Chapter 5   Using an Existing Directory Server


If you're using an existing Directory Server that is already provisioned with users, you must make several changes in your Directory Information Tree (DIT) before iPlanet Directory Server Access Management Edition (DSAME) will recognize your user data. The number and scope of changes you must make will depend upon how your existing DIT is structured, and upon how you plan to use DSAME.

This chapter provides instructions for installing DSAME services against an existing directory that contains user data. It also explains how to configure DSAME to work with your DIT, and how to make the necessary changes to your existing directory entries.

Topics in this chapter include:

• Before You Begin

• Step 1: Install Directory Server 5.1 and Configure it to Work with DSAME

• Step 2: Install DSAME Services

• Step 3: (Optional) Add Your Custom Object Classes to DSAME Schema

• Step 4: (Optional) Configure Alternative Naming Attributes

• Step 5: Load DSAME LDIF into Your Directory

• Step 6: Load DSAME Service Attributes into Your Directory

• Step 7: (Optional) Add DSAME ACIs to Your Default Organization

• Step 8: Start DSAME

• Step 9: Add DSAME Object Classes and Attributes to Existing Directory Entries

• Step 10: Load the Modified LDIF Files

Before You Begin

---

The requisite directory modifications are complex. They require a high level of expertise in LDAP planning and implementation, as well as some familiarity with XML. The procedures are complicated and can be time-consuming. Be sure to plan accordingly for this phase of deployment.

---

Note	If you do not already have an existing directory that is provisioned with users, you do not need to perform the steps described in this chapter. See "Simple Installations With No Existing Directory Server".

---

Supported DITs and Unsupported DITs

While DSAME can be reconfigured to support most existing DITs, in some situations reconfiguration may not be recommended. To determine whether your DIT may be compatible with DSAME, see "DITs That Cannot Be Managed by DSAME".

Background for Examples Used in This Chapter

In order to illustrate the types of changes you'll need to make to your directory, we'll use a simple DIT for a fictitious company. The directory entries for this company, represented by o=madisonparc, contain two custom object classes. These are object classes that are not already defined in DSAME schema. If your DIT contains custom object classes, you'll also need to make changes to the DSAME XML files.

Basic DIT Structure

The examples used in this chapter are based on a simple DIT for a fictitious company. Figure 5-1 shows two organizations, Engineering and Sales, under the root. All groups in this example are static groups. This means that entries for these groups use the groupOfUniqueNames object class, which contains values naming the members of the group.

Figure 5-1    Directory Information Tree (DIT) used in examples in this chapter.

The following summarizes the use of groups in this sample DIT:

• There is one group containing the administrators for Engineering, and one group with the administrators for Sales.

• Very simple ACIs are set for the groups Engineering and Sales to allow members of these groups to manage their respective organizations.

• In each organization, there is a group that contains non-administrator users.

• There is another group at the root level, or top level. It contains all users in the directory.

Custom Object Classes

The fictitious company used in this example uses two object classes that are not included in the DSAME schema nor in the Directory Server 5.1 schema. An auxiliary object class madisonparc-org is in every organization entry, and an auxiliary object class madisonparc-user is in every user entry. In order to manage these extensions, changes must be made in the following three files:

• amEntrySpecific.xml
  (Changes are not required if you're modifying only user entries.)

• amUser.xml

• ums.xml

These changes are described in detail in the section "Step 3: (Optional) Add Your Custom Object Classes to DSAME Schema". If you use custom object classes in your existing directory, you will need to make similar changes.

Step 1: Install Directory Server 5.1 and Configure it to Work with DSAME

---

DSAME will work only with iPlanet Directory Server 5.1. If you have a pre-5.1 version installed, you must upgrade to version 5.1 and migrate your data before you can install DSAME services. If your existing directory uses Directory Server 5.1, you'll need to install only DSAME schema. In either case, follow these instructions.

Step 1a: Back Up Your Directory Data

For detailed information on backing up your directory, see the iPlanet Directory Server Installation Guide at:

http://docs.iplanet.com/docs/manuals/directory.html

Step 1b: Install and Configure Directory Server 5.1 with DSAME Schema

You must have root permissions when you run the DSAME installation program. Be sure all web browsers are closed before starting the installation program.

1. If you're installing DSAME from the product CD, insert the CD into the drive of the system on which you want to install the software.

   If you've downloaded the product, unpack the product binaries file using the following command:

   gunzip -dc dsame-5.1-domestic-us.sparc-sun-solaris2.8.tar.gz | tar -xvof -

2. Run the aminstall program. On the product CD, you'll find the program in the directory /cdrom/DSAME_51. If you've downloaded the product binaries, you'll find the program in the directory where you untarred the binary files.

   At the command line, enter aminstall.

   The aminstall command accepts the -v [verbose] option. The verbose option gives brief progress messages as the actions of the install program take place. Otherwise, installation messages are written to log files in the following directory:

   /var/opt/SUNWam/install

3. Read the License Agreement. At the prompt, Do you agree to the license terms? enter y for Yes.

4. Do you wish to continue this installation without the required patches? Enter y for Yes to proceed with the installation. If you wish to install the patches, then enter n for No. For information on installing patches see "Patch Clusters for Solaris".

5. In the Installation Directory window, provide the following information, and then click Next:

   Select which component to install: Enter 2.

   What directory do you want to install the Directory Server in? Enter the path to the directory where Directory Server will be installed. Do not install Directory Server in the same directory as DSAME Services. Ideally, you would install DSAME Services and Directory Server on different computer systems.

   <Path> does not exist, create? If this prompt displays, DSAME can automatically creates a new for you. Enter y for Yes.

   What is the host name of the machine where the Directory Server will run? For example, in the fully qualified domain name mymachine.organizationname.madisonparc.com, the host computer system name is mymachine.

   What is the sub-domain name ("." for none)? For example, in the name mycomputer.organizationname.madisonparc.com, the sub-domain name is organizationname. If your host computer does not have a sub-domain, enter a period (.).

   What is the domain name? For example, in the name mycomputer.organizationname.madisonparc.com, the domain name is madisonparc.com

   What port should the LDAP server use? The following is an excerpt from iPlanet Directory Server Installation Guide regarding this topic:

   "Port numbers can be any number from 1 to 65535. Keep the following in mind when choosing a port number for your Directory Server:

   • The standard Directory Server (LDAP) port number is 389.

   • Port 636 is reserved for LDAP over SSL. Therefore, do not use port number 636 for your standard LDAP installation, even if 636 is not already in use. You can also use LDAP over TLS on the standard LDAP port.

   • Make sure the ports you choose are not already in use.

   • If you are using both LDAP and LDAPS communications, make sure the port numbers chosen for these two types of access are not identical."

   Directory Server Administration userid: Administration Server user ID is used only when the Directory Server is down and you are unable to log in as the configuration directory administrator. The existence of this user ID means that you can access Administration Server and perform disaster recovery activities such as starting Directory Server, reading log files, and so forth.

   Normally, Administration Server user and password should be identical to the configuration directory administrator ID and password.

   Admin password (8 chars minimum): Enter a password for the Directory Server administrator.

   Re-enter Admin password: Enter the password again to confirm it.

   What is the Directory Server admin port? The default port number is 58900

   System User: This is the user the server runs as. Example: nobody

   System Group: This is the group to which the user (above) belongs. Example: nobody.

   What is the root suffix of your directory tree? This is the root suffix of your existing directory tree. Enter a distinguished name (DN) that includes at least one type=value pair.

   Examples:

   o=isp

   o=madisonparc

   dc=sun,dc=com

   Do you want to configure this Directory Server for use by DSAME? Enter y for yes.

   Directory Manager DN: The Directory Server administrative user, or Directory Manager, is the administrator who has unlimited access to Directory Server data and configuration. The default DN for the Directory Manager is cn=Directory Manager. Enter the DN you specified when you first installed Directory Server.

   Directory Manager password (8 chars minimum): Enter a password for the Directory Manager. Confirm the password when prompted.

