Managing Servers With iPlanet Console



Chapter 5   User and Group Administration


iPlanet Console allows you to create, locate, and manage user and group information from any system in your enterprise.

This chapter contains the following sections:

Chapter 9, "Access Control," shows you how to work with user and group information when setting access privileges and other security information.



Interacting with Directory Server



When you use iPlanet Console to create or modify users and groups, you make changes in the user directory, a subtree of Directory Server. These changes affect all applications that use Directory Server. For information on how iPlanet Console uses the data stored in the user directory, see Chapter 1, "iPlanet Console and Administration Server."


Using Distinguished Names

A distinguished name (DN) is a text string that identifies a specific directory branch or entry. Each user and group in your enterprise is represented in the Directory Server by a DN. Whenever you make changes to user and group information in the Directory, you use distinguished names (DNs). For example, you need to specify a DN each time you perform one of the following operations:

  • Create or modify directory entries

  • Set up access controls

  • Set up user accounts for applications such as mail or publishing

From the iPlanet Console "Users and Groups" tab, you can create, select, and use directory entries.


Distinguished Names, Attributes, and Syntax

This section presents a brief summary of distinguished names, directory attributes, and syntax information. For a more detailed discussion of these concepts, see the iPlanet Directory Server Administrator's Guide.


Distinguished Names

A distinguished name (DN) is the string representation of an entry's name and location in an LDAP directory. A DN describes a path to a directory entry. Each DN is made up of a number of components called relative distinguished names (RDNs). Each RDN identifies a specific entry in the directory. In order to ensure that every directory entry is unique, LDAP dictates that a single parent entry cannot have two identical RDNs below it.

Customarily, a DN for a user or group contains at least three types of RDN:

  • A user name, user ID, or group name (identified by the cn keyword)

  • An organization name (identified by the o keyword)

  • One or more domain name components (identified by the dc keyword). Example: siroe.com contains two domain name components: siroe and com.

Other common RDNs are organizational unit (ou), state (st), and country (c).

The exact composition of a DN depends on the structure of the directory. Most directories are organized by more categories than just country designations and organization names. As a result, the DNs used to identify entries are longer and contain more specific RDNs. For example, the DNs for three employees or users in the same company might look like this:

cn=Ben Hurst, ou=Operations, o=Klondike Corp, st=CA, c=US

cn=Jeff Lee, ou=Marketing, o=Klondike Corp, st=CA, c=US

cn=Mary Smith, ou=Sales, o=Klondike Corp, st=MN, c=US

In these examples, all three users work in different departments or organizational units (ou) and for the same company or organization (o), Klondike Corp. The third user works in a different state (st) from the first two users.

LDAP allows organizations and organizational units to contain other organizations and organizational units, allowing for the representation of complex enterprises. For example, the DN for a group within a large corporation might look like this:

cn=Technical Publications, ou=Super Server Group, ou=Server Division, o=Siroe Corporation, o=MegaCorp, dc=megacorp, dc=com

Table 5-1 contains a list of common RDN keywords.


Table 5-1    Common RDN Keywords Used in DNs  

| RDN Keyword | Meaning in a DN | Description |
|---|---|---|
| c | country | Country in which the user or group resides. Examples: c=US; c=GB |
| cn | common name or full name | Full name of person or object defined by the entry. Examples: cn=Wally Henderson; cn=Database Administrators; cn=printer 3b |
| dc | domain component | Part of a DNS domain. This keyword is typically used at the top levels of a directory tree. For example, a user in the ldap.siroe.com domain might have the following DN: cn=Barbara Jones,ou=Engineering, dc=siroe, dc=com |
| l | locality | Locality in which the user or group resides. This can be the name of a city, country, township, or other geographic region. Examples: l=Tucson; l=Pacific Northwest; l=Anoka County |
| o | organization | Organization to which the user or group belongs. Examples: o=iPlanet E-Commerce Solutions; o=Public Power & Gas |
| ou | organizational unit | Unit within an organization. Examples: ou=Sales; ou=Manufacturing |
| sn | surname | User's last name. Example: sn=Henderson |
| st | state or province | State or province in which the user or group resides. Examples: st=Iowa; st=British Columbia |

Keep in mind that the DNs you specify when using iPlanet Console must reflect the types of data in your user directory. For information on setting up the user data in your iPlanet Directory Server, see the Directory Server documentation at http://docs.iplanet.com.


Attributes

Directory attributes hold descriptive information about an entry. For example, a user entry might have attributes for a user ID, email address, given name, and password.

Table 5-2 contains a list of common user and group directory attributes.


Table 5-2    Common User and Group Directory Attributes  

| Attribute Keyword | Attribute Name | Description |
|---|---|---|
| givenName | given name | User's first name. |
| mail | email address | User's or group's email address. |
| streetAddress | street | Street number and address of user or group defined by the entry. Example: street=494 Rice Creek Terrace |
| telephoneNumber | telephone | User's or group's telephone number. Example: (545) 555-1221 |
| title | title | User's job title. Examples: title=writer; title=manager |
| uid | user ID | Name that uniquely identifies the person or object defined by the entry. |
| userPassword | password | A user's password. |

A user entry can include many more attributes than those listed above. In addition, you can create new attributes to meet your company's needs. For more detailed information, see the iPlanet Directory Server Administrator's Guide.


DN and Attribute Guidelines and Syntax

As you create, select, and use directory entries, follow these guidelines:

Separate RDNs with a comma. If an RDN value contains a comma, enclose the part of the name that uses the comma in double-quotation marks. For example, to include the string Ace Industry, Corp in a DN, use the form

o="Ace Industry, Corp", c=US

When schema checking is turned on, attributes must match directory schema. If you are using iPlanet Directory Server and schema checking is turned on, use RDN keywords and attributes that can be recognized by the Directory Server and are allowed by the entry's object classes. If schema checking is turned off, you can use all attributes, regardless of an entry's object classes. For more information on required attributes and schema checking, see the iPlanet Directory Server Administrator's Guide and the iPlanet Directory Server Schema Reference Guide.

Specify RDNs in the same sequence or path. It is important to remember that a DN represents a path through a directory tree. If RDN keywords are not specified in the appropriate order, Directory Server may not be able to locate an entry.

For example,

cn=Ralph Swenson, ou=Accounting, o=Ace Industry, c=US

is not the same as

cn=Ralph Swenson, o=Ace Industry, ou=Accounting, c=US

because the organizational unit (ou) and organization (o) keywords are not listed in the same order.

User IDs must be unique. If duplicate user IDs exist in your directory, users with those IDs will not be able to authenticate to the directory. Exercise caution when using the ldapmodify command line utility to create users, since the utility does not check for duplicate user IDs.
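
The guidelines above can be applied as a pre-flight check on LDIF before it is loaded with ldapmodify. This is an added example, not code from the iPlanet documentation or product: the function names and the sample LDIF are constructed for illustration. It assumes DNs without backslash escapes, case-insensitive matching of RDN values and user IDs, and LDIF without base64 (::) values.

```python
import re
from collections import defaultdict


def split_dn(dn):
    """Split a DN into ordered (keyword, value) RDN pairs.

    Commas inside double quotes do not separate RDNs, so
    o="Ace Industry, Corp", c=US has two RDNs, not three.
    Assumption: the DN uses no backslash escapes.
    """
    parts, buf, in_quotes = [], [], False
    for ch in dn:
        if ch == '"':
            in_quotes = not in_quotes
        if ch == "," and not in_quotes:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    if in_quotes:
        raise ValueError("unterminated double quote in DN: %r" % dn)
    parts.append("".join(buf))
    rdns = []
    for part in parts:
        keyword, sep, value = part.partition("=")
        keyword = keyword.strip().lower()
        # Drop the quote marks, fold case and collapse runs of spaces.
        # Assumption: values use case-ignore matching, as cn, ou, o and uid do.
        value = " ".join(value.replace('"', "").lower().split())
        if not sep or not keyword or not value:
            raise ValueError("malformed RDN %r in DN %r" % (part.strip(), dn))
        rdns.append((keyword, value))
    return rdns


def same_entry(dn_a, dn_b):
    """True only if both DNs give the same RDNs in the same order."""
    return split_dn(dn_a) == split_dn(dn_b)


def ldif_records(ldif_text):
    """Yield (dn, {attribute: [values]}) for each record in an LDIF string."""
    unfolded = re.sub(r"\n ", "", ldif_text)  # join folded continuation lines
    for block in re.split(r"\n\s*\n", unfolded.strip()):
        dn, attrs = None, defaultdict(list)
        for line in block.splitlines():
            if not line.strip() or line.startswith("#"):
                continue
            name, _, value = line.partition(":")
            if value[:1] in (":", "<"):
                raise ValueError("base64/URL values are not handled: %r" % line)
            if name.strip().lower() == "dn":
                dn = value.strip()
            else:
                attrs[name.strip().lower()].append(value.strip())
        if dn is not None:
            yield dn, attrs


def duplicate_uids(ldif_text, existing_uids=()):
    """Return {uid: [where it occurs]} for each uid that would not be unique."""
    seen = defaultdict(list)
    for uid in existing_uids:
        seen[uid.lower()].append("(already in directory)")
    for dn, attrs in ldif_records(ldif_text):
        split_dn(dn)  # reject a malformed DN before it reaches the server
        for uid in sorted({u.lower() for u in attrs.get("uid", [])}):
            seen[uid].append(dn)
    return {uid: places for uid, places in seen.items() if len(places) > 1}


# Constructed sample input: two entries share a user ID that differs only in case.
SAMPLE_LDIF = """\
dn: cn=Ralph Swenson, ou=Accounting, o=Ace Industry, c=US
objectclass: inetOrgPerson
cn: Ralph Swenson
sn: Swenson
uid: rswenson

dn: cn=Rita Swenson, ou=Sales, o="Ace Industry, Corp", c=US
objectclass: inetOrgPerson
cn: Rita Swenson
sn: Swenson
uid: RSwenson

dn: cn=Mary Jones, ou=Sales, o=Ace Industry, c=US
objectclass: inetOrgPerson
cn: Mary Jones
sn: Jones
uid: mjones
"""

if __name__ == "__main__":
    for uid, places in duplicate_uids(SAMPLE_LDIF).items():
        print("duplicate uid %r: %s" % (uid, "; ".join(places)))
```

Pass the user IDs already present in the directory as existing_uids so that the check also covers collisions with entries that are not in the file.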


Locating a User or Group in the Directory

You can use the "Users and Groups" Search function to locate directory entries. Initially, the function is set to search within the default user directory. If you do not want to use the default user directory, you can manually change to another one. See "Choosing a Different Directory to Search" for more information.

Figure 5-1    The Users and Groups Tab of iPlanet Console



To Locate Users or Groups in the Directory

  1. In iPlanet Console, click the "Users and Groups" tab.

  2. Specify your search criteria in one of these ways:

    To find specific entries, enter all or part of a user, group, or organizational unit name in the text entry box. For example, entering John Swanson returns any entries with DNs containing "John Swanson" while entering John returns all entries with DNs containing the word "John."

    To see all the entries currently stored in your directory, leave the Search field blank or enter an asterisk (*). Keep in mind that retrieving all entries in a large database can take a long time.

    To specify more focused search criteria, click the Advanced button. In the "Search users and groups" dialog box, enter the following information:

    Search. Specify where to perform the search by choosing Users, Groups, Users and Groups, or Administrators.

    Where. First choose an RDN keyword, and then choose a search operator and type in a term.

Figure 5-2    Search Users and Groups Window


  3. Click Search.

    The search results are displayed in the list box.


Choosing a Different Directory to Search

When you use the Advanced Users and Groups Search function, the URL for the default user directory appears above the text entry box (see Figure 5-2). Initially, all searches are performed in this user directory. If you need to search a different user directory, you can choose one other than the default.


To Change the Directory to Search

  1. In iPlanet Console, click the "Users and Groups" tab.

  2. From the User menu, choose Change Directory.

  3. In the Change Directory dialog box, provide user directory information:

    User Directory Host. Enter the fully qualified host name where the user directory is installed.

    User Directory Port. Enter the port number used to connect to the user directory.

    Secure Connection. Check this box if the port number entered above is for use with the Secure Sockets Layer (SSL) protocol. Make sure that the port is configured to support SSL before selecting this option.

    User Directory Subtree. Enter the DN of the user directory subtree to search in. For example, to search all user entries in your organization, you might enter o=siroe.com. To search within the sales force, you might enter ou=sales, o=siroe.com.

    Bind DN. Enter the distinguished name of a user authorized to search entries in the user directory.

    Bind Password. Enter the password for the user specified by the Bind DN.

  4. Click OK.



Creating New Directory Entries

From the iPlanet Console "Users and Groups" tab, you can add or modify a user, group, or organizational unit.

Alternatively, you can perform these directory operations from the command line. For detailed information, see the iPlanet Directory Server Administrator's Guide.


Users

A user entry contains information about an individual person or resource in the directory. For example, you can create user entries for John Smith, Printer 3B, or Conference Room 25.


To Create a New User Entry in the Directory

  1. In iPlanet Console, click the "Users and Groups" tab.

  2. Click the Create button and then choose User. Alternatively you can open the User menu and choose Create > User.



  3. In the Select Organizational Unit dialog box, select the organizational unit (ou) to which the user will belong, and then click OK.



  4. In the Create User window, enter user information:



    First Name. Enter the user's first name.

    Last Name. Enter the user's last name (surname).

    Common Name. This is the user's full name. It is automatically generated based on the First Name and Last Name entered above. You can edit this name as necessary.

    User ID. When you enter a first and last name, the user ID is automatically generated. You can replace this user ID with one of your choosing. The user ID must be unique from all other user IDs in the directory.

    Password. (Optional) Enter the user's password. Alphanumeric characters, spaces, and punctuation marks are all acceptable.

    Confirm Password. If you entered the user's password, enter it again to confirm.

    E-Mail. (Optional) Enter the user's email address. If the user has multiple email addresses, separate them with commas. For example: jdoe@siroe.com, john.doe@siroe.net

    Phone. (Optional) Enter the user's telephone number. If the user has multiple telephone numbers, separate them with commas. For example: (550)555-1212, (950)555-2121, (725)222-5151

    Fax. (Optional) Enter the user's fax number. If the user has multiple fax numbers, separate them with commas. For example: 555-2211, 555-1221

  5. If you want to specify language-related information, click the Languages tab. From the drop-down list in the Languages panel, select the user's preferred language, and then enter language-related information:

    First Name. Enter the user's first name in the selected language.

    Last Name. Enter the user's last name (surname) in the selected language.

    Common Name. This is the user's full name in the selected language. It is automatically generated based on the First Name and Last Name entered above. You can edit this name as necessary.

    Phone. Enter the user's telephone number. If the user has multiple telephone numbers, separate them with commas. For example: (550)555-1212, (950)555-2121, (725)222-5151

    Pronunciation. If the selected language is commonly represented phonetically, additional fields are displayed. Enter the phonetic representation for the user's first, last, and common name.

  6. If you want to specify NT- or UNIX-specific attributes, click the NT User or Posix User tab. For more information, see "Specifying Windows NT and UNIX Systems Options."

  7. Click OK.


The User's Preferred Language

Sometimes a user's name can be more accurately represented using a character set other than that of the default language. For example, Noriko's name is Japanese, and she has indicated on her hiring forms that she prefers her name to be represented in Japanese characters. You can select Japanese as her preferred language so that her name will display in Japanese characters, even when a user's default language is English.

To indicate a user's preferred language, follow the instructions in step 5 of the section "To Create a New User Entry in the Directory."


Administrators

During installation, you are asked to enter a user name and password for the Configuration Administrator, the user authorized to access and modify the entire configuration directory. The Configuration Administrator entry is stored in the directory under the following DN:

uid=userID, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot.

During installation, the Configuration Administrator's user name and password are used to automatically create the Administration Server Administrator. This user can perform a limited number of tasks, such as starting, stopping, and restarting servers in a local server group. The Administration Server Administrator is created for the purpose of logging into iPlanet Console when the Directory Server is not running.

The Administration Server Administrator does not have an LDAP entry; it exists only as an entity in a local configuration file stored at:

<server_root>/admin-serv/config/admpw.

Even though they are created at the same time during installation, and are identical at that time, the Configuration Administrator and Administration Server Administrator are two separate entities. If you change the user name or password for one, iPlanet Console does not automatically make the same changes for the other.

For more information on modifying the Configuration and Administration Server Administrators, see "Modifying Existing Directory Entries."


To Create an Administrator

  1. In iPlanet Console, click the "Users and Groups" tab.

  2. Click the Create button and then choose Administrator.



    Alternatively, you can open the User menu and choose Create > Administrator.

  3. In the Create Administrator window, enter the appropriate user information.

    The requested information is exactly the same as in the Create User dialog box, except that Password is a required field. For more information, see steps 4 through 7 of "To Create a New User Entry in the Directory."


Specifying Windows NT and UNIX Systems Options

You can enable additional user configuration panels to store Windows NT and UNIX user information in the directory. If you are using Directory Server Synchronization Services, you can use these panels to specify the options and attributes to synchronize with your operating system. There are two panels you can enable: NT User and Posix User.

By default, you must enable these panels for each individual user. If you want to enable these panels automatically for every new user, you can do so by modifying the configuration directory. Once you have enabled these panels, you can use them to set Windows NT and UNIX Systems options and attributes.

The following procedures show you how to enable these panels and modify Windows NT and UNIX Systems options and attributes.


To Enable Windows NT and UNIX Systems Panels for an Individual User

  1. In the Create User window, click the NT User or Posix User tab.

    The appropriate panel appears.

  2. Enable the fields in the panel.

    To enable the NT User fields, select "Enable Windows NT user attributes."

    To enable the Posix User fields, select "Enable Posix user attributes."


To Enable Windows NT and UNIX Systems Panels for All New Users

  1. Open your Directory Server management window.

  2. Click the Directory tab and click NetscapeRoot in the navigation tree.

  3. Click to open your administration domain, and then click the pluses (+) to expand GlobalPreferences > Admin > 4.0.

  4. Click the defaultObjectClassesContainer folder, and then click "user" in the right-hand panel.

  5. From the Object menu, choose Open.

  6. Select "nsdefaultobjectclass," then, from the Edit menu, choose Add Value.

    A blank field appears. If you are enabling both the Windows NT and Posix/UNIX panels, choose Add Value a second time to create another blank field.

  7. Enter the appropriate object class name in the field.

    To enable the NT User panel, enter ntUser. To enable the Posix User panel, enter posixUser.

  8. Click OK.


To Set Windows NT and UNIX Systems Options and Attributes for a New User

  1. Follow steps 1-5 of "To Create a New User Entry in the Directory." If you want to store Windows NT-specific user information in the directory, click the NT User tab, enable the fields by selecting "Enable Windows NT user attributes," and then enter the following information:

    NT User ID. Enter the user's NT login name.

    Create New NT Account. (Optional) Check this box if you are using Directory Server's NT Synch Service and want to add this entry to the NT user database.

    Delete NT Account If Person Deleted. (Optional) Check this box if you are using Directory Server's NT Synch Service and want the delete operation to also remove this user from the NT user database. Checking this box will not delete the user. It only indicates that, if the user is deleted from the iPlanet User Directory, he will also be removed from the NT user database.

    Comment. (Optional) Enter a descriptive comment about this user.

    User Profile Path. (Optional) Enter the path to this user's profile. Use the NT network path format. For example: \\aphrodite\profiles\john.

    Logon Script. (Optional) Enter the path to the user's logon script. This path is relative to the system's logon script path. For example, if the system path is \\aphrodite\logon, you might enter writers.bat or writers\john.cmd depending on where you store your user scripts.

    Home Drive. (Optional) Use the drop-down list to choose the drive on which this user's home directory is located.

    Home Directory. (Optional) Enter the path to this user's home directory. Use the NT network path format or an absolute path. For example, you can enter either \\aphrodite\users\john or C:\user profiles\john.

    Logon Server. (Optional) Enter the path to the server on which this user's logon script is stored. Use the NT network path format.

    Logon Hours. (Optional) Click to set the hours during which this user can log on.

    User Workstations List. (Optional) Enter the computers from which this user can log on.

    Change. (Optional) Click to change the date and time at which the user's account expires.

  2. If you want to store UNIX Systems-specific user information in the directory, click the Posix User tab, enable the fields by selecting "Enable Posix user attributes," and then enter the following information:

    UID Number. Enter the user's UNIX ID number.

    GID Number. Enter the user's UNIX group ID number.

    Home Directory. Enter the path to the user's home directory. For example, /u/jdoe.

    Login Shell. (Optional) Enter the path to the user's login shell. For example, /usr/local/bin/tcsh.

    Gecos. (Optional) The value of this user's pw_gecos entry in /etc/passwd.

  3. Click OK.


Groups

A group consists of users who share a common attribute or are part of a list. For example, you might set up a group called Sales consisting of all users whose entries contain the attribute ou=Sales. iPlanet Directory Server supports three types of groups: static, dynamic, and certificate. Each group differs in the way in which users, or members, are added to it. The following descriptions explain this.

A static group consists only of users that have been added to it. It is called static because it doesn't change unless you add a user to it or delete a user from it. For example, if you create a static group called Marketing, none of the users who have the attribute department=marketing in their entry are members of the Marketing group until you explicitly add each one to the group.

One special static group is called the Configuration Administrators group. It is automatically created and populated when the configuration directory is installed. Members of the Configuration Administrators group have unrestricted access to the configuration directory. The group is stored in the configuration directory under the following DN:

ou=Groups, ou=TopologyManagement, o=NetscapeRoot

Initially, the Configuration Administrator is the only member of the Configuration Administrators group. If he wants to give additional users his level of administrative privilege, he can do so by adding them as members of the group. These users can access the configuration directory in the same way as the Configuration Administrator. Any member of the Configuration Administrators group can add additional members.

A dynamic group automatically includes users based on one or more attributes in their entry. For example, you can create a dynamic group called California Sales that automatically includes any entry containing the attributes st=California and department=sales. These attributes are specified as part of an LDAP URL. Whenever you search for members of the California Sales group, the results contain all entries located by the URL.

A certificate group includes all users who have a certificate containing a common attribute. For example, you can create a certificate group called California Western Sales whose members share these attributes: ou=Sales, ou=West, st=CA. When an individual user logs on to a server, if all of these attributes are found in his certificate, the user is automatically recognized as belonging to the group. If the user's certificate does not contain these attributes, he is not recognized as a member of the California Western Sales group and does not receive the same access, privileges, or permissions as group members.


To Create a Static Group in the Directory

  1. In iPlanet Console, click the "Users and Groups" tab.

  2. Click the Create button and then choose Group. Alternatively you can open the User menu and choose Create > Group.



  3. In the Select Organizational Unit dialog box, select the organizational unit (ou) to which the group will belong, and then click OK.

  4. In the Create Group dialog box, enter group information:

    Group Name. Enter a name for the group.

    Description. (Optional) Enter a description to help you identify this group.



  5. Create the group, or specify members for the group before creating it.

    If you want to create only the group now, and add group members later, click OK and skip the rest of this procedure.

    If you want to immediately add members to the group, click Members and then continue to the next step.

  6. In the Members panel, click Add, and then use the Search dialog box to locate a user you want to add to the Members User ID list. Repeat this step until all the users you want to add to the group are displayed in the Member User ID list.


To Add Users to the Configuration Administrators Group

  1. In iPlanet Console, click the "Users and Groups" tab, and then choose Change Directory from the User menu.

  2. In the Change Directory window, indicate the location of the user directory that contains the Configuration Administrators group:

    User Directory Host. Enter the fully qualified host name where the user directory is installed.

    User Directory Port. Enter the port number you want to use to connect to the user directory.

    User Directory Subtree. Enter o=NetscapeRoot to indicate where to find the Configuration Administrators group.

    Bind DN. Enter the DN of a user authorized to change entries in the user directory.

    Bind Password. Enter the password of the user directory administrator.



  3. Click OK.

  4. Use the Search function to locate and highlight the Configuration Administrators group, and then click Edit.

  5. In the Edit Group window, click Members.



  6. Click Add.

  7. In the Search Users and Groups window, locate and select the user you want to add, and then click OK.

    Repeat this step until all the users you want to add to the group are displayed in the Members list, and then click OK.


To Create a Dynamic Group

  1. In iPlanet Console, click the "Users and Groups" tab.

  2. Click the Create button and then choose Group. Alternatively you can open the User menu and choose Create > Group.

  3. In the Select Organizational Unit dialog box, select the organizational unit (ou) to which the group will belong, and then click OK.

  4. In the Create Group dialog box, enter general group information.

    Group Name. Enter a name for the group.

    Description. (Optional) Enter a description to help you identify this group.

  5. Click Members.

  6. Click Dynamic Group, and then click Add.

  7. Use the "Construct and Test LDAP URL" dialog box to specify the criteria for including users in the dynamic group.

    If you know the exact LDAP URL you want to use to include users in the group, enter it and skip to Step 10.

    The LDAP URL will take this form:

    ldap:///o=base_suffix??sub?(RDN_or_attribute=value)

    For example:

    ldap:///o=siroe.com??sub?(department=marketing)

    If you want to interactively build an LDAP URL for including users in the group, click Construct.


  8. In the Construct LDAP URL dialog box, provide search criteria:

    LDAP Server Host. Displays the fully qualified host name of the Directory Server in which you are searching.

    Port. Displays the port number for the listed LDAP Server Host.

    Base DN. Enter the base DN from which to begin the search. Example: ou=Marketing, o=Siroe Corp, c=US

    Search. Specify the user directory subtree you want to search.

    for. Specify whether you want to search users, groups, or both.

    where. In the drop-down lists, first select an attribute, and then a search operator. In the last input field, enter a search string, and then click Search.

    More. If you want to specify more attributes to search for, click this button.



  9. Click OK.

  10. If you want to see a list of users and groups included in the dynamic group, click Test in the Construct and Test LDAP URL dialog box.

  11. Click OK to confirm your acceptance of the LDAP URL and add it to the list used to include members in this dynamic group.

    If you want to create additional LDAP URLs for including members in this group, repeat steps 6 through 11.
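
Because a dynamic group's membership is whatever its LDAP URL matches, it is worth checking which entries a URL selects before the group is used for access control. The following added example, which is not part of the iPlanet documentation or product, parses the URL form shown in step 7 and evaluates it against constructed sample entries. Function names are illustrative, and only &, |, ! with equality, presence and * wildcard items are supported.

```python
import re
from urllib.parse import unquote


def parse_ldap_url(url):
    """Split ldap://host:port/base?attributes?scope?filter into its fields."""
    if not url.lower().startswith("ldap://"):
        raise ValueError("not an ldap:// URL: %r" % url)
    host, _, rest = url[len("ldap://"):].partition("/")
    base, attrs, scope, flt = [unquote(f) for f in (rest.split("?") + [""] * 3)[:4]]
    # Omitted scope and filter take the RFC 4516 defaults.
    return {"host": host, "base": base, "attrs": [a for a in attrs.split(",") if a],
            "scope": scope.lower() or "base", "filter": flt or "(objectClass=*)"}


def parse_filter(text):
    """Parse a filter built from &, |, ! and attr=value items (* is a wildcard)."""
    text = text.strip()
    node, end = _parse_node(text, 0)
    if end != len(text):
        raise ValueError("trailing text after filter: %r" % text[end:])
    return node


def _parse_node(s, i):
    if i >= len(s) or s[i] != "(":
        raise ValueError("expected '(' at offset %d in %r" % (i, s))
    i += 1
    if i < len(s) and s[i] in "&|!":
        op, i, kids = s[i], i + 1, []
        while i < len(s) and s[i] == "(":
            kid, i = _parse_node(s, i)
            kids.append(kid)
        if i >= len(s) or s[i] != ")" or not kids or (op == "!" and len(kids) != 1):
            raise ValueError("malformed %r clause in %r" % (op, s))
        return (op, kids), i + 1
    end = s.find(")", i)
    attr, sep, value = s[i:max(end, i)].partition("=")
    attr = attr.strip().lower()
    if end < 0 or not sep or not attr or attr[-1] in "<>~":
        raise ValueError("unsupported or malformed item in %r" % s)
    return ("=", attr, value.strip().lower()), end + 1


def matches(node, entry):
    """Evaluate a parsed filter against one entry ({lower-case attr: [values]})."""
    if node[0] == "&":
        return all(matches(kid, entry) for kid in node[1])
    if node[0] == "|":
        return any(matches(kid, entry) for kid in node[1])
    if node[0] == "!":
        return not matches(node[1][0], entry)
    _, attr, pattern = node
    regex = ".*".join(re.escape(piece) for piece in pattern.split("*"))
    return any(re.fullmatch(regex, v.lower()) for v in entry.get(attr, []))


def rdns(dn):
    """Normalised RDN list; commas inside double quotes do not split the DN."""
    parts = re.split(r',(?=(?:[^"]*"[^"]*")*[^"]*$)', dn) if dn.strip() else []
    return [re.sub(r"\s*=\s*", "=", " ".join(p.replace('"', "").lower().split()), count=1)
            for p in parts]


def members(url, entries):
    """Return the DNs in `entries` that the dynamic-group URL would include."""
    u = parse_ldap_url(url)
    if u["scope"] not in ("base", "one", "sub"):
        raise ValueError("unknown scope %r" % u["scope"])
    base, flt, found = rdns(u["base"]), parse_filter(u["filter"]), []
    for dn, attrs in entries.items():
        entry_rdns = rdns(dn)
        depth = len(entry_rdns) - len(base)  # levels below the base DN
        if depth < 0 or entry_rdns[depth:] != base:
            continue
        scope_ok = {"base": depth == 0, "one": depth == 1, "sub": depth >= 0}
        if scope_ok[u["scope"]] and matches(flt, attrs):
            found.append(dn)
    return sorted(found)


# Constructed sample entries (not taken from any real directory).
ENTRIES = {
    "cn=Barbara Jones, ou=Engineering, o=siroe.com": {"department": ["engineering"], "st": ["California"]},
    "cn=Jeff Lee, ou=Marketing, o=siroe.com": {"department": ["Marketing"], "st": ["California"]},
    "cn=Mary Smith, ou=Sales, o=siroe.com": {"department": ["sales"], "st": ["Minnesota"]},
    "cn=Ben Hurst, ou=Sales, o=siroe.com": {"department": ["sales"], "st": ["California"]},
    "cn=Jeff Lee, ou=Marketing, o=other.com": {"department": ["marketing"]},
}

if __name__ == "__main__":
    for url in ("ldap:///o=siroe.com??sub?(department=marketing)",
                "ldap:///o=siroe.com??sub?(department=*)"):
        print(url, "->", members(url, ENTRIES))
```

A presence filter such as (department=*) selects every entry under the base that has the attribute, so review the member list before attaching permissions to the group.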


To Create a Certificate Group

  1. In iPlanet Console, click the "Users and Groups" tab.

  2. Click the Create button and then choose Group. Alternatively, you can open the User menu and choose Create > Group.

  3. In the Select Organizational Unit dialog box, select the organizational unit (ou) to which the group will belong, and then click OK.

  4. In the Create Group dialog box, enter group information:

    Group Name. Enter a name for the group.

    Description. (Optional) Enter a description that helps you identify this group.

  5. Click Members.

  6. Click Certificate Group, and then click Add.

  7. In the Certificate Group dialog box, fill in one or more of the following fields:

    Common Name. Enter the full name of the group. Example: Database Administrators.

    Organization. Enter the name of the organization the group belongs to. Example: Operations Group.

    Mail. Enter the street address for the group.

    Country. Enter the country code for the group.

    Locality. Enter the city name for the group's business.

    State/Province. Enter the state or province name for the group.

    Unit. Enter the name of the organizational unit that the group belongs to. Example: IS Department.



  8. Click OK.


Organizational Units

An organizational unit can include a number of groups and usually represents a division, department, or other discrete business group.

When you create a new organizational unit, you add a branch to the directory. This is reflected through the use of an ou RDN. For example, if you create a new organizational unit called Accounting within the organizational unit West Coast, and your Base DN is o=Siroe, c=US, then the new organizational unit's DN is:

ou=Accounting, ou=West Coast, o=Siroe, c=US


To Create a New Organizational Unit

  1. In iPlanet Console, click the "Users and Groups" tab.

  2. Click the Create button and then choose Organizational Unit. Alternatively, you can open the User menu and choose Create > Organizational Unit.



  3. In the Select Organizational Unit dialog box, select the directory subtree in which to store the new organizational unit.

  4. In the Create Organizational Unit dialog box, enter organizational unit information:

    Name. Enter a name for the organizational unit.

    Description. (Optional) Enter a description that helps you identify the organizational unit.

    Phone. (Optional) Enter a phone number where one can reach a contact person (such as an administrative assistant) for the organizational unit.

    Fax. (Optional) Enter a fax number where one can reach a contact person (such as an administrative assistant) for the organizational unit.

    Alias. (Optional) Enter another name, such as a nickname or acronym, that you might use in place of the Name entered above.

  5. Click OK.



Modifying Existing Directory Entries

From the iPlanet Console "Users and Groups" tab, you can change existing directory entries. Therefore, you can easily update user and group information whenever you need to.


Updating User and Group Entries

Before you can modify user or group data, you must first locate a user or group entry in the directory. See "Locating a User or Group in the Directory" for more information on using the "Users and Groups" Search function to find directory entries.

Once you have located an entry, you can modify it or remove it. If you are working with a user entry, you can also change its password.


To Edit a User or Group Entry in the Directory

  1. In the "Users and Groups" tab of iPlanet Console, use the Search function to locate the user or group.

  2. Once the user or group name appears in the search results list, select it, and then click Edit.

  3. Modify user or group information as necessary, and then click OK.


To Change a User Password

  1. In the "Users and Groups" tab of iPlanet Console, use the Search function to locate the user.

  2. Once the user appears in the search results list, select it, and then click Edit.

  3. Enter the new password information:

    Password. Enter the new password. Alphanumeric characters, spaces, and punctuation marks are all acceptable.

    Confirm Password. Enter the password again to confirm.

  4. Click OK for the change to take effect.


To Change the Configuration Administrator's User Name or Password

  1. In the "Users and Groups" tab of iPlanet Console, click Advanced.

  2. In the "Search users and groups" dialog box, enter search information.

    If you have never changed the Configuration Administrator's user name, enter the following information:

    Search. Select Administrators from the drop-down list.

    where. Select cn and contains from the drop-down lists and enter Configuration Administrator in the field.

    If you have changed the Configuration Administrator's user name, enter the following information:

    Search. Select Administrators from the drop-down list.

    where. Select cn and contains from the drop-down lists and enter the user name of the Configuration Administrator in the field.

  3. Click Search.

    The results appear in the "Users and Groups" tab.

  4. Click Close.

  5. Select the Configuration Administrator from the list of search results, and then click Edit.

  6. Enter the administrator's new user name and password:

    First Name. Enter the administrator's first name.

    Last Name. Enter the administrator's last name (surname).

    Common Name. This is the administrator's full name. It is automatically generated based on the First Name and Last Name entered above. You can edit this name as necessary.

    User ID. When you enter a first and last name, the user ID is automatically generated. You can replace this user ID with one of your choosing.

    Password. (Optional) Enter the new administrator's password. Alphanumeric characters, spaces, and punctuation marks are all acceptable.

    Confirm Password. If you entered a password, enter it again to confirm it.

  7. Click OK.

  8. If you bind to the directory as the Configuration Administrator when searching for users, update your user directory information by completing these steps:

    1. Click the "Users and Groups" tab of iPlanet Console, and choose Change Directory from the User menu.

    2. In the Change Directory window, update the Bind DN and Bind Password with the new information for the Configuration Administrator, and then click OK.


To Change the Administration Server Administrator's User Name or Password

  1. In the iPlanet Console navigation tree, select the Administration Server instance whose administrator user name or password you want to change.

  2. Click Open to open the management window for the instance of Administration Server.

  3. Click the Configuration tab.

  4. In the Configuration tab, click the Access tab.

  5. In the Access tab, enter information for the following fields:

    Username. Enter the user name for the Administration Server Administrator.

    Password. Enter the password for the Administration Server Administrator.

    Confirm Password. Enter the password again to confirm it.

    If you make an error while entering this information, you can click Reset to restore the original values for the fields.

  6. Click Save to save the new Administration Server Administrator user name or password.

  7. Restart the instance of Administration Server.


To Remove a User, Group, or Organizational Unit From the Directory

  1. In the "Users and Groups" tab of iPlanet Console, use the Search function to locate and highlight the user, group, or organizational unit you want to delete.

    If you are removing an organizational unit, you must first remove all users and groups belonging to it.

  2. Click Delete.

  3. Click OK when prompted to confirm the deletion.
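
The rule in step 1, that an organizational unit can be removed only after the users and groups belonging to it, applies equally when the removal is planned outside the console. The following added example is not part of the iPlanet documentation: it orders a constructed list of entry DNs, built on the o=Siroe, c=US example, so that every entry below the target comes before the target itself. The function names are hypothetical, and DN matching is assumed to be case-insensitive.

```python
# Added example; not iPlanet Console code. Function names are hypothetical.

def split_rdns(dn):
    """Split a DN into RDNs on unescaped commas, trimming unescaped padding."""
    rdns, cur, i = [], [], 0
    while i <= len(dn):
        if i == len(dn) or dn[i] == ",":
            while cur and cur[0] == " ":
                cur.pop(0)
            while cur and cur[-1] == " ":
                cur.pop()
            rdns.append("".join(cur).lower())  # assumption: case-insensitive match
            cur = []
            i += 1
        elif dn[i] == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])            # an escaped character is one unit
            i += 2
        else:
            cur.append(dn[i])
            i += 1
    return rdns


def is_under(dn, ancestor):
    """True if dn names an entry strictly below ancestor."""
    child, parent = split_rdns(dn), split_rdns(ancestor)
    return len(child) > len(parent) and child[-len(parent):] == parent


def removal_order(target_dn, directory_dns):
    """Entries to delete, deepest first, ending with the target itself."""
    below = [dn for dn in directory_dns if is_under(dn, target_dn)]
    below.sort(key=lambda dn: len(split_rdns(dn)), reverse=True)
    return below + [target_dn]


# Constructed sample entries; only the DN pattern comes from the page.
ENTRIES = [
    "ou=West Coast, o=Siroe, c=US",
    "ou=Accounting, ou=West Coast, o=Siroe, c=US",
    "cn=Payroll, ou=Accounting, ou=West Coast, o=Siroe, c=US",
    "uid=jdoe, ou=Accounting, ou=West Coast, o=Siroe, c=US",
    "uid=asmith, ou=West Coast, o=Siroe, c=US",
]

if __name__ == "__main__":
    for dn in removal_order("ou=West Coast, o=Siroe, c=US", ENTRIES):
        print(dn)
```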


Copyright © 2001 Sun Microsystems, Inc. Some preexisting portions Copyright © 2001 Netscape Communications Corp. All rights reserved.