only)

1. Access the Administration Server and choose the Users and Groups tab.

2. Click the Manage Groups link and locate the group you want to manage as described in Finding Group Entries.

3. Click Rename Group and type the new group name in the resulting dialog box.

   When you rename a group entry, you only change the group’s name. You cannot use the Rename Group feature to move the entry from one organizational unit to another. For example, a business might have the following organizations:

   • organizational units for Marketing and Product Management

   • a group named Online Sales under the Marketing organizational unit

   In this example, you can rename the group from Online Sales to Internet Investments, but you cannot rename the entry such that Online Sales under the Marketing organizational unit becomes Online Sales under the Product Management organizational unit.

Creating Organizational Units

For LDAP services, an organizational unit can include a number of groups, and it usually represents a division, department, or other discrete business group. A DN can exist in more than one organizational unit.

To create an organizational unit

1. Access the Administration Server and choose the Users and Groups tab.

2. Click the New Organizational Unit link and enter the required information.

   For more information, see the New Organizational Unit page in the online help.

   The following notes may be of interest to the directory administrator:

   • New organizational units are created using the organizationalUnit object class.

   • The distinguished name for new organizational units is of the form:

     ou=new organization, ou=parent organization, ...,o=base organization, c=country

   For example, if you create a new organization called Accounting within the organizational unit West Coast, and your Base DN is o=Ace Industry, c=US, then the new organization unit’s DN is:

   ou=Accounting, ou=West Coast, o=Ace Industry, c=US

Managing Organizational Units

For LDAP services, you edit and manage organizational units from the Organizational Unit Edit form. This section describes the following tasks:

• Finding Organizational Units

• Editing Organizational Unit Attributes

• Renaming Organizational Units

• Deleting Organizational Units

Finding Organizational Units

To find organizational units (LDAP services only)

1. Access the Administration Server and choose the Users and Groups tab.

2. Click Manage Organizational Units.

3. Type the name of the unit you want to find in the Find organizational unit field. You can enter any of the following in the search field:

   • A name. Enter a full name or a partial name. All entries that equally match the search string will be returned. If no such entries are found, all entries that contain the search string will be found. If no such entries are found, any entries that sounds like the search string are found.

     • An asterisk (*) to see all of the groups currently residing in your directory. You can achieve this same result by simply leaving the field blank.

     • Any LDAP search filter. Any string that contains an equal sign (=) is considered to be a search filter.

       As an alternative, use the drop-down menus in the Find all units whose field to narrow the results of your search.

4. In the Look within field, select the organizational unit under which you want to search for entries.

   The default is the root point of the directory.

5. In the Format field, choose either On-Screen or Printer.

6. Click Find.

   All the organizational units matching your search criteria are displayed.

7. In the resulting table, click the name of the organizational unit that you want to find.

The “Find all units whose” Field

For LDAP services, the “Find all units whose” field allows you to build a custom search filter. Use this field to narrow down the search results that are otherwise returned by Find organizational unit.

To display all of the group entries contained in the Look within directory, enter either an asterisk (*) or simply leave this text field blank.

For more information regarding how to build a custom search filter, see Building Custom Search Queries.

Editing Organizational Unit Attributes

To change a organizational unit entry (LDAP services only) , access the Administration Server and perform the following

To change a organizational unit entry

1. Locate the organizational unit you want to edit as described in Finding Organizational Units.

   The organizational unit edit form is displayed.

2. Change the displayed fields as desired and click Save Changes.

   The changes are made immediately.

   ---

   Note –

   It is possible that you will want to change an attribute value that is not displayed by the organizational unit edit form. In this situation, use the Directory Server ldapmodify command line utility, if available.

   ---

Renaming Organizational Units

To rename an organizational unit entry (LDAP services only), access the Administration Server and perform the following

To rename an organizational unit entry

1. Make sure no other entries exist in the directory under the organizational unit that you want to rename.

2. Locate the organizational unit you want to edit as described in Finding Organizational Units.

3. Click Rename.

4. Enter the new organizational unit name in the resulting dialog box.

   ---

   Note –

   When you rename an organizational unit entry, you can only change the organizational unit’s name. You cannot use the rename feature to move the entry from one organizational unit to another. For more information, see Renaming Organizational Units..

   ---

Deleting Organizational Units

To delete an organizational unit entry (LDAP services only), access the administration Server and perform the following

To delete an organizational unit entry

1. Make sure no other entries exist in the directory under the organizational unit that you want to rename.

2. Locate the organizational unit you want to delete as described in Finding Organizational Units.

3. Click the Delete button.

4. Click OK in the resulting confirmation box.

   The organizational unit is immediately deleted.