iPlanet Messaging Server 5.0 Provisioning Guide



Chapter 3   Provisioning Family Accounts


A family account is a group of email users in the same domain. The family account is under the administrative control of a family group administrator, and has one user designated as the billable user, who is responsible for paying the email account bills for this group of users. The family group administrator is a user responsible for creating and removing users from the group as well as elevating another user to be this family's administrator. Members are users who are under the administrative control of the family group administrator and whose email accounts are paid for by the billable user. Family accounts are typically families, but can also be organizational departments where local administrative and billing responsibilities are desired. This chapter contains the following sections:

  • Creating a Family Account

  • Creating a Family Group Administrator



Creating a Family Account

Family accounts can be created and managed with the imadmin command-line interface (see the iPlanet Messaging Server Reference Manual), with the iPlanet Delegated Administrator for Messaging, or with LDAP. This section describes how to provision with LDAP.

Two steps are required for provisioning users in family accounts using LDAP:

  1. Create a family account entry (Code Example 3-1).

  2. Add the attribute line "memberOfManagedGroup: <FamilyGroupDN>" to each user entry in the family account (Code Example 3-2).

Code Example 3-1 shows an example of a family account entry.

Code Example 3-1    Family Account Entry

dn: cn=gsWarriors, ou=groups,o=sesta.com,o=ISP
objectclass: inetManagedGroup
objectclass: nsManagedDept
mnggrpbillableuser: uid=attles,ou=People,o=sesta.com,o=ISP
mnggrpmailquota: 1024000
mnggrpcurrentusers: 0
mnggrpdeletionpolicy: delete
cn: gsWarriors
mnggrpstatus: active
mnggrpmaxusers: 1000
nsdamodifiableby: cn=Family Group Administrators,cn=gsWarriors,ou=groups,o=sesta.com,o=ISP

  • dn: cn=gsWarriors, ou=groups,o=sesta.com,o=ISP

    The distinguished name of the family account.

  • objectclass: inetManagedGroup
    objectclass: nsManagedDept

    inetManagedGroup represents a family account. nsManagedDept stores information used by the iPlanet Delegated Administrator for Messaging.

  • mnggrpbillableuser: uid=attles,ou=People,o=sesta.com,o=ISP

    DN of the user who is responsible for paying the bills for this group of users.

  • mnggrpmailquota: 1024000

    Cumulative disk quota allowed for all users in the group.

  • mnggrpcurrentusers: 0

    Current count of users in the group.

  • cn: gsWarriors

    Common name of the family account.

  • mnggrpstatus: active

    Current status of the group—active, inactive or deleted. inactive temporarily suspends operation. deleted marks the entry for deletion, but does not mark the users for deletion. Missing value implies status is active. An illegal value is treated as inactive.

  • mnggrpmaxusers: 1000

    Number of users allowed in the group.

  • nsdamodifiableby: cn=Family Group Administrators,cn=gsWarriors,ou=groups,o=sesta.com,o=ISP

    Specifies the groups whose members can administer this family group. Refer to "Creating a Family Group Administrator".

Once the family account entry is created, members are added by setting the memberOfManagedGroup attribute in the user's entry to the family account DN. An example is shown below.

Code Example 3-2    LDIF Record for a Member of a Family Group

dn: uid=Antwan,ou=people,o=sesta.com,o=ISP
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: inetUser
objectClass: ipUser
objectClass: inetMailUser
objectClass: inetLocalMailRecipient
objectClass: nsManagedPerson
objectClass: userPresenceProfile
cn: Antwan
sn: James
initials: AJ
givenName: Ant
mail: aj@sesta.com
mailAlternateAddress: ant@sesta.com
mailDeliveryOption: mailbox
mailHost: manatee.siroe.com
uid: Antwan
dataSource: iMS 5.0 @(#)ims50users.sh 1.5a 02/3/00
userPassword: {SHA}aluWfd0LYY9ImsJb3h4afrI4AXk=
mailAllowedServiceAccess: +imap, imaps, pop3, smtp, http:*
inetUserStatus: active
mailUserStatus: active
mailQuota: -1
mailMsgQuota: 100
memberOfManagedGroup: cn=gsWarriors, ou=groups,o=sesta.com,o=ISP



Creating a Family Group Administrator



Delegated Admin Task Utility: imadmin family-admin add
Task Privilege: Top-level Administrator, Domain Administrator, or Family Group Administrator

The Family Group Administrator is a user responsible for creating and removing users from the family group. When a family group is created with the Delegated Administrator, another group called Family Group Administrators is also created below the DN of the family group entry. For example, if the family group is

cn=gsWarriors,ou=groups,o=sesta.com,o=isp

then a Family Group Administrators group is also created. Its DN is:

cn=Family Group Administrators,cn=gsWarriors,ou=groups,o=sesta.com,o=isp

Members of this group have administrative privileges for the family group. The example below demonstrates how to provision a Family Group Administrator.

  1. Make sure a group called Family Group Administrators exists below the DN of the family group entry, and add the DN of the new Family Group Administrator to it as a uniqueMember value. This group is created automatically when a family group is created with the Delegated Administrator.

    Code Example 3-3    Family Administrator Group Entry

    dn: cn=Family Group Administrators,cn=gsWarriors,ou=groups,o=sesta.com,o=isp
    objectclass: groupOfUniqueNames
    objectclass: nsManagedDept
    cn: Family Group Administrators
    nsNumUsers: 1
    nsMaxUsers: Unlimited
    uniqueMember: uid=Dave,ou=people,o=sesta.com,o=isp

  2. Add the memberOf attribute to the new Family Group Administrator's entry:

    Code Example 3-4    Entry for a Family Group Administrator

    dn: uid=Dave,ou=people,o=sesta.com,o=isp
    objectClass: person
    objectClass: organizationalPerson
    objectClass: inetOrgPerson
    objectClass: inetUser
    objectClass: ipUser
    objectClass: inetMailUser
    objectClass: inetLocalMailRecipient
    objectClass: nsManagedPerson
    objectClass: userPresenceProfile
    cn: Dave Cowins
    sn: cowins
    initials: DC
    givenName: Dave
    mail: Dave.Cowins@sesta.com
    mailAlternateAddress: dcowins@florizel.com
    mailDeliveryOption: mailbox
    mailHost: manatee.siroe.com
    uid: Dave
    dataSource: iMS 5.0 @(#)ims50users.sh 1.5a 02/3/00
    userPassword: {SHA}aluWfd0LYY9ImsJb3h4afrI4AXk=
    mailAllowedServiceAccess: +imap, imaps, pop3, http:*
    inetUserStatus: active
    mailUserStatus: active
    mailQuota: -1
    mailMsgQuota: 100
    memberOf: cn=Family Group Administrators,cn=gsWarriors,ou=groups,o=sesta.com,o=isp

  3. ACIs are set at the top level on the root suffix. See Appendix A "Root and Domain ACI Examples."
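
An audit for the two procedures in this chapter (adding members with memberOfManagedGroup and provisioning a Family Group Administrator), added here as an example and not part of the iPlanet documentation: it compares the members that reference a family group with mnggrpcurrentusers, and checks that every uniqueMember of the group named in nsdamodifiableby resolves to a user entry carrying the matching memberOf. The function names, finding labels and sample LDIF are assumptions constructed for illustration; the parser reads only plain LDIF without folded lines or base64 values.

```python
# Constructed sample (chapter's attribute names); stale counter and ou=/o= slip are deliberate.
SAMPLE_LDIF = """\
dn: cn=gsWarriors, ou=groups,o=sesta.com,o=ISP
objectclass: inetManagedGroup
mnggrpcurrentusers: 0
nsdamodifiableby: cn=Family Group Administrators,cn=gsWarriors,ou=groups,o=sesta.com,o=ISP

dn: cn=Family Group Administrators,cn=gsWarriors,ou=groups,o=sesta.com,o=isp
objectclass: groupOfUniqueNames
uniqueMember: uid=Dave,ou=people,ou=sesta.com,o=isp
uniqueMember: uid=Antwan,ou=people,o=sesta.com,o=isp

dn: uid=Antwan,ou=people,o=sesta.com,o=ISP
memberOfManagedGroup: cn=gsWarriors, ou=groups,o=sesta.com,o=ISP
"""

def norm_dn(dn):
    # Comparison key only: lowercase, strip spaces around RDNs (no escaped commas).
    return ",".join(part.strip().lower() for part in dn.split(","))

def parse_ldif(text):
    # Minimal LDIF reader: blank-line separated records -> {normalized dn: {attr: [values]}}.
    entries = {}
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            name, _, value = line.partition(":")
            attrs.setdefault(name.lower(), []).append(value.strip())
        entries[norm_dn(attrs["dn"][0])] = attrs
    return entries

def refs(entry, attr):
    return {norm_dn(v) for v in entry.get(attr, [])}

def audit(entries):
    # Returns (finding, dn) pairs for every inetManagedGroup entry in the export.
    findings = []
    for dn, grp in entries.items():
        if "inetmanagedgroup" not in {c.lower() for c in grp.get("objectclass", [])}:
            continue
        members = [u for u in entries.values() if dn in refs(u, "memberofmanagedgroup")]
        if len(members) != int(grp["mnggrpcurrentusers"][0]):
            findings.append(("count-mismatch", dn))
        for admin_dn in refs(grp, "nsdamodifiableby"):
            for m in sorted(refs(entries.get(admin_dn, {}), "uniquemember")):
                if m not in entries:
                    findings.append(("admin-dn-unresolved", m))
                elif admin_dn not in refs(entries[m], "memberof"):
                    findings.append(("admin-missing-memberof", m))
    return findings
```

Calling `audit(parse_ldif(SAMPLE_LDIF))` reports the stale member counter, the administrator DN that matches no user entry, and the administrator whose own entry lacks the memberOf back-reference.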


Copyright © 2000 Sun Microsystems, Inc. Some preexisting portions Copyright © 2000 Netscape Communications Corp. All rights reserved.

Last Updated February 22, 2001