Managing Servers with Netscape Console: Delegating Server Administration


Chapter 6 Delegating Server Administration

Through the use of administrative privileges and Access Control Information (ACIs) you can delegate specific server management tasks to selected individuals as you deem appropriate.

Note. Each Netscape server has its own specialized functions, and each server has its own special types of ACIs. For detailed information about ACIs for a particular Netscape server, see the server's Administrator's Guide.

This chapter contains the following sections:


Overview of Delegated Administration
When a user logs into Netscape Console, the Administration Server authenticates the user against the Directory Server. During authentication, the Administration Server evaluates the user's administrative privileges and any Access Control Information (ACIs) pertaining to the user. When authentication is completed, Netscape Console displays only the resources and server tasks the user is allowed to access.

Delegating server administration is a two-step process. First, you provide specific users and groups with administrative privileges, or access, to various resources, such as host systems and servers in your enterprise. Once you've given administrative privileges to an individual, you can restrict the scope of the administrator's network or server responsibilities.

Network Resources and Administrative Privileges
All network resources registered in the same configuration directory form a Netscape topology. The entire navigation tree in Netscape Console represents a Netscape topology. An administration domain is a collection of host systems and servers that share the same user directory. A server group consists of all servers managed by the same Administration Server. Servers are the products that provide specific services such as directory, messaging, and publishing.

Netscape Console uses four levels of administration privileges to determine whether individuals are authorized to access network resources. Three levels of administration privileges correspond to entries in the user directory: Configuration Administrator, Domain Administrator, and Server Administrator. A fourth level, the Administration Server Administrator, has privileges only to the local Administration Server. A comparison of administrators and their corresponding privileges is summarized in Table 6.1.

The Configuration Administrator and the Administration Server Administrator are automatically created when you install Netscape Console. You manually create the Domain Administrator after you create an administration domain (See "Creating an Administration Domain" on page 29).

For more information on the Server Administrator, see the documentation that comes with your server.

Table 6.1 Summary of Administrative Privileges

Configuration Administrator
  Primary Purpose: To manage servers and configuration directory data in the entire Netscape topology.
  Description: When a configuration directory is first installed, the Configuration Administrators group and the Configuration Administrator user ID are both automatically created in the configuration directory. Initially manages administration domain configuration until the Domain Administrators group and its members are in place.
  Scope of Administrative Privileges: Unrestricted access to all resources in the Netscape topology. This is the only administrator who can assign Domain Administrators; can also provide server access to other administrators.

Domain Administrator
  Primary Purpose: To manage servers and user data in an administration domain.
  Description: The Configuration Administrator must manually create a domain, then assign a Domain Administrator to it. The Domain Administrator can set access permissions for a server group, or for an individual server.
  Scope of Administrative Privileges: Restricted access to all servers and user data in a domain; can provide server access permissions to other administrators.

Server Administrator
  Primary Purpose: To perform server management tasks.
  Description: A Configuration or Domain Administrator must provide this user with access to a server. Once a user has server access permissions, that user is a Server Administrator and can provide server access permissions to others.
  Scope of Administrative Privileges: Restricted access to tasks for a particular server, depending upon task ACIs.

Administration Server Administrator
  Primary Purpose: To start or stop a server even when there is no Directory Server connection.
  Description: When an Administration Server is installed, this administrator's entry is automatically created locally. (This administrator is not a user in the user directory.)
  Scope of Administrative Privileges: Restricted server tasks (typically only Restart Server and Stop Server) for all servers in a local server group.

Configuration Administrator
During installation, you're asked to specify a username and password for the Configuration Administrator. The Configuration Administrator is authorized to access and modify the Configuration Directory of your LDAP server. Netscape Console creates the Configuration Administrator as an entry in the LDAP user directory under: ou=Administrators, ou=Mission Control, ou=<domain>, o=NetscapeRoot.

Normally, when you log in to Netscape Console as the Configuration Administrator, the username and password you enter are authenticated against the LDAP entry. But if the Directory Server cannot be accessed or the user LDAP entry cannot be found, Netscape Console authenticates the username and password against the Administration Server Administrator's credentials.

Administration Server Administrator
The Administration Server Administrator can execute only a limited set of CGI programs, such as starting, stopping, or restarting servers in the local Server Group. This account was designed to provide a means for you to log in to Netscape Console when the Directory Server is not running.

During installation, Netscape Console uses the same username and password you specified for the Configuration Administrator to automatically create the Administration Server Administrator username and password.

The Administration Server Administrator does not have an LDAP entry; it exists only as an entity named in a local configuration file stored at <server_root>/admin-serv/config/admpw. The user id and password stored in this file are used for authentication when the Directory Server cannot be reached. This is what makes it possible for you to access an Administration Server and perform limited server administration even when the Directory Server is not running.

Changing Administrator Usernames and Passwords
Keep in mind that the Configuration Administrator and Administration Server Administrator are two separate entities even though they are created at the same time during installation. If you change the username or password for one, Netscape Console does not automatically make the same changes for the other.

To change the username or password for the Configuration Administrator:

  1. In Netscape Console, click Users and Groups.
  2. In the Users and Groups window, click Directory.
  3. In the Change Directory window, enter a new Bind DN or Bind Password, then click OK.

To change the username or password for the Administration Server Administrator (the Local Administrator):

  1. In the Netscape Console navigation tree, locate and select the Administration Server you want to reconfigure. Click Open to open the Administration Server window.
  2. In the Administration Server window, click Configuration.
  3. In the Configuration tab, click Access.
  4. In the Access tab, enter a new Username or Password.
  5. Restart the Administration Server.

Examples of Delegated Administration
Jane is an administrator who troubleshoots network problems for end users. She needs to be able to access any server in any domain, and frequently modifies many types of user account information. She has a wide range of access permissions. When Jane logs into Netscape Console, she has a relatively unrestricted view of servers and tasks.

Figure 6.1    A member of the Administrator's group has an unrestricted view of network resources and server tasks.

John is also an administrator, but his job is focused on managing mail servers in the network. John's access permissions are more limited than Jane's. John is only allowed to access mail servers and can only modify user information related to mail accounts. When John logs into Netscape Console, he sees only the servers and tasks he needs to see in order to do his job.

Figure 6.2    A member of the Messaging Administrators group sees only the servers and tasks assigned to him.


Access to Network Resources
You provide access to network resources by adding users to administrators groups or by setting access permissions for a particular server.

Adding Users to the Configuration Administrators Group
Note. The Configuration Administrators group is automatically created when the configuration directory is installed. Only members of the Configuration Administrators group can add more users to the group. Members of the Configuration Administrators group have unrestricted access permissions.

To add users to the Configuration Administrators group:

  1. In Netscape Console, click Users and Groups, then click Directory.
  2. In the Change Directory window, indicate the location of the user directory that contains the Configuration Administrators group, then click OK.
  3. Enter the following settings:

     User Directory Host. Enter the fully qualified host name where the user directory is installed.

     User Directory Port. Enter the port number you want to use to connect to the user directory.

     User Directory Subtree. Enter o=NetscapeRoot to indicate where to find the Configuration Administrators group.

     Bind DN. Enter the user ID or DN of a user authorized to change entries in the user directory.

     Bind Password. Enter the password of the user directory Administrator.

  4. Use the Search function to locate and highlight the Configuration Administrators group, then click Edit.
  5. In the Edit Group window, click Members.
  6. Click Add.
  7. In the Search Users and Groups window, locate the user you want to add, then click OK.
  8. Repeat the previous step until all the users you want to add to the group are displayed in the Add Group Members list, then click OK.
Setting Access Permission for an Individual Server
Users who have access permissions to a particular server can provide the same access to additional users. By default, the Configuration Administrator has the appropriate access permissions; Domain Administrators and Server Administrators who have been given access permissions for an individual server can also provide the same access to other users.

To set access permissions for an individual server:

  1. In Netscape Console, select the server you want to allow or deny access to.
  2. From the Object menu, choose Set Access Permissions, and a list appears. The list contains the names of users and groups who currently have access permissions for the selected object.
  3. To deny access permission to a user or group in the list, select the user or group name, then click Delete User. Skip the rest of this procedure.
  4. Use the Search dialog box as usual to locate the user or group you want to allow or deny access permissions to, then click OK.
  5. In the Set Access Permissions dialog box, be sure that the user or group is added to the list, then click OK.

Access to Server Tasks
You provide access to server tasks by creating Access Control Information (ACI) rules. ACI rules determine who has permission to perform specific server tasks such as starting, stopping, or configuring a server. The ACI Editor is a graphical interface that helps you create Access Control Information or rules (see the illustration in "Setting Access Permissions for a Server Task" on page 105).

Note. Each Netscape 4.0 server may have its own ACI extensions and different uses for the ACI Editor. For detailed information about a particular server's ACI options, see the Administrator's Guide for that server.

What's in an ACI
Each entry in the user directory maintained by a Directory Server can include one or more ACI attributes. Attributes contain access control information for the entry. The access control information is composed of three parts: a target, permissions, and bind rules.

Target

The target specifies the object, object attributes, or group of objects and attributes you're controlling access to.

Permissions

The permission specifically outlines what rights you are either allowing or denying. Read, write, and execute are typical access permissions specified in ACIs. See Table 6.1 on page 95 for a brief summary of access permissions.

Bind Rules

The bind rules specify the circumstances under which access is to be allowed or denied. Bind rules may include any of the following:

ACI attributes are stored in the Directory Server entry for the targeted resource. The following example illustrates the use of two ACIs in the same directory entry. The first ACI allows all members of the Directory Administrators group unrestricted access to the Directory Server. The second ACI denies all access from 1:00 a.m. to 3:00 a.m. (0100 to 0300) on Sunday, Tuesday, and Friday to any bind DN that is not a member of the Directory Administrators group (note the != operator in its groupdn bind rule):

dn: o=airius.com
objectClass: top
objectClass: organization
ACI: (target="ldap:///o=airius.com")(targetattr=*)
     (version 3.0; acl "acl 1"; allow (all)
     groupdn = "ldap:///cn=Directory Administrators, o=airius.com";)
ACI: (target="ldap:///o=airius.com")(targetattr=*)
     (version 3.0; acl "acl 2"; deny (all)
     groupdn != "ldap:///cn=Directory Administrators, o=airius.com"
     and dayofweek = "Sun, Tues, Fri" and
     (timeofday >= "0100" and timeofday <= "0300");)
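To see how the target, permissions and bind rules of these two ACIs combine, the following Python evaluates them against a bind context (the groups the bind DN belongs to, the day of week and the time of day). This is an added example, not code from the Netscape documentation; it assumes the Directory Server semantics that an explicit deny overrides an allow and that a bind matched by no allow rule is denied, and its parser covers only the groupdn, dayofweek and timeofday keywords the example uses.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the two ACI values from the o=airius.com entry above
# (assumed semantics: an explicit deny overrides an allow; no matching allow = deny).
ACI_VALUES = [
    '(target="ldap:///o=airius.com")(targetattr=*)'
    '(version 3.0; acl "acl 1"; allow (all) '
    'groupdn = "ldap:///cn=Directory Administrators, o=airius.com";)',
    '(target="ldap:///o=airius.com")(targetattr=*)'
    '(version 3.0; acl "acl 2"; deny (all) '
    'groupdn != "ldap:///cn=Directory Administrators, o=airius.com" '
    'and dayofweek = "Sun, Tues, Fri" and '
    '(timeofday >= "0100" and timeofday <= "0300");)',
]

# ACI header: target, targetattr, version, name, allow/deny, rights, then the bind rule.
ACI_RE = re.compile(
    r'\(target="(?P<target>[^"]+)"\)\(targetattr=(?P<attr>[^)]+)\)'
    r'\(version 3\.0; acl "(?P<name>[^"]+)"; (?P<effect>allow|deny) '
    r'\((?P<rights>[^)]+)\) (?P<bind>.+);\)$'
)
# Bind-rule clauses handled here: the three keywords the example uses, joined by "and".
CLAUSE_RE = re.compile(r'(groupdn|dayofweek|timeofday)\s*(!=|>=|<=|=)\s*"([^"]+)"')


@dataclass
class Aci:
    name: str
    target: str
    effect: str    # "allow" or "deny"
    rights: set    # e.g. {"all"} or {"read", "search"}
    clauses: list  # [(keyword, operator, value), ...]


def norm_dn(dn):
    """Compare DNs loosely: case-insensitive, no whitespace after commas."""
    return re.sub(r",\s*", ",", dn.strip().lower())


def parse_aci(text):
    m = ACI_RE.match(text)
    if not m:
        raise ValueError("unsupported ACI syntax: " + text)
    rights = {r.strip() for r in m.group("rights").split(",")}
    return Aci(m.group("name"), m.group("target"), m.group("effect"),
               rights, CLAUSE_RE.findall(m.group("bind")))


def clause_holds(clause, ctx):
    """ctx: {"groups": group DNs the bind DN belongs to, "day": "Tues", "time": "HHMM"}."""
    keyword, op, value = clause
    if keyword == "groupdn":
        member = norm_dn(value.replace("ldap:///", "")) in {norm_dn(g) for g in ctx["groups"]}
        return member if op == "=" else not member
    if keyword == "dayofweek":
        return ctx["day"] in {d.strip() for d in value.split(",")}
    if keyword == "timeofday":  # zero-padded HHMM strings compare correctly as text
        return ctx["time"] >= value if op == ">=" else ctx["time"] <= value
    return False


def decide(acis, ctx, right="read"):
    """Return (decision, names of the ACIs whose rights and bind rule matched)."""
    matched = [a for a in acis
               if ("all" in a.rights or right in a.rights)
               and all(clause_holds(c, ctx) for c in a.clauses)]
    names = [a.name for a in matched]
    if any(a.effect == "deny" for a in matched):
        return "deny", names      # an explicit deny wins over any allow
    if any(a.effect == "allow" for a in matched):
        return "allow", names
    return "deny", names          # nothing granted access: default deny


ACIS = [parse_aci(v) for v in ACI_VALUES]
ADMINS = "cn=Directory Administrators, o=airius.com"
```

Calling decide with a non-member of the group on a Monday at 0200 returns a deny with no matching ACI: under default deny, "acl 2" only makes explicit what already happens unless some other ACI grants those users access.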

Setting Access Permissions for a Server Task
To set access permission for a server task:

  1. In Netscape Console, select a server and open its console.
  2. From the server Tasks, select the task you want to allow or deny access permission to.

  3. From the Edit menu, choose Set Access Permissions. The ACI Editor appears.

  4. To create a new rule, click Add Rule. A default rule is added to the table.
  5. To edit a rule in the table, single-click a cell to edit its contents, or double-click the cell to display a dialog box for entering additional information. Cells and related options are summarized in Table 6.2.
  6. Click OK.
  7. Restart the server.

Table 6.2 The ACI Editor Settings and Options

Rule number
  What it does: Indicates the order in which the rule was created.
  Options: No options available.

User/Group
  What it does: Designates users or groups to be affected by this rule.
  Options: Double-click this cell to display the Select Users and Groups window. Enter information to create a list of users and groups to be affected by this rule.
    Add User/Group to List. Use this pull-down list to indicate whether you're adding a user or group to the list.
    Blank Input field. Enter the full DN for the user or group you want to add to the list. Examples:
    Add. Adds to the list the user or group you specified in the blank input field (above).
    Remove from List. Removes a selected user or group from the list.
    Find Users and Groups. Displays the Search Users and Groups window so you can locate a user or group you want to add to the list.
    All users/groups except those specified in the list. When checked, excludes the users and groups listed from the rule you create.
    Authentication Method. Choose None if you don't want to use client authentication at all. Choose Simple if you want to use basic user ID/password authentication. Choose SSL if you want to use SSL certificates for authentication. Choose SASL EXTERNAL if you've written a Directory Server plug-in for use with SASL authentication.
    User DN Attribute. Enter an attribute, such as manager or owner, that contains a user DN whose value is subject to change. For example, you can set up an ACI that allows Mary's manager (manager: uid=asmith) to access Mary's employment data. When Mary transfers to another department, the manager attribute in her entry is changed (manager: uid=bjones). The ACI automatically provides rights to her new manager.

Host
  What it does: Designates host computers affected by this rule.
  Options: Enter a host name or IP address. You can use wildcards to enter multiple host names at one time. In an IP address you can use only the wildcard character *, and only at the end of the address; the * must replace an entire byte. For example, 198.95.251.* is acceptable; 198.95.251.3* is unacceptable.

Time
  What it does: Specifies an interval when the rule will be in effect.
  Options: Enter times in 24-hour format (HHMM).

Allow/Deny
  What it does: Specifies whether to grant or restrict access to the resources named in this rule.
  Options: Choose Allow or Deny from the drop-down list.

Rights
  What it does: Specifies user rights allowed or denied by this rule. (When setting rights for a task, you typically check all of these.)
  Options:
    Read. User can view a file. Includes HTTP methods GET, HEAD, POST, and INDEX.
    Write. User can change or delete a file. Includes HTTP methods PUT, DELETE, MKDIR, RMDIR, MOVE.
    Add. User can add directory entries.
    Delete. User can delete files.
    Search. Indicates whether data can be searched for. Users must have Search and Read rights in order to view the data returned as part of a search operation.
    Compare. Indicates whether data may be used in comparison operations. With compare rights, the directory returns a yes or no in response to an inquiry, but the user cannot see the value of the entry or attribute.
    Selfwrite. Indicates whether people can add or delete themselves from a group. This right is only used for group management.

Check Syntax
  What it does: Lets you view the ACI syntax as stored in the directory.
  Options: You cannot edit the syntax in the Check Syntax dialog box. You must use the Edit Attributes dialog box. In the Access Control Editor, click Edit Attributes.

Edit Attributes
  What it does: Displays a dialog box for editing ACI search targets.
  Options: Use the Edit ACI Attributes dialog box to edit the following:
    ACI Name. Enter a name for the rule you're creating.
    Target. Enter a valid DN to specify the directory entry this rule will apply to. Example: o=airius.com.
    Target Filter. Enter a search filter to use to set the rule target. Example: ou=accounting, ou=engineering.
    Target Attribute. Specify one or more attributes to which the rule applies. Separate multiple attributes with double vertical bars. Example: userpassword || telephonenumber.
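The Host cell's wildcard rule, checked in code. This is an added example, not part of the Netscape documentation: it validates a Host value the way the rule in Table 6.2 describes (a * only as the whole last byte of an IP address) and matches a connecting host against it; treating a leading "*." on a host name as the host-name wildcard form is my assumption, since the page shows no host-name example.

```python
import re

# Page rule for the Host cell: in an IP address a "*" may appear only at the end and
# must replace the entire last byte (198.95.251.* is acceptable, 198.95.251.3* is not).
IP_PATTERN_RE = re.compile(r"^(\d{1,3}\.){3}(\d{1,3}|\*)$")
# Host names: an exact name or (my assumption; the page shows no example) a leading "*." label.
HOST_PATTERN_RE = re.compile(r"^(\*\.)?([a-z0-9-]+\.)*[a-z0-9-]+$", re.I)


def valid_host_pattern(pattern):
    """True if the value is acceptable in the Host cell; rejects partial-byte wildcards."""
    if pattern.replace("*", "").replace(".", "").isdigit():        # looks like an IP address
        return bool(IP_PATTERN_RE.match(pattern)) and all(
            int(b) <= 255 for b in pattern.split(".") if b.isdigit())
    return bool(HOST_PATTERN_RE.match(pattern))


def host_matches(pattern, host):
    """Does the connecting host (name or dotted-quad string) fall under the pattern?"""
    if not valid_host_pattern(pattern):
        raise ValueError("invalid Host pattern: " + pattern)
    if pattern.endswith(".*"):                                      # IP last-byte wildcard
        tail = host[len(pattern) - 1:]
        return host.startswith(pattern[:-1]) and tail.isdigit() and int(tail) <= 255
    if pattern.startswith("*."):                                    # host-name wildcard (assumed form)
        return host.lower().endswith(pattern[1:].lower()) and host.lower() != pattern[2:].lower()
    return host.lower() == pattern.lower()
```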


Set Access Permissions

Add Rule. Adds a default rule to the list of rules. Edit the new rule as necessary.

Delete Rule. Deletes the selected rule in the list.

Show Inherited Rules. Displays rules that are automatically applied to the selected resource.

Rule. The rule number indicates the order in which the rule was created.

User/Group. Displays a dialog box for choosing users and groups to be affected by this rule.

Host. Displays a dialog box for specifying host names or IP addresses to which you want to allow Access Permissions.

Time. Displays a dialog box for specifying when you want the Access Permissions to be in effect.

Allow/Deny. Choose Allow if you want the listed user or group to be able to access the server. Choose Deny if you don't want the listed user or group to be able to access the server.

Rights. Displays a dialog box for selecting the various rights that will be affected by this rule.

Check Syntax. Lets you view the ACL syntax as it's stored in the directory.

Edit Attributes. Displays a dialog box for modifying the target, target filter, and target attributes of the selected rule.


Access Permissions for a Server
Use this dialog box to allow or deny access to the selected server.

This list displays the names of users who have access to the selected server. Although the Configuration Administrators group does not appear on the list, all users in the Configuration Administrators group do have access to the server.

Add User. Displays a dialog box for adding a user to the list. Adding a user to the list allows the user access.

Delete User. Deletes the selected user from the list. Deleting a user from the list denies the user access.


ACI User-Group
Use this dialog box to add to the list of users and groups affected by an ACL rule.

Add to List. Enter the name of a user or group you want to be affected by this rule. Use the pull-down list to indicate whether the entry is a user or group.

Add. Adds the user or group you entered to the access control list.

Remove from list. Removes a user or group from the access control entry. The change takes effect immediately.

All users except those specified in the list. Select this option to exclude users in the list from the rule.

User DN Attribute. Enter an attribute, such as manager or owner, that contains a user DN whose value is subject to change. For example, you can set up an ACI that allows Mary's manager (manager: uid=asmith) to access Mary's employment data. When Mary transfers to another department, the manager attribute in her entry is changed to reflect the new manager's uid (manager: uid=bjones). The same ACI automatically provides appropriate rights to her new manager instead of her previous manager.

Authentication Method. Choose None if you don't want to use client authentication at all. Choose Simple if you want to use basic user ID/password authentication. Choose SSL if you want to use SSL certificates for authentication. Choose SASL EXTERNAL if you've written a Directory Server plug-in for use with SASL authentication.


Select Hosts and IP Addresses
Use this dialog box to add to the list of host computers you want to allow access to.

Add to List. Enter a host name or IP address you want to be affected by this rule. Use the pull-down list to indicate whether you're entering a host name or an IP address.

Add. Adds the host or IP address to the access control list. Change takes effect immediately.

All users except those specified in the list. Select this option to exclude hosts or IP addresses in the list from the rule.

Remove from list. Removes the host or IP address from the access control entry. The change takes effect immediately.


Select Time
Use this dialog box to specify the interval when you want access to be allowed or denied.

Beginning at. Enter the beginning time using 24-hour format. (HHMM)

Ending at. Enter the end time using 24-hour format. (HHMM).


Select Access Rights
Select the rights you want to allow for the selected user or group.

Table 6.3 Access Permission for the Administration Server

Read. User can view a file. Includes HTTP methods GET, HEAD, POST, and INDEX.

Write. User can change or delete a file. Includes HTTP methods PUT, DELETE, MKDIR, RMDIR, MOVE.

Add. User can add directory entries.

Delete. User can delete files.

Search. Indicates whether data can be searched for. Users must have Search and Read rights in order to view the data returned as part of a search operation.

Compare. Indicates whether data may be used in comparison operations. With compare rights, the directory returns a yes or no in response to an inquiry, but the user cannot see the value of the entry or attribute.

Selfwrite. Indicates whether people can add or delete themselves from a group. This right is used only for group management.

Deselect All. Deselects all rights you previously selected.


View or Edit Syntax
You can view the rule syntax as it's stored in the .acl file. Although you can edit attributes manually in this display, the changes you make could affect other rules and attributes. We recommend you use the Edit Attributes dialog box to make modifications.

To access the Edit Attributes dialog box, first click Cancel or OK. Then click Edit Attributes in the Set Access Permissions dialog box.


ACI Attributes

ACL Name. Enter a name for the ACL rule you are creating.

Target. Specify the entry to which this ACI applies. This field must contain a valid DN such as o=airius.com.

Target Filter. Enter a search filter to use to set the target. Example: ou=accounting, ou=engineering.

Target Attribute. Specify one or more attributes to which the ACI applies. To target more than one attribute, separate each attribute with double vertical bars (||). Example: userpassword || telephonenumber


Multi-value ACI Selector
The list displays the Access Control Instructions (ACIs) created for the selected directory entry. Use this dialog box when you want to add a new ACI, or when you want to edit or delete an existing one.

New. Displays a dialog box for creating or editing an ACI.

Delete. Deletes the selected ACI.


See Also

"What's in an ACI"


Administration Server Administrator Password
The server you're attempting to start must be started by the Administration Server Administrator.

During installation, Netscape Console uses the same password specified for the Configuration Administrator to automatically create the Administration Server Administrator password.

If you do not know this password, contact your Configuration Administrator, or contact Netscape Business Technical Support at http://help.netscape.com/business/.


See Also

"Network Resources and Administrative Privileges"
"Changing Administrator Usernames and Passwords"

 

©Copyright 1999 Netscape Communications Corporation