This chapter describes how to add, delete, modify, and manage the users and groups that can access the Proxy Server.
The Administration Server provides access to application data about user accounts, group lists, access privileges, organizational units, and other user- and group-specific information.
User and group information is stored either in flat files in text format, or in a directory server such as Sun Java System Directory Server, which supports LDAP (Lightweight Directory Access Protocol). LDAP is an open directory access protocol that runs over TCP/IP (Transmission Control Protocol/Internet Protocol) and is scalable to a global size and millions of entries.
A directory service enables all user information to be managed from a single source. With Proxy Server, three different types of directory services can be configured: LDAP, key file, and digest file.
If no other directory service has been configured, the first new directory service created is set to the value default, irrespective of its type. When a directory service is created, the server-root/userdb/dbswitch.conf file is updated with directory service details.
This section describes directory services for LDAP, key files, and digest files.
With an LDAP directory service, user and group information is stored in an LDAP-based directory server.
If the LDAP service is the default service, the dbswitch.conf file is updated as shown in the example below:
directory default ldap://test22.india.sun.com:589/dc%3Dindia%2Cdc%3Dsun%2Cdc%3Dcom
default:binddn cn=Directory Manager
default:encoded bindpw YWRtaW5hZG1pbg==
If the LDAP service is a non-default service, the dbswitch.conf file is updated as shown in the example below:
directory ldap ldap://test22.india.sun.com:589/dc%3Dindia%2Cdc%3Dsun%2Cdc%3Dcom
ldap:binddn cn=Directory Manager
ldap:encoded bindpw YWRtaW5hZG1pbg==
The encoded bindpw value is only base64-encoded, not encrypted (the value shown decodes to adminadmin), so dbswitch.conf must be readable only by the account the server runs as. Binding as cn=Directory Manager also gives the Proxy Server full write access to the directory; a bind DN limited to the user and group lookups the server actually performs is preferable.
A key file is a text file that contains the user’s password in a hashed format and the list of groups to which the user belongs. The key file format can only be used when the intent is to use HTTP Basic authentication. For more information about this authentication method, see Specifying Users and Groups.
When a key file-based database is created, the dbswitch.conf file is updated as shown in the example below:
directory keyfile file
keyfile:syntax keyfile
keyfile:keyfile D:\\test22\\keyfile\\keyfiledb
A digest file stores user and group information with each user's password kept as a one-way hash computed over the user name, realm, and password (the value that HTTP Digest authentication needs), so the password itself is not recoverable from the file.
The digest file format is meant to support the use of HTTP Digest authentication but also supports Basic authentication, so it can be used for both authentication methods. For more information about these methods, see Specifying Users and Groups.
When a digest-based database is created, the dbswitch.conf file is updated as shown in the example below:
directory digest file
digest:syntax digest
digest:digestfile D:\\test22\\digest\\digestdb
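The following script is an added example (not part of the Proxy Server product) that parses a dbswitch.conf laid out as in the examples above and reports the settings a reviewer would flag: an ldap:// URL, a superuser bind DN, a base64-only bind password, and flat-file credential stores whose permissions need checking. The file layout it assumes (one directory line per service followed by name:key value lines) is taken from this chapter; SAMPLE is a constructed file that reuses the chapter's values.

```python
"""Audit a Proxy Server dbswitch.conf for weak directory-service settings.

Added example, not part of the Proxy Server product. The parser follows the
layout shown in this chapter: one 'directory <name> <ldap-url|file>' line per
service, followed by '<name>:<key> <value>' property lines. SAMPLE is a
constructed file that reuses the chapter's example values.
"""
import base64
from urllib.parse import unquote, urlparse

SAMPLE = r"""directory default ldap://test22.india.sun.com:589/dc%3Dindia%2Cdc%3Dsun%2Cdc%3Dcom
default:binddn cn=Directory Manager
default:encoded bindpw YWRtaW5hZG1pbg==
directory keyfile file
keyfile:syntax keyfile
keyfile:keyfile D:\\test22\\keyfile\\keyfiledb
"""

# Property keys that are two words long; every other key is a single word.
TWO_WORD_KEYS = ("encoded bindpw",)


def parse_dbswitch(text):
    """Return {service: {"target": ldap-url-or-'file', "props": {key: value}}}."""
    services = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("directory "):
            _, name, target = line.split(None, 2)
            services[name] = {"target": target, "props": {}}
            continue
        name, _, rest = line.partition(":")
        if name not in services:
            raise ValueError(f"property for unknown service {name!r}: {line}")
        for key in TWO_WORD_KEYS:
            if rest.startswith(key + " "):
                value = rest[len(key) + 1:]
                break
        else:
            key, _, value = rest.partition(" ")
        services[name]["props"][key] = value.strip()
    return services


def base_dn(service):
    """Decode the percent-encoded base DN from an LDAP service URL."""
    return unquote(urlparse(service["target"]).path.lstrip("/"))


def decode_bindpw(service):
    """'encoded bindpw' is base64, not encryption: anyone who can read the
    file recovers the bind password."""
    enc = service["props"].get("encoded bindpw")
    return base64.b64decode(enc).decode("utf-8") if enc else None


def audit(services):
    """Return (service, finding) pairs a reviewer would raise."""
    findings = []
    for name, svc in services.items():
        props = svc["props"]
        if svc["target"] == "file":
            path = props.get("keyfile") or props.get("digestfile")
            findings.append((name, f"flat-file credential store at {path}: "
                                   "restrict file permissions to the server account"))
            continue
        url = urlparse(svc["target"])
        if url.scheme == "ldap":
            findings.append((name, f"ldap:// to {url.hostname}:{url.port}: bind password "
                                   "and lookups are sent in clear text unless the directory "
                                   "connection is SSL-protected"))
        if props.get("binddn", "").lower() == "cn=directory manager":
            findings.append((name, "binds as the directory superuser; use a bind DN "
                                   "limited to user and group lookups"))
        pw = decode_bindpw(svc)
        if pw is not None:
            findings.append((name, f"bind password is recoverable from the file "
                                   f"({len(pw)} characters, base64 only)"))
    return findings


if __name__ == "__main__":
    for service, finding in audit(parse_dbswitch(SAMPLE)):
        print(f"[{service}] {finding}")
```

Run it against a copy of server-root/userdb/dbswitch.conf; the decoded password is deliberately not printed, only its length, so the audit output can be shared.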
To configure distributed administration, the default directory service must be an LDAP-based directory service.
A directory service is created and configured on the Global Settings tab in the Administration Server. Users, groups, and organizational units are then created and managed on the Users and Groups tab in the Administration Server.
This section describes how to create and edit directory services.
Access the Administration Server and click the Global Settings tab.
Click the Configure Directory Service link.
From the Create New Service of Type drop-down list, select the type of directory service you want to create and click New.
The configuration page for that directory service appears.
Provide configuration information, and then click Save Changes.
For more information about specific fields, see the online Help.
If no other directory service has been configured, the first new directory service created is set to the value default, irrespective of its type.
Access the Administration Server and click the Global Settings tab.
Click the Configure Directory Service link.
Click the link for the directory service you want to edit.
Make the desired changes, and then click Save Changes.
For more information about specific fields, see the online help.
The Users and Groups tab in the Administration Server is used to create or modify users, groups, and organizational units. A user is an individual in the LDAP database, such as an employee of your company. A group is two or more users who share a common attribute. An organizational unit is a subdivision within your organization that uses the organizationalUnit object class. Users, groups, and organizational units are described in greater detail later in this chapter.
Each user and group in your enterprise is represented by a distinguished name (DN) attribute. A DN attribute is a text string that contains identifying information for an associated user, group, or object. You use DNs whenever user or group directory entries are changed. For example, DN information must be provided each time you create or modify directory entries, configure access controls, and configure user accounts for applications such as mail or publishing. The Users and Groups interface of the Proxy Server is used to create or modify DNs.
The following example represents a typical DN for an employee of Sun Microsystems:
uid=doe,e=doe@sun.com,cn=John Doe,o=Sun Microsystems Inc.,c=US
The abbreviations in this example mean the following:
uid is the user ID
e is the email address
cn is the user’s common name
o is the organization
c is the country
DNs may include a variety of name-value pairs, and are used to identify both certificate subjects and entries in directories that support LDAP.
If you do not currently have a directory, or you want to add a new subtree to an existing directory, you can use the directory server’s LDIF (LDAP Data Interchange Format) import function. This function accepts a file containing LDIF and attempts to build a directory or a new subtree from the LDIF entries. You can also export your current directory to LDIF using the directory server’s LDIF export function. This function creates an LDIF-formatted file that represents your directory. You can add or edit entries using the ldapmodify command-line utility, if available, along with the appropriate LDIF update statements.
To add entries to the database using LDIF, first define the entries in an LDIF file, then import the LDIF file using the directory server.
The Users and Groups tab in the Administration Server is used to create and modify user entries. A user entry contains information about an individual person or object in the database.
Be sure to protect server security by ensuring that users do not have unauthorized access to resources. Proxy Server uses an ACL-based authorization and authentication model. For more information about ACL-based security, see Chapter 8, Controlling Access to Your Server. For additional security information, also see Chapter 5, Using Certificates and Keys.
This section describes how to create users in LDAP-based authentication databases, key file authentication databases, and digest file authentication databases.
When user entries are added to an LDAP-based directory service, the services of an underlying LDAP-based directory server are used to authenticate and authorize users. This section lists guidelines to consider when using an LDAP-based authentication database, and describes how to add users through the Proxy Server Administration Server.
Consider the following guidelines when using the Proxy Server administration console to create new user entries in an LDAP-based directory service:
If you provide a given name (or first name) and a surname, the user’s full name and user ID are automatically completed. The user ID is generated as the first initial of the user’s first name followed by the user’s last name. For example, if the user’s name is Billie Holiday, the user ID is automatically set to bholiday. You can replace this user ID with an ID of your own choosing if you wish.
The user ID must be unique. The Administration Server ensures that the user ID is unique by searching the entire directory from the search base (base DN) down to see if the user ID is in use. Be aware, however, that if you use the directory server ldapmodify command-line utility, if available, to create a user, unique user IDs are not ensured. If duplicate user IDs exist in your directory, the affected users will not be able to authenticate to the directory.
The base DN specifies the distinguished name where directory lookups occur by default, and where all Proxy Server Administration Server entries are placed in your directory tree. A distinguished name (DN) is the string representation for the name of an entry in a directory server.
At a minimum, you must specify the following user information when creating a new user entry:
Surname or last name
Full name
User ID
If any organizational units are defined for your directory, you can specify where you want the new user to be placed using the Add New User To list on the Create User page in the Administration Server. The default location is your directory’s base DN, or root point.
Note the following information about directory server user entries:
User entries use the inetOrgPerson, organizationalPerson, and person object classes.
By default, the distinguished name for users is of the form:
cn=full name,ou=organization,...,o=base organization,c=country
For example, if a user entry for Billie Holiday is created within the organizational unit Marketing, and the directory’s base DN is o=Ace Industry, c=US, then the DN is:
cn=Billie Holiday,ou=Marketing,o=Ace Industry,c=US
This format can be changed to a user ID (uid)-based distinguished name.
The values on the user form fields are stored as LDAP attributes.
The following table lists the fields and corresponding LDAP attributes that are displayed when creating or editing a new user in the Proxy Server interface.
User Field | LDAP Attribute
---|---
Given Name | givenName
Surname | sn
Full Name | cn
User ID | uid
Password | userPassword
E-mail Address | mail
Title | title
Phone Number | telephoneNumber
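The following script is an added example (not Proxy Server code) that produces the LDIF record for a new user exactly as this chapter lays it out: the cn-based DN under an optional organizational unit, the person/organizationalPerson/inetOrgPerson object classes, the first-initial-plus-surname user ID, and the field-to-attribute mapping from the table above. It also shows the two escaping rules that matter when such entries are generated from form input rather than typed by hand: DN values are escaped per RFC 4514 so a name containing a comma cannot add an RDN, and LDIF values that are not safe ASCII are base64-encoded per RFC 2849. The uniqueness check for the user ID described earlier needs a directory search and is not reproduced here.

```python
"""Build the LDIF for a new user entry laid out as this chapter describes: a
cn-based DN under an optional organizational unit, the inetOrgPerson /
organizationalPerson / person object classes, and the Create User fields mapped
to their LDAP attributes. Added example, not Proxy Server code; DN escaping
follows RFC 4514 and LDIF value encoding follows RFC 2849."""
import base64
import re

# Create User form field -> LDAP attribute (the mapping in this chapter's table)
FIELD_TO_ATTR = {
    "Given Name": "givenName",
    "Surname": "sn",
    "Full Name": "cn",
    "User ID": "uid",
    "Password": "userPassword",
    "E-mail Address": "mail",
    "Title": "title",
    "Phone Number": "telephoneNumber",
}

# RFC 2849: a value may follow 'attr: ' verbatim only if it is ASCII, contains
# no NUL/CR/LF, and does not start with a space, ':' or '<'.
_SAFE_VALUE = re.compile(r"[\x01-\x09\x0b\x0c\x0e-\x1f\x21-\x39\x3b\x3d-\x7f]"
                         r"[\x01-\x09\x0b\x0c\x0e-\x7f]*")


def escape_rdn_value(value):
    """Escape an attribute value for use inside a DN (RFC 4514), so that a
    name such as 'Holiday, Billie' cannot inject an extra RDN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;':
            out.append("\\" + ch)
        elif ch == "#" and i == 0:
            out.append("\\#")
        elif ch == " " and i in (0, last):
            out.append("\\ ")
        elif ord(ch) < 0x20:
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def user_dn(full_name, base_dn, ou=None):
    """cn=full name[,ou=unit],base DN: the default form shown in the chapter."""
    rdns = ["cn=" + escape_rdn_value(full_name)]
    if ou:
        rdns.append("ou=" + escape_rdn_value(ou))
    rdns.append(base_dn)
    return ",".join(rdns)


def default_uid(given, surname):
    """First initial plus surname, as the Administration Server proposes
    (Billie Holiday -> bholiday); lowercasing follows the chapter's example."""
    return (given[:1] + surname).replace(" ", "").lower()


def ldif_line(attr, value):
    """Emit 'attr: value', or base64 'attr:: ...' when the value is not safe."""
    if _SAFE_VALUE.fullmatch(value) and not value.endswith(" "):
        return f"{attr}: {value}"
    b64 = base64.b64encode(value.encode("utf-8")).decode("ascii")
    return f"{attr}:: {b64}"


def user_ldif(form, base_dn, ou=None):
    """form maps Create User field names to values; returns one LDIF record."""
    given, surname = form["Given Name"], form["Surname"]
    full_name = form.get("Full Name") or f"{given} {surname}"
    uid = form.get("User ID") or default_uid(given, surname)
    lines = [
        ldif_line("dn", user_dn(full_name, base_dn, ou)),
        "objectClass: top",
        "objectClass: person",
        "objectClass: organizationalPerson",
        "objectClass: inetOrgPerson",
        ldif_line("cn", full_name),
        ldif_line("sn", surname),
        ldif_line("givenName", given),
        ldif_line("uid", uid),
    ]
    for field in ("Password", "E-mail Address", "Title", "Phone Number"):
        if form.get(field):
            lines.append(ldif_line(FIELD_TO_ATTR[field], form[field]))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(user_ldif({"Given Name": "Billie", "Surname": "Holiday",
                     "E-mail Address": "bholiday@example.com"},
                    "o=Ace Industry,c=US", ou="Marketing"))
```

The output can be fed to ldapmodify -a or to the directory server's LDIF import; userPassword is written as the cleartext value the form supplied, and the directory server hashes it on import according to its own password policy.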
To create a user entry, read the guidelines outlined in Guidelines for Creating LDAP-based User Entries, then perform the following procedure.
Access the Administration Server and click the Users and Groups tab.
Click the Create User link.
Select the LDAP directory service from the drop-down list and click Select.
Provide the information on the page that displays.
For more information about specific fields, see the online Help.
Also see Directory Server User Entries.
Click Create to create the user entry, or Create and Edit to create the user entry and proceed to the edit page for the entry just created.
A key file is a text file that contains the user’s password in a hashed format and the list of groups to which the user belongs.
Access the Administration Server and click the Users and Groups tab.
Click the Create User link.
Select the key file-based directory service from the drop-down list and click Select.
Type the information on the page that displays, and then click Create User.
For more information about specific fields, see the online Help.
A digest file authentication database stores user and group information with passwords kept as one-way hashes rather than in recoverable form.
Access the Administration Server and click the Users and Groups tab.
Click the Create User link.
Select the digest file-based directory service from the drop-down list and click Select.
Type the information on the page that displays, and then click Create User.
For more information about specific fields, see the online Help.
The same realm string must be specified when creating an ACL that uses Digest authentication using the Proxy Server ACL user interface. For more information, see Setting Access Control.
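The following script is an added example (not the Proxy Server's digest file format, which this chapter does not specify) showing why the realm must match. It models the store on the htdigest layout user:realm:HA1, which is an assumption, with HA1 = MD5(user:realm:password) as in RFC 2617. Because the realm is folded into the stored hash, an entry created for one realm cannot verify a Digest response, or a Basic credential, presented under another realm, which is the failure you see when the ACL realm differs from the realm used when the users were created. The store, nonce and header are constructed for the demonstration.

```python
"""Why the realm in a Digest-authentication ACL must match the realm used when
the digest file entries were created. Added example, not Proxy Server's digest
file format: the store is modelled here on the htdigest layout
'user:realm:HA1' (an assumption), where HA1 = MD5(user:realm:password) as in
RFC 2617, so an entry is bound to one realm and cannot be verified under another."""
import hashlib
import hmac
import re


def _md5(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def make_entry(user, realm, password):
    """Line to store for a new user; the password itself is never written."""
    return f"{user}:{realm}:{_md5(f'{user}:{realm}:{password}')}"


def lookup_ha1(store, user, realm):
    """Find the stored hash for (user, realm); None if no entry for that realm."""
    for line in store.splitlines():
        u, r, ha1 = line.strip().split(":", 2)
        if u == user and r == realm:
            return ha1
    return None


def parse_digest_header(value):
    """Split 'Digest username="alice", realm="Proxy", ...' into a dict."""
    body = value.partition(" ")[2]
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|[^,]+)', body)}


def client_response(user, realm, password, method, uri, nonce, nc, cnonce):
    """What a browser sends for qop=auth (RFC 2617 section 3.2.2)."""
    ha1 = _md5(f"{user}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")


def verify_digest(store, header, method):
    """Check an Authorization: Digest header against the store; False when the
    realm the client used has no entry for that user."""
    p = parse_digest_header(header)
    ha1 = lookup_ha1(store, p["username"], p["realm"])
    if ha1 is None:
        return False
    ha2 = _md5(f"{method}:{p['uri']}")
    if p.get("qop") == "auth":
        expected = _md5(f"{ha1}:{p['nonce']}:{p['nc']}:{p['cnonce']}:auth:{ha2}")
    else:  # RFC 2069 compatibility form without qop
        expected = _md5(f"{ha1}:{p['nonce']}:{ha2}")
    return hmac.compare_digest(expected, p.get("response", ""))


def verify_basic(store, user, password, realm):
    """The same store can serve Basic authentication: recompute HA1 from the
    cleartext credentials, which again requires the realm."""
    ha1 = lookup_ha1(store, user, realm)
    return ha1 is not None and hmac.compare_digest(ha1, _md5(f"{user}:{realm}:{password}"))


# Constructed store and request values for the demonstration
STORE = make_entry("alice", "Proxy", "s3cret") + "\n"
NONCE, CNONCE, NC = "dcd98b7102dd2f0e8b11d0f600bfb0c093", "0a4f113b", "00000001"


def demo_header(realm):
    """Authorization header a client would send for alice under the given realm."""
    resp = client_response("alice", realm, "s3cret", "GET", "/dir/index.html",
                           NONCE, NC, CNONCE)
    return (f'Digest username="alice", realm="{realm}", nonce="{NONCE}", '
            f'uri="/dir/index.html", qop=auth, nc={NC}, cnonce="{CNONCE}", '
            f'response="{resp}"')


if __name__ == "__main__":
    print("same realm:", verify_digest(STORE, demo_header("Proxy"), "GET"))
    print("other realm:", verify_digest(STORE, demo_header("Other"), "GET"))
```

A real verifier must additionally track nonces and nc values to stop replay; that bookkeeping is omitted here because the point of the example is the realm binding.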
You can edit user attributes on the Manage Users page of the Administration Server Users and Groups tab. On this page you can find, change, rename, and delete user entries.
Before you can edit a user entry you must first find and display the entry. For LDAP-based directory services, you can provide descriptive values for the entry you want to edit.
You can provide any of the following information:
A name. Enter a full or partial name. All entries that exactly match the search string are returned. If no such entries are found, all entries that contain the search string are found. If no such entries are found, any entries that sound like the search string are found.
A user ID. If you enter only a partial user ID, any entries that contain the string are returned.
A telephone number. If you enter only a partial number, any entries that have telephone numbers ending in the search number are returned.
An email address. Any search string containing an at symbol (@) is assumed to be an email address. If an exact match cannot be found, a search is performed to find all email addresses that begin with the search string.
Any LDAP search filter. Any string that contains an equal sign (=) is considered a search filter.
An asterisk (*) to see all entries currently in your directory. You can achieve the same result by leaving the field blank.
For LDAP services, the Find All Users Whose section enables you to build a custom search filter. Use the fields to narrow search results returned by a Find User search.
The left drop-down list specifies the attribute on which the search will be based. The following table lists the available search attribute options.
Table 4–2 Search Attribute Options
Option | Searches for a Match
---|---
Full name | Each entry’s full name
Last name | Each entry’s last name, or surname
User ID | Each entry’s user ID
Phone number | Each entry’s phone number
E-mail address | Each entry’s e-mail address
The center drop-down list specifies the type of search to perform. The following table lists the available search type options.
Table 4–3 Search Type Options
Option | Description
---|---
Contains | Causes a substring search to be performed. Entries with attribute values containing the specified search string are returned. For example, if you know a user’s name probably contains the word "Dylan," use this option with the search string "Dylan" to find the user’s entry.
Is | Causes an exact match to be found (specifies an equality search). Use this option when you know the exact value of a user’s attribute. For example, you know the exact spelling of the user’s name.
Isn’t | Returns all entries whose attribute value does not exactly match the search string. Use this option to find all users in the directory whose name is not "John Smith." Note that use of this option can cause an extremely large number of entries to be returned.
Sounds like | Causes an approximate, or phonetic, search to be performed. Use this option if you know an attribute’s value but do not know the spelling. For example, you do not know if a user’s name is spelled "Sarret," "Sarette," or "Sarett."
Starts with | Causes a substring search to be performed. Returns all entries whose attribute value starts with the specified search string. For example, you know a user’s name starts with "Miles," but do not know the rest of the name.
Ends with | Causes a substring search to be performed. Returns all entries whose attribute value ends with the specified search string. For example, you know a user’s name ends with "Dimaggio," but do not know the rest of the name.
The right text field is used to enter a search string. To display all user entries contained in the directory specified in the Look Within field, type an asterisk (*) or leave this field blank.
Access the Administration Server and click the Users and Groups tab.
Click the Manage Users link.
Select a directory service from the drop-down list and click Select.
For key file or digest file directory services, a list of users displays. For LDAP-based directory services, search fields display.
Find user information:
For key file or digest file directory services, click the link for the user to display the edit page and make changes. For more information about specific fields, see the online Help.
For LDAP-based directory services, do the following:
In the Find User field, enter a descriptive value for the entry you want to edit.
As an alternative, use the drop-down menus in the Find All Users Whose section to narrow the results of your search. For more information, see Building Custom Search Queries.
In the Look Within field, select the organizational unit under which you want to search for entries.
The default is the directory’s root point, the topmost entry.
In the Format field, specify whether the output should be formatted for display on screen or for printing to a printer.
At any stage in this process, click the Find button.
All users matching your search criteria will be displayed.
Click the link for the entry you want to display.
Access the Administration Server and click the Users and Groups tab.
Click the Manage Users link.
Display the user entry as described in Finding User Information.
Make the desired changes.
For more information about specific fields, see the online Help.
To change an attribute value that is not displayed by the edit user page, use the directory server ldapmodify command-line utility, if available.
For information about changing a user’s user ID, see Renaming Users.
The following procedure describes how to change or create user passwords.
Access the Administration Server and click the Users and Groups tab.
Click the Manage Users link.
Display the user entry as described in Finding User Information.
Make the desired changes.
For more information about specific fields, see the online Help.
For LDAP databases, you can also disable the user’s password by clicking the Disable Password button on the page used to edit user password information, accessed from the Manage Users page. This action prevents the user from logging into a server without your having to delete the user’s directory entry. You can allow access for the user again by providing a new password.
For LDAP databases, the rename feature changes only the user ID. All other fields are left intact. You cannot use the rename feature to move the entry from one organizational unit to another.
Access the Administration Server and click the Users and Groups tab.
Click the Manage Users link.
Display the user entry as described in Finding User Information.
Click the Rename User button on the edit user page.
Type the user ID on the page that is displayed, and click Save Changes.
You can specify that the Administration Server no longer retains the old values when an entry is renamed by setting the keepOldValueWhenRenaming parameter to false (the default). This parameter is found in the following file:
server-root/proxy-admserv/config/dsgw-orgperson.conf
Access the Administration Server and click the Users and Groups tab.
Click the Manage Users link.
Display the user entry as described in Finding User Information.
Click the appropriate button.
A group is an object that describes a set of objects in an LDAP database. A Sun Java System server group consists of users who share a common attribute. For instance, the set of objects might be a number of employees who work in the Marketing division of your company. These employees might belong to a group called Marketing.
For LDAP services, the two ways to define the membership of a group are statically and dynamically. Static groups enumerate their member objects explicitly. A static group is identified by its common name (cn) and lists its members in uniqueMember, memberURL, or memberCertDescription attributes. For static groups, the members do not share a common attribute except for the cn=groupname attribute.
Dynamic groups enable you to use an LDAP URL to define a set of rules that match only for group members. For dynamic groups, the members do share a common attribute or set of attributes that are defined in the memberURL filter. For example, if you need a group that contains all employees in Sales, and those employees are already in the LDAP database under ou=Sales,o=sun, you would define a dynamic group with the following member URL:
ldap:///ou=Sales,o=sun??sub?(uid=*)
This group would subsequently contain all objects that have a uid attribute in the tree below the ou=Sales,o=sun point.
For both static and dynamic groups, members can also be matched on an attribute taken from a client certificate if the memberCertDescription attribute is used. This certificate-based matching applies only if the ACL uses the SSL authentication method.
Once a new group has been created, you can add users (members) to it.
For LDAP services, the Administration Server enables you to create a static group by specifying the same group attribute in the DNs of any number of users. A static group does not change unless a user is added to or deleted from the group.
Consider the following guidelines when using the Administration Server interface to create new static groups:
Static groups can contain other static or dynamic groups.
If organizational units are defined for your directory, specify where you want the new group to be placed using the Add New Group To list on the Create Group page in the Administration Server interface. The default location is your directory’s root point, the topmost entry.
For more information about editing groups, see Editing Group Entries.
Access the Administration Server and click the Users and Groups tab.
Click the Create Group link.
Select New Group from the Type of Group drop-down list, and then click Go.
Type the information on the Create Group page.
For more information about specific fields, see the online Help.
Click Create to create the group, or Create and Edit to create the group and display the edit page for the group just created.
For LDAP services, Proxy Server enables you to create a dynamic group when you want to group users automatically based on any attribute, or when you want to apply ACLs to specific groups that contain matching DNs. For example, you can create a group that automatically includes any DN that contains the attribute department=marketing. If you apply a search filter for department=marketing, the search returns a group including all DNs containing the attribute department=marketing. You can then define a dynamic group from the search results based on this filter. Subsequently, you can define an ACL for the resulting dynamic group.
Proxy Server implements dynamic groups in the LDAP server schema as objectclass=groupOfURLs. A groupOfURLs class can have zero or more memberURL attributes, each of which is an LDAP URL that describes a set of objects in the directory. The members of the group would be the union of these sets. For example, the following group contains just one member URL:
ldap:///o=mcom.com??sub?(department=marketing)
This example describes a set that consists of all objects below o=mcom.com whose department is marketing. The LDAP URL can contain a search base DN, a scope, and a filter, but not a host name and port. Therefore you can only refer to objects on the same LDAP server. All scopes are supported. For more information about LDAP URLs, see Guidelines for Creating Dynamic Groups.
The DNs are included automatically without having to add each individual to the group. The group changes dynamically because Proxy Server performs an LDAP server search each time a group lookup is needed for ACL verification. The user and group names used in the ACL file correspond to the cn attribute of the objects in the LDAP database.
Proxy Server uses the cn attribute as the group name for ACLs.
The mapping from an ACL to an LDAP database is defined both in the dbswitch.conf file (which associates ACL database names with actual LDAP database URLs) and in the ACL file (which defines which database is used for which ACL). For example, to base access rights on membership in a group named staff, the ACL code looks up an object whose object class is one of the groupOf* classes and whose cn is staff. The object defines the members of the group, either by explicitly enumerating the member DNs (as groupOfUniqueNames does for static groups) or by specifying LDAP URLs (as groupOfURLs does).
Groups can be both static and dynamic. A group object can have both objectclass=groupOfUniqueNames and objectclass=groupOfURLs, so both uniqueMember and memberURL attributes are valid. The group’s membership is the union of its static and dynamic members.
Using dynamic groups affects server performance. If you are testing group membership and the DN is not a member of a static group, Proxy Server checks all dynamic groups in the database’s base DN. Proxy Server determines whether each memberURL matches by checking its base DN and scope against the DN of the user. Proxy Server then performs a base search using the user DN as the base DN and the filter of the memberURL. This procedure can involve a large number of individual searches.
Consider the following guidelines when using the Administration Server interface to create new dynamic groups:
Dynamic groups cannot contain other groups.
LDAP URLs use the following format without host and port info, as these parameters are ignored:
ldap:///base-dn?attributes?scope?(filter)
The attributes, scope, and (filter) parameters are identified by their positions in the URL. If you do not want to specify any attributes, you must still include the question marks (?) delimiting that field.
If organizational units are defined for your directory, specify where you want the new group to be placed using the Add New Group To list on the Create Group page in the Administration Server interface. The default location is your directory’s root point, the topmost entry.
For more information about editing groups, see Editing Group Entries.
The following table lists the required parameters for the LDAP URL.
Table 4–4 Required Parameters for the LDAP URL
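The following script is an added example (not Proxy Server code) that carries out the membership check described above for a groupOfURLs: static uniqueMember values are compared first, then for each memberURL the user's DN is tested against the URL's base DN and scope, and the URL's filter is evaluated against the user's own entry, which is what the per-user base search amounts to. The LDAP URL parser ignores host and port as the guidelines state, and the filter evaluator covers equality, presence, substring (*) and the &, | and ! operators, which is enough for the filters shown in this chapter; escaped commas in DNs and escaped parentheses in filters are not handled. The group and entries are constructed in memory.

```python
"""Evaluate dynamic-group membership the way this chapter describes: for each
memberURL, check that the user's DN falls under the URL's base DN within its
scope, then apply the URL's filter to the user's entry (the per-user 'base
search'). Static uniqueMember values are checked first. Added example, not
Proxy Server code; entries are constructed in memory, and the filter evaluator
covers equality, presence, substring (*), and the &, |, ! operators."""
import re
from urllib.parse import unquote


def dn_components(dn):
    """Split a DN into normalised RDNs (escaped commas are not handled here)."""
    return [re.sub(r"\s*=\s*", "=", c.strip()).lower() for c in dn.split(",") if c.strip()]


def parse_ldap_url(url):
    """ldap:///base-dn?attributes?scope?(filter); host and port are ignored,
    as the chapter says the server does."""
    if not url.lower().startswith("ldap://"):
        raise ValueError(f"not an LDAP URL: {url}")
    _, _, rest = url[len("ldap://"):].partition("/")   # drop host:port
    parts = (rest.split("?", 3) + ["", "", ""])[:4]     # fields are positional
    base, attrs, scope, filt = (unquote(p) for p in parts)
    return {
        "base": base,
        "attrs": [a for a in attrs.split(",") if a],
        "scope": (scope or "base").lower(),
        "filter": filt or "(objectClass=*)",
    }


def in_scope(user_dn, base_dn, scope):
    """Is user_dn at/below base_dn within the given search scope?"""
    u, b = dn_components(user_dn), dn_components(base_dn)
    if len(u) < len(b) or u[len(u) - len(b):] != b:
        return False
    depth = len(u) - len(b)
    if scope == "base":
        return depth == 0
    if scope in ("one", "onelevel"):
        return depth == 1
    if scope in ("sub", "subtree"):
        return True
    raise ValueError(f"unknown scope {scope!r}")


def parse_filter(s, i=0):
    """Recursive-descent parser for an RFC 4515 filter subset; returns (node, next)."""
    if s[i] != "(":
        raise ValueError(f"expected '(' at {i} in {s!r}")
    i += 1
    if s[i] in "&|!":
        op, i, kids = s[i], i + 1, []
        while s[i] == "(":
            node, i = parse_filter(s, i)
            kids.append(node)
        if s[i] != ")":
            raise ValueError("unbalanced filter")
        return ({"&": "and", "|": "or", "!": "not"}[op], kids), i + 1
    j = s.index(")", i)
    attr, _, value = s[i:j].partition("=")
    return ("cmp", attr.strip().lower(), value), j + 1


def matches(node, entry):
    """entry: {attribute name in lowercase: [values]}"""
    kind = node[0]
    if kind == "and":
        return all(matches(k, entry) for k in node[1])
    if kind == "or":
        return any(matches(k, entry) for k in node[1])
    if kind == "not":
        return not matches(node[1][0], entry)
    _, attr, value = node
    values = entry.get(attr, [])
    if value == "*":                                      # presence, e.g. (uid=*)
        return bool(values)
    pattern = re.escape(value).replace(r"\*", ".*")       # substring wildcards
    return any(re.fullmatch(pattern, v, re.IGNORECASE) for v in values)


def is_member(group, user_dn, entry):
    """group: {"uniquemember": [...], "memberurl": [...]}; static first, then dynamic."""
    user = dn_components(user_dn)
    if any(dn_components(m) == user for m in group.get("uniquemember", [])):
        return True
    entry = {k.lower(): v for k, v in entry.items()}
    for url in group.get("memberurl", []):
        spec = parse_ldap_url(url)
        if in_scope(user_dn, spec["base"], spec["scope"]) and \
                matches(parse_filter(spec["filter"])[0], entry):
            return True
    return False


# Constructed group and entries for the demonstration
SALES_AND_MARKETING = {
    "uniquemember": ["cn=Neil Armstrong,ou=Eng,o=sun"],
    "memberurl": [
        "ldap:///ou=Sales,o=sun??sub?(uid=*)",
        "ldap:///o=mcom.com??sub?(&(department=marketing)(!(employeeType=contractor)))",
    ],
}

if __name__ == "__main__":
    for dn, attrs in [
        ("uid=jsmith,ou=Sales,o=sun", {"uid": ["jsmith"]}),
        ("cn=Bob,ou=Eng,o=sun", {"department": ["marketing"]}),   # outside o=mcom.com
        ("cn=Carol,ou=Eng,o=mcom.com", {"department": ["Marketing"]}),
        ("cn=Dan,ou=Eng,o=mcom.com", {"department": ["marketing"], "employeeType": ["contractor"]}),
    ]:
        print(dn, "->", is_member(SALES_AND_MARKETING, dn, attrs))
```

The performance remark above follows directly from the loop in is_member: with no static match, every memberURL of every dynamic group under the base DN is parsed and tested, so a directory with many dynamic groups pays that cost on each ACL check.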
Access the Administration Server and click the Users and Groups tab.
Click the Create Group link.
Select Dynamic Group from the Type of Group drop-down list and click Go.
Provide the information on the Create Group page.
For more information about specific fields, see the online Help.
Click Create to create the group, or Create and Edit to create the group and display the edit page for the group just created.
For LDAP services, the Administration Server enables you to edit groups and manage group memberships on the Manage Groups page on the Administration Server Users and Groups tab.
Before you can edit a group entry, you must first find and display the entry, as described in the following procedure.
Access the Administration Server and click the Users and Groups tab.
Click the Manage Groups link.
Type the name of the group you want to find in the Find Group field.
You can provide any of the following:
An asterisk (*) to see all groups currently residing in your directory. You can achieve the same result by leaving the field blank.
Any LDAP search filter. Any string that contains an equal sign (=) is considered to be a search filter.
As an alternative, use the Find All Groups Whose section to build a custom search filter and narrow the results of your search. For more information, see Find All Groups Whose.
A name. Provide a full or partial name. All entries that exactly match the search string are returned. If no such entries are found, all entries that contain the search string are found. If no such entries are found, any entries that sound like the search string are found.
In the Look Within field, select the organizational unit under which you want to search for entries.
The default is the directory’s root point, the topmost entry.
In the Format field, specify whether the output should be formatted for display on screen or for printing to a printer.
To display all groups meeting your criteria at any stage in this process, click the Find button.
Click the link for the entry you want to display.
For LDAP services, the Find All Groups Whose section enables you to build a custom search filter. Use the fields in this section to narrow the search results that are otherwise returned by Find Group.
The left drop-down list specifies the attribute on which the search is based. The following options are available:
Name. Searches each entry’s full name for a match.
Description. Searches each group entry’s description for a match.
The center drop-down list specifies the type of search to perform. The following options are available:
Contains. Causes a sub-string search to be performed. Entries with attribute values containing the specified search string are returned. For example, if you know a group’s name probably contains the word “Administrator”, use this option with the search string “Administrator” to find the group entry.
Is. Causes an exact match to be found. Use this option when you know the exact value of a group’s attribute. For example, you know the exact spelling of the group’s name.
Isn’t. Returns all entries whose attribute value does not exactly match the search string. Use this option if you want to find all groups in the directory whose name does not contain “administrator.” Be aware, however, that using this option can cause an extremely large number of entries to be returned.
Sounds like. Causes an approximate, or phonetic, search to be performed. Use this option if you know an attribute’s value, but are unsure of the spelling. For example, you do not know if a group’s name is spelled “Sarret’s list,” “Sarette’s list,” or “Sarett’s list.”
Starts with. Causes a sub-string search to be performed. Returns all entries whose attribute value starts with the specified search string. For example, you know a group’s name starts with “Product,” but do not know the rest of the name.
Ends with. Causes a sub-string search to be performed. Returns all entries whose attribute value ends with the specified search string. For example, you know a group’s name ends with “development,” but do not know the rest of the name.
In the right text field, enter a search string. To display all group entries contained in the Look Within directory, enter an asterisk (*) or leave this field blank.
The following procedure applies to LDAP services only.
Access the Administration Server and click the Users and Groups tab.
Click the Manage Groups link.
Locate the group you want to edit as described in Finding Group Entries.
Make the desired changes.
For more information about specific fields and buttons, see the online Help.
You may want to change an attribute value that is not displayed by the group edit page. In this situation, use the directory server ldapmodify command line utility, if available.
The following procedure applies to LDAP services only.
Access the Administration Server and click the Users and Groups tab.
Click the Manage Groups link.
Locate and display the group you want to manage as described in Finding Group Entries, and click the Edit button next to Group Members.
Any existing group members are listed on the page that displays. Search fields also display.
To add user entries to the list of members, Users must be selected in the Find drop-down list.
To add group entries to the group, Groups must be selected.
In the Matching text field, enter a search string. Provide information for any of the following options:
A name. Enter a full or partial name. All entries whose name matches the search string are returned. If no such entries are found, all entries that contain the search string are found. If no such entries are found, any entries that sound like the search string are found.
A user ID. If you enter only a partial user ID, any entries that contain the string are returned.
A telephone number. If you enter only a partial number, any entries that have telephone numbers ending in the search number are returned.
An e-mail address. Any search string containing an at symbol (@) is assumed to be an e-mail address. If an exact match cannot be found, a search is performed to find all e-mail addresses that begin with the search string.
Enter an asterisk (*) or leave this field blank to see all entries or groups currently residing in your directory.
Any LDAP search filter. Any string that contains an equal sign (=) is considered to be a search filter.
Click Add to find all matching entries in the LDAP database and add them to the group.
(Optional) If the search returns any entries you do not want added to the group, click the corresponding checkbox in the Remove From List column. You can also construct a search filter to match the entries you want removed from the group, and then click Remove. For more information, see Removing Entries From the Group Members List.
When the list of group members is complete, click Save Changes. The entries are added to the group member list.
For LDAP services, you can add groups instead of individual members to the group’s members list. Any users belonging to the included group will then become a member of the receiving group. For example, if Neil Armstrong is a member of the Engineering Managers group and you make the Engineering Managers group a member of the Engineering Personnel group, then Neil Armstrong is also a member of the Engineering Personnel group.
To add a group to the members list of another group, add the group as if it were a user entry. For more information, see Adding Group Members.
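The transitive membership the paragraph above describes is easy to lose track of once groups nest several levels deep, and it is the relationship an access-control review has to follow. The following is an added example, not Proxy Server or Directory Server code: it resolves nested membership over a small constructed directory (the DNs, the `Loop A`/`Loop B` groups and the `uid` values are made up, and the Engineering names follow the page's example), and it guards against groups that contain each other, which would otherwise recurse forever.

```python
"""Added example (not Proxy Server code): resolve nested group membership
the way the page describes it, with a guard against groups that contain
each other. The directory below is constructed sample data."""

from collections import deque

BASE = "o=Ace Industry,c=US"
ENG_MANAGERS = f"cn=Engineering Managers,ou=Groups,{BASE}"
ENG_PERSONNEL = f"cn=Engineering Personnel,ou=Groups,{BASE}"
LOOP_A = f"cn=Loop A,ou=Groups,{BASE}"
LOOP_B = f"cn=Loop B,ou=Groups,{BASE}"
NEIL = f"uid=narmstrong,ou=People,{BASE}"
BUZZ = f"uid=baldrin,ou=People,{BASE}"

# Constructed sample: group DN -> member DNs, as a group entry's member
# attribute would hold them. Groups may list other groups as members.
DIRECTORY = {
    ENG_MANAGERS: [NEIL],
    ENG_PERSONNEL: [ENG_MANAGERS, BUZZ],   # the page's example: a group inside a group
    LOOP_A: [LOOP_B],                      # two groups that contain each other
    LOOP_B: [LOOP_A, NEIL],
}


def expand_members(group_dn, directory=DIRECTORY):
    """Return every user DN reachable from group_dn through nested groups.
    A member is treated as a group when the directory has a member list for it."""
    users, seen = set(), set()
    queue = deque([group_dn])
    while queue:
        dn = queue.popleft()
        if dn in seen:            # already expanded: stops infinite loops on cycles
            continue
        seen.add(dn)
        for member in directory.get(dn, []):
            if member in directory:
                queue.append(member)
            else:
                users.add(member)
    return users


def groups_of(user_dn, directory=DIRECTORY):
    """Every group that grants the user membership, directly or through nesting:
    the question to ask when reviewing who an ACL on a group really covers."""
    return {g for g in directory if user_dn in expand_members(g, directory)}


if __name__ == "__main__":
    print(sorted(expand_members(ENG_PERSONNEL)))
    print(sorted(groups_of(NEIL)))
```

`expand_members` answers "who is in this group", `groups_of` answers the inverse "which groups does this user inherit"; the second is the one to run before granting access to an outer group, because every member of every nested group receives it.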
This procedure applies to LDAP services only.
Access the Administration Server and click the Users and Groups tab.
Click the Manage Groups link.
Locate the group you want to manage as described in Finding Group Entries, and click the Edit button next to Group Members.
Indicate the members that you want to remove.
To remove only a few members, click the corresponding checkbox in the Remove From List column.
To remove members based on common criteria, construct a search filter to match the entries you want removed from the group, and then click Remove.
For more information about creating a search filter, see Adding Group Members.
Click Save Changes.
The entries are deleted from the group members list.
For LDAP services, a group owners list is managed in the same way as a group members list.
The following table lists the topics in this guide that provide more information.
Table 4–5 Managing Owners
To | See
---|---
Add owners to the group |
Add groups to the owners list |
Remove entries from the owners list |
See Alsos are references to other directory entries that might be relevant to the current group. These references enable users to easily find entries for people and other groups that are related to the current group. You manage See Alsos the same way you manage the group members list.
The following table lists the topics in this guide that provide more information.
Table 4–6 Managing See Alsos
To | See
---|---
Add users to See Alsos |
Add groups to See Alsos |
Remove entries from See Alsos |
This procedure applies to LDAP services only. When you rename a group entry, only the group’s name is changed. You cannot use the Rename Group feature to move the entry from one organizational unit to another. For example, a business might have the following organizations:
Organizational units for Marketing and Product Management
A group named Online Sales under the Marketing organizational unit
In this example, you can rename the group from Online Sales to Internet Investments, but you cannot rename the entry such that Online Sales under the Marketing organizational unit becomes Online Sales under the Product Management organizational unit.
Access the Administration Server and click the Users and Groups tab.
Click the Manage Groups link and locate the group you want to manage as described in Finding Group Entries.
Click the Rename Group button.
Specify a new group name on the page that displays, and click Save Changes.
This procedure applies to LDAP services only.
Access the Administration Server and click the Users and Groups tab.
Click the Manage Groups link.
Locate the group you want to manage as described in Finding Group Entries and click Delete Group.
Individual members of the group are not removed. Only the group entry is removed.
For LDAP services, an organizational unit can include a number of groups and usually represents a division, department, or other discrete entity. A DN can exist in more than one organizational unit.
New organizational units are created using the organizationalUnit object class.
The distinguished name for new organizational units is of the form:
ou=new organization,ou=parent organization,...,o=base organization,c=country
Access the Administration Server and click the Users and Groups tab.
Click the Create Organizational Unit link.
Enter the information and click Create.
For more information about specific fields, see the online help.
For example, if you create a new organization called Accounting within the organizational unit West Coast, and your base DN is o=Ace Industry,c=US, then the new organization unit’s DN is:
ou=Accounting,ou=West Coast,o=Ace Industry,c=US
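Building the DN by string concatenation works for the Accounting example, but an organizational unit name that contains a comma, a plus sign or a leading space would change the meaning of the resulting DN unless it is escaped as RFC 4514 requires. The block below is an added example, not Proxy Server code: it composes a DN in the form the page gives, escapes the value of each new RDN, and splits a DN back into its RDNs so the parent can be checked. The base DN `o=Ace Industry,c=US` is the page's; the `Sales, East` unit is a constructed value chosen to show the escaping.

```python
"""Added example (not Proxy Server code): compose and split organizational
unit DNs of the form ou=new,ou=parent,...,o=base,c=country with RFC 4514
escaping of attribute values."""

# RFC 4514 section 2.4: these characters must be escaped anywhere in a value.
_ALWAYS_ESCAPE = set('",+;<>\\')


def escape_rdn_value(value: str) -> str:
    """Escape one attribute value so it can be placed after 'ou=' in a DN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _ALWAYS_ESCAPE:
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        elif i == 0 and ch in " #":      # leading space or '#'
            out.append("\\" + ch)
        elif i == last and ch == " ":    # trailing space
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def build_ou_dn(new_ou: str, parent_ous, base_dn: str) -> str:
    """parent_ous is ordered from the new unit's immediate parent upward;
    base_dn is assumed to be a well-formed DN already (e.g. o=Ace Industry,c=US)."""
    rdns = [f"ou={escape_rdn_value(new_ou)}"]
    rdns += [f"ou={escape_rdn_value(p)}" for p in parent_ous]
    return ",".join(rdns + [base_dn])


def split_rdns(dn: str) -> list:
    """Split a DN on unescaped commas, keeping the escapes in each RDN."""
    parts, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # keep the escape pair intact
            current.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    parts.append("".join(current))
    return parts


def parent_dn(dn: str) -> str:
    """The DN of the entry directly above dn in the tree."""
    return ",".join(split_rdns(dn)[1:])


if __name__ == "__main__":
    dn = build_ou_dn("Accounting", ["West Coast"], "o=Ace Industry,c=US")
    print(dn)                   # the page's example DN
    print(parent_dn(dn))        # ou=West Coast,o=Ace Industry,c=US
    print(build_ou_dn("Sales, East", [], "o=Ace Industry,c=US"))
```

`parent_dn` is the check to run after creating a unit: the new entry must sit under the organizational unit you intended, and an unescaped comma in a name is exactly what would make it land elsewhere.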
For LDAP services, organizational units are edited and managed from the Manage Organizational Units page on the Administration Server Users and Groups tab.
This section contains the following topics:
This procedure applies to LDAP services only.
Access the Administration Server and click the Users and Groups tab.
Click the Manage Organizational Units link.
Enter the name of the unit you want to find in the Find Organizational Unit field.
You can enter any of the following:
A name. Enter a full or partial name. All entries whose name matches the search string are returned. If no such entries are found, all entries that contain the search string are found. If no such entries are found, any entries that sound like the search string are found.
An asterisk (*) to see all groups currently residing in your directory. You can achieve the same result by leaving the field blank.
Any LDAP search filter. Any string that contains an equal sign (=) is considered to be a search filter.
As an alternative, use the drop-down menus in the Find All Units Whose section to narrow the results of your search. For more information, see Find All Units Whose.
In the Look Within field, select the organizational unit under which you want to search for entries.
The default is the root point of the directory (topmost entry).
In the Format field, specify whether the output should be formatted for display on screen or for printing to a printer.
At any stage in this process, click the Find button.
All organizational units matching your search criteria will be displayed.
Click the link for the entry you want to display.
For LDAP services, the Find All Units Whose section enables you to build a custom search filter. Use the fields in this section to narrow the search results that are otherwise returned by Find Organizational Unit.
The left drop-down list specifies the attribute on which the search is based. The following options are available:
Unit name. Searches each entry’s full name for a match.
Description. Searches each organizational unit entry’s description for a match.
The center drop-down list specifies the type of search to perform. The following options are available:
Contains. Causes a sub-string search to be performed. Entries with attribute values containing the specified search string are returned. For example, if you know an organizational unit’s name probably contains the word “Administrator,” use this option with the search string “Administrator” to find the organizational unit entry.
Is. Causes an exact match to be found. Use this option when you know the exact value of an organizational unit’s attribute. For example, you know the exact spelling of the organizational unit’s name.
Isn’t. Returns all entries whose attribute value does not exactly match the search string. That is, use this option if you want to find all organizational units in the directory whose name does not contain “administrator.” Be aware, however, that use of this option can cause an extremely large number of entries to be returned.
Sounds like. Causes an approximate, or phonetic, search to be performed. Use this option if you know an attribute’s value, but are unsure of the spelling. For example, you do not know if an organizational unit’s name is spelled “Sarret’s list,” “Sarette’s list,” or “Sarett’s list.”
Starts with. Causes a sub-string search to be performed. Returns all entries whose attribute value starts with the specified search string. For example, you know an organizational unit’s name starts with “Product,” but do not know the rest of the name.
Ends with. Causes a sub-string search to be performed. Returns all entries whose attribute value ends with the specified search string. For example, you know an organizational unit’s name ends with “development,” but do not know the rest of the name.
In the right text field, enter a search string. To display all organizational unit entries contained in the Look Within directory, enter an asterisk (*) or leave this field blank.
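Both the Adding Group Members search options and the Find All Units Whose section end up as an LDAP search filter sent to the directory server, and the page's rule that any string containing an equal sign is treated as a filter means a search string with filter syntax in it is interpreted rather than matched. The block below is an added example, not Proxy Server code: it shows the filter each of the six match types corresponds to in RFC 4515 syntax and escapes the search string so it is matched literally. The mapping of the two left drop-down options to the `ou` and `description` attributes is an assumption.

```python
"""Added example (not Proxy Server code): turn the search form's attribute,
match type and search string into one RFC 4515 LDAP filter. The attribute
names for the two form options are an assumption."""

# Assumed mapping of the "Find All Units Whose" left drop-down list to LDAP attributes.
ATTRIBUTE_FOR = {"Unit name": "ou", "Description": "description"}

# RFC 4515 section 3: characters that must be escaped inside an assertion value
# so the search string is matched literally instead of being parsed as filter syntax.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied search string for use inside a filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def looks_like_raw_filter(text: str) -> bool:
    """The page's rule: a search string containing '=' is taken as a filter as-is."""
    return "=" in text


def build_filter(attribute: str, match_type: str, value: str) -> str:
    """One filter per match type offered by the center drop-down list."""
    v = escape_filter_value(value)
    kind = match_type.lower().replace("\u2019", "'")  # accept the page's curly apostrophe
    if kind == "contains":
        return f"({attribute}=*{v}*)"          # substring anywhere in the value
    if kind == "is":
        return f"({attribute}={v})"            # equality match
    if kind == "isn't":
        return f"(!({attribute}={v}))"         # negated equality: may match most of the directory
    if kind == "sounds like":
        return f"({attribute}~={v})"           # approximate (phonetic) match
    if kind == "starts with":
        return f"({attribute}={v}*)"           # initial substring
    if kind == "ends with":
        return f"({attribute}=*{v})"           # final substring
    raise ValueError(f"unknown match type: {match_type!r}")


def filter_from_form(option: str, match_type: str, text: str) -> str:
    """Combine the three form controls into a filter string."""
    return build_filter(ATTRIBUTE_FOR[option], match_type, text)


if __name__ == "__main__":
    print(filter_from_form("Unit name", "Contains", "Administrator"))
    # A search string carrying filter metacharacters is matched literally:
    print(build_filter("ou", "Is", "*)(objectClass=*"))
```

The escaping is what separates "search for this text" from "run this filter": with it, a value such as `*)(objectClass=*` becomes a literal assertion value, and only a string the user intentionally writes as a filter (the equal-sign rule) reaches the server unescaped. The `isn't` form is the one to watch in logs and load terms, since a negated equality returns everything else in the search base.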
This procedure applies to LDAP services only.
Access the Administration Server and click the Users and Groups tab.
Click the Manage Organizational Units link.
Locate the organizational unit you want to edit as described in Finding Organizational Units.
Make the desired changes.
For more information about specific fields, see the online Help.
To change an attribute value that is not displayed by the organizational unit edit page, use the directory server ldapmodify command-line utility, if available.
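The edit pages for groups and organizational units show only a subset of attributes, so the page twice points to the directory server's ldapmodify utility for the rest. ldapmodify reads LDIF change records (RFC 2849), and writing one by hand is where values with a leading space, a colon or non-ASCII text go wrong unless they are base64-encoded. The block below is an added example, not Proxy Server or Directory Server code: it produces a `changetype: modify` record, applying the LDIF rules for when a value must be base64-encoded. The DN reuses the page's Online Sales group under Marketing with the page's base DN; the `description` change is a constructed value.

```python
"""Added example (not Proxy Server code): write an LDIF change record
(RFC 2849) for ldapmodify, base64-encoding values that LDIF cannot carry
in plain form."""

import base64


def _needs_base64(value: str) -> bool:
    """RFC 2849: a plain value must not start with space, ':' or '<', and may
    contain only ASCII without NUL, CR or LF; anything else goes as '::' base64."""
    if not value:
        return False
    if value[0] in " :<":
        return True
    return any(ord(c) > 127 or c in "\x00\r\n" for c in value)


def ldif_attr(name: str, value: str) -> str:
    """One 'name: value' or 'name:: base64' line."""
    if _needs_base64(value):
        encoded = base64.b64encode(value.encode("utf-8")).decode("ascii")
        return f"{name}:: {encoded}"
    return f"{name}: {value}"


def ldif_modify(dn: str, changes) -> str:
    """changes: iterable of (op, attribute, values) with op in add/replace/delete.
    Each change is terminated by the '-' separator LDIF requires."""
    lines = [ldif_attr("dn", dn), "changetype: modify"]
    for op, attr, values in changes:
        if op not in ("add", "replace", "delete"):
            raise ValueError(f"unsupported modify operation: {op!r}")
        lines.append(f"{op}: {attr}")
        for v in values:
            lines.append(ldif_attr(attr, v))
        lines.append("-")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed change: set an attribute the edit page does not display.
    record = ldif_modify(
        "cn=Online Sales,ou=Marketing,o=Ace Industry,c=US",
        [("replace", "description", ["Internet Investments team"])],
    )
    print(record, end="")
```

Save the record to a file and pass it to ldapmodify with its `-f` option, binding as an identity that is allowed to write that attribute; the bind DN and password handling are the directory server's, not shown here.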
This procedure applies to LDAP services only. When you rename an organizational unit entry, only the organizational unit’s name is changed. You cannot use the rename feature to move the entry from one organizational unit to another.
Access the Administration Server and click the Users and Groups tab.
Click the Manage Organizational Units link.
Locate the organizational unit you want to edit as described in Finding Organizational Units.
Click the Rename button.
Type the new organizational unit name on the page that displays, and click Save Changes.
This procedure applies to LDAP services only.
Access the Administration Server and click the Users and Groups tab.
Click the Manage Organizational Units link.
Locate the organizational unit you want to delete as described in Finding Organizational Units.
Click the Delete button and then click OK in the resulting confirmation box.