You can use the Access Manager console to create, edit, and delete user profiles in your existing data store. The procedures in this section are optional.
Access Manager is typically used more for policy management than for user management. In most cases the user repository is separate from the repository in which Access Manager stores its own configuration, and administrators usually prefer to manage the two separately or differently. At times, however, an administrator needs to manage the assignment of Access Manager services to users or roles, and for convenience this can be done through the Access Manager console. For that to work, the relevant Access Manager object classes must be imported into the user repository so that Access Manager can read and write its service attributes in the entries there. This also means the identity that Access Manager binds with needs write access to those entries; grant it no more than that.
Use the following as your checklist for enabling Access Manager to manage users in the existing data store:
Configure Access Manager to manage users in an existing user data store.
Verify that user management with the existing data store works properly.
Copy Access Manager schema to Directory Server 1.
Copy Access Manager schema to Directory Server 2.
Start the Directory Server 1 console.
# cd /var/opt/mps/serverroot
# ./startconsole &
Log in to the Directory Server 1 console using the following information:
User ID: cn=Directory Manager
Password: d1rm4n4ger
Administration URL: http://DirectoryServer-1.example.com:1391
Create a new Access Control Instruction (ACI).
In the Directory Server console, in the navigation tree, expand the Server Group object and then click the am-users instance.
On the Directory Server page for am-users, click Open.
Click the Directory tab.
In the navigation tree, click the dc=company,dc=com suffix.
Double-click the Directory Administrators group.
On the Edit Entry page for Directory Administrators, click Members.
On the Static Group page, click Add.
In the Search dialog, click Search.
In the results list, click the User ID userdbadmin.
userdbadmin is now listed as a member of the static group.
Click OK.
Set access permissions.
On the Directory tab, in the navigation tree, right-click the dc=company,dc=com suffix, and then select Set Access Permissions.
In the Manage Access Control dialog, click New.
In the Edit ACI dialog, in the ACI name field, enter Directory Administrators.
In the list of Users/Groups, select All Users, and then click Remove.
Click Add.
In the Add Users and Groups dialog, click Search.
In the Search results list, select Directory Administrators, and then click Add.
Click OK.
The Directory Administrators group is now displayed in the list of Users/Groups that have access permission.
Click the Target tab.
In the “Target directory entry,” click This Entry.
The dc=company,dc=com suffix is displayed.
Click OK.
The Directory Administrators group is displayed in the Manage Access Control dialog.
Click OK, and then log out of Directory Server 1.
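As an added example (not from the original guide), this is the LDIF equivalent of the ACI that the preceding console steps create. It is useful for reviewing what the console actually wrote (search the dc=company,dc=com entry with scope base for the aci attribute) or for applying the same ACI with ldapmodify instead of repeating the dialog. Two things are assumptions: the group DN cn=Directory Administrators,dc=company,dc=com is inferred from the group's location directly under the suffix, and the procedure leaves the Rights tab at its defaults without saying which rights are selected, so allow (all) is a placeholder. Before applying it, narrow the rights to what the userdbadmin account needs (typically read, search, compare, write, add and delete): a group with every right on the whole suffix, including the Access Manager service attributes, is a high-value target.

```ldif
# Added example: ACI on the dc=company,dc=com suffix for the Directory
# Administrators group. Choosing "This Entry" as the target in the console
# places the ACI on the suffix entry itself, so it applies to the whole
# subtree; "*" covers all user attributes. The group DN and the "all" rights
# list are assumptions, see the text above.
dn: dc=company,dc=com
changetype: modify
add: aci
aci: (targetattr = "*")(version 3.0; acl "Directory Administrators"; allow (all) groupdn = "ldap:///cn=Directory Administrators,dc=company,dc=com";)
```

Apply it as cn=Directory Manager against the am-users instance. The ACI is an attribute of the suffix entry, so on a replicated pair it is enough to add it once and confirm it appears on the other server. Removing All Users from the dialog matters: the console's default subject would otherwise grant the same rights to every bound user.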
Restart both Directory Server 1 and Directory Server 2.
Log in as a root user to the Directory Server 1 host.
# cd /var/opt/mps/serverroot
# ./restart
Log in as a root user to the Directory Server 2 host.
# cd /var/opt/mps/serverroot
# ./restart
If you see errors such as the following on the command line:
[13/Oct/2006:12:43:39 -0700] - ERROR<5895> - Schema - conn=-1 op=-1 msgId=-1 - User error: Entry "cn=schema", single-valued attribute "modifyTimestamp" has multiple values
then the copied schema file carries the source server's modifiersName and modifyTimestamp values, which clash with the ones already present in cn=schema. Remove them from the file and restart the instance. The paths are relative to the Directory Server instance directory (the one that contains restart-slapd):
# cd config/schema
Edit 98am-schema.ldif and remove the following two lines:
modifiersName: cn=directory manager
modifyTimestamp: 20060913190551Z
# cd ../..
# ./restart-slapd
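The same cleanup as a script, added here as an example and not part of the Access Manager guide. It removes the two operational attribute lines from a schema LDIF file, keeps a backup, and reports what it changed, so it can be run identically on both Directory Server hosts before the restart. The instance path shown in the usage comment is an assumption; pass the path of 98am-schema.ldif in your own am-users instance directory.

```shell
#!/bin/sh
# Added example, not from the Access Manager deployment guide.
# Strips the operational attributes modifiersName and modifyTimestamp from a
# schema LDIF file such as 98am-schema.ldif so that Directory Server stops
# rejecting cn=schema at startup with "single-valued attribute ... has
# multiple values". Usage (instance path is an assumption):
#   sh fix-am-schema.sh /var/opt/mps/serverroot/slapd-am-users/config/schema/98am-schema.ldif
# The original file is kept as FILE.orig.

# count_operational_attrs FILE
# Prints the number of modifiersName:/modifyTimestamp: lines in FILE
# (0 if the file is clean or unreadable). Attribute names are matched as
# Directory Server writes them, at the start of a line.
count_operational_attrs() {
    n=$(grep -c -E '^(modifiersName|modifyTimestamp):' "$1" 2>/dev/null || true)
    echo "${n:-0}"
}

# strip_operational_attrs FILE
# Copies FILE to FILE.orig, then rewrites FILE without the two offending
# attribute lines. Returns non-zero if FILE does not exist or cannot be copied.
strip_operational_attrs() {
    f=$1
    [ -f "$f" ] || return 1
    cp -p "$f" "$f.orig" || return 1
    sed -e '/^modifiersName:/d' \
        -e '/^modifyTimestamp:/d' \
        "$f.orig" > "$f"
}

# When run with a file argument, clean that file and report the result.
if [ $# -ge 1 ]; then
    schema=$1
    before=$(count_operational_attrs "$schema")
    strip_operational_attrs "$schema" || { echo "cannot process $schema" >&2; exit 1; }
    after=$(count_operational_attrs "$schema")
    echo "$schema: removed $((before - after)) line(s), backup in $schema.orig"
fi
```

Run it on each Directory Server host, then restart the instance with restart-slapd as in the step above; if the startup log is clean, the .orig copy can be deleted.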
Restart both Access Manager 1 and Access Manager 2.
In a browser, go to the following Access Manager URL:
https://loadbalancer-3.example.com:9443/amserver/UI/Login
Log in to the Access Manager console using the following information:
User Name: amadmin
Password: 4m4dmin1
Add a new user.
On the Realms page, click the users link.
Click the Subjects tab.
On the User page, under User, click New.
On the New User page, provide the following information, and then click Create:
ID: johndoe
First Name: John
Last Name: Doe
Full Name: John Doe
Password: password
Password (confirm): password
John Doe is now displayed in the list of Users. The next steps verify that the same entry was created in Directory Server, that is, that changes made through the Access Manager console are written to the user repository.
Modify the John Doe entry.
Log in as a root user to the host DirectoryServer-1.
Start the Directory Server console:
# cd /var/opt/mps/serverroot
# ./startconsole &
Log in to the Directory Server console using the following information:
User ID: cn=Directory Manager
Password: d1rm4n4ger
Administration URL: http://DirectoryServer-1.example.com:1391
In the navigation tree, expand the DirectoryServer-1 node, and expand the Server Group.
Click the am-users instance.
On the Directory Server page for am-users, click Open.
Click the Directory tab.
Click the dc=company,dc=com suffix, and then click the users group.
In the list of users, double-click the johndoe entry.
In the Edit User page, verify that the information is the same as the information you entered through the Access Manager console in the previous steps.
Leave the Directory Server console open.
In the Access Manager console, create a new role and add John Doe to the role.
In the Realms page for users, click the Subjects tab.
Click the Role tab.
Under Roles, click New Role.
In the Role page, in the Name field, enter testRole.
Click Create.
The new role testRole is now displayed in the list of roles.
Click the testRole link.
Click the User tab.
In the Edit Role page for testRole, in the Available list, select johndoe.
Click Add.
The user johndoe is added to the Selected list.
Click Save.
John Doe is now added to the testRole role.
Verify that the new user and role are created in Directory Server.