Previous Contents Index Next |
iPlanet Directory Server Access Management Edition Installation and Configuration Guide |
Chapter 5 Using an Existing Directory Server
If you're using an existing Directory Server that is already provisioned with users, you must make several changes in your Directory Information Tree (DIT) before iPlanet Directory Server Access Management Edition (DSAME) will recognize your user data. The number and scope of changes you must make will depend upon how your existing DIT is structured, and upon how you plan to use DSAME.This chapter provides instructions for installing DSAME services against an existing directory that contains user data. It also explains how to configure DSAME to work with your DIT, and how to make the necessary changes to your existing directory entries.
Topics in this chapter include:
Before You Begin
Step 1: Install Directory Server 5.1 and Configure it to Work with DSAME
Step 2: Install DSAME Services
Step 3: (Optional) Add Your Custom Object Classes to DSAME Schema
Step 4: (Optional) Configure Alternative Naming Attributes
Step 5: Load DSAME LDIF into Your Directory
Step 6: Load DSAME Service Attributes into Your Directory
Step 7: (Optional) Add DSAME ACIs to Your Default Organization
Step 9: Add DSAME Object Classes and Attributes to Existing Directory Entries
Before You Begin
The requisite directory modifications are complex. They require a high level of expertise in LDAP planning and implementation, as well as some familiarity with XML. The procedures are complicated and can be time-consuming. Be sure to plan accordingly for this phase of deployment.
Note If you do not already have an existing directory that is provisioned with users, you do not need to perform the steps described in this chapter. See "Simple Installations With No Existing Directory Server".
Supported DITs and Unsupported DITs
While DSAME can be reconfigured to support most existing DITs, in some situations reconfiguration may not be recommended. To determine whether your DIT may be compatible with DSAME, see "DITs That Cannot Be Managed by DSAME".
Background for Examples Used in This Chapter
In order to illustrate the types of changes you'll need to make to your directory, we'll use a simple DIT for a fictitious company. The directory entries for this company, represented by o=madisonparc, contain two custom object classes. These are object classes that are not already defined in DSAME schema. If your DIT contains custom object classes, you'll also need to make changes to the DSAME XML files.
Basic DIT Structure
The examples used in this chapter are based on a simple DIT for a fictitious company. Figure 5-1 shows two organizations, Engineering and Sales, under the root. All groups in this example are static groups. This means that entries for these groups use the groupOfUniqueNames object class, which contains values naming the members of the group.
Figure 5-1    Directory Information Tree (DIT) used in examples in this chapter.
The following summarizes the use of groups in this sample DIT:
There is one group containing the administrators for Engineering, and one group with the administrators for Sales.
Very simple ACIs are set for the groups Engineering and Sales to allow members of these groups to manage their respective organizations.
In each organization, there is a group that contains non-administrator users.
There is another group at the root level, or top level. It contains all users in the directory.
Custom Object Classes
The fictitious company used in this example uses two object classes that are not included in the DSAME schema nor in the Directory Server 5.1 schema. An auxiliary object class madisonparc-org is in every organization entry, and an auxiliary object class madisonparc-user is in every user entry. In order to manage these extensions, changes must be made in the following three files:These changes are described in detail in the section "Step 3: (Optional) Add Your Custom Object Classes to DSAME Schema". If you use custom object classes in your existing directory, you will need to make similar changes.
Step 1: Install Directory Server 5.1 and Configure it to Work with DSAME
DSAME will work only with iPlanet Directory Server 5.1. If you have a pre-5.1 version installed, you must upgrade to version 5.1 and migrate your data before you can install DSAME services. If your existing directory uses Directory Server 5.1, you'll need to install only DSAME schema. In either case, follow these instructions.
Step 1a: Back Up Your Directory Data
For detailed information on backing up your directory, see the iPlanet Directory Server Installation Guide at:http://docs.iplanet.com/docs/manuals/directory.html
Step 1b: Install and Configure Directory Server 5.1 with DSAME Schema
You must have root permissions when you run the DSAME installation program. Be sure all web browsers are closed before starting the installation program.
If you're installing DSAME from the product CD, insert the CD into the drive of the system on which you want to install the software.
Run the aminstall program. On the product CD, you'll find the program in the directory /cdrom/DSAME_51. If you've downloaded the product binaries, you'll find the program in the directory where you untarred the binary files.
- If you've downloaded the product, unpack the product binaries file using the following command:
- gunzip -dc dsame-5.1-domestic-us.sparc-sun-solaris2.8.tar.gz | tar -xvof -
Read the License Agreement. At the prompt, Do you agree to the license terms? enter y for Yes.
- At the command line, enter aminstall.
- The aminstall command accepts the -v [verbose] option. The verbose option gives brief progress messages as the actions of the install program take place. Otherwise, installation messages are written to log files in the following directory:
- /var/opt/SUNWam/install
Do you wish to continue this installation without the required patches? Enter y for Yes to proceed with the installation. If you wish to install the patches, then enter n for No. For information on installing patches see "Patch Clusters for Solaris".
In the Installation Directory window, provide the following information, and then click Next:
- Select which component to install: Enter 2.
- What directory do you want to install the Directory Server in? Enter the path to the directory where Directory Server will be installed. Do not install Directory Server in the same directory as DSAME Services. Ideally, you would install DSAME Services and Directory Server on different computer systems.
- <Path> does not exist, create? If this prompt displays, DSAME can automatically creates a new for you. Enter y for Yes.
- What is the host name of the machine where the Directory Server will run? For example, in the fully qualified domain name mymachine.organizationname.madisonparc.com, the host computer system name is mymachine.
- What is the sub-domain name ("." for none)? For example, in the name mycomputer.organizationname.madisonparc.com, the sub-domain name is organizationname. If your host computer does not have a sub-domain, enter a period (.).
