Chapter 6 Delegating Server Administration
Through the use of administrative privileges and Access Control Information (ACIs), you can delegate specific server management tasks to selected individuals as you deem appropriate.
Note. Each Netscape server has its own specialized functions, and each server has its own special types of ACIs. For detailed information about ACIs for a particular Netscape server, see the server's Administrator's Guide.
Overview of Delegated Administration
Access to Network Resources
Access to Server Tasks
In Netscape Console, click Users and Groups.
In the Users and Groups window, click Directory.
In the Change Directory window, enter a new Bind DN or Bind Password, then click OK.
In the Netscape Console navigation tree, locate and select the Administration Server you want to reconfigure. Click Open to open the Administration Server window.
In the Administration Server window, click Configuration.
In the Configuration tab, click Access.
In the Access tab, enter a new Username or Password.
Restart the Administration Server.
Figure 6.1    A member of the Administrator's group has an unrestricted view of network resources and server tasks.
Figure 6.2    A member of the Messaging Administrators group sees only the servers and tasks assigned to him.
In Netscape Console, click Users and Groups, then click Directory.
In the Change Directory window, indicate the location of the user directory that contains the Configuration Administrators group, then click OK.
User Directory Host. Enter the fully qualified host name where the user directory is installed.
User Directory Port. Enter the port number you want to use to connect to the user directory.
User Directory Subtree. Enter o=NetscapeRoot to indicate where to find the Configuration Administrators group.
Bind DN. Enter the user ID or DN of a user authorized to change entries in the user directory.
Bind Password. Enter the password of the user directory Administrator.
Use the Search function to locate and highlight the Configuration Administrators group, then click Edit.
In the Edit Group window, click Members.
Click Add.
In the Search Users and Groups window, locate the user you want to add, then click OK.
Repeat this step until all the users you want to add to the group are displayed in the Add Group Members list, then click OK.
In Netscape Console, select the server you want to allow or deny access to.
From the Object menu, choose Set Access Permissions, and a list appears. The list contains the names of users and groups who currently have access permissions for the selected object.
By default, the Configuration Administrators group has unrestricted access to all servers, even though its name does not display on this list.
To deny access permission to a user or group in the list, select the user or group name, then click Delete User. Skip the rest of this procedure.
To allow access permission to additional users or groups, click Add User.
Use the Search dialog box as usual to locate the user or group you want to allow or deny access permissions to, then click OK.
In the Set Access Permissions dialog box, be sure that the user or group is added to the list, then click OK.
The target specifies the object, object attributes, or group of objects and attributes you're controlling access to.
The permission specifically outlines what rights you are either allowing or denying. Read, write, and execute are typical access permissions specified in ACIs. See Table 6.1 on page 95 for a brief summary of access permissions.
The bind rules specify the circumstances under which access is to be allowed or denied. Bind rules may include any of the following:
objectClass: top
objectClass: organization
ACI: (target="ldap:///o=airius.com")(targetattr=*)
(version 3.0; acl "acl 1"; allow (all)
groupdn = "ldap:///cn=Directory Administrators, o=airius.com";)
(version 3.0; acl "acl 2"; deny (all)
groupdn != "ldap:///cn=Directory Administrators, o=airius.com"
and dayofweek = "Sun, Tue, Fri" and
(timeofday >= "0100" and timeofday <= "0300");)
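As an added example that is not part of this guide, the following Python script splits an ACI of the form shown above into its target, permission and bind rules, then evaluates the bind rules for a given binding user. It handles only the keywords (groupdn, dayofweek, timeofday) and the and connector used in the example; the ACI string and user contexts are constructed here, and the decision order it assumes is that a matching deny rule wins over a matching allow rule and that nothing matching means deny.

```python
import re
# Constructed ACI value with the same target and rules as the chapter's LDIF example.
SAMPLE_ACI = ('(target="ldap:///o=airius.com")(targetattr=*)'
              '(version 3.0; acl "acl 1"; allow (all) groupdn = "ldap:///cn=Directory Administrators, o=airius.com";)'
              '(version 3.0; acl "acl 2"; deny (all) groupdn != "ldap:///cn=Directory Administrators, o=airius.com" '
              'and dayofweek = "Sun, Tue, Fri" and (timeofday >= "0100" and timeofday <= "0300");)')
RULE_RE = re.compile(r'\(version 3\.0; acl "([^"]+)"; (allow|deny) \(([^)]*)\) (.*?);\)', re.S)

def parse_aci(text):
    # Returns the target DN and, per rule, (acl name, allow|deny, [rights], bind rule text).
    target = re.search(r'\(target="([^"]*)"\)', text).group(1)
    return target, [(n, eff, [r.strip() for r in rights.split(",")], bind.strip())
                    for n, eff, rights, bind in RULE_RE.findall(text)]

def _compare(key, op, val, ctx):
    # One bind-rule keyword evaluated against the binding user's context.
    if key == "groupdn":                          # '!=' means 'not a member of that group'
        return (val in ctx["groups"]) == (op == "=")
    if key == "dayofweek":                        # comma-separated three-letter day names
        return ctx["day"] in [d.strip() for d in val.split(",")]
    if key == "timeofday":                        # HHMM strings, compared numerically
        t, v = int(ctx["time"]), int(val)
        return {"=": t == v, ">=": t >= v, "<=": t <= v}[op]
    raise ValueError("unsupported bind rule keyword: " + key)

def eval_bind_rule(expr, ctx):
    toks = re.findall(r'\(|\)|!=|>=|<=|=|"[^"]*"|\w+', expr)  # parens, operators, strings, keywords
    def atom():
        if toks[0] == "(":
            toks.pop(0)
            v = conj()
            toks.pop(0)                           # the closing ')'
            return v
        key, op, val = toks.pop(0), toks.pop(0), toks.pop(0).strip('"')
        return _compare(key, op, val, ctx)
    def conj():
        v = atom()
        while toks and toks[0] == "and":
            toks.pop(0)
            v = atom() and v                      # evaluate every operand so the tokens stay in sync
        return v
    return conj()

def decide(aci_text, ctx, right):
    # Deny rules take precedence over allow; with no matching allow rule the default is deny.
    matched = [(n, eff) for n, eff, rights, bind in parse_aci(aci_text)[1]
               if (right in rights or "all" in rights) and eval_bind_rule(bind, ctx)]
    if any(eff == "deny" for _, eff in matched):
        return "deny", [n for n, _ in matched]
    return ("allow", [n for n, _ in matched]) if matched else ("deny", [])
```

Running decide with a Directory Administrators member and with an ordinary user on a Tuesday at 02:00 shows why the second rule matters: the member is allowed by "acl 1", while the ordinary user is explicitly denied by "acl 2" rather than merely falling through to the default.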
Setting Access Permissions for a Server Task
To set access permission for a server task:
In Netscape Console, select a server and open its console.
From the server Tasks, select the task you want to allow or deny access permission to.
From the Edit menu, choose Set Access Permissions. The ACI Editor appears.
To create a new rule, click Add Rule. A default rule is added to the table.
To edit a rule in the table, single-click a cell to edit its contents, or double-click the cell to display a dialog box for entering additional information. Cells and related options are summarized in Table 6.2.
Continue using the Access Control Editor to create rules and enter settings as necessary, then click Save Changes.
Click OK.
Restart the server.
Add Rule. Adds a default rule to the list of rules. Edit the new rule as necessary.
Delete Rule. Deletes the selected rule in the list.
Show Inherited Rules. Displays rules that are automatically applied to the selected resource.
Rule. The rule number indicates the order in which the rule was created.
User/Group. Displays a dialog box for choosing users and groups to be affected by this rule.
Host. Displays a dialog box for specifying host names or IP addresses to which you want to allow Access Permissions.
Time. Displays a dialog box for specifying when you want the Access Permissions to be in effect.
Allow/Deny. Choose Allow if you want the listed user or group to be able to access the server. Choose Deny if you don't want the listed user or group to be able to access the server.
Rights. Displays a dialog box for selecting the various rights that will be affected by this rule.
Check Syntax. Lets you view the ACL syntax as it's stored in the directory.
Edit Attributes. Displays a dialog box for modifying the target, target filter, and target attributes of the selected rule.
Add User. Displays a dialog box for adding a user to the list. Adding a user to the list allows the user access.
Delete User. Deletes the selected user from the list. Deleting a user from the list denies the user access.
Add to List. Enter the name of a user or group you want to be affected by this rule. Use the pull-down list to indicate whether the entry is a user or group.
Add. Adds the user or group you entered to the access control list.
Remove from list. Removes a user or group from the access control entry. The change takes effect immediately.
All users except those specified in the list. Select this option to exclude users in the list from the rule.
User DN Attribute. Enter an attribute, such as manager or owner, that contains a user DN with a value that's subject to change. For example, you can set up an ACI that allows Mary's manager (manager: uid=asmith) to access Mary's employment data. When Mary transfers to another department, her DN is changed to reflect a new manager uid (manager: uid=bjones). The same ACI automatically provides appropriate rights to her new manager instead of her previous manager.
Authentication Method. Choose None if you don't want to use client authentication at all. Choose Simple if you want to use basic user ID/password authentication. Choose SSL if you want to use SSL certificates for authentication. Choose SASL EXTERNAL if you've written a Directory Server plug-in for use with SASL authentication.
Add to List. Enter a host name or IP address you want to be affected by this rule. Use the pull-down list to indicate whether you're entering a host name or IP address.
Add. Adds the host or IP address to the access control list. Change takes effect immediately.
All users except those specified in the list. Select this option to exclude hosts or IP addresses in the list from the rule.
Remove from list. Removes the host or IP address from the access control entry. The change takes effect immediately.
Beginning at. Enter the beginning time using 24-hour format (HHMM).
Ending at. Enter the end time using 24-hour format (HHMM).
Deselect All. Deselects all rights you previously selected.
ACL Name. Enter a name for the ACL rule you are creating.
Target. Specify the entry to which this ACI applies. This field must contain a valid DN such as o=airius.com.
Target Filter. Specify a search filter to use to set the target. Example: ou=accounting, ou=engineering
Target Attribute. Specify one or more attributes to which the ACI applies. To target more than one attribute, separate each attribute with double vertical bars (||). Example: userpassword || telephonenumber
New. Displays a dialog box for creating or editing an ACI.
Delete. Deletes the selected ACI.