Sun Java(TM) System Administration Server 5.2 2005Q1 Administration Guide 

Chapter 4
Managing Users and Groups From the Console

Sun Java System Server Console allows you to create, locate, and manage user and group information from any system in your enterprise.

This chapter contains the following sections:

    Interacting With Directory Server
    Locating a User or Group in the Directory
    Creating New Directory Entries
    Modifying Existing Directory Entries

Chapter 8, "Access Control" shows you how to work with user and group information when setting access privileges and other security information.


Interacting With Directory Server

When you use Server Console to create or modify users and groups, you make changes in the user directory, a subtree (suffix) of Directory Server. These changes affect all applications that use Directory Server. For information on how Server Console uses the data stored in the user directory, see Chapter 1, "Remote Server Administration Overview."

Each user and group in your enterprise is represented in Directory Server by a distinguished name (DN). A DN is the string representation of an entry's name and location in an LDAP directory. The user and group names you specify in Server Console must adhere to the naming conventions of Directory Server. For information about how Directory Server entries are named, see "Distinguished Names, Attributes, and Syntax" in the Directory Server Deployment Guide.

Locating a User or Group in the Directory

You can use the "Users and Groups" Search function to locate directory entries. Initially, the function is set to search within the default user directory. If you do not want to use the default user directory, you can manually change to another one. See Choosing a Different Directory to Search for more information.

Figure 4-1 Sun Java System Server Console User and Groups Tab

The User and Groups tab lets you search for entries in the user directory.

To Locate Users or Groups in the Directory

  1. In Server Console, click the "Users and Groups" tab.
  2. Specify your search criteria in one of these ways:

    To find specific user, group, or organizational entries, enter all or part of the name in the text entry box. For example, entering John Swanson returns all entries with an ou, cn, or uid containing "John Swanson", while entering John returns all entries with an ou, cn, or uid containing the word "John".

    To see all the entries currently stored in your directory, leave the Search field blank or enter an asterisk (*). Keep in mind that retrieving all entries in a large database can take a long time.

    To specify more focused search criteria, click the Advanced button. In the "Search users and groups" dialog box, enter the following information:

    Search. Specify where to perform the search by choosing Users, Groups, Users and Groups, or Administrators. The part of the subtree to search is specified at the top of the dialog box.

    Where. First choose an attribute, and then choose a search operator and type in a term.

    Figure 4-2 Searching for User and Groups
    You may also perform advanced searches.

  3. Click Search.

    The search results are displayed in the list box.


    Note

    For performance reasons, the Console for Directory Server displays only 5000 results, even when you have configured Directory Server to return more than 5000 results.


Choosing a Different Directory to Search

When you use the Advanced Users and Groups Search function, the URL for the default user directory appears above the text entry box (see Figure 4-2). Initially, all searches are performed in this user directory. If you need to search a different user directory, you can choose one other than the default.

To Change the Directory to Search

  1. In Server Console, click the "Users and Groups" tab.
  2. From the User menu, choose Change Directory.
  3. In the Change Directory dialog box, provide user directory information:

    User Directory Host. Enter the fully qualified host name where the user directory is installed.

    User Directory Port. Enter the port number used to connect to the user directory.

    Secure Connection. Check this box if the port number entered above is for use with the Secure Sockets Layer (SSL) protocol. Make sure that the port is configured to support SSL before selecting this option. Over a non-SSL port the simple bind that Server Console performs sends the Bind DN and Bind Password below to the directory in cleartext.

    User Directory Subtree. Enter the DN of the user directory subtree to search in. For example, to search all user entries in your organization, you might enter dc=example,dc=com. To search within the sales force, you might enter ou=sales,dc=example,dc=com.

    Bind DN. Enter the distinguished name of a user authorized to search entries in the user directory.

    Bind Password. Enter the password for the user specified by the Bind DN.

  4. Click OK.


Creating New Directory Entries

From the Server Console "Users and Groups" tab, you can add or modify a user, group, or organizational unit. Alternatively, you can perform these directory operations from the command line using tools such as ldapmodify(1).

Users

A user entry contains information about an individual person or resource in the directory. For example, you can create user entries for John Smith, Printer 3B, or Conference Room 25.

To Create a New User Entry in the Directory

  1. In Server Console, click the "Users and Groups" tab.
  2. Click the Create button and then choose User. Alternatively you can open the User menu and choose Create > User.
  3. In the Select Organizational Unit dialog box, select the organizational unit (ou) or top entry of the subtree to which the user belongs, and then click OK.
  4. In the Create User window, enter user information:

    First Name. Enter the user's first name.

    Last Name. Enter the user's last name (surname).

    Common Name. This is the user's full name. It is automatically generated from the First Name and Last Name entered above. You can edit this name as necessary.

    User ID. When you enter a first and last name, the user ID is automatically generated. You can replace this user ID with one of your choice. The user ID must be unique among all user IDs in the directory.

    Password. (Optional) Enter the user's password. Alphanumeric characters, spaces, and punctuation marks are all acceptable.

    Confirm Password. If you entered the user's password, enter it again to confirm.

    E-Mail. (Optional) Enter the user's mail address. If the user has multiple mail addresses that you want to store in the same attribute value, separate them with commas. For example: jsimon@example.com, james.simon@example.net. If you want a separate attribute value per mail address, separate them using new line characters. For example:

      jsimon@example.com
      james.simon@example.net

    Phone. (Optional) Enter the user's telephone number. If the user has multiple telephone numbers that you want to store in the same attribute value, separate them with commas. For example: (800)555-9SUN, (650)960-1300. If you want a separate attribute value per telephone number, separate them using new line characters. For example:

      (800)555-9SUN
      (650)960-1300

    Fax. (Optional) Enter the user's fax number. If the user has multiple fax numbers that you want to store in the same attribute value, separate them with commas. If you want a separate attribute value per fax number, separate them using new line characters.

    Figure 4-3 Entering User Information
    You include user information for the entry.

  5. If you want to specify language-related information, click the Languages tab. From the drop-down list in the Languages panel, select the user's preferred language, and then enter language-related information:

    First Name. Enter the user's first name in the selected language.

    Last Name. Enter the user's last name (surname) in the selected language.

    Common Name. This is the user's full name in the selected language. It is automatically generated from the First Name and Last Name entered above. You can edit this name as necessary.

    Phone. Enter the user's telephone number. If the user has multiple telephone numbers that you want to store in the same attribute value, separate them with commas. For example: (800)555-9SUN, (650)960-1300. If you want a separate attribute value per telephone number, separate them using new line characters.

    Pronunciation. If the selected language is commonly represented phonetically, additional fields are displayed. Enter the phonetic representation for the user's first, last, and common name.

  6. Click OK.

The User's Preferred Language

Sometimes a user's name can be more accurately represented using a character set other than that of the default language. For example, Akumi's name is Japanese. She has indicated on her hiring forms that she prefers Japanese characters to represent her name. You can select Japanese as her preferred language so that her name is displayed in Japanese characters, even when the viewing user's default language is English. To indicate a user's preferred language, use the Languages tab as described in To Create a New User Entry in the Directory.
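The guide notes above that the same entries can be created from the command line with ldapmodify(1). The following is an added example, not code from the Sun guide or from Directory Server: it emits RFC 2849 LDIF for the two operations the Console performs in this section, creating a person entry (with the one-value-per-line and comma-separated cases for mail and telephone, and the preferred-language names stored under attribute language subtypes such as cn;lang-ja) and adding a member to a static group. The object classes and attribute names (inetOrgPerson, givenName, sn, cn, mail, telephoneNumber, userPassword, groupOfUniqueNames/uniqueMember) are the standard ones and are an assumption about what the Console writes; every name, address and DN is constructed sample data.

```python
"""RFC 2849 LDIF for ldapmodify(1), the command-line alternative the guide gives to the
Console's Create User window and group Members panel.
Added example, not code from the Sun guide. The object classes and attribute names are the
standard inetOrgPerson and groupOfUniqueNames ones and are an assumption about what the
Console itself writes; all names, addresses and DNs are constructed sample data."""
import base64


def _is_safe(value: str) -> bool:
    """RFC 2849 SAFE-STRING check: printable ASCII, not starting with space, ':' or '<'."""
    return (not value or value[0] not in ' :<') and all(32 <= ord(c) < 127 for c in value)


def ldif_attr(attr: str, value: str) -> str:
    """One 'attr: value' line; anything that is not a SAFE-STRING goes base64 after '::'."""
    if _is_safe(value):
        return f'{attr}: {value}'
    return f'{attr}:: ' + base64.b64encode(value.encode('utf-8')).decode('ascii')


def user_entry_ldif(parent_dn, first, last, uid, mails=(), phones=(),
                    lang=None, lang_names=None, password=None) -> str:
    """'add' record mirroring the Create User window.
    mails / phones: each item becomes its own attribute value (the Console's new-line case);
    one item that itself contains commas is the single-value case.
    lang + lang_names=(first, last): the name in the preferred language, stored with an
    attribute language subtype such as cn;lang-ja (RFC 3866)."""
    lines = [f'dn: uid={uid},{parent_dn}', 'changetype: add',
             'objectClass: top', 'objectClass: person',
             'objectClass: organizationalPerson', 'objectClass: inetOrgPerson',
             ldif_attr('uid', uid), ldif_attr('givenName', first),
             ldif_attr('sn', last), ldif_attr('cn', f'{first} {last}')]
    lines += [ldif_attr('mail', m) for m in mails]
    lines += [ldif_attr('telephoneNumber', p) for p in phones]
    if lang and lang_names:
        lfirst, llast = lang_names
        lines += [ldif_attr(f'givenName;lang-{lang}', lfirst),
                  ldif_attr(f'sn;lang-{lang}', llast),
                  ldif_attr(f'cn;lang-{lang}', f'{lfirst} {llast}')]
    if password is not None:
        # The value travels exactly as typed: feed this to ldapmodify over SSL, not a plain port.
        lines.append(ldif_attr('userPassword', password))
    return '\n'.join(lines) + '\n'


def add_member_ldif(group_dn: str, member_dn: str) -> str:
    """'modify' record that adds one DN to a static group's uniqueMember attribute."""
    return '\n'.join([f'dn: {group_dn}', 'changetype: modify',
                      'add: uniqueMember', ldif_attr('uniqueMember', member_dn), '-']) + '\n'


def parse_ldif_record(text: str) -> dict:
    """Read one record back as {attr: [values]}, decoding '::' values; a quick way to
    inspect exactly what ldapmodify will send before running it."""
    record = {}
    for line in text.splitlines():
        attr, sep, value = line.partition(':')
        if not line or not sep or line.startswith('#'):   # blank, '-' separator or comment
            continue
        if value.startswith(':'):
            value = base64.b64decode(value[1:].strip()).decode('utf-8')
        else:
            value = value.strip()
        record.setdefault(attr, []).append(value)
    return record
```

Pipe the output of user_entry_ldif or add_member_ldif into ldapmodify bound as a user with write access to the target subtree; parse_ldif_record is only there to check, offline, that the multi-valued and base64 lines came out as intended.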

Administrators

During installation, you are asked to enter a user name and password for the Configuration Administrator, the user authorized to access and modify the entire configuration directory. The Configuration Administrator entry is stored in the directory under the following DN:

uid=userID,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot

During installation, the Configuration Administrator's user name and password are used to create the Administration Server Administrator. This user can perform a limited number of tasks, such as starting, stopping, and restarting servers in a local server group. The Administration Server Administrator is created for the purpose of logging into Server Console when Directory Server is not running.

The Administration Server Administrator does not have an LDAP entry; it exists only as an entity in a local configuration file stored at:

ServerRoot/admin-serv/config/admpw

Even though they are created at the same time during installation, and are identical at that time, the Configuration Administrator and Administration Server Administrator are two separate entities. If you change the user name or password for one, Server Console does not automatically make the same changes for the other. When you rotate the credential, change both, or the old password remains valid for the one you did not change.

For more information on modifying the Configuration and Administration Server Administrators, see Modifying Existing Directory Entries.

To Create an Administrator

The administrator user you create has the same rights as the Configuration Administrator created during installation, and the administrator user entry is located in the same subtree as that of the Configuration Administrator.

  1. In Server Console, click the "Users and Groups" tab.
  2. Click the Create button and then choose Administrator. Alternatively, you can open the User menu and choose Create > Administrator.
  3. In the Create Administrator window, enter the appropriate user information.

    The requested information is exactly the same as in the Create User dialog box, except that Password is a required field. For more information, refer to To Create a New User Entry in the Directory.

Groups

A group consists of users who share a common attribute or are part of a list. For example, you might set up a group called Sales consisting of all users whose entries contain the attribute ou=Sales. Sun Java System Directory Server supports three types of groups: static, dynamic, and certificate. Each group differs in the way in which users, or members, are added to it. The following descriptions explain this.

A static group consists only of users that have been added to it. It is called static because it doesn't change unless you add a user to it or delete a user from it. For example, if you create a static group called Marketing, none of the users who have the attribute department=marketing in their entry are members of the Marketing group until you explicitly add each one to the group.


Tip

For high performance, avoid huge static groups, and use roles instead. For information about assigning roles see the Directory Server Administration Guide.


One special static group is called the Configuration Administrators group. It is automatically created and populated when the configuration directory is installed. Members of the Configuration Administrators group have unrestricted access to the configuration directory. The group is stored in the configuration directory under the following DN:

ou=Groups, ou=TopologyManagement, o=NetscapeRoot

Initially, the Configuration Administrator is the only member of the Configuration Administrators group. To give additional users the same level of administrative privilege, add them as members of the group; they can then access the configuration directory in the same way as the Configuration Administrator. Because any member of the Configuration Administrators group can add further members, treat membership in this group as full control of the configuration directory and review it regularly.

A dynamic group automatically includes users based on one or more attributes in their entry. For example, you can create a dynamic group called California Sales that automatically includes any entry containing the attributes st=California and department=sales. These attributes are specified as part of an LDAP URL. Whenever you search for members of the California Sales group, the results contain all entries located by the URL.

A certificate group includes all users whose certificate subject contains a common set of attributes. For example, you can create a certificate group called California Western Sales whose members share these attributes: ou=Sales, ou=West, st=CA. When a user logs on to a server with a certificate, if all of these attributes are found in the certificate's subject, the user is automatically recognized as belonging to the group. If the certificate does not contain all of these attributes, the user is not recognized as a member of the California Western Sales group and does not receive the access, privileges, or permissions granted to group members.

To Create a Static Group in the Directory

  1. In Server Console, click the "Users and Groups" tab.
  2. Click the Create button and then choose Group. Alternatively you can open the User menu and choose Create > Group.
  3. In the Select Organizational Unit dialog box, select the organizational unit (ou) to which the group belongs, and then click OK.
  4. In the Create Group dialog box, enter group information:

    Group Name. Enter a name for the group.

    Description. (Optional) Enter a description to help you identify this group.

    Figure 4-4 Entering Group Information
    You include group information for the entry.

  5. Create the group now, or specify members for the group before creating it:

    If you want to create only the group now, and add group members later, click OK and skip the rest of this procedure.

    If you want to immediately add members to the group, click Members and then continue to the next step.

  6. In the Members panel, click Add, and then use the Search dialog box to locate a user you want to add to the Members User ID list. Repeat this step until all the users you want to add to the group are displayed in the Members User ID list, and then click OK.

To Add Users to the Configuration Administrators Group

  1. In Server Console, click the "Users and Groups" tab, and then choose Change Directory from the User menu.
  2. In the Change Directory window, indicate the location of the configuration directory that contains the Configuration Administrators group:

    User Directory Host. Enter the fully qualified host name where the configuration directory is installed.

    User Directory Port. Enter the port number you want to use to connect to the configuration directory.

    User Directory Subtree. Enter o=NetscapeRoot to indicate where to find the Configuration Administrators group.

    Bind DN. Enter the DN of a user authorized to change entries in this directory, such as the Configuration Administrator or another member of the Configuration Administrators group.

    Bind Password. Enter the password for the user specified by the Bind DN.

    Figure 4-5 Change to the Directory Holding the Administrator Subtree
    You change to the directory containing Configuration Administrators.

  3. Click OK.
  4. Use the Search function to locate and highlight the Configuration Administrators group, and then click Edit.
  5. In the Edit Group window, click Members.

    Figure 4-6 Adding the User to the Administrator Group
    You add the user to the Administrators group.

  6. Click Add.
  7. In the Search Users and Groups window, locate and select the user you want to add, and then click OK.
  8. Repeat the previous two steps until all the users you want to add to the group are displayed in the Members list, and then click OK.

To Create a Dynamic Group

  1. In Server Console, click the "Users and Groups" tab.
  2. Click the Create button and then choose Group. Alternatively you can open the User menu and choose Create > Group.
  3. In the Select Organizational Unit dialog box, select the organizational unit (ou) to which the group is to belong, and then click OK.
  4. In the Create Group dialog box, enter general group information:

    Group Name. Enter a name for the group.

    Description. (Optional) Enter a description to help you identify this group.

  5. Click Members.
  6. Click Dynamic Group, and then click Add.
  7. Use the "Construct and Test LDAP URL" dialog box to specify the criteria for including users in the dynamic group.

    If you know the exact LDAP URL you want to use to include users in the group, enter it and skip to Step 10.

    The LDAP URL takes the form:

    ldap:///base_DN??sub?(attribute=value)

    For example:

    ldap:///dc=example,dc=com??sub?(department=marketing)

    The members of the group are exactly the entries this search returns, so the base DN and the filter together decide who receives whatever access is granted to the group. Keep the base DN as narrow and the filter as specific as the intended membership.

    If you want to interactively build an LDAP URL for including users in the group, click Construct.

    Figure 4-7 Constructing the LDAP URL
    You define the LDAP URL to specify the dynamic group.

  8. In the Construct LDAP URL dialog box, provide search criteria:

    LDAP Server Host. Displays the fully qualified host name of the Directory Server in which you are searching.

    Port. Displays the port number for the listed LDAP Server Host.

    Base DN. Enter the base DN from which to begin the search. Example: ou=Marketing, o=Example Corp, c=US

    Search. Specify the user directory subtree you want to search.

    for. Specify whether you want to search users, groups, or both.

    where. In the drop-down lists, first select an attribute, and then a search operator. In the last input field, enter a search string, and then click Search.

    More. If you want to specify more attributes to search for, click this button.

    Figure 4-8 The Construct LDAP URL Dialog
    You can use this dialog box to define the LDAP URL.

  9. Click OK.
  10. If you want to see a list of users and groups included in the dynamic group, click Test in the Construct and Test LDAP URL dialog box.
  11. Click OK to confirm your acceptance of the LDAP URL and add it to the list used to include members in this dynamic group.
  12. If you want to create additional LDAP URLs for including members in this group, repeat Steps 6 through 11.
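Two things in this chapter come down to an LDAP search filter: the "Users and Groups" search box (an ou, cn or uid containing the typed text) and the dynamic-group LDAP URL above. The example below is added here and is not code from the Sun guide or from Directory Server. It builds both with RFC 4515 escaping, so a value such as *)(uid=* cannot change the filter's structure, assembles and parses the ldap:///base??scope?filter URL form (percent-encoding per RFC 4516), and evaluates a filter offline against a handful of constructed entries to show which DNs a dynamic group would pick up. The statement that a dynamic group keeps its URL in a memberURL attribute, the case-insensitive matching, and all entry data are assumptions and constructed samples; only subtree scope is evaluated.

```python
"""LDAP URLs (RFC 4516) and search filters (RFC 4515): build them with proper
escaping and evaluate them offline against sample entries.
Added example, not code from the Sun guide; the sample entries are constructed."""
import re
from urllib.parse import quote, unquote


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping, so a caller-supplied value cannot alter the filter's structure."""
    return ''.join(f'\\{ord(c):02x}' if c in '\\*()\x00' else c for c in value)


def console_search_filter(term: str) -> str:
    """A filter with the semantics the Users and Groups search box describes:
    ou, cn or uid containing the term."""
    t = escape_filter_value(term)
    return f'(|(cn=*{t}*)(uid=*{t}*)(ou=*{t}*))'


def dynamic_group_url(base_dn: str, criteria: dict, scope: str = 'sub') -> str:
    """Build the ldap:///base??scope?filter URL that defines a dynamic group
    (assumed to be kept in the group's memberURL attribute)."""
    clauses = ''.join(f'({a}={escape_filter_value(v)})' for a, v in criteria.items())
    filt = clauses if len(criteria) == 1 else f'(&{clauses})'
    safe = '=,()&|!*:@'  # characters RFC 4516 lets stand unencoded in the DN and filter parts
    return f'ldap:///{quote(base_dn, safe=safe)}??{scope}?{quote(filt, safe=safe)}'


def parse_ldap_url(url: str):
    """Split an ldap:/// URL into (base DN, attribute list, scope, filter)."""
    if not url.startswith('ldap:///'):
        raise ValueError('only ldap:///dn?attrs?scope?filter URLs are handled')
    base, attrs, scope, filt = (url[len('ldap:///'):].split('?') + ['', '', ''])[:4]
    return unquote(base), attrs, scope or 'base', unquote(filt) or '(objectClass=*)'


def parse_filter(s: str):
    """Parse &, |, ! and equality/substring/presence items into a small tree."""
    def parse(i):
        if s[i] != '(':
            raise ValueError(f'expected "(" at {i} in {s!r}')
        i += 1
        if s[i] in '&|':
            op, i, kids = s[i], i + 1, []
            while s[i] == '(':
                node, i = parse(i)
                kids.append(node)
        elif s[i] == '!':
            node, i = parse(i + 1)
            op, kids = '!', [node]
        else:
            j = s.index(')', i)          # an escaped ')' is '\29', so this is the real close
            attr, eq, val = s[i:j].partition('=')
            if not eq:
                raise ValueError(f'unsupported filter item {s[i:j]!r}')
            return ('=', attr.strip().lower(), val), j + 1
        if s[i] != ')':
            raise ValueError(f'expected ")" at {i} in {s!r}')
        return (op, kids), i + 1
    node, end = parse(0)
    if end != len(s):
        raise ValueError('trailing data after filter')
    return node


def _unescape(v: str) -> str:
    return re.sub(r'\\([0-9a-fA-F]{2})', lambda m: chr(int(m.group(1), 16)), v)


def _match_value(pattern: str, value: str) -> bool:
    """Case-insensitive equality or substring match; an unescaped '*' is the wildcard."""
    parts = [_unescape(p).lower() for p in pattern.split('*')]
    v = value.lower()
    if len(parts) == 1:
        return parts[0] == v
    if not (v.startswith(parts[0]) and v.endswith(parts[-1])):
        return False
    pos, end = len(parts[0]), len(v) - len(parts[-1])
    for mid in parts[1:-1]:
        k = v.find(mid, pos, end)
        if k < 0:
            return False
        pos = k + len(mid)
    return True


def matches(node, entry: dict) -> bool:
    """Evaluate a parsed filter against {attribute: [values]} (attribute names lower-case)."""
    op = node[0]
    if op == '&':
        return all(matches(k, entry) for k in node[1])
    if op == '|':
        return any(matches(k, entry) for k in node[1])
    if op == '!':
        return not matches(node[1][0], entry)
    _, attr, pattern = node
    return any(_match_value(pattern, v) for v in entry.get(attr, []))


def dynamic_group_members(url: str, entries: dict) -> list:
    """DNs of entries (dn -> attrs) under the URL's base that its filter selects (subtree scope)."""
    base, _, _, filt = parse_ldap_url(url)
    node = parse_filter(filt)
    suffix = base.replace(', ', ',').lower()
    return sorted(dn for dn, attrs in entries.items()
                  if dn.replace(', ', ',').lower().endswith(suffix) and matches(node, attrs))


ENTRIES = {  # constructed sample directory content
    'uid=asmith,ou=People,dc=example,dc=com': {'uid': ['asmith'], 'cn': ['Ann Smith'], 'st': ['California'], 'department': ['sales']},
    'uid=jswanson,ou=People,dc=example,dc=com': {'uid': ['jswanson'], 'cn': ['John Swanson'], 'st': ['Oregon'], 'department': ['sales']},
    'uid=jdoe,ou=People,dc=example,dc=com': {'uid': ['jdoe'], 'cn': ['John Doe'], 'st': ['California'], 'department': ['marketing']},
    'uid=cpark,ou=People,dc=example,dc=org': {'uid': ['cpark'], 'cn': ['Chris Park'], 'st': ['California'], 'department': ['sales']},
}
```

dynamic_group_members is the offline counterpart of the Test button: paste the URL the Console shows, supply entries exported from the server, and see who the group would contain before granting it anything.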

To Create a Certificate Group

  1. In Server Console, click the "Users and Groups" tab.
  2. Click the Create button and then choose Group. Alternatively, you can open the User menu and choose Create > Group.
  3. In the Select Organizational Unit dialog box, select the organizational unit (ou) to which the group belongs, and then click OK.
  4. In the Create Group dialog box, enter group information:

    Group Name. Enter a name for the group.

    Description. (Optional) Enter a description that helps you identify this group.

  5. Click Members.
  6. Click Certificate Group, and then click Add.
  7. In the Certificate Group dialog box, fill in one or more of the following fields. A user is recognized as a member only when every value you enter here appears in the subject of the user's certificate:

    Common Name. Enter the full name of the group. Example: Database Administrators.

    Organization. Enter the name of the organization the group belongs to. Example: Operations Group.

    Mail. Enter the street address for the group.

    Country. Enter the country code for the group.

    Locality. Enter the city name for the group's business.

    State/Province. Enter the state or province name for the group.

    Unit. Enter the name of the organizational unit that the group belongs to. Example: IS Department.

  8. Click OK.

Organizational Units

An organizational unit can include a number of groups and usually represents a division, department, or other discrete business group. When you create a new organizational unit, you add a branch to the directory. This is reflected through the use of an ou RDN. For example, if you create a new organizational unit called Accounting within the organizational unit West Coast, and your Base DN is o=Example, c=US, then the new organizational unit's DN is:

ou=Accounting, ou=West Coast, o=Example, c=US
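Every name in this chapter ends up in a DN like the one above, and the chapter opens by saying names must follow Directory Server's naming conventions. The following is an added example, not code from the Sun guide or from Directory Server: RFC 4514 helpers that escape an RDN value, build a DN under a base (normalising the spaces after commas that the guide's examples use), parse a DN back into components, and test whether a DN lies under a subtree such as the User Directory Subtree of the Change Directory dialog. The point for a practitioner is the escaping: a value containing a comma, such as a surname entered as "Smith, John" or a deliberately hostile "x,ou=Administrators", must stay a single RDN value rather than becoming extra RDNs that place the entry somewhere else. All names and DNs are constructed; the case-insensitive comparison in is_under is a simplification of the per-attribute matching rules.

```python
"""RFC 4514 distinguished names: escape RDN values, build a DN under a base DN,
parse a DN back into components, and test whether a DN lies in a subtree.
Added example, not code from the Sun guide; the names and DNs used are constructed."""
import string

_SPECIAL = ',+"\\<>;'   # must always be escaped inside an RDN value (RFC 4514 section 2.4)


def escape_rdn_value(value: str) -> str:
    """Escape one attribute value so that embedding it in an RDN cannot add or move RDNs."""
    out = []
    for i, ch in enumerate(value):
        if ch in _SPECIAL or (ch == '#' and i == 0) or (ch == ' ' and i in (0, len(value) - 1)):
            out.append('\\' + ch)
        elif ch == '\x00':
            out.append('\\00')
        else:
            out.append(ch)
    return ''.join(out)


def _unescape(raw: str) -> str:
    """Undo backslash escapes; \\XX pairs are UTF-8 bytes, so decode once at the end."""
    buf, i = bytearray(), 0
    while i < len(raw):
        if raw[i] == '\\' and i + 1 < len(raw):
            pair = raw[i + 1:i + 3]
            if len(pair) == 2 and all(c in string.hexdigits for c in pair):
                buf.append(int(pair, 16))
                i += 3
            else:
                buf += raw[i + 1].encode('utf-8')
                i += 2
        else:
            buf += raw[i].encode('utf-8')
            i += 1
    return buf.decode('utf-8')


def parse_dn(dn: str) -> list:
    """Split a DN at unescaped commas into (type, value) pairs (single-valued RDNs only)."""
    raw, cur, i = [], [], 0
    while i < len(dn):
        if dn[i] == '\\' and i + 1 < len(dn):
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if dn[i] == ',':
            raw.append(''.join(cur))
            cur = []
        else:
            cur.append(dn[i])
        i += 1
    raw.append(''.join(cur))
    pairs = []
    for rdn in raw:
        rdn = rdn.lstrip()
        while rdn.endswith(' ') and not rdn.endswith('\\ '):   # keep an escaped trailing space
            rdn = rdn[:-1]
        attr, eq, value = rdn.partition('=')
        if not eq or not attr.strip():
            raise ValueError(f'malformed RDN {rdn!r} in {dn!r}')
        pairs.append((attr.strip().lower(), _unescape(value)))
    return pairs


def build_dn(rdns, base_dn: str = '') -> str:
    """Join (type, value) pairs, leaf first, onto a base DN; the result has no spaces after commas."""
    parts = [f'{attr}={escape_rdn_value(value)}' for attr, value in rdns]
    if base_dn:
        parts += [f'{attr}={escape_rdn_value(value)}' for attr, value in parse_dn(base_dn)]
    return ','.join(parts)


def is_under(dn: str, base_dn: str) -> bool:
    """True when dn is base_dn or lies below it. Types and values are compared
    case-insensitively, a simplification of the real per-attribute matching rules."""
    d = [(a, v.lower()) for a, v in parse_dn(dn)]
    b = [(a, v.lower()) for a, v in parse_dn(base_dn)]
    return len(d) >= len(b) and d[len(d) - len(b):] == b
```

Run any user-supplied name through escape_rdn_value (or build_dn) before it becomes part of a DN, and use is_under to confirm that the entry you are about to create or edit really sits in the subtree you intended.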

To Create a New Organizational Unit

  1. In Server Console, click the "Users and Groups" tab.
  2. Click the Create button and then choose Organizational Unit. Alternatively, you can open the User menu and choose Create > Organizational Unit.
  3. In the Select Organizational Unit dialog box, select the directory subtree in which to store the new organizational unit.
  4. In the Create Organizational Unit dialog box, enter the following information:

    Name. Enter a name for the organizational unit.

    Description. (Optional) Enter a description that helps you identify the organizational unit.

    Phone. (Optional) Enter a phone number where one can reach a contact person (such as an administrative assistant) for the organizational unit. If you want to store multiple telephone numbers in the same attribute value, separate them with commas. For example: (800)555-9SUN, (650)960-1300. If you want a separate attribute value per telephone number, separate them using new line characters. For example:

      (800)555-9SUN
      (650)960-1300

    Fax. (Optional) Enter a fax number where one can reach a contact person (such as an administrative assistant) for the organizational unit. If you want to store multiple fax numbers in the same attribute value, separate them with commas. If you want a separate attribute value per fax number, separate them using new line characters.

    Alias. (Optional) Enter another name, such as a nickname or acronym, that you might use in place of the Name entered above.

  5. Click OK.


Modifying Existing Directory Entries

From the Server Console "Users and Groups" tab, you can change existing directory entries, so user and group information can be updated whenever you need to.

Updating User and Group Entries

Before you can modify user or group data, you must first locate a user or group entry in the directory. See Locating a User or Group in the Directory for more information on using the "Users and Groups" Search function to find directory entries.

Once you have located an entry, you can modify it or remove it. If you are working with a user entry, you can also change its password.

To Edit a User or Group Entry in the Directory

  1. On the Server Console "Users and Groups" tab, use the Search function to locate the user or group.
  2. Once the user or group name appears in the search results list, select it, and then click Edit.
  3. Modify user or group information as necessary, and then click OK.

To Change a User Password

  1. On the Server Console "Users and Groups" tab, use the Search function to locate the user.
  2. Once the user appears in the search results list, select it, and then click Edit.
  3. Enter the new password information:

    Password. Enter the new password. Alphanumeric characters, spaces, and punctuation marks are all acceptable.

    Confirm Password. Enter the password again to confirm.

  4. Click OK for the change to take effect.

To Change the Configuration Administrator's User Name or Password

  1. On the Server Console "Users and Groups" tab, click Advanced.
  2. In the "Search users and groups" dialog box, enter search information.

    If you have never changed the Configuration Administrator's user name, enter the following information:

    Search. Select Administrators from the drop-down list.

    where. Select cn and contains from the drop-down lists and enter Configuration Administrator in the field.

    If you have changed the Configuration Administrator's user name, enter the following information:

    Search. Select Administrators from the drop-down list.

    where. Select cn and contains from the drop-down lists and enter the user name of the Configuration Administrator in the field.

  3. Click Search.

    The results appear in the "Users and Groups" tab.

  4. Click Close.
  5. Select the Configuration Administrator from the list of search results, and then click Edit.
  6. Enter the administrator's new user name and password:

    First Name. Enter the administrator's first name.

    Last Name. Enter the administrator's last name (surname).

    Common Name. This is the administrator's full name. It is automatically generated from the First Name and Last Name entered above. You can edit this name as necessary.

    User ID. When you enter a first and last name, the user ID is automatically generated. You can replace this user ID with one of your choosing.

    Password. (Optional) Enter the administrator's new password. Alphanumeric characters, spaces, and punctuation marks are all acceptable.

    Confirm Password. If you entered a password, enter it again to confirm it.

  7. Click OK.
  8. If you bind to the directory as the Configuration Administrator when searching for users, update your user directory information by completing these steps:
    1. Click the "Users and Groups" tab of Sun Java System Server Console, and choose Change Directory from the User menu.
    2. In the Change Directory window, update the Bind DN or user ID, and the Bind Password with the new information for the Configuration Administrator, and then click OK.

This procedure changes only the Configuration Administrator entry in the configuration directory. The Administration Server Administrator stored in the local admpw file keeps its existing user name and password; to change it as well, see To Change the Administration Server Administrator's User Name or Password.

To Change the Administration Server Administrator's User Name or Password

  1. In the Server Console navigation tree, select the Administration Server instance whose administrator user name or password you want to change.
  2. Click Open to open the management window for the instance of Administration Server.
  3. Click the Configuration tab.
  4. In the Configuration tab, click the Access tab.
  5. In the Access tab, enter information for the following fields:

    Username. Enter the user name for the Administration Server Administrator.

    Password. Enter the password for the Administration Server Administrator.

    Confirm Password. Enter the password again to confirm it.

    If you make an error while entering this information, you can click Reset to restore the original values for the fields.

  6. Click Save to save the new Administration Server Administrator user name or password.
  7. Restart the instance of Administration Server.

This procedure changes only the Administration Server Administrator stored in the local admpw file. The Configuration Administrator entry in the configuration directory keeps its existing user name and password; to change it as well, see To Change the Configuration Administrator's User Name or Password.

To Remove a User, Group, or Organizational Unit From the Directory

  1. In the "Users and Groups" tab of Server Console, use the Search function to locate and highlight the user, group, or organizational unit you want to delete.

    If you are removing an organizational unit, you must first remove all users and groups belonging to it.

  2. Click Delete.
  3. Click OK when prompted to confirm the deletion.




Part No: 817-7612-10.   Copyright 2005 Sun Microsystems, Inc. All rights reserved.