- What is the domain name? For example, in the name mycomputer.organizationname.madisonparc.com, the domain name is madisonparc.com
- What port should the LDAP server use? The following is an excerpt from iPlanet Directory Server Installation Guide regarding this topic:
- "Port numbers can be any number from 1 to 65535. Keep the following in mind when choosing a port number for your Directory Server:
The standard Directory Server (LDAP) port number is 389.
Port 636 is reserved for LDAP over SSL. Therefore, do not use port number 636 for your standard LDAP installation, even if 636 is not already in use. You can also use LDAP over TLS on the standard LDAP port.
Make sure the ports you choose are not already in use.
If you are using both LDAP and LDAPS communications, make sure the port numbers chosen for these two types of access are not identical."
Enter 5 to exit the installation program.
- Directory Server Administration userid: Administration Server user ID is used only when the Directory Server is down and you are unable to log in as the configuration directory administrator. The existence of this user ID means that you can access Administration Server and perform disaster recovery activities such as starting Directory Server, reading log files, and so forth.
- Normally, Administration Server user and password should be identical to the configuration directory administrator ID and password.
- Admin password (8 chars minimum): Enter a password for the Directory Server administrator.
- Re-enter Admin password: Enter the password again to confirm it.
- What is the Directory Server admin port? The default port number is 58900
- System User: This is the user the server runs as. Example: nobody
- System Group: This is the group to which the user (above) belongs. Example: nobody.
- What is the root suffix of your directory tree? This is the root suffix of your existing directory tree. Enter a distinguished name (DN) that includes at least one type=value pair.
- Examples:
- o=isp
- o=madisonparc
- dc=sun,dc=com
- Do you want to configure this Directory Server for use by DSAME? Enter y for yes.
- Directory Manager DN: The Directory Server administrative user, or Directory Manager, is the administrator who has unlimited access to Directory Server data and configuration. The default DN for the Directory Manager is cn=Directory Manager. Enter the DN you specified when you first installed Directory Server.
- Directory Manager password (8 chars minimum): Enter a password for the Directory Manager. Confirm the password when prompted.
- Do you want to start the iPlanet Directory Server Access Management Edition Directory Server when installation is complete? If you enter y for Yes, then Directory Server will automatically start up immediately after installation. If you enter n for No, then you must restart Directory Server manually after installation.
- To restart Directory Server, with root permissions, enter the commands:
- cd Directory_Server_root/slapd-instance_name
- start-slapd
- Are all settings correct? Confirm that the settings you've entered are correct. If they are not, choose n for No and the installation program will prompt you for the setting information again.
Step 1c: Migrate Existing Data to Directory Server 5.1
In this step, you will update your pre-5.1 data to work with Directory Server 5.1. This process, called migration, is performed by running the migrateInstance5 script that comes with Directory Server. The migration script performs the following tasks in sequence:
Checks the schema configuration files, and notifies you of any changes between the standard configuration files and the ones present on your system.
Creates a database for each suffix stored in the legacy Directory Server. (In Directory Server 5.0 you can have multiple databases, but just one suffix per database).
Migrates the server parameters and database parameters. (In Directory Server 5.0, these are stored as LDAP entries in the dse.ldif file.)
Migrates user-defined schema objects.
Migrates standard server plug-ins.
Migrates the certificate database, and SSL parameters.
Note Your existing user data must be migrated to Directory Server 5.1 before you go on to Step 2. Otherwise, DSAME may not be able to recognize your existing user data.
- You must run the script on the system where your existing Directory Server is installed. You must shut down your directory service before running the migration script. For detailed migration instructions, see the iPlanet Directory Server Installation Guide at: http://docs.iplanet.com/docs/manuals/directory.html
- Once you've migrated your data to Directory Server 5.1, you can skip to "Step 1e: Back Up Your Existing Data".
Note The instructions in this section, Step 1d, assume that you have already deployed and provisioned Directory Server 5.1, but your existing directory tree does not contain DSAME 5.1 schema.
You must have root permissions when you run the DSAME installation program. Be sure all web browsers are closed before starting the installation program.
If you're installing DSAME from the product CD, insert the CD into the drive of the system on which you want to install the software.
Run the aminstall program. On the product CD, you'll find the program in the directory /cdrom/DSAME_51. If you've downloaded the product binaries, you'll find the program in the directory where you untarred the binary files.
- If you've downloaded the product, unpack the product binaries file using the following command:
- gunzip -dc dsame-5.1-domestic-us.sparc-sun-solaris2.8.tar.gz | tar -xvof -
Read the License Agreement. At the prompt, Do you agree to the license terms? enter y for Yes.
- At the command line, enter aminstall.
- The aminstall command accepts the -v [verbose] option. The verbose option gives brief progress messages as the actions of the install program take place. Otherwise, installation messages are written to log files in the following directory:
- /var/opt/SUNWam/install
When the following message displays, enter 3.
Provide the following information when prompted:
When the following message is displayed, enter 5 to exit the program.
- What is the host name of the machine where the iPlanet Directory Server is located? Enter the host name of the computer system where your existing Directory Server is installed.
- What is the sub-domain name ("." for none)? For example, in the name mycomputer.organizationname.madisonparc.com, the sub-domain name is organizationname. If your host computer does not have a sub-domain, enter a period (.).
- What is the domain name? For example, in the name mycomputer.organizationname.madisonparc.com, the domain name is madisonparc.com
- What port should the LDAP server use? Enter the port number used by the your existing Directory Server.
- What directory is the Directory Server installed in? Enter the full path to the directory where the your existing Directory Server is installed.
- What is the Directory Server Instance? Enter the instance identifier for the existing Directory Server.
- Will you be using an existing DIT and schema? Enter n for No.
