iPlanet Delegated Administrator 4.5 Deployment and Customization Guide



Chapter 14   Customizing Configuration in the Directory


Delegated Administrator uses iPlanet Directory Server to store the configuration information which controls the user experience. If no customized configuration information is available for an organization, Delegated Administrator uses default configuration information. Delegated Administrator enables you to customize the user experience based on your organization. Within an organization, the user experience can be further customized on a per-language basis. When you customize Delegated Administrator in these ways, you must modify the configuration information in the directory.

This chapter includes the following topics:



Default Configuration Information

The default configuration information is loaded into the Directory Server during its installation. The top-level entry for the configuration information subtree is:

cn=domainConfiguration, ou=config, o=ISP

Figure 14-1    The Default Configuration Information Tree


As shown in Figure 14-1, the default configuration tree stores information in subtrees on a per-language basis. When a user logs in, the configuration information corresponding to the user's preferred language (specified via the preferredLanguage attribute in the user's entry, or the browser language preference) is used. When an administrator creates a customized configuration for an organization, by default, the configuration information tree is stored under the organization entry. Figure 14-1 illustrates a customized configuration information tree stored for the organization represented by o=CompanyA, o=ISP.

The examples in this chapter are for the English language locale. Configuration information for other locales would be located under their corresponding entries. For example, configuration information entries for the Japanese locale would have a cn=jn component instead of cn=en in their distinguished names (DNs).

The configuration information is categorized into four major areas and stored under the following relative distinguished names (RDNs):

  • cn=mainconf

  • cn=servletsconf

  • cn=opconf

  • cn=macrosconf


cn=mainconf

This section of the subtree (see Figure 14-2) contains configuration entries that specify miscellaneous parameters controlling Delegated Administrator behavior when it performs searches (such as the time limit and size limit for searches), as well as the datatypes used in conjunction with the Page Generator. Each datatype defines the search parameters, including the search base, the search scope and the search filter. For example, the following entry defines the search parameters for the datatype allsubdomains:


objectclass: top
objectclass: extensibleObject
cn: allsubdomains
iDAhandle: allsubdomains
iDAdisplayText: All Nested Domains
iDAbaseDN: $DOMAINDN$
iDAscope: SUBTREE
iDAfilter: objectclass=nsManagedDomain


The above entry specifies that the search for the datatype allsubdomains is a subtree search starting from the base DN $DOMAINDN$. (This base DN is expanded at run time to the appropriate DN.) The search filter used is objectclass=nsManagedDomain.

A Delegated Administrator HTML file may contain a directive of the form:

<!-- S_ENTRYBEGIN "datatype=allsubdomains" "option=excludebase" -->

When the Page Generator encounters this directive, it performs a search for the datatype allsubdomains and uses the above entry to define various search parameters. The excludebase option instructs the Page Generator to exclude the base DN itself from the result set, if the base itself satisfies the search criteria. For more information about the Page Generator, see How the Templates Work.
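The resolution described above, from directive to datatype entry to search parameters, as an added Python model (not code from Delegated Administrator). The function names, the DIRECTORY snapshot and the value given to $DOMAINDN$ are assumptions made for illustration; only SUBTREE searches with an objectclass filter are modelled.

```python
import re

# Datatype entry from the page (cn=mainconf), keyed by its iDAhandle.
DATATYPES = {"allsubdomains": {"iDAbaseDN": "$DOMAINDN$", "iDAscope": "SUBTREE",
                               "iDAfilter": "objectclass=nsManagedDomain"}}

# Constructed directory snapshot: DN -> objectclass values.
DIRECTORY = {
    "o=companyA,o=ISP": ["organization", "nsManagedDomain"],
    "o=sales,o=companyA,o=ISP": ["organization", "nsManagedDomain"],
    "o=emea,o=sales,o=companyA,o=ISP": ["organization", "nsManagedDomain"],
    "ou=People,o=companyA,o=ISP": ["organizationalUnit"],
    "o=companyB,o=ISP": ["organization", "nsManagedDomain"],
}

def norm(dn):
    # Case- and whitespace-insensitive DN comparison (escaped commas not handled).
    return ",".join(rdn.strip().lower() for rdn in dn.split(","))

def parse_directive(comment):
    # Pull the quoted key=value arguments out of an S_ENTRYBEGIN comment.
    m = re.fullmatch(r'\s*<!--\s*S_ENTRYBEGIN\s+(.*?)\s*-->\s*', comment)
    if not m:
        raise ValueError("not an S_ENTRYBEGIN directive")
    return dict(re.findall(r'"([^"=]+)=([^"]*)"', m.group(1)))

def run_directive(comment, macros, directory=DIRECTORY):
    args = parse_directive(comment)
    dt = DATATYPES[args["datatype"]]
    base = dt["iDAbaseDN"]
    for name, value in macros.items():           # run-time macro expansion
        base = base.replace(f"${name}$", value)
    attr, _, wanted = dt["iDAfilter"].partition("=")
    if dt["iDAscope"] != "SUBTREE" or attr.lower() != "objectclass":
        raise NotImplementedError("model covers SUBTREE objectclass=<value> only")
    base_n, hits = norm(base), []
    for dn, classes in directory.items():
        dn_n = norm(dn)
        in_scope = dn_n == base_n or dn_n.endswith("," + base_n)
        matches = wanted.lower() in (c.lower() for c in classes)
        if dn_n == base_n and args.get("option") == "excludebase":
            continue                             # the base DN itself is dropped
        if in_scope and matches:
            hits.append(dn)
    return hits

if __name__ == "__main__":
    page_directive = '<!-- S_ENTRYBEGIN "datatype=allsubdomains" "option=excludebase" -->'
    print(run_directive(page_directive, {"DOMAINDN": "o=companyA,o=ISP"}))
```

Running the same directive without the excludebase option returns o=companyA,o=ISP as well, because the base entry itself matches the filter.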

Figure 14-2    cn=mainconf



cn=servletsconf

This section of the configuration information tree (see Figure 14-3) controls the Delegated Administrator behavior when creating new objects. When an administrator creates a new object, such as a new user or a new organization, Delegated Administrator will populate the entry with certain objectclasses and attributes that are defined by the corresponding object definition entry. For example, the following entry controls the creation of new user objects:


objectclass: top
objectclass: extensibleObject
cn: User
iDAobjectclass: top
iDAobjectClass: person
iDAobjectClass: organizationalPerson
iDAobjectClass: inetOrgPerson
iDAobjectClass: mailRecipient
iDAobjectClass: nsMessagingServerUser
iDAobjectClass: nsManagedPerson
iDArequiredAttribute: cn
iDArequiredAttribute: sn
iDArequiredAttribute: uid
iDArequiredAttribute: userPassword
iDAattribute: nsdadomain $DomainContainerName$
iDAattribute: owner $ThisDeptAdminGroupDN$
iDArdnAttribute: uid
iDAdataTypeIdent: enduser
iDAsearchFilter: objectClass=nsManagedPerson
iDAparentDN: "ou=People, $DomainContainerDN$"
iDAcnComposition: $givenname$ $sn$


The above entry specifies that the new user entry will have the following objectclasses:

  • top

  • person

  • organizationalPerson

  • inetOrgPerson

  • mailRecipient

  • nsMessagingServerUser

  • nsManagedPerson

The RDN attribute for the user entry will be uid. It also specifies the various required attributes that will be populated by Delegated Administrator. Furthermore, the location where this new user entry will be created and how the cn attribute will be composed are also specified by this configuration entry.

Figure 14-3    cn=servletsconf



cn=opconf

This section of the configuration information tree defines the mapping from an operation to a template, which is an HTML file. The NDAGetPage servlet works in conjunction with the Page Generator to create a graphical user interface (GUI) page. The NDAGetPage servlet is invoked with an operation (op) as a parameter. Delegated Administrator determines the corresponding template (HTML file) based on the type of user, such as Top Level Administrator, End User, and so on.

Figure 14-4 illustrates how these configuration entries are organized based on the type of user. For each user type, entries are defined for each operation. For example, when the Top Level Administrator clicks on the link to edit a user entry, the NDAGetPage servlet is invoked with editUser as the operation. The HTML file that is displayed in response to this operation is controlled by the following entry:


objectclass: top
objectclass: nsValueItem
cn: editUser
nsValueType: nsValueCIS
nsValueCIS: ../templates/dialogs/EditUserFrame.html


The above entry specifies that the HTML template to use is ../templates/dialogs/EditUserFrame.html.

Figure 14-4    cn=opconf



cn=macrosconf

The Page Generator uses macros for dynamically substituting context-specific information. As in the example above for the datatype allsubdomains, the macro $DOMAINDN$ will be substituted with a specific DN when an administrator is navigating through the organization hierarchy.



Customizing Configuration Information



Customizing configuration information involves modifying the configuration information entries. When you modify these entries, it helps to have a working knowledge of the following:

  • Customizing the default configuration

  • Customizing configuration for an organization

  • The domain.map file

  • The Lookup algorithm


Customizing the Default Configuration

To customize the default configuration information, you need to modify the configuration information entries that control Delegated Administrator behavior when no custom configuration information is available for a specific organization. For example, to change the time limit when a search times out, you can modify the following entry:


objectclass: top
objectclass: nsValueItem
cn: searchtimelimit
nsValueType: nsValueCIS
nsValueCIS: 10
nsValueDescription: Default server side timeout value for a search


You can increase the time limit to 30 seconds by modifying the nsValueCIS attribute in the above entry to 30. Similarly, you can customize any of the entries in the cn=opconf section to change the templates that are used in response to operation requests. You can change the datatype definitions to modify the search criteria, or add new datatypes of your own by defining the search base DN, the search scope and the search filter.

Any change made to the default configuration information will affect all the organizations that do not define their own configuration information.


Customizing Configuration for an Organization

If you have a separate configuration information tree for a particular organization, then you can make changes to the entries for this organization's configuration tree. For example, changes made to the configuration tree for companyA (Figure 14-1) will only affect users who belong to companyA. To create a new configuration information tree for an organization, refer to the section on Configuration Management Utilities.


The domain.map File

The domain.map file can be used to specify the location where the configuration information tree for an organization can be found. By default, Delegated Administrator will look for this information directly under the entry for this organization. For example, in Figure 14-1, Delegated Administrator will attempt to locate the configuration information for companyA under the following base DN:

dn: cn=domainConfiguration, o=companyA, o=ISP

If the configuration information tree is located elsewhere, you can use the domain.map file to specify this location. This file is located in the <DelegatedAdmin_root>/nda/nda directory. If the configuration information is located under the base DN cn=domainConfiguration,cn=someplaceelse,o=ISP, you can specify the following line (use a single line) in the domain.map file:

o=companyA,o=ISP companyA cn=domainConfiguration,cn=someplaceelse,o=ISP

The first element specifies the organization to which this directive is applicable. The second element tells Delegated Administrator where it can find customized templates (HTML files) for this organization. The last element tells it where the configuration information tree is located.


The Lookup Algorithm

The Delegated Administrator attempts to locate the configuration information tree for an organization in the following order:

  1. If the domain.map file specifies the location for the configuration information, Delegated Administrator uses the information stored in the subtree at that location.

  2. If there is no entry in the domain.map file, Delegated Administrator attempts to locate the configuration information in the default location (cn=domainConfiguration) below the entry for the organization.

  3. If Delegated Administrator cannot locate the configuration information after steps 1 and 2 above, it uses the default configuration information (cn=domainConfiguration,ou=config,o=ISP).
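The lookup order above, combined with the domain.map line format from the previous section, as an added Python example (not Delegated Administrator code) for working out which configuration tree governs an organization. The function names and the directory snapshot containing companyB are assumptions made for illustration; DNs are compared ignoring case and spaces after commas, because the page writes the same DNs both ways.

```python
DEFAULT_CONFIG_DN = "cn=domainConfiguration,ou=config,o=ISP"  # default tree named on the page

def norm_dn(dn):
    # Compare DNs ignoring case and spaces after commas.
    # Simplification: RDN values containing escaped commas are not handled.
    return ",".join(rdn.strip().lower() for rdn in dn.split(","))

def parse_domain_map(text):
    # One directive per line: <organization DN> <template location> <config base DN>.
    # Assumption: DNs are written without spaces, as in the page's sample line.
    directives = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 3:
            raise ValueError(f"domain.map line {lineno}: expected 3 elements, got {len(fields)}")
        org_dn, templates, config_dn = fields
        directives[norm_dn(org_dn)] = (templates, config_dn)
    return directives

def resolve_config(org_dn, directives, existing_dns):
    # Returns (config base DN, lookup step that selected it, subtree present?).
    present = {norm_dn(dn) for dn in existing_dns}
    if norm_dn(org_dn) in directives:                    # step 1: domain.map
        config_dn = directives[norm_dn(org_dn)][1]
        # The page does not say what happens when the mapped subtree is missing,
        # so that case is reported to the caller rather than guessed at.
        return config_dn, 1, norm_dn(config_dn) in present
    candidate = "cn=domainConfiguration," + org_dn       # step 2: below the organization
    if norm_dn(candidate) in present:
        return candidate, 2, True
    return DEFAULT_CONFIG_DN, 3, norm_dn(DEFAULT_CONFIG_DN) in present  # step 3: default

# Sample data: the domain.map line is the page's example; the directory
# snapshot (including companyB) is constructed for illustration.
DOMAIN_MAP = "o=companyA,o=ISP companyA cn=domainConfiguration,cn=someplaceelse,o=ISP\n"
SNAPSHOT = [
    "cn=domainConfiguration, ou=config, o=ISP",
    "cn=domainConfiguration, o=companyB, o=ISP",
]

if __name__ == "__main__":
    directives = parse_domain_map(DOMAIN_MAP)
    for org in ("o=CompanyA, o=ISP", "o=companyB, o=ISP", "o=companyC, o=ISP"):
        print(org, "->", resolve_config(org, directives, SNAPSHOT))
```

A result of step 1 with the third element False means domain.map points at a subtree that is absent from the snapshot, which is worth checking before relying on that organization's customized configuration.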



Configuration Management Utilities

To facilitate the process of customizing configuration information for an organization, Delegated Administrator provides two basic configuration management utilities. These are available to the Top-level Administrator and the Organization Administrator under the Configuration Tab.


Using the Configuration Management Tab

Top-level Administrators and Organization Administrators can use the Configuration Tab to manage certain basic configuration related tasks.




Reloading Configuration

Delegated Administrator reads and caches the configuration information at start-up (when a Delegated Administrator servlet is invoked for the first time after a web server start or restart). Ordinarily, any changes to the configuration information tree will be effective only after the web server is restarted.

You can, however, force Delegated Administrator to reload the configuration information by using the Configuration Tab.


Copying Configuration

You can begin the process of creating customized configuration information for an organization by first copying the default configuration information (or configuration information from another organization). The Configuration Tab aids you in this process by creating the necessary entries and ACIs for Delegated Administrator to function correctly. Once you have a copy of the configuration information tree, you can then modify various entries to provide the desired customized behavior.


Using Directory Server Console and Command-Line Utilities

To modify the configuration information, you can use the Directory Server Console or command-line utilities such as ldapmodify. For more information, see the iPlanet Directory Server Administrator's Guide.


Copyright © 2000 Sun Microsystems, Inc. Some preexisting portions Copyright © 2000 Netscape Communications Corp. All rights reserved.

Last Updated May 24, 2001