Sun Java System Directory Editor 1 2004Q4 Installation and Configuration Guide
Chapter 7
Configuring Directory Editor
Use the information provided in this chapter to configure your Directory Editor application to control user access to applications and application components, and to define relative distinguished name (RDN) configurations. This chapter is organized as follows:
Controlling User Access
Authentication and authorization are terms used to describe methodologies for controlling access to applications or application components.
- Authentication is the process by which an application challenges a client to supply credentials — typically providing a user name and password through a log-in page. Based on these credentials, the application determines whether a user (or a different client, such as another application) can use the application.
- Authorization assumes that a client has already been authenticated and determines whether that client can use a particular component of the application. Authorization is therefore a more fine-grained form of access control.
You can use the Directory Editor Authorization page to control, through fine-grained authorization, which Directory Editor components authenticated clients can access.
Note
By default, you must have the Manager role to access the Authorization page. For more information about roles, see Understanding Roles.
To understand authorization, you must understand the terms role, principal, and accessible components, which are described in the following sections:
Understanding Roles
A role describes a user's function within the enterprise hosting the Directory Editor. For example, your organization may have CEO, help desk administrator, and janitor roles.
Roles determine which parts of Directory Editor you can interact with. By default, Directory Editor is pre-configured with two roles, Manager and Default.
Directory Editor enables you to add roles that support interactions appropriate for your enterprise. For example, you might want to define a role that allows users to edit directory data but does not allow them to access the Configure tab.
Every role is associated with a set of principals that assume the role (see the next section, Understanding Principals). For Directory Editor, there is a single group in the directory server (called the Manager Group) that serves as the principal corresponding to the Manager role.
You specify the Manager Group on the Managed Directory page at configuration time (the page is also available after configuration by selecting Configure > Managed Directory). So, if a particular user should have full access to all Directory Editor functions, make that user's DN a member of the Manager Group. Because membership in this group grants every Directory Editor function, including the Configure tab, keep its membership small and review it regularly.
Understanding Principals
A principal represents an entity (such as an individual, corporation, or login ID). The term subject is used to describe entities (typically human users). Subjects can be represented by multiple, differing principals — just as people can be represented by their credit card number to banks and by their UNIX account name to system administrators. The credit card numbers and UNIX account names are principals in this case.
Because Directory Editor is focused on directory data management, its principals are all represented using directory objects: person entries, groups, and roles.
A user entering a DN in the log-in page can be represented by several different principals, depending on the data in the directory. For example, if the user’s account ID happens to be a member of a specific group, that user will be represented by the account ID’s DN and by the DN of the group to which the DN belongs.
In Directory Editor, objects representing the user (or subject) are stored in the HTTP session. After the user enters an account ID and a password on the Directory Editor's log-in page, Directory Editor populates the subject with all of the various principals (person entries, groups, and roles) associated with that account ID.
Understanding Accessible Components
Accessible components are the set of internal Directory Editor components that are accessible by the users. Users may not know they are interacting with certain accessible components; consequently, administrators must understand which components are required to complete certain tasks.
Currently, all accessible components are either actions or views.
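The following Python model is added here as an illustration of the subject, principal, role and accessible-component relationships described above; it is not Directory Editor code. The directory entries, the role table (a Manager role bound to the Manager Group and a Help Desk Administrators role bound to a Directory Administrators group), the resource names, and the use of nsRole values to represent directory-server roles are all constructed for the example (Appendix B lists the real resources). Authentication is simplified to a hash comparison; the product itself binds to the directory with the supplied credentials.

```python
"""Added example (not Directory Editor code): resolving a subject's principals
after log-in and deciding which accessible components its roles grant.

Assumptions: an in-memory directory of constructed entries; static groups list
members in uniqueMember; directory-server roles appear as nsRole values on the
entry; resource names are invented; DN comparison is simplified to lower-casing.
"""
import hashlib
import hmac
from dataclasses import dataclass

# Constructed directory content: DN -> {attribute (lower-case): [values]}.
DIRECTORY = {
    "uid=mmiller,ou=people,dc=example,dc=com": {
        "objectclass": ["inetOrgPerson"],
        "userpassword": [hashlib.sha256(b"mm-pass-1").hexdigest()],
        "nsrole": ["cn=HelpDeskRole,dc=example,dc=com"],
    },
    "uid=admin1,ou=people,dc=example,dc=com": {
        "objectclass": ["inetOrgPerson"],
        "userpassword": [hashlib.sha256(b"adm-pass-9").hexdigest()],
    },
    "uid=guest,ou=people,dc=example,dc=com": {
        "objectclass": ["inetOrgPerson"],
        "userpassword": [hashlib.sha256(b"guest-pass").hexdigest()],
    },
    "cn=Directory Administrators,ou=groups,dc=example,dc=com": {
        "objectclass": ["groupOfUniqueNames"],
        "uniquemember": ["uid=mmiller,ou=people,dc=example,dc=com"],
    },
    "cn=Manager Group,ou=groups,dc=example,dc=com": {
        "objectclass": ["groupOfUniqueNames"],
        "uniquemember": ["uid=admin1,ou=people,dc=example,dc=com"],
    },
}

# The group chosen on the Managed Directory page; it is the Manager role's principal.
MANAGER_GROUP = "cn=Manager Group,ou=groups,dc=example,dc=com"

# Accessible components: actions and views (names constructed for this example).
ALL_RESOURCES = frozenset({
    "view:Browse", "view:Search", "action:EditEntry", "action:DeleteEntry",
    "view:Configure", "view:Debug",
})


@dataclass(frozen=True)
class Role:
    name: str
    principals: frozenset  # DNs (entries, groups, roles) that assume this role
    resources: frozenset   # accessible components the role may use


# Role table as it would look after a Help Desk Administrators role is created.
ROLES = (
    Role("Manager", frozenset({MANAGER_GROUP}), ALL_RESOURCES),
    Role("Help Desk Administrators",
         frozenset({"cn=Directory Administrators,ou=groups,dc=example,dc=com"}),
         frozenset({"view:Browse", "view:Search", "action:EditEntry"})),
)


def authenticate(account_id, password):
    """Return the user's DN if the account ID and password match, else None."""
    for dn, attrs in DIRECTORY.items():
        if dn.lower().startswith(f"uid={account_id.lower()},"):
            stored = attrs["userpassword"][0]
            digest = hashlib.sha256(password.encode()).hexdigest()
            # Constant-time comparison; unsalted hash only because this is a toy store.
            return dn if hmac.compare_digest(stored, digest) else None
    return None


def resolve_principals(user_dn):
    """Principals of a subject: its own entry, every static group that lists it,
    and every directory-server role (nsRole) the entry carries."""
    principals = {user_dn}
    principals.update(DIRECTORY[user_dn].get("nsrole", []))
    for dn, attrs in DIRECTORY.items():
        members = {m.lower() for m in attrs.get("uniquemember", [])}
        if user_dn.lower() in members:
            principals.add(dn)
    return frozenset(principals)


def roles_for(principals):
    """Roles assumed by a subject: any role sharing at least one principal."""
    return [r for r in ROLES if r.principals & principals]


def can_access(principals, resource):
    """Deny by default: allow only if some assumed role lists the resource."""
    return any(resource in r.resources for r in roles_for(principals))


def login(account_id, password):
    """What the log-in page stores in the HTTP session: the subject's principals."""
    dn = authenticate(account_id, password)
    return None if dn is None else resolve_principals(dn)


if __name__ == "__main__":
    for account, pw in (("mmiller", "mm-pass-1"), ("admin1", "adm-pass-9"), ("guest", "guest-pass")):
        subject = login(account, pw)
        print(account, [r.name for r in roles_for(subject)],
              sorted(res for res in ALL_RESOURCES if can_access(subject, res)))
```

Note that the guest user authenticates successfully but, holding no principal that any role names, can use no component at all; access comes only from role membership, never from authentication alone.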
The rest of this section provides instructions for defining, editing, and deleting roles. The section is organized as follows:
Accessing the Authorization Page
To open the Authorization page, select the Configure tab and then select the Authorization tab. The Authorization page is displayed as follows:
Figure 7-1 Authorization Page
This page consists of the following features:
- Role table: By default, this table contains the Manager and Default roles.
- Create Roles button: Click this button to create additional roles appropriate for your enterprise. (See Defining Directory Editor Roles.)
- Edit Selected Roles button: Click this button to change properties, principals, and accessible resources associated with a particular role. (See Editing Roles.)
- Delete Selected Roles button: Click this button to remove roles. (See Deleting Roles.)
Defining Directory Editor Roles
Before you can define new Directory Editor roles for your enterprise, you must decide which tasks a common set of users must perform. For example, all of your help desk administrators must have write access to directory data.
After you have identified these tasks, use the following steps to create a new role:
- Select Configure > Authorization.
- When the Authorization page is displayed (see Figure 7-1), click the Create Role button.
- On the Create Role page, enter a meaningful name into the Role Name text box. For example, Help Desk Administrators.
Figure 7-2 Role Properties Tab
- Select the Principals tab and use the Principals selection tool to specify the set of principals you want to assume the new role.
Figure 7-3 Principals Tab
- You can select one or more principals from the Principals list and click the button to move them to the Principals Who Assume This Role list. (Press your Shift key and click on items in the list to select multiple principals.)
- Click the button to move all principals to the Principals Who Assume This Role list.
- Click the button to move all principals from the Principals Who Assume This Role list back to the Principals list.
- Select principals from the Principals Who Assume This Role list and click the button to move them back to the Principals list.
For example, you might assign the Directory Administrators to this role.
- Select the Accessible Resources tab (Figure 7-4) to specify the set of components that can be accessed by the new role.
Note
For a complete list of available resources, including their type, category, and a description, see Appendix B, "Resources for Role Configuration."
Figure 7-4 Accessible Resources Tab
- Select one or more resources from the Resources list and click the button to move them to the Resources Accessible By This Role list. (Press your Shift key and click on items in the list to select multiple resources.)
- Click the button to move all resources to the Resources Accessible By This Role list.
- Click the button to move all resources from the Resources Accessible By This Role list back to the Resources list.
- Select resources from the Resources Accessible By This Role list and click the button to move them back to the Resources list.
For example, for a Help Desk Administrator, you might want to assign all the Debug-related resources to this role.
- Click Save to save the new role and to add it to the Roles table (or click Cancel to return to the Authorization page without saving your changes).
Figure 7-5 shows the updated Roles table.
Figure 7-5 New Role Added to the Roles Table
Editing Roles
To edit selected authorization roles, use the following steps:
- Select Configure > Authorization.
- When the Authorization page is displayed, click the checkbox located next to the role you want to edit.
Figure 7-6 Click the Checkbox
- Click the Edit Selected Roles button to open the Edit Roles page.
Figure 7-7 Edit Role Page
- The process for editing a role is the same as the process you used to create it. Review the instructions provided in Defining Directory Editor Roles if necessary.
- When you are finished, click Save (or click Cancel to return to the Authorization page without saving your changes).
Deleting Roles
To delete selected authorization roles, use the following steps:
- Select Configure > Authorization.
- When the Authorization page is displayed, enable the checkbox(es) located next to the role(s) you want to delete.
Figure 7-8 Click the Checkbox
- Click the Delete Selected Roles button. Directory Editor immediately removes the selected roles from the Roles table.
Working with Naming Attributes
This section provides instructions for defining, editing, and deleting naming attributes. The section is organized as follows:
Accessing the Naming Attributes Page
To create new objects, Directory Editor must know how to construct DNs (distinguished names) for the new objects.
For example, if your enterprise uses uid (user ID) rather than cn as the naming attribute for inetOrgPerson, a newly created entry should receive a DN such as:
uid=mmiller,dc=example,dc=com
instead of:
cn=Mike Miller,dc=example,dc=com
Directory Editor ships with a small set of default naming attributes for common object classes, so it is important that you modify these mappings to match the conventions your enterprise uses for naming directory objects. You must also configure naming attributes for any object class that you add to the Create page.
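The following Python function is added as an illustration of how a DN is derived from a naming-attribute mapping of the kind configured on this page; it is not Directory Editor code. It assumes that the attributes mapped to an object class are tried in their configured order and that the first one present in the new entry supplies the RDN (this chapter does not state how Directory Editor itself uses the order), and the mapping table, including a hypothetical custom class exUser named by exIdentifier, is constructed for the example. It also escapes the RDN value per RFC 4514, the check a practitioner wants here: a value containing a comma, plus sign or other special character must not be able to add or alter DN components.

```python
"""Added example (not Directory Editor code): deriving a new entry's DN from
the object class -> naming attribute mapping, with RFC 4514 escaping.

Assumption: mapped attributes are tried in configured order and the first one
that has a value in the new entry supplies the RDN.
"""

# Constructed mapping, keyed by lower-cased object class name.
NAMING_ATTRIBUTES = {
    "inetorgperson": ["uid", "cn"],
    "organizationalunit": ["ou"],
    "groupofuniquenames": ["cn"],
    "exuser": ["exIdentifier"],   # hypothetical custom class
}

# Characters that must be backslash-escaped anywhere in an RDN value.
_SPECIAL = set(',+"\\<>;')


def escape_rdn_value(value):
    """Escape an attribute value for use in an RDN (RFC 4514, section 2.4)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIAL:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:                   # leading '#' would read as hex
            out.append("\\#")
        elif ch == " " and (i == 0 or i == last):    # leading or trailing space
            out.append("\\ ")
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


def build_dn(object_classes, attributes, parent_dn):
    """Return the DN for a new entry under parent_dn.

    object_classes: the entry's object classes, most specific first.
    attributes: {attribute name: [values]} as entered on the Create page.
    """
    for oc in object_classes:
        for attr in NAMING_ATTRIBUTES.get(oc.lower(), []):
            values = attributes.get(attr)
            if values:
                return f"{attr}={escape_rdn_value(values[0])},{parent_dn}"
    raise ValueError(f"no naming attribute configured and present for {object_classes}")


def dn_components(dn):
    """Split a DN into its RDN strings on unescaped commas (to check the result)."""
    parts, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
    parts.append("".join(current))
    return parts


if __name__ == "__main__":
    parent = "dc=example,dc=com"
    print(build_dn(["inetOrgPerson"], {"uid": ["mmiller"], "cn": ["Mike Miller"]}, parent))
    # A hostile value cannot smuggle an extra component into the DN:
    hostile = build_dn(["inetOrgPerson"], {"uid": ["mmiller,ou=admins"]}, parent)
    print(hostile, dn_components(hostile))
```

With uid mapped ahead of cn, an entry that supplies both gets a uid-based DN; an entry with only cn falls back to cn. The hostile value "mmiller,ou=admins" yields the three-component DN uid=mmiller\,ou=admins,dc=example,dc=com rather than a four-component one placed under a different parent.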
To access the Naming Attributes page, select Configure > Naming Attributes. The Naming Attributes page (Figure 7-9) consists of the following features:
- Naming Attribute Mapping table: By default, this table contains a small set of object classes and their naming attributes.
- New button: Click this button to add object classes (and define naming attributes for those object classes) to your enterprise. (See Creating New Object Class Naming Attribute Mappings.)
- Edit Selected button: Click this button to edit the naming attributes defined for the selected object class. (See Editing Naming Attributes.)
- Delete Selected button: Click this button to remove an object class and associated naming attributes from the table. (See Deleting Selected Naming Attributes.)
Creating New Object Class Naming Attribute Mappings
Use the following steps to map naming attributes to a new object class:
- Select Configure > Naming Attributes.
- When the Naming Attributes page is displayed (see Figure 7-9), click the New button.
- A new Naming Attributes page is displayed (Figure 7-10). Select the object class from the Object Class menu.
Figure 7-10 New Naming Attributes Page
- Use the Naming Attributes selection tool to specify naming attributes for the new object class, as follows:
- Select one or more naming attributes from the Available Attributes list and click the button to move them to the Used Attributes list. (Press your Shift key and click on items in the list to select multiple naming attributes.)
- Click the button to move all naming attributes to the Used Attributes list.
- Click the button to move all naming attributes from the Used Attributes list back to the Available Attributes list.
- Select naming attributes from the Used Attributes list and click the button to move them back to the Available Attributes list.
- Use the (move up) and (move down) buttons to change the order of attributes in the Used Attributes list
For example, you might specify a new object class called exUser for extending the default user object and have an attribute called exIdentifier as the naming attribute.
Figure 7-11 New Object Class and Naming Attribute Added to the Table
- Click Save to save the new object class and attribute(s) (or click Cancel to return to the Naming Attributes page without saving your changes).
Figure 7-12 shows the new entry added to the Object Class table.
Figure 7-12 Updated Table
Editing Naming Attributes
To edit selected naming attributes, use the following steps:
- Select Configure > Naming Attributes.
- When the Naming Attributes page is displayed, click the checkbox located next to the object class you want to edit.
Figure 7-13 Click the Checkbox
- Click the Edit Selected button to open a new Naming Attributes page (similar to Figure 7-14).
Figure 7-14 Editing the Naming Attributes
Note that the Object Class menu is not available on this page. Instead, Directory Editor displays the selected object class name.
- Use the Naming Attributes selection tool to add or remove naming attributes. Review the instructions provided in Creating New Object Class Naming Attribute Mappings if necessary.
- When you are finished, click Save (or click Cancel to return to the Naming Attributes page without saving your changes).
Deleting Selected Naming Attributes
To delete selected naming attributes, use the following steps:
- Select Configure > Naming Attributes.
- When the Naming Attributes page is displayed, enable the checkbox(es) located next to the object class(es) you want to delete.
Figure 7-15 Click the Checkbox
- Click the Delete Selected button and Directory Editor will immediately remove the selected object class(es) from the table.