- Do you want to restart the Directory Server when configuration is complete? Enter y for Yes.
- Are all settings correct? Enter y for Yes.
Step 1e: Back Up Your Existing Data
Back up your existing DIT before proceeding further with the other steps. Many of the changes described in this chapter must be done manually and can be error-prone.For detailed information on backing up your directory, see the iPlanet Directory Server Installation Guide at:
http://docs.iplanet.com/docs/manuals/directory.html
Step 2: Install DSAME Services
You must have root permissions when you run the DSAME installation program. Be sure all web browsers are closed before starting the installation program.
Run the aminstall program. On the product CD, you'll find the program in the directory /cdrom/DSAME_51. If you've downloaded the product binariers, you'll find the program in the directory where you untarred the binary files.
Read the License Agreement. When prompted, Do you agree to the license terms? Enter y for Yes.
- At the command line, enter aminstall.
- The aminstall command accepts the following -v [verbose] option. The verbose option gives brief progress messages as the actions of the install program take place. Otherwise, installation messages are written to log files in the following directory:
- /var/opt/SUNWam/install
If the following message does not display, then skip to step 4.
If the above message above is displayed, and you want to re-install components listed in the message, then enter 1 to remove the existing components. After uninstallation, the installation program will automatically start again from the beginning.
The following options are displayed.If the above message above is displayed, and you want to install components that are not listed in the message, then enter 2 to proceed to the next step.
- When prompted, provide the following information:
- Select which component to install: Enter 1.
- Do you want to install the DSAME Management and Policy Services on iPlanet Application Server? By default, DSAME will be installed with its own Web Server which will power the DSAME services and user interface.
If you want to use the default Web Server that comes with DSAME, enter No, and then skip to Step 5.
If you're using Application Server instead of the default Web Server that comes with DSAME, then skip to Step 6.If you want to use Application Server instead of the default Web Server to run DSAME services, and Application Server is already installed and running, provide the following information when prompted:
- What directory is the iPlanet Application Server installed in? Enter the full path to the directory where Application Server is installed.
- What is the host name of the machine running the iPlanet Application Server Webserver? This is the computer system where DSAME components and a either dedicated web Server or Application Server are installed together. In the name mycomputer.organizationname.madisonparc.com, the host name is mycomputer.
- What is the sub-domain name ("." for none)? For example, in the name mycomputer.organizationname.madisonparc.com, the sub-domain name is organizationname. If your host computer does not have a sub-domain, enter a period (.).
- What is the domain name? For example, in the name mycomputer.organizationname.madisonparc.com, the domain name is madisonparc.com
- What is the iPlanet Application Server Webserver port? Enter a port number for the Application Server that runs the DSAME services.
- Will you be using an existing DIT and schema? Enter y for Yes.
- What is the root suffix of your directory tree? This is the DSAME root suffix, or the point in your directory where you want DSAME to start managing entries. Enter a distinguished name (DN) that includes at least one type=value pair.
- Examples:
- o=isp
- o=madisonparc
- dc=sun,dc=com
Note The default organization uses the organization (o) object class. If you want to use a different naming attribute such as dc, you must follow the installation instructions in Chapter 5 "Using an Existing Directory Server".
- What is your organization name? Enter a name for the first organization to be created in your DSAME Directory Information Tree (DIT). This name will be displayed in the DSAME graphical user interface. Examples: iPlanet or iplanet.com.
- If you want the default organization to be the root suffix, enter a period (.).
- Is the existing iPlanet Directory Server installed on a local host or on a remote host? Enter l for Local if the Directory Server is installed on the same computer system as DSAME (it's "local" relative to DSAME). Enter r for Remote if the Directory System is installed on a different computer system, or remote from, the computer that runs DSAME services.
- What is the Directory Server Instance? Enter the instance identifier for the existing Directory Server.
- What port should the LDAP server use? Enter the port number used by the your existing Directory Server.
- Directory Manager DN: The Directory Server administrative user, or Directory Manager, is the administrator who has unlimited access to Directory Server data and configuration. The default DN for the Directory Manager is cn=Directory Manager. Enter the DN you specified when you first installed Directory Server.
- Directory Manager password (8 chars minimum): Enter a password for the Directory Manager.
- Re-enter Directory Manager password: Enter the password again to confirm it.
- The Top Level Administrator user id is: This is the Administrator who has unlimited access to all entries managed by DSAME. The Top Level Administrator user id is hardcoded amAdmin. This ensures that the DSAME administrator role and its privileges are created and mapped properly in the Directory Server so that you can log into DSAME product immediately after installation.
- Admin password (8 chars minimum): Enter a password for the Super Administrator.
- Re-enter Admin password: Enter the Super Administrator password again to confirm it.
- Do you want to start the iPlanet Directory Server Access Management Edition Server when installation is complete? If you enter y for Yes, DSAME will automatically start up immediately after installation. If you enter n for No, you must start DSAME manually after installation.
- To start DSAME manually, perform the following:
Are all settings correct? If the settings displayed are not correct, enter n for No and the installation program will start again from close to the beginning. If the settings are correct, enter y for Yes to continue with the installation.
- If you're using the default Web Server that comes with DSAME, provide the following information when prompted:
- What directory do you want to install the Management and Policy Services in? Enter the path to the directory where DSAME Services will be installed. Plan to install the DSAME Services and Directory Server in different directories. Ideally, you would install DSAME Services and Directory Server on different computer systems.
- Do you want to use the existing JDK? Java support in DSAME requires Java Development Kit (JDK) of version 1.3.1 or higher. While a default JDK is provided, you can use your own JDK with the Web Server. If you want to use your own JDK version, then enter n for No and then enter the full path to the version of JDK you want to use. Otherwise, enter y for Yes.
