iPlanet Delegated Administrator 4.5 Deployment and Customization Guide
Chapter 3 Basic Installation and Configuration
This chapter provides instructions for installing and configuring Delegated Administrator to support the default directory information tree that ships with the product. This chapter includes the following sections:
System Requirements
Step 1: Install or Upgrade to iPlanet Directory Server 4.12
Step 2: Configure the Directory Server Plug-ins
Step 3: Configure the Directory Server
Step 4: Install or Upgrade to iPlanet Web Server 4.1
Step 5: Create a Web Server Instance
Step 6: (Optional) Install or Upgrade to Netscape Messaging Server 4.1
Step 7: Install Delegated Administrator
Step 8: Configure Netscape Messaging Server
Step 9: (Optional) Disable Anonymous Access to Your User Tree
System Requirements
This section describes the minimum hardware and software requirements for installing and using Delegated Administrator 4.5.
Web Server 4.1 and Delegated Administrator 4.5
Delegated Administrator and iPlanet Web Server 4.1 must be installed on the same computer system and must run on a supported platform (see Table 3-1). iPlanet highly recommends using Web Server 4.1 SP7, although versions 4.1 with SP2 through SP5 are also supported. To determine which patches you need, see the Web Server Release Notes at: http://docs.iplanet.com/docs/manuals/enterprise/41/rn41sp7.html#19292. Delegated Administrator by itself requires a minimum of 20MB disk space after installation. An additional 5MB is required for each customized or localized organization you add to the Delegated Administrator tree. For example, you could add Organization A and Organization B under the Delegated Administrator root. If you then create a French version and an English version for each of these organizations, the result is a total of four localized organizations. This would require 20MB additional disk space.
Directory Server 4.12
Netscape Directory Server 4.12 must be installed and running; it does not have to be installed on the same computer system as Delegated Administrator. In addition to the minimum system requirements for the server, the Directory Server host computer must have 200MB disk space free when preparing an empty directory for use with Delegated Administrator. For complete Netscape Directory Server 4.12 installation requirements, see the Directory Server Release and Installation Notes available at http://home.netscape.com/eng/server/directory/4.12/installation.html.
Supported Platforms
Table 3-1 summarizes the hardware requirements for installing Delegated Administrator with iPlanet Web Server, Enterprise Edition 4.1 with SP2.
Table 3-1    Supported Platforms
Columns: Vendor, Architecture, Operating System, Minimum Memory (RAM), Minimum Disk Space After Installation
Additional System Requirements for Windows NT 4.0
Paging space at least as large as the amount of RAM (twice the amount of RAM is recommended).
30 MB free disk space for the log files (for approximately 300,000 accesses per day).
If you plan to run more than two separate instances of Web Server on the same computer system, each server will require an additional 16 MB RAM.
Software Compatibility
Delegated Administrator 4.5 works with the following servers and software:
- Required: iPlanet Web Server 4.1 with appropriate patches. See Server Requirements for more information.
- Required: Netscape Directory Server 4.12
- Required: A browser such as Netscape Communicator or Microsoft Internet Explorer. See Table 3-2 for supported browser versions.
- Netscape Messaging Server 4.1x
Web Browser Requirements
Administrators and end users will use web browsers to perform user management tasks. Table 3-2 summarizes the web browsers supported for Delegated Administrator.
Table 3-2    Supported Browsers
Columns: Operating System, For Administrators, For End Users
Before You Begin
Before you can install Delegated Administrator, you'll need to resolve the following:
iPlanet Directory Server 4.12 and Web Server 4.1 with Service Pack 2 must be installed, configured, and running. Table 3-3 summarizes the installation steps you must take and where to find the detailed instructions you'll need in order to install these servers.
If you plan to use a Directory Server that is already deployed and provisioned with users and groups, you must modify its entries to match the Delegated Administrator objectclasses and attributes. For detailed information, see Appendix , "Using an Existing User Directory."
If you plan to use Netscape Messaging Server, you'll need to create a postmaster group and reconfigure the server. See "Step 8: Configure Netscape Messaging Server" on page 61 for more information.
Table 3-3    Summary of Delegated Administrator Installation Procedures
Each row gives an installation step and where to find detailed instructions for it:
- Install or upgrade to iPlanet Directory Server 4.12: In this manual, see Step 1: Install or Upgrade to iPlanet Directory Server 4.12. For detailed Directory Server installation instructions, see the Release and Installation Notes, available at http://home.netscape.com/eng/server/directory/4.12/
- Configure the Directory Server plug-ins: In this manual, see Step 2: Configure the Directory Server Plug-ins.
- Configure the Directory Server: In this manual, see Step 3: Configure the Directory Server.
- Install or upgrade to iPlanet Web Server 4.1: During installation, you do not have to specify a Directory Server. For detailed installation instructions, see the Web Server 4.1 Installation Guide, available at http://docs.iplanet.com/docs/manuals/enterprise.html#41
- Create a Web Server instance: For detailed instructions, see the Web Server 4.1 Administrator's Guide, http://docs.iplanet.com/docs/manuals/enterprise.html#41
- (Optional) Install or upgrade to Netscape Messaging Server 4.1: During installation, when prompted for Directory Server information, specify your Directory Server 4.12 installation. For detailed instructions, see the Messaging Server 4.1 Administrator's Guide, http://docs.iplanet.com/docs/manuals/messaging.html#nms41
- Install Delegated Administrator: For detailed instructions, see Step 4: Install or Upgrade to iPlanet Web Server 4.1 of this manual.
- Configure Netscape Messaging Server: In this manual, see Step 8: Configure Netscape Messaging Server.
- (Optional) Disable anonymous access to your user tree: For detailed information, in this manual, see Step 9: (Optional) Disable Anonymous Access to Your User Tree.
- Get started: Delegated Administrator provides a Start Page to help you log in for the first time, and sample data that you can use to test and evaluate the program. For detailed information, in this manual, see Getting Started.
Step 1: Install or Upgrade to iPlanet Directory Server 4.12
If you do not have a directory server installed, you must install iPlanet Directory Server 4.12 now. If you already have a pre-4.12 directory server installed, you must upgrade to version 4.12. Follow the instructions in the Release and Installation Notes, available at http://home.netscape.com/eng/server/directory/4.12/. After you've followed the instructions in the Release and Installation Notes, return to this manual and continue with Step 2: Configure the Directory Server Plug-ins, below.
Step 2: Configure the Directory Server Plug-ins
Before you can install Delegated Administrator, you must configure four plug-ins that Delegated Administrator uses. The plug-ins are automatically installed for you when you install Directory Server 4.12.
Flexible Attribute Uniqueness. This plug-in enforces the uniqueness of an attribute within a subtree.
Class of Service. This plug-in determines a user's specific configuration values and resource limits based on a Class of Service attribute in the user entry.
Directory Entry Counts. This plug-in automatically maintains count values for organizations, groups, or users that are added to or deleted from the directory.
Referential Integrity Check. This plugin ensures that relationships between related entries are maintained.
To Configure the Directory Server Plug-ins
1. Stop the Directory Server.
2. In each instance of Directory Server that you plan to use with Delegated Administrator, modify the following file (where <NSHOME> is the Directory Server root):
- <NSHOME>/slapd-<host_identifier>/config/slapd.ldbm.conf
a. Locate the line that begins with:
- plugin postoperation on "referential integrity postoperation"
Add memberof to the end of the line. For example (all one line):
- plugin postoperation on "referential integrity postoperation" /export2/brighton/ds412/lib/referint-plugin.so referint_postop_init 0 /export2/brighton/ds412/slapd-rtfm/logs/referint 0 member uniquemember owner seeAlso memberof
b. If your DIT is used in a hosting environment, perform this step to disable the UID Uniqueness plug-in. When this plug-in is disabled, you can have individuals with the same uid in different organizations. If your DIT is not used in a hosting environment, skip to step 2c.
To disable the plug-in, insert a comment character at the beginning of the following line:
- plugin preoperation on "uid uniqueness" <Directory_root>/lib/uid-plugin.so NSUniqueAttr_Init uid o=iplanet.com
c. If you want to enable the Class of Service feature, uncomment the following lines by deleting the pound sign (#) at the beginning of the lines:
- #plugin postoperation on "Class of Service" <Directory_root>/lib/cos-plugin.so cos_init o=iplanet.com
- #plugin preoperation on "Class of Service init" <Directory_root>/lib/cos-plugin.so cos_preop_init
If the above two lines are missing, add them to the file without the comment characters.
Initial configuration of the Class of Service Directory Server plug-ins causes the error message "plugin init failed". This is normal behavior; it simply states that there are no Class of Service definitions in the directory at the time.
d. Add the contents of this file: <Directory_root>/slapd-<identifier>/config/counters.ldbm.conf
If the following line exists in the file, be sure it is commented out:
- #include "<Directory_root>/slapd-rtfm/config/counters.ldbm.conf"
3. Start the Directory Server.
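The four edits in step 2 are easy to get subtly wrong by hand across several server instances (a missing memberof, a double comment character, an #include left active). The script below is an added example, not part of the iPlanet guide or the product: it applies the edits to the text of slapd.ldbm.conf, relying only on the line shapes quoted in step 2, and it is idempotent so re-running it on an already-edited file changes nothing. The sample configuration, the counters.ldbm.conf stand-in and the /opt/ds412 path are constructed placeholders for <Directory_root>.

```python
"""Apply the Step 2 slapd.ldbm.conf edits as a text transformation.
Added example, not from the iPlanet guide. Sample data below is constructed."""
import shutil

REFERINT = 'plugin postoperation on "referential integrity postoperation"'
UID_UNIQ = 'plugin preoperation on "uid uniqueness"'
COS_POST = 'plugin postoperation on "Class of Service"'
COS_PRE = 'plugin preoperation on "Class of Service init"'
COUNTERS_MARK = "# contents of counters.ldbm.conf (added per step 2d)"

# Constructed sample fragment; /opt/ds412 stands in for <Directory_root>.
SAMPLE_CONF = """\
plugin postoperation on "referential integrity postoperation" /opt/ds412/lib/referint-plugin.so referint_postop_init 0 /opt/ds412/slapd-example/logs/referint 0 member uniquemember owner seeAlso
plugin preoperation on "uid uniqueness" /opt/ds412/lib/uid-plugin.so NSUniqueAttr_Init uid o=iplanet.com
#plugin postoperation on "Class of Service" /opt/ds412/lib/cos-plugin.so cos_init o=iplanet.com
#plugin preoperation on "Class of Service init" /opt/ds412/lib/cos-plugin.so cos_preop_init
#include "/opt/ds412/slapd-example/config/counters.ldbm.conf"
"""
# Constructed stand-in for the counters.ldbm.conf shipped with the server.
SAMPLE_COUNTERS = "# (placeholder) counters.ldbm.conf contents go here\n"


def configure_plugins(conf_text, counters_text, directory_root,
                      hosting=False, enable_cos=True):
    """Return slapd.ldbm.conf text with the Step 2 edits applied.

    hosting     True comments out the UID Uniqueness plug-in (step 2b) so the
                same uid may exist in different organizations.
    enable_cos  True uncomments the Class of Service lines, adding them if
                absent (step 2c); False leaves them commented out.
    Idempotent: running it on its own output returns the same text.
    """
    out, seen_cos = [], set()
    for line in conf_text.splitlines():
        bare = line.lstrip("#").strip()
        if bare.startswith(REFERINT):
            # 2a: referential integrity must also track memberof
            if "memberof" not in bare.split():
                line = line.rstrip() + " memberof"
        elif bare.startswith(UID_UNIQ):
            if hosting and not line.startswith("#"):
                line = "#" + line          # 2b: disable uid uniqueness
        elif bare.startswith(COS_POST) or bare.startswith(COS_PRE):
            seen_cos.add(COS_POST if bare.startswith(COS_POST) else COS_PRE)
            line = bare if enable_cos else "#" + bare   # 2c
        elif bare.startswith("include") and "counters.ldbm.conf" in bare:
            line = "#" + bare              # 2d: the #include must stay commented out
        out.append(line)
    if enable_cos:
        if COS_POST not in seen_cos:
            out.append(f"{COS_POST} {directory_root}/lib/cos-plugin.so cos_init o=iplanet.com")
        if COS_PRE not in seen_cos:
            out.append(f"{COS_PRE} {directory_root}/lib/cos-plugin.so cos_preop_init")
    if COUNTERS_MARK not in out:
        # 2d: paste counters.ldbm.conf in directly instead of including it
        out.append(COUNTERS_MARK)
        out.extend(counters_text.rstrip("\n").splitlines())
    return "\n".join(out) + "\n"


def configure_file(conf_path, counters_path, directory_root, **opts):
    """Edit slapd.ldbm.conf in place, keeping a .bak copy. Stop the Directory
    Server before calling this and start it again afterwards (steps 1 and 3)."""
    shutil.copy2(conf_path, conf_path + ".bak")
    with open(conf_path) as f, open(counters_path) as c:
        updated = configure_plugins(f.read(), c.read(), directory_root, **opts)
    with open(conf_path, "w") as f:
        f.write(updated)
    return updated


if __name__ == "__main__":
    print(configure_plugins(SAMPLE_CONF, SAMPLE_COUNTERS, "/opt/ds412", hosting=True))
```

Run configure_file once per slapd-<host_identifier> instance; diff the result against the .bak copy before starting the server, since the plug-in lines are loaded at startup and a malformed one is only reported then.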
Step 3: Configure the Directory Server
In this step, modify the Directory Server configuration and user entries to meet your needs. Optimizing page handling and search performance is recommended, but not required, for all Delegated Administrator installations. Modifying the user entries is absolutely required if you've already provisioned your directory with users and groups.
Optimizing Page Handling and Search Performance
You can optimize Delegated Administrator page handling and search performance by modifying the Directory Server configuration. The following measures are necessary when any organization in your directory exceeds 4000 users.
To add appropriate indexes to your Directory:
1. Using Netscape Console, in the Directory Server window, select the Configuration tab and then click the Database icon.
2. Select the Indexes tab in the right pane.
3. To add the nsdadomain attribute, click Add Attribute, and then do the following:
- In the Select Attributes window, select the nsdadomain attribute and then click OK.
4. To add the memberof attribute, click Add Attribute, and then do the following:
- In the Additional Indexes list, select the nsdadomain attribute and then check the boxes for Equality, Presence, and Substring.
5. To add a substring index for the uid attribute, in the Additional Indexes list, select the uid attribute. Then check the boxes for Equality, Presence, and Substring.
To reset the lookthroughlimit:
1. Using Netscape Console, in the Directory Server window, select the Configuration tab and then select Database in the left pane.
2. Select the Performance tab in the right pane.
3. In the Look Through Limit field, enter a number greater than the number of entries that the Directory Server will check in response to a search request.
To reset the sizelimit parameter:
1. Using Netscape Console, in the Directory Server window, select the Configuration tab and then select the root entry in the navigation tree in the left pane.
2. Select the Performance tab in the right pane.
Setting the All IDs Threshold Value
By default, the directory server is set to an All IDs threshold of 4000. For Delegated Administrator, this value should be just higher than the number of users in your directory. For detailed information on changing this value, see the Directory Server Administrator's Guide at the following URL: http://home.netscape.com/eng/server/directory/4.1/admin/index1.htm#1053642
Modifying an Existing User Directory
If you have already deployed Netscape Directory Server and provisioned it with users and groups, you must modify your user directory tree before going any farther with installation. If you have already deployed Netscape Directory Server, but have not installed Delegated Administrator 4.51 to work with it, follow the instructions in Appendix , "Using an Existing User Directory." After you've modified your directory tree, return to this manual and continue with Step 4 below.
Step 4: Install or Upgrade to iPlanet Web Server 4.1
iPlanet Web Server 4.1 and Delegated Administrator must be installed on the same computer system. If you do not have iPlanet Web Server 4.1 installed, install it now. If you have a pre-4.1 Web Server installed, you must upgrade the server to the 4.1 version. Follow the instructions in the Web Server 4.1 Installation Guide, available at http://docs.iplanet.com/docs/manuals/enterprise.html#41. During installation, you do not have to specify a Directory Server when prompted for one.
Step 5: Create a Web Server Instance
For best results, you should create a new instance of Web Server to work with Delegated Administrator. Follow the instructions in the Web Server 4.1 Administrator's Guide, available at http://docs.iplanet.com/docs/manuals/enterprise.html#41.
Step 6: (Optional) Install or Upgrade to Netscape Messaging Server 4.1
If you don't have Messaging Server installed, installing it now will save you a step later as you install Delegated Administrator. If you have a pre-4.1 Messaging Server already installed, you must update it to version 4.1 before installing Delegated Administrator. See the Messaging Server 4.1 Installation Guide, available at http://docs.iplanet.com/docs/manuals/messaging.html#nms41 for detailed information.
Step 7: Install Delegated Administrator
Before you can install Delegated Administrator, you must install Directory Server and Web Server, and resolve related server issues. See Before You Begin.
To install Delegated Administrator:
1. Run the Delegated Administrator install program.
- In Unix, in the Delegated Administrator root, enter ./setup.
- In Windows NT, in the Delegated Administrator directory, double-click the self-extracting icon.
2. When prompted, enter the following:
- Would you like to continue with setup? Enter Yes.
- Do you agree to the license terms? Enter Yes.
- Install location: Enter the path to the directory where Delegated Administrator will be installed.
- Select one of the following options:
No Messaging Server Support: Select this option if you do not intend to use Delegated Administrator with a messaging server.
Support for Netscape Messaging Server: Select this option if you intend to use Delegated Administrator with Netscape Messaging Server 4.1x.
- If you selected "No Messaging Server Support" above, skip to Specify Enterprise Server configuration directory.
- If you selected "Support for Netscape Messaging Server", Delegated Administrator prompts you for the following:
Manage Messaging Server? This step is optional. If you intend to use Delegated Administrator with Netscape Messaging Server 4.1, the setup program can store the appropriate Administration Server URL for future reference. Enter Yes.
Specify Host Name: Enter the fully qualified host name of the Administration Server that manages the Messaging Server. Example: miriam.mcom.com. If you don't know this information at the time of installation, you can enter it later. See To Configure Delegated Administrator to Work with Messaging Server.
Specify Admin URL: Enter the fully qualified host name and port number of the Administration Server that manages the Messaging Server. Example: http://miriam.mcom.com:400. If you don't know this information at the time of installation, you can enter it later. See To Configure Delegated Administrator to Work with Messaging Server.
- Specify Enterprise Server configuration directory: Enter the path to the directory that contains the file magnus.conf.
- Specify LDAP URL: Enter the URL to the instance of Directory Server you're using with Delegated Administrator. Use the following form:
ldap://<host_name>:<port_number>
Example: ldap://siroe.mcom.com:8000
- Specify Directory Manager: Enter the DN of the user with Directory Manager privileges on the configuration directory.
- Password: Enter the Directory Manager password you used when you installed the Directory Server.
Note: In this next part of the installation program, you are asked twice to specify a suffix: one for user data, and one for configuration data.
- Specify Suffix: Enter a base suffix using the form o=<your_suffix>. Delegated Administrator requires a suffix to store its user data. Examples: o=ISP or dc=ISP, dc=com. All organizations, groups, and users to be managed by Delegated Administrator will be created under this base suffix.
If you specify a suffix in an existing Delegated Administrator 4.5 user tree, no new user information will be written into that tree at this time. The installation program will continue.
If you specify a suffix in a pre-4.5 Delegated Administrator user tree, or in an existing DIT, the installation program will not allow you to continue. You'll be asked to update your directory entries to include Delegated Administrator 4.5 objectclasses and attributes. For more information, see "Using an Existing Directory Tree." This document will be available at the location where you downloaded Delegated Administrator. When prompted, press Enter to continue and exit the installation program.
- Specify Suffix: Delegated Administrator requires a suffix to store its configuration data. Enter a base suffix using the form o=<your_suffix>. Examples: o=ISP or dc=ISP, dc=com.
Delegated Administrator automatically creates a new base suffix for you containing default directory entries and their respective ACIs. Figure 3-1 illustrates the base suffix that Delegated Administrator creates at installation. In the figure, the user Chris Bolton is a member of the Service Administrators group and can create new administrators and new organizations.
Figure 3-1    Delegated Administrator automatically creates a base suffix with default data you can use to get started.
Step 8: Configure Netscape Messaging Server
Messaging Server will not recognize the Delegated Administrator base suffix until you create a postmaster group and change the Messaging Server configuration.
Creating a Postmaster Group
Create a postmaster group in the base suffix you specified when you installed Delegated Administrator. In Netscape Console, when you click the Users and Groups tab, the current base suffix is displayed. If the Delegated Administrator base suffix is not displayed, you must change to the appropriate directory. To change to the Delegated Administrator Directory, click Directory.
1. In Netscape Console, in the Users and Groups tab, use the drop-down list in the lower-right corner to choose New Group. Then click Create.
2. In the Select Organizational Unit window, choose Base DN, and then click OK.
3. In the Create Group window, in the Group Name field enter Postmaster.
4. Click the Account tab, and then click the Mail Account checkbox until a checkmark is displayed. After a moment, the Mail tab is added to the window.
5. Click the Mail tab. Enter a primary email address using the form postmaster@<your_host>.<your_domain>.
Changing the Messaging Server Configuration
Once you change the configuration, Messaging Server will recognize the mail accounts for any users you create.
To Configure Messaging Server to Work with Delegated Administrator
1. In Netscape Console, open the Messaging Server window.
2. In the Messaging Server window, click the Configuration tab, and in the navigation tree click Services.
3. Click the LDAP tab. In the section "LDAP connection for user lookup," select "Use messaging server specific directory settings." Verify the following Directory Server information, and modify the Base DN:
- Host name: Displays the name of the computer where the Directory Server is installed.
- Port number: Displays the port number for the Directory Server.
- Base DN: Enter the base suffix you used when you installed Delegated Administrator. Example: o=ISP
- Bind DN: Displays the Distinguished Name (DN) for the user who has appropriate permissions to make changes to the configuration directory.
4. Click Change Password, and then change the password for the Bind DN.
5. Click Save. In the Restart Services window, click to select "Restart all services now."
To Configure Delegated Administrator to Work with Messaging Server
You need to perform this step only if you did not specify the Messaging Server URL when you ran the installation program for Delegated Administrator.
1. In the Delegated Administrator root, locate the following file:
- ...nda/classes/netscape/nda/servlet/resource.properties
2. Modify the following line to include the fully qualified host name of the Administration Server that manages the Messaging Server:
- MsgSvr0-name=<server_identifier>
- Example: MsgSvr0-name=miriam.mcom.com
3. Modify the following line to include the fully qualified host name and port number of the instance of Administration Server that manages the Messaging Server:
- MsgSvr0-adminurl=http://<host_name>:<port_number>
- Example: MsgSvr0-adminurl=http://miriam.mcom.com:400
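Because resource.properties is read by the servlet rather than validated by an installer, a mistyped Administration Server URL only shows up later as a failed connection. The following is an added example, not code from the iPlanet guide or the product: it checks the two values against the forms given above (a fully qualified host name, and http://<host_name>:<port_number> with an explicit port) before writing the MsgSvr0-name and MsgSvr0-adminurl keys, replacing existing keys in place. The requirement that both keys name the same host is this example's own consistency check, and the properties text is constructed.

```python
"""Set and validate the Messaging Server keys in resource.properties.
Added example, not from the iPlanet guide. Sample data is constructed."""
import re
from urllib.parse import urlsplit

# A fully qualified host name: at least one dot, DNS label syntax, no port.
FQDN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z][a-z0-9-]{1,62}$",
    re.IGNORECASE)

# Constructed fragment; the real file is the resource.properties under the
# Delegated Administrator root named in the procedure above.
SAMPLE_PROPERTIES = """\
# constructed resource.properties fragment
MsgSvr0-name=<server_identifier>
MsgSvr0-adminurl=http://<host_name>:<port_number>
"""


def normalize_admin_url(url):
    """Return scheme://host:port for a well-formed Administration Server URL,
    or raise ValueError. The guide's form is http://<host_name>:<port_number>."""
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https"):
        raise ValueError("admin URL must start with http:// or https://")
    host = parts.hostname or ""
    if not FQDN_RE.match(host):
        raise ValueError("admin URL needs a fully qualified host name")
    if parts.port is None:          # .port raises ValueError for a bad port
        raise ValueError("admin URL needs an explicit port number")
    if parts.path not in ("", "/") or parts.query or parts.fragment or parts.username:
        raise ValueError("admin URL must not carry a path, query, fragment or credentials")
    return f"{parts.scheme}://{host}:{parts.port}"


def is_valid_admin_url(url):
    """Boolean form of normalize_admin_url, convenient for checks and tests."""
    try:
        normalize_admin_url(url)
        return True
    except ValueError:
        return False


def set_messaging_server(properties_text, host, admin_url):
    """Return properties_text with MsgSvr0-name and MsgSvr0-adminurl set,
    replacing existing keys where they stand and appending missing ones."""
    if not FQDN_RE.match(host):
        raise ValueError("host must be a fully qualified host name")
    admin_url = normalize_admin_url(admin_url)
    if urlsplit(admin_url).hostname.lower() != host.lower():
        raise ValueError("MsgSvr0-adminurl host differs from MsgSvr0-name")
    updates = {"MsgSvr0-name": host, "MsgSvr0-adminurl": admin_url}
    out, seen = [], set()
    for line in properties_text.splitlines():
        key, sep, _ = line.partition("=")
        key = key.strip()
        if sep and key in updates:      # replace the value, keep the position
            out.append(f"{key}={updates[key]}")
            seen.add(key)
        else:
            out.append(line)
    for key, value in updates.items():
        if key not in seen:
            out.append(f"{key}={value}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(set_messaging_server(SAMPLE_PROPERTIES, "miriam.mcom.com",
                               "http://miriam.mcom.com:400"))
```

Write the returned text back to resource.properties and restart Web Server, as the guide requires after editing this file.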
Step 9: (Optional) Disable Anonymous Access to Your User Tree
By default, Delegated Administrator uses a special Access Control Instruction (ACI) for anonymous access. Anonymous access allows any user to search all user entries in the directory. Many applications that use Directory Server data cannot work without anonymous access. However, Delegated Administrator customers who provide internet service to multiple companies may want to disable anonymous access. When you disable anonymous access, for example, users in organization A can search the user directory and never see users in organization B; users in organization B will never see the users in organization A.
You can disable anonymous access by running a script provided for you in the <DelegatedAdmin_root>/nda/ldif directory. The script removes the ACI that allows anonymous access.
Figure 3-2    By default, anonymous access is enabled and users in organization A can see users in organization B.
1. If you've installed Delegated Administrator using the default base suffix (o=ISP), skip to Step 3.
2. In the file anon.ldif in <DelegatedAdmin_root>/nda/ldif, change the base suffix o=ISP to your base suffix as appropriate.
3. On the Directory Server host, in <NSHOME>/shared/bin, execute ldapmodify with the anon.ldif file.
Changing the NDAUser Password
Delegated Administrator uses the NDAUser entry under ou=config for resolving uids at login. You can change the password for this user as an added security measure.
To change the password for the NDAUser:
1. Go to the directory where the file resource.properties is stored:
2. In the file resource.properties, change the password for the following entry:
3. Use ldapmodify to change the password for the NDAUser entry. In the directory <DirectoryServer_root>/shared/bin, enter the following:
At the prompt, enter the following:
- dn: uid=NDAUser, ou=config, o=<base_suffix>
- changetype: modify
- replace: userpassword
- userpassword: <newpassword>
To complete the command:
4. Restart Web Server.
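The modify record above is typed by hand at the ldapmodify prompt, which works until the new password starts with a space or contains a non-ASCII character, cases LDIF requires to be base64-encoded with a double colon. The following is an added example, not code from the iPlanet guide or the product: it builds the record for any base suffix, encodes the value correctly, and optionally feeds it to the ldapmodify in <DirectoryServer_root>/shared/bin on standard input so the new password is never written to a file. The -h, -p, -D and -w options are the standard Netscape ldapmodify options; the host, port and Directory Manager DN you pass are your own, and the minimum password length is this example's own floor, not a product rule. The resource.properties entry still has to be changed to the same value by hand, as step 2 says.

```python
"""Build (and optionally apply) the NDAUser password change as LDIF.
Added example, not from the iPlanet guide."""
import base64
import subprocess

MIN_PASSWORD_LEN = 8  # this example's own floor, not a product requirement


def ldif_attr(attr, value):
    """Format one attribute line per LDIF rules: a value that is not plain
    printable ASCII, or that starts with space, colon or '<', is written
    base64-encoded after a double colon."""
    data = value.encode("utf-8")
    plain = (all(0x20 <= b < 0x7F for b in data)
             and data[:1] not in (b" ", b":", b"<"))
    if plain:
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(data).decode('ascii')}"


def ndauser_password_ldif(base_suffix, new_password):
    """Return the modify record for uid=NDAUser, ou=config, <base_suffix>."""
    if len(new_password) < MIN_PASSWORD_LEN:
        raise ValueError(f"password shorter than {MIN_PASSWORD_LEN} characters")
    return "\n".join([
        f"dn: uid=NDAUser, ou=config, {base_suffix}",
        "changetype: modify",
        "replace: userpassword",
        ldif_attr("userpassword", new_password),
    ]) + "\n"


def apply_with_ldapmodify(ldif_text, shared_bin, host, port, manager_dn, manager_pw):
    """Run ldapmodify on the record, passing the LDIF on stdin. The bind
    password given with -w is visible in process listings for the duration
    of the call, so run this on the Directory Server host as the server
    administrator and prefer an interactive password prompt where the tool
    offers one."""
    cmd = [f"{shared_bin}/ldapmodify", "-h", host, "-p", str(port),
           "-D", manager_dn, "-w", manager_pw]
    return subprocess.run(cmd, input=ldif_text, text=True, check=True)


if __name__ == "__main__":
    # Placeholder suffix and password; nothing is sent to a server here.
    print(ndauser_password_ldif("o=ISP", "Correct-Horse-1"), end="")
```

After the change, log in through the Start Page once: NDAUser is the entry Delegated Administrator binds with to resolve uids at login, so a mismatch between the directory and resource.properties shows up immediately as a failed login.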
Silent Installation
If you plan to install more than one instance of Delegated Administrator, you can save a cache file that contains all of the parameters you specify during the first installation. Then, after you've installed Delegated Administrator once, you can use the cache file to quickly install additional Delegated Administrator instances. All of your responses to the installation prompts are recorded in the cache file. When you use a cache file in a new installation you are not asked any questions. Instead, all of the cache file responses are automatically applied as the new installation parameters. This type of installation is known as silent installation.
Saving the Cache File
To save the cache file, you must run the installation program with the -k command line option.
- Windows NT: Choose Run, and then enter setup -k.
- DOS command line: Enter setup -k.
The cache file from an installation is saved with the name install.inf in the server-root/setup directory. For example, if you installed the server into /home/deladmin, the cache file for that installation is: /home/deladmin/setup/install.inf.
To Use the Cache File for Installation
1. Copy the install.inf cache file to the installation directory that you are using for the new installation.
2. Review and edit the install.inf cache file as necessary. You will probably want to change some of the parameters and specifications in the cache file. For example, the host name for this installation will likely be different than the host name recorded in the cache file. Remember that the parameters listed in the cache file will be automatically applied to this installation.
3. Run setup with the -s -f filename options. The filename is the full path identifying the cache file you wish to use. For example:
- setup -s -f /home/deladmin/setup/install.inf
When you use a cache file in this way, no new cache file is created from this installation. If you have many similar server configurations to set up, you can place the configuration file plus the server installation package on each machine. You execute the setup program on each machine; it then extracts all information it needs from the configuration file as it performs the installation.
Getting Started
The Start Page was designed to provide all the information you need to quickly begin using Delegated Administrator with the sample organization Siroe. You can access the Start Page at any time by pointing a web browser to http://<host:webserver_port>/nda/start.htm. You can use the Start Page to log in as any level of administrator named in the page. The user ID and password you use to log in determine your administrator role and which branches of the directory you have access to.
1. In a browser, enter the URL for the Delegated Administrator host using the form http://<host:webserver_port>/nda/start.htm.
2. In the Delegated Administrator Login window, using the information on the Start Page, enter an administrator's system user ID and password. For example, to log in as the Service Administrator, Chris Bolton, you would enter the following:
3. Click Login. Delegated Administrator displays the administration page that is appropriate for the User ID you entered.
Using the Default Organization
You can use the default organization, Siroe, to perform the first few administration tasks, and then reconfigure it to meet your own requirements. For example, you can log in with the user ID chris and create as many organizations and administrators as you need. You can continue to use the default data and administration pages for learning or testing purposes. Once you've put your own directory structure in place, you can edit the default organization and group name, and delete the original six users from the directory. If you've created a new organization at the same level as Siroe in the Delegated Administrator user tree, you'll have to create a new start.htm page and a new login.htm page for that organization. For more information, see "Customizing Delegated Administrator." It will be available at the location where you downloaded the application.
Uninstalling Delegated Administrator
You can remove Delegated Administrator from your computer system. Both Directory Server and Web Server should be installed and running when you uninstall Delegated Administrator. When you run the Uninstall program, the following occurs:
All Delegated Administrator binaries are removed.
The web server configuration reverts to the way it was before Delegated Administrator was installed.
All Delegated Administrator files that were generated after initial installation remain on your computer system.
All data that was added to the directory when Delegated Administrator was installed, and any data that was added subsequently, remains in the directory.
To uninstall Delegated Administrator, run the Uninstall program:
Copyright © 2000 Sun Microsystems, Inc. Some preexisting portions Copyright © 2000 Netscape Communications Corp. All rights reserved.
Last Updated May 24, 2001