Appendix A
Using an Existing User Directory
If you have already deployed Netscape Directory Server and populated it with users and groups, you must modify both your user directory tree and the Delegated Administrator framework so that the two will work together. The changes you make depend upon your existing directory structure.
This appendix provides general guidelines to help you edit your directory entries so that they can be managed by Delegated Administrator. It includes the following topics:
- Modifying Your User Directory
- Configuring Delegated Administrator for Other Tree Structures
Modifying Your User Directory
If Delegated Administrator detects during installation that you already have data stored at your desired suffix, it will install all required configuration information in the directory. But it will NOT modify or add to existing user, group, or organization data. Before Delegated Administrator can manage your existing user data, you must manually make the following changes in your user directory:
Add Delegated Administrator object classes and attributes to all user, group, and organization entries.
Add Delegated Administrator ACIs to the root of the tree and to each organization node.
Add Administrator groups at the root level and at each organization level.
Compute and store the number of objects in the tree.
Note: The updates to user data described in this appendix require advanced experience with Netscape Directory Server, the LDAP Data Interchange Format (LDIF), and Access Control Instructions (ACIs). For comprehensive documentation on these topics, see the Directory Server Administrator's Guide.
In the following steps and examples, there is one container node for all users under each organization. There may be any number of organizations under the root entry for the user data tree, and organizations may be nested.
Step 1: Create a Top-level Administrator
It is necessary to create a Top-level Administrator entry in your directory to initiate the delegation process before Delegated Administrator is installed. The new Top-level Administrator serves as the entry point to the Delegated Administrator User Interface.
The new or existing user entry must contain the DN appropriate to your base suffix and the specific attributes in the following example.
Create a new user, or modify an existing one. The example DN in this step assumes that the organization o=Siroe exists under the base suffix o=ISP and that chris belongs to o=Siroe; alter the DN to reflect your directory:
- uid=chris, ou=People, o=Siroe, o=ISP
Add the following attribute to the Top-level Administrator group entry (dn: cn=Service Administrators, ou=Groups, o=ISP):
- uniqueMember: uid=chris, ou=People, o=Siroe, o=ISP
Add the following attribute to the user entry:
- memberOf: cn=Service Administrators, ou=Groups, o=ISP
The user is now Top-level Administrator with the permissions afforded to that category of user.
Step 2: Modify user entries.
Each user entry must contain the nsManagedPerson object class.
In each user entry, add the attribute nsdaDomain. The value of the attribute must be the name of the organization that the user belongs to.
Example:
|
dn: uid=scarter, ou=Users, o=Siroe.com, o=ISP
objectclass: top
objectclass: person
objectclass: organizationalperson
objectclass: inetorgperson
objectclass: nsManagedPerson
uid: scarter
userpassword: password
cn: Sam Carter
sn: Carter
givenname: Sam
nsdaDomain: Siroe.com
telephoneNumber: 650.555.1212
mail: scarter@Siroe.com
|
|
Step 3: Modify Organization Entries.
Each organization entry must contain the nsManagedDomain object class.
Add the following attributes to each organization entry (the sample values show the maximum number of objects of each type that may be created in the organization):
- nsmaxusers: 1000
- nsmaxdepts: 100
- nsmaxmaillists: 1000
- nsmaxdomains: 10
Example:
|
# Siroe domain
#
dn: o=Siroe.com, o=ISP
objectclass: top
objectclass: organization
objectclass: nsManagedDomain
description: Domain Root for Siroe.com
nsMaxUsers: 1000
nsMaxDepts: 100
nsMaxMailLists: 1000
nsMaxDomains: 10
o: Siroe.com
|
|
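The following script is an added example, not part of the original appendix or of the Delegated Administrator product. It reads an LDIF export of an existing tree and emits the ldapmodify records that Steps 2 and 3 call for: nsManagedPerson plus nsdaDomain on every person entry, nsManagedDomain plus the nsMax* quotas on every organization entry, skipping entries that already have them. It assumes the base suffix is o=ISP, that a user's organization is the first o= RDN in its DN above the suffix, and uses the sample quota values listed above; the input export is constructed for the example.

```python
"""Generate LDIF 'changetype: modify' records that add the Delegated
Administrator object classes and attributes (Steps 2 and 3) to existing
user and organization entries.  Reads an LDIF export and writes LDIF for
ldapmodify; it never talks to the server itself."""
import re

# Constructed sample export of an existing directory (not real data).
SAMPLE_EXPORT = """\
dn: o=Siroe.com, o=ISP
objectclass: top
objectclass: organization
o: Siroe.com

dn: uid=scarter, ou=Users, o=Siroe.com, o=ISP
objectclass: top
objectclass: person
objectclass: organizationalperson
objectclass: inetorgperson
uid: scarter
cn: Sam Carter
sn: Carter

dn: uid=bjensen, ou=Users, o=Siroe.com, o=ISP
objectclass: top
objectclass: person
objectclass: inetorgperson
objectclass: nsManagedPerson
nsdaDomain: Siroe.com
uid: bjensen
cn: Barbara Jensen
sn: Jensen
"""

# Sample quota values from the appendix; adjust per organization.
ORG_LIMITS = {"nsMaxUsers": "1000", "nsMaxDepts": "100",
              "nsMaxMailLists": "1000", "nsMaxDomains": "10"}


def parse_ldif(text):
    """Minimal LDIF parser: returns a list of (dn, {attr_lower: [values]}).
    Handles folded continuation lines and comments; base64 (::) values
    are not decoded, which is enough for an export of plain entries."""
    entries, current, dn = [], None, None
    unfolded = re.sub(r"\n ", "", text)          # join continuation lines
    for line in unfolded.splitlines() + [""]:   # trailing "" flushes last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if dn is not None:
                entries.append((dn, current))
            current, dn = None, None
            continue
        name, _, value = line.partition(":")
        value = value.strip()
        if name.lower() == "dn":
            dn, current = value, {}
        else:
            current.setdefault(name.lower(), []).append(value)
    return entries


def org_name(dn, suffix="o=ISP"):
    """Assumption: a user's organization is the first 'o=' RDN in its DN
    that is not the base suffix (e.g. Siroe.com for the sample users)."""
    for rdn in (r.strip() for r in dn.split(",")):
        if rdn.lower().startswith("o=") and rdn.lower() != suffix.lower():
            return rdn[2:]
    return None


def plan_changes(entries):
    """Return [(dn, [(attr, value), ...])] with only the additions needed."""
    plan = []
    for dn, attrs in entries:
        ocs = {v.lower() for v in attrs.get("objectclass", [])}
        adds = []
        if "person" in ocs:                       # Step 2
            if "nsmanagedperson" not in ocs:
                adds.append(("objectclass", "nsManagedPerson"))
            if "nsdadomain" not in attrs and org_name(dn):
                adds.append(("nsdaDomain", org_name(dn)))
        elif "organization" in ocs:               # Step 3
            if "nsmanageddomain" not in ocs:
                adds.append(("objectclass", "nsManagedDomain"))
            for attr, val in ORG_LIMITS.items():
                if attr.lower() not in attrs:
                    adds.append((attr, val))
        if adds:
            plan.append((dn, adds))
    return plan


def to_ldif(plan):
    """Render the plan as LDIF modify records for ldapmodify."""
    out = []
    for dn, adds in plan:
        out.append("dn: %s\nchangetype: modify" % dn)
        for attr, val in adds:
            out.append("add: %s\n%s: %s" % (attr, attr, val))
            out.append("-")            # each mod-spec ends with a "-" line
        out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    print(to_ldif(plan_changes(parse_ldif(SAMPLE_EXPORT))))
```

Run it against a real export (ldapsearch or db2ldif output) and review the generated LDIF before feeding it to ldapmodify; entries that already carry the object class and attributes produce no record, so the script is safe to re-run.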
The following ACIs must be added to each organization entry, replacing o=Siroe.com, o=isp with the DN of the entry. The file isp.ldif contains the default Delegated Administrator ACIs, and is available for download at http://docs.iplanet.com/docs/manuals/deladmin/45/scripts/isp.ldif.
|
aci: (targetattr="*")(targetfilter=(objectClass=nsManagedDomain))(version 3.0; acl "Domain Adm domain access"; allow (read,search) groupdn="ldap:///cn=Domain Administrators, ou=Groups, o=Siroe.com, o=isp";)
aci: (target="ldap:///cn=Domain Administrators, ou=Groups, o=Siroe.com, o=isp")(targetattr="*")(targetfilter=(|(objectClass=nsManagedDeptAdminGroup)(objectClass=nsManagedDept)))(version 3.0; acl "Domain Adm dept access"; allow (read,search) groupdn="ldap:///cn=Domain Administrators, ou=Groups, o=Siroe.com, o=isp";)
aci: (target="ldap:///cn=Domain Help Desk Administrators, ou=Groups, o=Siroe.com, o=isp")(targetattr="*")(targetfilter=(|(objectClass=nsManagedDeptAdminGroup)(objectClass=nsManagedDept)))(version 3.0; acl "Domain Adm dept access"; allow (read,search,write) groupdn="ldap:///cn=Domain Administrators, ou=Groups, o=Siroe.com, o=isp";)
aci: (target="ldap:///cn=Domain Department Administrators, ou=Groups, o=Siroe.com, o=isp")(targetattr="*")(targetfilter=(|(objectClass=nsManagedDeptAdminGroup)(objectClass=nsManagedDept)))(version 3.0; acl "Domain Adm dept access"; allow (read,search,write) groupdn="ldap:///cn=Domain Administrators, ou=Groups, o=Siroe.com, o=isp" or groupdn="ldap:///cn=Domain Department Administrators, ou=Groups, o=Siroe.com, o=isp";)
aci: (target="ldap:///ou=*, o=Siroe.com, o=isp")(targetattr="*")(targetfilter=(objectClass=nsManagedOrgUnit))(version 3.0; acl "Domain Adm org unit access"; allow (read,search,write) groupdn="ldap:///cn=Domain Administrators, ou=Groups, o=Siroe.com, o=isp";)
aci: (target="ldap:///ou=*, o=Siroe.com, o=isp")(targetattr="*")(targetfilter=(|(objectClass=nsManagedDept)(objectClass=nsManagedDeptAdminGroup)(objectClass=nsManagedMailList)))(version 3.0; acl "Domain Adm dept access"; allow (all) groupdn="ldap:///cn=Domain Administrators, ou=Groups, o=Siroe.com, o=isp";)
aci: (targetattr="*")(targetfilter=(objectClass=nsManagedPerson))(version 3.0; acl "Domain Adm user access"; allow (read,search,add) groupdn="ldap:///cn=Domain Administrators, ou=Groups, o=Siroe.com, o=isp";)
aci: (targetattr="*")(targetfilter=(&(objectClass=nsManagedPerson)(&(!(memberOf=cn=Service Administrators, ou=Groups, o=isp))(&(!(memberOf=cn=Service Help Desk Administrators, ou=Groups, o=isp))(!(memberOf=cn=Domain Administrators, ou=Groups, o=Siroe.com, o=isp))))))(version 3.0; acl "Domain Adm user modify access"; allow (write,delete) groupdn="ldap:///cn=Domain Administrators, ou=Groups, o=Siroe.com, o=isp";)
aci: (target="ldap:///o=*, o=Siroe.com, o=isp")(targetattr="*")(targetfilter=(|(objectClass=nsManagedDomain)(objectClass=nsManagedDeptAdminGroup)(objectClass=nsManagedOrgUnit)(objectClass=nsManagedDept)(objectClass=nsManagedMailList)))(version 3.0; acl "Domain Adm access"; allow (all) groupdn="ldap:///cn=Domain Administrators, ou=Groups, o=Siroe.com, o=isp";)
aci: (targetattr="*")(targetfilter=(|(objectClass=nsManagedDomain)(objectClass=nsManagedPerson)))(version 3.0; acl "DHDA access"; allow (read,search) groupdn="ldap:///cn=Domain Help Desk Administrators, ou=Groups, o=Siroe.com, o=isp";)
aci: (targetattr="*")(targetfilter=(objectClass=nsManagedMailList))(version 3.0; acl "DHDA mail list access"; allow (all) groupdn="ldap:///cn=Domain Help Desk Administrators, ou=Groups, o=Siroe.com, o=isp";)
aci: (targetattr="userPassword")(targetfilter=(&(objectClass=nsManagedPerson)(&(!(memberOf=cn=Service Administrators, ou=Groups, o=isp))(&(!(memberOf=cn=Service Help Desk Administrators, ou=Groups, o=isp))(&(!(memberOf=cn=Domain Administrators, ou=Groups, o=Siroe.com, o=isp))(!(memberOf=cn=Domain Help Desk Administrators, ou=Groups, o=Siroe.com, o=isp)))))))(version 3.0; acl "DHDA user write access"; allow (write) groupdn="ldap:///cn=Domain Help Desk Administrators, ou=Groups, o=Siroe.com, o=isp";)
|
|
Step 4: Create Start and Login Pages for Each Organization.
Each organization must have its own Start page and Login page.
If you want to replace the default organization Siroe.com with your own organization, modify its Start and Login pages:
In the file <delegatedadmin_root>/nda/nda/start.htm, modify the following line, replacing o=Siroe.com with the base DN for the organization:
- var domain = "o=Siroe.com";
In the file <delegatedadmin_root>/nda/nda/login.htm, modify the following line, replacing o=Siroe.com with the base DN for the organization:
- var domain = "o=Siroe.com";
If you're creating a new organization, or modifying an existing one, first determine the location of the files for that organization. For example, the files for the default Delegated Administrator organization Siroe.com are stored here:
<delegatedadmin_root>/nda/nda/default/en
If organization ABC replicates this structure, its organization files will be stored here:
<delegatedadmin_root>/nda/nda/ABC/en
Once you've determined the appropriate file location, follow these steps to create the new Start and Login pages for the organization:
Copy these files to the directory where your organization files are stored:
- <delegatedadmin_root>/nda/nda/start.htm
- <delegatedadmin_root>/nda/nda/login.htm
In the file start.htm, modify the following line, replacing o=Siroe.com with the base DN for the organization:
- var domain = "o=Siroe.com";
In the file login.htm, modify the following line, replacing o=Siroe.com with the base DN for the organization:
- var domain = "o=Siroe.com";
Step 5: Modify the Root Entry.
The root entry of the tree - the parent of all top-level organizations - must contain the object class nsManagedISP.
Example:
|
dn: o=ISP
objectclass: top
objectclass: organization
objectclass: nsManagedISP
o: ISP
|
|
Add the following ACIs to the root entry, replacing o=isp with the DN of the entry.
|
aci: (targetattr!="userPassword")(targetfilter=(objectClass=nsManagedPerson))(version 3.0; acl "Anonymous access to User entries"; allow (read,search) userdn="ldap:///anyone";)
aci: (target="ldap:///cn=postmaster, o=isp")(targetattr="*")(version 3.0; acl "Anonymous access to Postmaster entry"; allow (read,search) userdn="ldap:///anyone";)
aci: (target="ldap:///cn=domainConfiguration, ou=config, o=isp")(targetattr="*")(version 3.0; acl "Anonymous access to Configuration entry"; allow (read,search) userdn="ldap:///anyone";)
aci: (targetattr="objectClass||uid||mail||userCertificate")(targetfilter=(objectClass=nsManagedPerson))(version 3.0; acl "NDAUser access"; allow (read,search) userdn="ldap:///uid=NDAUser, ou=config, o=isp";)
aci: (targetattr="objectClass||o||nsNumDomains")(targetfilter=(objectClass=nsManagedISP))(version 3.0; acl "NDAUser access"; allow (read,search) userdn="ldap:///uid=NDAUser, ou=config, o=isp";)
aci: (targetattr="objectClass||o||nsNumUsers||nsNumDepts||nsNumMailLists||nsNumDomains||nsMaxUsers||nsMaxDepts||nsMaxMailLists||nsMaxDomains")(targetfilter=(objectClass=nsManagedDomain))(version 3.0; acl "NDAUser access"; allow (read,search) userdn="ldap:///uid=NDAUser, ou=config, o=isp";)
aci: (targetattr="objectClass||cn||nsNumUsers||nsNumDepts||nsMaxUsers||nsMaxDepts")(targetfilter=(objectClass=nsManagedDept))(version 3.0; acl "NDAUser access"; allow (read,search) userdn="ldap:///uid=NDAUser, ou=config, o=isp";)
aci: (targetattr="objectClass||cn||nsNumUsers||nsMaxUsers")(targetfilter=(objectClass=nsManagedMailList))(version 3.0; acl "NDAUser access"; allow (read,search) userdn="ldap:///uid=NDAUser, ou=config, o=isp";)
aci: (targetattr="nsNumDomains")(targetfilter=(objectClass=nsManagedISP))(version 3.0; acl "NDAUser access"; allow (write) userdn="ldap:///uid=NDAUser, ou=config, o=isp";)
aci: (targetattr="nsNumUsers||nsNumDepts||nsNumMailLists||nsNumDomains")(targetfilter=(objectClass=nsManagedDomain))(version 3.0; acl "NDAUser access"; allow (write) userdn="ldap:///uid=NDAUser, ou=config, o=isp";)
aci: (targetattr="nsNumUsers||nsNumDepts")(targetfilter=(objectClass=nsManagedDept))(version 3.0; acl "NDAUser access"; allow (write) userdn="ldap:///uid=NDAUser, ou=config, o=isp";)
aci: (targetattr="nsNumUsers")(targetfilter=(objectClass=nsManagedMailList))(version 3.0; acl "NDAUser access"; allow (write) userdn="ldap:///uid=NDAUser, ou=config, o=isp";)
aci: (targetattr="*")(targetfilter=(objectClass=nsManagedISP))(version 3.0; acl "SA root node access"; allow (read,search) groupdn="ldap:///cn=Service Administrators, ou=Groups, o=isp";)
aci: (targetattr="*")(targetfilter=(|(objectClass=nsManagedDomain)(objectClass=nsManagedOrgUnit)(objectClass=nsManagedDeptAdminGroup)(objectClass=nsManagedDept)(objectClass=nsManagedMailList)(objectClass=nsManagedPerson)))(version 3.0; acl "SA domain access"; allow (all) groupdn="ldap:///cn=Service Administrators, ou=Groups, o=isp";)
aci: (targetattr="*")(targetfilter=(|(objectClass=nsManagedISP)(|(objectClass=nsManagedDomain)(objectClass=nsManagedPerson))))(version 3.0; acl "SHDA rootnode access"; allow (read,search) groupdn="ldap:///cn=Service Help Desk Administrators, ou=Groups, o=isp";)
aci: (targetattr="userPassword")(targetfilter=(&(objectClass=nsManagedPerson)(&(!(memberOf=cn=Service Administrators, ou=Groups, o=isp))(!(memberOf=cn=Service Help Desk Administrators, ou=Groups, o=isp)))))(version 3.0; acl "SHDA user write access"; allow (write) groupdn="ldap:///cn=Service Help Desk Administrators, ou=Groups, o=isp";)
aci: (targetattr="*")(targetfilter=(|(objectClass=nsManagedDept)(objectClass=nsManagedDeptAdminGroup)))(version 3.0; acl "Dept Adm dept access"; allow (read,search) userdn="ldap:///o=isp??sub?(memberOf=cn=Department Administrators*)" and groupdnattr="ldap:///o=isp?nsDAModifiableBy";)
aci: (targetattr="nsNumUsers||nsNumDepts||uniqueMember")(targetfilter=(|(objectClass=nsManagedDept)(objectClass=nsManagedDept)))(version 3.0; acl "Dept Adm dept access"; allow (write) userdn="ldap:///o=isp??sub?(memberOf=cn=Department Administrators*)" and groupdnattr="ldap:///o=isp?nsDAModifiableBy";)
aci: (targetattr="*")(targetfilter=(|(objectClass=nsManagedDeptAdminGroup)(objectClass=nsManagedDept)))(version 3.0; acl "Dept Adm dept access"; allow (all) userdn="ldap:///o=isp??sub?(memberOf=cn=Department Administrators*)" and groupdnattr="ldap:///o=isp?owner";)
aci: (targetattr="*")(targetfilter=(objectClass=nsManagedPerson))(version 3.0; acl "Dept Adm user modify access"; allow (write,delete) userdn="ldap:///o=isp??sub?(memberOf=cn=Department Administrators*)" and groupdnattr="ldap:///o=isp?owner";)
aci: (targetattr="*")(targetfilter=(objectClass=nsManagedPerson))(version 3.0; acl "Dept Adm user create access"; allow (add) userdn="ldap:///o=isp??sub?(memberOf=cn=Department Administrators*)";)
aci: (targetattr="*")(targetfilter=(objectClass=nsManagedPerson))(version 3.0; acl "User self modification"; allow (read,search) userdn="ldap:///self";)
aci: (targetattr!="uid||ou||owner||nsDAModifiableBy||nsDACapability||mail||mailAlternateAddress||memberOf||nsDADomain")(targetfilter=(objectClass=nsManagedPerson))(version 3.0; acl "User self modification"; allow (write) userdn="ldap:///self";)
aci: (targetfilter=(objectClass=nsManagedPerson))(version 3.0; acl "User self deletion"; deny (delete) userdn="ldap:///self";)
aci: (targetattr="memberOf")(targetfilter=(objectClass=nsManagedPerson))(version 3.0; acl "Administrator self promotion or demotion"; deny (write) userdn="ldap:///self";)
aci: (targetattr="*")(targetfilter=(objectClass=nsManagedMailList))(version 3.0; acl "Mail list create access"; allow (add) userdn="ldap:///o=isp??sub?(nsDACapability=mailListCreate)";)
aci: (targetattr!="nsMaxUsers")(targetfilter=(objectClass=nsManagedMailList))(version 3.0; acl "Mail list owner access"; allow (read,search,write,delete) groupdnattr="ldap:///o=isp?owner";)
aci: (target="ldap:///ou=COS, o=ISP")(targetattr="*")(version 3.0; acl "Access to all for read/search"; allow (read,search) userdn="ldap:///all";)
|
|
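The organization-level ACIs in Step 3 and the root ACIs in Step 5 encode the delegation boundary: a Domain Administrator may write and delete users in its organization, but the targetfilter on those ACIs excludes members of the top-level groups, and the root denies self-write on memberOf so no administrator can promote or demote themselves. The following Python lint is an added example, not part of the original appendix or of the product, that checks both properties before the ACIs are loaded. The ACI strings it carries are three ACIs from this appendix reflowed onto one line each, plus one constructed misconfiguration (the same rights without the exclusions) for the lint to catch; the parser handles only the ACI forms that appear on this page.

```python
"""Lint Delegated Administrator ACIs before loading them with ldapmodify.
Check 1: an ACI that lets an organization-level group (cn=Domain ...)
write or delete nsManagedPerson entries must exclude members of the
top-level administrator groups in its targetfilter; without that
exclusion a Domain Administrator could modify (for example reset the
userPassword of) a Service Administrator located in that organization.
Check 2: the root ACI set must deny self-write of memberOf."""
import re

TOP_LEVEL_GROUPS = ("cn=Service Administrators",
                    "cn=Service Help Desk Administrators")

# ACIs from this appendix (Step 3 and Step 5), reflowed onto one line each.
DOMAIN_ADM_USER_MODIFY = (
    'aci:(targetattr="*")(targetfilter=(&(objectClass=nsManagedPerson)'
    '(&(!(memberOf=cn=Service Administrators, ou=Groups, o=isp))'
    '(&(!(memberOf=cn=Service Help Desk Administrators, ou=Groups, o=isp))'
    '(!(memberOf=cn=Domain Administrators, ou=Groups, o=Siroe.com, o=isp))))))'
    '(version 3.0; acl "Domain Adm user modify access"; allow (write,delete) '
    'groupdn="ldap:///cn=Domain Administrators, ou=Groups, o=Siroe.com, o=isp";)')
DHDA_USER_WRITE = (
    'aci:(targetattr="userPassword")(targetfilter=(&(objectClass=nsManagedPerson)'
    '(&(!(memberOf=cn=Service Administrators, ou=Groups, o=isp))'
    '(&(!(memberOf=cn=Service Help Desk Administrators, ou=Groups, o=isp))'
    '(&(!(memberOf=cn=Domain Administrators, ou=Groups, o=Siroe.com, o=isp))'
    '(!(memberOf=cn=Domain Help Desk Administrators, ou=Groups, o=Siroe.com, o=isp)))))))'
    '(version 3.0; acl "DHDA user write access"; allow (write) '
    'groupdn="ldap:///cn=Domain Help Desk Administrators, ou=Groups, o=Siroe.com, o=isp";)')
SELF_PROMOTION_DENY = (
    'aci:(targetattr="memberOf")(targetfilter=(objectClass=nsManagedPerson))'
    '(version 3.0; acl "Administrator self promotion or demotion"; deny (write) '
    'userdn="ldap:///self";)')
# Constructed misconfiguration for the lint to catch: same rights, no exclusions.
UNSAFE_DOMAIN_ADM = (
    'aci:(targetattr="*")(targetfilter=(objectClass=nsManagedPerson))'
    '(version 3.0; acl "Domain Adm user modify access"; allow (write,delete) '
    'groupdn="ldap:///cn=Domain Administrators, ou=Groups, o=Siroe.com, o=isp";)')
PAGE_ACIS = [DOMAIN_ADM_USER_MODIFY, DHDA_USER_WRITE, SELF_PROMOTION_DENY]


def _balanced(s, start):
    """s[start:] up to and including the parenthesis matching s[start] == '('."""
    depth = 0
    for i in range(start, len(s)):
        if s[i] == "(":
            depth += 1
        elif s[i] == ")":
            depth -= 1
            if depth == 0:
                return s[start:i + 1]
    raise ValueError("unbalanced parentheses in ACI")


def parse_aci(aci):
    """Split one Directory Server ACI into its parts (whitespace collapsed)."""
    s = re.sub(r"\s+", " ", aci.strip())
    m = re.search(r'\(targetattr\s*(!?=)\s*"([^"]*)"\)', s)
    negated, attrs = (m.group(1) == "!=", m.group(2).split("||")) if m else (False, ["*"])
    i = s.find("(targetfilter=")
    targetfilter = _balanced(s, i)[len("(targetfilter="):-1] if i >= 0 else ""
    name = re.search(r'acl\s*"([^"]*)"', s)
    perm = re.search(r"\b(allow|deny)\s*\(([^)]*)\)", s)
    return {
        "name": name.group(1) if name else "",
        "attr_negated": negated,
        "attrs": [a.strip() for a in attrs],
        "targetfilter": targetfilter,
        "permission": perm.group(1) if perm else "",
        "rights": [r.strip() for r in perm.group(2).split(",")] if perm else [],
        "subjects": re.findall(r'(userdn|groupdn|groupdnattr)\s*=\s*"([^"]*)"', s),
    }


def lint_delegation(aci):
    """Check 1 for one ACI; returns a list of findings (empty means clean)."""
    p = parse_aci(aci)
    rights = set(p["rights"])
    if "all" in rights:
        rights |= {"write", "delete"}
    if p["permission"] != "allow" or not rights & {"write", "delete"}:
        return []
    if "objectClass=nsManagedPerson" not in p["targetfilter"]:
        return []
    findings = []
    for kind, subject in p["subjects"]:
        if kind != "groupdn" or "cn=Domain " not in subject:
            continue                      # only organization-level groups
        for group in TOP_LEVEL_GROUPS:
            if "!(memberOf=" + group not in p["targetfilter"]:
                findings.append('"%s": grants %s to %s without excluding %s' % (
                    p["name"], "/".join(sorted(rights & {"write", "delete"})),
                    subject, group))
    return findings


def self_promotion_denied(acis):
    """Check 2: does some ACI deny write on memberOf to userdn="ldap:///self"?"""
    for aci in acis:
        p = parse_aci(aci)
        if (p["permission"] == "deny" and "write" in p["rights"]
                and not p["attr_negated"] and "memberOf" in p["attrs"]
                and ("userdn", "ldap:///self") in p["subjects"]):
            return True
    return False


if __name__ == "__main__":
    for aci in PAGE_ACIS + [UNSAFE_DOMAIN_ADM]:
        for finding in lint_delegation(aci):
            print("FINDING", finding)
    print("self-promotion denied:", self_promotion_denied(PAGE_ACIS))
```

Feed it the aci values of the organization and root entries (ldapsearch with aci in the attribute list) after substituting your own DNs; the page's own ACIs pass both checks and the constructed variant yields one finding per missing exclusion.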
Step 6: Create Group Containers.
Create a group container named ou=Groups under the root of the tree, and then create a container named ou=Groups under each organization.
Each ou=Groups container entry must include the nsManagedOrgUnit object class.
Examples:
|
dn: ou=Groups, o=isp
objectclass: top
objectclass: organizationalUnit
objectclass: nsManagedOrgUnit
ou: Groups
dn: ou=Groups, o=Siroe.com, o=isp
objectclass: top
objectclass: organizationalUnit
objectclass: nsManagedOrgUnit
ou: Groups
|
|
Add the following ACIs to each group container entry except for the one directly under the root of the tree. Using this example, replace o=Siroe.com, o=isp with the DN of the entry.
|
aci: (targetattr="uniqueMember")(targetfilter=(&(objectClass=nsManagedMailList)(mgmanJoinability=all)))(version 3.0; acl "User self subscribe access"; allow (selfwrite) userdn="ldap:///uid=*, ou=People, o=Siroe.com, o=isp";)
aci: (targetattr!="uniqueMember||mgrpRfc822MailMember")(targetfilter=(&(objectClass=nsManagedMailList)(mgmanHidden=false)))(version 3.0; acl "User mail list access when visible"; allow (read,search) userdn="ldap:///uid=*, ou=People, o=Siroe.com, o=isp";)
aci: (targetattr="uniqueMember||mgrpRfc822MailMember")(targetfilter=(&(objectClass=nsManagedMailList)(mgmanMemberVisibility=all)))(version 3.0; acl "User mail list member access"; allow (read,search) userdn="ldap:///uid=*, ou=People, o=Siroe.com, o=isp";)
aci: (targetattr="uniqueMember||mgrpRfc822MailMember")(targetfilter=(&(objectClass=nsManagedMailList)(mgmanMemberVisibility=restricted)))(version 3.0; acl "User mail list access - group"; allow (read,search) groupdnattr="ldap:///o=isp?mgmanMemberVisibilityGroup";)
aci: (targetattr="uniqueMember||mgrpRfc822MailMember")(targetfilter=(&(objectClass=nsManagedMailList)(mgmanMemberVisibility=anyone)))(version 3.0; acl "User mail list access - public"; allow (read,search) userdn="ldap:///anyone";)
|
|
Step 7: Add New Administrator Groups.
Create the following administrator groups under the ou=Groups node which is directly below the root entry of the tree. Using this example, you would replace o=isp with the DN of the root of your tree, and replace the two uniquemember values with the DNs of existing administrator users. Example:
|
dn: cn=Service Administrators, ou=Groups, o=isp
objectclass: top
objectclass: groupOfUniqueNames
objectclass: nsManagedDept
objectclass: inetAdmin
cn: Service Administrators
nsmaxusers: Unlimited
adminrole: Service Administrators
uniquemember: uid=chris, ou=People, o=Siroe.com, o=isp
|
dn: cn=Service Help Desk Administrators, ou=Groups, o=isp
objectclass: top
objectclass: groupOfUniqueNames
objectclass: nsManagedDept
objectclass: inetAdmin
cn: Service Help Desk Administrators
nsmaxusers: Unlimited
adminrole: Service Help Desk Administrators
uniquemember: uid=fred, ou=People, o=Siroe.com, o=isp
|
|
Create the following administrator groups in the ou=Groups node under each organization in the tree (replace o=Siroe.com, o=isp with the DN of the organization):
|
dn: cn=Domain Administrators, ou=Groups, o=Siroe.com, o=isp
objectclass: top
objectclass: groupOfUniqueNames
objectclass: nsManagedDept
objectclass: inetAdmin
cn: Domain Administrators
adminrole: Domain Administrators
nsmaxusers: Unlimited
|
dn: cn=Domain Department Administrators, ou=Groups, o=Siroe.com, o=isp
objectclass: top
objectclass: groupOfUniqueNames
objectclass: nsManagedDept
objectclass: inetAdmin
cn: Domain Department Administrators
adminrole: Domain Department Administrators
nsmaxusers: Unlimited
|
dn: cn=Domain Help Desk Administrators, ou=Groups, o=Siroe.com, o=isp
objectclass: top
objectclass: groupOfUniqueNames
objectclass: nsManagedDept
objectclass: inetAdmin
cn: Domain Help Desk Administrators
adminrole: Domain Help Desk Administrators
nsmaxusers: Unlimited
|
|
Step 8: Update the Containers for People.
The container node for users in each organization (ou=People by default) must include the objectclass nsManagedOrgUnit and the following ACI (replace o=Siroe.com, o=isp with the DN of the organization):
|
dn: ou=People, o=Siroe.com, o=isp
objectclass: top
objectclass: organizationalUnit
objectclass: nsManagedOrgUnit
ou: People
aci: (targetattr!="userPassword")(targetfilter=(objectClass=nsManagedPerson))(version 3.0; acl "User access to all users in domain"; allow (read,search) userdn="ldap:///uid=*, ou=People, o=Siroe.com, o=isp";)
|
|
Step 9: Create Non-Administrator Groups.
If non-administrator groups are to be managed by Delegated Administrator, they should be created under ou=Groups for each organization. In early versions of Delegated Administrator, these groups were called Departments. If you want to create non-administrator groups manually rather than through the GUI, the group should look like the sample below. In this example, replace Group1 with the name of the group, o=Siroe.com, o=isp with the DN of the organization, and substitute existing group members for the uniquemember value:
|
dn: cn=Group1, ou=Groups, o=Siroe.com, o=isp
objectclass: top
objectclass: groupOfUniqueNames
objectclass: nsManagedDept
cn: Group1
nsmaxusers: 20
nsmaxdepts: 10
uniquemember: uid=bill, ou=People, o=Siroe.com, o=isp
nsdamodifiableby: cn=Department Administrators, cn=Group1, ou=Groups, o=Siroe.com, o=isp
|
|
Create an administrator group under each such group. In the following example, replace Group1 with the name of the group, o=Siroe.com, o=isp with the DN of the organization, and substitute an existing administrator user or users for the uniquemember value:
|
dn: cn=Department Administrators, cn=Group1, ou=Groups, o=Siroe.com, o=isp
objectclass: top
objectclass: groupOfUniqueNames
objectclass: nsManagedDeptAdminGroup
objectclass: inetAdmin
cn: Department Administrators
adminrole: Department Administrators
uniquemember: uid=doris, ou=People, o=Siroe.com, o=isp
|
|
Step 10: Initialize the Object Counters.
Delegated Administrator keeps track of the number of objects in the user data tree, such as users, groups, organizations, and mailing lists. After manually making changes to the tree, including the steps above that make an existing tree manageable by Delegated Administrator, the object counters must be initialized.
Initializing the object counters may be achieved in the Delegated Administrator user interface by Top-level Administrators.
Login as a top-level administrator and click the Configuration tab.
Click the Initialize Counters button in the Initialize Counters section of the Configuration tab interface.
The Initializing Counters window appears and completes the initialization task.
When the task is complete, click Close.
If for any reason you do not want to continue the initialization process, it may be interrupted by clicking the Stop or Stop and Close buttons at the bottom of the Initializing Counters window.
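The counters that Initialize Counters stores are the nsNum* attributes that the NDAUser ACIs in Step 5 allow the servlets to write. The following Python script is an added example, not part of the original appendix or of the product: it recomputes those counters from a listing of the tree, compares them with the nsMax* quotas set in Step 3, and renders ldapmodify records that would seed them. It assumes that an object is counted in its nearest enclosing organization only, that a nested organization counts toward its parent's nsNumDomains, and that the root nsManagedISP entry carries nsNumDomains alone (the only counter the root ACIs let NDAUser write there); the sample listing is constructed for the example.

```python
"""Recompute the Delegated Administrator object counters for each
organization from a listing of the user data tree and compare them with
the nsMax* quotas.  Useful for checking a manually edited tree before
(or after) running Initialize Counters and for seeing which organization
is over quota."""

# Which object class feeds which counter.
COUNTER_FOR = {
    "nsManagedPerson": "nsNumUsers",
    "nsManagedDept": "nsNumDepts",
    "nsManagedMailList": "nsNumMailLists",
    "nsManagedDomain": "nsNumDomains",
}

# Constructed sample listing: (dn, object classes, selected attributes).
# In practice this comes from an ldapsearch over the whole user data tree.
SAMPLE_TREE = [
    ("o=ISP", {"nsManagedISP"}, {}),
    ("o=Siroe.com, o=ISP", {"nsManagedDomain"},
     {"nsMaxUsers": "2", "nsMaxDepts": "100", "nsMaxMailLists": "1000",
      "nsMaxDomains": "10"}),
    ("ou=People, o=Siroe.com, o=ISP", {"nsManagedOrgUnit"}, {}),
    ("uid=scarter, ou=People, o=Siroe.com, o=ISP", {"nsManagedPerson"}, {}),
    ("uid=bjensen, ou=People, o=Siroe.com, o=ISP", {"nsManagedPerson"}, {}),
    ("uid=tmorris, ou=People, o=Siroe.com, o=ISP", {"nsManagedPerson"}, {}),
    ("cn=Group1, ou=Groups, o=Siroe.com, o=ISP", {"nsManagedDept"}, {}),
    ("cn=Department Administrators, cn=Group1, ou=Groups, o=Siroe.com, o=ISP",
     {"nsManagedDeptAdminGroup"}, {}),
    ("cn=staff, ou=Groups, o=Siroe.com, o=ISP", {"nsManagedMailList"}, {}),
    ("o=Sub.Siroe.com, o=Siroe.com, o=ISP", {"nsManagedDomain"}, {}),
    ("uid=alee, ou=People, o=Sub.Siroe.com, o=Siroe.com, o=ISP",
     {"nsManagedPerson"}, {}),
]


def _norm(dn):
    """Canonical DN form for comparisons: no spaces after commas, lower case."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def nearest_container(dn, containers):
    """Closest proper ancestor of dn among the container DNs, or None."""
    norm, best = _norm(dn), None
    for c in containers:
        if norm != _norm(c) and norm.endswith("," + _norm(c)):
            if best is None or len(_norm(c)) > len(_norm(best)):
                best = c
    return best


def compute_counters(tree):
    """Return {container dn: {counter: count}}.  Assumption: an object is
    counted in its nearest enclosing organization only; the root
    nsManagedISP entry carries nsNumDomains alone."""
    counters = {}
    for dn, ocs, _ in tree:
        if "nsManagedDomain" in ocs:
            counters[dn] = {c: 0 for c in COUNTER_FOR.values()}
        elif "nsManagedISP" in ocs:
            counters[dn] = {"nsNumDomains": 0}
    for dn, ocs, _ in tree:
        parent = nearest_container(dn, counters)
        if parent is None:
            continue
        for oc, counter in COUNTER_FOR.items():
            if oc in ocs and counter in counters[parent]:
                counters[parent][counter] += 1
    return counters


def quota_violations(tree, counters):
    """(dn, counter, count, limit) for every counter above its nsMax* limit;
    a missing limit or 'Unlimited' (as on administrator groups) never violates."""
    attrs_by_dn = {dn: attrs for dn, _, attrs in tree}
    violations = []
    for dn, counts in counters.items():
        for counter, count in counts.items():
            limit = attrs_by_dn.get(dn, {}).get("nsMax" + counter[len("nsNum"):])
            if limit is None or limit.lower() == "unlimited":
                continue
            if count > int(limit):
                violations.append((dn, counter, count, int(limit)))
    return violations


def counters_ldif(counters):
    """LDIF modify records that replace the stored counters (ldapmodify input)."""
    lines = []
    for dn, counts in counters.items():
        lines += ["dn: " + dn, "changetype: modify"]
        for counter, count in counts.items():
            lines += ["replace: " + counter, "%s: %d" % (counter, count), "-"]
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    c = compute_counters(SAMPLE_TREE)
    print(counters_ldif(c))
    for v in quota_violations(SAMPLE_TREE, c):
        print("over quota: %s %s=%d (limit %d)" % v)
```

With the sample tree, Siroe.com holds three users against an nsMaxUsers of 2, so the script reports one violation; running it after Initialize Counters and diffing its output against the stored nsNum* values is a cheap consistency check on a hand-edited tree.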
Configuring Delegated Administrator for Other Tree Structures
Delegated Administrator is flexible in the range of Directory Information Tree (DIT) structures that it can manage. By creating or modifying entries in the configuration stored in the directory under the cn=objects,cn=servletsconf node, you can configure Delegated Administrator to work with your existing user directory. You can specify this configuration for the root level so that it applies to objects in all organizations, or for an organization level so that different organizations can have different object definitions.
This appendix provides general information to help you define the configuration that best describes your DIT structure. In most cases, changing one of the attribute values in an entry described here will not produce a change in the existing objects of that type. However, new objects will conform to the new definition (content and location).
Note: The updates to user data described in this appendix require advanced experience with Netscape Directory Server, the LDAP Data Interchange Format (LDIF), and Access Control Instructions (ACIs). For comprehensive documentation on these topics, see the Directory Server Administrator's Guide.
The Delegated Administrator Directory Information Tree (DIT)
The Delegated Administrator configuration for the DIT structure and for the contents of managed objects is located under the cn=objects,cn=servletsconf node. It consists of object definitions, where each object type corresponds to an entry in the directory as summarized in Table A-1.
Table A-1    Delegated Administrator objects and directory entries
Object                       Type of Directory Entry
ServiceAdminGroup            Top-level Administrator Group
ServiceHelpDeskAdminGroup    Top-level Help Desk Administrator Group
Domain                       Organization
DomainAdminGroup             Organization Administrator Group
DomainHelpDeskAdminGroup     Organization Help Desk Administrator Group
DomainDeptAdminGroup         Department Administrator Group
UsersOrgUnit                 Subtree containing users
DeptsOrgUnit                 Subtree containing groups
Department                   Non-administrator group
DeptAdminGroup               Department Administrator Group
User                         User
You can modify these object definitions to include information that matches your directory tree. Some examples:
A list of objectclasses that should be added when an entry of this type is created
A list of attributes that should be added by default when an object of this type is created
Required attributes
The RDN to use for this entry (For example, whether a User entry should use cn=bill or uid=bill.)
A list of other objects that should automatically get created as child entries under this object when it is created.
The parent DN under which to create this object.
Defining Object Types
Delegated Administrator lets you modify existing objects as well as define new ones. The default object type definition for User is shown below.
|
dn: cn=User, cn=objects, cn=servletsconf, cn=en, cn=domainConfiguration, ou=config, o=ISP
objectclass: top
objectclass: extensibleObject
cn: User
iDAobjectclass: top
iDAobjectClass: person
iDAobjectClass: organizationalPerson
iDAobjectClass: inetOrgPerson
iDAobjectClass: mailRecipient
iDAobjectClass: nsMessagingServerUser
iDAobjectClass: nsManagedPerson
iDArequiredAttribute: cn
iDArequiredAttribute: sn
iDArequiredAttribute: uid
iDArequiredAttribute: userPassword
iDAattribute: nsdadomain $DomainContainerName$
iDAattribute: owner $ThisDeptAdminGroupDN$
iDArdnAttribute: uid
iDAdataTypeIdent: enduser
iDAsearchFilter: objectClass=nsManagedPerson
iDAparentDN: "ou=People, $DomainContainerDN$"
|
|
The syntax for defining an object is:
|
[ object <OBJ_NAME> { [ <KEY_SINGLE_VALUE> | <KEY_MULTI_VALUE> ]* } ]*
<OBJ_NAME> : [ascii-characters]*
<KEY_SINGLE_VALUE> : <SINGLE_KEY> <SINGLE_VALUE>
<KEY_MULTI_VALUE> : <ATTRIBUTE_KEY_THREE_VALUE> | <ATTRIBUTE_KEY_FOUR_VALUE>
<SINGLE_KEY> : objectClass | requiredAttribute | rdnAttribute | searchFilter | objectToManage
<SINGLE_VALUE> : [ascii-characters]*
<ATTRIBUTE_KEY_THREE_VALUE> : <ATTRIBUTE_KEY> <ATTRIBUTE_NAME> <ATTRIBUTE_VALUE>
<ATTRIBUTE_KEY_FOUR_VALUE> : <ATTRIBUTE_KEY> <ATTRIBUTE_NAME> <ATTRIBUTE_VALUE> true
<ATTRIBUTE_KEY> : attribute
<ATTRIBUTE_NAME> : [ascii-characters]*
<ATTRIBUTE_VALUE> : [ascii-characters]*
|
|
Here's an example of how you can use ldapmodify to modify an existing object definition. Delegated Administrator uses one container node for all users under each organization. The default name of the container is ou=People. If in your user directory the container node is cn=Users, you can use ldapmodify to change the definition. In the following example, the definition for ou=People is deleted and then the definition for cn=Users is added to the entry that defines UsersOrgUnit.
|
ldapmodify -D "cn=directory manager" -w password -h host_name
dn: cn=UsersOrgUnit, cn=objects, cn=servletsconf, cn=en, cn=domainConfiguration, ou=config, o=isp
changetype: modify
delete: idaattribute
idaattribute: ou "People"
-
add: idaattribute
idaattribute: cn "Users"
|
|
In the following example, a new object is created for a conference room (using the standard LDAP schema for "room"):
|
dn: cn=ConferenceRoom, cn=objects, cn=servletsconf, cn=en, cn=domainConfiguration, ou=config, o=isp
objectclass: top
objectclass: extensibleObject
cn: ConferenceRoom
idaobjectclass: top
idaobjectclass: room
idaattribute: description
idaattribute: roomNumber
idaattribute: seeAlso
idaattribute: telephoneNumber
idardnattribute: cn
idarequiredattribute: cn
idadatatypeident: conferenceroom
idasearchfilter: objectClass=room
idaparentdn: "ou=Rooms, $DomainContainerDN$"
|
|
Quotation marks.
To specify a value that includes white-space characters, enclose it in matching quotation marks. Three kinds of quotation mark are accepted, so a value can be wrapped in one kind while containing another, as the third example shows. Examples:
- "space separated value"
- 'another example'
- `"yet another quote"`
Macros.
Some values may be macros. The following macros are defined in Delegated Administrator:
$ISPDN$
$DOMAINDN$
$DEPTDN$
$USERDN$
$SELFDN$
Most of these are defined internally by the servlets. Their value can be set by passing new values for the macros to the getPage servlet from the templates.
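The object-definition syntax, the quoting rule and the macros above describe what Delegated Administrator does when it creates an entry from a definition. The following Python parser is an added example, not part of the original appendix or of the product: it tokenizes definitions written in the syntax shown (honouring the three quote kinds), parses them, expands $NAME$ macros, and then instantiates one entry the way Table A-2 describes (default attribute values that override user input unless the fourth parameter is true, required-attribute checking, the RDN attribute, and the first parentDN that evaluates to non-null). It assumes two extra keys, parentDN and dataTypeIdent, which the printed grammar omits but the LDIF definitions carry as iDAparentDN and iDAdataTypeIdent, and the macro values and the sample definition are constructed for the example.

```python
"""Parser and instantiator for the Delegated Administrator object
definition syntax: object <name> { key value ... } with ", ' or `
quoting and $NAME$ macros."""
import re

SINGLE_KEYS = {"objectClass", "requiredAttribute", "rdnAttribute",
               "searchFilter", "objectToManage",
               # Assumption: accepted here although the printed grammar
               # omits them (they appear in the LDIF as iDAparentDN and
               # iDAdataTypeIdent).
               "parentDN", "dataTypeIdent"}
MACRO_RE = re.compile(r"\$([A-Za-z]+)\$")

# Constructed sample definition; the backtick-quoted value shows a value
# that itself contains double quotes.  The first parentDN uses a macro
# that is deliberately left undefined so that the second one is chosen.
SAMPLE_DEFINITION = """
object User {
  objectClass top
  objectClass inetOrgPerson
  objectClass nsManagedPerson
  requiredAttribute cn
  requiredAttribute sn
  requiredAttribute uid
  rdnAttribute uid
  searchFilter objectClass=nsManagedPerson
  attribute nsdadomain $DomainContainerName$
  attribute owner $ThisDeptAdminGroupDN$
  attribute description `"Managed" user` true
  parentDN "ou=People, $DeptContainerDN$"
  parentDN "ou=People, $DomainContainerDN$"
}
"""
# Constructed macro values (assumption; the servlets set these internally).
MACROS = {"DomainContainerName": "Siroe.com",
          "DomainContainerDN": "o=Siroe.com, o=ISP",
          "ThisDeptAdminGroupDN": "cn=Department Administrators, cn=Group1, "
                                  "ou=Groups, o=Siroe.com, o=ISP"}
# Constructed form submission; nsdadomain is supplied to show it is ignored.
SUBMITTED = {"uid": "scarter", "cn": "Sam Carter", "sn": "Carter",
             "description": "Sales", "nsdadomain": "Other.com"}


def tokenize(text):
    """(kind, text) tokens, kind in {'brace', 'quoted', 'word'}.  A value in
    matching ", ' or ` quotes may contain spaces and the other quote kinds."""
    tokens, i, n = [], 0, len(text)
    while i < n:
        c = text[i]
        if c.isspace():
            i += 1
        elif c in "{}":
            tokens.append(("brace", c)); i += 1
        elif c in "\"'`":
            j = text.find(c, i + 1)
            if j < 0:
                raise ValueError("unterminated %s quote at offset %d" % (c, i))
            tokens.append(("quoted", text[i + 1:j])); i = j + 1
        else:
            j = i
            while j < n and not text[j].isspace() and text[j] not in "{}":
                j += 1
            tokens.append(("word", text[i:j])); i = j
    return tokens


def parse_objects(text):
    """{object name: definition}; a definition maps each single key to its
    list of values and 'attribute' to (name, default, user_value_wins)."""
    toks, objects, i = tokenize(text), {}, 0
    while i < len(toks):
        if toks[i] != ("word", "object") or toks[i + 2] != ("brace", "{"):
            raise ValueError("expected 'object <name> {' at token %d" % i)
        name, defn, i = toks[i + 1][1], {"attribute": []}, i + 3
        while toks[i] != ("brace", "}"):
            key = toks[i][1]
            if key == "attribute":                    # three- or four-value form
                attr, value, i = toks[i + 1][1], toks[i + 2][1], i + 3
                user_wins = i < len(toks) and toks[i] == ("word", "true")
                i += 1 if user_wins else 0
                defn["attribute"].append((attr, value, user_wins))
            elif key in SINGLE_KEYS:
                defn.setdefault(key, []).append(toks[i + 1][1]); i += 2
            else:
                raise ValueError("unknown key %r in object %s" % (key, name))
        objects[name] = defn
        i += 1
    return objects


def expand(value, macros):
    """Substitute $NAME$ macros; None if any macro is undefined, which is
    how 'evaluates to non-null' is modelled for parentDN selection."""
    if any(m not in macros for m in MACRO_RE.findall(value)):
        return None
    return MACRO_RE.sub(lambda m: macros[m.group(1)], value)


def instantiate(defn, submitted, macros):
    """Build (dn, {attr: [values]}) for one object from a definition."""
    entry = {"objectClass": list(defn.get("objectClass", []))}
    for attr, default, user_wins in defn["attribute"]:
        if user_wins and attr in submitted:
            entry.setdefault(attr, []).append(submitted[attr])
        else:                               # configured default wins
            value = expand(default, macros)
            if value is None:
                raise ValueError("undefined macro in default for %s" % attr)
            entry.setdefault(attr, []).append(value)
    for attr, value in submitted.items():   # user data for everything else
        entry.setdefault(attr, [value])
    for attr in defn.get("requiredAttribute", []):
        if attr not in entry:
            raise ValueError("required attribute %s missing" % attr)
    parent = next((p for p in (expand(v, macros) for v in defn.get("parentDN", []))
                   if p), None)
    if parent is None:
        raise ValueError("no parentDN evaluated to a non-null value")
    rdn_attr = defn["rdnAttribute"][0]
    return "%s=%s,%s" % (rdn_attr, entry[rdn_attr][0], parent), entry
```

Note what the override rule buys in this example: nsdadomain has no fourth parameter, so the Other.com value in the submission is discarded and the entry lands in Siroe.com, whereas description carries true and the user's Sales is kept. That is the property to preserve when editing definitions; adding true to an attribute such as nsdadomain or owner would let a submitted form decide which organization or administrator group controls the new entry.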
Table A-2 provides information about object definitions you can modify in Delegated Administrator.
Table A-2    Configurable object definitions in Delegated Administrator
iDAobjectClass
    Syntax: iDAobjectClass <oc>
    objectClass value to add to the entry when creating the entry in the directory. Multiple objectClass values can be specified.
iDArequiredAttribute
    Syntax: iDArequiredAttribute <attr>
    Attribute values required when creating the entry in the directory. Multiple attribute values can be specified. If an attribute specified here is absent, the entry will not be created.
iDArdnAttribute
    Syntax: iDArdnAttribute <attr>
    Attribute to be used as the entry's RDN. Only one attribute can be specified. For example, iDA uses uid as the RDN for user entries. To change the RDN to cn, change the value of iDArdnAttribute in the User definition entry to cn.
iDAsearchFilter
    Syntax: iDAsearchFilter <filter>
    The search filter used to find such entries in the directory.
iDAattribute
    Syntax: iDAattribute <attr> <value> [true]
    Attribute and its default value. Multiple attribute values can be specified. Multi-valued attributes can be defined by repeating the same <attr>. By default, the values specified here override any user-submitted values for these attributes; the optional fourth parameter (true) indicates that the user-submitted values should be used in place of the default values.
iDAobjectToManage
    Syntax: iDAobjectToManage <object>
    Additional object to manage immediately beneath this entry in the DIT.
iDAparentDN
    Syntax: iDAparentDN <dn>
    The directory entry beneath which the new object should be created. Multiple parent DN values can be specified, and their order is significant: the servlet checks each value in order and uses the first one that evaluates to non-null as the parent DN.
    Example: by default, Delegated Administrator creates users under ou=People, <DOMAINDN>. If you want users to be created directly under the domain entry instead of under a container (ou=People), edit the value of this attribute to be $DomainContainerDN$.
iDAdataTypeIdent
    Syntax: iDAdataTypeIdent <identifier>
    The identifier used by other configuration entries to locate user/admin types. You need to set this value for an object that is a new user/administrator type.