iPlanet Directory Server Access Management Edition Administration Guide



Chapter 20       User Attributes


User attributes are housed in two places: the Service Management and User Management windows. The Service Management window contains default attributes for registered organizations. The User Management window contains user entry attributes.



Service Management Attributes

The User Attributes in the Service Management window are dynamic attributes. The values applied to dynamic attributes are assigned to a role or an organization that is configured in DSAME. When the role is assigned to a user or a user is assigned to the organization, the dynamic attributes become a characteristic of the user. The User Attributes are divided into:

Default user values are set in Service Management for all DSAME registered organizations. These values can be set differently for separate organizations by registering the user service to the specific organization, creating a template and inputting a value other than the default value.


User Preferred Language

This field specifies the user's choice for the text language displayed in the DSAME console. The default value is en. This value maps a set of localization keys to the user session so that onscreen text appears in a language appropriate for the user.


User Preferred Timezone

This field specifies the time zone in which the user accesses the DSAME console. There is no default value.


Inherited Locale

This field specifies the locale for the user. The default value is en_US. Any value from Table 9-1 can be used.


Admin DN Starting View

If this user is a DSAME administrator, this field specifies the node that would be the starting point displayed in the DSAME console when this user logs in. There is no default value. A valid DN for which the user has, at the least, read access can be used.



Caution

If the Top Level Administrator wishes to assign a user the administration privileges to two different groups, the Admin DN Starting View should be specified as the DN of the level above BOTH groups. This holds true for any entries at the same level such as organizations, groups, or People Containers. This action could result in the user being able to manage an organization, group, or People Container that is not specifically assigned to them. It is up to the Top Level Administrator to decide on the ACI model and where to define the DN Starting View.




Default User Status

This option indicates the default status for any newly created user. This status is superseded by the User Entry status. Only active users can authenticate through DSAME. The default value is Active. Either of the following can be selected from the pull-down menu:

  • Active - The user can authenticate through DSAME.

  • Inactive - The user cannot authenticate through DSAME, but the user profile remains stored in the directory.

The individual user status is set by registering the User service, choosing the value, applying it to a role and adding the role to the user's profile.


User Auth Modules

This option specifies individual user authentication modules to be accessed when the "User Based Auth" option is chosen in Core Authentication. The user will be presented with the configured authentication module(s) after entering the user id. The administrator can select one or more authentication services (from Anonymous, Certification, LDAP, Membership, RADIUS, SafeWord, and Unix) for the user to authenticate through.



Note: Currently, the SafeWord authentication service is supported only on the Solaris platform. The Unix authentication service is not supported on Windows 2000.





User Profile Attributes



The User Profile Attributes are default attributes for user profiles. These values are set in the User Profile view by an administrator or by the user when they log on. Administrators can add their own user attributes to the user profile or create a new service. For more information, see the iPlanet Directory Server Access Management Edition Programmer's Guide.



Note: DSAME does not enforce uniqueness for attributes within user entries. For example, userA and userB are both created in the same organization. For both, the email address attribute can be set to jimb@madisonparc.com. The administrator can configure iPlanet Directory Server's attribute uniqueness plug-in to help enforce unique attribute values. For more information, see Unique User IDs at the end of this chapter or the iPlanet Directory Server Administrator's Guide.




Home Address

This field can take the home address of the user.


User Status

This option indicates whether the user is allowed to authenticate through DSAME. Only active users can authenticate through DSAME. The default value is Active. Either of the following can be selected from the pull-down menu:

  • Active - The user can authenticate through DSAME.

  • Inactive - The user cannot authenticate through DSAME, but the user profile remains stored in the directory.



Note: Changing the user status to Inactive only affects authentication through DSAME. The Directory Server uses the nsAccountLock attribute to determine user account status. User accounts inactivated for DSAME authentication can still perform tasks that do not require DSAME. To inactivate a user account in the directory, and not just for DSAME authentication, set the value of nsAccountLock to false. If delegated administrators at your site will be inactivating users on a regular basis, consider adding the nsAccountLock attribute to the iDSAME User Profile page. See the iPlanet Directory Server Access Management Edition Programmer's Guide for details.




First Name

This field takes the first name of the user. (The First Name value and the Last Name value identify the user in the Currently Logged In field in the upper right corner of the DSAME console.)


Last Name

This field takes the last name of the user. (The First Name value and the Last Name value identify the user in the Currently Logged In field in the upper right corner of the DSAME console.)


Full Name

This field takes the full name of the user.


Password

This field takes the password for the name specified in the UserId field.


Confirm Password

Password type attributes automatically set this field.


Email Address

This field takes the email address of the user.


Employee Number

This field takes the employee number of the user.


Telephone Number

This field takes the telephone number of the user.


Roles For This User

This field takes the valid DN for the roles that are applied to the user.


Groups for this User

This field takes the DN of the groups of which this user is a member.


Account Expiration Date

If this attribute is present, the authentication service will check the date and disallow login if the user's account life is earlier than the current date. The format for this attribute is as follows:

(mm/dd/yy hh:mm)



Note: There is no error checking on syntax for this attribute. If the value is incorrect, the user will not be able to log in until it is corrected.
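
Added example (not part of the guide): because DSAME performs no syntax checking on this attribute, a candidate value can be validated before it is written to the user entry. The sketch assumes the value is stored without the parentheses and that hh is a 24-hour clock; check_expiration is a hypothetical helper name and the candidate values are constructed.

```python
import re
from datetime import datetime

# Assumptions (the guide does not say): the stored value omits the
# parentheses, and hh is a 24-hour clock.
_SHAPE = re.compile(r"\d{2}/\d{2}/\d{2} \d{2}:\d{2}", re.ASCII)

def check_expiration(value, now):
    """Classify a candidate value as ("invalid", reason), ("expired", dt) or ("ok", dt)."""
    if not _SHAPE.fullmatch(value):
        # strptime alone would accept "5/9/02 8:00"; require the exact shape first.
        return ("invalid", "not in mm/dd/yy hh:mm form")
    try:
        # Rejects impossible values such as month 13, 02/30 or hour 25.
        dt = datetime.strptime(value, "%m/%d/%y %H:%M")
    except ValueError as exc:
        return ("invalid", str(exc))
    # Per the guide, login is disallowed once the date is earlier than the current date.
    return ("expired", dt) if dt < now else ("ok", dt)

# Constructed candidate values, checked against a fixed "now" for repeatability.
NOW = datetime(2002, 5, 9, 12, 0)
CANDIDATES = ["12/31/02 23:59", "01/01/02 00:00", "5/9/02 8:00",
              "02/30/02 08:00", "2002-12-31 23:59"]

if __name__ == "__main__":
    for value in CANDIDATES:
        print(f"{value!r:22} -> {check_expiration(value, NOW)}")
```

Python's %y maps two-digit years 00-68 to 2000-2068 and 69-99 to 1969-1999, which may differ from how the authentication service interprets them.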





Unique User IDs

In order to enforce uid uniqueness within the DSAME application, the plug-in, available in iPlanet Directory Server, must be configured as follows:

dn: cn=uid uniqueness,cn=plugins,cn=config
objectClass: top
objectClass: nsSlapdPlugin
objectClass: extensibleObject
cn: uid uniqueness
nsslapd-pluginPath: /ids908/lib/uid-plugin.so
nsslapd-pluginInitfunc: NSUniqueAttr_Init
nsslapd-pluginType: preoperation
nsslapd-pluginEnabled: on
nsslapd-pluginarg0: attribute=uid
nsslapd-pluginarg1: markerObjectClass=nsManagedDomain
nsslapd-plugin-depends-on-type: database
nsslapd-pluginId: NSUniqueAttr
nsslapd-pluginVersion: 5.1
nsslapd-pluginVendor: Sun | Netscape Alliance
nsslapd-pluginDescription: Enforce unique attribute values

It is recommended that the nsManagedDomain object class is used to mark the organization in which uid uniqueness is desired. The plug-in is not enabled by default.

To configure the uniqueness of uids per organization, either add the DN for each organization in the plug-in entry or use the marker object class option and add nsManagedDomain to each top level organization entry.

nsslapd-pluginEnabled: on
nsslapd-pluginarg0: attribute=uid
nsslapd-pluginarg1: markerObjectClass=nsManagedDomain
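
Added example (not from the guide): the plug-in is registered as a preoperation plug-in, so it vets writes as they arrive; an LDIF export taken before enabling it can be audited for uids that already collide inside an organization marked with nsManagedDomain. The LDIF reader is deliberately minimal, the function names are hypothetical, and the o=example.com entries are constructed sample data.

```python
from collections import defaultdict

def parse_ldif(text):
    """Minimal LDIF reader: blank line ends an entry; no base64, folding or comments."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = defaultdict(list)
        for line in block.splitlines():
            key, _, val = line.partition(":")
            entry[key.strip().lower()].append(val.strip())
        if "dn" in entry:
            entries.append(entry)
    return entries

def norm_dn(dn):
    return ",".join(p.strip().lower() for p in dn.split(","))  # no escaped-comma handling

def duplicate_uids(entries, marker="nsManagedDomain"):
    """Return {(marked org DN, uid): [entry DNs]} for uids used more than once.
    The nearest ancestor carrying the marker object class is the uniqueness scope."""
    dns = [(norm_dn(e["dn"][0]), e) for e in entries]
    marked = [dn for dn, e in dns
              if marker.lower() in (oc.lower() for oc in e["objectclass"])]
    seen = defaultdict(list)
    for dn, e in dns:
        scope = max((m for m in marked if dn.endswith("," + m)), key=len, default=None)
        for uid in (e["uid"] if scope else []):
            seen[(scope, uid.lower())].append(dn)
    return {k: v for k, v in seen.items() if len(v) > 1}

# Constructed sample export (not from the guide).
SAMPLE = """\
dn: o=sales,o=example.com
objectClass: nsManagedDomain

dn: o=eng,o=example.com
objectClass: nsManagedDomain

dn: uid=jimb,ou=People,o=sales,o=example.com
uid: jimb

dn: uid=jimb,ou=Contractors,o=sales,o=example.com
uid: JimB

dn: uid=jimb,ou=People,o=eng,o=example.com
uid: jimb
"""

if __name__ == "__main__":
    print(duplicate_uids(parse_ldif(SAMPLE)))
```

The jimb entry under o=eng is not reported because it sits in a different marked organization from the two colliding entries under o=sales.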


Copyright © 2002 Sun Microsystems, Inc. All rights reserved.

Last Updated May 09, 2002