- What is the host name of the machine where the DSAME Management and Policy Services will run? This is the computer system where DSAME components and Web Server are installed together. In the name mycomputer.organizationname.madisonparc.com, the host name is mycomputer.
- What is the sub-domain name ("." for none)? For example, in the name mycomputer.organizationname.madisonparc.com, the sub-domain name is organizationname. If your host computer does not have a sub-domain, enter a period (.).
- What is the domain name? For example, in the name mycomputer.organizationname.madisonparc.com, the domain name is madisonparc.com
- What is the DSAME Management and Policy Services port? Enter a default port number 58080 for the Web Server that runs the DSAME services.
- Web Server Administration user id: This is the server administrator who has access to the Web Server that runs DSAME services.
- Admin password (8 chars minimum): Enter a password for the Web Server Administrator.
- Re-enter Admin password: Re-enter the Web Server password to confirm it.
- What is the Web Server admin port? Enter the default port number 58888
- System User: This is the user the Directory Server will run as. If you have a Directory Server already running, enter the same System User used by that Directory Server. Example: nobody
- System Group: This is the group the user (above) belongs to. Example: nobody
- Will you be using an existing DIT and schema? Enter y for Yes.
- What is the root suffix of your directory tree? This is the DSAME root suffix, or the point in your directory where you want DSAME to start managing entries. Enter a distinguished name (DN) that includes at least one type=value pair.
- Examples:
- o=isp
- o=madisonparc
- dc=sun,dc=com
- If you want the default organization to be the root suffix, enter a period (.).
Note The default organization uses the organization (o) object class. If you want to use a different naming attribute such as dc, you must follow the installation instructions in Chapter 5 "Using an Existing Directory Server".
- What is your organization name? Enter organization name with naming attribute prefixed. Example: o=iplanet.com or dc=iplanet.com.
- Is the existing iPlanet Directory Server installed on a local host or on a remote host? Enter l for Local if the Directory Server is installed on the same computer system as DSAME (it's "local" relative to DSAME). Enter r for Remote if the Directory System is installed on a different computer system, or remote from, the computer that runs DSAME services.
- What is the Directory Server Instance? Enter the instance identifier for the existing Directory Server.
- What port should the LDAP server use? Enter the port number used by the your existing Directory Server.
- Directory Manager DN: The Directory Server administrative user, or Directory Manager, is the administrator who has unlimited access to Directory Server data and configuration. The default DN for the Directory Manager is cn=Directory Manager. Enter the DN you specified when you first installed Directory Server.
- Directory Manager password (8 chars minimum): Enter a password for the Directory Manager.
- Re-enter Directory Manager password: Enter the password again to confirm it.
- What is the deployment URI prefix for the DSAME Management and Policy Services? The Universal Resource Identifier (URI) prefix tells the Web Server where to look for HTML pages associated with a DSAME service and also for other web application specific information like classes and jars. Enter the URI prefix specified during DSAME installation. The default is /amserver
- What is the deployment URI prefix for the DSAME Administration Console? The Universal Resource Identifier (URI) prefix tells the Web Server or Application Server where to look for HTML pages that the administration console needs to display and also for other web application specific information like classes and jars.
- The default URI prefix is amconsole. You can enter a different name.
- The Top-Level Administrator user id is: This is the Administrator who has unlimited access to all entries managed by DSAME. The Top-Level Administrator user id is hardcoded amAdmin. This ensures that the DSAME administrator role and its privileges are created and mapped properly in the Directory Server so that you can log into DSAME product immediately after installation. Since this is an administrator role, you can add other users to this role after installation.
- Admin password (8 chars minimum): Enter a password for the Super Administrator.
- Re-enter Admin password: Enter the Super Administrator password again to confirm it.
- Do you want to start the iPlanet Directory Server Access Management Edition Server when installation is complete? If you enter y for Yes, DSAME will automatically start up immediately after installation. If you enter n for No, you must start DSAME manually after installation.
- To start DSAME manually, at the command line enter the following command:
- /DSAME_root/SUNWam/bin/amserver start
- Select which component to install: When you see the following options displayed, enter 5 to exit the installation program.
Step 3: (Optional) Add Your Custom Object Classes to DSAME Schema
If your existing DIT contains object classes you've created and that do not come with Directory Server, then you'll have to add those object classes and attributes to the DSAME schema. For background information, see"Understanding DSAME XMLs and DTDs" in the Programmer's Guide.If you do not use custom object classes in your DIT, this step is not necessary. Skip to "Step 5: Load DSAME LDIF into Your Directory".
In the examples in this section, the company Madison Park uses two object classes that do not come with the DSAME schema. An auxiliary object class madisonparc-org is in every organization entry, and an auxiliary object class madisonparc-user is in every user entry.
In order to manage these extensions, changes must be made in the following three files:
Step 3a: Add Attributes to the Organization Schema
In this step, you will modify two services files:The DSAME console uses the information in amEntrySpecific.xml for display purposes. Each DSAME abstract entry may have a subschema in this XML file. In the following example, you would add the two attributes from the madisonparc-org object class to the organization subschema. If the DIT contained customized organizational units, groups, or people containers, you would add or modify their subschemas in the same XML file.
The subschema name for an organizational unit will be OrganizationalUnit. The subschema name for a people container will be PeopleContainer.
Note The User subschema is not configured here in the amEntrySpecific.xml file, but in the amuser.xml file (see "Step3b: Add Attributes to the User Schema".) Although any service XML file may describe an attribute that is for a user only, the amentryspecific.xml file can serve as a default place holder for user attributes that are not tied to a particular service.
To Add Attributes from a Custom Organization to the Organization Subschema
Note In XML, attribute names must be all lowercase. When DSAME retrieves attributes names from Directory Server, it converts all names to lowercase.
