
Version 3.0;
acl "admin-serv"


deny with file = "/usr/suitespot/adminacl/admin-denymsg.html";


deny (all)
    (user = "anyone");


deny absolute (all)
group != "admin";


allow (all)
    (group = "admin-reduced") and
    (program = "Admin Preferences")

The first line that starts with "deny" tells the server what file to return if a user isn't allowed access to the server. The second deny message denies everyone access, but because the rule isn't absolute (like the next one), the server continues down the list to see if the user is allowed in a subsequent line. The third line is an absolute statement that denies anyone who isn't in the "admin" group in the LDAP directory. In this case, the "admin" group is the group specified for distributed administration.

The last rule explicitly allows access to the forms in the Admin Preferences section of the administration server to anyone in the "admin-reduced" group.

Restricting access

This section takes you through the process of restricting access to your administration server. The sections following this one describe in detail each option available when using access control. Keep in mind that most access-control rules use only a subset of the available options.

To create an access-control rule:

Go to the Server Manager and choose Global Settings|Restrict Access.
Specify the server that you want to control. For example, you can select admin-serv to set up access control for the administration server. The drop-down list contains an entry for each 3.x server you have installed in the server root.
Click the Edit ACL button. The right frame divides into two frames that you use to set the access control rules. If the server you chose already has access control, the rules will appear in the top frame. With the administration server, each ACL begins with two deny statements. The following figure briefly describes the function of each form element.

Figure J.3 The ACL form contains links that, when clicked, display another form in the bottom frame (not shown).

Click the New Line button. This adds a default ACL rule to the bottom row of the table. You can use the up and down arrows in the left column to move the rule, if needed.
Select the action you want to apply to the rule by clicking the Deny link. The bottom frame displays a form where you can check if you want to deny or allow access to the users, groups, or hosts you'll specify in the following steps.
Check the option you want, and then click Update.
Specify User-Group authentication by clicking the anyone link listed under the Users/Groups column. The bottom frame displays a form for configuring User-Group authentication. By default, there is no authentication, meaning anyone can access the server.
Check the options you want, and then click Update.
Specify the computers you want to include in the rule by clicking the anyplace link. The bottom frame displays a form where you can enter wildcard patterns of host names or IP address to allow or deny.
Check the options you want, and then click Update.
Specify the programs you want to restrict. Programs are the forms in the Server Manager for the server you selected. For example, you can restrict access to all forms for configuring the administration server by checking the "All Programs" radio button. If you want to restrict access to one or two sets of forms, choose the categories in the drop-down list. If you want to restrict access to one form in a category, type the name of the form in the "Program Items" field. For example, to restrict access to the access control form, type distacl in the Program Items field. For more information, see the "Access to programs" section later in this chapter.
Click Update to add the programs options to the rules for the line you're editing.
If you are familiar with ACL files, you can enter a customized ACL entry by clicking X under the Extra column. This area is useful if you use the access control API to customize ACLs.
Check Continue if you want the access-control rule to continue in a chain. This means the next line is evaluated before the server determines if the user is allowed access. When creating multiple lines in an access-control entry, it's best to work from the most general restrictions to the most specific ones.
Repeat steps 4 through 10 for each rule you need. If you want the user to be redirected to another URL if their request is denied, check Redirection when denied. Click the link to specify the URL for redirection.
Click the Submit button to store the new access-control rules in the ACL file. If you click Revert, the server removes any changes you made to the rules from the time you first opened the 2-frame window. Be cautious when using Revert because you can't restore your edits. In most cases, it's probably better to delete the rule lines individually.

The following sections describe the options that appear in the bottom frame of the access-control window.

Specifying users and groups

You can restrict access to your administration server based on the user who requests a form. The administration server uses a list of users in the administrators group (the group you set up for distributed administration) to determine access rights for the user requesting a resource. The list of users are stored either in a database on the server computer or in an LDAP server, such as Netscape Directory Server. You should make sure the database has users and the administrators group in it before you set access control.

You can allow or deny access to everyone in the administrators group, or you can allow or deny specific people by using wildcard patterns or lists of users.

