Sun Java System Web Server 6.1 SP9 Administrator's Guide

Managing Users

Use the Administration Server Manage User form to find, change, rename, and delete user entries.

Some, but not all, Sun Java System servers add additional forms to this area that allow you to manage product-specific information. For example, if a messaging server is installed under your Administration Server, then an additional form is added that allows you to edit messaging server-specific information. See the server documentation for details on these additional management capabilities.

This section includes the following topics:

Finding User Information

Before you can edit a user entry, you must display the associated information. To find the specific user information, perform the following steps:

Procedure: To find the specific user information

  1. Access the Administration Server and choose the Users and Groups tab.

  2. Click Manage Users.

  3. Select a directory service from the Select Directory Service drop-down list and click Select.

    For directory services of type Key File or Digest File, a list of users is displayed. For directory services of type LDAP Server, search fields are displayed.

  4. Find user information.

    For Key File and Digest File, click the link for the user to display the edit form and make changes. For detailed information about the edit form, see the online help.

    For LDAP Server, do the following:

    1. In the Find user field, enter some descriptive value for the entry that you want to edit. You can enter any of the following in the search field:

      • A name: Enter a full name or a partial name. All entries that exactly match the search string are returned. If no such entries are found, all entries that contain the search string are returned. If no such entries are found, any entries that sound like the search string are returned.

      • A user ID:

      • A telephone number: If you enter only a partial number, any entries that have telephone numbers ending in the search number will be returned.

      • An email address: Any search string containing an at (@) symbol is assumed to be an email address. If an exact match cannot be found, then a search is performed to find all email addresses that begin with the search string.

      • An asterisk (*) to see all of the entries currently in your directory. You can achieve the same effect by simply leaving the field blank.

      • Any LDAP search filter: Any string that contains an equal sign (=) is considered a search filter.

      As an alternative, use the drop-down menus in the “Find all users whose” field to narrow the results of your search.

    2. In the Look within field, select the organizational unit under which you want to search for entries.

      The default is the directory’s root point (or top most entry).

    3. In the Format field, choose either On-Screen or Printer.

    4. Click Find.

      All users in the selected organizational unit are displayed.

    5. In the resulting table, click the entry you want to edit.

      The user edit form is displayed. Edit the information as described in the online help.

    6. Click Save Changes.

      The changes are made immediately.

Building Custom Search Queries

For LDAP services, the “Find all users whose” field allows you to build a custom search filter. Use this field to narrow down the search results returned by a “Find user” search.

The “Find all users whose” field provides the following search criteria:

The available search attribute options are described in the following table:

Table 3–3 Search Attribute Options

| Option Name | Description |
|---|---|
| full name | Search each entry’s full name for a match. |
| last name | Search each entry’s last name, or surname, for a match. |
| user id | Search each entry’s user id for a match. |
| phone number | Search each entry’s phone number for a match. |
| email address | Search each entry’s email address for a match. |
| unit name | Search each entry’s unit name for a match. |
| description | Search each organizational unit entry’s description for a match. |

The available search type options are described in the following table:

Table 3–4 Search Type Options

| Option Name | Description |
|---|---|
| contains | Causes a substring search to be performed. Entries with attribute values containing the specified search string are returned. For example, if you know a user’s name probably contains the word “Dylan,” use this option with the search string “Dylan” to find the user’s entry. |
| is | Causes an exact match to be found. That is, this option specifies an equality search. Use this option when you know the exact value of a user’s attribute. For example, if you know the exact spelling of the user’s name, use this option. |
| isn’t | Returns all the entries whose attribute value does not exactly match the search string. That is, if you want to find all the users in the directory whose name is not “John Smith,” use this option. Be aware, however, that use of this option can cause an extremely large number of entries to be returned to you. |
| sounds like | Causes an approximate, or phonetic, search to be performed. Use this option if you know an attribute’s value, but you are unsure of the spelling. For example, if you are not sure if a user’s name is spelled “Sarret,” “Sarette,” or “Sarett,” use this option. |
| starts with | Causes a substring search to be performed. Returns all the entries whose attribute value starts with the specified search string. For example, if you know a user’s name starts with “Miles,” but you do not know the rest of the name, use this option. |
| ends with | Causes a substring search to be performed. Returns all the entries whose attribute value ends with the specified search string. For example, if you know a user’s name ends with “Dimaggio,” but you do not know the rest of the name, use this option. |

To display all of the user entries contained in the Look within directory, enter either an asterisk (*) or simply leave this text field blank.
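
The options in Tables 3–3 and 3–4 correspond to standard LDAP filter forms. As an added example (not code from the Administration Server), the Python below builds the filter for each selection and escapes the typed value per RFC 4515 so that the text cannot change the filter's structure; it also classifies “Find user” input by the rules listed under Finding User Information. The attribute names (cn, sn, uid, and so on), the function names, the blank-field handling, and the rule order are assumptions.

```python
# Added example. Attribute names are assumed inetOrgPerson-style mappings
# for the Table 3-3 options; they are not taken from the product.
ATTRS = {
    "full name": "cn", "last name": "sn", "user id": "uid",
    "phone number": "telephoneNumber", "email address": "mail",
    "unit name": "ou", "description": "description",
}

# Table 3-4 search types as filter templates ({a} attribute, {v} escaped value).
TYPES = {
    "contains": "({a}=*{v}*)",      # substring
    "is": "({a}={v})",              # equality
    "isn't": "(!({a}={v}))",        # negated equality
    "sounds like": "({a}~={v})",    # approximate match
    "starts with": "({a}={v}*)",    # initial substring
    "ends with": "({a}=*{v})",      # final substring
}


def escape_value(text):
    """Escape the RFC 4515 special characters \\ * ( ) and NUL as \\XX."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in text)


def build_filter(option, search_type, text):
    """Build the filter for one "Find all users whose" selection."""
    if text.strip() in ("", "*"):
        # Blank or "*" means "show everything"; a presence filter on the
        # chosen attribute is this example's assumption for that case.
        return "(%s=*)" % ATTRS[option]
    return TYPES[search_type].format(a=ATTRS[option], v=escape_value(text))


def classify_find_input(text):
    """Classify "Find user" input by the rules the page states.
    The order in which the rules are checked is an assumption."""
    text = text.strip()
    if text in ("", "*"):
        return "all"
    if "=" in text:
        return "filter"   # passed through as a raw LDAP filter, unescaped
    if "@" in text:
        return "email"
    return "name, user ID or phone"
```

Recording each input that `classify_find_input` reports as `filter` gives administrators an audit trail of searches that were interpreted as raw filters rather than as escaped values.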

Editing User Information

Procedure: To change a user's entry

  1. Access the Administration Server and choose the Users and Groups tab.

  2. Display the user entry as described in Finding User Information.

  3. Edit the field corresponding to the attribute that you wish to change.

    For more information about the specific fields, see the online help of these pages.


    Note –

    It is possible that you will want to change an attribute value that is not displayed by the edit user form. In this situation, use the Directory Server ldapmodify command line utility, if available.


    For LDAP databases, also note that you can change the user’s first, last, and full name field from the edit form, but to fully rename the entry (including the entry’s distinguished name), you need to use the Rename User form. For more information on how to rename an entry, see Renaming Users.

Managing a User’s Password

The password you set for user entries is used by the various servers for user authentication.

Procedure: To change or create a user's password

  1. Access the Administration Server and choose the Users and Groups tab.

  2. Display the user entry as described in Finding User Information.

  3. Make the desired changes.

    For more information, see the Manage Users page in the online help.


    Note –

    You can change the Administration Server user from root to another user on the operating system to enable multiple users (belonging to the group) to edit/manage the configuration files. However, note that while on UNIX/Linux platforms, the installer can give “rw” permissions to a group for the configuration files, on Windows platforms, the user must belong to the “Administrators” group.


    For LDAP databases, you can also disable the user’s password by clicking the Disable Password button. Doing this prevents the user from logging into a server without deleting the user’s directory entry. You can allow access for the user again by using the Password Management Form to enter a new password.

Renaming Users

For LDAP databases, the rename feature changes only the user’s name; all other fields are left intact. In addition, the user’s old name is still preserved, so searches against the old name will still find the new entry.

When you rename a user entry, you can only change the user’s name. You cannot use the rename feature to move the entry from one organizational unit to another. For example, suppose you have organizational units for Marketing and Accounting and an entry named “Billie Holiday” under the Marketing organizational unit. You can rename the entry from Billie Holiday to Doc Holiday, but you cannot rename the entry such that Billie Holiday under the Marketing organizational unit becomes Billie Holiday under the Accounting organizational unit.

Procedure: To rename a user entry

  1. Access the Administration Server and choose the Users and Groups tab.

  2. Display the user entry as described in Finding User Information.

    If you are using common name-based DNs, specify the user’s full name. If you are using uid-based distinguished names, enter the new uid value that you want to use for the entry.

  3. Click Rename User.

  4. Change the Given Name, Surname, Full Name, or UID fields appropriately to match the new distinguished name for the entry.

  5. You can specify that the Administration Server no longer retains the old full name or uid values when you rename the entry by setting the keepOldValueWhenRenaming parameter to false. You can find this parameter in the following file:

    server_root/admin-serv/config/dsgw-orgperson.conf

    For more information, see the Manage Users page in the online help.

Removing Users

Procedure: To delete a user entry

  1. Access the Administration Server and choose the Users and Groups tab.

  2. Display the user entry as described in Finding User Information.

  3. Click Remove User (key file and digest file) or Delete User (LDAP).

    For more information, see the Manage Users page in the online help.