   Do you want to start the iPlanet Directory Server Access Management Edition Directory Server when installation is complete? If you enter y for Yes, then Directory Server will automatically start up immediately after installation. If you enter n for No, then you must restart Directory Server manually after installation.

   To restart Directory Server, with root permissions, enter the commands:

   cd Directory_Server_root/slapd-instance_name

   start-slapd

   Are all settings correct? Confirm that the settings you've entered are correct. If they are not, choose n for No and the installation program will prompt you for the setting information again.

6. Enter 5 to exit the installation program.

Step 1c: Migrate Existing Data to Directory Server 5.1

In this step, you will update your pre-5.1 data to work with Directory Server 5.1. This process, called migration, is performed by running the migrateInstance5 script that comes with Directory Server. The migration script performs the following tasks in sequence:

• Checks the schema configuration files, and notifies you of any changes between the standard configuration files and the ones present on your system.

• Creates a database for each suffix stored in the legacy Directory Server. (In Directory Server 5.0 you can have multiple databases, but just one suffix per database).

• Migrates the server parameters and database parameters. (In Directory Server 5.0, these are stored as LDAP entries in the dse.ldif file.)

• Migrates user-defined schema objects.

• Migrates indexes.

• Migrates standard server plug-ins.

• Migrates the certificate database, and SSL parameters.
  

  ---

  Note	Your existing user data must be migrated to Directory Server 5.1 before you go on to Step 2. Otherwise, DSAME may not be able to recognize your existing user data.

  ---

  
  

  You must run the script on the system where your existing Directory Server is installed. You must shut down your directory service before running the migration script. For detailed migration instructions, see the iPlanet Directory Server Installation Guide at: http://docs.iplanet.com/docs/manuals/directory.html

  Once you've migrated your data to Directory Server 5.1, you can skip to "Step 1e: Back Up Your Existing Data".

Step 1d: Install DSAME Schema

---

Note	The instructions in this section, Step 1d, assume that you have already deployed and provisioned Directory Server 5.1, but your existing directory tree does not contain DSAME 5.1 schema.

---

You must have root permissions when you run the DSAME installation program. Be sure all web browsers are closed before starting the installation program.

1. If you're installing DSAME from the product CD, insert the CD into the drive of the system on which you want to install the software.

   If you've downloaded the product, unpack the product binaries file using the following command:

   gunzip -dc dsame-5.1-domestic-us.sparc-sun-solaris2.8.tar.gz | tar -xvof -

2. Run the aminstall program. On the product CD, you'll find the program in the directory /cdrom/DSAME_51. If you've downloaded the product binaries, you'll find the program in the directory where you untarred the binary files.

   At the command line, enter aminstall.

   The aminstall command accepts the -v [verbose] option. The verbose option gives brief progress messages as the actions of the install program take place. Otherwise, installation messages are written to log files in the following directory:

   /var/opt/SUNWam/install

3. Read the License Agreement. At the prompt, Do you agree to the license terms? enter y for Yes.

4. When the following message displays, enter 3.

   Select which component to install: 1) DSAME Management and Policy Services 2) iPlanet Directory Server 5.1 3) iPlanet Directory Server Configuration for DSAME 4) DSAME Cross Domain Single Sign-On 5) Exit

5. Provide the following information when prompted:

   What is the host name of the machine where the iPlanet Directory Server is located? Enter the host name of the computer system where your existing Directory Server is installed.

   What is the sub-domain name ("." for none)? For example, in the name mycomputer.organizationname.madisonparc.com, the sub-domain name is organizationname. If your host computer does not have a sub-domain, enter a period (.).

   What is the domain name? For example, in the name mycomputer.organizationname.madisonparc.com, the domain name is madisonparc.com

   What port should the LDAP server use? Enter the port number used by the your existing Directory Server.

   What directory is the Directory Server installed in? Enter the full path to the directory where the your existing Directory Server is installed.

   What is the Directory Server Instance? Enter the instance identifier for the existing Directory Server.

   Will you be using an existing DIT and schema? Enter n for No.

   Do you want to restart the Directory Server when configuration is complete? Enter y for Yes.

   Are all settings correct? Enter y for Yes.

6. When the following message is displayed, enter 5 to exit the program.

   Select which option to install: 1) DSAME Management and Policy Services 2) iPlanet Directory Server 5.1 3) iPlanet Directory Server Configuration for DSAME 4) DSAME Cross Domain Single Sign-On 5) Exit

Step 1e: Back Up Your Existing Data

Back up your existing DIT before proceeding further with the other steps. Many of the changes described in this chapter must be done manually and can be error-prone.

For detailed information on backing up your directory, see the iPlanet Directory Server Installation Guide at:

http://docs.iplanet.com/docs/manuals/directory.html

Step 2: Install DSAME Services

---

You must have root permissions when you run the DSAME installation program. Be sure all web browsers are closed before starting the installation program.

1. Run the aminstall program. On the product CD, you'll find the program in the directory /cdrom/DSAME_51. If you've downloaded the product binariers, you'll find the program in the directory where you untarred the binary files.

   At the command line, enter aminstall.

   The aminstall command accepts the following -v [verbose] option. The verbose option gives brief progress messages as the actions of the install program take place. Otherwise, installation messages are written to log files in the following directory:

   /var/opt/SUNWam/install

2. Read the License Agreement. When prompted, Do you agree to the license terms? Enter y for Yes.

3. If the following message does not display, then skip to step 4.

   One or more components that are part of DSAME 5.1 have been detected on this system. ... If you are going to install components which already exist, you must uninstall them first. What would you like to do? 1) Remove existing components, then continue installation. 2) Continue installation without removing existing components. 3) Exit

   • If the above message above is displayed, and you want to re-install components listed in the message, then enter 1 to remove the existing components. After uninstallation, the installation program will automatically start again from the beginning.

   • If the above message above is displayed, and you want to install components that are not listed in the message, then enter 2 to proceed to the next step.

4. The following options are displayed.

   Select which option to install: 1) DSAME Management and Policy Services 2) iPlanet Directory Server 5.1 3) iPlanet Directory Server Configuration for DSAME 4) DSAME Cross Domain Single Sign-On 5) Exit

   When prompted, provide the following information:

   Select which component to install: Enter 1.

   Do you want to install the DSAME Management and Policy Services on iPlanet Application Server? By default, DSAME will be installed with its own Web Server which will power the DSAME services and user interface.

   • If you want to use the default Web Server that comes with DSAME, enter No, and then skip to Step 5.

   • If you want to use Application Server instead of the default Web Server to run DSAME services, and Application Server is already installed and running, provide the following information when prompted:

     What directory is the iPlanet Application Server installed in? Enter the full path to the directory where Application Server is installed.

     What is the host name of the machine running the iPlanet Application Server Webserver? This is the computer system where DSAME components and a either dedicated web Server or Application Server are installed together. In the name mycomputer.organizationname.madisonparc.com, the host name is mycomputer.

     What is the sub-domain name ("." for none)? For example, in the name mycomputer.organizationname.madisonparc.com, the sub-domain name is organizationname. If your host computer does not have a sub-domain, enter a period (.).

     What is the domain name? For example, in the name mycomputer.organizationname.madisonparc.com, the domain name is madisonparc.com

     What is the iPlanet Application Server Webserver port? Enter a port number for the Application Server that runs the DSAME services.

     Will you be using an existing DIT and schema? Enter y for Yes.

     What is the root suffix of your directory tree? This is the DSAME root suffix, or the point in your directory where you want DSAME to start managing entries. Enter a distinguished name (DN) that includes at least one type=value pair.

     Examples:

     o=isp

     o=madisonparc

     dc=sun,dc=com
     

     ---

     Note	The default organization uses the organization (o) object class. If you want to use a different naming attribute such as dc, you must follow the installation instructions in Chapter 5 "Using an Existing Directory Server".

     ---

     
     

     What is your organization name? Enter a name for the first organization to be created in your DSAME Directory Information Tree (DIT). This name will be displayed in the DSAME graphical user interface. Examples: iPlanet or iplanet.com.