To configure access control with users and groups, follow the general directions for restricting access. When you click the Users/Groups field, a form appears in the bottom frame. The following list describes the options in the form.

Anyone (No Authentication) is the default and means anyone in the administrators group that you specified with distributed administration can access the form. However, the user might be denied access based on other settings, such as host name or IP address.
Authenticated people only lets you restrict users within the administrators group. If the username they enter isn't in the administrators group in the database, the access-control rule won't apply to them.
All in the authentication database matches any user who has an entry in the administrators group in the database.
Only the following people lets you specify certain users to match. You can list the users and groups of users individually by separating the entries with commas. Or, you can enter a wildcard pattern.
- Group matches all users in the groups you specify. The users in the groups you specify must also be in the "administrators" group you specified for distributed administration.
- User matches the individual users you specify.
Prompt for authentication lets you specify message text that appears in the authentication window. You can use this text to describe what the user needs to enter. Depending on the operating system the user has, they will see about the first 40 characters of the prompt. Netscape Navigator and Netscape Communicator cache the username and password and associate them with the prompt text. This means that if the user accesses areas of the server that have the same prompt, they won't have to retype their usernames and passwords. Conversely, if you want to force users to reauthenticate for various areas, you simply need to change the prompt for the ACL on that resource.

Specifying host names and IP addresses

You can restrict access to your administration server based on which computer the request comes from. You specify this restriction by using wildcard patterns that match the computers host names or IP addresses. For example, to allow or deny all computers in a specific domain, you would enter a wildcard pattern that matched all hosts from that domain, such as *.netscape.com.

This setting doesn't affect the Host/IP setting for the administration server's superuser. That is, you can set different hostnames and IP addresses that the superuser must use when accessing the administration server.

To specify users from hostnames or IP addresses, follow the general directions for restricting access. When you click the From Host field (the link called anyplace), a form appears in the bottom frame. Check the Only from option and then type either a wildcard pattern or a comma-separated list of hostnames and IP addresses. Restricting by hostname is more flexible than by IP address--if a user's IP address changes, you won't have to update this list. Restricting by IP address, however, is more reliable--if a DNS lookup fails for a connected client, hostname restriction cannot be used.

The hostname and IP addresses should be specified with a wildcard pattern or a comma-separated list. The wildcard notations you can use are specialized; you can only use the *. Also, for the IP address, the * must replace an entire byte in the address. That is, 198.95.251.* is acceptable, but 198.95.251.3* is not. When the * appears in an IP address, it must be the right-most character. For example, 198.* is acceptable, but 198.*.251.30 is not.

For hostnames, the * must also replace an entire component of the name. That is, *.netscape.com is acceptable, but *sers.netscape.com is not. When the * appears in a hostname, it must be the left-most character. For example, *.netscape.com is acceptable, but users.*.com is not.

Access to programs

You can select areas of the administration server that administrators can access. You can choose groups of forms that appear in the top frame of the Server Manager (such as Cluster Management), or you can choose specific forms that appear as links in the left frame of the Server Manager (such as "New User" under User & Groups).

Access to programs affects the server you choose when restricting access. For example, if your administration server contains a Netscape Enterprise Server and a Netscape Collabra Server, you choose the server you want to restrict, and then you set up the access control rules for that server. In this case, you could allow some administrators to configure agents in the Netscape Enterprise Server, and then you could allow a different set of administrators to configure newsgroups in the Netscape Collabra Server.

