Sun ONE Server Console 5.2 Server Management Guide



Chapter 5   User and Group Administration

Sun ONE Server Console allows you to create, locate, and manage user and group information from any system in your enterprise.

This chapter contains the following sections:

Chapter 9, "Access Control" shows you how to work with user and group information when setting access privileges and other security information.

Interacting with Directory Server

When you use Sun ONE Server Console to create or modify users and groups, you make changes in the user directory, a subtree (suffix) of Directory Server. These changes affect all applications that use Directory Server. For information on how Sun ONE Server Console uses the data stored in the user directory, see Chapter 1 "Sun ONE Server Console and Administration Server."

Using Distinguished Names

A distinguished name (DN) is a text string that identifies a specific directory branch or entry. Each user and group in your enterprise is represented in the Directory Server by a DN. Whenever you make changes to user and group information in the Directory, you use distinguished names (DNs). For example, you need to specify a DN each time you perform one of the following operations:

  • Create or modify directory entries
  • Set up access controls
  • Set up user accounts for applications such as mail or publishing

From the Sun ONE Server Console "Users and Groups" tab, you can create, select, and use directory entries.

Distinguished Names, Attributes, and Syntax

This section presents a brief summary of distinguished names, attributes, and syntax information.

Distinguished Names

A distinguished name (DN) is the string representation of an entry's name and location in an LDAP directory. A DN describes a path to a directory entry. Each DN is made up of a number of components called relative distinguished names (RDNs). Each RDN identifies a specific entry in the directory. In order to ensure that every directory entry is unique, LDAP dictates that a single parent entry cannot have two identical RDNs below it.

Customarily, a DN for a user or group contains at least three types of RDN:

  • A user name, user ID, or group name (identified by the cn or uid keyword)
  • An organization name (identified by the o keyword)
  • One or more domain name components (identified by the dc keyword). Example: example.com contains two domain name components: example and com.

Other common RDNs are organizational unit (ou), state (st), and country (c).

The exact composition of a DN depends on the structure of the directory. Most directories are organized by more categories than just country designations and organization names. As a result, the DNs used to identify entries are longer and contain more specific RDNs. For example, the DNs for three employees or users in the same company might look like this:

cn=Ben Hurst, ou=Operations, o=Example Corp, st=CA, c=US

cn=Jeff Lee, ou=Marketing, o=Example Corp, st=CA, c=US

cn=Mary Smith, ou=Sales, o=Example Corp, st=MN, c=US

In these examples, all three users work in different departments or organizational units (ou) and for the same company or organization (o), Example Corp. The third user works in a different state (st) from the first two users.

LDAP allows organizations and organizational units to contain other organizations and organizational units, allowing for the representation of complex enterprises. For example, the DN for a group within a large corporation might look like this:

cn=Technical Publications, ou=Super Server Group, ou=Server Division, o=Example Corporation, o=MegaCorp, dc=megacorp, dc=com

Table 5-1 contains a list of common RDN keywords.

Table 5-1    Common RDN Keywords Used in DNs  

| RDN Keyword | Meaning in a DN | Description |
|---|---|---|
| c | country | Country in which the user or group resides. Examples: c=US; c=GB |
| cn | common name or full name | Full name of person or object defined by the entry. Examples: cn=Wally Henderson; cn=Database Administrators; cn=printer 3b |
| dc | domain component | Part of a DNS domain. This keyword is typically used at the top levels of a directory tree. For example, a user in the example.com domain might have the following DN: cn=Barbara Jones,ou=Engineering, dc=example, dc=com |
| l | locality | Locality in which the user or group resides. This can be the name of a city, country, township, or other geographic regions. Examples: l=Tucson; l=Pacific Northwest; l=Anoka County |
| o | organization | Organization to which the user or group belongs. Examples: o=Sun ONE Software; o=Public Power & Gas |
| ou | organizational unit | Unit within an organization. Examples: ou=Sales; ou=Manufacturing |
| sn | surname | User's last name. Example: sn=Henderson |
| st | state or province | State or province in which the user or group resides. Examples: st=Iowa; st=British Columbia |

Keep in mind that the DNs you specify when using Sun ONE Server Console must reflect the types of data in your user directory. For information on setting up the user data in your Sun ONE Directory Server refer to the product documentation under http://docs.sun.com/db/prod/s1dirsrv.

Attributes

Directory attributes hold descriptive information about an entry. For example, a user entry might have attributes for a user ID, email address, given name, and password.

Table 5-2 contains a list of common user and group directory attributes.

Table 5-2    Common User and Group Directory Attributes  

| Attribute Keyword | Attribute Name | Description |
|---|---|---|
| givenName | given name | User's first name. |
| mail | email address | User's or group's email address. |
| streetAddress | street | Street number and address of user or group defined by the entry. Example: street=12 Main Street |
| telephoneNumber | telephone | User's or group's telephone number. Example: (800) 555-9SUN |
| title | title | User's job title. Examples: title=writer; title=manager |
| uid | user ID | Name that uniquely identifies the person or object defined by the entry. |
| userPassword | password | A user's password. |

A user entry can include many more attributes than those listed above. In addition, you can create new attributes to meet your company's needs.

DN and Attribute Guidelines and Syntax

As you create, select, and use directory entries, follow these guidelines:

Separate RDNs with a comma. If an RDN value contains a comma, enclose the part of the name that uses the comma in double-quotation marks or escape it with a backslash. For example, to include the string Ace Industry, Corp in a DN, use the form:

o="Ace Industry, Corp", c=US

You may achieve the same effect using:

o=Ace Industry\, Corp, c=US

When schema checking is turned on, attributes must match directory schema. If you are using Sun ONE Directory Server and schema checking is turned on, use RDN keywords and attributes that can be recognized by the Directory Server and are allowed by the entry's object classes. If schema checking is turned off, you can use all attributes, regardless of an entry's object classes.

Specify RDNs in the same sequence or path. It is important to remember that a DN represents a path through a directory tree. If RDN keywords are not specified in the appropriate order, Directory Server may not be able to locate an entry. For example,

cn=Ralph Swenson, ou=Accounting, o=Example Corp, c=US

is not the same as

cn=Ralph Swenson, o=Example Corp, ou=Accounting, c=US

because the organizational unit (ou) and organization (o) keywords are not listed in the same order.
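
The comma and ordering guidelines above can be checked mechanically. The following is an added example, not code from Sun ONE Server Console: the function names are hypothetical, it handles only the quoted and backslash forms shown on this page (hex pairs such as \2C are not decoded), and it assumes RDN values compare case-insensitively.

```python
# Added example (not Sun ONE code): split a DN into RDNs, honouring the two
# comma-protection forms shown above (double quotes and backslash).

def _trim(chars):
    """Drop unprotected whitespace from both ends of a (char, protected) list."""
    start, end = 0, len(chars)
    while start < end and chars[start][0].isspace() and not chars[start][1]:
        start += 1
    while end > start and chars[end - 1][0].isspace() and not chars[end - 1][1]:
        end -= 1
    return chars[start:end]


def _finish_rdn(chars):
    """Turn the characters of one RDN into a (keyword, value) pair."""
    chars = _trim(chars)
    for pos, (ch, protected) in enumerate(chars):
        if ch == "=" and not protected:
            break
    else:
        raise ValueError("RDN has no '=' separator")
    keyword = "".join(c for c, _ in _trim(chars[:pos])).lower()
    value = "".join(c for c, _ in _trim(chars[pos + 1:]))
    if not keyword:
        raise ValueError("RDN has an empty keyword")
    return keyword, value


def split_dn(dn):
    """Return the DN as an ordered list of (keyword, value) pairs."""
    rdns, cur, in_quotes, i = [], [], False, 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\":
            if i + 1 >= len(dn):
                raise ValueError("dangling backslash in DN")
            cur.append((dn[i + 1], True))    # escaped character is data
            i += 2
            continue
        if ch == '"':
            in_quotes = not in_quotes        # quotes delimit, they are not data
        elif ch == "," and not in_quotes:
            rdns.append(_finish_rdn(cur))    # unprotected comma ends the RDN
            cur = []
        else:
            cur.append((ch, in_quotes))
        i += 1
    if in_quotes:
        raise ValueError("unterminated quote in DN")
    rdns.append(_finish_rdn(cur))
    return rdns


def same_entry(dn_a, dn_b):
    """Compare two DNs as paths: same RDNs in the same order."""
    def norm(dn):
        return [(k, " ".join(v.split()).casefold()) for k, v in split_dn(dn)]
    return norm(dn_a) == norm(dn_b)


def escape_rdn_value(value):
    """Escape a value taken from input before placing it in a DN string."""
    out = []
    for i, ch in enumerate(value):
        first, last = i == 0, i == len(value) - 1
        if ch in ',+"\\<>;=' or (first and ch in "# ") or (last and ch == " "):
            out.append("\\")
        out.append(ch)
    return "".join(out)
```

Building DNs with escape_rdn_value keeps a comma in a supplied name from being read as an extra RDN, which would otherwise change the path the DN points to.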

User IDs must be unique. If duplicate user IDs exist in your directory, users with those IDs cannot subsequently authenticate to the directory. Exercise caution when using the ldapmodify command line utility to create users, since the utility does not check for duplicate user IDs unless an attribute uniqueness plug-in is enabled in the directory for the user ID attribute.
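
Because ldapmodify does not check for duplicates on its own, an offline audit of an LDIF export can catch them. The following is an added example, not part of the product: the function names and the sample LDIF are constructed, and it assumes the user directory has been exported to LDIF text and that uid values compare case-insensitively.

```python
import base64
from collections import defaultdict

# Constructed sample export (not from a real directory). The third entry has a
# folded dn line and a base64-encoded uid that decodes to "BJones".
SAMPLE_LDIF = "\n".join([
    "dn: uid=bjones,ou=Engineering,dc=example,dc=com",
    "objectClass: inetOrgPerson",
    "uid: bjones",
    "cn: Barbara Jones",
    "",
    "dn: uid=rswenson,ou=Accounting,dc=example,dc=com",
    "uid: rswenson",
    "cn: Ralph Swenson",
    "",
    "# entry created from the command line",
    "dn: cn=Barbara Jones,ou=Sales,dc=example,",
    " dc=com",
    "uid:: QkpvbmVz",
    "cn: Barbara Jones",
    "",
])


def parse_ldif(text):
    """Yield one {attribute: [values]} dict per LDIF record."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]             # folded line: join to previous
        else:
            lines.append(raw)
    lines = [line for line in lines if not line.startswith("#")]
    record = defaultdict(list)
    for line in lines + [""]:                # trailing "" flushes last record
        if not line.strip():
            if record:
                yield dict(record)
                record = defaultdict(list)
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):             # "attr:: value" is base64
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        record[name.strip().lower()].append(value)


def duplicate_uids(ldif_text):
    """Map each uid held by more than one entry to the DNs that hold it."""
    owners = defaultdict(list)
    for rec in parse_ldif(ldif_text):
        dn = rec.get("dn", ["<no dn>"])[0]
        for uid in rec.get("uid", []):
            key = uid.casefold()             # uid matching ignores case
            if dn not in owners[key]:
                owners[key].append(dn)
    return {uid: dns for uid, dns in owners.items() if len(dns) > 1}
```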

Locating a User or Group in the Directory

You can use the "Users and Groups" Search function to locate directory entries. Initially, the function is set to search within the default user directory. If you do not want to use the default user directory, you can manually change to another one. See "Choosing a Different Directory to Search", for more information.

Figure 5-1    Sun ONE Server Console User and Groups Tab
The User and Groups tab lets you search for entries in the user directory.

To Locate Users or Groups in the Directory

  1. In Sun ONE Server Console, click the "Users and Groups" tab.
  2. Specify your search criteria in one of these ways:

    To find specific entries, enter all or part of a user, group, or organizational unit name in the text entry box. For example, entering John Swanson returns any entries with DNs containing "John Swanson" while entering John returns all entries with DNs containing the word "John."

    To see all the entries currently stored in your directory, leave the Search field blank or enter an asterisk (*). Keep in mind that retrieving all entries in a large database can take a long time.

    To specify more focused search criteria, click the Advanced button. In the "Search users and groups" dialog box, enter the following information:

    Search. Specify where to perform the search by choosing Users, Groups, Users and Groups, or Administrators. The part of the subtree to search is specified at the top of the dialog box.

    Where. First choose an attribute, and then choose a search operator and type in a term.

Figure 5-2    Searching for User and Groups
You may also perform advanced searches.

  3. Click Search.

    The search results are displayed in the list box.



    Note

    For performance reasons, the Console for Directory Server displays only 5000 results, even when you have configured the Directory Server to return more than 5000 results.



Choosing a Different Directory to Search

When you use the Advanced Users and Groups Search function, the URL for the default user directory appears above the text entry box (see Figure 5-2). Initially, all searches are performed in this user directory. If you need to search a different user directory, you can choose one other than the default.

To Change the Directory to Search

  1. In Sun ONE Server Console, click the "Users and Groups" tab.
  2. From the User menu, choose Change Directory.
  3. In the Change Directory dialog box, provide user directory information:

    User Directory Host. Enter the fully qualified host name where the user directory is installed.

    User Directory Port. Enter the port number used to connect to the user directory.

    Secure Connection. Check this box if the port number entered above is for use with the Secure Sockets Layer (SSL) protocol. Make sure that the port is configured to support SSL before selecting this option.

    User Directory Subtree. Enter the DN of the user directory subtree to search in. For example, to search all user entries in your organization, you might enter dc=example,dc=com. To search within the sales force, you might enter ou=sales, dc=example,dc=com.

    Bind DN. Enter the distinguished name of a user authorized to search entries in the user directory.

    Bind Password. Enter the password for the user specified by the Bind DN.

  4. Click OK.

Creating New Directory Entries

From the Sun ONE Server Console "Users and Groups" tab, you can add or modify a user, group, or organizational unit. Alternatively, you can perform these directory operations from the command line using tools such as ldapmodify(1) on Solaris systems.

Users

A user entry contains information about an individual person or resource in the directory. For example, you can create user entries for John Smith, Printer 3B, or Conference Room 25.

To Create a New User Entry in the Directory

  1. In Sun ONE Server Console, click the "Users and Groups" tab.
  2. Click the Create button and then choose User. Alternatively you can open the User menu and choose Create > User.

Figure 5-3    Creating a User
You may also create a user through the interface.

  3. In the Select Organizational Unit dialog box, select the organizational unit (ou) or top entry of the subtree to which the user belongs, and then click OK.

Figure 5-4    Selecting the Organizational Unit
You select the organizational unit when creating a user.

  4. In the Create User window, enter user information:

Figure 5-5    Entering User Information
You include user information for the entry.

First Name. Enter the user's first name.

Last Name. Enter the user's last name (surname).

Common Name. This is the user's full name. It is automatically generated based on the First Name and Last Name entered above. You can edit this name as necessary.

User ID. When you enter a first and last name, the user ID is automatically generated. You can replace this user ID with one of your choosing. The user ID must be unique from all other user IDs in the directory.

Password. (Optional) Enter the user's password. Alphanumeric characters, spaces, and punctuation marks are all acceptable.

Confirm Password. If you entered the user's password, enter it again to confirm.

E-Mail. (Optional) Enter the user's mail address. If the user has multiple mail addresses that you want to store in the same attribute, separate them with commas. For example: jdoe@example.com, jane.doe@example.net

Phone. (Optional) Enter the user's telephone number. If the user has multiple telephone numbers that you want to store in the same attribute, separate them with commas. For example: (800)555-9SUN, (650)960-1300

Fax. (Optional) Enter the user's fax number. If the user has multiple fax numbers that you want to store in the same attribute, separate them with commas.

  5. If you want to specify language-related information, click the Languages tab. From the drop-down list in the Languages panel, select the user's preferred language, and then enter language-related information:

    First Name. Enter the user's first name in the selected language.

    Last Name. Enter the user's last name (surname) in the selected language.

    Common Name. This is the user's full name in the selected language. It is automatically generated based on the First Name and Last Name entered above. You can edit this name as necessary.

    Phone. Enter the user's telephone number. If the user has multiple telephone numbers that you want to store in the same attribute, separate them with commas. For example: (800)555-9SUN, (650)960-1300

    Pronunciation. If the selected language is commonly represented phonetically, additional fields are displayed. Enter the phonetic representation for the user's first, last, and common name.

  6. If you want to specify UNIX or Windows specific attributes, click the NT User or Posix User tab. For more information, see "Specifying UNIX and Windows Systems Options."
  7. Click OK.

The User's Preferred Language

Sometimes a user's name can be more accurately represented using a character set other than that of the default language. For example, Noriko's name is Japanese, and she has indicated on her hiring forms that she prefers her name to be represented in Japanese characters. You can select Japanese as her preferred language so that her name is displayed in Japanese characters, even when a user's default language is English.

To indicate a user's preferred language, follow the instructions in Step 5 of the procedure "To Create a New User Entry in the Directory".

Administrators

During installation, you are asked to enter a user name and password for the Configuration Administrator, the user authorized to access and modify the entire configuration directory. The Configuration Administrator entry is stored in the directory under the following DN:

uid=userID, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot

During installation, the Configuration Administrator's user name and password are used to automatically create the Administration Server Administrator. This user can perform a limited number of tasks, such as starting, stopping, and restarting servers in a local server group. The Administration Server Administrator is created for the purpose of logging into Sun ONE Server Console when the Directory Server is not running.

The Administration Server Administrator does not have an LDAP entry; it exists only as an entity in a local configuration file stored at:

ServerRoot/admin-serv/config/admpw

Even though they are created at the same time during installation, and are identical at that time, the Configuration Administrator and Administration Server Administrator are two separate entities. If you change the user name or password for one, Sun ONE Server Console does not automatically make the same changes for the other.

For more information on modifying the Configuration and Administration Server Administrators, see "Modifying Existing Directory Entries".

To Create an Administrator

The administrator user you create has the same rights as the Configuration Administrator created during installation, and the administrator user entry is located in the same subtree as that of the Configuration Administrator.

  1. In Sun ONE Server Console, click the "Users and Groups" tab.
  2. Click the Create button and then choose Administrator.

Figure 5-6    Creating an Administrator User
You may create an administrator user.

Alternatively, you can open the User menu and choose Create > Administrator.

  3. In the Create Administrator window, enter the appropriate user information.

    The requested information is exactly the same as in the Create User dialog box, except that Password is a required field. For more information, refer to "To Create a New User Entry in the Directory".

Specifying UNIX and Windows Systems Options

You can enable additional user configuration panels to store UNIX and Windows user information in the directory. You can use these panels to specify the options and attributes to synchronize with your operating system. There are two panels you can enable: NT User and Posix User.

By default, you must enable these panels for each individual user. If you want to enable these panels automatically for every new user, you can do so by modifying the configuration directory. Once you have enabled these panels, you can use them to set Windows and UNIX systems options and attributes.

The following procedures show you how to enable these panels and modify Windows and UNIX systems options and attributes.

To Enable UNIX and Windows Systems Panels for an Individual User

  1. In the Create User window, click the NT User or Posix User tab.

    The appropriate panel appears.

  2. Enable the fields in the panel.

    To enable the NT User fields, select "Enable Windows NT user attributes."

    To enable the Posix User fields, select "Enable Posix user attributes."

To Enable UNIX and Windows Systems Panels for All New Users

  1. Open your Directory Server management window.
  2. Click the Directory tab and click NetscapeRoot in the navigation tree.
  3. Click to open your administration domain, and then expand GlobalPreferences > AdminDomain > Admin > 4.0.
  4. Click the defaultObjectClassesContainer folder, and then double-click "user" in the right-hand panel.
  5. Select "nsdefaultobjectclass," then, from the Edit menu, choose Add Value.

    A blank field appears. If you are enabling both the Windows NT and Posix/UNIX panels, choose Add Value a second time to create another blank field.

  6. Enter the appropriate object class name in the field.

    To enable the NT User panel, enter ntUser. To enable the Posix User panel, enter posixUser.

  7. Click OK.

To Set UNIX and Windows Systems Options and Attributes for a New User

  1. Follow steps 1-5 of "To Create a New User Entry in the Directory."
  2. If you want to store Windows specific user information in the directory, click the NT User tab, enable the fields by selecting "Enable Windows NT user attributes," and then enter the following information:

    NT User ID. Enter the user's NT login name.

    Delete NT Account If Person Deleted. (Optional) Checking this box does not delete the user.

    Comment. (Optional) Enter a descriptive comment about this user.

    User Profile Path. (Optional) Enter the path to this user's profile. Use the Windows network path format. For example: \\server\profiles\josu.

    Logon Script. (Optional) Enter the path to the user's logon script. This path is relative to the system's logon script path. For example, if the system path is \\server\logon, you might enter writers.bat or writers\josu.cmd depending on where you store your user scripts.

    Home Drive. (Optional) Use the drop-down list to choose the drive on which this user's home directory is located.

    Home Directory. (Optional) Enter the path to this user's home directory. Use the Windows network path format or an absolute path. For example, you can enter either \\server\users\josu or C:\user profiles\josu.

    Logon Server. (Optional) Enter the path to the server on which this user's logon script is stored. Use the Windows network path format.

    Logon Hours. (Optional) Click to set the hours during which this user can log on.

    User Workstations List. (Optional) Enter the computers from which this user can log on.

    Change. (Optional) Click to change the date and time at which the user's account expires.

  3. If you want to store UNIX specific user information in the directory, click the Posix User tab, enable the fields by selecting "Enable Posix user attributes," and then enter the following information:

    UID Number. Enter the user's UNIX ID number.

    GID Number. Enter the user's UNIX group ID number.

    Home Directory. Enter the path to the user's home directory. For example, /home/josu.

    Login Shell. (Optional) Enter the path to the user's login shell. For example, /bin/bash.

    Gecos. (Optional) The value of this user's pw_gecos entry in /etc/passwd.

  4. Click OK.

Groups

A group consists of users who share a common attribute or are part of a list. For example, you might set up a group called Sales consisting of all users whose entries contain the attribute ou=Sales. Sun ONE Directory Server supports three types of groups: static, dynamic, and certificate. Each group differs in the way in which users, or members, are added to it. The following descriptions explain this.

A static group consists only of users that have been added to it. It is called static because it doesn't change unless you add a user to it or delete a user from it. For example, if you create a static group called Marketing, none of the users who have the attribute department=marketing in their entry are members of the Marketing group until you explicitly add each one to the group.



Tip

For high performance, avoid huge static groups. Use roles instead.



One special static group is called the Configuration Administrators group. It is automatically created and populated when the configuration directory is installed. Members of the Configuration Administrators group have unrestricted access to the configuration directory. The group is stored in the configuration directory under the following DN:

ou=Groups, ou=TopologyManagement, o=NetscapeRoot

Initially, the Configuration Administrator is the only member of the Configuration Administrators group. If he wants to give additional users his level of administrative privilege, he can do so by adding them as members of the group. These users can access the configuration directory in the same way as the Configuration Administrator. Any member of the Configuration Administrators group can add additional members.

A dynamic group automatically includes users based on one or more attributes in their entry. For example, you can create a dynamic group called California Sales that automatically includes any entry containing the attributes st=California and department=sales. These attributes are specified as part of an LDAP URL. Whenever you search for members of the California Sales group, the results contain all entries located by the URL.

A certificate group includes all users who have a certificate containing a common attribute. For example, you can create a certificate group called California Western Sales whose members share these attributes: ou=Sales, ou=West, st=CA. When an individual user logs on to a server, if all of these attributes are found in his certificate, the user is automatically recognized as belonging to the group. If the user's certificate does not contain these attributes, he is not recognized as a member of the California Western Sales group and does not receive the same access, privileges, or permissions as group members.

To Create a Static Group in the Directory

  1. In Sun ONE Server Console, click the "Users and Groups" tab.
  2. Click the Create button and then choose Group. Alternatively you can open the User menu and choose Create > Group.

Figure 5-7    Creating a Static Group
You may create a static group.

  3. In the Select Organizational Unit dialog box, select the organizational unit (ou) to which the group belongs, and then click OK.
  4. In the Create Group dialog box, enter group information:

    Group Name. Enter a name for the group.

    Description. (Optional) Enter a description to help you identify this group.

Figure 5-8    Entering Group Information
You include group information for the entry.

  5. Create the group, or specify members for the group before creating it.

    If you want to create only the group now, and add group members later, click OK and skip the rest of this procedure.

    If you want to immediately add members to the group, click Members and then continue to the next step.

  6. In the Members panel, click Add, and then use the Search dialog box to locate a user you want to add to the Members User ID list. Repeat this step until all the users you want to add to the group are displayed in the Member User ID list.

To Add Users to the Configuration Administrators Group

  1. In Sun ONE Server Console, click the "Users and Groups" tab, and then choose Change Directory from the User menu.
  2. In the Change Directory window, indicate the location of the user directory that contains the Configuration Administrators group:

    User Directory Host. Enter the fully qualified host name where the user directory is installed.

    User Directory Port. Enter the port number you want to use to connect to the user directory.

    User Directory Subtree. Enter o=NetscapeRoot to indicate where to find the Configuration Administrators group.

    Bind DN. Enter the DN of a user authorized to change entries in the user directory.

    Bind Password. Enter the password of the user directory administrator.

Figure 5-9    Change to the Directory Holding the Administrator Subtree
You change to the directory containing Configuration Administrators.

  3. Click OK.
  4. Use the Search function to locate and highlight the Configuration Administrators group, and then click Edit.
  5. In the Edit Group window, click Members.

Figure 5-10    Adding the User to the Administrator Group
You add the user to the Administrators group.

  6. Click Add.
  7. In the Search Users and Groups window, locate and select the user you want to add, and then click OK.
  8. Repeat this step until all the users you want to add to the group are displayed in the Members list, and then click OK.

To Create a Dynamic Group

  1. In Sun ONE Server Console, click the "Users and Groups" tab.
  2. Click the Create button and then choose Group. Alternatively you can open the User menu and choose Create > Group.
  3. In the Select Organizational Unit dialog box, select the organizational unit (ou) to which the group is to belong, and then click OK.
  4. In the Create Group dialog box, enter general group information.

    Group Name. Enter a name for the group.

    Description. (Optional) Enter a description to help you identify this group.

  5. Click Members.
  6. Click Dynamic Group, and then click Add.
  7. Use the "Construct and Test LDAP URL" dialog box to specify the criteria for including users in the dynamic group.

    If you know the exact LDAP URL you want to use to include users in the group, enter it and skip to Step 10.

    The LDAP URL takes the form:

    ldap:///o=base_suffix??sub?(RDN_or_attribute=value)

    For example:

    ldap:///o=example.com??sub?(department=marketing)

    If you want to interactively build an LDAP URL for including users in the group, click Construct.

Figure 5-11    Constructing the LDAP URL
You define the LDAP URL to specify the dynamic group.

  8. In the Construct LDAP URL dialog box, provide search criteria:

    LDAP Server Host. Displays the fully qualified host name of the Directory Server in which you are searching.

    Port. Displays the port number for the listed LDAP Server Host.

    Base DN. Enter the base DN from which to begin the search. Example: ou=Marketing, o=Example Corp, c=US

    Search. Specify the user directory subtree you want to search.

    for. Specify whether you want to search users, groups, or both.

    where. In the drop-down lists, first select an attribute, and then a search operator. In the last input field, enter a search string, and then click Search.

    More. If you want to specify more attributes to search for, click this button.

Figure 5-12    The Construct LDAP URL Dialog
You can use this dialog box to define the LDAP URL.

  9. Click OK.
  10. If you want to see a list of users and groups included in the dynamic group, click Test in the Construct and Test LDAP URL dialog box.
  11. Click OK to confirm your acceptance of the LDAP URL and add it to the list used to include members in this dynamic group.
  12. If you want to create additional LDAP URLs for including members in this group, repeat steps 6 through 11.
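
Since a dynamic group's membership is whatever its LDAP URL matches, it helps to see who a URL admits before the group is used for access control. The following is an added example, not the Console's Test function or any Sun ONE code: the function names and sample entries are constructed, the filter parser covers only equality, presence, '*' wildcards and the &, |, ! operators, and scope checks assume DNs without escaped commas.

```python
import re
from urllib.parse import unquote

# Constructed sample entries (not from a real directory); keys are lower-case.
SAMPLE_ENTRIES = [
    ("uid=jlee,ou=Marketing,o=example.com",
     {"department": ["marketing"], "employeetype": ["employee"]}),
    ("uid=msmith,ou=Sales,o=example.com",
     {"department": ["sales"], "employeetype": ["employee"]}),
    ("uid=temp1,ou=Contractors,o=example.com",
     {"department": ["Marketing"], "employeetype": ["contractor"]}),
    ("uid=bhurst,ou=People,o=other.com",
     {"department": ["marketing"], "employeetype": ["employee"]}),
]

def parse_ldap_url(url):
    """Split ldap://host:port/base?attributes?scope?filter into its fields."""
    scheme, sep, rest = url.partition("://")
    if not sep or scheme.lower() not in ("ldap", "ldaps"):
        raise ValueError("not an LDAP URL")
    hostport, _, tail = rest.partition("/")
    fields = tail.split("?") + [""] * 4
    scope = fields[2].lower() or "base"  # RFC 4516 default when omitted
    if scope not in ("base", "one", "sub"):
        raise ValueError(f"unknown scope {scope!r}")
    return {"host": hostport, "base": unquote(fields[0]), "scope": scope,
            "attrs": [a for a in fields[1].split(",") if a],
            "filter": unquote(fields[3]) or "(objectClass=*)"}

def parse_filter(text):
    """Parse a filter made of &, |, !, equality, presence and '*' wildcards."""
    node, pos = _parse_node(text, 0)
    if pos != len(text):
        raise ValueError("unexpected text after filter")
    return node

def _parse_node(s, i):
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if i < len(s) and s[i] in "&|!":
        op, i, kids = s[i], i + 1, []
        while i < len(s) and s[i] == "(":
            kid, i = _parse_node(s, i)
            kids.append(kid)
        if not kids or (op == "!" and len(kids) != 1):
            raise ValueError(f"bad operand count for {op!r}")
        node = (op, kids)
    else:
        end = s.find(")", i)
        if end == -1:
            raise ValueError("missing ')'")
        attr, sep, value = s[i:end].partition("=")
        if not sep or not attr or attr[-1] in "<>~":
            raise ValueError("only (attr=value) items are handled here")
        node, i = ("=", attr.strip().lower(), value), end
    if i >= len(s) or s[i] != ")":
        raise ValueError("missing ')'")
    return node, i + 1

def matches(node, attrs):
    """Evaluate a parsed filter against one entry's attributes."""
    if node[0] == "&":
        return all(matches(kid, attrs) for kid in node[1])
    if node[0] == "|":
        return any(matches(kid, attrs) for kid in node[1])
    if node[0] == "!":
        return not matches(node[1][0], attrs)
    _, attr, pattern = node
    values = attrs.get(attr, [])
    if pattern == "*":
        return bool(values)  # presence test
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return any(re.fullmatch(regex, v, re.IGNORECASE) for v in values)

def _norm(dn):
    # Simplification: assumes no escaped or quoted commas in the DN.
    return ",".join(part.strip().lower() for part in dn.split(","))

def in_scope(dn, base, scope):
    dn, base = _norm(dn), _norm(base)
    if dn == base:
        return scope in ("base", "sub")
    if base and not dn.endswith("," + base):
        return False
    above = dn[: len(dn) - len(base)].rstrip(",")
    return scope == "sub" or (scope == "one" and "," not in above)

def group_members(url, entries=SAMPLE_ENTRIES):
    """Return the DNs a dynamic-group URL would include, in entry order."""
    parts = parse_ldap_url(url)
    tree = parse_filter(parts["filter"])
    return [dn for dn, attrs in entries
            if in_scope(dn, parts["base"], parts["scope"]) and matches(tree, attrs)]
```

Run against the page's example URL, the sample contractor entry is included because its department value matches regardless of case, while the entry under o=other.com is excluded by the base DN.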

To Create a Certificate Group

  1. In Sun ONE Server Console, click the "Users and Groups" tab.
  2. Click the Create button and then choose Group. Alternatively, you can open the User menu and choose Create > Group.
  3. In the Select Organizational Unit dialog box, select the organizational unit (ou) to which the group belongs, and then click OK.
  4. In the Create Group dialog box, enter group information:

    Group Name. Enter a name for the group.

    Description. (Optional) Enter a description that helps you identify this group.

  5. Click Members.
  6. Click Certificate Group, and then click Add.
  7. In the Certificate Group dialog box, fill in one or more of the following fields:

    Common Name. Enter the full name of the group. Example: Database Administrators.

    Organization. Enter the name of the organization the group belongs to. Example: Operations Group.

    Mail. Enter the street address for the group.

    Country. Enter the country code for the group.

    Locality. Enter the city name for the group's business.

    State/Province. Enter the state or province name for the group.

    Unit. Enter the name of the organizational unit that the group belongs to. Example: IS Department.

Figure 5-13    The Certificates Group Dialog
You can use this dialog box to define the certificate group.

  8. Click OK.

Organizational Units

An organizational unit can include a number of groups and usually represents a division, department, or other discrete business group.

When you create a new organizational unit, you add a branch to the directory. This is reflected through the use of an ou RDN. For example, if you create a new organizational unit called Accounting within the organizational unit West Coast, and your Base DN is o=Example, c=US, then the new organizational unit's DN is:

ou=Accounting, ou=West Coast, o=Example, c=US

To Create a New Organizational Unit

  1. In Sun ONE Server Console, click the "Users and Groups" tab.
  2. Click the Create button and then choose Organizational Unit. Alternatively, you can open the User menu and choose Create > Organizational Unit.

Figure 5-14    Creating an Organizational Unit
You may create an organizational unit.

  3. In the Select Organizational Unit dialog box, select the directory subtree in which to store the new organizational unit.
  4. In the Create Organizational Unit dialog box, enter organizational unit information:

    Name. Enter a name for the organizational unit.

    Description. (Optional) Enter a description that helps you identify the organizational unit.

    Phone. (Optional) Enter a phone number where one can reach a contact person (such as an administrative assistant) for the organizational unit.

    Fax. (Optional) Enter a fax number where one can reach a contact person (such as an administrative assistant) for the organizational unit.

    Alias. (Optional) Enter another name, such as a nickname or acronym, that you might use in place of the Name entered above.

  5. Click OK.

Modifying Existing Directory Entries

From the Sun ONE Server Console "Users and Groups" tab, you can change existing directory entries. Therefore, you can easily update user and group information whenever you need to.

Updating User and Group Entries

Before you can modify user or group data, you must first locate a user or group entry in the directory. See "Locating a User or Group in the Directory" for more information on using the "Users and Groups" Search function to find directory entries.

Once you have located an entry, you can modify it or remove it. If you are working with a user entry, you can also change its password.

To Edit a User or Group Entry in the Directory

  1. In the "Users and Groups" tab of Sun ONE Server Console, use the Search function to locate the user or group.
  2. Once the user or group name appears in the search results list, select it, and then click Edit.
  3. Modify user or group information as necessary, and then click OK.

To Change a User Password

  1. In the "Users and Groups" tab of Sun ONE Server Console, use the Search function to locate the user.
  2. Once the user appears in the search results list, select it, and then click Edit.
  3. Enter the new password information:

    Password. Enter the new password. Alphanumeric characters, spaces, and punctuation marks are all acceptable.

    Confirm Password. Enter the password again to confirm.

  4. Click OK for the change to take effect.

To Change the Configuration Administrator's User Name or Password

  1. In the "Users and Groups" tab of Sun ONE Server Console, click Advanced.
  2. In the "Search users and groups" dialog box, enter search information.
  3. If you have never changed the Configuration Administrator's user name, enter the following information:

    Search. Select Administrators from the drop-down list.

    where. Select cn and contains from the drop-down lists and enter Configuration Administrator in the field.

    If you have changed the Configuration Administrator's user name, enter the following information:

    Search. Select Administrators from the drop-down list.

    where. Select cn and contains from the drop-down lists and enter the user name of the Configuration Administrator in the field.

  4. Click Search.
    The results appear in the "Users and Groups" tab.

  5. Click Close.
  6. Select the Configuration Administrator from the list of search results, and then click Edit.
  7. Enter the administrator's new user name and password:

    First Name. Enter the administrator's first name.

    Last Name. Enter the administrator's last name (surname).

    Common Name. This is the administrator's full name. It is automatically generated based on the First Name and Last Name entered above. You can edit this name as necessary.

    User ID. When you enter a first and last name, the user ID is automatically generated. You can replace this user ID with one of your choosing.

    Password. (Optional) Enter the new administrator's password. Alphanumeric characters, spaces, and punctuation marks are all acceptable.

    Confirm Password. If you entered a password, enter it again to confirm it.

  8. Click OK.
  9. If you bind to the directory as the Configuration Administrator when searching for users, update your user directory information by completing these steps:
    1. Click the "Users and Groups" tab of Sun ONE Server Console, and choose Change Directory from the User menu.
    2. In the Change Directory window, update the Bind DN or user ID, and the Bind Password with the new information for the Configuration Administrator, and then click OK.

To Change the Administration Server Administrator's User Name or Password

  1. In the Sun ONE Server Console navigation tree, select the Administration Server instance that you want to change the administrator user name or password for.
  2. Click Open to open the management window for the instance of Administration Server.
  3. Click the Configuration tab.
  4. In the Configuration tab, click the Access tab.
  5. In the Access tab, enter information for the following fields:

    Username. Enter the user name for the Administration Server Administrator.

    Password. Enter the password for the Administration Server Administrator.

    Confirm Password. Enter the password again to confirm it.

    If you make an error while entering this information, you can click Reset to restore the original values for the fields.

  6. Click Save to save the new Administration Server Administrator user name or password.
  7. Restart the instance of Administration Server.

To Remove a User, Group, or Organizational Unit From the Directory

  1. In the "Users and Groups" tab of Sun ONE Server Console, use the Search function to locate and highlight the user, group, or organizational unit you want to delete.

    If you are removing an organizational unit, you must first remove all users and groups belonging to it.

  2. Click Delete.
  3. Click OK when prompted to confirm the deletion.

Copyright 2003 Sun Microsystems, Inc. All rights reserved.