     If you want the default organization to be the root suffix, enter a period (.).

     Is the existing iPlanet Directory Server installed on a local host or on a remote host? Enter l for Local if the Directory Server is installed on the same computer system as DSAME (it's "local" relative to DSAME). Enter r for Remote if the Directory System is installed on a different computer system, or remote from, the computer that runs DSAME services.

     What is the Directory Server Instance? Enter the instance identifier for the existing Directory Server.

     What port should the LDAP server use? Enter the port number used by the your existing Directory Server.

     Directory Manager DN: The Directory Server administrative user, or Directory Manager, is the administrator who has unlimited access to Directory Server data and configuration. The default DN for the Directory Manager is cn=Directory Manager. Enter the DN you specified when you first installed Directory Server.

     Directory Manager password (8 chars minimum): Enter a password for the Directory Manager.

     Re-enter Directory Manager password: Enter the password again to confirm it.

     The Top Level Administrator user id is: This is the Administrator who has unlimited access to all entries managed by DSAME. The Top Level Administrator user id is hardcoded amAdmin. This ensures that the DSAME administrator role and its privileges are created and mapped properly in the Directory Server so that you can log into DSAME product immediately after installation.

     Admin password (8 chars minimum): Enter a password for the Super Administrator.

     Re-enter Admin password: Enter the Super Administrator password again to confirm it.

     Do you want to start the iPlanet Directory Server Access Management Edition Server when installation is complete? If you enter y for Yes, DSAME will automatically start up immediately after installation. If you enter n for No, you must start DSAME manually after installation.

     To start DSAME manually, perform the following:

     • Start the authentication modules.

       /DSAME_root/SUNWam/bin/amserver start

     • Make sure that DSAME web applications are ready for access:

       /AppServer_root/ias/bin/iascontrol start

     • Refresh the web connector.

       /AppServer_webconnector_dir/servers/start

5. If you're using Application Server instead of the default Web Server that comes with DSAME, then skip to Step 6.

   If you're using the default Web Server that comes with DSAME, provide the following information when prompted:

   What directory do you want to install the Management and Policy Services in? Enter the path to the directory where DSAME Services will be installed. Plan to install the DSAME Services and Directory Server in different directories. Ideally, you would install DSAME Services and Directory Server on different computer systems.

   Do you want to use the existing JDK? Java support in DSAME requires Java Development Kit (JDK) of version 1.3.1 or higher. While a default JDK is provided, you can use your own JDK with the Web Server. If you want to use your own JDK version, then enter n for No and then enter the full path to the version of JDK you want to use. Otherwise, enter y for Yes.

   What is the host name of the machine where the DSAME Management and Policy Services will run? This is the computer system where DSAME components and Web Server are installed together. In the name mycomputer.organizationname.madisonparc.com, the host name is mycomputer.

   What is the sub-domain name ("." for none)? For example, in the name mycomputer.organizationname.madisonparc.com, the sub-domain name is organizationname. If your host computer does not have a sub-domain, enter a period (.).

   What is the domain name? For example, in the name mycomputer.organizationname.madisonparc.com, the domain name is madisonparc.com

   What is the DSAME Management and Policy Services port? Enter a default port number 58080 for the Web Server that runs the DSAME services.

   Web Server Administration user id: This is the server administrator who has access to the Web Server that runs DSAME services.

   Admin password (8 chars minimum): Enter a password for the Web Server Administrator.

   Re-enter Admin password: Re-enter the Web Server password to confirm it.

   What is the Web Server admin port? Enter the default port number 58888

   System User: This is the user the Directory Server will run as. If you have a Directory Server already running, enter the same System User used by that Directory Server. Example: nobody

   System Group: This is the group the user (above) belongs to. Example: nobody

   Will you be using an existing DIT and schema? Enter y for Yes.

   What is the root suffix of your directory tree? This is the DSAME root suffix, or the point in your directory where you want DSAME to start managing entries. Enter a distinguished name (DN) that includes at least one type=value pair.

   Examples:

   o=isp

   o=madisonparc

   dc=sun,dc=com

   If you want the default organization to be the root suffix, enter a period (.).

   
   

   ---

   Note	The default organization uses the organization (o) object class. If you want to use a different naming attribute such as dc, you must follow the installation instructions in Chapter 5 "Using an Existing Directory Server".

   ---

   
   

   What is your organization name? Enter organization name with naming attribute prefixed. Example: o=iplanet.com or dc=iplanet.com.

   Is the existing iPlanet Directory Server installed on a local host or on a remote host? Enter l for Local if the Directory Server is installed on the same computer system as DSAME (it's "local" relative to DSAME). Enter r for Remote if the Directory System is installed on a different computer system, or remote from, the computer that runs DSAME services.

   What is the Directory Server Instance? Enter the instance identifier for the existing Directory Server.

   What port should the LDAP server use? Enter the port number used by the your existing Directory Server.

   Directory Manager DN: The Directory Server administrative user, or Directory Manager, is the administrator who has unlimited access to Directory Server data and configuration. The default DN for the Directory Manager is cn=Directory Manager. Enter the DN you specified when you first installed Directory Server.

   Directory Manager password (8 chars minimum): Enter a password for the Directory Manager.

   Re-enter Directory Manager password: Enter the password again to confirm it.

   What is the deployment URI prefix for the DSAME Management and Policy Services? The Universal Resource Identifier (URI) prefix tells the Web Server where to look for HTML pages associated with a DSAME service and also for other web application specific information like classes and jars. Enter the URI prefix specified during DSAME installation. The default is /amserver

   What is the deployment URI prefix for the DSAME Administration Console? The Universal Resource Identifier (URI) prefix tells the Web Server or Application Server where to look for HTML pages that the administration console needs to display and also for other web application specific information like classes and jars.

   The default URI prefix is amconsole. You can enter a different name.

   The Top-Level Administrator user id is: This is the Administrator who has unlimited access to all entries managed by DSAME. The Top-Level Administrator user id is hardcoded amAdmin. This ensures that the DSAME administrator role and its privileges are created and mapped properly in the Directory Server so that you can log into DSAME product immediately after installation. Since this is an administrator role, you can add other users to this role after installation.

   Admin password (8 chars minimum): Enter a password for the Super Administrator.

   Re-enter Admin password: Enter the Super Administrator password again to confirm it.

   Do you want to start the iPlanet Directory Server Access Management Edition Server when installation is complete? If you enter y for Yes, DSAME will automatically start up immediately after installation. If you enter n for No, you must start DSAME manually after installation.

   To start DSAME manually, at the command line enter the following command:

   /DSAME_root/SUNWam/bin/amserver start

6. Are all settings correct? If the settings displayed are not correct, enter n for No and the installation program will start again from close to the beginning. If the settings are correct, enter y for Yes to continue with the installation.

   Select which component to install: When you see the following options displayed, enter 5 to exit the installation program.

   Select which component to install: 1) DSAME Management and Policy Services 2) iPlanet Directory Server 5.1 3) iPlanet Directory Server Configuration for DSAME 4) DSAME Cross Domain Single Sign-On 5) Exit

   
   

   ---

   Note	After installation you will not be able to login to the DSAME administration console because the appropriate LDIF and XML files have not yet been loaded. See the following sections for instructions.

   ---

   
   

Step 3: (Optional) Add Your Custom Object Classes to DSAME Schema

---

If your existing DIT contains object classes you've created and that do not come with Directory Server, then you'll have to add those object classes and attributes to the DSAME schema. For background information, see"Understanding DSAME XMLs and DTDs" in the Programmer's Guide.

If you do not use custom object classes in your DIT, this step is not necessary. Skip to "Step 5: Load DSAME LDIF into Your Directory".

