Sun Java System Communications Services 6 2005Q1 Delegated Administrator Guide 

Chapter 3
Configuring Delegated Administrator   

The Delegated Administrator configuration program (config-commda) creates a new configuration with your specific requirements. This initial runtime configuration program performs minimal configuration.

After you run the program, complete the initial configuration by following the steps described in Post-Configuration Tasks.

You can further customize your Delegated Administrator configuration by performing the tasks described in “Customizing Delegated Administrator.”

You might need to perform additional configuration, as described in the Sun Java System Messaging Server Administration Guide.

The following topics are described in this chapter:

  • Choose Which Components to Configure
  • Run the Configuration Program
  • Configuration and Log Files Created by the config-commda Program
  • Perform Silent Installation
  • Run Delegated Administrator Console and Utility
  • Post-Configuration Tasks


Choose Which Components to Configure

The third panel in the configuration program asks which Delegated Administrator components you want to configure: the Delegated Administrator utility (always selected), the Delegated Administrator server, and the Delegated Administrator console.

The configuration program displays different panels depending on which components you select.

The following steps summarize the configuration choices. Each summary step (below) links you to a section (later in this chapter) that walks you through the actual configuration panels.

  1. Starting the Configuration

    Enter the information requested in these panels to begin the configuration.

  2. Configuring the Delegated Administrator Utility

    These panels follow directly after the Select Components to Configure panel. They ask for information used to configure the Delegated Administrator utility.

    The Delegated Administrator utility is required and must be configured on every machine on which you install a Delegated Administrator component (server or console). Therefore, you must always enter the information in these panels.

  3. Configuring the Delegated Administrator Console

    These panels follow the panels that configure the utility.

    You can choose whether or not to configure the Delegated Administrator console.

    • If you deploy the Delegated Administrator console and server on the same machine, select both the console and the server in the Select Components to Configure panel.
    • You also can deploy the Delegated Administrator console and server on different machines. On the machine on which you deploy the console, select only the console on the Select Components to Configure panel. (The utility is always selected.) In this case, you must run the configuration program again on the machine on which you deploy the server. If you deploy the console and server on different machines, the utility is configured on both machines.

    The configuration program displays different panels depending on which Web container you select for the console. You can deploy to one of the following Web containers:

    • Sun Java System Web Server
    • Sun Java System Application Server 7.x
    • Sun Java System Application Server 8.x

    If you are configuring the Delegated Administrator server and console on one machine, you will go through these instructions twice (once for the server, once for the console).

  4. Configuring the Delegated Administrator Server

    These panels follow the panels that configure the console.

    You can choose whether or not to configure the Delegated Administrator server on a given machine.

    If you do not choose to configure the server on a given machine, the configuration program warns you that you must configure it on another machine. The server component is required for running the utility and console.

    All other considerations for deploying the server are the same as those for the console (described in Configuring the Delegated Administrator Console).

    Note also that the server uses the same Web container as Access Manager. (The configuration program asks for Web container information after it asks for the Access Manager base directory.)

  5. Completing the Configuration

    Enter the information requested in these panels to complete the configuration.


Run the Configuration Program

The steps described in this section walk you through configuring Delegated Administrator.

To run the configuration program, log in as (or become) root and go to the /opt/SUNWcomm/sbin directory. Then enter the command:

# ./config-commda

Once you run the config-commda command, the configuration program starts.

The sections that follow lead you through the configuration panels:

Starting the Configuration

Follow these steps:

  1. Welcome

    The first panel in the configuration program is a copyright page. Click Next to continue or Cancel to exit.

  2. Select directory to store configuration and data files

    Select the directory where you want to store the Delegated Administrator configuration and data files. The default configuration directory is /var/opt/SUNWcomm. This directory should be separate from the da_base directory (/opt/SUNWcomm).

    Enter the name of the directory, or keep the default, and click Next to continue.

    If the directory does not exist, a dialog appears asking whether you want to create the directory or choose a new directory. Click Create Directory to create the directory or Choose New to enter a new directory.

    A dialog appears indicating that the components are being loaded. This may take a few minutes.

  3. Select components to configure

    Select the component or components you want to configure on the Components panel.

    • Delegated Administrator Utility (client)—the command-line interface invoked with commadmin. This component is required and is selected by default. It cannot be deselected.
    • Delegated Administrator Server—the Delegated Administrator server components required to run the Delegated Administrator console.
    • Delegated Administrator Console—the Delegated Administrator graphical user interface (GUI).

    Click Next to continue, Back to return to the previous panel, or Cancel to exit.

    For more information about how to choose components, see Choose Which Components to Configure.

    If you choose not to configure the Delegated Administrator server, a dialog box cautions you that you must configure the Delegated Administrator server on another machine. The server must be configured for the Delegated Administrator utility and console to work.

Configuring the Delegated Administrator Utility

Follow these steps:

  1. Access Manager host name and port number

    Enter the Access Manager (formerly called Identity Server) host name and port number. If you are installing the Delegated Administrator server component, you must install it on the same host as Access Manager.

    Click Next to continue, Back to return to the previous panel, or Cancel to exit.

  2. Default domain

    Enter the default domain for the Top-Level Administrator. This is the domain used when a domain is not explicitly specified by the -n option when executing the commadmin command-line utility. This is also known as the default organization. If the domain specified does not exist in the directory, it will be created.

    Click Next to continue, Back to return to the previous panel, or Cancel to exit.

  3. Default SSL port for client

    Enter the default SSL port that the Delegated Administrator utility uses.

    Click Next to continue, Back to return to the previous panel, or Cancel to exit.

  4. Go on to the section that matches the components you chose:

    • If you chose to configure only the Delegated Administrator utility, go on to Completing the Configuration.
    • If you chose to configure both the Delegated Administrator console and the server, or if you chose to configure the console only, go on to Configuring the Delegated Administrator Console.
    • If you chose to configure the Delegated Administrator server only (together with the required Delegated Administrator utility), go on to Configuring the Delegated Administrator Server.

Configuring the Delegated Administrator Console

The configuration program now displays the following panel:

Select a Web Container for Delegated Administrator

Select the Web container on which you will deploy the Delegated Administrator console. You can configure Delegated Administrator on Sun Java System Web Server, Sun Java System Application Server 7.x, or Sun Java System Application Server 8.x.

Click Next to continue, Back to return to the previous panel, or Cancel to exit.

This panel and the panels that follow gather information about the Web container for the Delegated Administrator console. Follow the instructions in the appropriate section: Web Server Configuration, Application Server 7.x Configuration, or Application Server 8.x Configuration.

You can deploy the Delegated Administrator console and server on two different Web containers, on two different instances of the Web container, or on the same Web container.

If you chose to configure both the Delegated Administrator console and the Delegated Administrator server in Panel 3 (Select components to configure), a second series of panels asks for Web container information for the server.

Thus, you will see the Web container configuration panels twice. Follow the appropriate instructions for deploying each of the Delegated Administrator components.

When you complete the Web container configuration panels, go on to Configuring the Delegated Administrator Server if you also chose to configure the server; otherwise, go on to Completing the Configuration.

Web Server Configuration

If you are deploying the Delegated Administrator server or console on Web Server, follow these steps:

  1. Web Server Configuration Details

    The panel text tells you whether you are providing Web Server configuration information for the Delegated Administrator server or for the console.

    Enter the Web Server root directory. You can browse to select the directory.

    Enter the Web Server instance identifier. This can be specified as a host.domain name, such as west.sesta.com.

    Enter the virtual server identifier. This can be specified as an https-host.domain name, such as https-west.sesta.com.

    For more information about the Web Server instance identifier and virtual server identifier, see the Web Server documentation.

    Files for the Web Server instance are stored in the https-host.domain directory under the Web Server installation directory, for example /opt/SUNWwbsvr/https-west.sesta.com.

    Enter the HTTP port number for the Web Server.

    Click Next to continue, Back to return to the previous panel, or Cancel to exit.

    The configuration program checks whether the values you specified are valid. If a directory or identifier is invalid or does not exist, a dialog box tells you to choose a new value.

    Next, the configuration program checks whether a connection to the Web Server instance is alive. If not, a dialog box warns you that the configuration program could not connect to the specified instance and that your configuration may not be completed. You can accept the specified values or choose new Web Server configuration values.

  2. Default Domain Separator

    This panel appears only if you are configuring the Delegated Administrator console. The domain separator is needed to configure the console; this information is not related to the Web container.

    Enter the default domain separator to be used for authentication when the user logs on. For example: @

    The domain separator value is stored in the daconfig.properties file. You can edit this property value after the configuration program runs. For more information, see “Customizing Delegated Administrator.”

  3. If you are configuring the Delegated Administrator console, go on to Configuring the Delegated Administrator Server if you also chose to configure the server; otherwise, go on to Completing the Configuration.

Application Server 7.x Configuration

If you are deploying the Delegated Administrator server or console on Application Server 7.x, follow these steps:

  1. Application Server 7.x Configuration Details

    The panel text tells you whether you are providing Application Server 7.x configuration information for the Delegated Administrator server or for the console.

    Enter the Application Server installation directory. By default, this directory is /opt/SUNWappserver7.

    Enter the Application Server domain directory. By default, this directory is /var/opt/SUNWappserver7/domains/domain1.

    Enter the Application Server document root directory. By default, this directory is /var/opt/SUNWappserver7/domains/domain1/server1/docroot.

    You can browse to select any of these directories.

    Enter the Application Server instance name. For example: server1

    Enter the Application Server virtual server identifier. For example: server1

    Enter the Application Server instance HTTP port number.

    Click Next to continue, Back to return to the previous panel, or Cancel to exit.

    The configuration program checks whether the directories you specified are valid. If a directory is invalid or does not exist, a dialog box tells you to choose a new directory.

    Next, the configuration program checks whether a connection to the Application Server instance is alive. If not, a dialog box warns you that the configuration program could not connect to the specified instance and that your configuration may not be completed. You can accept the specified values or choose new Application Server configuration values.

  2. Application Server 7.x: Administration Instance Details

    Enter the Administration Server port number. For example: 4848

    Enter the Administration Server administrator user ID. For example: admin

    Enter the administrator user password.

    If you are using a secure Administration Server instance, check the Secure Administration Server Instance box. If you are not, leave the box unchecked.

    Click Next to continue, Back to return to the previous panel, or Cancel to exit.

  3. Default Domain Separator

    This panel appears only if you are configuring the Delegated Administrator console. The domain separator is needed to configure the console; this information is not related to the Web container.

    Enter the default domain separator to be used for authentication when the user logs on. For example: @

  4. If you are configuring the Delegated Administrator console, go on to Configuring the Delegated Administrator Server if you also chose to configure the server; otherwise, go on to Completing the Configuration.

Application Server 8.x Configuration

If you are deploying the Delegated Administrator server or console on Application Server 8.x, follow these steps:

  1. Application Server 8.x Configuration Details

    The panel text tells you whether you are providing Application Server 8.x configuration information for the Delegated Administrator server or for the console.

    Enter the Application Server installation directory. By default, this directory is /opt/SUNWappserver/appserver.

    Enter the Application Server domain directory. By default, this directory is /var/opt/SUNWappserver/domains/domain1.

    Enter the Application Server document root directory. By default, this directory is /var/opt/SUNWappserver/domains/domain1/docroot.

    You can browse to select any of these directories.

    Enter the Application Server target name. For example: server

    Enter the Application Server virtual server identifier. For example: server

    Enter the Application Server target HTTP port number.

    Click Next to continue, Back to return to the previous panel, or Cancel to exit.

    The configuration program checks whether the directories you specified are valid. If a directory is invalid or does not exist, a dialog box tells you to choose a new directory.

    Next, the configuration program checks whether a connection to the Application Server target is alive. If not, a dialog box warns you that the configuration program could not connect to the specified target and that your configuration may not be completed. You can accept the specified values or choose new Application Server configuration values.

  2. Application Server 8.x: Administration Instance Details

    Enter the Administration Server port number. For example: 4849

    Enter the Administration Server administrator user ID. For example: admin

    Enter the administrator user password.

    If you are using a secure Administration Server instance, check the Secure Administration Server Instance box. If you are not, leave the box unchecked.

    Click Next to continue, Back to return to the previous panel, or Cancel to exit.

  3. Default Domain Separator

    This panel appears only if you are configuring the Delegated Administrator console. The domain separator is needed to configure the console; this information is not related to the Web container.

    Enter the default domain separator to be used for authentication when the user logs on. For example: @

  4. If you are configuring the Delegated Administrator console, go on to Configuring the Delegated Administrator Server if you also chose to configure the server; otherwise, go on to Completing the Configuration.

Configuring the Delegated Administrator Server

If you chose to configure the Delegated Administrator server, the configuration program displays the following panels. Enter the requested information:

  1. Access Manager base directory

    Enter the Access Manager base directory. The default directory is /opt/SUNWam.

    Click Next to continue, Back to return to the previous panel, or Cancel to exit.

    The configuration program checks whether a valid Access Manager base directory is specified. If not, a dialog box indicates that an existing Access Manager base directory must be selected.

  2. Web container Configuration Details

    Next, a Web container Configuration Details panel appears. If you chose to configure the console and server, this is the second time a Web container Configuration Details panel appears.

    The Delegated Administrator server is deployed to the same Web container as Access Manager. (You cannot choose a Web container for the Delegated Administrator server.)

    Follow the instructions in the appropriate section: Web Server Configuration, Application Server 7.x Configuration, or Application Server 8.x Configuration.

  3. Directory (LDAP) Server

    This panel asks for information about connecting to the LDAP Directory Server for the user/group suffix.

    Enter the User and Group Directory Server LDAP URL (LdapURL), Directory Manager (Bind As), and password in the text boxes.

    The Directory Manager has overall administrator privileges on the Directory Server and on all Sun Java System servers that use the Directory Server (for example, Delegated Administrator), and has full administration access to all entries in the Directory Server. The default and recommended Distinguished Name (DN) is cn=Directory Manager.

    Click Next to continue, Back to return to the previous panel, or Cancel to exit.

  4. Access Manager Top-Level Administrator

    Enter the user ID and password for the Access Manager Top-Level Administrator. The user ID and password are created when Access Manager is installed. The default user ID is amadmin.

    Click Next to continue, Back to return to the previous panel, or Cancel to exit.

  5. Access Manager internal LDAP authentication password

    Enter the password for the Access Manager internal LDAP authentication user.

    The authentication user name is hard-coded as amldapuser. It is created by the Access Manager installer and is the Bind DN user for the LDAP service.

    Click Next to continue, Back to return to the previous panel, or Cancel to exit.

  6. Organization Distinguished Name (DN)

    Enter the Organization DN for the default domain. For example, if your organization DN is o=siroe.com, all the users in that organization will be placed under the LDAP DN "o=siroe.com, o=usergroup", where o=usergroup is your root suffix.

    By default, the configuration program adds the default domain under the root suffix in the LDAP directory.

    If you want to create the default domain at the root suffix (not underneath it), delete the organization name from the DN that appears in the Organization Distinguished Name (DN) text box.

    For example, if your organization DN is o=siroe.com and your root suffix is o=usergroup, delete “o=siroe.com” from the DN in the text box; leave only o=usergroup.

    If you choose to create the default domain at the root suffix, and if you later decide to use hosted domains, it can be difficult to migrate to the hosted-domain configuration. The config-commda program displays the following warning:

    “The Organization DN you chose is the User/Group Suffix. Although this is a valid choice, if you ever decide to use hosted domains, there will be difficult migration issues. If you do wish to use hosted domains, then specify a DN one level below the User/Group suffix.”

    For more information, see Directory Structure Supporting a One-Tiered Hierarchy in Chapter 1, “Delegated Administrator Overview.”

    Click Next to continue, Back to return to the previous panel, or Cancel to exit.

  7. Top-Level Administrator for the default organization

    Enter the user ID and password for the Top-Level Administrator that is to be created in the default domain (organization).

    Click Next to continue, Back to return to the previous panel, or Cancel to exit.

  8. Service Package and Organization Samples

    You can choose to add sample service packages and sample organizations to your LDAP directory.

    Load sample service packages. Select this option if you want to use or modify sample service package templates to create your own Class-of-Service packages. (In Delegated Administrator, at least one Class-of-Service package must be assigned to each user in the LDAP directory.)

    Load sample organizations. Select this option if you want your LDAP directory tree to contain sample Service Provider Organization nodes and Business Organization nodes.

    You can select:

    • both the sample service packages and the sample organizations
    • only one of these options
    • neither option

    Preferred Mailhost for Sample. Enter the name of the machine on which Messaging Server is installed. For example: mymachine.siroe.com

    If you chose to load the sample organizations into your LDAP directory, you must enter a preferred mail host name for these samples.

    For information about service packages and organizations, see Chapter 2: “Delegated Administrator Overview.”

    After you run the configuration program, you must modify the service package templates to create your own Class-of-Service packages. For information about this post-configuration task, see Create Service Packages.

Completing the Configuration

To complete the configuration, take these steps:

  1. Ready to Configure

    The verification panel displays the items that will be configured.

    Click Configure Now to begin the configuration, Back to return to any previous panel to change information, or Cancel to exit.

  2. Task Sequence

    A sequence of tasks being performed is displayed on the Task Sequence panel. This is when the actual configuration takes place.

    When the panel displays “All Tasks Passed,” you can click Next to continue or Cancel to stop the tasks from being performed and exit.

    A dialog box appears reminding you to restart the Web container in order for the configuration changes to take effect.

  3. Installation Summary

    The Installation Summary panel displays the product installed and a Details... button that displays more information about this configuration.

    A log file for the config-commda program is created in the /opt/SUNWcomm/install directory. The name of the log file is commda-config_YYYYMMDDHHMMSS.log, where YYYYMMDDHHMMSS identifies the 4-digit year, month, date, hour, minute, and second of the configuration.

    Click Close to complete the configuration.

Restarting the Web Container

After you complete the Delegated Administrator configuration, you must restart the Web container to which Delegated Administrator is deployed: Sun Java System Web Server, Sun Java System Application Server 7.x, or Sun Java System Application Server 8.x.

Configuration and Log Files Created by the config-commda Program

Configuration Files

Using the information you provided in the panels, the config-commda program creates the following configuration files for the three Delegated Administrator components:

For information about these files, the properties they contain, and how to edit these properties to customize your configuration, see “Customizing Delegated Administrator.”

Log Files

The Delegated Administrator console creates a runtime log file:

For more information about this and other Delegated Administrator log files, see Appendix C, "Debugging Delegated Administrator."


Perform Silent Installation

The Delegated Administrator utility initial runtime configuration program automatically creates a silent installation state file (called saveState). This file contains internal information about the configuration program, and is used for running silent installs.

The silent installation saveState file is stored in the /opt/SUNWcomm/data/setup/commda-config_YYYYMMDDHHMMSS/ directory, where YYYYMMDDHHMMSS identifies the 4-digit year, month, date, hour, minute, and second of the saveState file.

For example, once you have run the config-commda program once, you can run it in silent install mode:

da_base/sbin/config-commda -nodisplay -noconsole -state fullpath/saveState

The fullpath variable is the full directory path of where the saveState file is located.


Run Delegated Administrator Console and Utility

Launching the Console

To launch the Delegated Administrator console, take these steps:

  1. Go to the following URL:

    http://host:port/da/DA/Login

    where host is the Web container host machine and port is the Web container port. For example:

    http://siroe.com:8080/da/DA/Login

    The Delegated Administrator console log-in window appears.

  2. Log in to the Delegated Administrator console.

    You can use the Top-Level Administrator (TLA) user ID and password specified in the Delegated Administrator configuration program. This information was requested in the panel Top-Level Administrator for the default organization.

Running the Command-Line Utility

To run the Delegated Administrator utility (commadmin), take these steps:

  1. Go to the da_base/bin/ directory. For example, go to /opt/SUNWcomm/bin/.
  2. Enter the commadmin command. For example:

    commadmin -D userid -w password

    where userid and password are the Top-Level Administrator (TLA) user ID and password specified in the Delegated Administrator configuration program. This information was requested in the panel Top-Level Administrator for the default organization.


Post-Configuration Tasks

After you run the Delegated Administrator configuration program, you should perform the following tasks:

  • Add Mail and Calendar Services to the Default Domain
  • Create Service Packages

Perform the following task only if you are using an LDAP directory in Schema 2 compatibility mode:

  • Add ACIs for Schema 2 Compatibility Mode

Add Mail and Calendar Services to the Default Domain

The config-commda program creates a default domain.

If you want to create users with mail service or calendar service in the default domain, you first must add mail service and calendar service to the domain.

To perform this task, use the commadmin domain modify command with the -S mail and -S cal options.

The following example shows how you can use commadmin domain modify to add mail and calendar services to the default domain:

commadmin domain modify -D chris -w bolton -n sesta.com -d siroe.com -S mail,cal -H test.siroe.com

For commadmin command syntax and details, see Chapter 5, "Command Line Utilities."

Create Service Packages

Each user provisioned in the LDAP directory with Delegated Administrator should have a Service package. A user can have more than one Service package.

Predefined Class-of-Service Templates

When you run the Delegated Administrator configuration program (config-commda), a default Class-of-Service template (defaultmail) is installed in the LDAP directory. You also can choose to have the config-commda program install the set of eight sample Class-of-Service templates in the directory.

For information about the sample Class-of-Service templates and the available mail attributes in a Service package, see Service Packages in Chapter 1, “Delegated Administrator Overview.”

You can use the sample Class-of-Service templates as Service packages. However, these templates are meant to be examples.

Creating Your Own Service Packages

Most likely you will have to create your own Service packages with attribute values appropriate for the users in your installation.

To create your own Service packages, use the Class-of-Service template stored in the da.cos.skeleton.ldif file.

This file was created specifically for use as a template for writing Service packages. It is not installed in the LDAP directory when Delegated Administrator is configured.

The Class-of-Service template in the da.cos.skeleton.ldif file is as follows:

# Template for creating a COS template for a service package.
#
# There must be at least one of the following attributes:
# - mailMsgMaxBlocks
# - mailQuota
# - mailMsgQuota
# - mailAllowedServiceAccess
#
# Consult documentation for values for the attributes. Documentation
# includes units and default values.
#
# The finished COS derived from this skeleton is added to the directory with
# the following command:
#
# ldapmodify -D <directory manager> -w <password>
# -f <cos.finished.template.ldif>
#
dn: cn=<service package name>,o=cosTemplates,<rootSuffix>
changetype: add
objectclass: top
objectclass: LDAPsubentry
objectclass: extensibleobject
objectclass: cosTemplate
cn: <service package name>
mailMsgMaxBlocks: <mailMsgMaxBlocksValue>
mailQuota: <mailQuotaValue>
mailMsgQuota: <mailMsgQuotaValue>
mailAllowedServiceAccess: <mailAllowedServiceAccessValue>

To create your own Service packages, follow these steps:

  1. Copy and rename the da.cos.skeleton.ldif file.

    When you install Delegated Administrator, the da.cos.skeleton.ldif file is installed in the following directory:

    da_base/lib/config-templates

  2. Edit the following entries in your copy of the da.cos.skeleton.ldif file:

    • <rootSuffix>

      Change the root suffix parameter, <rootSuffix>, to your root suffix (such as o=usergroup). The <rootSuffix> parameter appears in the DN.

    • <service package name>

      Change the <service package name> parameter to your own Service package name. The <service package name> parameter appears in the DN and in the cn.

    • Mail attribute values: <mailMsgMaxBlocksValue>, <mailQuotaValue>, <mailMsgQuotaValue>, <mailAllowedServiceAccessValue>

      Edit these values to your specifications. For example, you could enter the following values for the mail attributes:

      mailMsgMaxBlocks: 400
      mailQuota: 400000000
      mailMsgQuota: 5000
      mailAllowedServiceAccess: +imap:ALL$+pop:ALL$+smtp:ALL$+http:ALL

      For definitions and descriptions of these attributes, see “Chapter 3: Attributes” in the Sun Java System Communications Services Schema Reference.

      You do not have to use all four mail attributes in a Service package. You can delete one or more attributes from the Service package.

  3. Use the LDAP directory tool ldapmodify to install the Service package in the directory. For example, you could run the following command:

    ldapmodify -D <directory manager> -w <password> -f <cos.finished.template.ldif>

    where

    <directory manager> is the name of the Directory Server administrator.

    <password> is the password of the Directory Server administrator.

    <cos.finished.template.ldif> is the name of the edited LDIF file to be installed as a Service package in the directory.
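As an added example (not part of the Sun guide), the following POSIX shell script carries out steps 1 through 3 above without hand-editing: it renders the da.cos.skeleton.ldif template into a finished Service package and checks the result before it is handed to ldapmodify. The template text is copied from the skeleton shown above; the function names, the package names goldmail and litemail, and the attribute values are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the Sun guide): render da.cos.skeleton.ldif into a
# finished Service package and sanity-check it before running ldapmodify.
# Function names and the sample values below are constructed for illustration.

# Copy of the template shipped as da_base/lib/config-templates/da.cos.skeleton.ldif,
# embedded here so the script runs without the installed file.
cos_skeleton() {
    cat <<'EOF'
dn: cn=<service package name>,o=cosTemplates,<rootSuffix>
changetype: add
objectclass: top
objectclass: LDAPsubentry
objectclass: extensibleobject
objectclass: cosTemplate
cn: <service package name>
mailMsgMaxBlocks: <mailMsgMaxBlocksValue>
mailQuota: <mailQuotaValue>
mailMsgQuota: <mailMsgQuotaValue>
mailAllowedServiceAccess: <mailAllowedServiceAccessValue>
EOF
}

# Escape a value for the right-hand side of a sed "s|...|...|" command.
sed_escape() {
    printf '%s' "$1" | sed 's/[&|\\]/\\&/g'
}

# render_service_package ROOT_SUFFIX NAME MAXBLOCKS QUOTA MSGQUOTA ACCESS
# Substitutes the placeholders in the skeleton. An empty attribute value removes
# that attribute line, since the guide allows a package to carry fewer than four.
render_service_package() {
    cos_skeleton | sed \
        -e "s|<rootSuffix>|$(sed_escape "$1")|g" \
        -e "s|<service package name>|$(sed_escape "$2")|g" \
        -e "s|<mailMsgMaxBlocksValue>|$(sed_escape "$3")|" \
        -e "s|<mailQuotaValue>|$(sed_escape "$4")|" \
        -e "s|<mailMsgQuotaValue>|$(sed_escape "$5")|" \
        -e "s|<mailAllowedServiceAccessValue>|$(sed_escape "$6")|" \
        -e '/^mail[A-Za-z]*: *$/d'
}

# check_service_package < LDIF
# Exit 0 only if no <placeholder> survived and at least one of the four mail
# attributes is present (the skeleton's own requirement); otherwise exit 1.
check_service_package() {
    ldif=$(cat)
    if printf '%s\n' "$ldif" | grep -q '<[A-Za-z ]*>'; then
        echo "check_service_package: unreplaced placeholder in LDIF" >&2
        return 1
    fi
    if ! printf '%s\n' "$ldif" | grep -Eq '^mail(MsgMaxBlocks|Quota|MsgQuota|AllowedServiceAccess): [^ ]'; then
        echo "check_service_package: no mail attribute set" >&2
        return 1
    fi
    return 0
}

# Usage (constructed values; the last line is the guide's own ldapmodify syntax):
#   render_service_package o=usergroup goldmail 400 400000000 5000 \
#       '+imap:ALL$+pop:ALL$+smtp:ALL$+http:ALL' > goldmail.ldif
#   check_service_package < goldmail.ldif && \
#       ldapmodify -D "cn=Directory Manager" -w <password> -f goldmail.ldif
```

The check is deliberately run before ldapmodify: a leftover placeholder such as <rootSuffix> produces an entry under a DN that does not exist, and a template with no mail attribute at all is rejected by the skeleton's own rule, so both are cheaper to catch on the command line than in the directory.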

Add ACIs for Schema 2 Compatibility Mode

If you are using an LDAP directory in Schema 2 compatibility mode, you must manually add ACIs to the directory to enable Delegated Administrator to provision in your directory. Take the following steps:

  1. Add the following two ACIs to the OSI root. You can find these two ACIs in the usergroup.ldif file, located in the /opt/SUNWcomm/config directory.

    Be sure to replace ugldapbasedn with your usergroup suffix. Add the edited usergroup.ldif into the LDAP directory.

    #
    # acis to limit Org Admin Role
    #
    ########################################
    # dn: <local.ugldapbasedn>
    ########################################
    dn: <ugldapbasedn>
    changetype: modify
    add: aci
    aci: (target="ldap:///($dn),<ugldapbasedn>")(targetattr="*") (version 3.0; acl "Organization Admin Role access deny to org node"; deny (write,add,delete) roledn = "ldap:///cn=Organization Admin Role,($dn),<ugldapbasedn>";)

    dn: <ugldapbasedn>
    changetype: modify
    add: aci
    aci: (target="ldap:///($dn),<ugldapbasedn>")(targetattr="*") (version 3.0; acl "Organization Admin Role access allow read to org node"; allow (read,search) roledn = "ldap:///cn=Organization Admin Role,($dn),<ugldapbasedn>";)

  2. Add the following two ACIs to the DC Tree root suffix. You can find these two ACIs in the dctree.ldif file, located in the /opt/SUNWcomm/config directory.

    Be sure to replace dctreebasedn with your DC Tree root suffix and ugldapbasedn with your usergroup suffix. Add the edited dctree.ldif into the LDAP directory.

    #
    # acis to limit Org Admin Role
    #
    ########################################
    # dn: <dctreebasedn>
    ########################################
    dn: <dctreebasedn>
    changetype: modify
    add: aci
    aci: (target="ldap:///($dn),<dctreebasedn>")(targetattr="*") (version 3.0; acl "Organization Admin Role access deny to dc node"; deny (write,add,delete) roledn = "ldap:///cn=Organization Admin Role,($dn),<ugldapbasedn>";)

    dn: <dctreebasedn>
    changetype: modify
    add: aci
    aci: (target="ldap:///($dn),<dctreebasedn>")(targetattr="*") (version 3.0; acl "Organization Admin Role access allow read to dc node"; allow (read,search) roledn = "ldap:///cn=Organization Admin Role,($dn),<ugldapbasedn>";)

  3. Add the following additional ACIs to the DC Tree root suffix. (These ACIs are not in the dctree.ldif file.)

    dn: <dctreebasedn>
    changetype: modify
    add: aci
    aci: (target="ldap:///<dctreebasedn>")(targetattr="*") (version 3.0; acl "S1IS Proxy user rights"; allow (proxy) userdn = "ldap:///cn=puser,ou=DSAME Users,<ugldapbasedn>";)

    dn: <dctreebasedn>
    changetype: modify
    add: aci
    aci: (target="ldap:///<dctreebasedn>")(targetattr="*") (version 3.0; acl "S1IS special dsame user rights for all under the root suffix"; allow (all) userdn ="ldap:///cn=dsameuser,ou=DSAME Users,<ugldapbasedn>";)

    dn: <dctreebasedn>
    changetype: modify
    add: aci
    aci: (target="ldap:///<dctreebasedn>")(targetattr="*") (version 3.0; acl "S1IS Top-level admin rights"; allow (all) roledn = "ldap:///cn=Top-level Admin Role,<ugldapbasedn>";)

  4. Set the com.iplanet.am.domaincomponent property in the AMConfig.properties file to your DC Tree root suffix. For example, modify the following line in the <IS_base_directory>/lib/AMConfig.properties file from

    com.iplanet.am.domaincomponent=o=isp

    to

    com.iplanet.am.domaincomponent=o=internet

  5. Enable Access Manager (formerly called Identity Server) to use compatibility mode. In the Access Manager Console, on the Administration Console Service page, check (enable) the Domain Component Tree Enabled check box.

  6. Add the inetdomain object class to all the DC Tree nodes (such as dc=com,o=internet), as in the following example:

    /var/mps/serverroot/shared/bin 298% ./ldapmodify -D "cn=Directory Manager" -w password
    dn: dc=com,o=internet
    changetype: modify
    add: objectclass
    objectclass: inetdomain

  7. Restart the Web container.
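As an added example (not part of the Sun guide), the following POSIX shell script verifies the outcome of steps 2 and 3 above: it unwraps an ldapsearch-style LDIF dump of the aci values on the DC Tree root suffix and reports any of the five expected ACLs that is missing, any roledn or userdn that points into the DC Tree instead of the user/group suffix (every subject in these ACIs must live under ugldapbasedn), and any unreplaced placeholder. The function names and the two sample dumps are constructed; o=internet and o=usergroup are the example suffixes the guide itself uses.

```shell
#!/bin/sh
# Added example (not from the Sun guide): verify that the DC Tree root suffix
# carries the five ACIs from steps 2 and 3 and that every roledn/userdn in
# them resolves under the user/group suffix, not the DC Tree.
# Function names and the sample dumps are constructed for illustration.

# Join LDIF continuation lines (a line starting with one space continues the
# previous line), which is how ldapsearch prints long aci values.
unwrap_ldif() {
    awk '/^ / { printf "%s", substr($0, 2); next }
         NR > 1 { printf "\n" }
         { printf "%s", $0 }
         END { printf "\n" }'
}

# check_dctree_acis DCTREE_BASE UG_BASE < LDIF
# Exit 0 when every expected acl is present and no aci subject lives under
# DCTREE_BASE; each problem found is reported on stderr.
check_dctree_acis() {
    dcbase=$1
    ugbase=$2
    acis=$(unwrap_ldif | grep '^aci: ' || true)
    problems=0
    for acl in "Organization Admin Role access deny to dc node" \
               "Organization Admin Role access allow read to dc node" \
               "S1IS Proxy user rights" \
               "S1IS special dsame user rights for all under the root suffix" \
               "S1IS Top-level admin rights"; do
        if ! printf '%s\n' "$acis" | grep -Fq "acl \"$acl\""; then
            echo "missing aci: $acl" >&2
            problems=$((problems + 1))
        fi
    done
    # An aci whose subject DN does not exist never matches any bind, so a
    # roledn/userdn edited to the DC Tree suffix silently does nothing.
    if printf '%s\n' "$acis" | grep -Eq "(roledn|userdn) *= *\"ldap:///[^\"]*,$dcbase\""; then
        echo "aci subject under $dcbase instead of $ugbase" >&2
        problems=$((problems + 1))
    fi
    if printf '%s\n' "$acis" | grep -q '<[A-Za-z]*>'; then
        echo "unreplaced <placeholder> in aci" >&2
        problems=$((problems + 1))
    fi
    [ "$problems" -eq 0 ]
}

# Constructed sample: what a base-scope search for aci on o=internet might return
# after steps 2 and 3, with long values wrapped the way ldapsearch prints them.
sample_dctree_aci_dump() {
    cat <<'EOF'
dn: o=internet
aci: (target="ldap:///($dn),o=internet")(targetattr="*") (version 3.0; acl "Organ
 ization Admin Role access deny to dc node"; deny (write,add,delete) roledn = "ld
 ap:///cn=Organization Admin Role,($dn),o=usergroup";)
aci: (target="ldap:///($dn),o=internet")(targetattr="*") (version 3.0; acl "Organ
 ization Admin Role access allow read to dc node"; allow (read,search) roledn = "
 ldap:///cn=Organization Admin Role,($dn),o=usergroup";)
aci: (target="ldap:///o=internet")(targetattr="*") (version 3.0; acl "S1IS Pro
 xy user rights"; allow (proxy) userdn = "ldap:///cn=puser,ou=DSAME Users,o=usergroup";)
aci: (target="ldap:///o=internet")(targetattr="*") (version 3.0; acl "S1IS specia
 l dsame user rights for all under the root suffix"; allow (all) userdn ="ldap:///cn=dsameuser,ou=DSAME Users,o=usergroup";)
aci: (target="ldap:///o=internet")(targetattr="*") (version 3.0; acl "S1IS Top-le
 vel admin rights"; allow (all) roledn = "ldap:///cn=Top-level Admin Role,o=usergroup";)
EOF
}

# Constructed sample of a mistaken directory: the proxy-user aci was never added
# and the deny aci's roledn was edited to the DC Tree suffix by mistake.
sample_broken_aci_dump() {
    cat <<'EOF'
dn: o=internet
aci: (target="ldap:///($dn),o=internet")(targetattr="*") (version 3.0; acl "Organization Admin Role access deny to dc node"; deny (write,add,delete) roledn = "ldap:///cn=Organization Admin Role,($dn),o=internet";)
aci: (target="ldap:///($dn),o=internet")(targetattr="*") (version 3.0; acl "Organization Admin Role access allow read to dc node"; allow (read,search) roledn = "ldap:///cn=Organization Admin Role,($dn),o=usergroup";)
aci: (target="ldap:///o=internet")(targetattr="*") (version 3.0; acl "S1IS special dsame user rights for all under the root suffix"; allow (all) userdn ="ldap:///cn=dsameuser,ou=DSAME Users,o=usergroup";)
aci: (target="ldap:///o=internet")(targetattr="*") (version 3.0; acl "S1IS Top-level admin rights"; allow (all) roledn = "ldap:///cn=Top-level Admin Role,o=usergroup";)
EOF
}
```

Against a live directory the same check runs on real output, for example `ldapsearch -D "cn=Directory Manager" -w password -b o=internet -s base aci | check_dctree_acis o=internet o=usergroup`, which is a quick way to confirm the edited dctree.ldif and the three additional ACIs all landed before the Web container is restarted.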





Part No: 819-0114-10.   Copyright 2005 Sun Microsystems, Inc. All rights reserved.