Sun Java System Web Server 6.1 SP12 Administrator's Guide

Creating Users

The Users and Groups tab of the Administration Server allows you to create or modify user entries. A user entry contains information about an individual person or object in the database.

When you create a user, you must protect server security by ensuring that the user does not have unauthorized access to resources. Sun Java System Web server 6.1 provides you with a range of choices to enhance security:

For information on how to use J2SE/Servlet-based realm authentication to authenticate and authorize users, see Realm-based Security.
For information on how to use Access Control List (ACL)-based authorization and authentication techniques, see How Access Control Works.
For information on using the Native Realm functionality that bridges the Java-based security model and the ACL-based security model, see Configuring the Native Realm.

This section includes the following topics:

Creating a New User in an LDAP-based Authentication Database

When you add user entries to an LDAP-based directory service, the services of an underlying LDAP-based directory server are used to authenticate and authorize users. This section provides certain guidelines you need to consider while using an LDAP-based authentication database and describes how you can add users through the Administration Server.

Guidelines for Creating LDAP-based User Entries

Consider the following guidelines when using the administrator forms to create new user entries in an LDAP-based directory service:

If you enter a given name (or first name) and a surname, then the form automatically populates the user’s full name and user ID for you. The user ID is generated as the first initial of the user’s first name followed by the user’s last name. For example, if the user’s name is Billie Holiday, then the user ID is automatically set to bholiday. You can replace this user ID with an ID of your own choice.
The user ID must be unique. The Administration Server ensures that the user ID is unique by searching the entire directory from the search base (base DN) down to see if the user ID is in use. Be aware, however, that if you use the Directory Server ldapmodify command line utility (if available) to create a user, that it does not ensure unique user IDs. If duplicate user IDs exist in your directory, the affected users will not be able to authenticate to the directory.
Note that the base DN specifies the distinguished name where directory lookups will occur by default, and where all Sun Java System Web Administration Server’s entries are placed in your directory tree. A “DN” is the string representation for the name of an entry in a directory server.
Note that at a minimum, you must specify the following user information when creating a new user entry:
- surname or last name
- full name
- user ID
If any organizational units have been defined for your directory, you can specify where you want the new user to be placed by using the Add New User To list. The default location is your directory’s base DN (or root point).

Note –

The user edit text fields for international information differs between the Administration Server and the Sun Java System Web Server Administration Console. In the Sun Java System Web Server Administration Console, in addition to the untagged cn fields, there is a preferred language cn field which doesn’t exist in the Administration Server.

How to Create a New User Entry

To create a user entry, read the guidelines outlined in Guidelines for Creating LDAP-based User Entries, then perform the following steps:

To create a user entry

Access the Administration Server and choose the Users and Groups tab.

Click New User.

Select the LDAP directory service from the Select Directory Service drop-down list, and click Select.

Add the required information to the page that displays.

For more information see Directory Server User Entries.

Click Create User or Create and Edit User.

For more information, see the New User page in the online help.

Directory Server User Entries

The following user entry notes may be of interest to the directory administrator:

User entries use the inetOrgPerson, organizationalPerson, and person object classes.
By default, the distinguished name for users is of the form:

cn=full name, ou=organization, ...,o=base organization, c=country

For example, if a user entry for Billie Holiday is created within the organizational unit Marketing, and the directory’s base DN is o=Ace Industry, c=US, then the person’s DN is:

cn=Billie Holiday, ou=Marketing, o=Ace Industry, c=US

However, note that you can change this format to a uid-based distinguished name.
The values on the user form fields are stored as the following LDAP attributes (note that any stored information other than 'user’ and 'group’ requires a full Directory Server license):

Table 3–1 LDAP Attributes


User Field	Corresponding LDAP Attribute
Given Name	`givenName`
Surname	`sn`
Full Name	`cn`
User ID	`uid`
Password	`userPassword`
Email Address	`mail`

The following fields are also available when editing the user entry:

Table 3–2 User Entry LDAP Attributes


User Field	Corresponding LDAP Attribute
Title	`title`
Telephone	`telephoneNumber`

Sometimes a user’s name can be more accurately represented in characters of a language other than the default language. You can select your preferred language so that their names will be displayed in the characters of selected language, even if the default language is English. For more information regarding setting a user’s preferred language, see the Manage Users page in the online help.

Creating a New User in a Key File Authentication Database

To create a user entry in a key file authentication database

Access the Administration Server and choose the Users and Groups tab.

Click the New User link.

Select the file-based directory service ID from the Select Directory Service drop-down list and click Select.

Enter the following information:
- User ID (Required): Specifies a unique user name for the user.
  - Password: Specifies the password for the user.
  - Password (Again): Confirms the password entered in the Password field.
  - Groups: Specifies a comma-separated list of groups of which the user is a member.

Click Create User.

Creating a New User in a Digest File Authentication Database

To create a user entry in a digest file authentication database, which stores user and group information in an encrypted form, perform the following steps:

To create a user entry in a digest file authentication database

Access the Administration Server and choose the Users and Groups tab.

Click the New User link.

Select the digest-based directory service ID from the Select Directory Service drop-down list and click Select.

Enter the following information:
- User ID (Required) : Specifies a unique user name for the user.
  - Realm. Specifies the realm that will authenticate this user.
  - Password :. Specifies the password for the user.
  - Password (Again) : Confirms the password entered in the Password field.
  - Groups: Specifies a comma-separated list of groups of which the user is a member.

Click Create User.

Note –
The same realm string must be specified when creating an ACL that uses digest authentication using the Sun Java System Web Server ACL user interface. For more information, see Setting Access Control.