To control access to a program in a server,

Go to the Server Manager forms for the administration server. Choose Global Settings|Restrict Access.
Use the drop-down list to choose the server whose administration access you want to restrict. The administration server is labeled "admin-serv." Other servers are labeled with their type and their server id (for example, https-mozilla).
When you select a server to restrict, you are restricting who can view the Server Manager forms and which forms they can use to configure that server. For example, you might allow some administrators to configure the Users & Groups section of the administration server and not allow them access to the Global Settings. After you choose a server, click Edit ACL. The two-frame access-control forms appear.
Each ACL begins with two deny lines (the default setting), one that restricts access to only those users in the "administrators" group set for distributed administration, and another that restricts access to all users. If you want to change either of these lines, you need to manually edit the ACL file. Click the New Line button to add a rule to the ACL. Each rule you create allows access to the server. By specifically allowing access for users, you reduce the risk that you'll allow access to users you don't want.
Choose the users, groups, hosts, and IP addresses you want to apply to this access control rule.
By default, administrators have access to all programs for a server. Click the All link under Programs in the top frame. The bottom frame displays a form that lists the programs for the server type you selected.
Check the radio button labeled "Only the following," and then select the Program Groups you want to apply to the rule. You can choose multiple groups by pressing the Control key and then clicking the groups you want.
The Program Groups listed use the same name as the buttons in the top frame of the Server Manager for the server type you selected. For example, in the administration server, there are buttons labeled Admin Preferences, Global Settings, and so on. When an administrator accesses the administration server, the server uses their username, host, and IP to determine what forms they'll see. If they have access to only one or two forms, they will only see those forms.
You can control access to a specific form within a group. Type the name of the form program in the Program Items field.
To determine the name of a form, place your pointer over the link in the left frame of the Server Manager and then view the text in the status bar of your browser. The last word after the + is the name for that form.

For example, suppose you have one person who administers a Netscape Directory Server and you want that person to have access only to the "Configure Directory Service" form. In this case, you would set up a rule that applies to them (host, IP, and so on), and then you would enter dsconfig in the Program Items name.
Click Update and then Submit to save the access control rule.

Writing customized expressions

You can enter custom expressions for an ACL. You can use this feature if you are familiar with the syntax and structure of ACL files. There are a few features available only by editing the ACL file or creating custom expressions. For example, you can restrict access to your server depending on the time of day, day of the week, or both.

The following customized expression shows how you could restrict access by time of day and day of the week. This example assumes you have two groups in your LDAP directory: the "regular" group gets access Monday through Friday, 8:00am to 5:00pm. The "critical" group gets access all the time.


allow (read)
{
	(group=regular and dayofweek="mon,tue,wed,thu,fri");
	(group=regular and (timeofday>=0800 and timeofday<=1700));
	(group=critical)
}

For more information on valid syntax and ACL files, see the on-line help.

Turning access control on and off

You can turn on access control depending on the server an administrator accesses. You could create and turn on access-control for a specific server on your computer and leave it off (default) for any other servers. For example, you could deny all access to the administration server's Server Manager forms only. With distributed administration on and access control off by default for any other servers, administrators could still access and configure the other servers, but they couldn't configure the administration server itself.

Note
This access control is in addition to the user being in the administrators group set for distributed administration. The administration server first checks that a user (other than superuser) is in the administrators group, and then it evaluates the access-control rules.

Responding when access is denied

You can choose the response a user sees when they are denied access. You can vary the message for each access-control object. By default, the user is sent a message that says the file wasn't found (the HTTP error code 404 Not Found is also sent).

To change what message is sent for a particular ACL:

In the ACL form, click the link called "Response when denied."
In the lower frame, check the radio button called Respond with the following file.
In the text field, type an absolute path to a text or HTML file you want to send to the user when they are denied access. Be sure the server has read access to this file on your system--it's a good idea to have the file in a directory under the server root. Make sure the file doesn't contain references to other files (such as style sheets) or images because they won't be sent. Click Update.
Make sure you submit the access control rule by clicking the Submit button in the top frame.

Figure J.4 The Server Administration page lets you manage your Netscape servers.

Using the Server Manager forms

As stated earlier, the collection of forms used to configure a single server is called the Server Manager. The administration server contains a Server Manager for each Netscape server installed on the computer, including one for the administration server itself.

The Server Administration page, shown in Figure J.4, contains links to each Server Manager.

To get to the Server Manager forms for the administration server, click any of the category buttons on the Server Administration page.
To get to the Server Manager forms for a particular server, click the button in the General Administration section that has the server's name on it. For directions on configuring a particular server, see that server's documentation or click Help in any on-line form.

