

Appendix D Gateway User Help

This appendix provides instructions for using the Directory Server 4.0 gateway interface. The information supplied here is intended to be repurposed as help topics that can be made available to gateway users from the Help button on gateway forms. Topics include:


Directory Tree Structure
The hierarchy of data in the directory can be represented by a tree. At the top of the directory tree is the root entry (or suffix). The root entry usually represents the organization entry for the directory (for example, o=airius.com). The directory may contain more than one root entry. Before adding new entries, make sure that you know which suffix the gateway is supporting.

Below the root entry are branches of the directory representing organizational units. For example:

o=Airius.com

ou=Marketing, o=Airius.com

ou=Accounting, o=Airius.com

Entries for people and resources within the organization appear below the organizational branches.

Distinguished Name Syntax

A directory entry is uniquely identified by its distinguished name (DN). The DN for an entry is represented as a series of comma-separated attributes and attribute values. The left-most value represents the entry's name. Each subsequent attribute represents a branch point above the entry. For example, this DN represents the entry named malonso in the subdirectory named people in the directory named airius.com:

uid=malonso, ou=people, o=airius.com

Unique Distinguished Names

The directory server interface will not permit duplicate entries. To avoid duplications, use distinguished names that begin with the person's user ID (uid) rather than the person's common name. Since email IDs are by definition unique within an organization, one common method is to use a person's email address as their user ID. For example:

jwatson@airius.com

becomes the DN

uid=jwatson, o=airius.com
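
The DN forms above can also be produced and taken apart in code. The following is an added example, not part of the Netscape documentation or gateway code: it derives a uid-based DN from an email address and splits a DN into its components. The function names are hypothetical, and the escaping follows RFC 4514 so that a comma or equal sign inside a user ID is kept as part of the name instead of being read as an extra branch.

```python
# Added example: build and split DNs written as "attr=value, attr=value, ...".
# Function names are hypothetical; escaping rules are those of RFC 4514.

_SPECIAL = set(',+"\\<>;=')   # characters that must be backslash-escaped in a value


def escape_rdn_value(value):
    """Escape an attribute value so it can be placed in a DN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIAL:
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        elif ch == " " and i in (0, last):
            out.append("\\ ")          # leading or trailing space
        elif ch == "#" and i == 0:
            out.append("\\#")          # leading '#'
        else:
            out.append(ch)
    return "".join(out)


def dn_from_email(email, suffix):
    """Use the part of the address before '@' as the uid under the given suffix."""
    local, sep, domain = email.strip().partition("@")
    if not sep or not local or not domain:
        raise ValueError("not an email address: %r" % email)
    return "uid=%s, %s" % (escape_rdn_value(local), suffix)


def split_dn(dn):
    """Split a DN on unescaped commas; the entry's own name comes first."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])    # keep an escaped pair together
            i += 2
            continue
        if dn[i] == ",":
            parts.append("".join(cur).lstrip())
            cur = []
        else:
            cur.append(dn[i])
        i += 1
    parts.append("".join(cur).lstrip())
    return parts
```

The splitter handles backslash escapes only; the older quoted-string form of attribute values is not covered.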


Searching the Directory
The directory server interface provides two types of searches:

Both types of searches permit searching for any of the entry types described in Table D.1.

Table D.1 Entry Types That Can Be Specified

| Type of Entry | Description |
|---|---|
| People | Entries that describe a person. |
| NT People | Entries that describe an NT user. |
| Groups | Entries that describe a group. A group may be defined as, for example, System Administrators, Tech Writers, all the people interested in Fishing, or all the Color Printers at the site. Groups can also contain other groups. |
| NT Groups | Entries that describe a group of NT users. |
| Organization | Entries that describe an organization. An organization is usually a single, large entity such as a corporation or a university. An organization represents a major, static subdivision or branch of the directory. |
| Org-Units | Entries that describe an organizational unit. Organizational units describe units within an organization, such as an Accounting, Marketing, or Biology department. |
| Anything | Entries that match the specified search criteria. Anything is useful when the entry you are searching for is not a person, group, or organization. |

After the directory server completes the search, the directory server interface displays the search results, which provide links to all matching entries. Clicking an entry displayed on the search results list displays detailed information about the entry. If the entry is a person, you can also choose to view the person's digital business card (vCard).

Performing a Standard Search

Depending on what is entered, Standard Search determines whether to find entries that exactly match the criteria, entries that contain the criteria, or entries that contain words or syllables that sound like the criteria. An LDAP search filter can also be used in the standard search field.

To perform a standard search:

  1. Select the Standard Search tab. The Standard Search form appears.
  2. Enter the value to find in the Search for field. This field is not case sensitive. Any of the following values can be entered:
  3. Click Submit. The form data is submitted to the directory server and the directory server searches for any entries that match exactly, match partially, or sound like the value supplied. Resulting matches are displayed in the search results table.

Name Search Functionality

When the search string specifies characters other than numbers or does not contain an at (@) symbol, the standard search attempts to find full names, first names, or last names that match exactly, match partially, or sound like the supplied value.

For example, specifying the string "son" could return:

Name and Initial Search Functionality

When the search string specifies the following items in the following order, the standard search executes a search for a first initial followed by a last name:

For example, specifying the string "P.Ande" could return

Similarly, if the search string specifies the following items in the following order, the standard search executes a search for a first name followed by a last initial:

For example, specifying the string "M.Pai" could return

Approximate (or "sounds-like") and substring searches are not performed in this case.

Searching for Phone Numbers

Standard search automatically searches for a phone number if the value entered consists only of numeric characters. This type of search is an "ends with" search. That is, the directory server searches for any phone numbers that end with the specified string. For example, entering the string "123" results in the display of all phone numbers that end with 123. A single hyphen is permitted in the search string if at least one digit precedes it.

Searching for Email Addresses

Standard search searches for matching email addresses if an at (@) symbol is provided. Standard Search first searches for any email addresses that exactly match the value entered. For example, specifying the string "rafi@" could return the exact match:

or, if no match exists for "rafi@" in the directory, the search could return:

Using LDAP Search Filters

An LDAP search filter can be used to search for entries with a specific attribute value. The standard search assumes that any string containing an equal sign is an LDAP search filter. For example, specifying "cn=*eve*" will initiate a substring search for any common name containing the string "eve".

When specifying attributes within an LDAP search filter, use the attribute label used by the directory server internally rather than the attribute field name as displayed in the gateway's search results.
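
The rules in this section amount to a classifier that turns one text field into an LDAP filter. The following added example (not the gateway's own code) sketches that decision order for the cases the text fully specifies: filter, email, phone number, and name. The attribute names `cn`, `givenName`, `sn`, `telephoneNumber` and `mail` are assumptions taken from the standard LDAP schema, the function names are hypothetical, and the initial-plus-name patterns and the email fallback search are left out. Values are escaped per RFC 4515 so that characters such as `*` or `(` typed into a name are matched literally.

```python
# Added example: classify a Standard Search string and build an LDAP filter.
import re


def escape_filter_value(value):
    """Escape a value for use inside an LDAP filter assertion (RFC 4515)."""
    table = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
    return "".join(table.get(ch, ch) for ch in value)


# Assumed attribute names (standard schema, not read from the gateway's files).
NAME_ATTRS = ("cn", "givenName", "sn")
PHONE_ATTR = "telephoneNumber"
MAIL_ATTR = "mail"

# Digits only; a single hyphen is allowed when at least one digit precedes it.
_PHONE_RE = re.compile(r"\d+(-\d*)?")


def standard_search(text):
    """Return (kind, filter) for the text typed into the Search for field."""
    text = text.strip()                # leading/trailing blanks are stripped
    if not text:
        raise ValueError("empty search string")
    if "=" in text:
        # Any string with an equal sign is taken as a filter and passed through
        # as written; directory access control decides what it can return.
        return "filter", text if text.startswith("(") else "(%s)" % text
    if "@" in text:
        return "email", "(%s=%s)" % (MAIL_ATTR, escape_filter_value(text))
    if _PHONE_RE.fullmatch(text):
        # "Ends with" search on the phone number.
        return "phone", "(%s=*%s)" % (PHONE_ATTR, text)
    value = escape_filter_value(text)
    terms = []
    for attr in NAME_ATTRS:
        # Exact match, substring match, and approximate ("sounds like") match.
        terms += ["(%s=%s)" % (attr, value),
                  "(%s=*%s*)" % (attr, value),
                  "(%s~=%s)" % (attr, value)]
    return "name", "(|%s)" % "".join(terms)
```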

Advanced Search

The advanced search is designed to search for entries that have specific values for certain attributes (for example, a person entry whose email address is a specified value). Advanced search also allows searches for entries that do not include a specified attribute value (for example, all the people whose last name is not "Smith").

Advanced search performs an exact search, returning entries that exactly match the words entered. There are four fields used to construct an advanced search. Constructed as follows, these four fields represent a sentence specifying the search:

Find: [a type of entry] where the: [attribute] [type of search] [search string]

The options for the first three of these fields are provided in pull-down menus. The fourth field contains the actual search string. For example:

Find: [People] where the: [Last Name] [is] [Supriya]

Find: [People] where the: [Full Name] [sounds like] [Lloyd Daniels]

Performing an Advanced Search

  1. Select the Advanced Search tab. The Advanced Search form appears.
  2. Select the type of entry to search for.
  3. Select the attribute to search for from the "where the" field pull-down menu. The choices available depend on the entry type selected in the Find field (see Table D.2).
  4. Select the matching type to use in the search.
  5. Enter the search string in the text box and click "Search." The form data is submitted and the directory server searches for entries that exactly match the value supplied. The resulting matches are displayed as a search results list.

Table D.2 Advanced Search Attributes

| Find Field | Search Attributes That Can Be Specified |
|---|---|
| People or NT People | full name, last name, phone number, email address, user ID, or title |
| Groups or NT Groups | description, owner, or NT Group Type (for NT Groups) |
| Organizations | location, phone number, or description |
| Anything | name or description |

Viewing Search Results

When search form data is submitted, the search results displayed depend on whether there were no matches, a single match, or multiple matches.

No matches

A search result that returns no matches means one of the following has occurred:

A Single match

When a single match is returned in a response to an "is" search, the gateway displays all details for the entry.

Multiple matches

When multiple matches are found in response to a search, the gateway displays a table listing each of the matching entries and relevant information for each entry, such as the entry's phone number and email address.

Search Tips

Numeric Values

When searching for a numeric value, such as a room number or a telephone number, be sure to include all spaces and leading zeroes.

Blank Spaces

The directory server interface strips all leading and trailing blank spaces from the search criteria.


Authentication
Authentication is the process of enabling users to perform operations on the directory. By default, access to the directory is denied to all users with the exception of the directory administrator. The directory administrator defines the user permissions that grant or restrict access to information in the directory.

Access Control

Using the access control mechanism, the directory administrator can allow or deny access:

Following are some of the access restrictions and access grants the directory administrator can set up by applying permissions to the directory:

The interface prompts the user to authenticate before allowing modifications to the directory. A user who does not authenticate is allowed those permissions enabled for anonymous access.

For more information, see the Netscape Directory Server Administrator's Guide and the Netscape Directory Server Deployment Guide.

Authenticating to the Directory

Users can explicitly choose to authenticate by clicking the Authentication tab or wait until the DS interface automatically prompts for authentication before continuing with an operation. To authenticate to the directory:

  1. Click on the Authentication tab. The Authentication tab appears.
  2. Enter the name you want to use to identify yourself to the directory server. To authenticate as a regular user, enter your name as it appears in the directory server (common name or full name). Do not enter the user ID or login for a local operating system. To authenticate as the privileged directory user, click the Authenticate as Directory Manager button. The directory server displays a table of matching entries.
  3. Select the link that corresponds to your directory entry (if the name is unique in the directory, the system skips this step). The system prompts for a password.
  4. Enter the password and click Continue.
  5. Click Return to main to continue to the default gateway.

Maintaining Authentication Credentials

By default, authentication credentials are set to last for 120 minutes before expiring. The expiration time is configurable by the directory administrator. When authentication credentials expire while a directory operation is being performed, re-authentication is necessary before completing the operation.

Logging Out of the Directory

To unauthenticate:

  1. Click on the Authentication tab. The Authentication form appears.
  2. Click the Discard Authentication Credentials button. The user is returned to anonymous access privileges.

Troubleshooting Authentication Problems

The following table lists common authentication problems, possible causes, and actions that may be taken to resolve the problem.

Table D.3 Authentication Problems

| Problem | Possible Cause | Possible Action |
|---|---|---|
| Search results are empty. | No entries match the search string entered, or user authentication required. | Try a different search operation or authenticate to the directory. |
| Search results in missing entries or attribute information. | You are not authenticated properly or do not have privileges required to access the information (in which case the directory server responds as if the information does not exist). | Make sure you are properly authenticated. Verify with the system administrator that you have access to the directory information you need. |
| Operation fails after completion. | The directory is failing the operation because of improper authentication or because authentication has expired. This occurs because the LDAP protocol does not allow the interface to know whether authentication is required before trying an operation. | Make sure you are properly authenticated and that your authentication has not timed out. |
| A table of entries is displayed instead of a specific entry. | The full name is not unique or the name entered does not exist in the directory. | If your entry is not displayed, click Cancel and try to authenticate again. Be sure to use full name and not user ID. |
| User name is correct, but authentication fails anyway. | Password is incorrect. | Click retry and re-enter your password. |


Adding Entries Using the New Entry Form
The New Entry form on the default gateway (dsgw.conf) can be used to add the following types of entries:

Directory authentication is required before entries can be added to the directory using the gateway's New Entry form.

Adding a Person Entry

  1. Click on the New Entry tab to bring up the New Entry form.
  2. For type of entry, select Person.
  3. Enter a user name for the person.
  4. Specify a directory location for the entry. ou=People is the most common location for a new user. ou=Special Users can be chosen as a location for entries with more privileges than People entries. Choose Other to specify a DN for a directory location other than ou=People or ou=Special Users.
  5. Click Continue to submit the new person entry (to cancel the operation, use the browser's Back button). The New Person window appears.
  6. Enter values for all required fields. Full name and Last Name are required fields on the default gateway. (Values for Manager, Admin, and See Also can be added after the entry is saved.)
  7. Click the Save New Person entry button at the top of the window. The gateway confirms that the new entry has been added and displays all information fields that can be modified.

Adding an NT Person Entry

When creating an NT Person entry, make sure that the subtree where the entry is placed is the subtree used by the directory's NT Synchronization Service to synchronize entries. When an NT Person entry is placed in another location, it is not synchronized with the Windows network.

Required fields for an NT Person entry include:

Adding a Group Entry

  1. Click on the New Entry tab to bring up the New Entry form.
  2. For type of entry, select Group.
  3. Enter a name for the group.
  4. Specify a directory location for the entry. ou=Groups is the common location for group entries. ou=Special Users can be chosen as a location for entries with more privileges than People entries. Choose Other to specify the DN for a directory location other than ou=People or ou=Special Users.
  5. Click Continue to submit the new group entry (to cancel the operation, use the browser's Back button). The New Group window appears.
  6. Enter a value for Name. (Values for Owner, See Also, and Group Members can be modified after the entry has been saved.)
  7. Click the Save New Group button at the top of the window. The gateway confirms that the new entry has been added and displays all information fields that can be modified.

Adding an NT Group

Required fields for an NT Group include:

Adding an Organizational Unit Entry

  1. Click on the New Entry tab to bring up the New Entry form.
  2. For type of entry, select Organizational Unit.
  3. Enter a name for the organizational unit.
  4. Specify a directory location for the entry. ou=People is a common location for adding new organizational units. Choose This Organization to specify the DN for an organizational unit directly under the root entry. Choose Other to specify the DN for a location under a different root entry.
  5. Click Continue to submit the new organizational unit entry (to cancel the operation, use the browser's Back button). The New Organizational Unit window appears.
  6. Fill in the information fields for the new organizational unit and click the Save New Organizational Unit button at the top of the window. The gateway confirms that the new entry has been added and displays all information fields that can be modified.

There are many methods of setting up the directory tree structure for an enterprise. For detailed information, refer to the Netscape Directory Server Deployment Guide.

Adding an Organization Entry

An organization can only be added when the directory is initially populated. Organizations added must match the directory tree structure specified during directory server installation. The New Entry form cannot be used to create a new root entry.

  1. Click the New Entry tab to bring up the New Entry form.
  2. For type of entry, select Organization.
  3. Enter a name for the organization.
  4. Specify a directory location for the entry. The DN specified must appear under the root entry specified during directory server installation. For example, if the root entry is o=Airius.com, then the DN must include o=Airius.com.
  5. Click Continue to submit the new organization entry (to cancel the operation, use the browser's Back button). A New Organization window appears.
  6. Fill in the information fields for the new organization and click the Save New Organization button at the top of the window. The gateway confirms that the new entry has been added and displays all information fields that can be modified.

 

© Copyright 1999 Netscape Communications Corporation