Sun Java System Identity Server 2004Q2 Administration Guide
Chapter 41
User Attributes
There are two places that house user attributes: the Service Configuration window and the User Management window. The Service Configuration window contains the default attributes for registered organizations; the User Management window contains user entry attributes.
User Service Attributes
The User Service Attributes are dynamic attributes. The values applied to dynamic attributes are assigned to a role or an organization configured in Identity Server. When the role is assigned to a user, or the user is assigned to the organization, the dynamic attributes become a characteristic of that user. The User Attributes are divided into:
Default user values are set for all Identity Server registered organizations. These values can be set differently for separate organizations by registering the User service to the specific organization, creating a template, and entering a value other than the default.
User Preferred Language
This field specifies the user’s choice for the text language displayed in the Identity Server console. The default value is en. This value maps a set of localization keys to the user session so that the on-screen text appears in a language appropriate for the user.
User Preferred Timezone
This field specifies the time zone in which the user accesses the Identity Server console. There is no default value.
Inherited Locale
This field specifies the locale for the user. The default value is en_US. Any value from Table 20-1 on page 253 can be used.
Administrator DN Starting View
If this user is an Identity Server administrator, this field specifies the node that is displayed as the starting point in the Identity Server console when the user logs in. There is no default value. Any valid DN to which the user has at least read access can be used.
Default User Status
This option indicates the default status for any newly created user. This status is superseded by the User Entry status. Only active users can authenticate through Identity Server. The default value is Active. Either of the following can be selected from the pull-down menu:
- Active – The user can authenticate through Identity Server.
- Inactive – The user cannot authenticate through Identity Server, but the user profile remains stored in the directory.
The individual user status is set by registering the User service, choosing the value, applying it to a role and adding the role to the user’s profile.
User Profile Attributes
The User Profile Attributes are default attributes for user profiles. These values are set in the User Profile view by an administrator, or by the user after logging on. Administrators can add their own user attributes to the user profile or create a new service. For more information, see the Identity Server Developer's Guide.
First Name
This field takes the first name of the user. (The First Name value and the Last Name value identify the user in the Currently Logged In field in the upper right corner of the Identity Server console.)
Last Name
This field takes the last name of the user. (The First Name value and the Last Name value identify the user in the Currently Logged In field in the upper right corner of the Identity Server console.)
Full Name
This field takes the full name of the user.
Password
This field takes the password for the name specified in the UserId field.
Password (Confirm)
Confirmation of the password.
Email Address
This field takes the email address of the user.
Employee Number
This field takes the employee number of the user.
Telephone Number
This field takes the telephone number of the user.
Home Address
This field can take the home address of the user.
User Status
This option indicates whether the user is allowed to authenticate through Identity Server. Only active users can authenticate through Identity Server. The default value is Active. Either of the following can be selected from the pull-down menu:
- Active – The user can authenticate through Identity Server.
- Inactive – The user cannot authenticate through Identity Server, but the user profile remains stored in the directory.
Account Expiration Date
If this attribute is present, the authentication service will disallow login if the current date and time has passed the specified Account Expiration Date. The format for this attribute is as follows:
(mm/dd/yyyy hh:mm)
User Authentication Configuration
This attribute sets the authentication method for the user. The default authentication method is LDAP. One or more authentication methods can be selected by clicking the Edit link. If more than one method is selected, the user may have to authenticate successfully to all of the selected methods.
User Alias List
This field defines a list of aliases that may be applied to the user. To use any aliases configured in this attribute, the LDAP service must be modified by adding the iplanet-am-user-alias-list attribute to the User Entry Search Attributes field of the LDAP service.
Preferred Locale
This field specifies the locale for the user. The default value is en_US. Any value from Table 20-1 on page 253 can be used.
You can use one of the following attributes in the pull-down menu:
Success URL
This field accepts a list of multiple values that specify the URL to which users are redirected after successful authentication. The format of this attribute is clientType|URL; if only the URL is specified, the client type defaults to HTML.
Failure URL
This field accepts a list of multiple values that specify the URL to which users are redirected after an unsuccessful authentication. The format of this attribute is clientType|URL; if only the URL is specified, the client type defaults to HTML.
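As an added example (not part of the guide and not Identity Server's own code), the following Python models the login gate formed by the User Status and Account Expiration Date fields above, together with selecting a redirect from a clientType|URL list as described for Success URL and Failure URL. The dictionary keys mirror the field names in this chapter; the sample entry and the fallback to the HTML entry for an unknown client type are assumptions of the example.

```python
from datetime import datetime
from typing import Iterable, Optional

EXPIRY_FORMAT = "%m/%d/%Y %H:%M"   # the (mm/dd/yyyy hh:mm) format given in the chapter

# Constructed sample user entry; keys mirror the field names in this chapter.
SAMPLE_ENTRY = {
    "User Status": "Active",
    "Account Expiration Date": "12/31/2004 23:59",
    "Success URL": ["wml|http://portal.example.com/wml", "http://portal.example.com/home"],
    "Failure URL": ["http://portal.example.com/denied"],
}

def account_expired(value: Optional[str], now: datetime) -> bool:
    """True when an Account Expiration Date is present and 'now' is past it.
    A missing attribute never expires; a malformed value is treated as
    expired (fail closed) rather than silently allowing the login."""
    if not value:
        return False
    try:
        expires = datetime.strptime(value.strip(), EXPIRY_FORMAT)
    except ValueError:
        return True
    return now > expires

def login_allowed(entry: dict, now: datetime) -> bool:
    """Only Active users may authenticate, and only before their expiration date."""
    if entry.get("User Status", "Active") != "Active":
        return False
    return not account_expired(entry.get("Account Expiration Date"), now)

def pick_redirect(values: Iterable[str], client_type: str = "HTML") -> Optional[str]:
    """Choose the URL for client_type from a clientType|URL list.
    A value without '|' is a bare URL of type HTML. Falling back to the
    HTML entry for an unknown client type is an assumption of this example."""
    fallback = None
    for raw in values:
        ctype, sep, url = raw.partition("|")
        if not sep:
            ctype, url = "HTML", raw
        if ctype == client_type:
            return url
        if ctype == "HTML" and fallback is None:
            fallback = url
    return fallback

def post_auth_redirect(entry: dict, now: datetime, client_type: str = "HTML") -> Optional[str]:
    """Success URL when the login gate passes, Failure URL otherwise."""
    key = "Success URL" if login_allowed(entry, now) else "Failure URL"
    return pick_redirect(entry.get(key, []), client_type)
```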
Unique User IDs
In order to enforce uid uniqueness within the Identity Server application, the uid uniqueness plug-in available in Directory Server must be configured as follows:
dn: cn=uid uniqueness,cn=plugins,cn=config
objectClass: top
objectClass: nsSlapdPlugin
objectClass: extensibleObject
cn: uid uniqueness
nsslapd-pluginPath: /ids908/lib/uid-plugin.so
nsslapd-pluginInitfunc: NSUniqueAttr_Init
nsslapd-pluginType: preoperation
nsslapd-pluginEnabled: on
nsslapd-pluginarg0: attribute=uid
nsslapd-pluginarg1: markerObjectClass=nsManagedDomain
nsslapd-plugin-depends-on-type: database
nsslapd-pluginId: NSUniqueAttr
nsslapd-pluginVersion: 6.1
nsslapd-pluginVendor: Sun | SunONE
nsslapd-pluginDescription: Enforce unique attribute values
It is recommended that the nsManagedDomain object class be used to mark each organization in which uid uniqueness is desired. The plug-in is not enabled by default.
To configure the uniqueness of uids per organization, either add the DN for each organization in the plug-in entry or use the marker object class option and add nsManagedDomain to each top-level organization entry.
nsslapd-pluginEnabled: on
nsslapd-pluginarg0: attribute=uid
nsslapd-pluginarg1: markerObjectClass=nsManagedDomain
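As an added example (not the guide's own material), the following Python parses a plug-in entry and an organization entry in the LDIF shape shown above and reports whether uid uniqueness would be enforced for that organization under either of the two configuration options from this section. The sample entries are constructed, and the parser handles only the simple "name: value" lines seen here.

```python
# Constructed sample entries (not from the guide), in the LDIF shape the
# chapter shows; only the attributes the check needs are included.
PLUGIN_LDIF = """\
dn: cn=uid uniqueness,cn=plugins,cn=config
nsslapd-pluginEnabled: on
nsslapd-pluginarg0: attribute=uid
nsslapd-pluginarg1: markerObjectClass=nsManagedDomain
"""
ORG_LDIF = """\
dn: o=example,dc=example,dc=com
objectClass: top
objectClass: organization
objectClass: nsManagedDomain
"""

def parse_ldif_entry(text):
    """Parse one entry into {attribute-lowercased: [values]}.
    Handles only plain 'name: value' lines (no base64 '::' or line folding)."""
    entry = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        entry.setdefault(name.strip().lower(), []).append(value.strip())
    return entry

def uniqueness_covers(plugin, org):
    """Return (covered, reason) for the organization entry, following the
    two options in this section: list the organization DN as a plug-in
    argument, or set markerObjectClass and tag the organization with it."""
    if plugin.get("nsslapd-pluginenabled", ["off"])[0].lower() != "on":
        return False, "plug-in is not enabled (the default)"
    args = [v.lower() for k, vs in plugin.items()
            if k.startswith("nsslapd-pluginarg") for v in vs]
    if "attribute=uid" not in args:
        return False, "plug-in does not enforce uniqueness on uid"
    marker = next((a.split("=", 1)[1] for a in args
                   if a.startswith("markerobjectclass=")), None)
    if marker:
        classes = [c.lower() for c in org.get("objectclass", [])]
        if marker in classes:
            return True, "organization carries marker object class " + marker
        return False, "marker object class " + marker + " missing from organization"
    if org["dn"][0].lower() in args:
        return True, "organization DN is listed in the plug-in arguments"
    return False, "organization DN not listed and no marker object class set"
```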