After clicking on a button, you'll see the Server Manager--a three-frame page with buttons in the top frame and links in the left frame (see Figure J.5).

Figure J.5 The administration server's Server Manager forms appear in a three-frame page.

To use the Server Manager, you click a category button in the top frame (for example, Server Preferences), and then you click a link in the left frame (for example, Distributed Admin). A form appears in the remaining frame where you select options and specify values that configure the server. To submit your changes in the form, click the OK button. Click the Help button in any form to get specific directions on using that form.

To return to the Server Administration page (Figure J.4), click the Server Administration button in the top frame of the Server Manager.

Before you install or configure your servers

This section describes the issues you need to resolve before you install your Netscape SuiteSpot servers. You should also read the Administrator's Guide for each server before installation, because they might include other special considerations specific to that server type.

Setting up the SuiteSpot user and group

If you plan on installing multiple SuiteSpot servers on a single computer, create a SuiteSpot system group that includes the system user account you plan to use for each server installed on the computer. (During installation, you specify the user account you want the SuiteSpot server to use.) This gives any servers installed on the computer read and execute permissions to the files or directories owned by other servers (for example, the local directory of users and groups used in access control).

For example, if you're installing Netscape Messaging Server and Netscape Enterprise Server on the same computer, you might create a group called suitespot with system users mail and web.

Note
Creating the user and group is more important on UNIX systems, but you can also do this on Windows NT systems.

When you create these accounts, you should create them so that no other system users or groups have write access to the files owned by the servers. In particular, you'll want to write-protect the administration server's password file located at <server_root>/admin-serv/config/admpw. And you should consider protecting any encryption key-pair files and certificates (in the directory <server_root>/alias), and the local database (in the directory <server_root>/userdb).

Logging in to the administration server

When you first connect to the administration server, you must provide a user name and a password. If the administration server uses distributed administration, the forms that you see and the administrative privileges that you have depend on the user name you use when logging in.

Distributed administration lets multiple people log in to the administration server. Access control rules determine what forms each person can use. There are three general levels of users:

superuser is the user listed in the file <server_root>/admin-serv/config/admpw. This is the user name (and password) you specified during installation. This user has full access to all features in the administration server and sees all forms in the administration server except the Users & Groups forms, which depend on the superuser having a valid account in an LDAP server such as Netscape Directory Server. If you use the local database, superuser will always have access to the Users & Groups forms.
administrators bypass the Server Administration page and go directly to the Server Manager forms for a specific server, including the administration server. The forms they see depend on the access control rules set up for them (usually done by the superuser). Administrators can perform limited administrative tasks and can make changes that affect other users, such as adding users or changing access control.
end users see a limited set of forms that allow them to change information specific to themselves, such as their password and any other information about themselves that is stored in the user database.

The following table helps illustrate what access different users get and what affects how they access the administration server.

Table J.1 What the administration server does when different users log in

Option

superuser

administrator
(distributed administration)

end user

The user name and password is checked against entry in

<server_root>/admin-serv/config/admpw

LDAP directory or local database

LDAP directory or local database

Can user create users and groups in a local database?

YES

YES

NO

Can user create users and groups in an LDAP directory?

YES, but only if there is an entry matching the superuser name.

YES, provided the administrators group has create permission

NO

If LDAP directory is down, can the user access the administration server?

YES

NO

NO

What forms are viewable in administration server?

All, except User & Groups depends on the superuser having an account in the LDAP directory (if used).