In the following file:
All the attributes listed in the subschema are displayed in the Administration Console when the organization is displayed. If an attribute is not listed, the Administration Console will not display the attribute.
Also in the amEntrySpecific.xml file, create internationalization (i18n) keys (also called index keys or localization keys) for each attribute. All i18n Keys in an organization must be made up of unique strings. The DSAME Administration Console will use this key to look up the display name for the attribute.
- DSAME_root/SUNWam/config/xml/amEntrySpecific.xml
- add the attributes from the custom object class to the subschema Organization. For example, the following two attributes from the custom object class madisonparc-org were added to the file.
<AttributeSchema name="madisonparc-org-description" type="single" syntax="string" any="required" /> <AttributeSchema name="madisonparc-org-city" type="single" syntax="string" any="required|filter" />
In the following file, add the values for i18n Keys you created in Step 2:
The "any" attribute
The any attribute in the XML descriptions may have five possible values: filter, display, adminDisplay, userReadOnly, required, or optional. The values tell the Console whether the attribute should appear in the GUI. Typically, required and optional are not both displayed at the same time; they are mutually exclusive.filter. The attribute is displayed in a search page.
display. The attribute is read/write for administrators and regular users.
adminDisplay. The attribute is read/write for administrators and is not displayed for regular users.
userReadOnly. The attribute is read/write for administrators but is readonly for regular users. It is displayed as a label for regular users so that it is not editable.For e.g. the display, adminDisplay, and userReadOnly settings are usedwhen displaying the user profilepage and can be used to customize the page.
required.The attribute is displayed in the create page and requires a value during creation of the entry. If any=required, the attribute must have a value or the Console will not allow the Create operation. Use an empty string (" ") to tell the Administration Console to display nothing.
optional.The attribute is displayed in the create page but does not require a value during creation of the entry. If any=optional, the attribute will appear on the Create page without an asterisk. This would indicate that you don't have to give it a value to create the entry. In the Create User page, the UserId is a required attribute but the First Name is optional.
In the following example, both attributes will be displayed on the Organization page, and both attributes are required for creation. This is indicated by the use of the required value. Only the madisonparc-org-city attribute will be used on the Search page in DSAME Administration Console, as indicated by the use of the filter value.
The "type" attribute
The type attribute can use a string, string list, single choice, multiple choice, or boolean value. For example, if the madisonparc-org-city attribute can have only one of the cities Concord, San Francisco, or Palo Alto, as a valid value, then you would make this attribute a single choice; each city would be one of the choices. The DSAME Administration Console would display a list containing only these cities. If multiple cities were allowed, the attribute could be a multiple choice.
Step3b: Add Attributes to the User Schema
In this step, you will modify two files for services:The amUser.xml file is where user attributes are described, just as organization and group schema are described in the amEntrySpecific.xml (see Step 2). The file amUser.xml describes the User service for DSAME. Note that any service may describe an attribute that is for a user only. This file is just the default placeholder for user attributes that are not tied to a particular service.
When displaying a user's attributes, the DSAME Administration Console gets all attributes from all services that are subschema type User, and displays them using the same values as used in the amEntrySpecific.xml file (see "The "any" attribute" and "The "type" attribute"). In the following examples, a few attributes from the madisonparc-user object class are added to the file, thus it is not necessary to create a new service. It's only necessary to modify, or extend, the iplanetamuserservice.
Additional Notes About the amUser.xml File
The file amUser.xml contains a special attribute. The any=display attribute tells DSAME whether to display the attribute in the user profile page. This is a misleading name since it implies access control. It is strictly used for display. If this attribute is set to no then the console will not display the attribute.Also note that the attributes are defined under subschema User and not Dynamic. Any attribute defined under User is physically an attribute in the user entry. If you want the attribute to be a role-based or organization-based attribute, then you would define it under the Dynamic subschema. For background information, see"Understanding DSAME XMLs and DTDs" in the Programmer's Guide.
For example, you could make the madison-user-building attribute Dynamic, and have DSAME create a role with this attribute. This way if all employees in a division moved to a different building, you would only have to modify the role attribute instead having to modify of every single user entry.
To Add Attributes from a Custom Organization to the User Subschema
In the following file, add the attributes from the custom object class to the User subschema:
For example, the following two attributes from the custom object class madisonparc-user were added to the file:
In the amUser.xml file, create i18n Keys (also called index keys or localization keys) for each attribute. All i18n Keys in an organization must be made up of unique strings. The DSAME Administration Console will use this key to look up the display name for the attribute. See the example above.
Add values for the i18n Keys created in the previous step to the following file: DSAME_root/SUNWam/locale/amUser.properties
- Example:
- The value is the exact field to be displayed on the administration console page; the key will be localized for the locale. In this example, the administration console will display the text fields "User Id" and "Employee Building."
Step 3c: Modify the Creation Templates
In this step, you will modify the ums.xml file.In Figure 5-3, the sample DIT has new object classes for both users and organizations. To expose the new object classes in the UI, you would modify the Creation Templates for both users and organizations in the ums.xml file. The Creation Templates configure DSAME to add or allow specific object classes and attributes when these entries are created.
To Modify the Creation Templates
Make the following modifications in the file DSAME_root/SUNWam/config/ums/ums.xml
Under <SubConfiguration name="BasicOrganization" id="CreationUmsObjects">, in the <AttributeValuePair> <Attribute name="required" /> element, add the following:
Under <SubConfiguration name="BasicUser" id="CreationUmsObjects">, in the <AttributeValuePair><Attribute name="optional" /> element, add the following:
- <Value>objectClass=madisonparc-org</Value>
Under <SubConfiguration name="BasicOrganization" id="CreationUmsObjects">, in the <AttributeValuePair> <Attribute name="optional" /> element, add the following:.
