iPlanet Messaging Server 5.2 Provisioning Guide



Chapter 6   Provisioning Messaging Server Administrators


This chapter describes how to provision the different types of Messaging Server Administrators (Table 6-1). It contains the following sections:

  • Administrator Types

  • Creating a Configuration Administrator

  • Creating Message Store Administrators

  • Creating Top-level Administrators

  • Creating Domain Administrators

  • Creating a Domain Organization Administrator



Administrator Types

iPlanet Messaging Server administrators are classified by two sets of privileges:

  • Privileges to configure Messaging Server (Server Administrators).

  • Privileges to add, modify, and delete users and groups in the system (Messaging Directory Administrators).


Table 6-1    Messaging Server Administrators and Privileges

For each administrator type the table gives the Description/Scope of Privileges and the Permissions/Creation details.

Server Administrators:

Configuration Administrator

  Description/Scope of Privileges: Can configure all servers and modify all directory data in the entire topology. Has system-level access to modify the MTA. Unrestricted access to all resources in the Console. Can provide server access to other administrators.

  Permissions/Creation: The Configuration Administrator user ID is automatically created when Messaging Server is first installed. For more information see Managing Servers with Netscape Console. Permissions are granted by ACIs at o=NetscapeRoot.

    Admin Account: uid=admin,ou=administrators,ou=topologymanagement,o=NetscapeRoot

    Group DN: cn=configuration administrators,ou=groups,ou=topologymanagement,o=NetscapeRoot

Directory Manager

  Description/Scope of Privileges: Can modify anything in the directory. Can configure the directory. For security, the Configuration Administrator should not be the same account as the Directory Manager.

  Permissions/Creation: The Directory Manager user ID is created when the Directory Server is installed. Directory Manager credentials are stored in the Directory Server configuration file slapd.conf.

    Typical Account: cn=Directory Manager

Message Store Administrator

  Description/Scope of Privileges: System-level administrators can view mailboxes and specify access control. Using proxy authorization rights, they can log in as any user. They can specify the partition for a mailbox and run message store utilities. Domain-level administrators cannot specify partitions and have limited access to message store utilities.

  Permissions/Creation: This administrator is created by the Messaging Server Console or command line utilities.

    System-wide Message Store Admin Group DN: specified in store.serviceAdminGroupDN

    Domain Message Store Admin Group DN: cn=Store Administrators,ou=Groups,<OrgTreeDomainSuffix>

    Server Message Store Administrators: specified in the server configuration variable store.admins

Messaging Directory Administrators:

Top-level Administrator (also called Service Administrator)

  Description/Scope of Privileges: Creates, modifies, and deletes mail users, mailing lists, family accounts, and domains in the entire Messaging Server namespace via the Delegated Administrator GUI or CLIs. Automatically gets all message store privileges for all servers in the topology.

  Permissions/Creation: The Top-level Administrator is automatically created at installation time. ACIs are stored on the root node.

    Group DN: cn=Service Administrators,ou=groups,<OrgTreeRoot>

Domain Administrator

  Description/Scope of Privileges: Creates, modifies, and deletes mail users, mailing lists, and family accounts in a hosted domain via the Delegated Administrator GUI or CLIs. By default, is a message store administrator for the hosted domain.

  Permissions/Creation: A Top-level Administrator can create a Domain Administrator. ACIs are in the OrgTree root, the DC root, and the OrgTree domain node.

    Group DN: cn=Domain Administrators,ou=groups,<OrgTreeDomain>

Domain Organization Administrator

  Description/Scope of Privileges: Creates, modifies, and deletes mail users and mailing lists in a domain organization via the Delegated Administrator GUI or CLIs.

  Permissions/Creation: A Top-level or Domain Administrator can create a Domain Organization Administrator. ACIs are in the root and the Domain Organization node.

    Group DN: cn=Organization Administrator,<DomainOrgDN>

Family Group Administrator

  Description/Scope of Privileges: Adds and removes family members in a family group. Can grant administrative access to other members of the group. See "Creating a Family Group Administrator".

  Permissions/Creation: A Top-level or Domain Administrator can create a Family Group Administrator. Permissions are stored in LDAP.

    Group DN: cn=Family Group Administrators,<FamilyGrpDN>

Mail List Owner

  Description/Scope of Privileges: Two sets of rights: the ability to create mailing lists, and the ability to add and remove mailing list members.

  Permissions/Creation: A Top-level, Domain, or Domain Organization Administrator can grant permissions to a mailing list owner. nsDACapability grants creation privileges (see "Adding Mailing List Creation Privileges"); owner grants management privileges (see "Assigning Mailing List Owners").



Note: The Netscape Console documentation (http://docs.iplanet.com/docs/manuals/console.html) provides detailed information on using the Console.





Creating a Configuration Administrator



A Configuration Administrator is automatically created at installation time. Additional Configuration Administrators can be created by other Configuration Administrators through the Console. See the Netscape Console documentation (http://docs.iplanet.com/docs/manuals/console.html) for more information.



Creating Message Store Administrators



Message Store Administrators are defined by a set of privileges and by a scope. The privileges are as follows:

  • View and monitor user mailboxes through IMAP.

  • Specify access control for a message store through IMAP.

  • Execute message store command line utilities that require proxy authentication (for example, MoveUser).

  • Log in as any user, using proxy authorization rights.

  • Specify the partition for a mailbox.

The scope of the administrator's privileges can be:

  • A single domain (domain-level administrators cannot specify partitions and have limited access to certain message store commands).

  • A single message store (that is, the message store of a single messaging server).

  • All the message stores in a mail system topology.

Some administrators receive message store privileges automatically:

  • Top-level Administrators automatically have system-wide message store privileges.

  • Messaging Server Administrators created during installation automatically have message store privileges for the installed server.

  • Top-level Administrators created during installation or at the Console automatically have message store privileges for the entire topology.

  • Domain Administrators created with the iPlanet Delegated Administrator for Messaging automatically have message store privileges for the users of the domain in which they are created.


To Create a Message Store Administrator for a Specific Messaging Server

Privileges required: Configuration Administrator or access to the mailsrv account on the Messaging Server machine.

Note that Configuration Administrators automatically receive Message Store privileges on the installed server. Server-specific Message Store Administrators can be created through the Console (see the iPlanet Messaging Server Administration Guide) or from the command line:

configutil -o store.admins -v "adminlist"

where configutil is the utility that changes configuration options, store.admins is the Message Store Administrator parameter, and adminlist is a space-separated list of fully qualified UIDs (for users in the default domain) or <uid>@<domain> (for users in a hosted domain). Refer to the iPlanet Messaging Server Reference Manual for details.


To Create a Message Store Administrator for the Entire Mail System Topology

Privileges required: Top-level Administrator or access to the mailsrv account on the Messaging Server machine.

By "entire mail system topology" we mean all the message stores of all the messaging servers under a common user/group directory root. By default, topology-wide message store administrative privileges are granted only to members of the group cn=Service Administrators,ou=groups,<OrgTreeRoot>. However, these message store privileges can be moved to another group by resetting the configuration value store.serviceAdminGroupDN. Note that if you do this, members of cn=Service Administrators,ou=groups,<OrgTreeRoot> will no longer have message store privileges unless they are also added to the new group.

In the example below, we will change the system-wide Message Store Administrator group from cn=Service Administrators,ou=groups,o=isp to cn=System-wide Store Administrators,ou=groups,o=isp and we'll add Biff as an administrator.

  1. Create System-wide Store Administrators Group and Add a Member.

    First create a group called System-wide Store Administrators and add a member using the uniqueMember attribute.

    Code Example 6-1    Creating the System-wide Message Store Administrators Group

    dn: cn=System-wide Store Administrators,ou=groups,o=isp
    objectclass: groupOfUniqueNames
    cn: System-wide Store Administrators
    uniqueMember: uid=Biff,ou=people,o=sesta.com,o=isp

  2. Set store.serviceAdminGroupDN to the DN of the System-wide Message Store Administrators Group.

    configutil -o store.serviceAdminGroupDN -v "cn=System-wide Store Administrators,ou=groups,o=isp"

    This must be done on each server in the system.

  3. Set the memberOf attribute in the user entry to the DN of the group.

    Code Example 6-2    Example User Entry for a System-wide Message Store Administrator

    dn: uid=Biff,ou=people,o=sesta.com,o=isp
    objectClass: person
    objectClass: organizationalPerson
    objectClass: inetOrgPerson
    objectClass: inetUser
    objectClass: ipUser
    objectClass: inetMailUser
    objectClass: inetLocalMailRecipient
    objectClass: nsManagedPerson
    objectClass: userPresenceProfile
    cn: Biff Fanning
    sn: fanning
    initials: BTF
    givenName: Biff
    mail: Biff.Fanning@sesta.com
    mailAlternateAddress: bfanning@florizel.com
    mailDeliveryOption: mailbox
    mailHost: manatee.siroe.com
    uid: biff
    dataSource: iMS 5.0 @(#)ims50users.sh 1.5a 02/3/00
    userPassword: {SHA}aluWfd0LYY9ImsJb3h4afrI4AXk=
    mailAllowedServiceAccess: +imap, imaps, pop3, smtp, http:*
    inetUserStatus: active
    mailUserStatus: active
    mailQuota: -1
    mailMsgQuota: 100
    memberOf: cn=System-wide Store Administrators,ou=groups,o=isp


To Create a Message Store Administrator for a Specific Domain

Privileges required: Domain Administrator or Top-level Administrator

Domain Message Store Administrators can be created as follows:

  • By using the iPlanet Delegated Administrator for Messaging GUI to convert a user into a Delegated Administrator.

  • By provisioning through LDAP.

The following example grants the user Biff message store privileges in sesta.com through LDAP.

  1. Create Store Administrators Group and add a member.

    Create a group called Store Administrators in the domain node of the Organization Tree. Add the inetMailAdministrator object class to the group entry and set its mailAdminRole attribute to storeadmin. Add a member using the uniqueMember attribute. See the LDIF data below.

    Note that the ACIs are created automatically at installation, and this group is created whenever a domain is created with the Delegated Administrator or Console.

Code Example 6-3    Creating the Store Administrator Group

dn: cn=Store Administrators,ou=Groups,o=sesta.com,o=isp
objectclass: groupOfUniqueNames
objectclass: inetMailAdministrator
cn: Store Administrators
mailAdminRole: storeadmin
uniqueMember: uid=Biff,ou=People,o=sesta.com,o=isp

    • objectclass: groupOfUniqueNames
      objectclass: inetMailAdministrator

      The groupOfUniqueNames object class contains attributes for describing a collection of directory entries (namely users and other groups).

      inetMailAdministrator specifies attributes that confer administrative privileges to this group.

    • cn: Store Administrators

      This is the common name of the group of which Message Store Administrators must be a member.

    • mailAdminRole: storeadmin

      The type of administrative privileges conferred on this group.

    • uniqueMember: uid=Biff,ou=People,o=sesta.com,o=isp

      DN of a member. In this example there is only one member in this group.

  2. Specify the memberOf attribute in the user's entry as
    cn=Store Administrators,ou=groups,o=sesta.com,o=isp

    Code Example 6-4    Example User Entry for a Domain Message Store Administrator

    dn: uid=Biff,ou=people,o=sesta.com,o=isp
    objectClass: person
    objectClass: organizationalPerson
    objectClass: inetOrgPerson
    objectClass: inetUser
    objectClass: ipUser
    objectClass: inetMailUser
    objectClass: inetLocalMailRecipient
    objectClass: nsManagedPerson
    objectClass: userPresenceProfile
    cn: Biff Fanning
    sn: fanning
    initials: BTF
    givenName: Biff
    mail: Biff.Fanning@sesta.com
    mailAlternateAddress: bfanning@florizel.com
    mailDeliveryOption: mailbox
    mailHost: manatee.siroe.com
    uid: biff
    dataSource: iMS 5.0 @(#)ims50users.sh 1.5a 02/3/00
    userPassword: {SHA}aluWfd0LYY9ImsJb3h4afrI4AXk=
    mailAllowedServiceAccess: +imap, imaps, pop3, smtp, http:*
    inetUserStatus: active
    mailUserStatus: active
    mailQuota: -1
    mailMsgQuota: 100
    memberOf: cn=Store Administrators,ou=groups,o=sesta.com,o=isp

    • dn: uid=Biff,ou=people,o=sesta.com,o=isp

      The DN of the user designated to be a Message Store Administrator for this domain.

    • memberOf: cn=Store Administrators,ou=groups,o=sesta.com,o=isp

      DN of the group to which Biff belongs.



Creating Top-level Administrators

Task Privilege: Top-level Administrator

A Top-level Administrator has directory and message store privileges for the entire messaging system. A default Top-level Administrator is created at installation, but additional Top-level Administrators can be created by adding users to the following group:

cn=Service Administrators,ou=groups,<OrgTreeRoot>

and by setting the memberOf attribute in the user's entry to
cn=Service Administrators,ou=groups,<OrgTreeRoot>

The example below makes Biff Fanning a Top-level Administrator. Note that the installer creates the appropriate ACIs for this entry. If you are creating the directory from scratch, see Appendix A "Root and Domain ACI Examples."

Code Example 6-5    The Top-level Administrator Group

dn: cn=Service Administrators,ou=Groups,o=isp
objectclass: groupOfUniqueNames
objectclass: nsManagedDept
cn: Service Administrators
nsNumUsers: 1
nsMaxUsers: Unlimited
uniqueMember: uid=Biff,ou=People,o=sesta.com,o=isp

Code Example 6-6    Example User Entry for a Top-level Administrator

dn: uid=Biff,ou=people,o=sesta.com,o=isp
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: inetUser
objectClass: ipUser
objectClass: inetMailUser
objectClass: inetLocalMailRecipient
objectClass: nsManagedPerson
objectClass: userPresenceProfile
cn: Biff Fanning
sn: fanning
initials: BTF
givenName: Biff
mail: Biff.Fanning@sesta.com
mailAlternateAddress: bfanning@florizel.com
mailDeliveryOption: mailbox
mailHost: manatee.siroe.com
uid: biff
dataSource: iMS 5.0 @(#)ims50users.sh 1.5a 02/3/00
userPassword: {SHA}aluWfd0LYY9ImsJb3h4afrI4AXk=
mailAllowedServiceAccess: +imap, imaps, pop3, http:*
inetUserStatus: active
mailUserStatus: active
mailQuota: -1
mailMsgQuota: 100
memberOf: cn=Service Administrators,ou=groups,o=isp



Creating Domain Administrators



Delegated Admin Utility: imadmin admin add
Task Privilege for Provisioning: Top-level Administrator

A domain administrator is a user who has privileges to add, delete, and modify users and groups in a particular domain using the Delegated Administrator or the command line utilities. Only Top-level Administrators can create Hosted Domain Administrators.

Once the Domain Administrators group has been created and its ACI rules have been set, this does not need to be repeated. To create additional Domain Administrators, simply add them to the group. The following LDIF examples create a Domain Administrators group and add Biff as a member of this group.

  1. Create a Domain Administrators group and add a user to the group.

    Create a group called Domain Administrators in the hosted domain node of the Organization Tree and add the DN of the user designated to be a Domain Administrator to this group. Also add the object class inetMailAdministrator and the attribute-value pair mailadminrole: storeadmin. (Note that this group, with its ACIs, is created automatically when a domain is created with the Delegated Administrator.) Set the uniqueMember attribute of the Domain Administrators group to the DN of the new Domain Administrator, as shown below.

    Code Example 6-7    Creating the Domain Administrator Group

    dn: cn=Domain Administrators,ou=groups,o=sesta.com,o=isp
    objectclass: groupOfUniqueNames
    objectClass: nsManagedDept
    objectClass: inetMailAdministrator
    mailadminrole: storeadmin
    cn: Domain Administrators
    uniqueMember: uid=Biff,ou=People,o=sesta.com,o=isp

    • objectclass: groupOfUniqueNames
      objectClass: nsManagedDept
      objectClass: inetMailAdministrator

      The groupOfUniqueNames object class contains attributes for describing a collection of directory entries (namely users and other groups). nsManagedDept provides attributes to support the Delegated Administrator, and inetMailAdministrator provides the attributes that confer administrative privileges on this group.

    • cn: Domain Administrators

      This is the common name of the group of which Domain Administrators must be members.

    • mailadminrole: storeadmin

      Grants message store administrator privileges to members of this group.

    • uniqueMember: uid=Biff,ou=People,o=sesta.com,o=isp

      uniqueMember specifies the distinguished names of the members of this group. In this example there is only one member.

  2. Verify the Domain Administrators ACI rules.

    Domain Administrator ACI rules are created automatically when you create a hosted domain using the Delegated Administrator or command line utilities such as imadmin domain create. If you are provisioning hosted domains directly through LDAP, you must add the ACI rules yourself. An example is shown in Appendix A "Root and Domain ACI Examples."

  3. Add memberOf to the user entry.

    Set the memberOf attribute in the user's entry to
    cn=Domain Administrators,ou=groups,o=sesta.com,o=isp.

    Code Example 6-8    Example User Entry for a Domain Administrator

    dn: uid=Biff,ou=people,o=sesta.com,o=isp
    objectClass: person
    objectClass: organizationalPerson
    objectClass: inetOrgPerson
    objectClass: inetUser
    objectClass: ipUser
    objectClass: inetMailUser
    objectClass: inetLocalMailRecipient
    objectClass: nsManagedPerson
    objectClass: userPresenceProfile
    cn: Biff Fanning
    sn: fanning
    initials: BTF
    givenName: Biff
    mail: Biff.Fanning@sesta.com
    mailAlternateAddress: bfanning@florizel.com
    mailDeliveryOption: mailbox
    mailHost: manatee.siroe.com
    uid: biff
    dataSource: iMS 5.0 @(#)ims50users.sh 1.5a 02/3/00
    userPassword: password
    mailAllowedServiceAccess: +imap, imaps, pop3, http:*
    inetUserStatus: active
    mailUserStatus: active
    mailQuota: -1
    mailMsgQuota: 100
    memberOf: cn=Domain Administrators,ou=groups,o=sesta.com,o=isp

    • dn: uid=Biff,ou=people,o=sesta.com,o=isp

      The DN of the user designated to be a Domain Administrator for this domain.

    • memberOf: cn=Domain Administrators,ou=groups,o=sesta.com,o=isp

      DN of the group to which this user belongs.



Creating a Domain Organization Administrator

A Domain Organization Administrator is a user of an organization who has privileges to add, delete, and modify users and groups in a particular organization using the Delegated Administrator or the command line utilities. Multiple Domain Organization Administrators can be contained in a hosted domain, and Domain Organization Administrators can be nested. Only Top-level Administrators can create Organization Administrators.

Once the Domain Organization Administrators group has been created and its ACI rules have been set, this does not need to be repeated. To create additional administrators, simply add them to the group. The example below shows how to create a Domain Organization Administrator, Biff, for ou=east,o=siroe.com,o=isp.

Figure 6-1    Creating a Domain Organization Administrator


See "Creating a Domain Organization" for how to create a domain organization.

  1. Create a group called Domain Organization Administrators in the domain organization node of the Organization Tree and add the DN of the Domain Organization Administrator to this group.

    Code Example 6-9    Creating the Organization Administrator Group

    dn: cn=Domain Organization Administrators,ou=east,o=siroe.com,o=isp
    objectclass: nsManagedDept
    objectclass: inetAdmin
    objectclass: groupOfUniqueNames
    cn: Domain Organization Administrators
    uniqueMember: uid=Biff,ou=people,ou=east,o=siroe.com,o=isp

    • dn: cn=Domain Organization Administrators,ou=east,o=siroe.com,o=isp

      DN of the Domain Organization Administrators group.

    • objectclass: nsManagedDept
      objectclass: inetAdmin
      objectclass: groupOfUniqueNames

      nsManagedDept provides attributes to support the Delegated Administrator. inetAdmin provides attributes to support administration. The groupOfUniqueNames object class contains attributes for describing a collection of directory entries (namely users and other groups).

    • cn: Domain Organization Administrators

      This is the common name of the group of which Domain Organization Administrators must be members.

    • uniqueMember: uid=Biff,ou=people,ou=east,o=siroe.com,o=isp

      uniqueMember specifies the distinguished names of the members of this group. In this example there is only one member.

  2. Add Domain Organization Administrator ACI rules.

    You must add and modify the appropriate ACI rules on the domain organization, in this example ou=east,o=siroe.com,o=isp. An example is shown in Appendix A "Root and Domain ACI Examples."

  3. Specify the memberOf attribute in the Domain Organization Administrator's entry.

    Set the memberOf attribute in uid=Biff,ou=people,ou=east,o=siroe.com,o=isp to cn=Domain Organization Administrators,ou=east,o=siroe.com,o=isp.

    Code Example 6-10    Example User Entry for a Domain Organization Administrator

    dn: uid=Biff,ou=people,ou=east,o=siroe.com,o=isp
    objectClass: person
    objectClass: organizationalPerson
    objectClass: inetOrgPerson
    objectClass: inetUser
    objectClass: ipUser
    objectClass: inetMailUser
    objectClass: inetLocalMailRecipient
    objectClass: nsManagedPerson
    objectClass: userPresenceProfile
    cn: Biff Fanning
    sn: fanning
    initials: BTF
    givenName: Biff
    mail: Biff.Fanning@sesta.com
    mailAlternateAddress: bfanning@florizel.com
    mailDeliveryOption: mailbox
    mailHost: manatee.siroe.com
    uid: biff
    dataSource: iMS 5.0 @(#)ims50users.sh 1.5a 02/3/00
    userPassword: {SHA}aluWfd0LYY9ImsJb3h4afrI4AXk=
    mailAllowedServiceAccess: +imap, imaps, pop3, http:*
    inetUserStatus: active
    mailUserStatus: active
    mailQuota: -1
    mailMsgQuota: 100
    memberOf: cn=Domain Organization Administrators,ou=east,o=siroe.com,o=isp

    • dn: uid=Biff,ou=people,ou=east,o=siroe.com,o=isp

      The DN of the user designated to be a Domain Organization Administrator for this organization.

    • memberOf: cn=Domain Organization Administrators,ou=east,o=siroe.com,o=isp

      DN of the group to which this user belongs.
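Every procedure in this chapter pairs a group's uniqueMember with the user's memberOf, and message store scope follows from the group named by store.serviceAdminGroupDN or from a group carrying mailAdminRole: storeadmin. The following Python audit is an added example, not part of the guide or the product: it parses a constructed LDIF sample modelled on Code Examples 6-1 to 6-10 (the configutil value is constructed too), reports which users hold topology-wide or domain-wide message store rights, and flags memberOf/uniqueMember pairs that do not agree. In practice the reader would feed it an LDIF export of the groups and users instead of the sample.

```python
import re

# Constructed sample modelled on Code Examples 6-1 to 6-10 (not from the guide). Otis's
# memberOf deliberately lacks the comma after ou=groups so the consistency check has a hit.
SAMPLE_LDIF = """\
dn: cn=Service Administrators,ou=Groups,o=isp
objectclass: groupOfUniqueNames
uniqueMember: uid=Biff,ou=People,o=sesta.com,o=isp

dn: cn=Store Administrators,ou=Groups,o=sesta.com,o=isp
objectclass: inetMailAdministrator
mailAdminRole: storeadmin
uniqueMember: uid=Otis,ou=People,o=sesta.com,o=isp

dn: uid=Biff,ou=people,o=sesta.com,o=isp
uid: biff
memberOf: cn=Service Administrators,ou=groups,o=isp

dn: uid=Otis,ou=people,o=sesta.com,o=isp
uid: otis
memberOf: cn=Store Administrators,ou=groups o=sesta.com,o=isp
"""
SERVICE_ADMIN_GROUP_DN = "cn=Service Administrators,ou=Groups,o=isp"  # constructed store.serviceAdminGroupDN

def norm_dn(dn):
    # Canonical form for comparison: lowercase, no blanks around ',' and '='.
    return ",".join("=".join(p.strip() for p in rdn.split("=", 1))
                    for rdn in dn.lower().split(","))

def parse_ldif(text):
    # Minimal LDIF reader (no continuation lines, no base64): {dn: {attr: [values]}}.
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in block.splitlines():
            name, _, value = line.partition(":")
            attrs.setdefault(name.strip().lower(), []).append(value.strip())
        entries[norm_dn(attrs["dn"][0])] = attrs
    return entries

def members_of(group):
    return {norm_dn(m) for m in group.get("uniquemember", [])}

def store_admin_scopes(entries, service_admin_group_dn):
    # uid -> scopes per Table 6-1: "topology" via the store.serviceAdminGroupDN
    # group, "domain:<dn>" via a mailAdminRole: storeadmin group under ou=groups,<dn>.
    topo_group = norm_dn(service_admin_group_dn)
    scopes = {}
    for dn, e in entries.items():
        if "uid" not in e:
            continue  # groups and other non-user entries
        s = scopes.setdefault(e["uid"][0].lower(), set())
        for gdn in (gdn for gdn, g in entries.items() if dn in members_of(g)):
            if gdn == topo_group:
                s.add("topology")
            if "storeadmin" in [v.lower() for v in entries[gdn].get("mailadminrole", [])]:
                s.add("domain:" + gdn.partition("ou=groups,")[2])
    return scopes

def membership_findings(entries):
    # memberOf and uniqueMember must agree in both directions; report where not.
    out = []
    for dn, e in entries.items():
        for gdn in map(norm_dn, e.get("memberof", [])):
            if dn not in members_of(entries.get(gdn, {})):
                out.append(f"{dn}: memberOf {gdn} is not backed by a uniqueMember")
        for mdn in members_of(e):
            if dn not in map(norm_dn, entries.get(mdn, {}).get("memberof", [])):
                out.append(f"{dn}: uniqueMember {mdn} has no matching memberOf")
    return out
```

A user who appears in the scope report without a matching finding is one whose message store rights are consistently recorded on both the group and the user entry; anything in the findings list is a membership that will behave differently depending on which side the server consults.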


Copyright © 2002 Sun Microsystems, Inc. All rights reserved.

Last Updated February 13, 2002