Depends on access control.
If no access control is used, see all forms

End-user forms only

Option	superuser	administrator (distributed administration)	end user
The user name and password is checked against entry in	`<server_root>/admin-serv/config/admpw`	LDAP directory or local database	LDAP directory or local database
Can user create users and groups in a local database?	YES	YES	NO
Can user create users and groups in an LDAP directory?	YES, but only if there is an entry matching the superuser name.	YES, provided the administrators group has create permission	NO
If LDAP directory is down, can the user access the administration server?	YES	NO	NO
What forms are viewable in administration server?	All, except User & Groups depends on the superuser having an account in the LDAP directory (if used).	Depends on access control. If no access control is used, see all forms	End-user forms only

If you want to check different areas of the administration server, create a group and user for distributed administration and then create an end-user. To log in as different users and see what they get, insert the username in the URL for the administration server. For example, http://user1@myserver.mozilla.com:12345. If you don't insert the user's name, most web browsers will authenticate you using the last password you entered for that URL. (Netscape Navigator and Netscape Communicator cache the user name, password, and URL for a single-session, so when you close the application, the information is discarded.)

When distributed administration is off

When distributed administration is turned off, you can only log in to the administration server using its superuser name and password. You configure this user name and password when you first install your administration server.

Logging in as the superuser gives you full access to all the forms and servers running under the administration server. The exception to this is the Users & Groups area of the administration server. Although you have full access to the Users & Groups forms, you might not have the appropriate permissions set in the directory that allow you to manage users. This is an issue only if you are using a directory server to manage users and groups--if you are using the local directory, you automatically have full access to directory management because the local directory does not support access control lists.

Warning
If you are using a directory server to manage users and groups, then make sure to create a user entry in your directory that corresponds to your administration server superuser, and grant that entry full read, write, search, and compare permissions for the directory. Netscape Directory Server version 1.02 or later has the ability to automatically create the minimum required superuser user name and access-control information. For more information, see the on-lineon- line documentation that is available with your Netscape Directory Server.

When distributed administration is on

If you enabled distributed administration, then you can log in as the superuser, an administrator, or an end user. The administration server identifies what type of a user you are by using the following process:

When you login, you enter your login user ID. This must correspond to the unique user ID attribute value set for your entry in the directory server. The format of your user ID will depend on the policies in use at your site, but by default the administration server Users & Groups form suggests a user ID by appending the user's last name to the first initial of their first name. For example, someone named Barbara Jensen would by default be given a user ID of bjensen.
User IDs are not case sensitive in the directory server. Therefore, a user ID of bjensen is the same as BJENSEN.
If you use the superuser user name and password when logging in to the administration server, then you are granted full access to all the servers and forms under the administration server. The exception to this is that you might not have full directory access if you are using the directory server.

Note
If you are using a directory server to manage users and groups, then make sure to create a user entry in your directory that corresponds to your administration server superuser. Also make sure to create the appropriate administrators group (discussed below) and grant that group full read, write, search, and compare permissions for the directory. Finally, make sure you add your administration server's superuser to the administrator's group. Netscape Directory Server version 1.02 or later has the ability to automatically perform these minimum actions for you. For more information, see the on-line documentation that is available with your Netscape Directory Server.

If you do not use the superuser user name and password when logging in, then the administration server searches for your user ID in the directory. How this search is performed is determined by whether you are using a directory server or a Netscape local directory:

Directory server

The administration server logs into (binds to) the directory using the Bind DN set for the administration server in Global Settings|Configure Directory Service. If no Bind DN is set for the administration server, then an anonymous search is attempted.
The search is conducted for the subtree identified in the Base DN field of your administration server's Global Settings|Configure Directory Service form. Also the administration server looks for the matching uid attribute, that is, the user name, not surname (sn) or common name (cn).
For information on uid, sn, and cn attributes, see the "Object classes and attributes" appendix that is available with your administration server's on-line documentation.

Local database

The search is performed on the database directly. No access control permissions or Bind DNs are required. The search starts with the directory's root point (top most entry), and the match is performed on the uid (user name) attribute.

Once a matching entry has been found, the administration server attempts to log into (bind to) the directory using that entry's distinguished name. The administration server uses the password that you provided to the login prompt. If the log in fails, then either you entered a user ID that is unknown to the directory, or you entered an incorrect password. Either way, you are offered a chance to try the log in procedure again.
If you log in as a user who is a member of the administrators group for distributed administration, you are given administration-level access to the administration server, depending on how access control is configured. If you log in as a user who is not a member of the administrators group, then you will be given end-user access if it is enabled for your administration server; if end-user access isn't enabled, you'll get an access denied message.