In the examples in this section, the company Madison Park uses two object classes that do not come with the DSAME schema. An auxiliary object class madisonparc-org is in every organization entry, and an auxiliary object class madisonparc-user is in every user entry. Code Example 5-1    MadisonParc's Customized Schema  

---

dn: cn=schema

attributeTypes: ( madisonparc-org-description-oid NAME

`madisonparc-org-description' DESC `org description'

SYNTAX 1.3.6.1.1466.115.121.1.15

SINGLE-VALUE X-ORIGIN `madisonparc'

attributeTypes: ( madisonparc-org-city-oid NAME

`madisonparc-org-city' DESC `org city location'

SYNTAX 1.3.6.1.4.1.1666.115.121.1.15

SINGLE-VALUE X-ORIGIN `madisonparc' )

attributeTypes: ( madisonparc-user-id-oid NAME

`madisonparc-user-id' DESC `user madisonparc id'

SYNTAX 1.3.6.1.4.1.1666.115.121.1.15

SINGLE-VALUE X-ORIGIN `madisonparc' )

attributeTypes: ( madisonparc-user-building-oid NAME

`madisonparc-user-building' DESC `priority of a service

with respect to its siblings'

SYNTAX 1.3.6.1.4.1.1666.115.121.1.15

SINGLE-VALUE X-ORIGIN `madisonparc' )

objectClasses: ( madisonparc-org-oid NAME

`madisonparc-org' DESC `custom attributes

for madisonparc org' SUP top MAY

(madisonparc-org-description $ madisonparc-org-city )

X-ORIGIN `madisonparc' )

objectClasses: ( madisonparc-user-oid NAME

`madisonparc-user' DESC `custom attributes

for madisonparc user' SUP top MAY

( madisonparc-user-id $ madisonparc-user-building )

X-ORIGIN `madisonparc' )

In order to manage these extensions, changes must be made in the following three files:

• amEntrySpecific.xml (for organization data)

• amUser.xml (for user data)

• ums.xml

Step 3a: Add Attributes to the Organization Schema

In this step, you will modify two services files:

• amEntrySpecific.xml

• amEntrySpecific.properties.

The DSAME console uses the information in amEntrySpecific.xml for display purposes. Each DSAME abstract entry may have a subschema in this XML file. In the following example, you would add the two attributes from the madisonparc-org object class to the organization subschema. If the DIT contained customized organizational units, groups, or people containers, you would add or modify their subschemas in the same XML file.

The subschema name for an organizational unit will be OrganizationalUnit. The subschema name for a people container will be PeopleContainer.

---

Note

The User subschema is not configured here in the amEntrySpecific.xml file, but in the amuser.xml file (see "Step3b: Add Attributes to the User Schema".) Although any service XML file may describe an attribute that is for a user only, the amentryspecific.xml file can serve as a default place holder for user attributes that are not tied to a particular service.

---

To Add Attributes from a Custom Organization to the Organization Subschema

---

Note	In XML, attribute names must be all lowercase. When DSAME retrieves attributes names from Directory Server, it converts all names to lowercase.

---

1. In the following file:

   DSAME_root/SUNWam/config/xml/amEntrySpecific.xml

   add the attributes from the custom object class to the subschema Organization. For example, the following two attributes from the custom object class madisonparc-org were added to the file.

   <AttributeSchema name="madisonparc-org-description"

   type="single"

   syntax="string"

   any="required"

   />

   <AttributeSchema name="madisonparc-org-city"

   type="single"

   syntax="string"

   any="required|filter"

   />

2. Also in the amEntrySpecific.xml file, create internationalization (i18n) keys (also called index keys or localization keys) for each attribute. All i18n Keys in an organization must be made up of unique strings. The DSAME Administration Console will use this key to look up the display name for the attribute.

   <AttributeSchema name="madisonparc-org-description"

   type="single"

   syntax="string"

   any="required"

   i18nKey="o3"

   />

   <AttributeSchema name="madisonparc-org-city"

   type="single"

   syntax="string"

   any="required|filter"

   i18nKey="o4"

   />

3. In the following file, add the values for i18n Keys you created in Step 2:

   DSAME_root/SUNWam/locale/amEntrySpecific.properties

   Example:

   
   

   ---

   g1=Member List

   g2=Users Can Subscribe to this Group

   dg1=Membership Filter

   r1=Membership Filter

   o1=Full DNS name

   o2=Organization Status

   o3=Org Description

   o4=Organization Location

All the attributes listed in the subschema are displayed in the Administration Console when the organization is displayed. If an attribute is not listed, the Administration Console will not display the attribute.

---

Tip	If an attribute has no i18n Key, it will not be displayed on the administration console. If you add an attribute, and you don't see it in the administration console, be sure to check the i18n Key and properties.

---

The "any" attribute

The any attribute in the XML descriptions may have five possible values: filter, display, adminDisplay, userReadOnly, required, or optional. The values tell the Console whether the attribute should appear in the GUI. Typically, required and optional are not both displayed at the same time; they are mutually exclusive.

filter. The attribute is displayed in a search page.

display. The attribute is read/write for administrators and regular users.

adminDisplay. The attribute is read/write for administrators and is not displayed for regular users.

userReadOnly. The attribute is read/write for administrators but is readonly for regular users. It is displayed as a label for regular users so that it is not editable.For e.g. the display, adminDisplay, and userReadOnly settings are usedwhen displaying the user profilepage and can be used to customize the page.

required.The attribute is displayed in the create page and requires a value during creation of the entry. If any=required, the attribute must have a value or the Console will not allow the Create operation. Use an empty string (" ") to tell the Administration Console to display nothing.

optional.The attribute is displayed in the create page but does not require a value during creation of the entry. If any=optional, the attribute will appear on the Create page without an asterisk. This would indicate that you don't have to give it a value to create the entry. In the Create User page, the UserId is a required attribute but the First Name is optional.

In the following example, both attributes will be displayed on the Organization page, and both attributes are required for creation. This is indicated by the use of the required value. Only the madisonparc-org-city attribute will be used on the Search page in DSAME Administration Console, as indicated by the use of the filter value.

<AttributeSchema name="madisonparc-org-description"

type="single"

syntax="string"

any="required"

i18nKey="o3"

/>

<AttributeSchema name="madisonparc-org-city"

type="single"

syntax="string"

any=required|filter

i18nKey="o4"

/>

The "type" attribute

The type attribute can use a string, string list, single choice, multiple choice, or boolean value. For example, if the madisonparc-org-city attribute can have only one of the cities Concord, San Francisco, or Palo Alto, as a valid value, then you would make this attribute a single choice; each city would be one of the choices. The DSAME Administration Console would display a list containing only these cities. If multiple cities were allowed, the attribute could be a multiple choice.

Step3b: Add Attributes to the User Schema

In this step, you will modify two files for services:

• amUser.xml

• amUser.properties

The amUser.xml file is where user attributes are described, just as organization and group schema are described in the amEntrySpecific.xml (see Step 2). The file amUser.xml describes the User service for DSAME. Note that any service may describe an attribute that is for a user only. This file is just the default placeholder for user attributes that are not tied to a particular service.

When displaying a user's attributes, the DSAME Administration Console gets all attributes from all services that are subschema type User, and displays them using the same values as used in the amEntrySpecific.xml file (see "The "any" attribute" and "The "type" attribute"). In the following examples, a few attributes from the madisonparc-user object class are added to the file, thus it is not necessary to create a new service. It's only necessary to modify, or extend, the iplanetamuserservice.

Additional Notes About the amUser.xml File

The file amUser.xml contains a special attribute. The any=display attribute tells DSAME whether to display the attribute in the user profile page. This is a misleading name since it implies access control. It is strictly used for display. If this attribute is set to no then the console will not display the attribute.

Also note that the attributes are defined under subschema User and not Dynamic. Any attribute defined under User is physically an attribute in the user entry. If you want the attribute to be a role-based or organization-based attribute, then you would define it under the Dynamic subschema. For background information, see"Understanding DSAME XMLs and DTDs" in the Programmer's Guide.

For example, you could make the madison-user-building attribute Dynamic, and have DSAME create a role with this attribute. This way if all employees in a division moved to a different building, you would only have to modify the role attribute instead having to modify of every single user entry.

