Exit Print View

Sun OpenDS Standard Edition 2.0 Administration Guide

Get PDF Book Print View
 
Previous Next

Document Information

Configuring the Directory Server

Configuring Security in the Directory Server

Managing Directory Data

Controlling Access To Data

Replicating Data

Managing Users and Groups

Managing Root User, Global Administrator, and Administrator Accounts

Working With Multiple Root Users

Root Users and the Privilege Subsystem

Managing Root Users With dsconfig

To View the Default Root User Privileges

To Edit the Default Root User Privileges

To Create a Root User

To Change a Root User's Password

To Change a Root User's Privileges

Setting Root User Resource Limits

Managing Global Administrators

Managing Administrators

To Create a New Administrator

Managing Password Policies

Password Policy Components

Password Policies in a Replicated Environment

To View the List of Password Policies

Properties of the Default Password Policy

To View the Properties of the Default Password Policy

Configuring Password Policies

To Create a New Password Policy

To Create a First Login Password Policy

To Assign a Password Policy to an Individual Account

To Prevent Password Policy Modifications

To Assign a Password Policy to a Group of Users

To Delete a Password Policy

Managing User Accounts

Changing Passwords

To Change the Directory Manager's Password

To Reset and Generate a New Password for a User

To Change a User's Password

Managing a User's Account Information

To View a User's Account Information

To View Account Status Information

To Disable an Account

To Enable an Account

Setting Resource Limits on a User Account

To Set Resource Limits on an Account

Defining Groups

Defining Static Groups

To Create a Static Group With groupOfNames

To Create a Static Group With groupOfUniqueNames

To Create a Static Group With groupOfEntries

To List All Members of a Static Group

To List All Static Groups of Which a User Is a Member

To Determine Whether a User is a Member of a Group

Defining Dynamic Groups

To Create a Dynamic Group

To List All Members of a Dynamic Group

To List All Dynamic Groups of Which a User Is a Member

To Determine Whether a User Is a Member of a Dynamic Group

Defining Virtual Static Groups

To Create a Virtual Static Group

To List All Members of a Virtual Static Group

To List All Virtual-Static Groups of Which a User Is a Member

To Determine Whether a User is a Member of a Virtual Static Group

Defining Nested Groups

To Create a Nested Group

Maintaining Referential Integrity

Overview of the Referential Integrity Plug-In

To Enable the Referential Integrity Plug-In

Simulating DSEE Roles in an OpenDS Directory Server

To Determine Whether a User is a Member of a Role

To Alter Membership by Using the nsRoleDN Attribute

Directory Server Monitoring

Improving Performance

Advanced Administration

To Determine Whether a User is a Member of a Role

If the application needs only to determine whether a user is a member of a given role, it should only need to look at the nsRole attribute in the target user's entry to determine whether the DN of the appropriate role is present. In this case, you can simulate role functionality by following these steps.

After these steps are completed, the nsRole virtual attribute appears as an operational attribute in user entries, and should include the DNs of all groups in which that user is a member. Note that nsRole is an operational attribute, and must be explicitly requested for it to be returned in search results. You must also ensure that the authenticated user has permission to see that attribute.

  1. Update the directory server to include the necessary schema for the DSEE roles implementation.

    This schema is provided in the following LDIF file (named 03-dsee-roles.ldif).

    # CDDL HEADER START
#
# The contents of this file are subject to the terms of the
# Common Development and Distribution License, Version 1.0 only
# (the "License").  You may not use this file except in compliance
# with the License.
#
# You can obtain a copy of the license at
# trunk/opends/resource/legal-notices/OpenDS.LICENSE
# or https://OpenDS.dev.java.net/OpenDS.LICENSE.
# See the License for the specific language governing permissions
# and limitations under the License.
#
# When distributing Covered Code, include this CDDL HEADER in each
# file and include the License file at
# trunk/opends/resource/legal-notices/OpenDS.LICENSE.  If applicable,
# add the following below this CDDL HEADER, with the fields enclosed
# by brackets "[]" replaced with your own identifying information:
#      Portions Copyright [yyyy] [name of copyright owner]
#
# CDDL HEADER END
#
#
# This file contains schema definitions required to simulate DSEE role
# functionality in OpenDS.
dn: cn=schema
objectClass: top
objectClass: ldapSubentry
objectClass: subschema
attributeTypes: ( 2.16.840.1.113730.3.1.574 NAME 'nsRole'
  DESC 'Sun ONE defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
  NO-USER-MODIFICATION USAGE directoryOperation
  X-ORIGIN 'Sun ONE Directory Server' )
attributeTypes: ( 2.16.840.1.113730.3.1.575 NAME 'nsRoleDN'
  DESC 'Sun ONE defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
  USAGE directoryOperation X-ORIGIN 'Sun ONE Directory Server' )
    • Either copy the file into the config/schema directory of the directory server implementation and restart the server, or
    • Use the add schema file task to cause the server to load the schema file into a running server instance.
  2. Create a static or dynamic group to define role membership.

    Make sure that the group has an appropriate set of members.

  3. Create a new instance of the isMemberOf virtual attribute to provide the nsRole virtual attribute.

    The nsRole attribute will include a list of the DNs of all groups in which the target user is a member. Use the dsconfig command to create the virtual attribute, as follows:

    $ dsconfig -D "cn=directory manager" -w password -n create-virtual-attribute \
  --type is-member-of --name nsRole --set attribute-type:nsRole --set enabled:true
Legal Copyright 1994-2009 Sun Microsystems, Inc.
Previous Next