iPlanet Directory Access Router Administrator's Guide



Chapter 6   Creating and Managing Groups


When an LDAP client requests a service from an LDAP directory, it connects to iPlanet Directory Access Router (iDAR), which in turn identifies the client, determines whether the client is allowed to request the service from the directory, imposes configured restrictions, and then forwards the request to the appropriate directory. This chapter explains how to configure iDAR to identify clients and impose any restrictions using the iDAR Configuration Editor Console.

The chapter has the following sections.



Overview of Groups

iDAR network groups are key to understanding how iDAR works—they define how iDAR should identify an LDAP client and what restrictions iDAR should enforce on clients that match that group. It's important that you understand iDAR groups clearly in order to use them to effectively control directory access by LDAP clients.

You use network groups to identify the following:

  • A client

  • A set of LDAP directories to which iDAR can forward requests from a client.

  • A set of operations a client can perform while interacting with its set of directories.

  • The data accessible to a client while interacting with its set of directories. (Because iDAR enables you to hide certain entries and rename attributes in a directory, you can effectively control which data contained within a directory is viewable by a client.)

iDAR determines the group membership for a client by attempting to match the connection's origination attributes with a group's criteria. The server checks currently-configured groups in the descending order of priority, from the highest to the lowest priority. The first network group criteria to match the connection's origination attributes receives the connection. For this reason, it's important to create separate groups for generic and specific criteria, and prioritize the groups from most specific to most general.

If no groups are found to match a client, the client's request is rejected and the connection is closed. For this reason, there must be at least one group entry in the iDAR configuration.

The order of priority for groups is specified by their placement in the Network Groups window of the iDAR Configuration Editor Console (see Figure 6-1). In this window, groups on the bottom of the list have less priority than those towards the top. The order of evaluation of groups with equal priority is undefined.

Figure 6-1    iDAR Configuration Editor Console: Network Groups Window


Note that clients are initially identified into a group based on the network address they connect from, for example, their IP address and/or domain name. They may change their group after a successful bind; for details, see Chapter 8 "Creating and Managing Event Objects." Once a client obtains membership in a group, it implies that all the properties of the group apply to the client.

Figure 6-2 illustrates how groups are evaluated by iDAR in response to a client query.

Figure 6-2    iDAR Decision Tree for Determining Group Membership


Network criteria for groups can be based on the following:

  • IP address or network mask of the hosts

    • Single IP address (for example, 129.153.129.14)

    • IP quad/match bits (for example, 129.153.129.0/24)

    • IP quad/match quad (for example, 129.153.129.0/255.255.255.128)

  • Domain name of the hosts

    • Full name (for example, siroe.com)

    • Suffix name (for example, eng.siroe.com)

  • Special

    • ALL (This is to be used for "catch-all" groups.)

    • 0.0.0.0 (This is to be used for groups to which initial membership is not considered, for example, if a group is only used for clients to switch to when they bind.)

To further understand how iDAR evaluates groups, take a look at the sample groups listed in Table 6-1. It shows five groups, created with specific to generic network criteria, and listed in the descending order of priority.


Table 6-1    Sample Groups

| Priority | Group Name | Network Criteria |
|---|---|---|
| 5 | Admin-machine | 129.153.129.72 |
| 4 | IT-management-subnet | 129.153.120.0/24 |
| 3 | Operations | *.ops.siroe.com |
| 2 | Catch-all | ALL |
| 1 | Trusted | 0.0.0.0 |

When an LDAP client requests a service from an LDAP directory, iDAR checks whether the request is from IP address 129.153.129.72. If it isn't, iDAR checks whether the request matches 129.153.129.0/24. If it doesn't, iDAR checks whether the request originated from *.ops.siroe.com. If it didn't, iDAR places the connection in a Catch-all group, and then moves to the next step in the decision tree (see Figure 6-2).
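The evaluation order described above, as an added Python sketch (not iDAR code and not part of the original guide): it models first-match group selection over Table 6-1 as printed, also handles the IP quad/match quad form, and adds a check for groups that a more general, higher-priority criterion would shadow. The function names, the tuple layout and the treatment of "*.ops.siroe.com" as a domain suffix are assumptions.

```python
import ipaddress

# Table 6-1 as printed on the page: (priority, group name, network criterion).
SAMPLE_GROUPS = [
    (5, "Admin-machine", "129.153.129.72"),
    (4, "IT-management-subnet", "129.153.120.0/24"),
    (3, "Operations", "*.ops.siroe.com"),
    (2, "Catch-all", "ALL"),
    (1, "Trusted", "0.0.0.0"),
]


def as_network(criterion):
    """Parse the three IP forms (single address, quad/bits, quad/quad).

    Returns None for ALL, 0.0.0.0 and domain-name criteria.
    """
    if criterion in ("ALL", "0.0.0.0"):
        return None
    try:
        return ipaddress.ip_network(criterion, strict=False)
    except ValueError:
        return None  # not an IP form, so it is treated as a domain name


def criterion_matches(criterion, client_ip, client_host=None):
    """True if one criterion matches the connection's origination attributes.

    client_host is the name a reverse DNS lookup returned, or None when the
    lookup is disabled or found nothing (hypothetical parameter).
    """
    if criterion == "0.0.0.0":
        return False  # group is never considered for initial membership
    if criterion == "ALL":
        return True
    net = as_network(criterion)
    if net is not None:
        return ipaddress.ip_address(client_ip) in net
    if client_host is None:
        return False  # domain criteria cannot match without a reverse lookup
    host = client_host.lower().rstrip(".")
    name = criterion.lower()
    if name.startswith("*."):  # assumption: "*.x" means the same as suffix ".x"
        name = name[1:]
    if name.startswith("."):
        return host.endswith(name)
    return host == name


def assign_group(groups, client_ip, client_host=None):
    """First match in descending priority wins; None means reject and close."""
    ordered = sorted(groups, key=lambda g: g[0], reverse=True)
    for _prio, name, criterion in ordered:
        if criterion_matches(criterion, client_ip, client_host):
            return name
    return None


def shadowed_groups(groups):
    """Return (group, shadowing group) pairs.

    A group is shadowed when a strictly higher-priority group uses ALL or an
    IP range that encloses its own, so it can never receive a new connection.
    Groups with 0.0.0.0 are skipped: they are only reached after a bind.
    """
    ordered = sorted(groups, key=lambda g: g[0], reverse=True)
    findings = []
    for prio, name, criterion in groups:
        if criterion == "0.0.0.0":
            continue
        low = as_network(criterion)
        for hi_prio, hi_name, hi_criterion in ordered:
            if hi_prio <= prio:
                continue  # equal priority: evaluation order is undefined
            high = as_network(hi_criterion)
            encloses = low is not None and high is not None and low.subnet_of(high)
            if hi_criterion == "ALL" or encloses:
                findings.append((name, hi_name))
                break
    return findings


if __name__ == "__main__":
    # Constructed client addresses and host names, for illustration only.
    for ip, host in [("129.153.129.72", None), ("129.153.120.9", None),
                     ("10.1.2.3", "ldap1.ops.siroe.com"), ("10.1.2.3", None)]:
        print(ip, host, "->", assign_group(SAMPLE_GROUPS, ip, host))
    print("shadowed:", shadowed_groups(SAMPLE_GROUPS))
```

Running shadowed_groups over a planned group list before saving it in the console shows whether a catch-all or a wide subnet has been placed above a more specific group.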

Figure 6-3 shows that part of the iDAR Configuration Editor Console where you are able to create groups.

Figure 6-3    iDAR Network Group Definition


Notice that when creating a network group, you're given the opportunity to specify a combination of criteria. Table 6-2 summarizes them.


Table 6-2    List of Available Criteria for Network Groups

| Criteria | Description |
|---|---|
| LDAP Server(s) | Enables you to specify the LDAP servers to which requests from clients in a network group should be forwarded. Shows the list of existing objects for the LDAP Server and Load Balancing properties; for details, see LDAP Server Property and Load Balancing Property. The iDAR configuration must include a group with either of the two properties. Otherwise, iDAR will fail to start. |
| Network | Enables you to specify connection details and other network criteria for clients so that their requests get sorted or filtered into the appropriate groups. |
| Events | Enables you to specify which events, if any, to associate with a group, so that clients in the group can effectively change group after binding successfully to a specified directory. Shows the list of existing objects for events; for details, see Creating Groups. |
| Encryption | Enables you to specify encryption criteria for the group (for example, to specify whether clients can request an SSL session). |
| Compatibility | The LDAP v2 specification (RFC 1777) does not allow a client to bind multiple times in one session. However, some clients expect this functionality. This option can be set to interoperate with these clients. |
| Forwarding | Enables you to specify the criteria for passing the bind, compare, and other LDAP requests to the server. |
| Data Hiding | Enables you to specify which subtree, entries, or attributes of the entries in a directory are to be hidden from a group. Shows the list of existing objects for the Forbidden Entry property; for details, see Forbidden Entry Property. |
| Search | Enables you to specify the scope and size limit of searches for a group. Shows the list of existing objects for the Search Size Limit property; for details, see Search Size Limit Property. |
| Attributes | Enables you to specify rules for preventing certain kinds of search and compare operations from reaching the LDAP server. Shows the list of existing objects for the Attribute Renaming property; for details, see Attribute Renaming Property. |
| Referrals | Enables you to specify whether a group should forward, follow, or discard referrals returned by the server. Note that a client that does not implement LDAPv3 will not understand forwarded referrals. This setting applies to all referrals except for the search-continuation referrals. |
| Server Load | Enables you to specify details such as the total number of connections to a group, simultaneous and total operations per connection, simultaneous operations per IP address, and so on. |



Creating Groups



This section explains how to create groups using the iDAR Configuration Editor Console. Before you start creating a group, be sure to read section Overview of Groups and understand the significance of iDAR groups. After you create the required groups and prioritize them, be sure to test the configuration to see if the groups filter client requests as desired.

Notice that when creating a network group, you're given the opportunity to specify a variety of criteria. The instructions provided in this section present all these criteria in the order in which they appear on the UI, and rely on your judgement to set the appropriate criteria for a group.

To create a network group in iDAR, follow these steps:

  1. Access the iDAR Configuration Editor Console; see Accessing the iDAR Consoles.

  2. In the navigation tree, select Network Groups.

    The right pane shows the list of existing groups.



  3. Click New.

    The Network Group window appears.



  4. In the Name field, type a name for the group. The name must be a unique alphanumeric string. (This value must be present as it forms the RDN of entries of this class.)

  5. Make sure that the Enabled option is selected; by default, it is selected. For a group to be part of an iDAR configuration, this option must be selected. Deselect the option to disable the group in a configuration.

  6. If you want the group to forward requests to LDAP servers, make sure that LDAP Server(s) is selected on the left frame, and specify the appropriate values on the right frame.

    The description of the on-screen elements is as follows:

    Forward all requests to. Select this option if you want the group to forward requests to a specified LDAP server. The associated drop-down list shows existing objects for the LDAP Server property; see LDAP Server Property. Select an appropriate object. By default, no (<NONE>) objects are selected. If there isn't an object, you can create one on the fly by clicking on the New button.

    New. Displays a dialog to create a new object for the LDAP Server property.

    Edit. Displays a dialog to edit an existing LDAP Server property.

    Load balance requests using the following property. Select this option if you want the group to use a Load Balance property to handle requests from clients. The associated drop-down list shows existing objects for the Load Balance property; see Load Balancing Property. Select an appropriate object. By default, no (<NONE>) objects are selected. If there isn't an object, you can create one on the fly by clicking on the New button.

    New. Displays a dialog to create a new Load Balance property.

    Edit. Displays a dialog to edit an existing Load Balance property.

  7. If you want to specify network criteria for the group to sort or filter requests, select Network on the left frame and specify the appropriate values on the right frame.



    The description of the on-screen elements is as follows:

    Specify connection timeout. Select this box if you want to enter a period of client inactivity after which iDAR may close the connection to the client. The value must be a number in seconds, typically 120 or more. By default, no value is present, which means that connections do not time out. Note that if TCP keepalives are not enabled, this attribute must be present to keep iDAR from being clogged by lost client connections.

    Perform reverse DNS lookup of connecting clients. By default, this option is enabled. If Reverse DNS lookup is disabled, iDAR will not perform a reverse DNS lookup to find the domain name of the connecting client. Disabling Reverse DNS lookup can sometimes significantly improve iDAR performance. If you have used a domain name or a domain name suffix as a value in the "Client Network Binding Criteria," you must not disable Reverse DNS lookup, otherwise iDAR will not function properly.

    Enable TCP no delay. By default, this option is enabled. If the option is disabled, then iDAR will disable the Nagle Algorithm for connections between itself and clients that fall into this group. "TCP no delay" should only be disabled if the network bandwidth between iDAR and clients is small; however, it may create substantial performance degradation.

    Client Network Binding Criteria. Use this section to specify which clients are able to bind in this network group.

    No IP binding. Select this option if clients are only to switch when they bind to the group. By default, this option is enabled. Disable the option if the group is only used for clients to switch to when they bind.

    Bind from ANY network host. Select this option if all hosts are allowed to bind with this network group.

    Bind with the following criteria. Select this option to specify the domain names or IP addresses of the hosts that match the network group; in this case, the group must specify the domain name or IP address of the host that will bind to it.

    Add. Displays a dialog to add a network criterion. There are four options: "Domain Name," "IP address," "IP address and bits," and "IP address and quad."

    Edit. Displays a dialog to edit a network criterion.

    Remove. Displays a dialog to remove a network criterion.

    Domain name dialog. Specify the domain name of a client that can bind to a network group, for example, foo.siroe.com. Note that iDAR does not assume any domain suffix by default; hence, complete domain names must be provided. A domain name suffix with a leading period, for example, .siroe.com will cause all hosts with domain names that end in that suffix to match.

    IP address. Specify a single IP address in dotted decimal form, for example, 198.214.11.1.

    IP address and bits. Specify an IP network mask, in the form of <network number>/<mask bits>, for example, 198.241.11.0/24. The first half is the network number and the second half indicates the number of bits of the network number necessary for matching.

    IP address and quad. Specify an IP network mask, in the form of a pair of dotted decimal quads, for example, 198.241.11.0/255.255.255.128. The first half is a network number, the second half indicates the bits of the network number necessary for matching. For example, 198.214.11.0/255.255.255.128 will match a host with IP address 198.214.11.63 but not the one with IP address 198.214.11.191.

    Note that use of domain names or domain name suffixes requires "Perform reverse DNS lookup of connecting client" to be enabled.

  8. If you want to associate an event-driven action with the group (for example, to change clients from one group to another), select Events on the left frame and specify the appropriate values on the right frame.



    The description of the on-screen elements is as follows:

    On bind. The drop-down list shows existing objects for OnBindSuccess events; see Creating OnBindSuccess Event Objects. Select the name of an object that will be performed when a client successfully completes a bind operation. By default, no (<NONE>) objects are selected. If there isn't an object, you can create one on the fly by clicking on the New button.

    On SSL. The drop-down list shows existing objects for OnSSLEstablished events; see Creating OnSSLEstablished Event Objects. Select the name of an object that will be performed when a client successfully establishes an SSL session. If there isn't an object, you can create one on the fly by clicking on the New button.

    Edit. Displays a dialog box for editing the behavior of an event.

    New. Displays a dialog box for creating a new event.

  9. If you want to specify encryption criteria for the group (for example, to specify whether clients can request an SSL session), select Encryption on the left frame and specify the appropriate values on the right frame.



    The description of the on-screen elements is as follows:

    SSL is available. Select this option if Client SSL and Referral SSL are available to the group. By default, Client SSL and Referral SSL are unavailable. iDAR will not permit a Client SSL or Referral SSL session if this option is disabled.

    Clients are able to request an SSL session. Select this option if the clients in the group will establish an SSL session provided that a client requests SSL.

    Clients MUST establish an SSL session. Select this option if the clients in the group must establish an SSL session before performing any operation.

    Referral SSL policy. Configure the SSL policy while following referrals.

    If client has an SSL session established. If "SSL is available" is enabled and if this option is enabled, iDAR will only initiate SSL for clients in that group if the client already has an SSL session established with iDAR.

    For all referrals. Enable this option if, upon a referral, iDAR is to initiate an SSL session before the operation is forwarded.

  10. If you want to specify compatibility criteria for the group (for example, to allow a client to bind multiple times in one session), select Compatibility on the left frame and specify the appropriate values on the right frame.



    The description of the on-screen element is as follows:

    Enable LDAP v2 clients to bind multiple times over a single session. The LDAP v2 specification (RFC 1777) does not allow a client to bind multiple times in one session. However, some clients expect this functionality. Select this if you want the group to allow a client to bind multiple times in one session.

  11. If you want to specify request-forwarding criteria for the group, select Request Forwarding on the left frame and specify the appropriate values on the right frame.

    Once iDAR has accepted a connection from the client and matched a group, it will wait for the client to send the LDAP operation. iDAR uses the "Client DN," "Permit Anonymous binds," "Permit simple binds," and "Permit SASL binds" to determine whether to pass the bind request to the server, or reject the bind request and close the client's connection.

    If the client's bind passes enabled tests, iDAR will forward it to the server. If the server accepts the bind, the connection is established. If, however, the server returns an error indication for the bind request, iDAR will forward the error indication to the client, and then close the connection to the client, if the client was using LDAPv2.



    The description of the elements in the Binds tab is as follows:

    Allow all clients. By default, this option is enabled, which permits access by all clients.

    Reject clients whose DN is not subordinate to. Select this option if you want the group to check for a distinguished name (DN). Any client that provides a distinguished name in its bind that is not subordinate to the specified DN will be rejected. Use the Browse button to browse an LDAP directory in order to construct a DN.

    Permit anonymous binds. By default, this option is enabled, which permits a bind even if a client has not supplied a password. Disable the option to forbid anonymous binds.

    Permit simple binds. By default, this option is enabled, which permits a client to supply a password in the clear. Disable the option to forbid clear text password authenticated bind requests.

    Permit SASL binds. By default, this option is enabled, which specifies that SASL binds are permitted. Disable the option to forbid SASL authentication.

  12. Select the Operations tab and specify which operations are to be forwarded.

    iDAR by default forwards search and compare requests. iDAR also recognizes an unbind request and closes the connection to the LDAP server.



    The description of the elements in the Operations tab is as follows:

    Permit search operations. By default, this option is enabled. Disable the option to prevent iDAR from forwarding search requests to the server.

    Permit compare operations. By default, this option is enabled. Disable the option to prevent iDAR from forwarding compare requests to the server.

    Permit add, delete, modify, modify DN, and extended operations. By default, iDAR does not forward add, modify, delete, modify DN, or extended operations requests. To permit forwarding of these operations, enable the appropriate operation to be allowed.

    Note that you must enable "Permit extended operations" if you want your clients to be able to negotiate Start TLS.

  13. If you want to specify data hiding criteria for the group, select Data Hiding on the left frame and specify the appropriate values on the right frame.

    Use the Subtree tab to specify which part of the directory tree is to be hidden and Entry tab to specify entries or attributes to be hidden.



    The description of the elements in the Subtree tab is as follows:

    Hiding a subtree of entries. Operations that request entries at or below a forbidden subtree will be rejected with an insufficient access error. Entries that match a search filter and are inside a forbidden subtree are dropped. Note that this option does not remove DN syntax attributes whose values fall under the subtree from entries that are being returned as part of the result.

    Add. Displays a dialog box to add a distinguished name to a list of the base of a subtree of entries to be excluded. The default, if distinguished names are not present in a network group, is to allow access to all entries in the directory. An entry in the list has dn syntax.

    Edit. Displays a dialog box to edit a distinguished name.

    Remove. Removes a distinguished name from the list.

  14. Select the Entry tab and specify which entries or attributes are to be hidden.



    The description of the elements in the Entry tab is as follows:

    Specifies an entry hiding property currently in use by this group. The drop-down list shows existing objects for the Forbidden Entry property; see Forbidden Entry Property. Select the name of an object. By default, no (<NONE>) objects are selected. If there isn't an object, you can create one on the fly by clicking on the New button.

    New. Displays a dialog to create a new Forbidden Entry property.

    Edit. Displays a dialog to edit an existing Forbidden Entry property.

  15. If you want to specify search attributes for the group, select Search on the left frame and specify the appropriate values on the right frame.



    The description of the elements in the Size tab is as follows:

    Restrict maximum number of result entries. Enable this option to specify the maximum number of result entries that may be returned to a client at one time from a single search operation. The value may be any number greater than zero, and if reached, will cause an administrativeLimitExceeded error to be indicated to the client and subsequent entries will be discarded. The default, if this property is disabled, is to not discard entries.

    Add. Displays a dialog to add a Search Size Limit property. For details, see Search Size Limit Property.

    Edit. Displays a dialog to edit a Search Size Limit property.

    Remove. Displays a dialog to remove a Search Size Limit property. (This action removes the property from the group without displaying a dialog.)

  16. Select the Control tab and specify the criteria for controlling search filters.



    The description of the elements in the Control tab is as follows:

    Permit inequality filters. By default, this option is enabled. Permit inequality filters specifies whether clients are permitted to request searches that contain inequality filters (attr>=value) and (attr<=value). Disable this option if a network group does not permit inequality searches to be performed.

    Restrict time limit for searches. Enable this option and enter a value in seconds for a network group to specify a maximum time limit in seconds for search operations. If the client specifies a time limit that is larger than the value given in this option, the value specified for this network group will override the client's request. By default, this option is disabled and a network group will allow the client to set any time limit, including no limit.

    Specify minimum search filter substring. Enable this option and enter a value to specify the minimum permissible length of a substring in a search filter. The value is a number greater than one. The default, if this option is disabled, is to allow any size of substring in a search filter. This option should be enabled in a network group if you wish to restrict the kinds of searches that may be performed by web robots. For example, a value of 2 will block searches like (cn=A*).

    Restrict to subtree with DN. Enable this option and specify the base of a subtree for all operations. This option has dn syntax. If this option is disabled, then there is no restriction to a minimum base.

    Operations whose target entry is at or below the minimum base entry are not affected by this option. If the target entry is superior to the minimum base entry, and the operation is a subtree search, then the query will be rewritten before being sent to the server, to change the target entry to be the minimum base. If the target entry is not below the minimum base or a superior of it, the request will be rejected with a no such object error.

    For example, if the "Restrict to subtree with DN" is set as:

    o=Siroe, st=California, c=US

    and a subtree search of st=California, c=US is received, the search will be rewritten such that the server performs a subtree search of

    o=Siroe, st=California, c=US

    Browse. Displays a dialog to aid in constructing a valid DN.

  17. Select the Scope tab and specify the search scope (that a client may specify in a search request).



    The description of the elements in the Scope tab is as follows:

    Permit all search scopes. By default, this option is enabled, permitting all search scopes by a client.

    Only 'base' search scope is permitted. Enable this option to permit only base search scope.

    Only 'base' and 'one level' searches are permitted. Enable this option to permit only base and one level searches.

  18. Select the References tab and specify what to do if a search-continuation reference is generated during a search.



    The description of the elements in the References tab is as follows:

    Discard the reference. By default, this option is enabled, which will discard a reference if it is generated during a search.

    Forward the reference to the client. Enable this option only to forward a search continuation reference.

    Follow the reference and return result to client. Enable this option to follow and return the result for a search continuation reference. A search continuation referral is a special case of a referral whereby part of the query has been satisfied by the original directory server queried but that directory server has a reference to another directory server with more data satisfying the query. This option can be used to hide the part of your Directory Information Tree whose naming context is mastered by another LDAP server. It also prevents clients from finding out the network address and port on which this server runs.

  19. If you want to specify attribute criteria for the group, select Attributes on the left frame and specify the appropriate values on the right frame.



    The description of the elements in the Search tab is as follows:

    This tab is used to prevent certain kinds of search and compare operations from reaching the LDAP server. If the client's request falls under this restriction, iDAR will return an insufficient access error to the client.

    Allow any attribute. By default, this option is enabled to permit all attributes to be used for search filters and comparisons.

    Forbid the following attributes. Enable this option to specify the name of an attribute or attributes that cannot be used by a client in a search filter or compare request.

    Only allow the following attributes. Enable this option to specify the name of an attribute or attributes that may be used in a search filter or compare request. If one or more attribute values are present in a network group table and a compare does not match one of these, the request will be rejected by iDAR. If there are no attributes present in a network group table, and an attribute does not match any attributes, then it may be used by clients. For example, if you want only the cn, dn, and mail attributes to be searchable by the client, add these attributes to the table.

    Add. Displays a dialog box that allows an attribute to be added to the table. You must specify above whether these attributes are to be forbidden or permitted.

    Edit. Displays a dialog box to edit a selected attribute in the table.

    Remove. Removes an attribute from the table.

  20. Select the Renaming tab and specify the rules for renaming of attributes.



    The description of the elements in the Renaming tab is as follows:

    Add. Displays a dialog box to add one or more existing attribute renaming properties to the following table that will be used by this network group. (See Attribute Renaming Property.)

    Edit. Displays a dialog box to edit a selected attribute renaming property.

    Remove. Remove an attribute renaming property from the table.

  21. Select the Return tab and specify restrictions that are to be applied to search results being returned by the server, before they are forwarded to the client.



    The description of the elements in the Return tab is as follows:

    Return all attributes. This option is enabled by default, and it will permit all attributes to be returned.

    Exclude the following attributes. Enable this option to specify the name of the attributes that are to be excluded from search result entries.

    Only return the following attributes. Enable this option to specify the name of attributes that may be returned from a search result, if present.

    If attributes returned as part of a search result are not present in the "Only return the following attributes" table, they are not returned. If the table is empty and they are not in the "exclude the following attributes" table, they are returned.

    Add. Displays a dialog box that allows an attribute to be added to the table. You must specify above whether these attributes are to be forbidden or permitted.

    Edit. Displays a dialog box to edit a selected attribute in the table.

    Remove. Removes an attribute from the table.

  22. If you want to specify referrals for the group (for example, whether the group will forward, follow, or discard referrals returned by the server), select Referrals on the left frame and specify the appropriate values on the right frame.



    The description of the on-screen elements is as follows:

    Discard the referral. Enable this option if a network group will discard all referrals returned by the server.

    Forward the referral. By default, this option is enabled, which will forward referrals returned by the server.

    Follow the referral and return result to client. Enable this option if a network group will forward referrals returned by the server and return results to the client.

    Bind policy. This option controls the bind policy when an operation is referred and the referral is being followed.

    Note that iDAR cannot replay binds for clients bound using a SASL mechanism. Thus the referral operation will be rejected if "Required" is specified and the client used a SASL mechanism to bind.

    Always. Select this option if iDAR should always bind anonymously while following a referral for a client connected to this network group.

    Any. Select this option if a network group should use simple bind if the client had used password-based bind, else bind as anonymous. This is the default.

    Required. Select this option if a network group should reject the referred operation if the client is not password-based bound.

    Maximum referrals per operation. Enter an integer value greater than or equal to zero. This will limit the maximum number of references that will be followed for a single operation. The default is 15. A value of zero indicates that no limit will be applied.

    Referral SSL Policy. In order to enable the Referral SSL Policy Panel, "SSL is available" option must be enabled on the encryption view.

    If client has an SSL session established. Enable this option if a network group will only initiate SSL if the client already has SSL session established with iDAR. This is the default.

    For all referrals. Enable "For all referrals" if, upon a referral, a group will initiate an SSL session before the operation is forwarded.

  23. If you want to specify server load criteria for the group, select Server Load on the left frame and specify the appropriate values on the right frame.



    The description of the on-screen elements is as follows:

    Simultaneous operations per connection. Select this option to limit the number of simultaneous operations iDAR will process per connection in that group. The value is an integer greater than zero. If this attribute is not present, then no limit is enforced. For example, if you set this value to 1, all the clients in that group will be forced to perform synchronous LDAP operations. Additional simultaneous requests, except for requests to abandon an operation, will fail with a Server Busy error.

    Total operations per connection. Select this option to limit the total number of operations that iDAR will allow per connection in a group. The value is an integer greater than zero. If a client exceeds the maximum number of operations allowed for its group on one connection, then that connection will be closed by iDAR. If this attribute is not present, then no limit is set.

    Connections to this group. Select this option to limit the number of simultaneous connections to this network group, and specify the number.

    Simultaneous connections per IP address. Select this option to restrict the number of simultaneous connections clients can make from a single IP address. By default, any number of connections is allowed.

  24. Click Save to create the group.

    The iDAR configuration is modified, and you are prompted to restart the servers that rely on this configuration. Don't restart the servers yet. You can do this after you've completed all the configuration changes.

  25. Repeat Step 3 through Step 24 to create any additional groups.

  26. Go to the Network Groups window (see Step 2) and prioritize the groups appropriately.

  27. Restart the servers; see Restarting iDAR.
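
The referral settings in Step 22 interact: the bind policy decides whether a client's password bind is replayed to the referred server, and the Referral SSL Policy decides whether that hop is encrypted. The Python model below is an added example, not part of this guide or of iDAR itself; the field names, the "stop" outcome at the referral limit, and the behavior when "SSL is available" is off are assumptions.

```python
from dataclasses import dataclass

@dataclass
class ReferralConfig:
    # Hypothetical field names mirroring the Referrals panel; defaults as documented.
    action: str = "forward"            # "discard" | "forward" | "follow"
    bind_policy: str = "any"           # "always" | "any" | "required"
    max_referrals: int = 15            # 0 = no limit
    ssl_policy: str = "if_client_ssl"  # or "all" (For all referrals)
    ssl_available: bool = True         # "SSL is available" on the encryption view

def plan_referral(cfg, client_bind, client_ssl, followed=0):
    """Decide how one referral is handled.

    client_bind is "anonymous", "simple" (password-based) or "sasl";
    followed is the number of referrals already followed for this operation.
    """
    if cfg.action != "follow":
        return {"action": cfg.action}
    if cfg.max_referrals and followed >= cfg.max_referrals:
        # Assumption: the guide does not say what the client sees at the limit.
        return {"action": "stop", "reason": "referral limit reached"}
    if cfg.bind_policy == "always":
        bind = "anonymous"
    elif client_bind == "simple":
        bind = "simple"                # the client's bind is replayed
    elif cfg.bind_policy == "required":
        # Covers SASL clients too: their binds cannot be replayed.
        return {"action": "reject", "reason": "client not password-bound"}
    else:
        bind = "anonymous"             # "any": fall back to anonymous
    # Assumption: with "SSL is available" off, no SSL is initiated.
    ssl = cfg.ssl_available and (cfg.ssl_policy == "all" or client_ssl)
    return {"action": "follow", "bind": bind, "ssl": ssl}

def cleartext_replays(cfg):
    """Client states for which a password bind is replayed without SSL."""
    hits = []
    for client_bind in ("anonymous", "simple", "sasl"):
        for client_ssl in (False, True):
            plan = plan_referral(cfg, client_bind, client_ssl)
            if plan.get("bind") == "simple" and not plan["ssl"]:
                hits.append((client_bind, client_ssl))
    return hits

if __name__ == "__main__":
    for policy in ("if_client_ssl", "all"):
        cfg = ReferralConfig(action="follow", ssl_policy=policy)
        print(policy, cleartext_replays(cfg))
```

With referrals followed and the default SSL policy, the only flagged state is a password-bound client that connected without SSL; selecting "For all referrals" clears it.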



Modifying Groups

To modify a group:

  1. Access the iDAR Configuration Editor Console; see Accessing the iDAR Consoles.

  2. In the navigation tree, select Network Groups.

    The right pane shows the list of existing groups.



  3. In the list, select the group you want to modify and click Edit.

  4. Make the required modifications.

  5. Click Save to save your changes.

    The iDAR configuration is modified, and you are prompted to restart the servers that rely on this configuration. Don't restart the servers yet. You can do this after you've completed all the configuration changes.

  6. Repeat Step 3 through Step 5 to modify any additional groups.

  7. Restart the servers; see Restarting iDAR.



Deleting Groups

You can delete any unwanted network groups from the iDAR configuration. To delete a group:

  1. Access the iDAR Configuration Editor Console; see Accessing the iDAR Consoles.

  2. In the navigation tree, select Network Groups.

    The right pane shows the list of existing groups.



  3. In the list, select the group you want to delete and click Delete.

  4. Confirm your action.

    The name of the group you deleted is now removed from the list. The iDAR configuration is modified, and you are prompted to restart the servers that rely on this configuration. Don't restart the servers yet. You can do this after you've completed all the configuration changes.

  5. Repeat Step 3 and Step 4 to delete any additional groups.

  6. Restart the servers; see Restarting iDAR.


Copyright © 2001 Sun Microsystems, Inc. Some preexisting portions Copyright © 2001 Netscape Communications Corp. All rights reserved.

Last Updated July 26, 2001