To Add Attributes from a Custom Organization to the User Subschema

1. In the following file, add the attributes from the custom object class to the User subschema:

   DSAME_root/SUNWam/config/xml/amUser.xml

2. For example, the following two attributes from the custom object class madisonparc-user were added to the file:

   <AttributeSchema name="madisonparc-user_id"

   type=single

   syntax=string

   any=required|display

   i18nKey=u13

   />

   <AttributeSchema name="madisonparc-user-building"

   type=single

   syntax=string

   any=required|filter|display

   i18nKey=u14

3. In the amUser.xml file, create i18n Keys (also called index keys or localization keys) for each attribute. All i18n Keys in an organization must be made up of unique strings. The DSAME Administration Console will use this key to look up the display name for the attribute. See the example above.

4. Add values for the i18n Keys created in the previous step to the following file: DSAME_root/SUNWam/locale/amUser.properties

   Example:

   
   

   ---

   iwtUser-desc=Default User Profile

   u1=User Name

   u2=First Name

   u3=Last Name

   u4=Full Name

   u5=Password

   u6=Email Address

   u7=Employee Number

   u8=Telephone Number

   u9=Manager

   u10=Home Address

   u11=User Status

   u12=User Auth Modules

   u13=User Id

   u14=Employee Building

   The value is the exact field to be displayed on the administration console page; the key will be localized for the locale. In this example, the administration console will display the text fields "User Id" and "Employee Building."

Step 3c: Modify the Creation Templates

In this step, you will modify the ums.xml file.

In Figure 5-3, the sample DIT has new object classes for both users and organizations. To expose the new object classes in the UI, you would modify the Creation Templates for both users and organizations in the ums.xml file. The Creation Templates configure DSAME to add or allow specific object classes and attributes when these entries are created.

To Modify the Creation Templates

Make the following modifications in the file DSAME_root/SUNWam/config/ums/ums.xml

1. Under <SubConfiguration name="BasicOrganization" id="CreationUmsObjects">, in the <AttributeValuePair> <Attribute name="required" /> element, add the following:

   <Value>objectClass=madisonparc-org</Value>

   Example:

   
   

   ---

   <AttributeValuePair> <Attribute name="name" />

   <Value>BasicOrganization</Value>

   </AttributeValuePair>

   <AttributeValuePair> <Attribute name="javaclass" />

   <Value>com.iplanet.ums.Organization</Value>

   </AttributeValuePair>

   <AttributeValuePair> <Attribute name="required" />

   <Value>objectClass=top</Value>

   <Value>objectClass=organization</Value>

   <Value>objectClass=nsManagedDomain</Value>

   <Value>objectClass=inetDomain</Value>

   <Value>objectClass=iplanet-am-managed-org</Value>

   <Value>objectClass=madisonparc-org</Value>

   <Value>o</Value>

   <Value>inetdomainstatus=Active</Value>

   </AttributeValuePair>

2. Under <SubConfiguration name="BasicUser" id="CreationUmsObjects">, in the <AttributeValuePair><Attribute name="optional" /> element, add the following:

   <Value>objectClass=madisonparc-user</Value>

   Example: (Continued)

   
   

   ---

   <SubConfiguration name="CreationTemplates" >

   <SubConfiguration name="BasicUser" id="CreationUmsObjects">

   <AttributeValuePair> <Attribute name="name" />

   <Value>BasicUser</Value>

   </AttributeValuePair>

   <AttributeValuePair> <Attribute name="javaclass" />

   <Value>com.iplanet.ums.User</Value>

   </AttributeValuePair>

   <AttributeValuePair> <Attribute name="required" />

   <Value>objectClass=top</Value>

   <Value>objectClass=person</Value>

   <Value>objectClass=organizationalPerson</Value>

   <Value>objectClass=inetOrgPerson</Value>

   <Value>objectClass=iPlanetPreferences</Value>

   <Value>objectClass=iplanet-am-user-service</Value>

   <Value>objectClass=inetuser</Value>

   <Value>objectClass=iplanet-am-managed-person</Value>

   <Value>objectClass=madisonparc-user</Value>

   <Value>cn=default</Value>

   <Value>sn=default</Value>

   <Value>uid</Value>

   <Value>inetuserstatus=Active</Value>

   </AttributeValuePair>

   
   

3. Under <SubConfiguration name="BasicOrganization" id="CreationUmsObjects">, in the <AttributeValuePair> <Attribute name="optional" /> element, add the following:.

   <Value>madisonparc-org-description</Value>

   <Value>madisonparc-org-city</Value>

   Example:
   

   ---

   <SubConfiguration name="BasicOrganization" id="CreationUmsObjects">

   <AttributeValuePair> <Attribute name="name" />

   <Value>BasicOrganization</Value>

   </AttributeValuePair>

   <AttributeValuePair> <Attribute name="javaclass" />

   <Value>com.iplanet.ums.Organization</Value>

   </AttributeValuePair>

   <AttributeValuePair> <Attribute name="required" />

   <Value>objectClass=top</Value>

   <Value>objectClass=organization</Value>

   <Value>objectClass=nsManagedDomain</Value>

   <Value>objectClass=inetDomain</Value>

   <Value>objectClass=iplanet-am-managed-org</Value>

   <Value>objectClass=madisonparc-org</Value>

   <Value>o</Value>

   <Value>inetdomainstatus=Active</Value>

   </AttributeValuePair>

   <AttributeValuePair> <Attribute name="namingattribute" />

   <Value>o</Value>

   </AttributeValuePair>

   <AttributeValuePair> <Attribute name="optional" />

   <Value>*</Value>

   <Value>madisonparc-org-description</Value>

   <Value>madisonparc-org-city</Value>

   </AttributeValuePair>

4. Under <SubConfiguration name="BasicUser" id="CreationUmsObjects">, in the <AttributeValuePair> <Attribute name="optional" /> element, add the following:

   <Value>madisonparc-user-id</Value>

   <Value>madisonparc-user-building</Value>

   Example:

   
   

   ---

   <SubConfiguration name="BasicUser" id="CreationUmsObjects">

   <AttributeValuePair> <Attribute name="name" />

   <Value>BasicUser</Value>

   </AttributeValuePair>

   <AttributeValuePair> <Attribute name="javaclass" />

   <Value>com.iplanet.ums.User</Value>

   </AttributeValuePair>

   <AttributeValuePair> <Attribute name="required" />

   <Value>objectClass=top</Value>

   <Value>objectClass=person</Value>

   <Value>objectClass=organizationalPerson</Value>

   <Value>objectClass=inetOrgPerson</Value>

   <Value>objectClass=iPlanetPreferences</Value>

   <Value>objectClass=iplanet-am-user-service</Value>

   <Value>objectClass=inetuser</Value>

   <Value>objectClass=iplanet-am-managed-person</Value>

   <Value>objectClass=madisonparc-user</Value>

   <Value>cn=default</Value>

   <Value>sn=default</Value>

   <Value>uid</Value>

   <Value>inetuserstatus=Active</Value>

   </AttributeValuePair>

   <AttributeValuePair> <Attribute name="optional" />

   <Value>nsroledn</Value>

   <Value>madisonparc-user-id</Value>

   <Value>madisonparc-user-building</Value>

   <Value>*</Value>

Step 4: (Optional) Configure Alternative Naming Attributes

---

If you used a naming attribute other than o=organization to define organizations in your DIT, you must modify the ums.xml file to accommodate the non-standard naming attributes. If you used a naming attribute other than uid=username to define users in your DIT, your must make similar modifications in the ums.xml file. For detailed reference information, see "Using Alternative Naming Attributes".

To Configure Alternative Naming Attributes for Organizations

The following steps assume that dc is the naming attribute used for an organization. Perform the modifications in the file:

DSAME_root/SUNWam/config/ums/ums.xml

1. Replace any appearance of o=org with dc=org.

2. In the BasicOrganization section, replace value of o with dc.

3. In the BasicOrganizationSearch SubConfiguration section, replace value of o with dc.

4. In the BasicOrganization section, change the objectClass of organization to domain. If you use ou for an organization, then you need to change it to organizationalUnit.