Directory server	The administration server logs into (binds to) the directory using the Bind DN set for the administration server in Global Settings\|Configure Directory Service. If no Bind DN is set for the administration server, then an anonymous search is attempted. The search is conducted for the subtree identified in the Base DN field of your administration server's Global Settings\|Configure Directory Service form. Also the administration server looks for the matching uid attribute, that is, the user name, not surname (sn) or common name (cn). For information on uid, sn, and cn attributes, see the "Object classes and attributes" appendix that is available with your administration server's on-line documentation.
Local database	The search is performed on the database directly. No access control permissions or Bind DNs are required. The search starts with the directory's root point (top most entry), and the match is performed on the uid (user name) attribute.

For information on distinguished names, directory services and how to use them with your administration server, and how to configure your administration server to use directory services, see the chapter "Chapter 5: User and group management."

For detailed information on binding to the directory server, creating directory server users and groups, setting directory server access control privileges, and performing directory searches, see the Netscape Directory Server Administrator's Guide.

Stopping the administration server

If you enable end-user access to the administration server, you should keep the administration server running as often as possible. If you don't enable end-user access, consider shutting down the administration server when you aren't using it. This minimizes chances of a break in, which could happen if someone learns any of your superuser or administrator passwords.

To shut down the administration server from the Server Manager:

Go to the Server Manager and choose Server Preferences|Shut Down.
Click Shut down the administration server.

You can also stop and restart the administration server service or daemon, depending on the computer operating system you use:

UNIX
To stop the administration server, go to your server root directory and type
./stop-admin. To start the server, type ./start-admin. If the server is already running, you can type ./restart-admin.

NT
To stop the administration server, go to Control Panel|Services. Select the "Netscape Administration Server 3.5" service and click Stop. To restart it, click Start.

What to do next

Before you read the rest of this book, you need to install at least one of your SuiteSpot servers. The following six steps offer installation guidelines to follow.

Create a system user and group that your servers will use. This is more important for UNIX systems than Windows NT.
Install Netscape Directory Server and create one "superuser" account, and then create and add users to an "administrators" group. These accounts are crucial if you want to administer users and groups from the administration server.
Install other SuiteSpot servers that use the 2.x administration server. See the Quick Start card that comes in the SuiteSpot package for a list of servers using the 2.x administration server. When installing, you should use the default server-root directory. For more information, consult the documentation for those servers.
Install SuiteSpot servers that use the 3.x administration server. Make sure you install the 3.x servers to a different server-root directory. If you installed 2.x into non-default directory, specify the directory to the 2.x administration server during the 3.x installation. For more information, consult the documentation for those servers.
Install any servers you need to run on other computers. If you want to use cluster management, make sure they all use the same superuser account or create at least one common administrator account.
Set up any clusters you need.

Chapter 5: User and group management

The Netscape administration server lets you manage the users and groups that access the services provided by your Netscape servers. Because you manage users and groups from the administration server, you use the same interface for user and group management regardless of the type of servers, or the number of servers, that you are running at your site. This common management scheme provides simplified server administration by letting you maintain a single directory of users for all your Netscape servers.

This chapter contains basic information about the differences between using a local database and a director service such as Netscape Directory Server. The on-line help contains directions for creating and managing users and groups from the administration server forms.

The directory service

The Users & Groups area of the administration server is actually an interface to a directory service. Directory services are a type of software that allows you to maintain information, such as contact information or identification information for the people in your organization. You use a directory service in the administration server to store user information, such as user IDs, email addresses, certificates and so forth. This information is typically used when controlling access to a server.

You have a choice of the type of directory service you can use with your administration server: You can use a Netscape Directory Server or you can use the local database.

Netscape Directory Server

Based on an open-systems server protocol called the Lightweight Directory Access Protocol (LDAP), Netscape Directory Server is a robust, scalable server designed to manage an enterprise-wide directory of users and resources. Using the directory server, you can manage all of your user information from a single source. You can also configure the directory server to allow your users to retrieve directory information from multiple, easily accessible network locations.