- <Value>objectClass=madisonparc-user</Value>
- Example: (Continued)
Under <SubConfiguration name="BasicUser" id="CreationUmsObjects">, in the <AttributeValuePair> <Attribute name="optional" /> element, add the following:
- <Value>madisonparc-org-description</Value>
- <Value>madisonparc-org-city</Value>
- Example:
- <Value>madisonparc-user-id</Value>
- <Value>madisonparc-user-building</Value>
Step 4: (Optional) Configure Alternative Naming Attributes
If you used a naming attribute other than o=organization to define organizations in your DIT, you must modify the ums.xml file to accommodate the non-standard naming attributes. If you used a naming attribute other than uid=username to define users in your DIT, your must make similar modifications in the ums.xml file. For detailed reference information, see "Using Alternative Naming Attributes".
To Configure Alternative Naming Attributes for Organizations
The following steps assume that dc is the naming attribute used for an organization. Perform the modifications in the file:DSAME_root/SUNWam/config/ums/ums.xml
Replace any appearance of o=org with dc=org.
In the BasicOrganization section, replace value of o with dc.
In the BasicOrganizationSearch SubConfiguration section, replace value of o with dc.
In the BasicOrganization section, change the objectClass of organization to domain. If you use ou for an organization, then you need to change it to organizationalUnit.
To Configure Alternative Naming Attributes for Users
The following steps assume that cn is the naming attribute used for users.Make the following modifications in the following directories:
In the file ldif/installExisting.ldif, with two exceptions, replace uid with cn. The exceptions are:
In xml/amAuth.xml, replace uid with cn for user naming attribute.
In xml/amMembership.xml, replace uid with cn for the user naming attribute.
In xml/amAuthLDAP.xml, replace uid with cn for the user naming attribute.
In AMConfig.properties, replace uid=amAdmin with cn=amAdmin.
In ums/ums.xml, in BasicUser subconfiguration, replace uid with cn for namingattribute.
In ums/ums.xml, in BasicUser required values, change cn=default to cn and uid to uid=default.
Step 5: Load DSAME LDIF into Your Directory
The installExisting.ldif file contains DSAME-specific entries that are loaded into Directory Server during installation. Typically, you will not need to modify this file before it gets loaded during the installation process.You can use the ldapmodify utility that comes with Directory Server to load installExisting.ldif. In the MadisonParc example, when you load the LDIF, the following occurs:
Users and marker object classes required for DSAME are added to o=madisonparc and o=Engineering,o=madisonparc
Default roles for organization and help desk administrators are created.
Default Access Control Instructions (ACIs) for those administrator entries are set up.
Make sure that you're using the appropriate version of ldapmodify. Follow these procedures:
Make sure that your path is set to use the ldapmodify command that is shipped with iPlanet Directory Server 5.1. (Do not use the version shipped with Solaris, which is found in /bin or /usr/bin.)
DSAME provides two different LDIF files to help you make the necessary modifications. Determine which file and instructions you should use.You will also need to add /usr/iplanet/servers/lib to your LD_LIBRARY_PATH to pick up Directory Server libraries. At the command line, enter:
If the DSAME default organization is at any level below the root suffix of your directory tree, then use the instructions in the section "To Load the installExisting.ldif File."
If your root suffix is entered as period (.) for the DSAME default organization, then use the instructions in the section "To Load the installrootorg.ldif File."
To Load the installExisting.ldif File
Go to the following directory:
The DSAME administration user amAdmin will be created under the ou=People,o=Engineering,o=madisonparc people container. This is the top level administrator for DSAME. This administrator has read and write access to the entire subtree for o=madisonparc. You can add one of your users to this top level administrator role after the DSAME console is started.
At the command line, enter the following:
- cd DSAME_root/SUNWam/web-apps/services/WEB-INF/config/ldif
- If DSAME is installed on iPlanet Application Server, then go to:
- cd DSAME_root/ias/APPS/modules/amserver/WEB-INF/config/ldif
- ldapmodify -v -c -D "cn=Directory manager" -w password -a -f installExisting.ldif
Note You must specify the -c option. Be sure you install only installExisting.ldif, and no other files in the same directory.
- If you encounter error messages regarding "already existing" entries or values for the default organization, see "Step 7: (Optional) Add DSAME ACIs to Your Default Organization".
Figure 5-2    Directory Information Tree (DIT) Used in Examples in This Chapter.
To Load the installrootorg.ldif File
Go to the following directory:
At the command line, enter the following:
- cd DSAME_root/SUNWam/web-apps/services/WEB-INF/config/ldif
- If DSAME is installed on iPlanet Application Server, then go to:
- cd DSAME_root/ias/APPS/modules/amserver/WEB-INF/config/ldif
Step 6: Load DSAME Service Attributes into Your Directory
You can load the ums.xml file and all services files with the same command.If you see any parsing errors, you should go back and double-check the changes you made in the previous steps. Also examine the syntax in the amUser.xml and amEntrySpecific.xml files, and make sure you've used the correct syntax. If you need to look at syntax examples, look at the other service XML files located in the following directory:
Step 7: (Optional) Add DSAME ACIs to Your Default Organization
You only need to perform this step if, during installation, you specified an existing organization as your default organization. (By default, DSAME creates one new organization with the an RDN o=iplanet. If you accepted the default RDN, skip to the Step 8: Start DSAME.In this step, you will manually add the DSAME default ACIs to the organization you specified as the default, or first, organization.
Copy the DSAME default organization ACIs a text file.