To Configure Alternative Naming Attributes for Users

The following steps assume that cn is the naming attribute used for users.

Make the following modifications in the following directories:

DSAME_root/SUNWam/config/ums

DSAME_root/SUNWam/config/xml

1. In the file ldif/installExisting.ldif, with two exceptions, replace uid with cn. The exceptions are:
   • The occurrence under ACI.

   • The uid: amAdmin attribute in the amAdmin entry.

2. In xml/amAuth.xml, replace uid with cn for user naming attribute.

3. In xml/amMembership.xml, replace uid with cn for the user naming attribute.

4. In xml/amAuthLDAP.xml, replace uid with cn for the user naming attribute.

5. In AMConfig.properties, replace uid=amAdmin with cn=amAdmin.

6. In ums/ums.xml, in BasicUser subconfiguration, replace uid with cn for namingattribute.

7. In ums/ums.xml, in BasicUser required values, change cn=default to cn and uid to uid=default.

Step 5: Load DSAME LDIF into Your Directory

---

The installExisting.ldif file contains DSAME-specific entries that are loaded into Directory Server during installation. Typically, you will not need to modify this file before it gets loaded during the installation process.

You can use the ldapmodify utility that comes with Directory Server to load installExisting.ldif. In the MadisonParc example, when you load the LDIF, the following occurs:

• Users and marker object classes required for DSAME are added to o=madisonparc and o=Engineering,o=madisonparc

• Default roles for organization and help desk administrators are created.

• Default Access Control Instructions (ACIs) for those administrator entries are set up.
  
  

Before You Begin

1. Make sure that you're using the appropriate version of ldapmodify. Follow these procedures:
   • Make sure that your path is set to use the ldapmodify command that is shipped with iPlanet Directory Server 5.1. (Do not use the version shipped with Solaris, which is found in /bin or /usr/bin.)

   • You will also need to add /usr/iplanet/servers/lib to your LD_LIBRARY_PATH to pick up Directory Server libraries. At the command line, enter:

     which ldapmodify

     Directory_Server_root/shared/bin/ldapmodify will be displayed.

2. DSAME provides two different LDIF files to help you make the necessary modifications. Determine which file and instructions you should use.
   • If the DSAME default organization is at any level below the root suffix of your directory tree, then use the instructions in the section "To Load the installExisting.ldif File."

   • If your root suffix is entered as period (.) for the DSAME default organization, then use the instructions in the section "To Load the installrootorg.ldif File."

To Load the installExisting.ldif File

1. Go to the following directory:

   cd DSAME_root/SUNWam/web-apps/services/WEB-INF/config/ldif

   If DSAME is installed on iPlanet Application Server, then go to:

   cd DSAME_root/ias/APPS/modules/amserver/WEB-INF/config/ldif

2. At the command line, enter the following:

   ldapmodify -v -c -D "cn=Directory manager" -w password -a -f installExisting.ldif
   

   ---

   Note	You must specify the -c option. Be sure you install only installExisting.ldif, and no other files in the same directory.

   ---

   
   

   If you encounter error messages regarding "already existing" entries or values for the default organization, see "Step 7: (Optional) Add DSAME ACIs to Your Default Organization".

The DSAME administration user amAdmin will be created under the ou=People,o=Engineering,o=madisonparc people container. This is the top level administrator for DSAME. This administrator has read and write access to the entire subtree for o=madisonparc. You can add one of your users to this top level administrator role after the DSAME console is started.

Figure 5-2    Directory Information Tree (DIT) Used in Examples in This Chapter.

To Load the installrootorg.ldif File

1. Go to the following directory:

   cd DSAME_root/SUNWam/web-apps/services/WEB-INF/config/ldif

   If DSAME is installed on iPlanet Application Server, then go to:

   cd DSAME_root/ias/APPS/modules/amserver/WEB-INF/config/ldif

2. At the command line, enter the following:

   ldapmodify -v -c -D "cn=Directory manager" -w password -a -f installrootorg.ldif
   

   ---

   Note	You must specify the -c option. Be sure you install only installrootorg.ldif, and none of the other files in the same directory.

   ---

   
   

Step 6: Load DSAME Service Attributes into Your Directory

---

You can load the ums.xml file and all services files with the same command.

1. Go to the following directory:

   cd DSAME_root/SUNWam/config/ums

2. Run the following command:

   amserveradmin amAdmin_DN password

If you see any parsing errors, you should go back and double-check the changes you made in the previous steps. Also examine the syntax in the amUser.xml and amEntrySpecific.xml files, and make sure you've used the correct syntax. If you need to look at syntax examples, look at the other service XML files located in the following directory:

DSAME_root/SUNWam/config/xml

Step 7: (Optional) Add DSAME ACIs to Your Default Organization

---

You only need to perform this step if, during installation, you specified an existing organization as your default organization. (By default, DSAME creates one new organization with the an RDN o=iplanet. If you accepted the default RDN, skip to the Step 8: Start DSAME.

In this step, you will manually add the DSAME default ACIs to the organization you specified as the default, or first, organization.

1. Copy the DSAME default organization ACIs a text file.
   • If you loaded the file installExisting.ldif, then copy the ACI's from the following file:

     DSAME_root/web-apps/services/WEB-INF/config/ldif

   • If you loaded the file installrootorg.ldif, then copy the ACI's from the following file:

     DSAME_root/web-apps/services/WEB-INF/config/ldif

   • If you loaded the file installrootorg.ldif on Application Server, then copy the ACI's from the following file:

     DSAME_root/ias/APPS/modules/amserver/WEB-INF/config/ldif

2. In the directory where your ldapmodify utility is located, enter the following command:

   ldapmodify -D bind_DN -w password -p port_number -h hostname -a -f textfile_name

Step 8: Start DSAME

---

At this point, you can start the DSAME server and you will be able to log in to the DSAME Administration Console as amAdmin user. You should see the root suffix and organization you specified during installation. In the MadisonParc example, you would see o=madisonparc and o=Engineering. You will not be able to see the rest of your entries since they do not yet contain the DSAME marker object classes.

To start DSAME

To start DSAME manually, at the command line enter the following command:

/DSAME_root/SUNWam/bin/amserver start

To log into the Administration Console

1. Go to the appropriate URL:
   • If DSAME services are running on iPlanet Web Server, go to the login URL using the form:

     http://host.domain:port/amconsole

     where host is the host name of the system, domain is the domain name of the server that runs DSAME services, and port is the DSAME services port number.

     Example: http://tintin.india.sun.com:58080/amconsole

   • If DSAME services are running on iPlanet Application Server, go to the login URL using the form:

     http://iaswebconnector_host:iaswebconnector_port/NASApp/amserver

     where host is the host name of the web connector, port is the web connector port number, and NASApp is the Universal Resource Identifier (URI) prefix automatically assigned to Application Server.

2. In the Login page, enter the Top-Level Administrator user id and password you specified at installation.

Step 9: Add DSAME Object Classes and Attributes to Existing Directory Entries

---

In this step, you modify your existing directory entries to include the necessary DSAME object classes and attributes. You can think of the DSAME object classes as markers that indicate the directory entries you want to manage through DSAME. These markers enable DSAME to recognize the entries in your directory. The object classes contain special attributes that are necessary to achieve delegated administration.

Before You Begin

There are a number of resources you can use to facilitate the remaining steps for using an existing directory.

Examples Used in This Section

The examples used in this chapter are based on the MadisonParc DIT. Figure 5-3 shows two organizations, Engineering and Sales, under the root. All groups in this example are static groups.

Figure 5-3    The MadisonParc DIT.

Utilities and Scripts You Can Use

You can make these modifications by using iPlanet Directory Server Console, or by using the ldapmodify or db2ldif utilities that come with Directory Server. For detailed information on how to make directory changes by using the Console or by using these utilities, see the documentation for iPlanet Directory Server at:

http://docs.iplanet.com/docs/manuals/directory.html

You can also use the sample scripts that are included in this product. The sample scripts require Perl 5.x or later. You'll find the sample scripts in the following location:

DSAME_root/SUNWam/migration

While these samples should prove useful, they are only tools to assist you in properly formatting the DIT and other data. Each script has one or more variables at the top of the file that must be edited before the script is executed. After each script is executed, it generates an LDAP Data Interchange Format (LDIF) file.

