Sun Java System Calendar Server 6 2005Q1 Administration Guide 

Chapter 13
Administering Hosted Domains

This chapter contains the following sections about administering hosted domains:


Choosing the Correct User Management Tool

Once your calendar installation has been configured for hosted domains and the preparation work described in Chapter 11, "Setting Up Hosted Domains" has been performed, you can add new hosted domains.

Each domain has a set of attributes and preferences that you can set. These attributes are part of the icsCalendarDomain object class. The attributes include preferences such as access rights, access control lists (ACLs), domain searches, access rights for domain searches, user status, and proxy logins.

To administer Calendar Server hosted (or virtual) domains, use one of the following two sets of tools:

For information about particular object classes and attributes, see the Sun Java System Communications Services Schema Reference.

All Calendar Server 6 2005Q1 documents are available at:

http://docs.sun.com/coll/CalendarServer_05q1

For an overview of hosted domains and other introductory material, see Chapter 11, "Setting Up Hosted Domains."


Caution

Calendar Server does not support using the Access Manager Console for domain administration.



Creating New Hosted Domains

Create hosted domains for either Schema 2 or Schema 1:

To Add a Hosted Domain (Schema 2)

To create a hosted domain in Schema 2, use the commadmin domain create command. For example, to create the domain sesta.com, issue the following command:

commadmin domain create -D calmaster -d sesta.com -w calmasterpassword -S cal -B backend.sesta.com

To Add a Hosted Domain (Schema 1)

You must be in hosted domain mode to run csdomain. For instructions on how to enable hosted domains, see Chapter 11, "Setting Up Hosted Domains."

Use csdomain create when creating a hosted domain in Schema 1. For example, to create west.sesta.com, use the following command:

csdomain create west.sesta.com


Enabling Cross Domain Searches

This section covers the two tasks you must do to enable cross domain searches:

You can do this with either of the following tools: ldapmodify (for either schema mode) or commadmin domain modify (for Schema 2).

Modify the Access Control Information (ACI)

Each domain LDAP entry specifies access permissions in ACIs, which are defined in the domainAccess parameter of the icsExtendedDomainPrefs attribute. Two different ways to allow cross domain searches are:

The construction of ACIs is explained more fully in Calendar Access Control.

To Allow Specific Domains to Perform Cross Domain Searches

Form the ACI by specifying the domain allowed to search this domain, followed by sufficient permissions to allow the search:

@domain_being_allowed^a^lsfr^g

For example, in a Schema 2 environment, sesta.com allows searches from siroe.com:

commadmin domain modify -D admin@sesta.com -w adminpassword -X hostmachine_1 -d sesta.com -A +icsextendeddomainprefs:"domainAccess=@@d^a^slfrwd^g;@siroe.com^a^lsfrwd^g;anonymous^a^r^g;@^a^s^g"

To Allow All Domains to Perform Cross Domain Searches

Form the ACI by specifying that all domains have sufficient access to perform searches.

@^a^slfr^g

For example, in a Schema 2 environment, sesta.com allows searches by all domains:

commadmin domain modify -D admin@sesta.com -w adminpassword -X hostmachine_1 -d sesta.com -A +icsextendeddomainprefs:"domainAccess=@@d^a^slfrwd^g;anonymous^a^r^g;@^a^slfr^g"


Note

The characters @@d refer to the domain of the primary owner.


Add the icsDomainNames Attribute

This is a multi-valued attribute. You must add one instance of it for each domain that will be searched in cross domain searches. For example, if users in sesta.com can search in two other domains, siroe.com and example.com, then the domain LDAP entry for sesta.com must contain two instances of icsDomainNames:

icsDomainNames: siroe.com
icsDomainNames: example.com

For example, sesta.com searches in both siroe.com and example.com when performing cross domain searches. Use ldapmodify (for either Schema 1 or Schema 2) to create the following LDIF:

dn: dc=sesta, dc=com, o=internet
changetype: modify
add: icsDomainNames
icsDomainNames:siroe.com
icsDomainNames:example.com

Or for Schema 2 only, use commadmin domain modify to add the attribute as follows:

commadmin domain modify -D admin@sesta.com -w adminpassword -X hostmachine_1 -d sesta.com -A +icsDomainNames:siroe.com -A +icsDomainNames:example.com
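Added example, not part of the original guide: a Python check that the two settings above agree, that is, every domain listed in a searcher's icsDomainNames is actually allowed by the target domain's domainAccess ACI, and that reports domains whose ACI lets all domains search them. It assumes each ACI entry has four ^-separated fields as in the strings shown above, treats the letters lsfr as the search permissions, and counts any matching grant entry without modelling deny entries or entry ordering; the function names and the SAMPLE data are constructed for illustration.

```python
SEARCH_PERMS = set("lsfr")  # assumption: the letters the page lists for searching

def parse_domain_access(value):
    """Split a domainAccess value into 4-field entries separated by '^'."""
    entries = []
    for raw in filter(None, (p.strip() for p in value.split(";"))):
        fields = raw.split("^")
        if len(fields) != 4:
            raise ValueError("malformed ACI entry: %r" % raw)
        entries.append(tuple(fields))
    return entries

def allowed_searchers(value):
    """Return (named domains, all_domains flag) granted search permissions."""
    named, everyone = set(), False
    for who, _what, how, grant in parse_domain_access(value):
        if grant != "g" or not SEARCH_PERMS <= set(how):
            continue  # entry does not grant the full search permission set
        if who == "@":
            everyone = True
        elif who.startswith("@") and who != "@@d":  # @@d = primary owner's domain
            named.add(who[1:].lower())
    return named, everyone

def audit(domains):
    """Return (working (searcher, target) pairs, findings) for all entries."""
    working, findings = [], []
    for name, entry in domains.items():
        if allowed_searchers(entry["domainAccess"])[1]:
            findings.append("%s: ACI lets every domain search it" % name)
        for target in entry["icsDomainNames"]:
            if target not in domains:
                findings.append("%s: lists unknown domain %s" % (name, target))
                continue
            named, everyone = allowed_searchers(domains[target]["domainAccess"])
            if everyone or name in named:
                working.append((name, target))
            else:
                findings.append("%s -> %s blocked by target ACI" % (name, target))
    return working, findings

# Constructed directory data reusing the page's example domains and ACI strings.
SAMPLE = {
    "sesta.com": {"icsDomainNames": ["siroe.com", "example.com"], "domainAccess":
        "@@d^a^slfrwd^g;@siroe.com^a^lsfrwd^g;anonymous^a^r^g;@^a^s^g"},
    "siroe.com": {"icsDomainNames": [], "domainAccess":
        "@@d^a^slfrwd^g;anonymous^a^r^g;@^a^slfr^g"},
    "example.com": {"icsDomainNames": [], "domainAccess": "@@d^a^slfrwd^g;anonymous^a^r^g"},
}
```

Running audit(SAMPLE) shows that sesta.com can search siroe.com, that its icsDomainNames entry for example.com has no matching ACI on example.com, and that siroe.com is open to searches from every domain.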


Enabling Hosted Domains

Calendar Server defaults to non-hosted domains. If you are using Calendar Server and Messaging Server in your Java Enterprise System deployment, you should use hosted domains.

You can enable or disable hosted domains for your installation by editing the ics.conf file.

To Enable Hosted Domains

  1. Edit the ics.conf file as follows:

     service.virtualdomain.support = "yes" (the default is "no".)

  2. Restart Calendar Services.

For a list of all the ics.conf parameters necessary to implement hosted domains, see Setting up a Hosted Domain Environment.

To Disable Hosted Domains

  1. Edit the ics.conf file as follows:

     service.virtualdomain.support = "no"

  2. Restart Calendar Services.




Part No: 819-0024-10.   Copyright 2005 Sun Microsystems, Inc. All rights reserved.