The use of a directory server to manage your servers' users and groups is recommended for large organizations consisting of up to a million users. Directory server is also ideal for organizations spread across physically different locations, and for organizations where balancing the access load to their directory is important. Finally, the directory server is recommended for those organizations interested in enhancing directory availability by placing their directory services on multiple servers.

For more information about the directory server, or about directory services in general, see the Netscape Directory Server Administrator's Guide, which comes with Netscape Directory Server.

The local directory

The Netscape local directory is bundled with every administration server, and it provides many of the core directory functions available from the directory server. The local directory is intended for sites running a stand-alone Netscape server (such as a enterprise or messaging server).

The local directory has the following limitations when compared to the Netscape Directory Server:

The local directory cannot communicate across the network (it does not use the LDAP protocol). This means your users cannot use an LDAP client to perform directory access. They can, however, access the information through the administration server.
The local directory supports no more than 1,000 entries.
The local directory is slower on lookups than the directory server because the local directory does not cache entries.
The local directory does not perform schema checking. This means that the directory will not stop you from using object classes and attributes that are unknown to it.
The local directory does not perform any kind of access-control checking; however, you can configure access to the directory using the administration server.
The local directory cannot be replicated.
You can use only two of the directory server's command-line utilities with the local directory: ldapsearch, which allows you to search the directory, and ldapmodify, which allows you to add, delete, and modify directory entries.

Directory service clients

You must use a directory service client to obtain information from and to put information into a directory service. If you are using the Netscape Directory Server, then any directory client that can use the LDAP protocol can use your directory. This is one of the primary differences between a true directory service and the local database bundled with the administration server: The database can communicate only with the local administration server, whereas the directory server can communicate with any LDAP-capable client.

Gateways

The administration server is actually a type of directory service client known as a gateway. That is, the administration server acts as a gateway between the communication protocol used by your web browser (HTML) and the protocol used by the directory server (LDAP). Of course, if you are using the local database then the gateway skips the LDAP protocol and accesses the local database directly.

When you first install your administration server, you must configure your server to communicate either with the local directory or with the directory server. If you use a directory server, you need to make sure it has at least one user account that the administration server can use to access it. This is usually the administration server superuser account. Beyond that, you'll experience no difference when using the Users & Groups forms.

For more information on how to use the Users & Groups forms, see the on-line documentation that is available with your administration server.

Command-line clients

Both the directory server and the Netscape local directory offer command-line tools that allow you to search the directory and perform directory modifications from the command line. This allows you to create custom shell scripts or batch files to perform routine, automated tasks on your directory.

Netscape Directory Server provides many command-line tools to help you administer and maintain your directory. The local directory, however, provides two tools for your use: ldapmodify and ldapsearch. These are actually identical to the ldapmodify and ldapsearch command-line tools shipped with the directory server, except that the -C option has been added so that they can work with the local directory.

For more information on the ldapmodify and ldapsearch command-line tools bundled with your administration server, see the on-line documentation. For more information on the command-line tools bundled with the directory server, see the Netscape Directory Server Administrator's Guide.

Authenticating users to directory services

Any time you perform an operation on a directory service, you must identify yourself to the service. This identification process is known as authentication. You can also think of this process as logging into the directory service.

Authentication allows a directory service to know if you have sufficient permissions to perform operations in the directory. Examples of directory operations are:

searching the directory
adding entries (such as users and groups) to the directory
deleting entries from the directory
modifying entries in the directory

Usually authentication is not required if all you want to do is search the directory. When you access a directory without providing authentication credentials, you are performing anonymous access.

When you log in to the administration server, the username and password that you provide are automatically used by the Users & Groups forms when they are communicating with a directory server.

Warning
If you need to change your superuser password, make sure you change it in the directory server before you change it in the administration server. For information on allowing anonymous access to the directory server, see the Netscape Directory Server's Administrator's Guide.