If you loaded the file installExisting.ldif, then copy the ACI's from the following file:
In the directory where your ldapmodify utility is located, enter the following command:If you loaded the file installrootorg.ldif, then copy the ACI's from the following file:
If you loaded the file installrootorg.ldif on Application Server, then copy the ACI's from the following file:
Step 8: Start DSAME
At this point, you can start the DSAME server and you will be able to log in to the DSAME Administration Console as amAdmin user. You should see the root suffix and organization you specified during installation. In the MadisonParc example, you would see o=madisonparc and o=Engineering. You will not be able to see the rest of your entries since they do not yet contain the DSAME marker object classes.
To start DSAME
To start DSAME manually, at the command line enter the following command:/DSAME_root/SUNWam/bin/amserver start
To log into the Administration Console
Go to the appropriate URL:
If DSAME services are running on iPlanet Web Server, go to the login URL using the form:
In the Login page, enter the Top-Level Administrator user id and password you specified at installation.
If DSAME services are running on iPlanet Application Server, go to the login URL using the form:
- http://host.domain:port/amconsole
- where host is the host name of the system, domain is the domain name of the server that runs DSAME services, and port is the DSAME services port number.
- Example: http://tintin.india.sun.com:58080/amconsole
Step 9: Add DSAME Object Classes and Attributes to Existing Directory Entries
In this step, you modify your existing directory entries to include the necessary DSAME object classes and attributes. You can think of the DSAME object classes as markers that indicate the directory entries you want to manage through DSAME. These markers enable DSAME to recognize the entries in your directory. The object classes contain special attributes that are necessary to achieve delegated administration.
Before You Begin
There are a number of resources you can use to facilitate the remaining steps for using an existing directory.
Examples Used in This Section
The examples used in this chapter are based on the MadisonParc DIT. Figure 5-3 shows two organizations, Engineering and Sales, under the root. All groups in this example are static groups.
Figure 5-3    The MadisonParc DIT.
Utilities and Scripts You Can Use
You can make these modifications by using iPlanet Directory Server Console, or by using the ldapmodify or db2ldif utilities that come with Directory Server. For detailed information on how to make directory changes by using the Console or by using these utilities, see the documentation for iPlanet Directory Server at:You can also use the sample scripts that are included in this product. The sample scripts require Perl 5.x or later. You'll find the sample scripts in the following location:
While these samples should prove useful, they are only tools to assist you in properly formatting the DIT and other data. Each script has one or more variables at the top of the file that must be edited before the script is executed. After each script is executed, it generates an LDAP Data Interchange Format (LDIF) file.
If you encounter error messages regarding "already existing" entries or values, you must add the object classes or attributes manually. See the iPlanet Directory Server documentation for detailed instructions.
Steps for using each sample script are included in this chapter in the instructions for marking each object class.
Related Information
Detailed reference information is provided in Appendix A "DSAME ObjectClasses and Attributes." See information on the following topics:
Using DSAME Object Classes as Markers
Using Alternative Naming Attributes
Two Approaches to Modifying the Existing DIT
You can use one of two approaches for modifying the DIT. One option is to make all the necessary modifications to your DIT before loading the DSAME LDIF and XML configuration files. This procedure is more error-prone, but may be faster if you have experience using LDAP.The other option is to make a few modifications in your LDIF and XML files, and then start DSAME to make sure those modifications were done correctly. This second approach is the recommended approach. For example, you may want to add the DSAME object classes for each of your organizations, restart DSAME, and verify that your organizations appear in the DSAME Administration Console. Then add marker classes for groups, check them and so forth.
Step 9a: Mark Organizations
If you used an existing organization as your default organization during installation, you do not have to make these changes. The installation program automatically added these object classes and attributes. Skip to Step 10b.
Add the following object classes to each organization entry:
In the MadisonParc example, these object classes and attributes were automatically added to the default organization, o=Engineering, which was the organization specified and created during DSAME installation. The object classes and attributes were manually added to the o=Sales organization.Add the following attribute to each organization entry:
Example:
To Mark Organizations Using the Sample Script
Copy update-o.pl to the following directory:
Set the $base variable to the base suffix of the DIT to be managed by DSAME. Example: o=madisonparc
In the directory where the script is located, enter the following command:
When prompted, provide the following information:
To check the results, open the ldif file that is created (for example: o-update.ldif) and verify that the appropriate changes were made.
- Enter Host Name: Enter the name of the computer system in which your Directory Server is installed.
- Enter Bind User Name: Enter a username that has sufficient privileges for accessing the entire directory. Example: cn=Directory Manager
- Enter Bind password: Enter the password for the user you specified above.
- Enter port number: Enter the Directory Server port number. Example: 389
Step 9b: Mark People Containers
To each people container, add the iplanet-am-managed-people-container object class.Example:
To Mark People Containers Using the Sample Script
Copy update-people.pl to the following directory:
Set the $base variable to the base suffix of the DIT to be managed by DSAME. Example:
o=madisonparc.In the directory where the script is located, at the command line enter the following:
When prompted, provide the following information:
To check the results, open the LDIF file that is created (for example: people-update.ldif) and verify that the appropriate changes were made.
- Enter Host Name: Enter the name of the computer system in which your Directory Server is installed.
- Enter Bind User Name: Enter a username that has sufficient privileges for accessing the entire directory. Example: cn=Directory Manager
- Enter Bind password: Enter the password for the user you specified above.
- Enter port number: Enter the Directory Server port number. Example: 389
- Enter People Container: Enter the name of the people container that contains the uids you want to modify. Example: People
Step 9c: Mark Organizational Units
To each container that is an organizational unit, add the following object class: iplanet-am-managed-org-unitExample:
To Mark Organizational Units Using the Sample Script
Copy update-ou.pl to the following directory:
Set the $base variable to the base suffix of the DIT to be managed by DSAME. Example: o=madisonparc.
In the directory where the script is located, at the command line enter the following:
When prompted, provide the following information:
To check the results, open the LDIF file that is created (for example: ou-update.ldif) and verify that the appropriate changes were made.
