Sun ONE Identity Server Administration Guide



Chapter 32       User Attributes


There are two places which house user attributes: the Service Configuration and User Management windows. The Service Configuration window contains default attributes for registered organizations. The User Management window contains user entry attributes.



User Attributes

The User Attributes are dynamic attributes. The values applied to dynamic attributes are assigned to a role or an organization that is configured in Identity Server. When the role is assigned to a user or a user is assigned to the organization, the dynamic attributes become a characteristic of the user. The User Attributes are divided into:

Default user values are set for all Identity Server registered organizations. These values can be set differently for separate organizations by registering the user service to the specific organization, creating a template and inputting a value other than the default value.


User Preferred Language

This field specifies the user's choice for the text language displayed in the Identity Server console. The default value is en. This value maps a set of localization keys to the user session so that onscreen text appears in a language appropriate for the user.


User Preferred Timezone

This field specifies the time zone in which the user accesses the Identity Server console. There is no default value.


Inherited Locale

This field specifies the locale for the user. The default value is en_US. Any value from Table 17-1 can be used.


Admin DN Starting View

If this user is an Identity Server administrator, this field specifies the node displayed as the starting point in the Identity Server console when this user logs in. There is no default value. Any valid DN to which the user has at least read access can be used.



Caution

If the Top-Level Administrator wishes to assign a user administration privileges to two different groups, the Admin DN Starting View should be specified as the DN of the level above BOTH groups. This holds true for any entries at the same level, such as organizations or groups. This action could result in the user being able to manage an organization or group that is not specifically assigned to them. It is up to the Top-Level Administrator to decide on the ACI model and where to define the DN Starting View.




Default User Status

This option indicates the default status for any newly created user. This status is superseded by the User Entry status. Only active users can authenticate through Identity Server. The default value is Active. Either of the following can be selected from the pull-down menu:

  • Active - The user can authenticate through Identity Server.

  • Inactive - The user cannot authenticate through Identity Server, but the user profile remains stored in the directory.

The individual user status is set by registering the User service, choosing the value, applying it to a role and adding the role to the user's profile.



User Profile Attributes



The User Profile Attributes are default attributes for user profiles. These values are set in the User Profile view by an administrator or by the user when they log on. Administrators can add their own user attributes to the user profile or create a new service. For more information, see the Sun ONE Identity Server Programmer's Guide.



Note Identity Server does not enforce uniqueness for attributes within user entries. For example, userA and userB are both created in the same organization. For both, the email address attribute can be set to jimb@madisonparc.com. The administrator can configure Sun ONE Directory Server's attribute uniqueness plug-in to help enforce unique attribute values. For more information, see Unique User IDs at the end of this chapter or the Sun ONE Directory Server Administrator's Guide.




First Name

This field takes the first name of the user. (The First Name value and the Last Name value identify the user in the Currently Logged In field in the upper right corner of the Identity Server console.)


Last Name

This field takes the last name of the user. (The First Name value and the Last Name value identify the user in the Currently Logged In field in the upper right corner of the Identity Server console.)


Full Name

This field takes the full name of the user.


Password

This field takes the password for the name specified in the UserId field.


Password (Confirm)

Confirmation of the password.


Email Address

This field takes the email address of the user.


Employee Number

This field takes the employee number of the user.


Telephone Number

This field takes the telephone number of the user.


Home Address

This field can take the home address of the user.


User Status

This option indicates whether the user is allowed to authenticate through Identity Server. Only active users can authenticate through Identity Server. The default value is Active. Either of the following can be selected from the pull-down menu:

  • Active - The user can authenticate through Identity Server.

  • Inactive - The user cannot authenticate through Identity Server, but the user profile remains stored in the directory.



Note Changing the user status to Inactive only affects authentication through Identity Server. The Directory Server uses the nsAccountLock attribute to determine user account status. User accounts inactivated for Identity Server authentication can still perform tasks that do not require Identity Server. To inactivate a user account in the directory, and not just for Identity Server authentication, set the value of nsAccountLock to false. If delegated administrators at your site will be inactivating users on a regular basis, consider adding the nsAccountLock attribute to the Identity Server User Profile page. See the Sun ONE Identity Server Programmer's Guide for details.




Account Expiration Date

If this attribute is present, the authentication service will disallow login if the current date and time has passed the specified Account Expiration Date. The format for this attribute is as follows:

(mm/dd/yyyy hh:mm)
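The following is an added example, not code from the guide or from Identity Server: it models the login gate this chapter describes, where the entry's own User Status supersedes the Default User Status, only Active users may authenticate, and login is refused once the current time has passed the Account Expiration Date in mm/dd/yyyy hh:mm form. The dictionary keys mirror the console field names and are constructed labels, not LDAP attribute names; treating an unparseable expiration value as a denial is an assumption of this example.

```python
from datetime import datetime

# The guide's (mm/dd/yyyy hh:mm) format, expressed as a strptime pattern.
EXPIRY_FORMAT = "%m/%d/%Y %H:%M"


def _as_datetime(value):
    """Accept either a datetime or a string in EXPIRY_FORMAT."""
    if isinstance(value, datetime):
        return value
    return datetime.strptime(value, EXPIRY_FORMAT)


def effective_status(entry, default_status="Active"):
    """The entry's User Status, if set, supersedes the Default User Status
    that the organization's User service template provides."""
    return entry.get("User Status") or default_status


def login_allowed(entry, now, default_status="Active"):
    """Return (allowed, reason) for an authentication attempt at time `now`.

    `entry` is a dict keyed by constructed labels such as "User Status" and
    "Account Expiration Date"; `now` is a datetime or a string in EXPIRY_FORMAT.
    """
    if effective_status(entry, default_status) != "Active":
        return False, "user status is not Active"

    expiry = entry.get("Account Expiration Date")
    if expiry is not None:
        try:
            expires_at = datetime.strptime(expiry, EXPIRY_FORMAT)
        except ValueError:
            # Assumption: a malformed value fails closed instead of silently
            # disabling the expiration check.
            return False, "unparseable Account Expiration Date"
        if _as_datetime(now) > expires_at:
            return False, "account expired at " + expiry

    return True, "ok"
```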


User Authentication Configuration

This attribute sets the authentication method for the user. The default authentication method is LDAP. One or more authentication methods can be selected by clicking the Edit link. If more than one method is selected, then the user may have to successfully authenticate to all of the selected methods.


User Alias List

This field defines a list of aliases that may be applied to the user.


Preferred Locale

This field specifies the locale for the user. The default value is en_US. Any value from Table 17-1 can be used.

You can select one of the following values from the pull-down menu:

  • Ignore

  • Customize

  • Inherit


Success URL

This attribute specifies the URL that the user will be redirected to upon successful authentication.


Failure URL

This attribute specifies the URL that the user will be redirected to upon unsuccessful authentication.



Unique User IDs



To enforce uid uniqueness within the Identity Server application, the uid uniqueness plug-in available in Directory Server must be configured as follows:

dn: cn=uid uniqueness,cn=plugins,cn=config
objectClass: top
objectClass: nsSlapdPlugin
objectClass: extensibleObject
cn: uid uniqueness
nsslapd-pluginPath: /ids908/lib/uid-plugin.so
nsslapd-pluginInitfunc: NSUniqueAttr_Init
nsslapd-pluginType: preoperation
nsslapd-pluginEnabled: on
nsslapd-pluginarg0: attribute=uid
nsslapd-pluginarg1: markerObjectClass=nsManagedDomain
nsslapd-plugin-depends-on-type: database
nsslapd-pluginId: NSUniqueAttr
nsslapd-pluginVersion: 5.1
nsslapd-pluginVendor: Sun | Netscape Alliance
nsslapd-pluginDescription: Enforce unique attribute values

It is recommended that the nsManagedDomain object class be used to mark the organization in which uid uniqueness is desired. The plug-in is not enabled by default.

To configure the uniqueness of uids per organization, either add the DN for each organization in the plug-in entry or use the marker object class option and add nsManagedDomain to each top-level organization entry.

nsslapd-pluginEnabled: on
nsslapd-pluginarg0: attribute=uid
nsslapd-pluginarg1: markerObjectClass=nsManagedDomain
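The following is an added example, not code from the guide or from Directory Server: it models how the uid uniqueness plug-in scopes its check when configured with markerObjectClass=nsManagedDomain, so that a uid must be unique only within the subtree of the nearest ancestor entry carrying the marker object class. The plug-in entry and the directory contents are constructed sample data; case-insensitive uid comparison and naive comma splitting of DNs are assumptions of the model.

```python
# Constructed plug-in entry, reduced to the lines that decide the check.
PLUGIN_LDIF = """\
dn: cn=uid uniqueness,cn=plugins,cn=config
nsslapd-pluginEnabled: on
nsslapd-pluginarg0: attribute=uid
nsslapd-pluginarg1: markerObjectClass=nsManagedDomain
"""

def plugin_settings(ldif):
    """Return (enabled, guarded attribute, marker object class) from the entry."""
    attrs = dict(line.split(": ", 1) for line in ldif.splitlines() if ": " in line)
    args = [v for k, v in attrs.items() if k.startswith("nsslapd-pluginarg")]
    opts = dict(a.split("=", 1) for a in args if "=" in a)
    return (attrs.get("nsslapd-pluginEnabled") == "on",
            opts.get("attribute"), opts.get("markerObjectClass"))

# Constructed directory: DN -> attributes. Both organizations carry the marker,
# so uid must be unique within each organization, not across the whole tree.
ENTRIES = {
    "o=sales,dc=example,dc=com": {"objectClass": ["top", "organization", "nsManagedDomain"]},
    "o=eng,dc=example,dc=com": {"objectClass": ["top", "organization", "nsManagedDomain"]},
    "uid=jimb,ou=People,o=sales,dc=example,dc=com": {"uid": ["jimb"]},
}

def uniqueness_scope(dn, entries, marker):
    """Nearest ancestor DN carrying the marker, or None (no escaped commas assumed)."""
    parts = dn.split(",")
    for i in range(1, len(parts)):
        ancestor = ",".join(parts[i:])
        classes = entries.get(ancestor, {}).get("objectClass", [])
        if marker.lower() in (c.lower() for c in classes):
            return ancestor
    return None

def add_allowed(new_dn, new_uid, entries=ENTRIES, ldif=PLUGIN_LDIF):
    """True if adding new_dn with new_uid would pass the uniqueness plug-in."""
    enabled, attribute, marker = plugin_settings(ldif)
    if not enabled or attribute != "uid" or marker is None:
        return True  # disabled, or the DN-list variant, which is not modelled
    scope = uniqueness_scope(new_dn, entries, marker)
    if scope is None:
        return True  # no marked ancestor, so the plug-in performs no check
    for dn, attrs in entries.items():
        if dn != new_dn and dn.endswith("," + scope):
            # Assumption: uid compares case-insensitively, as caseIgnoreMatch does.
            if new_uid.lower() in (u.lower() for u in attrs.get("uid", [])):
                return False  # duplicate uid inside the marked subtree
    return True
```

Note that an organization without the nsManagedDomain marker is not checked at all, which is why the guide recommends adding the marker to each top-level organization entry.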


Copyright 2002   Sun Microsystems, Inc. All rights reserved.

Last Updated December 04, 2002