If you encounter error messages regarding "already existing" entries or values, you must add the object classes or attributes manually. See the iPlanet Directory Server documentation for detailed instructions.

Steps for using each sample script are included in this chapter in the instructions for marking each object class.

---

Note

Before you can follow the steps for using the sample scripts, you must copy the following sample script files from DSAME_root/SUNWam/migration into the directory Directory_Server_root/shared/bin: update-users.pl update-static-groups.pl update-assignable-dynamic-groups.pl update-filtered-groups.pl update-people.pl update-ou.pl update-o.pl update-groups.pl Also note that the changes made by using these scripts cannot be automatically undone. Be sure to back up your data before running each script.

---

Related Information

Detailed reference information is provided in Appendix A "DSAME ObjectClasses and Attributes." See information on the following topics:

• Using DSAME Object Classes as Markers

• Using Alternative Naming Attributes

• DITs That Cannot Be Managed by DSAME

• Object Class and Attribute Descriptions

Two Approaches to Modifying the Existing DIT

You can use one of two approaches for modifying the DIT. One option is to make all the necessary modifications to your DIT before loading the DSAME LDIF and XML configuration files. This procedure is more error-prone, but may be faster if you have experience using LDAP.

The other option is to make a few modifications in your LDIF and XML files, and then start DSAME to make sure those modifications were done correctly. This second approach is the recommended approach. For example, you may want to add the DSAME object classes for each of your organizations, restart DSAME, and verify that your organizations appear in the DSAME Administration Console. Then add marker classes for groups, check them and so forth.

Step 9a: Mark Organizations

If you used an existing organization as your default organization during installation, you do not have to make these changes. The installation program automatically added these object classes and attributes. Skip to Step 10b.

In this step you will:

1. Add the following object classes to each organization entry:
   • iplanet-am-managed-org

   • inetDomain

2. Add the following attribute to each organization entry:
   • inetDomainStatus

In the MadisonParc example, these object classes and attributes were automatically added to the default organization, o=Engineering, which was the organization specified and created during DSAME installation. The object classes and attributes were manually added to the o=Sales organization.

Example:

objectClass: top

objectClass: organization

objectClass: madisonparc-org

madisonparc-org-description: Engineering Organization

madisonparc-org-city: Santa Clara

aci: (targetattr = "*")(version 3.0; acl "madisonparc Org admin"; allow (all)groupdn="ldap:///cn=Engineering Admins,o=Engineering,o=madisonparc";)

objectclass: iplanet-am-managed-org

objectlcass: inetDomain

inetDomainStatus: Active

dn: o=Sales,o=madisonparc

objectClass: top

objectClass: organization

objectClass: madisonparc-org

madisonparc-org-description: Sales Organization

madisonparc-org-city: Menlo Park

aci: (targetattr = "*")(version 3.0; acl "madisonparc Org admin"; allow (all)groupdn="ldap:///cn=Sales Admins,o=Sales,o=madisonparc";)

objectclass: iplanet-am-managed-org

objectlcass: inetDomain

inetDomainStatus: Active

To Mark Organizations Using the Sample Script

1. Copy update-o.pl to the following directory:

   Directory_Server_root/shared/bin

2. Set the $base variable to the base suffix of the DIT to be managed by DSAME. Example: o=madisonparc

3. In the directory where the script is located, enter the following command:

   perl update-o.pl

4. When prompted, provide the following information:

   Enter Host Name: Enter the name of the computer system in which your Directory Server is installed.

   Enter Bind User Name: Enter a username that has sufficient privileges for accessing the entire directory. Example: cn=Directory Manager

   Enter Bind password: Enter the password for the user you specified above.

   Enter port number: Enter the Directory Server port number. Example: 389

5. To check the results, open the ldif file that is created (for example: o-update.ldif) and verify that the appropriate changes were made.

Step 9b: Mark People Containers

To each people container, add the iplanet-am-managed-people-container object class.

Example:

objectClass: top

objectClass: organizationalunit

objectclass: iplanet-am-managed-people-container

...

dn: ou=Sales Users,o=Sales,o=madisonparc

objectClass: top

objectClass: organizationalunit

objectclass: iplanet-am-managed-people-container

...

To Mark People Containers Using the Sample Script

1. Copy update-people.pl to the following directory:

   Directory_Server_root/shared/bin

2. Set the $base variable to the base suffix of the DIT to be managed by DSAME. Example:
   o=madisonparc.

3. In the directory where the script is located, at the command line enter the following:

   perl update-people.pl

4. When prompted, provide the following information:

   Enter Host Name: Enter the name of the computer system in which your Directory Server is installed.

   Enter Bind User Name: Enter a username that has sufficient privileges for accessing the entire directory. Example: cn=Directory Manager

   Enter Bind password: Enter the password for the user you specified above.

   Enter port number: Enter the Directory Server port number. Example: 389

   Enter People Container: Enter the name of the people container that contains the uids you want to modify. Example: People

5. To check the results, open the LDIF file that is created (for example: people-update.ldif) and verify that the appropriate changes were made.

Step 9c: Mark Organizational Units

To each container that is an organizational unit, add the following object class:   iplanet-am-managed-org-unit

Example:

objectClass: top

objectClass: organizationalunit

objectClass: inetAdmin

objectclass: iplanet-am-managed-org-unit

dn: cn=Engineering Admins,o=Engineering,o=madisonparc

objectClass: top

objectClass: groupofuniquenames

uniquemember: uid=engadmin,ou=Engineering Users,o=Engineering,o=madisonparc

dn: cn=Engineering Users,o=Engineering,o=madisonparc

objectClass: top

objectClass: groupofuniquenames

uniquemember: uid=enguser1,ou=Engineering Users,o=eng,o=madisonparc

uniquemember: uid=enguser2,ou=Engineering Users,o=eng,o=madisonparc

uniquemember: uid=enguser3,ou=Engineering Users,o=eng,o=madisonparc

uniquemember: uid=enguser4,ou=Engineering Users,o=eng,o=madisonparc

dn: ou=Groups,o=Sales, o=madisonparc

objectClass: top

objectClass: organizationalunit

objectClass: inetAdmin

objectclass: iplanet-am-managed-org-unit

To Mark Organizational Units Using the Sample Script

1. Copy update-ou.pl to the following directory:

   Directory_Server_root/shared/bin

2. Set the $base variable to the base suffix of the DIT to be managed by DSAME. Example:  o=madisonparc.

3. In the directory where the script is located, at the command line enter the following:

   perl update-ou.pl

4. When prompted, provide the following information:

   Enter Host Name: Enter the name of the computer system in which your Directory Server is installed.

   Enter Bind User Name: Enter a username that has sufficient privileges for accessing the entire directory. Example: cn=Directory Manager

   Enter Bind password: Enter the password for the user you specified above.

   Enter port number: Enter the Directory Server port number. Example: 389

5. To check the results, open the LDIF file that is created (for example: ou-update.ldif) and verify that the appropriate changes were made.