- Enter Host Name: Enter the name of the computer system in which your Directory Server is installed.
- Enter Bind User Name: Enter a username that has sufficient privileges for accessing the entire directory. Example: cn=Directory Manager
- Enter Bind password: Enter the password for the user you specified above.
- Enter port number: Enter the Directory Server port number. Example: 389
Step 9d: Mark Users
To each user entry, add the following object classes:
Example:
To Mark Users Using the Sample Script
Copy udpate-users.pl to the following directory:
Set the $base variable to the base suffix of the DIT to be managed by DSAME. Example: o=madisonparc
Set the $base-component variable to the base suffix of the DIT. Example:
madisonparcIn the directory where the script is located, at the command line enter the following:
When prompted, provide the following information:
To check the results, open the LDIF file that is created (for example: users-update.ldif) and verify that the appropriate changes were made.
- Enter Host Name: Enter the name of the computer system in which your Directory Server is installed.
- Enter Bind User Name: Enter a username that has sufficient privileges for accessing the entire directory. Example: cn=Directory Manager
- Enter Bind password: Enter the password for the user you specified above.
- Enter port number: Enter the Directory Server port number. Example: 389
Step 9e: Mark Static Groups
To each group entry containing values for the uniquemember attribute, add the following object classes:Example
To Mark Static Groups Using the Sample Script
Copy update-static-groups.pl to the following directory:
Set the $base variable to the base suffix of the DIT to be managed by DSAME. Example: o=madisonparc.
In the directory where the script is located, at the command line enter the following:
To check the results, open the LDIF file that is created (for example: static-groups-update.ldif) and verify that the appropriate changes were made.
- perl update-static-groups.pl
- When prompted, provide the following information:
- Enter Host Name: Enter the name of the computer system in which your Directory Server is installed.
- Enter Bind User Name: Enter a username that has sufficient privileges for accessing the entire directory. Example: cn=Directory Manager
- Enter Bind password: Enter the password for the user you specified above.
- Enter port number: Enter the Directory Server port number. Example: 389
Step 9f: Mark Filtered (Dynamic) Groups
In filtered groups, users are included in a single group based on their DN.Add the following object classes (no attribute) to each filtered group:
To Mark Filtered Groups Using the Sample Script
Copy update-filtered-groups.pl to the following directory:
Set the $base variable to the base suffix of the DITto be managed by DSAME. Example: o=madisonparc
In the directory where the script is located, at the command line enter the following:
When prompted, provide the following information:
To check the results, open the LDIF file that is created (for example: update-filtered-groups-update.ldif) and verify that the appropriate changes were made.
- Enter Host Name: Enter the name of the computer system in which your Directory Server is installed.
- Enter Bind User Name: Enter a username that has sufficient privileges for accessing the entire directory. Example: cn=Directory Manager
- Enter Bind password: Enter the password for the user you specified above.
- Enter port number: Enter the Directory Server port number. Example: 389
Step 9g: Mark Assignable Dynamic Groups
An assignable dynamic group is similar to a filtered group, but uses a DN in the user entry to point to the group.Add the following object classes to each assignable dynamic group:
To Mark Assignable Dynamic Groups Using the Sample Script
Copy update-assignable-dynamic-groups.pl to the following directory:
Set the $base variable to the base suffix of the DITto be managed by DSAME. Example: o=madisonparc
In the directory where the script is located, at the command line enter the following:
When prompted, provide the following information:
To check the results, open the LDIF file that is created (for example: assignable-dynamic-groups-update.ldif) and verify that the appropriate changes were made.
- Enter Host Name: Enter the name of the computer system in which your Directory Server is installed.
- Enter Bind User Name: Enter a username that has sufficient privileges for accessing the entire directory. Example: cn=Directory Manager
- Enter Bind password: Enter the password for the user you specified above.
- Enter port number: Enter the Directory Server port number. Example: 389
Step 9h: Mark Group Containers
Group containers are organizational units (ou) that contain groups. To each group container, add the following object class:
To Mark Group Containers Using the Sample Script
Copy update-groups.pl to the following directory:
Set the $base variable to the base suffix of the DITto be managed by DSAME. Example: o=madisonparc.
In the directory where the script is located, at the command line enter the following command:
When prompted, provide the following information:
To check the results, open the LDIF file that is created (for example: groups-update.ldif) and verify that the appropriate changes were made.
- Enter Host Name: Enter the name of the computer system in which your Directory Server is installed.
- Enter Bind User Name: Enter a username that has sufficient privileges for accessing the entire directory. Example: cn=Directory Manager
- Enter Bind password: Enter the password for the user you specified above.
- Enter port number: Enter the Directory Server port number. Example: 389
Step 10: Load the Modified LDIF Files
After you run the scripts in the previous steps, the various LDIF files are created in the same directory where the Perl scripts are run. Until now, no changes have actually been made in the directory. Before loading the modified files into the directory, it is a good practice to inspect the files to make sure that all DSAME object classes and attributes have been properly added to the existing directory entries. Once you're satisfied that the appropriate changes have been made, load each file using the following ldapmodify command:ldapmodify -h hostname -p port -D bind_user, -w password -a -c -f filename.ldif
Results of DSAME and Directory Modifications
After making the modifications in the previous steps, all entries in the DIT will be manageable by DSAME. The existing ACIs for the organization administrators do not have to be modified. Even though DSAME uses roles and ACIs by default, your existing groups and ACIs will still work.You can convert a groups-based DIT to one that leverages roles and ACIs. If you choose to do this, you can use the DSAME organization administrator roles and assign them to your existing organizationList administrators.
Previous Contents Index Next
Copyright 2002 Sun Microsystems, Inc. All rights reserved.
Last Updated May 13, 2002