iPlanet Delegated Administrator 4.5 Deployment and Customization Guide



Appendix A       Using an Existing User Directory


If you have already deployed Netscape Directory Server and populated it with users and groups, you must modify both your user directory tree and the Delegated Administrator framework so that the two will work together. The changes you make depend upon your existing directory structure.

Note If you have already installed Netscape Delegated Administrator 4.1x and are upgrading to iPlanet Delegated Administrator 4.5, see Upgrading from Delegated Administrator Version 4.11.



This appendix provides general guidelines to help you edit your directory entries to allow them to be managed by Delegated Administrator. It includes the following topics:

  • Modifying Your User Directory

  • Configuring Delegated Administrator for Other Tree Structures



Modifying Your User Directory

If Delegated Administrator detects during installation that you already have data stored at your desired suffix, it will install all required configuration information in the directory. But it will NOT modify or add to existing user, group, or organization data. Before Delegated Administrator can manage your existing user data, you must manually make the following changes in your user directory:

  • Add Delegated Administrator object classes and attributes to all user, group, and organization entries.

  • Add Delegated Administrator ACIs to the root of the tree and to each organization node.

  • Add Administrator groups at the root level and at each organization level.

  • Compute and store the number of objects in the tree.

    Note The updates to user data described in this appendix require advanced experience with Netscape Directory Server, the LDAP Data Interchange Format (LDIF), and Access Control Instructions (ACIs). For comprehensive documentation on these topics, see the Directory Server Administrator's Guide.



In the following steps and examples, there is one container node for all users under each organization. There may be any number of organizations under the root entry for the user data tree, and organizations may be nested.


Step 1: Create a Top-level Administrator

It is necessary to create a Top-level Administrator entry in your directory to initiate the delegation process before Delegated Administrator is installed. The new Top-level Administrator serves as the entry point to the Delegated Administrator User Interface.

The new or existing user entry must contain the DN appropriate to your base suffix and the specific attributes in the following example.

  1. Create a new user, or modify an existing one.

    The example DN in this step assumes the organization o=Siroe exists under the base suffix o=ISP and chris belongs to o=Siroe. Alter the construct to reflect the DN for your directory.

    uid=chris, ou=People, o=Siroe, o=ISP

  2. Add the following attribute to the Top-level Administrator group entry (dn: cn=Service Administrators, ou=Groups, o=ISP):

    uniqueMember: uid=chris, ou=People, o=Siroe, o=ISP

  3. Add the following attribute to the user entry.

    memberOf: cn=Service Administrators, ou=Groups, o=ISP

The user is now a Top-level Administrator, with the permissions afforded to that category of user.


Step 2: Modify user entries.

  1. Each user entry must contain the nsManagedPerson object class.

  2. In each user entry, add the attribute nsdaDomain. The value of the attribute must be the name of the organization that the user belongs to.

    Example:


    dn: uid=scarter, ou=Users, o=Siroe.com, o=ISP
    objectclass: top
    objectclass: person
    objectclass: organizationalperson
    objectclass: inetorgperson
    objectclass: nsManagedPerson
    uid: scarter
    userpassword: password
    cn: Sam Carter
    sn: Carter
    givenname: Sam
    nsdaDomain: Siroe.com
    telephoneNumber: 650.555.1212
    mail: scarter@Siroe.com


Step 3: Modify Organization Entries.

  1. Each organization entry must contain the nsManagedDomain object class.

  2. Add the following attributes to each organization entry (sample values are listed, indicating the maximum number of objects of various types which may be created in the organization):

    nsmaxusers: 1000

    nsmaxdepts: 100

    nsmaxmaillists: 1000

    nsmaxdomains: 10

    Example:


    # Siroe domain
    #
    dn: o=Siroe.com, o=ISP
    objectclass: top
    objectclass: organization
    objectclass: nsManagedDomain
    description: Domain Root for Siroe.com
    nsMaxUsers: 1000
    nsMaxDepts: 100
    nsMaxMailLists: 1000
    nsMaxDomains: 10
    o: Siroe.com

  3. The following ACIs must be added to each organization entry, replacing o=Siroe.com, o=isp with the DN of the entry. The file isp.ldif contains the default Delegated Administrator ACIs, and is available for download at http://docs.iplanet.com/docs/manuals/deladmin/45/scripts/isp.ldif.


    aci:(targetattr="*")(targetfilter=(objectClass=nsManagedDomain))(version 3.0; acl "Domain Adm domain access"; allow (read,search) groupdn="ldap:///cn=Domain Administrators, ou=Groups, o=Siroe.com, o=isp";)

    aci: (target="ldap:///cn=Domain Administrators, ou=Groups, o=Siroe.com,o=isp")(targetattr="*")(targetfilter=(|(objectClass=nsManagedDeptAdminGroup)(objectClass=nsManagedDept)))(version 3.0; acl "Domain Adm dept access"; allow (read,search) groupdn="ldap:///cn=Domain Administrators, ou=Groups, o=Siroe.com, o=isp";)

    aci: (target="ldap:///cn=Domain Help Desk Administrators, ou=Groups, o=Siroe.com, o=isp")(targetattr="*")(targetfilter=(|(objectClass=nsManagedDeptAdminGroup)(objectClass=nsManagedDept)))(version 3.0; acl "Domain Adm dept access"; allow (read,search,write) groupdn="ldap:///cn=Domain Administrators, ou=Groups, o=Siroe.com, o=isp";)

    aci: (target="ldap:///cn=Domain Department Administrators,ou=Groups,o=Siroe.com,o=isp")(targetattr="*")(targetfilter=(|(objectClass=nsManagedDeptAdminGroup)(objectClass=nsManagedDept)))(version 3.0; acl "Domain Adm dept access"; allow (read,search,write) groupdn="ldap:///cn=Domain Administrators, ou=Groups,o=Siroe.com, o=isp" or groupdn="ldap:///cn=Domain Department Administrators, ou=Groups, o=Siroe.com, o=isp";)

    aci:(target="ldap:///ou=*,o=Siroe.com,o=isp")(targetattr="*")(targetfilter=(objectClass=nsManagedOrgUnit))(version 3.0; acl "Domain Adm org unit access"; allow (read,search,write) groupdn="ldap:///cn=Domain Administrators, ou=Groups, o=Siroe.com, o=isp";)

    aci: (target="ldap:///ou=*, o=Siroe.com,o=isp")(targetattr="*")(targetfilter=(|(objectClass=nsManagedDept)(objectClass=nsManagedDeptAdminGroup)(objectClass=nsManagedMailList)))(version 3.0; acl "Domain Adm dept access"; allow (all) groupdn="ldap:///cn=Domain Administrators, ou=Groups, o=Siroe.com, o=isp";)

    aci:(targetattr="*")(targetfilter=(objectClass=nsManagedPerson))(version 3.0; acl "Domain Adm user access"; allow (read,search,add) groupdn="ldap:///cn=Domain Administrators, ou=Groups,o=Siroe.com, o=isp";)

    aci:(targetattr="*")(targetfilter=(&(objectClass=nsManagedPerson)(&(!(memberOf=cn=Service Administrators, ou=Groups,o=isp))(&(!(memberOf=cn=Service Help Desk Administrators, ou=Groups, o=isp))(!(memberOf=cn=Domain Administrators, ou=Groups, o=Siroe.com, o=isp))))))(version 3.0; acl "Domain Adm user modify access"; allow (write,delete) groupdn="ldap:///cn=Domain Administrators, ou=Groups, o=Siroe.com, o=isp";)

    aci: (target="ldap:///o=*, o=Siroe.com,o=isp")(targetattr="*")(targetfilter=(|(objectClass=nsManagedDomain)(objectClass=nsManagedDeptAdminGroup)(objectClass=nsManagedOrgUnit)(objectClass=nsManagedDept)(objectClass=nsManagedMailList)))(version 3.0; acl "Domain Adm access"; allow (all) groupdn="ldap:///cn=Domain Administrators, ou=Groups, o=Siroe.com, o=isp";)

    aci:(targetattr="*")(targetfilter=(|(objectClass=nsManagedDomain)(objectClass=nsManagedPerson)))(version 3.0; acl "DHDA access"; allow (read,search) groupdn="ldap:///cn=Domain Help Desk Administrators, ou=Groups, o=Siroe.com, o=isp";)

    aci:(targetattr="*")(targetfilter=(objectClass=nsManagedMailList))(version 3.0; acl "DHDA mail list access"; allow (all) groupdn="ldap:///cn=Domain Help Desk Administrators, ou=Groups, o=Siroe.com, o=isp";)

    aci:(targetattr="userPassword")(targetfilter=(&(objectClass=nsManagedPerson)(&(!(memberOf=cn=Service Administrators, ou=Groups, o=isp))(&(!(memberOf=cn=Service Help Desk Administrators, ou=Groups, o=isp))(&(!(memberOf=cn=Domain Administrators, ou=Groups, o=Siroe.com, o=isp))(!(memberOf=cn=Domain Help Desk Administrators, ou=Groups, o=Siroe.com, o=isp)))))))(version 3.0; acl "DHDA user write access"; allow (write) groupdn="ldap:///cn=Domain Help Desk Administrators, ou=Groups, o=Siroe.com, o=isp";)



Step 4: Create Start and Login Pages for Each Organization.

Each organization must have its own Start page and Login page.

If you want to replace the default organization Siroe.com with your own organization, modify its Start and Login pages.

  1. In the file <delegatedadmin_root>/nda/nda/start.htm, modify the following line, replacing o=Siroe.com with the base DN for the organization:

    var domain = "o=Siroe.com";

  2. In the file <delegatedadmin_root>/nda/nda/login.htm, modify the following line, replacing o=Siroe.com with the base DN for the organization:

    var domain = "o=Siroe.com";

If you're creating a new organization, or modifying an existing one, first determine the location of the files for the new organization. For example, the files for the default Delegated Administrator organization Siroe.com are stored here:

<delegatedadmin_root>/nda/nda/default/en

If organization ABC replicates this structure, its organization files will be stored here:

<delegatedadmin_root>/nda/nda/ABC/en

Once you've determined the appropriate file location, follow these steps to create the new Start and Login pages for the organization:

  1. Copy these files to the directory where your organization files are stored:

    <delegatedadmin_root>/nda/nda/start.htm

    <delegatedadmin_root>/nda/nda/login.htm

  2. In the file start.htm, modify the following line, replacing o=Siroe.com with the base DN for the organization:

    var domain = "o=Siroe.com";

  3. In the file login.htm, modify the following line, replacing o=Siroe.com with the base DN for the organization:

    var domain = "o=Siroe.com";


Step 5: Modify the Root Entry.

  1. The root entry of the tree - the parent of all top-level organizations - must contain the object class nsManagedISP.

    Example:


    dn: o=ISP
    objectclass: top
    objectclass: organization
    objectclass: nsManagedISP
    o: ISP

  2. Add the following ACIs to the root entry, replacing o=isp with the DN of the entry.


    aci:(targetattr!="userPassword")(targetfilter=(objectClass=nsManagedPerson))(version 3.0; acl "Anonymous access to User entries"; allow (read,search) userdn="ldap:///anyone";)

    aci:(target="ldap:///cn=postmaster,o=isp")(targetattr="*")(version 3.0; acl "Anonymous access to Postmaster entry"; allow (read,search) userdn="ldap:///anyone";)

    aci:(target="ldap:///cn=domainConfiguration, ou=config,o=isp")(targetattr="*")(version 3.0; acl "Anonymous access to Configuration entry"; allow (read,search) userdn="ldap:///anyone";)

    aci:(targetattr="objectClass||uid||mail||userCertificate")(targetfilter=(objectClass=nsManagedPerson))(version 3.0; acl "NDAUser access"; allow (read,search) userdn="ldap:///uid=NDAUser, ou=config, o=isp";)

    aci:(targetattr="objectClass||o||nsNumDomains")(targetfilter=(objectClass=nsManagedISP))(version 3.0; acl "NDAUser access"; allow (read,search) userdn="ldap:///uid=NDAUser, ou=config, o=isp";)

    aci:(targetattr="objectClass||o||nsNumUsers||nsNumDepts||nsNumMailLists||nsNumDomains||nsMaxUsers||nsMaxDepts||nsMaxMailLists||nsMaxDomains")(targetfilter=(objectClass=nsManagedDomain))(version 3.0; acl "NDAUser access"; allow (read,search) userdn="ldap:///uid=NDAUser, ou=config, o=isp";)

    aci:(targetattr="objectClass||cn||nsNumUsers||nsNumDepts||nsMaxUsers||nsMaxDepts")(targetfilter=(objectClass=nsManagedDept))(version 3.0; acl "NDAUser access"; allow (read,search) userdn="ldap:///uid=NDAUser, ou=config, o=isp";)

    aci:(targetattr="objectClass||cn||nsNumUsers||nsMaxUsers")(targetfilter=(objectClass=nsManagedMailList))(version 3.0; acl "NDAUser access"; allow (read,search) userdn="ldap:///uid=NDAUser, ou=config, o=isp";)

    aci:(targetattr="nsNumDomains")(targetfilter=(objectClass=nsManagedISP))(version 3.0; acl "NDAUser access"; allow (write) userdn="ldap:///uid=NDAUser, ou=config, o=isp";)

    aci:(targetattr="nsNumUsers||nsNumDepts||nsNumMailLists||nsNumDomains")(targetfilter=(objectClass=nsManagedDomain))(version 3.0; acl "NDAUser access"; allow (write) userdn="ldap:///uid=NDAUser, ou=config, o=isp";)

    aci:(targetattr="nsNumUsers||nsNumDepts")(targetfilter=(objectClass=nsManagedDept))(version 3.0; acl "NDAUser access"; allow (write) userdn="ldap:///uid=NDAUser, ou=config, o=isp";)

    aci:(targetattr="nsNumUsers")(targetfilter=(objectClass=nsManagedMailList))(version 3.0; acl "NDAUser access"; allow (write) userdn="ldap:///uid=NDAUser, ou=config, o=isp";)

    aci:(targetattr="*")(targetfilter=(objectClass=nsManagedISP))(version 3.0; acl "SA root node access"; allow (read,search) groupdn="ldap:///cn=Service Administrators, ou=Groups, o=isp";)

    aci:(targetattr="*")(targetfilter=(|(objectClass=nsManagedDomain)(objectClass=nsManagedOrgUnit)(objectClass=nsManagedDeptAdminGroup)(objectClass=nsManagedDept)(objectClass=nsManagedMailList)(objectClass=nsManagedPerson)))(version 3.0; acl "SA domain access"; allow (all) groupdn="ldap:///cn=Service Administrators, ou=Groups, o=isp";)

    aci:(targetattr="*")(targetfilter=(|(objectClass=nsManagedISP)(|(objectClass=nsManagedDomain)(objectClass=nsManagedPerson))))(version 3.0; acl "SHDA rootnode access"; allow (read,search) groupdn="ldap:///cn=Service Help Desk Administrators, ou=Groups, o=isp";)

    aci:(targetattr="userPassword")(targetfilter=(&(objectClass=nsManagedPerson)(&(!(memberOf=cn=Service Administrators, ou=Groups, o=isp))(!(memberOf=cn=Service Help Desk Administrators, ou=Groups, o=isp)))))(version 3.0; acl "SHDA user write access"; allow (write) groupdn="ldap:///cn=Service Help Desk Administrators, ou=Groups, o=isp";)

    aci:(targetattr="*")(targetfilter=(|(objectClass=nsManagedDept)(objectClass=nsManagedDeptAdminGroup)))(version 3.0; acl "Dept Adm dept access"; allow (read,search) userdn="ldap:///o=isp??sub?(memberOf=cn=Department Administrators*)" and groupdnattr="ldap:///o=isp?nsDAModifiableBy";)

    aci:(targetattr="nsNumUsers||nsNumDepts||uniqueMember")(targetfilter=(|(objectClass=nsManagedDept)(objectClass=nsManagedDept)))(version 3.0; acl "Dept Adm dept access"; allow (write) userdn="ldap:///o=isp??sub?(memberOf=cn=Department Administrators*)" and groupdnattr="ldap:///o=isp?nsDAModifiableBy";)

    aci:(targetattr="*")(targetfilter=(|(objectClass=nsManagedDeptAdminGroup)(objectClass=nsManagedDept)))(version 3.0; acl "Dept Adm dept access"; allow (all) userdn="ldap:///o=isp??sub?(memberOf=cn=Department Administrators*)" and groupdnattr="ldap:///o=isp?owner";)

    aci:(targetattr="*")(targetfilter=(objectClass=nsManagedPerson))(version 3.0; acl "Dept Adm user modify access"; allow (write,delete) userdn="ldap:///o=isp??sub?(memberOf=cn=Department Administrators*)" and groupdnattr="ldap:///o=isp?owner";)

    aci:(targetattr="*")(targetfilter=(objectClass=nsManagedPerson))(version 3.0; acl "Dept Adm user create access"; allow (add) userdn="ldap:///o=isp??sub?(memberOf=cn=Department Administrators*)";)

    aci:(targetattr="*")(targetfilter=(objectClass=nsManagedPerson))(version 3.0; acl "User self modification"; allow (read,search) userdn="ldap:///self";)

    aci:(targetattr!="uid||ou||owner||nsDAModifiableBy||nsDACapability||mail||mailAlternateAddress||memberOf||nsDADomain")(targetfilter=(objectClass=nsManagedPerson))(version 3.0; acl "User self modification"; allow (write) userdn="ldap:///self";)

    aci: (targetfilter=(objectClass=nsManagedPerson))(version 3.0; acl "User self deletion"; deny (delete) userdn="ldap:///self";)

    aci:(targetattr="memberOf")(targetfilter=(objectClass=nsManagedPerson))(version 3.0; acl "Administrator self promotion or demotion"; deny (write) userdn="ldap:///self";)

    aci:(targetattr="*")(targetfilter=(objectClass=nsManagedMailList))(version 3.0; acl "Mail list create access"; allow (add) userdn="ldap:///o=isp??sub?(nsDACapability=mailListCreate)";)

    aci:(targetattr!="nsMaxUsers")(targetfilter=(objectClass=nsManagedMailList))(version 3.0; acl "Mail list owner access"; allow (read,search,write,delete) groupdnattr="ldap:///o=isp?owner";)

    aci: (target="ldap:///ou=COS, o=ISP")(targetattr="*")(version 3.0; acl "Access to all for read/search"; allow (read,search) userdn="ldap:///all";)
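The following Python audit is an added example, not code from the guide: it parses ACIs written in the clause order used throughout this appendix and lists what each one grants to anonymous (ldap:///anyone) or all (ldap:///all) binds, which is the review worth running after the root ACIs are in place. The sample list is constructed here from three of the ACIs above plus one deliberately over-broad ACI that is not on the page.

```python
import re

# Constructed sample: three root-entry ACIs copied from the list above, plus one
# deliberately over-broad ACI (NOT on the page) so the audit has something to flag.
SAMPLE_ACIS = [
    'aci:(targetattr!="userPassword")(targetfilter=(objectClass=nsManagedPerson))'
    '(version 3.0; acl "Anonymous access to User entries"; allow (read,search) '
    'userdn="ldap:///anyone";)',
    'aci:(target="ldap:///cn=postmaster,o=isp")(targetattr="*")(version 3.0; '
    'acl "Anonymous access to Postmaster entry"; allow (read,search) '
    'userdn="ldap:///anyone";)',
    'aci:(targetattr="userPassword")(targetfilter=(&(objectClass=nsManagedPerson)'
    '(&(!(memberOf=cn=Service Administrators, ou=Groups, o=isp))'
    '(!(memberOf=cn=Service Help Desk Administrators, ou=Groups, o=isp)))))'
    '(version 3.0; acl "SHDA user write access"; allow (write) '
    'groupdn="ldap:///cn=Service Help Desk Administrators, ou=Groups, o=isp";)',
    'aci:(targetattr="*")(targetfilter=(objectClass=nsManagedPerson))(version 3.0; '
    'acl "CONSTRUCTED too broad"; allow (read,search) userdn="ldap:///anyone";)',
]

# Clause order as used in this appendix: target, targetattr, targetfilter, then
# the "(version 3.0; acl ...; allow|deny (...) <bind rule>;)" body.
ACI_RE = re.compile(
    r'^aci:\s*'
    r'(?:\(target="(?P<target>[^"]*)"\))?\s*'
    r'(?:\(targetattr(?P<neg>!?)="(?P<attrs>[^"]*)"\))?\s*'
    r'(?:\(targetfilter=(?P<filter>.*?)\))?\s*'
    r'\(version\s*3\.0;\s*acl\s*"(?P<name>[^"]*)";\s*'
    r'(?P<effect>allow|deny)\s*\((?P<rights>[^)]*)\)\s*'
    r'(?P<bind>.*?);\s*\)$'
)


def parse_aci(text):
    """Split one ACI value into its parts; raises ValueError on an unexpected layout."""
    m = ACI_RE.match(" ".join(text.split()))      # collapse any wrapped whitespace
    if not m:
        raise ValueError("unparsed ACI: " + text[:60])
    d = m.groupdict()
    d["rights"] = [r.strip() for r in d["rights"].split(",")]
    # targetattr="*" (or no targetattr clause) means every attribute of the entry
    d["attrs"] = None if d["attrs"] in (None, "*") else \
        [a.strip().lower() for a in d["attrs"].split("||")]
    d["neg"] = d["neg"] == "!"                     # targetattr!="..." form
    return d


def covers_attribute(aci, attr):
    """True if the ACI's targetattr set includes attr, honouring the != form."""
    if aci["attrs"] is None:
        return not aci["neg"]
    return (attr.lower() in aci["attrs"]) != aci["neg"]


def anonymous_grants(aci_texts):
    """Every ACI that allows something to unauthenticated (anyone) or all binds."""
    findings = []
    for text in aci_texts:
        aci = parse_aci(text)
        if aci["effect"] != "allow":
            continue
        if "ldap:///anyone" not in aci["bind"] and "ldap:///all" not in aci["bind"]:
            continue
        findings.append({
            "name": aci["name"],
            "target": aci["target"] or "(whole subtree)",
            "filter": aci["filter"],
            "rights": aci["rights"],
            # an anonymous read that also covers userPassword is exactly what the
            # page's own ACI avoids with targetattr!="userPassword"
            "password_readable": "read" in aci["rights"]
                                 and covers_attribute(aci, "userPassword"),
        })
    return findings
```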



Step 6: Create Group Containers.

  1. Create a group container named ou=Groups under the root of the tree, and then create a container named ou=Groups under each organization.

  2. Each ou=Groups container entry must include the nsManagedOrgUnit object class.

    Examples:


    dn: ou=Groups, o=isp
    objectclass: top
    objectclass: organizationalUnit
    objectclass: nsManagedOrgUnit
    ou: Groups

    dn: ou=Groups, o=Siroe.com, o=isp
    objectclass: top
    objectclass: organizationalUnit
    objectclass: nsManagedOrgUnit
    ou: Groups

  3. Add the following ACIs to each group container entry except for the one directly under the root of the tree. Using this example, replace o=Siroe.com, o=isp with the DN of the entry.


    aci:(targetattr="uniqueMember")(targetfilter=(&(objectClass=nsManagedMailList)(mgmanJoinability=all)))(version 3.0; acl "User self subscribe access"; allow (selfwrite) userdn="ldap:///uid=*, ou=People, o=Siroe.com, o=isp";)

    aci:(targetattr!="uniqueMember||mgrpRfc822MailMember")(targetfilter=(&(objectClass=nsManagedMailList)(mgmanHidden=false)))(version 3.0; acl "User mail list access when visible"; allow (read,search) userdn="ldap:///uid=*, ou=People, o=Siroe.com, o=isp";)

    aci:(targetattr="uniqueMember||mgrpRfc822MailMember")(targetfilter=(&(objectClass=nsManagedMailList)(mgmanMemberVisibility=all)))(version 3.0; acl "User mail list member access"; allow (read,search) userdn="ldap:///uid=*, ou=People, o=Siroe.com, o=isp";)

    aci:(targetattr="uniqueMember||mgrpRfc822MailMember")(targetfilter=(&(objectClass=nsManagedMailList)(mgmanMemberVisibility=restricted)))(version 3.0; acl "User mail list access - group"; allow (read,search) groupdnattr="ldap:///o=isp?mgmanMemberVisibilityGroup";)

    aci:(targetattr="uniqueMember||mgrpRfc822MailMember")(targetfilter=(&(objectClass=nsManagedMailList)(mgmanMemberVisibility=anyone)))(version 3.0; acl "User mail list access - public"; allow (read,search) userdn="ldap:///anyone";)



Step 7: Add New Administrator Groups.

  1. Create the following administrator groups under the ou=Groups node which is directly below the root entry of the tree. Using this example, you would replace o=isp with the DN of the root of your tree, and replace the two uniquemember values with the DNs of existing administrator users. Example:


    dn: cn=Service Administrators, ou=Groups, o=isp
    objectclass: top
    objectclass: groupOfUniqueNames
    objectclass: nsManagedDept
    objectclass: inetAdmin
    cn: Service Administrators
    nsmaxusers: Unlimited
    adminrole: Service Administrators
    uniquemember: uid=chris, ou=People, o=Siroe.com, o=isp

    dn: cn=Service Help Desk Administrators, ou=Groups, o=isp
    objectclass: top
    objectclass: groupOfUniqueNames
    objectclass: nsManagedDept
    objectclass: inetAdmin
    cn: Service Help Desk Administrators
    nsmaxusers: Unlimited
    adminrole: Service Help Desk Administrators
    uniquemember: uid=fred, ou=People, o=Siroe.com, o=isp


  2. Create the following administrator groups in the ou=Groups node under each organization in the tree (replace o=Siroe.com, o=isp with the DN of the organization):


    dn: cn=Domain Administrators, ou=Groups, o=Siroe.com, o=isp
    objectclass: top
    objectclass: groupOfUniqueNames
    objectclass: nsManagedDept
    objectclass: inetAdmin
    cn: Domain Administrators
    adminrole: Domain Administrators
    nsmaxusers: Unlimited

    dn: cn=Domain Department Administrators, ou=Groups, o=Siroe.com, o=isp
    objectclass: top
    objectclass: groupOfUniqueNames
    objectclass: nsManagedDept
    objectclass: inetAdmin
    cn: Domain Department Administrators
    adminrole: Domain Department Administrators
    nsmaxusers: Unlimited

    dn: cn=Domain Help Desk Administrators, ou=Groups, o=Siroe.com, o=isp
    objectclass: top
    objectclass: groupOfUniqueNames
    objectclass: nsManagedDept
    objectclass: inetAdmin
    cn: Domain Help Desk Administrators
    adminrole: Domain Help Desk Administrators
    nsmaxusers: Unlimited


Step 8: Update the Containers for People.

The container node for users in each organization (ou=People by default) must include the objectclass nsManagedOrgUnit and the following ACI (replace o=Siroe.com, o=isp with the DN of the organization):


dn: ou=People, o=Siroe.com, o=isp
objectclass: top
objectclass: organizationalUnit
objectclass: nsManagedOrgUnit
ou: People
aci:(targetattr!="userPassword")(targetfilter=(objectClass=nsManagedPerson))(version 3.0; acl "User access to all users in domain"; allow (read,search) userdn="ldap:///uid=*, ou=People, o=Siroe.com, o=isp";)


Step 9: Create Non-Administrator Groups.

  1. If non-administrator groups are to be managed by Delegated Administrator, they should be created under ou=Groups for each organization. In early versions of Delegated Administrator, these groups were called Departments. If you want to create non-administrator groups manually rather than through the GUI, the group should look like the sample below. In this example, replace Group1 with the name of the group, o=Siroe.com, o=isp with the DN of the organization, and substitute existing group members for the uniquemember value:


    dn: cn=Group1, ou=Groups, o=Siroe.com, o=isp
    objectclass: top
    objectclass: groupOfUniqueNames
    objectclass: nsManagedDept
    cn: Group1
    nsmaxusers: 20
    nsmaxdepts: 10
    uniquemember: uid=bill, ou=People, o=Siroe.com, o=isp
    nsdamodifiableby: cn=Department Administrators, cn=Group1, ou=Groups, o=Siroe.com, o=isp

  2. Create an administrator group under each such group. In the following example, replace Group1 with the name of the group, o=Siroe.com, o=isp with the DN of the organization, and substitute an existing administrator user or users for the uniquemember value:

    dn: cn=Department Administrators, cn=Group1, ou=Groups, o=Siroe.com, o=isp
    objectclass: top
    objectclass: groupOfUniqueNames
    objectclass: nsManagedDeptAdminGroup
    objectclass: inetAdmin
    cn: Department Administrators
    adminrole: Department Administrators
    uniquemember: uid=doris, ou=People, o=Siroe.com, o=isp


Step 10: Initialize the Object Counters.

Delegated Administrator keeps track of the number of objects in the user data tree, such as users, groups, organizations, and mailing lists. After manually making changes to the tree, including the steps above that make an existing tree manageable by Delegated Administrator, the object counters must be initialized.

Initializing the object counters may be achieved in the Delegated Administrator user interface by Top-level Administrators.

  1. Log in as a top-level administrator and click the Configuration tab.

  2. Click the Initialize Counters button in the Initialize Counters section of the Configuration tab interface.

  3. The Initializing Counters window appears and completes the initialization task.

  4. When the task is complete, click Close.

    If for any reason you do not want to continue the initialization process, it may be interrupted by clicking the Stop or Stop and Close buttons at the bottom of the Initializing Counters window.
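As an added example that is not part of the guide, the following Python script checks an LDIF export of the tree against the requirements of Steps 2 through 8 above and computes the object counters that Step 10 initializes, so the result written by Initialize Counters can be cross-checked. The sample export is constructed for this example; the rule that every nsManagedDept below an organization counts toward nsNumDepts, administrator groups included, is an assumption to verify against your own deployment.

```python
# Constructed sample export (not from the guide): the tree this appendix builds,
# cut down to the attributes the checks need, with two deliberate omissions marked.
SAMPLE_LDIF = """\
dn: o=isp
objectclass: nsManagedISP

dn: ou=Groups, o=isp
objectclass: nsManagedOrgUnit

dn: o=Siroe.com, o=isp
objectclass: nsManagedDomain
nsMaxUsers: 1000
nsMaxDepts: 100
nsMaxMailLists: 1000
nsMaxDomains: 10

dn: ou=People, o=Siroe.com, o=isp
objectclass: nsManagedOrgUnit

# deliberate: nsManagedOrgUnit left off this container (Step 6)
dn: ou=Groups, o=Siroe.com, o=isp
objectclass: organizationalUnit

dn: cn=Domain Administrators, ou=Groups, o=Siroe.com, o=isp
objectclass: nsManagedDept
adminrole: Domain Administrators

dn: cn=Group1, ou=Groups, o=Siroe.com, o=isp
objectclass: nsManagedDept

dn: uid=scarter, ou=People, o=Siroe.com, o=isp
objectclass: nsManagedPerson
nsdaDomain: Siroe.com

# deliberate: nsdaDomain left off this user (Step 2)
dn: uid=bill, ou=People, o=Siroe.com, o=isp
objectclass: nsManagedPerson
"""

ADMIN_GROUPS = ("Domain Administrators", "Domain Department Administrators",
                "Domain Help Desk Administrators")                          # Step 7
MAX_ATTRS = ("nsmaxusers", "nsmaxdepts", "nsmaxmaillists", "nsmaxdomains")  # Step 3
COUNTED = (("nsNumUsers", "nsManagedPerson"), ("nsNumDepts", "nsManagedDept"),
           ("nsNumMailLists", "nsManagedMailList"), ("nsNumDomains", "nsManagedDomain"))

def norm(dn):
    """Case- and space-insensitive DN key (assumes no escaped commas in RDN values)."""
    return ",".join(p.strip().lower() for p in dn.split(","))

def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated entries, no folding or base64 (assumption)."""
    entries = {}
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            if line and not line.startswith("#"):
                key, _, val = line.partition(":")
                attrs.setdefault(key.strip().lower(), []).append(val.strip())
        entries[norm(attrs.pop("dn")[0])] = attrs
    return entries

def has_oc(entry, oc):
    return oc.lower() in [v.lower() for v in entry.get("objectclass", [])]

def below(dn, ancestor):
    return dn.endswith("," + ancestor)

def rdn_value(dn):
    return dn.split(",")[0].partition("=")[2]

def check_tree(entries, root):
    """Findings against Steps 2, 3, 5, 6, 7 and 8; an empty list means the tree passes."""
    root, out = norm(root), []
    if not has_oc(entries[root], "nsManagedISP"):
        out.append(root + ": missing nsManagedISP")                       # Step 5
    domains = [dn for dn, e in entries.items() if has_oc(e, "nsManagedDomain")]
    for dn in domains:
        out += [dn + ": missing " + a for a in MAX_ATTRS if a not in entries[dn]]
        out += [dn + ": missing group " + g for g in ADMIN_GROUPS
                if norm("cn=%s,ou=Groups,%s" % (g, dn)) not in entries]
    for dn, e in entries.items():
        # default container names; adjust if your users live under cn=Users
        if rdn_value(dn) in ("groups", "people") and not has_oc(e, "nsManagedOrgUnit"):
            out.append(dn + ": container missing nsManagedOrgUnit")
        if has_oc(e, "nsManagedPerson"):                                  # Step 2
            org = max((d for d in domains if below(dn, d)), key=len, default="")
            if rdn_value(org) not in [v.lower() for v in e.get("nsdadomain", [])]:
                out.append(dn + ": nsdaDomain should be " + rdn_value(org))
    return out

def object_counts(entries, root):
    """Counters per organization (and nsNumDomains at the root) as Step 10 stores them.
    Assumption: every entry of the class in the subtree counts, admin groups included."""
    counts = {}
    for scope, e in entries.items():
        if scope == norm(root) or has_oc(e, "nsManagedDomain"):
            wanted = COUNTED if has_oc(e, "nsManagedDomain") else COUNTED[-1:]
            counts[scope] = {attr: sum(below(dn, scope) and has_oc(x, oc)
                                       for dn, x in entries.items())
                             for attr, oc in wanted}
    return counts
```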



Configuring Delegated Administrator for Other Tree Structures

Delegated Administrator is flexible in the range of Directory Information Tree (DIT) structures that it can manage. By creating or modifying entries in the configuration stored in the directory under the cn=objects,cn=servletsconf node, you can configure Delegated Administrator to work with your existing user directory. You can specify this configuration for the root level so that it applies to objects in all organizations, or for an organization level so that different organizations can have different object definitions.

This appendix provides general information to help you define the configuration that best describes your DIT structure. In most cases, changing one of the attribute values in an entry described here will not produce a change in the existing objects of that type. However, new objects will conform to the new definition (content and location).


Note The updates to user data described in this appendix require advanced experience with Netscape Directory Server, the LDAP Data Interchange Format (LDIF), and Access Control Instructions (ACIs). For comprehensive documentation on these topics, see the Directory Server Administrator's Guide.




The Delegated Administrator Directory Information Tree (DIT)

The Delegated Administrator configuration for the DIT structure and for the contents of managed objects is located under the cn=objects,cn=servletsconf node. It consists of object definitions where each object type corresponds to an entry in the directory as summarized in Table A-1.


Table A-1    Delegated Administrator objects and directory entries

    Object                       Type of Directory Entry
    ServiceAdminGroup            Top-level Administrator Group
    ServiceHelpDeskAdminGroup    Top-level Help Desk Administrator Group
    Domain                       Organization
    DomainAdminGroup             Organization Administrator Group
    DomainHelpDeskAdminGroup     Organization Help Desk Administrator Group
    DomainDeptAdminGroup         Department Administrator Group
    UsersOrgUnit                 Subtree containing users
    DeptsOrgUnit                 Subtree containing groups
    Department                   Non-administrator group
    DeptAdminGroup               Department Administrator Group
    User                         User

You can modify these object definitions to include information that matches your directory tree. Some examples:

  • A list of objectclasses that should be added when an entry of this type is created

  • A list of attributes that should get added by default when an object of this type is created.

  • Required attributes

  • The RDN to use for this entry (For example, whether a User entry should use cn=bill or uid=bill.)

  • A list of other objects that should automatically get created as child entries under this object when it is created.

  • The parent DN under which to create this object.


Defining Object Types

Delegated Administrator lets you modify existing objects as well as define new ones. The default object type definition for User is shown below.


dn: cn=User, cn=objects, cn=servletsconf, cn=en, cn=domainConfiguration, ou=config, o=ISP
objectclass: top
objectclass: extensibleObject
cn: User
iDAobjectclass: top
iDAobjectClass: person
iDAobjectClass: organizationalPerson
iDAobjectClass: inetOrgPerson
iDAobjectClass: mailRecipient
iDAobjectClass: nsMessagingServerUser
iDAobjectClass: nsManagedPerson
iDArequiredAttribute: cn
iDArequiredAttribute: sn
iDArequiredAttribute: uid
iDArequiredAttribute: userPassword
iDAattribute: nsdadomain $DomainContainerName$
iDAattribute: owner $ThisDeptAdminGroupDN$
iDArdnAttribute: uid
iDAdataTypeIdent: enduser
iDAsearchFilter: objectClass=nsManagedPerson
iDAparentDN: "ou=People, $DomainContainerDN$"


The syntax for defining an object is:


[ object <OBJ_NAME> { [ <KEY_SINGLE_VALUE> | <KEY_MULTI_VALUE> ]* } ]*
<OBJ_NAME> : [ascii-characters]*
<KEY_SINGLE_VALUE> : <SINGLE_KEY> <SINGLE_VALUE>
<KEY_MULTI_VALUE> : <ATTRIBUTE_KEY_THREE_VALUE> | <ATTRIBUTE_KEY_FOUR_VALUE>
<SINGLE_KEY> : objectClass | requiredAttribute | rdnAttribute | searchFilter | objectToManage
<SINGLE_VALUE> : [ascii-characters]*
<ATTRIBUTE_KEY_THREE_VALUE> : <ATTRIBUTE_KEY> <ATTRIBUTE_NAME> <ATTRIBUTE_VALUE>
<ATTRIBUTE_KEY_FOUR_VALUE> : <ATTRIBUTE_KEY> <ATTRIBUTE_NAME> <ATTRIBUTE_VALUE> true
<ATTRIBUTE_KEY> : attribute
<ATTRIBUTE_NAME> : [ascii-characters]*
<ATTRIBUTE_VALUE> : [ascii-characters]*

Here's an example of how you can use ldapmodify to modify an existing object definition. Delegated Administrator uses one container node for all users under each organization. The default name of the container is ou=People. If in your user directory the container node is cn=Users, you can use ldapmodify to change the definition. In the following example, the definition for ou=People is deleted and then the definition for cn=Users is added to the entry which defines UsersOrgUnit.


ldapmodify -D "cn=directory manager" -w password -h host_name
dn: cn=UsersOrgUnit, cn=objects, cn=servletsconf, cn=en, cn=domainConfiguration, ou=config, o=isp
changetype: modify
delete: idaattribute
idaattribute: ou "People"
-
add: idaattribute
idaattribute: cn "Users"

In the following example, a new object is created for a conference room (using the standard LDAP schema for "room"):


dn: cn=ConferenceRoom, cn=objects, cn=servletsconf, cn=en, cn=domainConfiguration, ou=config, o=isp
objectclass: top
objectclass: extensibleObject
cn: ConferenceRoom
idaobjectclass: top
idaobjectclass: room
idaattribute: description
idaattribute: roomNumber
idaattribute: seeAlso
idaattribute: telephoneNumber
idardnattribute: cn
idarequiredattribute: cn
idadatatypeident: conferenceroom
idasearchfilter: objectClass=room
idaparentdn: "ou=Rooms, $DomainContainerDN$"

Quotation marks. To specify values that include white-space characters, enclose them in matching quotation marks. Because any of the quote characters shown below can serve as the enclosing pair, a value can itself contain a different kind of quotation mark when necessary. Examples:

"space separated value"

'another example'

`"yet another quote"`

Macros. Some values may be macros. The following macros are defined in Delegated Administrator:

  • $ISPDN$

  • $DOMAINDN$

  • $DEPTDN$

  • $USERDN$

  • $SELFDN$

Most of these are defined internally by the servlets. Their value can be set by passing new values for the macros to the getPage servlet from the templates.
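As an added example, not code from Delegated Administrator itself, the following Python puts the object-definition syntax above into practice: tokenizing quoted values, reading an iDAattribute value as <attr> <value> [true], expanding $...$ macros, applying defaults against user-submitted values as Table A-2 describes for iDAattribute, and choosing the first iDAparentDN value that expands to a non-null DN. The macro values and submitted attributes are constructed for the example.

```python
import re

QUOTES = '"\'`'                      # the three quote characters the examples above use
MACRO_RE = re.compile(r"\$([A-Za-z]+)\$")


def tokenize(text):
    """Split a definition value on whitespace, honouring matching "", '' and `` pairs.
    The outer pair is removed; a different quote kind inside it is kept verbatim."""
    tokens, buf, quote, have = [], [], None, False
    for ch in text:
        if quote:                               # inside a quoted run
            if ch == quote:
                quote = None
            else:
                buf.append(ch)
        elif ch in QUOTES:
            quote, have = ch, True              # so that "" yields an empty token
        elif ch.isspace():
            if have:
                tokens.append("".join(buf))
                buf, have = [], False
        else:
            buf.append(ch)
            have = True
    if quote:
        raise ValueError("unterminated quote in: " + text)
    if have:
        tokens.append("".join(buf))
    return tokens


def parse_ida_attribute(value):
    """iDAattribute <attr> <value> [true] -> (attr, default, user_value_wins).
    A bare attribute name, as in the ConferenceRoom definition above, has no default."""
    tokens = tokenize(value)
    if len(tokens) == 1:
        return tokens[0], None, False
    if len(tokens) == 2:
        return tokens[0], tokens[1], False
    if len(tokens) == 3 and tokens[2].lower() == "true":
        return tokens[0], tokens[1], True
    raise ValueError("expected '<attr> <value> [true]', got: " + value)


def expand(value, macros):
    """Substitute $Name$ macros; None if any referenced macro is unset (the null case)."""
    if any(macros.get(name) is None for name in MACRO_RE.findall(value)):
        return None
    return MACRO_RE.sub(lambda m: macros[m.group(1)], value)


def resolve_parent_dn(parent_dns, macros):
    """Table A-2 rule for iDAparentDN: values are tried in the order given and the
    first one that expands to a non-null DN becomes the parent."""
    for raw in parent_dns:
        dn = expand(" ".join(tokenize(raw)), macros)   # value may be quoted (spaces)
        if dn:
            return dn
    return None


def build_entry_attrs(ida_attribute_lines, submitted, macros):
    """Apply iDAattribute defaults to user-submitted values: the default replaces
    what the user sent unless the line ends in 'true', in which case a value the
    user did send is kept."""
    result = dict(submitted)
    for line in ida_attribute_lines:
        attr, default, user_wins = parse_ida_attribute(line)
        if default is None:                     # bare name: nothing to apply
            continue
        value = expand(default, macros)
        if value is None or (user_wins and attr in result):
            continue
        result[attr] = value
    return result
```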

Table A-2 provides information about object definitions you can modify in Delegated Administrator.


Table A-2    Configurable object definitions in Delegated Administrator

Object Definition: iDAobjectClass
Syntax: iDAobjectClass <oc>
Description: objectClass value to add to the entry when creating the entry in the directory. Multiple objectClass values can be specified.

Object Definition: iDArequiredAttribute
Syntax: iDArequiredAttribute <attr>
Description: Attribute values required when creating the entry in the directory. Multiple attribute values can be specified. In the absence of an attribute specified here, the entry will not be created.

Object Definition: iDArdnAttribute
Syntax: iDArdnAttribute <attr>
Description: Attribute to be used as the entry's RDN. Only one attribute can be specified. For example, iDA uses uid as the rdn for the user entries. In order to change the rdn to cn, change the value of iDArdnAttribute in the user definition entry to cn.

Object Definition: iDAsearchFilter
Syntax: iDAsearchFilter <filter>
Description: The search filter to use to find such entries in the directory.

Object Definition: iDAattribute
Syntax: iDAattribute <attr> <value> [true]
Description: Attribute and its default value. Multiple attribute values can be specified. Multi-valued attributes can be defined by using the same <attr> value. By default, the attribute values specified override any user submitted values for these attributes. The optional fourth parameter (true) indicates that the user submitted values should be used in place of the default values.

Object Definition: iDAobjectToManage
Syntax: iDAobjectToManage <object>
Description: Additional object to manage immediately beneath this entry in the DIT.

Object Definition: iDAparentDN
Syntax: iDAparentDN <dn>
Description: The directory entry beneath which the new object should be created. Multiple parent DN values can be specified. The order in which they are specified is significant. The servlet will check each value in order, and the first one to evaluate to non-null will be used as the parent DN.

Example: By default, the Delegated Administrator creates users under ou=People, <DOMAINDN>. If you wanted the users to be created directly under the domain entry instead of under a container (ou=People), you would edit the value of this attribute to be $DomainContainerDN$.

Object Definition: iDAdataTypeIdent
Syntax: iDAdataTypeIdent <identifier>
Description: This defines the identifier used by other configuration entries for locating user/admin types. You would need to set this value for an object that is a new user/administrator type.


Copyright © 2000 Sun Microsystems, Inc. Some preexisting portions Copyright © 2000 Netscape Communications Corp. All rights reserved.

Last Updated May 24, 2001