Step 9d: Mark Users

To each user entry, add the following object classes:

• iplanet-am-web-agent-service

• iplanet-am-managed-person

• iplanet-am-user-service

• inetuser

• iPlanetPreferences

• inetOrgPerson

Example:

objectClass: top

objectClass: organizationalunit

dn: uid=engadmin,ou=Engineering Users,o=Engineering,o=madisonparc

objectClass: inetorgperson

objectClass: organizationalperson

objectClass: person

objectClass: top

objectClass: iplanet-am-web-agent-service

objectClass: iplanet-am-managed-person

objectClass: iplanet-am-user-service

objectClass: inetuser

objectClass: iPlanetPreferences

objectClass: inetOrgPerson

inetuserstatus:active

cn: engadmin

sn: engadmin

userPassword: engadmin

dn: uid=enguser1,ou=Engineering Users,o=Engineering,o=madisonparc

objectClass: inetorgperson

objectClass: organizationalperson

objectClass: person

objectClass: top

objectClass: madisonparc-user

objectClass: iplanet-am-web-agent-service

objectClass: iplanet-am-managed-person

objectClass: iplanet-am-user-service

objectClass: inetuser

objectClass: iPlanetPreferences

objectClass: inetOrgPerson

inetuserstatus:active

madisonparc-user-id: 11111

madisonparc-user-building: SCA16

cn: enguser1

sn: enguser1

userPassword: enguser1

To Mark Users Using the Sample Script

1. Copy udpate-users.pl to the following directory:

   Directory_Server_root/shared/bin

2. Set the $base variable to the base suffix of the DIT to be managed by DSAME. Example: o=madisonparc

3. Set the $base-component variable to the base suffix of the DIT. Example:
   madisonparc

4. In the directory where the script is located, at the command line enter the following:

   perl udpate-users.pl

5. When prompted, provide the following information:

   Enter Host Name: Enter the name of the computer system in which your Directory Server is installed.

   Enter Bind User Name: Enter a username that has sufficient privileges for accessing the entire directory. Example: cn=Directory Manager

   Enter Bind password: Enter the password for the user you specified above.

   Enter port number: Enter the Directory Server port number. Example: 389

6. To check the results, open the LDIF file that is created (for example: users-update.ldif) and verify that the appropriate changes were made.

Step 9e: Mark Static Groups

To each group entry containing values for the uniquemember attribute, add the following object classes:

• iplanet-am-managed-static-group

• iplanet-am-managed-group

Example

objectClass: top

objectClass: groupofuniquenames

objecClass: iplanet-am-managed-static-group

objecClass: ipanet-am-managed-group

uniquemember: uid=enguser1,ou=Engineering Users,o=eng,o=madisonparc

uniquemember: uid=enguser2,ou=Engineering Users,o=eng,o=madisonparc

uniquemember: uid=enguser3,ou=Engineering Users,o=eng,o=madisonparc

uniquemember: uid=enguser4,ou=Engineering Users,o=eng,o=madisonparc

dn: ou=Groups,o=Sales, o=madisonparc

objectClass: top

objectClass: organizationalunit

dn: cn=Sales Admins,o=Sales,o=madisonparc

objectClass: top

objectClass: groupofuniquenames

objecClass: iplanet-am-managed-static-group

objecClass: ipanet-am-managed-group

uniquemember: uid=salesadmin,ou=Sales Users,o=Sales,o=madisonparc

dn: cn=Sales Users,o=Sales,o=madisonparc

objectClass: top

objectClass: groupofuniquenames

objecClass: iplanet-am-managed-static-group

objecClass: ipanet-am-managed-group

uniquemember: uid=salesuser1,ou=Sales Users,o=sales,o=madisonparc

uniquemember: uid=salesuser2,ou=Sales Users,o=sales,o=madisonparc

uniquemember: uid=salesuser3,ou=Sales Users,o=sales,o=madisonparc

uniquemember: uid=salesuser4,ou=Sales Users,o=sales,o=madisonparc

:

To Mark Static Groups Using the Sample Script

1. Copy update-static-groups.pl to the following directory:

   Directory_Server_root/shared/bin

2. Set the $base variable to the base suffix of the DIT to be managed by DSAME. Example:  o=madisonparc.

3. In the directory where the script is located, at the command line enter the following:

   perl update-static-groups.pl

   When prompted, provide the following information:

   Enter Host Name: Enter the name of the computer system in which your Directory Server is installed.

   Enter Bind User Name: Enter a username that has sufficient privileges for accessing the entire directory. Example: cn=Directory Manager

   Enter Bind password: Enter the password for the user you specified above.

   Enter port number: Enter the Directory Server port number. Example: 389

4. To check the results, open the LDIF file that is created (for example: static-groups-update.ldif) and verify that the appropriate changes were made.

Step 9f: Mark Filtered (Dynamic) Groups

In filtered groups, users are included in a single group based on their DN.

Add the following object classes (no attribute) to each filtered group:

• iplanet-am-managed-group

• iplanet-am-managed-filtered-group

To Mark Filtered Groups Using the Sample Script

1. Copy update-filtered-groups.pl to the following directory:

   Directory_Server_root/shared/bin

2. Set the $base variable to the base suffix of the DITto be managed by DSAME. Example: o=madisonparc

3. In the directory where the script is located, at the command line enter the following:

   perl update-filtered-groups.pl

4. When prompted, provide the following information:

   Enter Host Name: Enter the name of the computer system in which your Directory Server is installed.

   Enter Bind User Name: Enter a username that has sufficient privileges for accessing the entire directory. Example: cn=Directory Manager

   Enter Bind password: Enter the password for the user you specified above.

   Enter port number: Enter the Directory Server port number. Example: 389

5. To check the results, open the LDIF file that is created (for example: update-filtered-groups-update.ldif) and verify that the appropriate changes were made.

Step 9g: Mark Assignable Dynamic Groups

An assignable dynamic group is similar to a filtered group, but uses a DN in the user entry to point to the group.

Add the following object classes to each assignable dynamic group:

• iplanet-am-managed-group

• iplanet-am-managed-assignable-group

To Mark Assignable Dynamic Groups Using the Sample Script

1. Copy update-assignable-dynamic-groups.pl to the following directory:

   Directory_Server_root/shared/bin

2. Set the $base variable to the base suffix of the DITto be managed by DSAME. Example: o=madisonparc

3. In the directory where the script is located, at the command line enter the following:

   perl update-assignable-dynamic-groups.pl

4. When prompted, provide the following information:

   Enter Host Name: Enter the name of the computer system in which your Directory Server is installed.

   Enter Bind User Name: Enter a username that has sufficient privileges for accessing the entire directory. Example: cn=Directory Manager

   Enter Bind password: Enter the password for the user you specified above.

   Enter port number: Enter the Directory Server port number. Example: 389

5. To check the results, open the LDIF file that is created (for example: assignable-dynamic-groups-update.ldif) and verify that the appropriate changes were made.

Step 9h: Mark Group Containers

Group containers are organizational units (ou) that contain groups. To each group container, add the following object class:

iplanet-am-managed-group-container

To Mark Group Containers Using the Sample Script

1. Copy update-groups.pl to the following directory:

   Directory_Server_root/shared/bin

2. Set the $base variable to the base suffix of the DITto be managed by DSAME. Example:   o=madisonparc.

3. In the directory where the script is located, at the command line enter the following command:

   perl update-groups.pl

4. When prompted, provide the following information:

   Enter Host Name: Enter the name of the computer system in which your Directory Server is installed.

   Enter Bind User Name: Enter a username that has sufficient privileges for accessing the entire directory. Example: cn=Directory Manager

   Enter Bind password: Enter the password for the user you specified above.

   Enter port number: Enter the Directory Server port number. Example: 389

5. To check the results, open the LDIF file that is created (for example: groups-update.ldif) and verify that the appropriate changes were made.

Step 10: Load the Modified LDIF Files

---

After you run the scripts in the previous steps, the various LDIF files are created in the same directory where the Perl scripts are run. Until now, no changes have actually been made in the directory. Before loading the modified files into the directory, it is a good practice to inspect the files to make sure that all DSAME object classes and attributes have been properly added to the existing directory entries. Once you're satisfied that the appropriate changes have been made, load each file using the following ldapmodify command:

ldapmodify -h hostname -p port -D bind_user, -w password -a -c -f filename.ldif

Results of DSAME and Directory Modifications

---

After making the modifications in the previous steps, all entries in the DIT will be manageable by DSAME. The existing ACIs for the organization administrators do not have to be modified. Even though DSAME uses roles and ACIs by default, your existing groups and ACIs will still work.

You can convert a groups-based DIT to one that leverages roles and ACIs. If you choose to do this, you can use the DSAME organization administrator roles and assign them to your existing organizationList administrators.