In this release of Delegated Administrator, you must use the custom service-provider template (da.provider.skeleton.ldif) provided by Delegated Administrator to create your own provider organizations and SPAs.
You also can install a sample provider organization (with subordinate organizations) and a sample SPA in your directory when you run the Delegated Administrator configuration program. You do this by choosing to Load Sample Organizations in the configuration program.
However, the sample organization template (da.sample.data.ldif) is meant to be used as an example, not as a template for creating your own provider organizations. For details about this example, see Sample Service-Provider Organization Data, later in this appendix.
Once you have created a provider organization and an SPA, the SPA can log into the Delegated Administrator console, create and manage subordinate organizations, and assign the SPA role to other users in the SPA’s organization. However, these SPAs can only manage the same provider organization.
To create another provider organization and an SPA to manage it, you should use the custom service-provider template again.
This section contains the following topics:
Entries Created by the Template shows an example of the organizations created when an edited copy of the template is installed in the directory.
Information Needed to Create a Provider Organization, Subordinate Organization, and SPA defines the parameters in the template required to create a provider organization, a subordinate shared organization, and an SPA.
Steps for Creating a Provider Organization and Service Provider Administrator explains how to edit the template and install the information in your directory.
Custom Service-Provider Template is a listing of the template.
When you install your edited copy of the custom service-provider template in the directory, the following entries are created:
A provider organization
A subordinate shared organization designated to hold the SPA user
One user in the subordinate organization to whom the SPA role is assigned
A placeholder node under which full organizations can be created. These full organizations will be managed by the SPA for this provider organization.
Figure A–2 shows an example of the entries created by installing the template. It is a Directory Information Tree (DIT) view of the organizations.
Figure A–2 is only an example. Your organization names, SPA user name, and DIT structure should be specific to your own installation.
The nodes in the example shown in Figure A–2 are as follows:
o=usergroup - The root suffix for user/group data.
o=siroe.com - The mail domain used by the provider organization.
o=MyProviderOrg - The provider organization node.
o=MySPAUserOrg - The subordinate shared organization designated to hold the provider organization users, including the user assigned the SPA role.
ou=people - The standard LDAP organization unit required for containing users.
uid=user1 - The uid of the user in the MySPAUserOrg organization who is assigned to be the SPA.
o=MyProviderOrgDomainsRoot - The placeholder node for holding full organizations subordinate to the MyProviderOrg provider organization.
To create a provider organization, one subordinate organization, and an SPA, you need to replace parameters in the custom service-provider template with information specific to your installation.
As you read about these parameters, you can look at a listing of the da.provider.skeleton.ldif shown in Custom Service-Provider Template. Or open the actual ldif file, located in the following directory:
da_base/lib/config-templates
For definitions of the attributes associated with these parameters, see “Chapter 5: Communications Services Delegated Administrator Classes and Attributes (Schema 2)” and “Chapter 3: Messaging Server and Calendar Server Attributes” in the Sun Java System Communications Services Schema Reference.
To create a provider organization and subordinate organization, edit the following parameters:
ugldapbasedn
Root suffix of user/group data in your directory.
Examples:
o=usergroup
dc=red,dc=iplanet,dc=com
maildomain_dn
Complete DN of the mail domain underneath which the provider organization will be created.
Examples:
o=siroe.com, o=usergroup
o=sesta.com,o=SharedDomainsRoot,o=Business,dc=red,dc=iplanet,dc=com
maildomain_dn_str
The mail domain DN with all commas (,) replaced by underscores (_).
For example, if the mail domain DN is
o=siroe.com,o=SharedDomainsRoot,o=Business,dc=red,dc=iplanet,dc=com
The mail domain DN string will be
o=siroe.com_o=SharedDomainsRoot_o=Business_dc=red_dc=iplanet_dc=com
providerorg
Name of the provider organization. The directory node where the provider organization resides will be given this name.
This parameter is used multiple times in the da.provider.skeleton.ldif template.
Examples:
sunProviderOrgDN: o=MyProviderOrg,o=siroe.com,o=usergroup
o=MyProviderOrg
sunBusinessOrgBase: o=MyProviderOrgdomainsroot, o=usergroup
servicepackage
Name of a service package that can be assigned to users in the organizations subordinate to the provider organization. This is a multivalued parameter.
In the “Provider Organization” section of the da.provider.skeleton.ldif file, you will see the following attribute:
sunIncludeServices: <servicepackage>
For each service package you want to include in the provider organization, add one instance of the sunIncludeServices attribute and servicepackage parameter. Only those service packages listed here can be assigned to users in subordinate organizations.
Example:
sunIncludeServices: gold
sunIncludeServices: platinum
sunIncludeServices: ruby
sunIncludeServices: silver
If you do not use the sunIncludeServices attribute (if you delete the line containing the servicepackage parameter), all service packages in the directory can be assigned.
domain_name
Domain name that can be assigned to subordinate organizations in the provider organization. This is a multivalued parameter.
In the “Provider Organization” section of the da.provider.skeleton.ldif file, you will see the following attribute:
sunAssignableDomains: <domain_name>
The domain names in the sunAssignableDomains attribute are a subset (some or all) of the names listed in the mail domain organization’s sunPreferredDomain and associatedDomain attributes. (The mail domain is the organization under which this provider organization is created.)
For each domain name you want to include in the provider organization, add one instance of the sunAssignableDomains attribute and domain_name parameter. Only the domain names listed here can be assigned to subordinate organizations.
Example:
sunAssignableDomains: siroe.com
sunAssignableDomains: siroe.net
sunAssignableDomains: varrius.com
sunAssignableDomains: sesta.com
sunAssignableDomains: sesta.net
provider_sub_org
Name of the shared organization in which the SPA user resides. When you install the edited ldif information in the directory, this organization is created as shared and subordinate to the provider organization. It is designated as the organization that contains the SPA user. Other users who are assigned the SPA role for this provider organization must reside in this subordinate shared organization.
In the “Provider Organization” section of the da.provider.skeleton.ldif file, you will see the following attribute:
sunProviderOrgDN: o=<provider_sub_org>,o=<providerorg>,<maildomain_dn>
The sunProviderOrgDN attribute identifies the organization designated for provider organization users, particularly the SPA user.
Example:
sunProviderOrgDN: o=MySPAUserOrg,o=MyProviderOrg,o=siroe.com,o=usergroup
preferredmailhost
Machine name of the preferred mail host for the provider organization’s subordinate organization (in which the SPA user resides). You must use a fully qualified domain name (FQDN).
In the “Shared Subordinate Organization” section of the da.provider.skeleton.ldif file, you will see the following attribute:
preferredMailHost: <preferredmailhost>
Example:
preferredMailHost: mail.siroe.com
available_domain_name
Domain name that can be assigned to a user in a particular subordinate organization. This is a multivalued parameter.
The values for available_domain_name are a proper subset of the values given for the sunAssignableDomains: <domain_name> attribute and parameter. Whereas domain_name applies to the entire provider organization, available_domain_name applies to a single subordinate organization.
In the “Shared Subordinate Organization” section of the da.provider.skeleton.ldif file, you will see the following attribute:
sunAvailableDomainNames: <available_domain_name>
For each domain name you want this subordinate organization to inherit from the list of domain names in the provider organization’s sunAssignableDomains attribute, add one instance of the sunAvailableDomainNames attribute and available_domain_name parameter. Only the domain names listed here can be assigned to the subordinate organization.
Example:
sunAvailableDomainNames: siroe.com
sunAvailableDomainNames: siroe.net
sunAvailableDomainNames: varrius.com
available_services
Service package available to a particular subordinate organization. This is a multivalued parameter.
The service packages assigned to the subordinate organization are a subset of those assigned to the entire provider organization with the sunIncludeServices attribute.
In the “Shared Subordinate Organization” section of the da.provider.skeleton.ldif file, you will see the following attribute:
sunAvailableServices: <available_services>
The format of the available_services parameter is
service package name:count
where count is an integer. If count is absent, the default value is an unlimited number.
For each service package you want this subordinate organization to inherit from the service packages available in the provider organization’s sunIncludeServices attribute, add one instance of the sunAvailableServices attribute and available_services parameter.
Example:
sunAvailableServices: gold:1500
sunAvailableServices: platinum:2000
sunAvailableServices: silver:5000
To create an SPA, edit the following parameters:
spa_uid
The user ID for the SPA user.
Example:
uid: user1
spa_password
The password for the SPA user.
Example:
userPassword: x12P3&qrS
spa_firstname
The first name of the SPA user.
Example:
givenname: John
spa_lastname
The last name of the SPA user.
Example:
sn: Smith
spa_servicepackage
The service package assigned to the SPA user. For information about service packages, see Service Packages in Chapter 1, Delegated Administrator Overview.
Example:
inetCos: platinum
spa_mailaddress
The mail address of the SPA user. The domain part of the mail address must be one of the domain values that replace the available_domain_name parameter. That is, it must be a domain that has been made available for use in the subordinate organization in which the SPA user resides. For more information, see Parameters Defining the Provider and Subordinate Organization.
Example:
mail: user1@siroe.com
For instructions in how to edit the custom service-provider template and install the information in your directory, see Steps for Creating a Provider Organization and Service Provider Administrator.
You use an ldif file, da.provider.skeleton.ldif, to perform the following procedure.
Create a mail domain in the directory.
If you have not already done so, create a mail domain in your directory. The provider organization and its subordinate shared organizations will use this mail domain.
Copy and rename the da.provider.skeleton.ldif file.
When you install Delegated Administrator, the da.provider.skeleton.ldif file is installed in the following directory:
da_base/lib/config-templates
Edit the following parameters in your copy of the da.provider.skeleton.ldif file. Replace the parameters with the correct values for your installation.
For definitions of the parameters, see Information Needed to Create a Provider Organization, Subordinate Organization, and SPA.
Some parameters are used more than once in the ldif file. You must search for and replace all instances of each parameter.
A few parameters represent values for multivalued attributes. You can copy and edit these parameters, together with their associated attribute names, to allow multiple instances of these attributes in your ldif file. Multivalued parameters are noted below.
<ugldapbasedn>
<maildomain_dn>
<maildomain_dn_str>
<providerorg>
<servicepackage> (multivalued)
<domain_name> (multivalued)
<provider_sub_org>
<preferredmailhost>
<available_domain_name> (multivalued)
<available_services> (multivalued)
<spa_uid>
<spa_password>
<spa_firstname>
<spa_lastname>
<spa_servicepackage>
<spa_mailaddress>
For definitions of the attributes associated with these parameters, see “Chapter 5: Communications Services Delegated Administrator Classes and Attributes (Schema 2)” and “Chapter 3: Messaging Server and Calendar Server Attributes” in the Sun Java System Communications Services Schema Reference.
Use the LDAP directory tool ldapmodify to install the provider organization and SPA in the directory.
For example, you could run the following command:
ldapmodify -D <directory manager> -w <password> \
    -f <da.provider.finished.ldif>
where
<directory manager> is the name of the Directory Server administrator.
<password> is the password of the Directory Server administrator.
<da.provider.finished.ldif> is the name of the edited ldif file to be installed as a new provider organization and SPA in the directory.
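The steps above (copy the skeleton, replace every instance of every parameter, repeat the lines that carry multivalued parameters, then load the result with ldapmodify) can be automated and checked before anything is written to the directory. ldapmodify itself does not verify the relationships this appendix requires between the parameters, so a value that is wrong but schema-valid is loaded as-is. The Python script below is an added example, not part of Delegated Administrator and not the product's own tooling. It works on a constructed, abbreviated stand-in for da.provider.skeleton.ldif (only the parameterized attributes of the three entries; the Access Manager entries and ACIs are omitted) and on parameter values taken from the examples in this appendix, with a placeholder password. The checks it applies are the ones stated under Information Needed to Create a Provider Organization, Subordinate Organization, and SPA: maildomain_dn_str is maildomain_dn with commas replaced by underscores, available_domain_name values come from domain_name, available_services names come from servicepackage (or any package when servicepackage is left out) with an integer count when one is given, the SPA mail domain comes from available_domain_name, and preferredmailhost is an FQDN. The final check, that no placeholder survives outside comments, follows from the instruction to search for and replace all instances.

```python
"""Fill a copy of da.provider.skeleton.ldif and check the parameter values.

Added example, not part of Delegated Administrator. It assumes the
<parameter> placeholders listed in this appendix and that every line
carrying a multivalued placeholder is repeated once per value.
"""
import re

PLACEHOLDER = re.compile(r"<([a-z_]+)>")
MULTIVALUED = {"servicepackage", "domain_name",
               "available_domain_name", "available_services"}

# Constructed, abbreviated stand-in for the skeleton: only the parameterized
# attributes of the three entries; Access Manager entries and ACIs omitted.
SKELETON = """\
# <maildomain> in this comment is not a parameter and must be left alone.
dn: o=<providerorg>,<maildomain_dn>
changetype: add
o: <providerorg>
objectClass: top
objectClass: organization
objectClass: sunManagedProvider
sunBusinessOrgBase: o=<providerorg>DomainsRoot,<ugldapbasedn>
sunIncludeServices: <servicepackage>
sunAssignableDomains: <domain_name>
sunProviderOrgDN: o=<provider_sub_org>,o=<providerorg>,<maildomain_dn>

dn: o=<provider_sub_org>,o=<providerorg>,<maildomain_dn>
changetype: add
o: <provider_sub_org>
preferredMailHost: <preferredmailhost>
sunAvailableDomainNames: <available_domain_name>
sunAvailableServices: <available_services>

dn: uid=<spa_uid>,ou=People,o=<provider_sub_org>,o=<providerorg>,<maildomain_dn>
changetype: add
uid: <spa_uid>
sn: <spa_lastname>
givenname: <spa_firstname>
mail: <spa_mailaddress>
inetCos: <spa_servicepackage>
userPassword: <spa_password>
"""

# Constructed values, following the examples in this appendix.
PARAMS = {
    "ugldapbasedn": "o=usergroup",
    "maildomain_dn": "o=siroe.com,o=usergroup",
    "maildomain_dn_str": "o=siroe.com_o=usergroup",
    "providerorg": "MyProviderOrg",
    "servicepackage": ["gold", "platinum", "silver"],
    "domain_name": ["siroe.com", "siroe.net"],
    "provider_sub_org": "MySPAUserOrg",
    "preferredmailhost": "mail.siroe.com",
    "available_domain_name": ["siroe.com"],
    "available_services": ["gold:1500", "platinum"],   # no count = unlimited
    "spa_uid": "user1",
    "spa_password": "REPLACE-WITH-REAL-PASSWORD",      # placeholder value
    "spa_firstname": "John",
    "spa_lastname": "Smith",
    "spa_servicepackage": "platinum",
    "spa_mailaddress": "user1@siroe.com",
}


def check_parameters(p):
    """Return the constraint violations stated in the appendix ([] if none)."""
    problems = []
    if p["maildomain_dn_str"] != p["maildomain_dn"].replace(",", "_"):
        problems.append("maildomain_dn_str must be maildomain_dn with ',' replaced by '_'")
    if "." not in p["preferredmailhost"]:
        problems.append("preferredmailhost must be a fully qualified domain name")
    for d in p["available_domain_name"]:
        if d not in p["domain_name"]:
            problems.append(f"available_domain_name {d!r} is not in domain_name")
    for item in p["available_services"]:
        name, sep, count = item.partition(":")
        # an empty servicepackage list means every package in the directory may be assigned
        if p["servicepackage"] and name not in p["servicepackage"]:
            problems.append(f"available_services {name!r} is not in servicepackage")
        if sep and not count.isdigit():
            problems.append(f"available_services {item!r} has a non-integer count")
    mail_domain = p["spa_mailaddress"].rpartition("@")[2]
    if mail_domain not in p["available_domain_name"]:
        problems.append(f"spa_mailaddress domain {mail_domain!r} is not in available_domain_name")
    return problems


def fill_template(skeleton, p):
    """Replace placeholders; a line with a multivalued placeholder is emitted once per value."""
    out = []
    for line in skeleton.splitlines():
        if line.startswith("#"):            # comment lines pass through untouched
            out.append(line)
            continue
        names = PLACEHOLDER.findall(line)
        unknown = [n for n in names if n not in p]
        if unknown:
            raise ValueError(f"no value for placeholder(s) {unknown} in: {line}")
        multi = [n for n in names if n in MULTIVALUED]
        values = p[multi[0]] if multi else [None]
        for value in values:
            out.append(PLACEHOLDER.sub(
                lambda m: value if m.group(1) in MULTIVALUED else p[m.group(1)], line))
    return "\n".join(out) + "\n"


def leftover_placeholders(ldif_text):
    """Placeholders still present outside comments; must be [] before running ldapmodify."""
    return sorted({n for line in ldif_text.splitlines() if not line.startswith("#")
                   for n in PLACEHOLDER.findall(line)})


if __name__ == "__main__":
    for problem in check_parameters(PARAMS):
        print("PROBLEM:", problem)
    filled = fill_template(SKELETON, PARAMS)
    print(filled)
    print("unreplaced placeholders:", leftover_placeholders(filled))
```

Run it against a full copy of the skeleton by reading the file into SKELETON in place of the constructed stand-in; the comment header of the real template is skipped by the same rule, and the filled output is what you would pass to ldapmodify with -f.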
The template (da.provider.skeleton.ldif) contains parameters that you must modify to create a new provider organization and SPA.
The listing below shows the sections of the ldif file that have parameters. The listing does not include the entire file. Entries and ACIs required to support Access Manager are not included here.
You should only modify the parameters in the ldif file. Do not modify the sections of the file related to Access Manager.
#
# The following parameterized values must be replaced.
#
# <ugldapbasedn>          :: Root suffix for user/group data
# <maildomain_dn>         :: Complete dn of the mail domain underneath
#                            which the provider organization will be
#                            created.
# <maildomain_dn_str>     :: The maildomain dn with all ',' replaced
#                            by '_'. E.g.
#                            dn --> o=siroe.com,o=SharedDomainsRoot,
#                                   o=Business,dc=red,dc=iplanet,dc=com
#                            dn_str --> o=siroe.com_o=SharedDomainsRoot_
#                                   o=Business_dc=red_dc=iplanet_dc=com
# <providerorg>           :: Organization value for provider node.
# <servicepackage>        :: One for each service package to include.
#                            All service packages in the system
#                            may be assigned by leaving this value empty.
# <domain_name>           :: One for each DNS name which may be assigned
#                            to a subordinate organization.
#                            These names form a proper subset (some or
#                            all) of the names listed in the <maildomain>
#                            organization's sunpreferreddomain
#                            and associateddomain attributes.
# <provider_sub_org>      :: Organization value for the shared subordinate
#                            organization in which the Provider
#                            Administrator resides.
# <preferredmailhost>     :: Name of the preferred mail host for the
#                            provider's subordinate organization.
# <available_domain_name> :: One for each DNS name that an organization
#                            allows an organization admin to use when
#                            creating a user's mail address. This is
#                            a proper subset of the values given for
#                            <domain_name> (sunAssignableDomains attribute).
# <available_services>    :: One for each service package available to an
#                            organization (sunAvailableServices attribute).
#                            These service packages form a proper subset
#                            of the ones assigned to a provider organization
#                            - <servicepackage> (sunIncludeServices
#                            attribute). Form is
#                            <service package name>:<count>
#                            where count is an integer. If count is absent
#                            then default is unlimited.
# <spa_uid>               :: The uid for the service provider administrator.
# <spa_password>          :: The password for the service provider
#                            administrator.
# <spa_firstname>         :: First name of the service provider
#                            administrator.
# <spa_lastname>          :: Last name of the service provider
#                            administrator.
# <spa_servicepackage>    :: Service package assigned to the service
#                            provider administrator.
# <spa_mailaddress>       :: The spa's mail address. The domain part of the
#                            mail address must be one of the values used for
#                            <available_domain_name>.
#
#
# Provider Organization
#
dn: o=<providerorg>,<maildomain_dn>
changetype: add
o: <providerorg>
objectClass: top
objectClass: sunismanagedorganization
objectClass: sunmanagedorganization
objectClass: organization
objectClass: sunManagedProvider
sunAllowBusinessOrgType: full
sunAllowBusinessOrgType: shared
sunBusinessOrgBase: o=<providerorg>domainsroot,<ugldapbasedn>
sunIncludeServices: <servicepackage>
sunAssignableDomains: <domain_name>
sunAllowMultipleDomains: true
sunAllowOutsideAdmins: false
sunProviderOrgDN: o=<provider_sub_org>,o=<providerorg>,<maildomain_dn>

# .
# .
# [Entries and ACIs required by Access Manager]
# .
# .

#
# Full Organizations node
#
dn: o=<providerorg>DomainsRoot,<ugldapbasedn>
changetype: add
o: <providerorg>DomainsRoot
objectClass: top
objectClass: organization
objectClass: sunmanagedorganization

# .
# .
# [Entries and ACIs required by Access Manager]
# .
# .

#
# Provider Admin Role shared organizations
#
dn: cn=Provider Admin Role,o=<providerorg>,<maildomain_dn>
changetype: add
cn: Provider Admin Role
objectClass: ldapsubentry
objectClass: nssimpleroledefinition
objectClass: nsroledefinition
objectClass: nsmanagedroledefinition
objectClass: iplanet-am-managed-role
objectClass: top
iplanet-am-role-description: Provider Admin

#
# Provider Admin Role full organizations
#
dn: cn=Provider Admin Role,o=<providerorg>DomainsRoot,<ugldapbasedn>
changetype: add
cn: Provider Admin Role
objectClass: ldapsubentry
objectClass: nssimpleroledefinition
objectClass: nsroledefinition
objectClass: nsmanagedroledefinition
objectClass: iplanet-am-managed-role
objectClass: top
iplanet-am-role-description: Provider Admin

#
# Shared Subordinate Organization. Includes 1 user who is
# the Provider Administrator.
#
dn: o=<provider_sub_org>,o=<providerorg>,<maildomain_dn>
changetype: add
preferredMailHost: <preferredmailhost>
sunNameSpaceUniqueAttrs: uid
o: <provider_sub_org>
objectClass: inetdomainauthinfo
objectClass: top
objectClass: sunismanagedorganization
objectClass: sunnamespace
objectClass: sunmanagedorganization
objectClass: organization
objectClass: sunDelegatedOrganization
objectClass: sunMailOrganization
sunAvailableDomainNames: <available_domain_name>
sunAvailableServices: <available_services>
sunOrgType: shared
sunMaxUsers: -1
sunNumUsers: 1
sunMaxGroups: -1
sunNumGroups: 0
sunEnableGAB: true
sunAllowMultipleServices: true
inetDomainStatus: active
sunRegisteredServiceName: GroupMailService
sunRegisteredServiceName: DomainMailService
sunRegisteredServiceName: UserMailService
sunRegisteredServiceName: iPlanetAMAuthService
sunRegisteredServiceName: UserCalendarService
sunRegisteredServiceName: iPlanetAMAuthLDAPService
sunRegisteredServiceName: DomainCalendarService

# .
# .
# [Entries and ACIs required by Access Manager]
# .
# .

dn: ou=People,o=<provider_sub_org>,o=<providerorg>,<maildomain_dn>
changetype: add
ou: People
objectClass: iplanet-am-managed-people-container
objectClass: organizationalUnit
objectClass: top

dn: ou=Groups,o=<provider_sub_org>,o=<providerorg>,<maildomain_dn>
changetype: add
ou: Groups
objectClass: iplanet-am-managed-group-container
objectClass: organizationalUnit
objectClass: top

# .
# .
# [Entries and ACIs required by Access Manager]
# .
# .

#
# User - provider administrator
#
dn: uid=<spa_uid>,ou=People,o=<provider_sub_org>,o=<providerorg>,<maildomain_dn>
changetype: add
sn: <spa_lastname>
givenname: <spa_firstname>
cn: <spa_firstname> <spa_lastname>
uid: <spa_uid>
iplanet-am-modifiable-by: cn=Top-level Admin Role,<ugldapbasedn>
objectClass: inetAdmin
objectClass: top
objectClass: iplanet-am-managed-person
objectClass: iplanet-am-user-service
objectClass: iPlanetPreferences
objectClass: person
objectClass: organizationalPerson
objectClass: inetuser
objectClass: inetOrgPerson
objectClass: ipUser
objectClass: inetMailUser
objectClass: inetLocalMailRecipient
objectClass: inetSubscriber
objectClass: userPresenceProfile
objectClass: icsCalendarUser
mailhost: <preferredmailhost>
mail: <spa_mailaddress>
maildeliveryoption: mailbox
mailuserstatus: active
inetCos: <spa_servicepackage>
inetUserStatus: Active
nsroledn: cn=Provider Admin Role,o=<providerorg>,<maildomain_dn>
userPassword: <spa_password>