Distinguished names

A distinguished name (DN) is the string representation for the name of an entry in a directory server or in a local directory. You use DNs when naming entries using the LDAP Data Interchange Format (LDIF), when using the LDAP command-line clients, when configuring the directory server, and so forth.

Traditionally, a DN consists of the following items in this order:

A common name or a user ID
A list of regional or organizational attributes
A country designation

This string of identifying attributes uniquely locates the entry within your directory. If you choose, you can also use this naming structure to uniquely identify your entries within the global directory tree as defined in the X.500 standard.

Distinguished name syntax

The traditional syntax for a DN string representation is as follows:


cn=common name, [street=address, l=locality, st = state or province, ou=organizational unit, o=organization], c=country name

A DN can consist of virtually any attributes you want to use. However, if you are using the Netscape Directory Server and schema checking is turned on, then the attributes must be recognized by the directory server, and the attribute must be allowed by the entry's object classes.

(For more information on object classes and attributes, and your directory server's schema, see Appendix A of the on-line documentation.)

Generally, however, a DN begins with a specific common name and gives increasingly broader areas of identification, ending with the country name. Note, however, that the DN attributes you use, and the order in which you organize them, is up to you. The only requirement is that DN attributes must be separated by a comma and can optionally use a space following the separator.

Using uid-based distinguished names

One common variation on the traditional distinguished name identified here is to use a user ID (uid) in the place of a common name (cn). Because user IDs are typically unique values across an enterprise, basing your distinguished name on user IDs allows you to avoid cn collision problems caused by people who share the same name. By default, the administration server uses cn-based distinguished names, but you can change this behavior so that it creates uid-based distinguished names instead. You do this by editing the file:


<server_root>/admin-serv/config/dsgw-orgperson.conf

and setting the useUidForDN variable to true.

Distinguished name usage

Once you have organized your directory structure, you must always specify the DN attributes in the same order because a DN represents a path through the directory tree. For example, the following DNs do not represent the same entry:


cn=Ralph Swenson, ou=Accounting, o=Ace Industry, c=US 
cn=Ralph Swenson, o=Ace Industry, ou=Accounting, c=US

Also, distinguished names representing branch points in the directory do not typically begin with a common name value. Rather, they usually begin with some subelement in the directory path. For example, if your directory contained entries of the form:


	cn=name, ou=Marketing, o=Ace Industry, c=US

then your directory would also contain the entries:


	o=Ace Industry, c=US
	ou=Marketing, o=Ace Industry, c=US

These two entries must appear in the directory before the entries represented by a common name can appear.

For more information on your directory's organization, see "Planning your directory structure."

Distinguished name examples

The following are some examples of distinguished names:


cn=Wally Henderson,ou=Product Development,o=Bait and Tackle Inc, st=Minnesota,c=US


cn=Retch Sweeny, ou=Product Test, o=Bait and Tackle Inc, st=Michigan, c=US

cn=printer3b, l=room 308, o=Acme Programming Ltd, c=US

Distinguished name attributes

The various standard attributes that comprise a DN are as follows:

Table J.2


Attribute	Name	Definition
c	country	Identifies the name of the country under which the entry resides. Must be the two-letter country code. For example: `c=US` `c=GB`
cn	common name	Identifies the person or object defined by the entry. For example: `cn=Wally Henderson` `cn=Database Administrators` `cn=printer3b`
uid	user ID	Identifies the person or object defined by the entry. DNs based on uids are often preferred over cn-based DNs because they avoid duplicated distinguished names caused by people who share the same name.
l	locality	Identifies the locality in which the entry resides. The locality could be a city, county, township, or other geographic region. For example: `l=Tucson` `l=Pacific Northwest` `l=Anoka County`
o	organization	Identifies the organization in which the entry resides. For example: `o=Netscape Communications Corp` `o=Public Power & Gas`
ou	organizational unit	Identifies a unit within the organization. For example: `ou=Sales` `ou=Manufacturing`
st	state or province name	Identifies the state or province in which the entry resides. For example: `st=Iowa` `st=British Columbia`
street	street address	Identifies the street address at which the entry resides. For example: `street=494 Rice Creek Terrace`