Sun Java System Directory Editor 1 2004Q4 SP1 Installation and Configuration Guide
Chapter 7
Configuring Directory Editor
Use the information provided in this chapter to configure your Directory Editor application to control user access to applications and application components, and to define relative distinguished name (RDN) configurations. This chapter is organized as follows:
Controlling User Access
Authentication and authorization are terms used to describe methodologies for controlling access to applications or application components.
- Authentication is the process by which an application challenges a client to supply credentials — typically providing a user name and password through a log-in page. Based on these credentials, the application determines whether a user (or a different client, such as another application) can use the application.
- Authorization assumes that a client has already been authenticated and is the process of determining whether that client can use a particular component of the application. Authorization takes a more fine-grained approach to access control.
You can use the Directory Editor Authorization page to authenticate clients and to control access to Directory Editor components using fine-grained authorization.
Note
By default, you must have the Manager role to access the Authorization page. For more information about roles, see Understanding Roles.
To understand authorization, you must understand the terms role, principal, and capabilities. These terms are described in the following sections:
Understanding Roles
A role describes a user's function within the enterprise hosting Directory Editor and determines with which parts of Directory Editor the user can interact.
By default, Directory Editor is pre-configured with two roles:
Directory Editor enables you to add roles that support interactions appropriate for your enterprise, and these roles can consist of individual users or a group of users.
For example, if you create CEO, help desk administrator, and HR administrator roles for your organization, it is probably not necessary for each of these roles to have the same access capabilities.
Every role is associated with a set of principals that assume the role (see the next section, Understanding Principals).
For Directory Editor, there is a single group in the directory server (called the Manager Group) that serves as the principal corresponding to the Manager role.
You use the Managed Directory page to specify the Manager Group at configuration time (also available after configuration by selecting Configure > Managed Directory). So, if you have a particular user that should have full access to all Directory Editor functions, make that user's DN a member of the Manager Group.
Understanding Principals
A principal represents an entity (such as an individual, corporation, or login ID). The term subject is used to describe entities (typically human users). Subjects can be represented by multiple, differing principals — just as people can be represented by their credit card number to banks and by their UNIX account name to system administrators. The credit card numbers and UNIX account names are principals in this case.
Because Directory Editor is focused on directory data management, its principals are all represented using the following directory objects:
A user entering a DN in the log-in page can be represented by several different principals, depending on the data in the directory. For example, if the user’s account ID happens to be a member of a specific group, that user will be represented by the account ID’s DN and by the DN of the group to which the DN belongs.
In Directory Editor, objects representing the user (or subject) are stored in the HTTP session. After the user enters an account ID and a password on the Directory Editor's log-in page, Directory Editor populates the subject with all of the various principals (person entries, groups, and roles) associated with that account ID.
Note
If you edit the Manager role’s default principals, you can restore the original settings by clicking the Restore Default Setting button located on the Principals tab.
Understanding Capabilities
Capabilities are rights to perform actions within Directory Editor. A capability aggregates a set of resources that are necessary to perform the associated action (see Appendix B, "Resources for Capability Configuration").
By default, the Directory Editor capabilities include:
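The role, principal and capability model described in the preceding sections, as an added example that is not Directory Editor's own code: a subject is built from the user's DN plus the groups it belongs to (including nested groups), roles are matched against that principal set, and a capability check passes only if some assumed role grants it. All DNs, group memberships and capability names are constructed for illustration.

```python
# Added example (not Directory Editor code): a minimal model of the role /
# principal / capability authorization described above. All DNs, group
# memberships and capability names below are constructed for illustration.
from dataclasses import dataclass

@dataclass
class Role:
    name: str
    principals: set       # DNs (user, group or role entries) that assume this role
    capabilities: set     # constructed capability names the role grants

# Constructed directory data: group DN -> DNs of its members. A group may be a
# member of another group, so membership is resolved transitively.
GROUPS = {
    "cn=Manager Group,ou=Groups,dc=example,dc=com": {
        "uid=admin,ou=People,dc=example,dc=com",
    },
    "cn=Help Desk,ou=Groups,dc=example,dc=com": {
        "uid=mmiller,ou=People,dc=example,dc=com",
        "cn=Tier 2,ou=Groups,dc=example,dc=com",
    },
    "cn=Tier 2,ou=Groups,dc=example,dc=com": {
        "uid=jdoe,ou=People,dc=example,dc=com",
    },
}

def build_subject(user_dn, groups=GROUPS):
    """Return every principal representing the logged-in user: the user's own
    DN plus the DN of each group it belongs to, directly or through nesting."""
    principals = {user_dn}
    pending = [user_dn]
    while pending:
        dn = pending.pop()
        for group_dn, members in groups.items():
            if dn in members and group_dn not in principals:
                principals.add(group_dn)   # the visited set also stops group cycles
                pending.append(group_dn)
    return principals

# Constructed roles: the Manager role's principal is the Manager Group, as the
# text describes; the Help Desk role and the capability names are made up.
ROLES = [
    Role("Manager", {"cn=Manager Group,ou=Groups,dc=example,dc=com"},
         {"create", "edit", "delete", "configure"}),
    Role("Help Desk Administrator", {"cn=Help Desk,ou=Groups,dc=example,dc=com"},
         {"edit"}),
]

def roles_for(subject, roles=ROLES):
    """A subject assumes a role when any of its principals is in the role's set."""
    return [r for r in roles if subject & r.principals]

def is_authorized(subject, capability, roles=ROLES):
    """Fine-grained check: is the capability granted by any role the subject holds?"""
    return any(capability in r.capabilities for r in roles_for(subject, roles))
```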
Working with Roles
This section provides instructions for defining, editing, and deleting roles. The section is organized as follows:
Accessing the Authorization Page
To open the Authorization page, select the Configure tab and then select the Authorization tab. The Authorization page is displayed as follows:
Figure 7-1 Authorization Page
This page consists of the following features:
- Create Role button: Click this button to create additional roles appropriate for your enterprise. (See Creating Directory Editor Roles.)
- Edit Selected Role button: Click this button to change the properties, principals, and capabilities associated with a particular role. (See Editing Roles.)
- Delete Selected Role(s) button: Click this button to remove roles. (See Deleting Roles.)
- Role table: By default, this table contains the Manager and Default roles.
Creating Directory Editor Roles
Before you can define new Directory Editor roles for your enterprise, you must decide which tasks a common set of users must perform. For example, all of your help desk administrators must have write access to directory data.
After you have identified these tasks, use the following steps to create a new role:
- Select Configure > Authorization.
- When the Authorization page is displayed (see Figure 7-1), click the Create Role button.
- On the New Role page, enter a meaningful name into the Role Name text box. For example, Site Managers.
Figure 7-2 Role Properties Tab
- To specify a set of principals for this role, select the Principals tab and then click the Search for Principals button.
Figure 7-3 Principals Tab
- When the Search for Principals page is displayed (Figure 7-4), use one of the search tabs (Basic, Advanced, or Filtered) to search the directory for identity, group, or role objects you want to assume the new role.
Figure 7-4 Search for Principals Page
- Define the parameters for your search and then click the Search button.
Note
If necessary, see Chapter 6, "Searching Directories" to review the instructions for using these search tabs.
For example, if you want all Managers to assume the new role, you can use the Basic Search tab to search for Directory Administrators as follows:
Figure 7-5 Adding Objects to the Principals Set
- In the Results from Search table, enable the Results checkbox(es) to select principals for the new role and then click the Add Selected Principals button.
The New Role page redisplays and the Principal table now contains the principal(s) you specified.
Figure 7-6 Principal Table
Note
To remove principals from the Principal table (and from the new role), enable the checkbox to the right of the principal name(s), and then click the Remove Selected button.
- Select the Capabilities tab (Figure 7-7) to specify a set of actions that can be performed by users who assume the new role.
Figure 7-7 Capabilities Tab
- Select one or more capabilities from the Available Capabilities list and click the button to move them to the Capabilities Of This Role list. (Press your Shift key and click on items in the list to select multiple capabilities.)
- Click the button to move all capabilities to the Capabilities Of This Role list.
- Click the button to move all capabilities from the Capabilities Of This Role list back to the Available Capabilities list.
- Select capabilities from the Capabilities Of This Role list and click the button to move them back to the Available Capabilities list.
For example, you might want to assign all of the capabilities to the Help Desk Administrator role.
- Click Save to save the new role and to add it to the Roles table (or click Cancel to return to the Authorization page without saving your changes).
Figure 7-8 shows the updated Roles table.
Figure 7-8 New Role Added to the Roles Table
Editing Roles
To edit selected authorization roles, use the following steps:
- Select Configure > Authorization.
- When the Authorization page is displayed, click the checkbox located next to the role you want to edit.
Figure 7-9 Click the Checkbox
- Click the Edit Selected Role button to open the Edit page.
Figure 7-10 Edit Page
- The process for editing a role is the same as the process you used to create it. Review the instructions provided in Creating Directory Editor Roles if necessary.
- When you are finished, click Save (or click Cancel to return to the Authorization page without saving your changes).
Deleting Roles
To delete selected roles, use the following steps:
- Select Configure > Authorization.
- When the Authorization page is displayed, enable the checkbox(es) located next to the role(s) you want to delete.
Figure 7-11 Click the Checkbox
- Click the Delete Selected Role(s) button and Directory Editor will immediately remove the selected role(s) from the Roles table.
Working with Naming Attributes
This section provides instructions for defining, editing, and deleting naming attributes. The section is organized as follows:
Accessing the Naming Attributes Page
To create new objects, Directory Editor must know how to construct DNs (distinguished names) for the new objects.
For example, if your customer wants to use uid (user ID) rather than cn as the naming attribute for inetOrgPerson, a newly created entry would receive the following DN:
uid=mmiller,dc=example,dc=com
instead of:
cn=Mike Miller,dc=example,dc=com
Directory Editor ships with a small set of default naming attribute mappings for object classes, so it is important that you modify these mappings to match the conventions your enterprise uses for naming directory objects. Any object class that you add to the Create page must also be configured with naming attributes.
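How a DN is built from such a mapping, as an added example that is not Directory Editor's own code: the naming attributes configured for the entry's object class, in their configured order, form the RDN (joined with '+' when there is more than one), and the RDN is prepended to the parent DN. The mapping and entry values are constructed; the uid-for-inetOrgPerson mapping follows the example above, and the value escaping applies the RFC 4514 rules so that a value containing a comma or a leading space does not corrupt the DN.

```python
# Added example (not Directory Editor code): constructing the DN of a new entry
# from an object class -> naming attribute mapping like the one kept on the
# Naming Attributes page. The mapping and entry values are constructed.

# Naming attributes per object class, in the order of the Used Attributes list.
# inetOrgPerson is mapped to uid (not cn), as in the example above; the other
# two mappings are made up.
NAMING_ATTRIBUTES = {
    "inetOrgPerson": ["uid"],
    "exUser": ["exIdentifier"],
    "device": ["cn", "serialNumber"],     # two attributes -> multi-valued RDN
}

def escape_rdn_value(value):
    """Escape an attribute value for use in an RDN per RFC 4514: special
    characters, a leading '#', and a leading or trailing space."""
    last = len(value) - 1
    out = []
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;':
            out.append("\\" + ch)
        elif ch == "#" and i == 0:
            out.append("\\#")
        elif ch == " " and i in (0, last):
            out.append("\\ ")
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)

def missing_naming_attributes(object_class, attributes, mapping=NAMING_ATTRIBUTES):
    """Names the mapping requires that the entry does not supply a value for."""
    return [n for n in mapping.get(object_class, [])
            if attributes.get(n) in (None, "")]

def build_dn(object_class, attributes, parent_dn, mapping=NAMING_ATTRIBUTES):
    """RDN = naming attributes in configured order joined with '+', then the
    parent DN. Raises if the object class is unmapped or a value is missing."""
    names = mapping.get(object_class)
    if not names:
        raise ValueError(f"no naming attribute mapping for {object_class}")
    missing = missing_naming_attributes(object_class, attributes, mapping)
    if missing:
        raise ValueError(f"entry lacks naming attribute(s): {missing}")
    rdn = "+".join(f"{n}={escape_rdn_value(str(attributes[n]))}" for n in names)
    return f"{rdn},{parent_dn}"
```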
To access the Naming Attributes page,
This page consists of the following features:
- Naming Attribute Mapping table: By default, this table contains a small set of object classes and their naming attributes.
- New button: Click this button to add object classes (and define naming attributes for those object classes) to your enterprise. (See Creating New Object Class - Naming Attribute Mappings.)
- Edit Selected button: Click this button to edit the naming attributes of the selected object class. (See Editing Naming Attributes.)
- Delete Selected button: Click this button to remove an object class and associated naming attributes from the table. (See Deleting Selected Naming Attributes.)
Creating New Object Class - Naming Attribute Mappings
Use the following steps to create a new object class - naming attribute mapping:
- Select Configure > Naming Attributes.
- When the Naming Attributes page is displayed (see Figure 7-12), click the New button.
- A new Naming Attributes page is displayed (Figure 7-13). Select the object class from the Object Class menu.
Figure 7-13 New Naming Attributes Page
- Use the Naming Attributes selection tool to specify naming attributes for the new object class, as follows:
- Select one or more naming attributes from the Available Attributes list and click the button to move them to the Used Attributes list. (Press your Shift key and click on items in the list to select multiple naming attributes.)
- Click the button to move all naming attributes to the Used Attributes list.
- Click the button to move all naming attributes from the Used Attributes list back to the Available Attributes list.
- Select naming attributes from the Used Attributes list and click the button to move them back to the Available Attributes list.
- Use the (move up) and (move down) buttons to change the order of attributes in the Used Attributes list.
For example, you might specify a new object class called exUser for extending the default user object and have an attribute called exIdentifier as its naming attribute.
Figure 7-14 New Object Class and Naming Attribute Added to the Table
- Click Save to save the new object class and attribute(s) (or click Cancel to return to the Naming Attributes page without saving your changes).
Figure 7-15 shows the new entry added to the Object Class table.
Figure 7-15 Updated Table
Editing Naming Attributes
To edit selected naming attributes, use the following steps:
- Select Configure > Naming Attributes.
- When the Naming Attributes page is displayed, click the checkbox located next to the object class you want to edit.
- Click the Edit Selected button to open a new Naming Attributes page (similar to Figure 7-16).
Figure 7-16 Editing the Naming Attributes
Note that the Object Class menu is not available on this page. Instead, Directory Editor displays the selected object class name.
- Use the Naming Attributes selection tool to add or remove naming attributes. Review the instructions provided in Creating New Object Class - Naming Attribute Mappings if necessary.
- When you are finished, click Save (or click Cancel to return to the Naming Attributes page without saving your changes).
Deleting Selected Naming Attributes
To delete selected naming attributes, use the following steps:
- Select Configure > Naming Attributes.
- When the Naming Attributes page is displayed, enable the checkbox(es) located next to the object class(es) you want to delete.
Figure 7-17 Click the Checkbox
- Click the Delete Selected button and Directory Editor will immediately remove the selected object class(es) from the table.
Editing the Startup Properties
After initially configuring the Startup Properties page, you can edit any of the property values by selecting Configuration > Startup.
The steps for editing any of the properties provided on this tab are the same as the steps you performed during the initial configuration.
Editing the Managed Directory Properties
After initially configuring the Managed Directory page, you can edit any of the specified property values by selecting Configuration > Managed Directory.
The steps for editing any of the properties provided on this tab are the same as the steps you performed during the initial configuration — except for the Manager Principals parameter.
After completing the initial configuration of Directory Editor, the program adds a Search for Principals button beneath the Manager Principals text boxes so you can search the directory for principals.
Note
Completing these Manager Principals fields is the same as selecting Configure > Authorization and editing the Manager role’s principals on the Principals tab.
To search for principals to add to the Manager Principals set:
- Click the Search for Principals button.
Figure 7-18 Search for Principals button
- When the Search for Principals page is displayed (Figure 7-19), select one of the search tabs (Basic, Advanced, or Filtered) to search the directory for User, Organization, Group, or All objects.
Figure 7-19 Search for Principals Page
- Define the parameters for your search and then click the Search button.
Note
If necessary, see Chapter 6, "Searching Directories" to review the instructions for using these search tabs.
For example, if you want to add all Directory Administrators to the Manager Principals list, you can select the Basic Search tab to search for Directory Administrators as follows:
Figure 7-20 Adding Objects to the Principals Set
- When a Results table is displayed with the results of your search, enable the appropriate Results checkbox(es) to select those principals and then click the Add Selected Principals button.
The Managed Directory page redisplays. Note that the Manager Principals list now contains the principal(s) you specified.
Figure 7-21 New Manager Principals List