iPlanet Delegated Administrator 4.5 Deployment and Customization Guide



Appendix B       Upgrading from Delegated Administrator Version 4.11


This appendix describes the modifications you must make to your directory information tree (DIT) in order to upgrade an existing Netscape Delegated Administrator 4.11 installation to iPlanet Delegated Administrator 4.5. The appendix contains the following topics:

    • Changes from Version 4.11 to Version 4.5

    • Modifying the User Directory

    • Add New Objectclasses and Attributes

    • Importing New Configuration Information

    • Changing Container Names

    • Initializing the Object Counters


Changes from Version 4.11 to Version 4.5

In order to support user directories that are already deployed, Delegated Administrator 4.5 uses a new, highly flexible DIT model. It defines a new grammar that is capable of creating an abstract representation of the user tree, which is interpreted by the back end. By making a few changes in your existing user directory, and representing your existing tree in terms of the new grammar, you can use Delegated Administrator 4.5 with the user directory you created using version 4.11.

Figure B-1 illustrates the default DIT used in Delegated Administrator 4.11.

Figure B-1    Default DIT used in Delegated Administrator 4.11

Changes and additions were necessary to introduce flexibility in the support of arbitrary DITs. Figure B-2 illustrates the resulting default DIT used in Delegated Administrator 4.5.

Figure B-2    Default DIT in Delegated Administrator 4.5



Modifying the User Directory



Before Delegated Administrator 4.5 can work with the administrators created using Delegated Administrator 4.11, you must modify entries at the Top level and at the Organization level of your existing tree.


Step 1: Modify Entries at the Top Level

  1. Rename the top level cn=Help Desk administrators group to cn=Service Help Desk Administrators.

  2. Create ou=Groups, <base suffix>

  3. Move the Service Help Desk and Service Administrator Groups to under ou=Groups, <base suffix>.

  4. Add the cn=domainConfiguration tree under ou=config, <base suffix>.


Step 2: Modify Entries at the Organization Level

  1. Rename cn=Dept Administrators, <domain dn> to cn=Domain Department Administrators, <domain dn>.

  2. Rename cn=Help Desk administrators to cn=Domain Help Desk Administrators.

  3. Move the cn=Domain Administrators group, the cn=Domain Help Desk Administrators group, and the cn=Domain Department Administrators group to under ou=Depts, <domain dn>.
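The Step 1 and Step 2 changes above expressed as LDIF change records, written here as an added example; this is not code from the original guide or from the product. It assumes the default base suffix o=ISP and a sample domain o=Siroe, o=ISP, and the group member values are constructed (in practice you would take them from an ldapsearch of the old entry). Moves are emitted as an add under the new DN followed by a delete of the old DN rather than as modrdn with newsuperior, because not every directory server of that generation accepts newsuperior. Values elsewhere in the tree that reference the old group DNs (memberOf, uniqueMember, owner, ACIs) are not rewritten by this script.

```python
"""LDIF change records for the top-level and organization-level restructuring."""


def modrdn(dn, new_rdn):
    # In-place rename of a leaf entry; deleteoldrdn: 1 drops the old cn value.
    return f"dn: {dn}\nchangetype: modrdn\nnewrdn: {new_rdn}\ndeleteoldrdn: 1\n"


def add(dn, attrs):
    lines = [f"dn: {dn}", "changetype: add"]
    for name, values in attrs.items():
        lines.extend(f"{name}: {v}" for v in values)
    return "\n".join(lines) + "\n"


def delete(dn):
    return f"dn: {dn}\nchangetype: delete\n"


def move(rdn, old_parent, new_parent, attrs):
    # Two records: create the copy under the new parent, then remove the original.
    return [add(f"{rdn}, {new_parent}", attrs), delete(f"{rdn}, {old_parent}")]


def group_attrs(cn, members):
    # Constructed 4.11-style admin group; real values come from the directory.
    return {"objectClass": ["top", "groupOfUniqueNames", "nsManagedDept"],
            "cn": [cn], "uniqueMember": members}


def top_level_changes(base, sa_members, shda_members):
    """Step 1 (1-3): rename the help-desk group, create ou=Groups, move both groups."""
    shda = "Service Help Desk Administrators"
    sa = "Service Administrators"
    records = [modrdn(f"cn=Help Desk administrators, {base}", f"cn={shda}")]
    # nsManagedOrgUnit on the container is an assumption taken from the 4.5 DIT.
    records.append(add(f"ou=Groups, {base}", {
        "objectClass": ["top", "organizationalUnit", "nsManagedOrgUnit"],
        "ou": ["Groups"]}))
    for cn, members in ((shda, shda_members), (sa, sa_members)):
        records += move(f"cn={cn}", base, f"ou=Groups, {base}", group_attrs(cn, members))
    return records


def org_level_changes(domain_dn, members):
    """Step 2: rename the two domain groups, then move all three under ou=Depts."""
    records = [
        modrdn(f"cn=Dept Administrators, {domain_dn}", "cn=Domain Department Administrators"),
        modrdn(f"cn=Help Desk administrators, {domain_dn}", "cn=Domain Help Desk Administrators"),
    ]
    for cn in ("Domain Administrators", "Domain Help Desk Administrators",
               "Domain Department Administrators"):
        records += move(f"cn={cn}", domain_dn, f"ou=Depts, {domain_dn}",
                        group_attrs(cn, members.get(cn, [])))
    return records


def build_ldif(records):
    # ldapmodify applies records in order, so the ou=Groups add must precede the
    # moves and each rename must precede the move of the renamed entry.
    return "\n".join(records)


if __name__ == "__main__":
    base = "o=ISP"                  # assumption: default base suffix
    domain = "o=Siroe, o=ISP"       # assumption: sample domain
    recs = top_level_changes(base,
                             ["uid=sa1, ou=Users, o=Siroe, o=ISP"],     # constructed
                             ["uid=hd1, ou=Users, o=Siroe, o=ISP"])     # constructed
    recs += org_level_changes(domain, {
        "Domain Administrators": ["uid=da1, ou=Users, o=Siroe, o=ISP"]})  # constructed
    # Save the output and apply it with: ldapmodify -D <bind dn> -w <password> -f changes.ldif
    print(build_ldif(recs))
```

Apply the file with a bind DN that is allowed to add and delete at both levels (for example the Directory Manager), and export the tree first so the add records can be rebuilt if an operation fails halfway.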



Add New Objectclasses and Attributes

New ACIs, objectclasses, and attributes were added in Delegated Administrator 4.5. Before you install version 4.5, you must modify the following entries created by Delegated Administrator 4.11:

    • The Top-level entry

    • All Organization entries

    • The NDAUser entry

    • All Administrator Group entries

    • All OrgUnit entries

    • All Department or Group entries

    • All User entries


Step 1: Modify the Top-level Entry

  1. Add the new Top Level ACI replacing the old.

    If you had made changes to the original Delegated Administrator 4.11 ACIs, you may need to make corresponding changes in the new set for iDA 4.5. The following ACIs need to be added at the Top level:


# Allow anonymous read and search access to user entries
#
aci: (targetattr != "userPassword")
(targetfilter=(objectClass=nsManagedPerson))
(version 3.0; acl "Anonymous access to User entries";
allow (read,search) userdn="ldap:///anyone";)
#
# Allow anonymous read and search access to postmaster entry
#
aci: (target="ldap:///cn=postmaster, o=ISP")
(targetattr="*")
(version 3.0; acl "Anonymous access to Postmaster entry";
allow (read,search) userdn="ldap:///anyone";)
#
# ------------------------------------------------
# NDAUser access control
#
# Allow read and search access to uid, mail, and userCertificate
# attributes of user entries
#
aci: (targetattr="objectClass||uid||mail||userCertificate")
(targetfilter=(objectClass=nsManagedPerson))
(version 3.0; acl "NDAUser access to user attributes"; allow (read,search)
userdn="ldap:///uid=NDAUser, ou=config, o=ISP";)
#
# Allow read and search access to nsManagedISP entries
#
aci: (targetattr="objectClass||o||nsNumDomains")
(targetfilter=(objectClass=nsManagedISP))
(version 3.0; acl "NDAUser access to toplevel attributes"; allow (read,search)
userdn="ldap:///uid=NDAUser, ou=config, o=ISP";)
#
# Allow read and search access to domain entries
#
aci: (targetattr="objectClass||o||nsdaorgid||nsNumUsers||nsNumDepts||nsNumMailLists||nsNumDomains
||nsMaxUsers||nsMaxDepts||nsMaxMailLists||nsMaxDomains")
(targetfilter=(objectClass=nsManagedDomain))
(version 3.0; acl "NDAUser access to domain entries"; allow (read,search)
userdn="ldap:///uid=NDAUser, ou=config, o=ISP";)
#
# Allow read and search access to department entries
#
aci: (targetattr="objectClass||cn||nsNumUsers||nsNumDepts||nsMaxUsers||nsMaxDepts")
(targetfilter=(objectClass=nsManagedDept))
(version 3.0; acl "NDAUser access to dept entries"; allow (read,search)
userdn="ldap:///uid=NDAUser, ou=config, o=ISP";)
#
# Allow read and search access to nsManagedOrgUnit entries
#
aci: (targetattr="objectClass")
(targetfilter=(objectClass=nsManagedorgUnit))
(version 3.0; acl "NDAUser access to orgunits"; allow (read,search)
userdn="ldap:///uid=NDAUser, ou=config, o=ISP";)
#
# Allow read and search access to mail list entries
#
aci: (targetattr="objectClass||cn||nsNumUsers||nsMaxUsers")
(targetfilter=(objectClass=nsManagedMailList))
(version 3.0; acl "NDAUser access to mail lists"; allow (read,search)
userdn="ldap:///uid=NDAUser, ou=config, o=ISP";)
#
# Allow write access to nsNumDomains attribute of nsManagedISP entries
#
aci: (targetattr="nsNumDomains")
(targetfilter=(objectClass=nsManagedISP))
(version 3.0; acl "NDAUser write access to toplevel"; allow (write)
userdn="ldap:///uid=NDAUser, ou=config, o=ISP";)
#
# Allow write access to nsNum* attributes of all domain entries
#
aci: (targetattr="nsNumUsers||nsNumDepts||nsNumMailLists||nsNumDomains")
(targetfilter=(objectClass=nsManagedDomain))
(version 3.0; acl "NDAUser write access to domains"; allow (write)
userdn="ldap:///uid=NDAUser, ou=config, o=ISP";)
#
# Allow write access to nsNum* attributes of all department entries
#
aci: (targetattr="nsNumUsers||nsNumDepts")
(targetfilter=(objectClass=nsManagedDept))
(version 3.0; acl "NDAUser write access to depts"; allow (write)
userdn="ldap:///uid=NDAUser, ou=config, o=ISP";)
#
# Allow write access to nsNumUsers attribute of all mail list entries
#
aci: (targetattr="nsNumUsers")
(targetfilter=(objectClass=nsManagedMailList))
(version 3.0; acl "NDAUser write access to mail lists"; allow (write)
userdn="ldap:///uid=NDAUser, ou=config, o=ISP";)
#
# ------------------------------------------------
# Service Administrator access control
#
# Allow read and search access to all ISP nodes
#
aci: (targetattr="*")
(targetfilter=(objectClass=nsManagedISP))
(version 3.0; acl "SA root node access"; allow (read,search)
groupdn="ldap:///cn=Service Administrators, ou=Groups, o=ISP";)
#
# Allow all access to all domains, organizational units, departments,
# mail lists and users
#
aci: (targetattr="*")
(targetfilter=(|(objectClass=nsManagedDomain)
(objectClass=nsManagedOrgUnit)
(objectClass=nsManagedDeptAdminGroup)
(objectClass=nsManagedDept)
(objectClass=nsManagedMailList)
(objectClass=nsManagedPerson)))
(version 3.0; acl "SA domain access"; allow (all)
groupdn="ldap:///cn=Service Administrators, ou=Groups, o=ISP";)
#
# ------------------------------------------------
# Service Help Desk Administrator access control
#
# Allow read and search access to all ISP nodes, domains, and users
#
aci: (targetattr="*")
(targetfilter=(|(objectClass=nsManagedISP)
(|(objectClass=nsManagedDomain)
(objectClass=nsManagedPerson))))
(version 3.0; acl "SHDA root node access"; allow (read,search)
groupdn="ldap:///cn=Service Help Desk Administrators, ou=Groups, o=ISP";)
#
# Allow all access to all mail lists
#
aci: (targetattr="*")
(targetfilter=(objectClass=nsManagedMailList))
(version 3.0; acl "SHDA mail list access"; allow (all)
groupdn="ldap:///cn=Service Help Desk Administrators, ou=Groups, o=ISP";)
#
# Allow write access to userPassword attribute of all users except
# Service Administrators and Service Help Desk Administrators
#
aci: (targetattr="userPassword||passwordExpirationTime")
(targetfilter=(&(objectClass=nsManagedPerson)
(&(!(memberOf=cn=Service Administrators, ou=Groups, o=ISP))
(!(memberOf=cn=Service Help Desk Administrators, ou=Groups, o=ISP)))))
(version 3.0; acl "SHDA user write access"; allow (write)
groupdn="ldap:///cn=Service Help Desk Administrators, ou=Groups, o=ISP";)
#
# ------------------------------------------------
# Specific Department Administrator access control
#
# Allow read and search access to all depts s/he can view
#
aci: (targetattr="*")
(targetfilter=(|(objectClass=nsManagedDept)
(objectClass=nsManagedDeptAdminGroup)))
(version 3.0; acl "Dept Adm dept access"; allow (read,search)
userdn="ldap:///o=ISP??sub?(memberOf=cn=Department Administrators*)" and
groupdnattr="ldap:///o=ISP?nsDAModifiableBy";)
#
# Allow write access to nsNumUsers, nsNumDepts, and uniqueMember attributes
# of the dept entry s/he can modify
#
aci: (targetattr="nsNumUsers||nsNumDepts||uniqueMember")
(targetfilter=(|(objectClass=nsManagedDept)(objectClass=nsManagedDept)))
(version 3.0; acl "Dept Adm dept write"; allow (write)
userdn="ldap:///o=ISP??sub?(memberOf=cn=Department Administrators*)" and
groupdnattr="ldap:///o=ISP?nsDAModifiableBy";)
#
# Allow all access to the depts s/he owns
#
aci: (targetattr="*")
(targetfilter=(|(objectClass=nsManagedDeptAdminGroup)
(objectClass=nsManagedDept)))
(version 3.0; acl "Dept Adm all access to dept"; allow (all)
userdn="ldap:///o=ISP??sub?(memberOf=cn=Department Administrators*)" and
groupdnattr="ldap:///o=ISP?owner";)
#
# Allow read, search, write and delete access to all users in dept
#
aci: (targetattr="*")
(targetfilter=(&(objectClass=nsManagedPerson)
(&(!(memberOf=cn=Service Administrators, ou=Groups, o=ISP))
(&(!(memberOf=cn=Service Help Desk Administrators, ou=Groups, o=ISP))
(&(!(memberOf=cn=Domain Administrators*))
(!(memberOf=cn=Domain Help Desk Administrators*)))))))
(version 3.0; acl "Dept Adm user access"; allow (read,search,write,delete)
userdn="ldap:///o=ISP??sub?(memberOf=cn=Department Administrators*)" and
groupdnattr="ldap:///o=ISP?owner";)
#
# Allow add access to create new users
#
aci: (targetattr="*")
(targetfilter=(objectClass=nsManagedPerson))
(version 3.0; acl "Dept Adm user create access"; allow (add)
userdn="ldap:///o=ISP??sub?(memberOf=cn=Department Administrators*)";)
#
# Allow a department administrator to add self to any group/subgroup that they
# administer
#
aci: (targetattr="memberOf||owner") (version 3.0; acl
"Dept Adm access to add self to group and subgroups"; allow (write)
userdn="ldap:///o=ISP??sub?(memberOf=cn=Department Administrators*)" and
userdn="ldap:///self";)
#
# ------------------------------------------------
# User access control
#
# Allow read and search access to self
#
aci: (targetattr="*")
(targetfilter=(objectClass=nsManagedPerson))
(version 3.0; acl "User self read,search"; allow (read,search)
userdn="ldap:///self";)
#
# Allow write access to self except for uid, ou, owner,
# nsDAModifiableBy, nsDACapability, mail, mailAlternateAddress,
# memberOf, and nsDADomain attributes
#
aci: (targetattr!="uid||ou||owner||nsDAModifiableBy||nsDACapability
||mail||mailAlternateAddress||memberOf||nsDADomain")
(targetfilter=(objectClass=nsManagedPerson))
(version 3.0; acl "User self modification"; allow (write)
userdn="ldap:///self";)
#
# Deny delete access to self
#
aci: (targetfilter=(objectClass=nsManagedPerson))
(version 3.0; acl "User self deletion"; deny (delete)
userdn="ldap:///self";)
#
# ------------------------------------------------
# Mail List access control
#
# Allow designated users to create mail lists
#
aci: (targetattr="*")
(targetfilter=(objectClass=nsManagedMailList))
(version 3.0; acl "Mail list create access"; allow (add)
userdn="ldap:///o=ISP??sub?(nsDACapability=mailListCreate)";)
#
# Allow mail list owner read, search, write, and delete access to
# the mail lists s/he owns except for the nsMaxUsers attribute
#
aci: (targetattr!="nsMaxUsers")
(targetfilter=(objectClass=nsManagedMailList))
(version 3.0; acl "Mail list owner access"; allow (read,search,write,delete)
groupdnattr="ldap:///o=ISP?owner";)
#
# ------------------------------------------------
# ------------------------------------------------
#
aci: (targetattr="nsNumDomains")(targetfilter=(objectClass=nsManagedISP))(version 3.0; acl "Write Counters"; allow
(write) groupdn="ldap:///cn=Service Administrators, ou=Groups, o=ISP";)
aci: (targetfilter=(objectClass=nsValueItem))(version 3.0; acl "SA domain access"; allow (all)
groupdn="ldap:///cn=Service Administrators, ou=Groups,o=ISP";)

  2. Add objectclass: nsUniquenessDomain

    For more in-depth information on the iDA 4.5 schema, see Appendix B "Delegated Administrator Schema" in the Deployment and Customization Guide.


Step 2: Modify Each Organization Entry

  1. Add the following new attributes with appropriate values for each.

    • nsMaxDomains

    • nsNumDomains

    • nsMaxMailLists

    • nsNumMailLists

  2. Remove the following attribute

nsDefaultMaxDeptSize

  3. Add the new Domain Level ACI replacing the old. If you had made ACI changes to the original NDA 4.11 ACI at the domain level, you may need to make corresponding changes in the new set for iDA 4.5. The following ACIs need to be added at the domain level:

    #
    aci: (targetattr="*")
    (targetfilter=(objectClass=nsManagedDomain))
    (version 3.0; acl "Domain Adm domain access"; allow (read,search)
    groupdn="ldap:///cn=Domain Administrators, ou=Groups, o=Siroe, o=ISP";)
    #
    # Allow read and search access to the Domain Administrators group
    #
    aci: (target="ldap:///cn=Domain Administrators, ou=Groups, o=Siroe, o=ISP")
    (targetattr="*")
    (targetfilter=(|(objectClass=nsManagedDeptAdminGroup)
    (objectClass=nsManagedDept)))
    (version 3.0; acl "Domain Adm dept access"; allow (read,search)
    groupdn="ldap:///cn=Domain Administrators, ou=Groups, o=Siroe, o=ISP";)
    #
    # Allow read, search, and write access to the Domain Help Desk
    # Administrators group
    #
    aci: (target="ldap:///cn=Domain Help Desk Administrators, ou=Groups, o=Siroe, o=ISP")
    (targetattr="*")
    (targetfilter=(|(objectClass=nsManagedDeptAdminGroup)
    (objectClass=nsManagedDept)))
    (version 3.0; acl "Domain Adm dept access"; allow (read,search,write)
    groupdn="ldap:///cn=Domain Administrators, ou=Groups, o=Siroe, o=ISP";)
    #
    # Allow read, search, and write access to all Domain Department
    # Administrators group for Domain and Domain Dept Admins
    #
    aci: (target="ldap:///cn=Domain Department Administrators, ou=Groups, o=Siroe, o=ISP")
    (targetattr="*")
    (targetfilter=(|(objectClass=nsManagedDeptAdminGroup)
    (objectClass=nsManagedDept)))
    (version 3.0; acl "Domain Adm dept access"; allow (read,search,write)
    groupdn="ldap:///cn=Domain Administrators, ou=Groups, o=Siroe, o=ISP" or
    groupdn="ldap:///cn=Domain Department Administrators, ou=Groups, o=Siroe, o=ISP";)
    #
    # Allow read and search access to all organizational units in this domain
    #
    aci: (target="ldap:///ou=*, o=Siroe, o=ISP")
    (targetattr="*")
    (targetfilter=(objectClass=nsManagedOrgUnit))
    (version 3.0; acl "Domain Adm org unit access"; allow (read,search,write)
    groupdn="ldap:///cn=Domain Administrators, ou=Groups, o=Siroe, o=ISP";)
    #
    # Allow all access to the departments and mail lists in this domain
    #
    aci: (target="ldap:///ou=*, o=Siroe, o=ISP")
    (targetattr="*")
    (targetfilter=(|(objectClass=nsManagedDept)
    (objectClass=nsManagedDeptAdminGroup)
    (objectClass=nsManagedMailList)))
    (version 3.0; acl "Domain Adm dept access"; allow (all)
    groupdn="ldap:///cn=Domain Administrators, ou=Groups, o=Siroe, o=ISP";)
    #
    # Allow read, search, and add access to all users in domain and subdomains
    #
    aci: (targetattr="*")(targetfilter=(objectClass=nsManagedPerson))
    (version 3.0; acl "Domain Adm user access"; allow (read,search,add)
    groupdn="ldap:///cn=Domain Administrators, ou=Groups, o=Siroe, o=ISP";)
    #
    # Allow write and delete access to all users in domain s/he owns
    # except for Service Administrators and Service Help Desk Administrators
    #
    aci: (targetattr="*")(targetfilter=(&(objectClass=nsManagedPerson)
    (&(!(memberOf=cn=Service Administrators, ou=Groups, o=ISP))
    (!(memberOf=cn=Service Help Desk Administrators, ou=Groups, o=ISP)))))
    (version 3.0; acl "Domain Adm user modify access"; allow (write,delete)
    groupdn="ldap:///cn=Domain Administrators, ou=Groups, o=Siroe, o=ISP";)
    #
    # Allow all access to subdomains and their organizational units,
    # departments, and mail lists
    #
    aci: (target="ldap:///o=*, o=Siroe, o=ISP")
    (targetattr="*")
    (targetfilter=(|(objectClass=nsManagedDomain)
    (objectClass=nsManagedDeptAdminGroup)
    (objectClass=nsManagedOrgUnit)
    (objectClass=nsManagedDept)
    (objectClass=nsManagedMailList)))
    (version 3.0; acl "Domain Adm access"; allow (all)
    groupdn="ldap:///cn=Domain Administrators, ou=Groups, o=Siroe, o=ISP";)
    aci: (targetfilter=(|(objectClass=nsValueItem)
    (objectClass=extensibleObject)))
    (version 3.0; acl "Domain Adm config access";
    allow (all) groupdn="ldap:///cn=Domain Administrators, ou=Groups, o=Siroe, o=ISP";)
    #
    # ------------------------------------------------
    # Domain Help Desk Administrator access control
    #
    # Allow read and search access to this domain, its subdomains, and all users
    #
    aci: (targetattr="*")
    (targetfilter=(|(objectClass=nsManagedDomain)
    (objectClass=nsManagedPerson)))
    (version 3.0; acl "DHDA access"; allow (read,search)
    groupdn="ldap:///cn=Domain Help Desk Administrators, ou=Groups, o=Siroe, o=ISP";)
    #
    # Allow all access to all mail lists
    #
    aci: (targetattr="*")
    (targetfilter=(objectClass=nsManagedMailList))
    (version 3.0; acl "DHDA mail list access"; allow (all)
    groupdn="ldap:///cn=Domain Help Desk Administrators, ou=Groups, o=Siroe, o=ISP";)
    #
    # Allow write access to userPassword attribute of all users in domain except for
    # Service Administrators, Service Help Desk Administrators, and Domain Administrators
    #
    aci: (targetattr="userPassword||passwordExpirationTime")(targetfilter=(&(objectClass=nsManagedPerson)
    (&(!(memberOf=cn=Service Administrators, ou=Groups, o=ISP))
    (&(!(memberOf=cn=Service Help Desk Administrators, ou=Groups, o=ISP))
    (&(!(memberOf=cn=Domain Administrators, ou=Groups, o=Siroe, o=ISP))
    (!(memberOf=cn=Domain Help Desk Administrators, ou=Groups, o=Siroe, o=ISP)))))))
    (version 3.0; acl "DHDA user write access"; allow (write)
    groupdn="ldap:///cn=Domain Help Desk Administrators, ou=Groups, o=Siroe, o=ISP";)
    aci: (targetattr="uniqueMember")
    (targetfilter=(&(objectClass=nsManagedMailList)(mgmanJoinability=all)))
    (version 3.0; acl "User self subscribe access"; allow (selfwrite)
    userdn="ldap:///uid=*, ou=People, o=Siroe, o=ISP";)
    #
    # Allow users read and search access to mail lists in their domain
    #
    aci: (targetattr!="uniqueMember||mgrpRfc822MailMember")
    (targetfilter=(&(objectClass=nsManagedMailList)(mgmanHidden=false)))
    (version 3.0; acl "User mail list access when visible"; allow (read,search)
    userdn="ldap:///uid=*, ou=People, o=Siroe, o=ISP";)
    #
    # Allow users read and search access to members of mail lists in their domain
    #
    aci: (targetattr="uniqueMember||mgrpRfc822MailMember")
    (targetfilter=(&(objectClass=nsManagedMailList)(mgmanMemberVisibility=all)))
    (version 3.0; acl "User mail list member access"; allow (read,search)
    userdn="ldap:///uid=*, ou=People, o=Siroe, o=ISP";)


Step 3: Modify the NDAUser Entry

Set the NDAUser userPassword to auth (the default password set in the servlet/resource.properties file). Because this default is documented and therefore widely known, change the password in both places after installing iDA against the user DIT.


Step 4: Modify Administrator Group Entries

All administrator groups should be modified as follows:

  1. Add objectclass: nsManagedDeptAdminGroup to the entry.

  2. Add objectclass: inetAdmin to the entry.

  3. Remove objectclass: nsManagedDept from the entry, if it exists.

  4. Add adminRole: <rdn of the Administrator Group entry>. For example, to the Service Administrators group add the attribute adminRole: Service Administrators.

  5. Remove nsNumUsers and nsMaxUsers from the Administrator group entry if they exist.

  6. For the Department level Administrator groups, rename the group RDN from cn=Dept Administrators to cn=Department Administrators. Make corresponding changes from Dept to Department in all places where this DN exists as an attribute value.


Step 5: Modify OrgUnit Entries

Add objectclass: nsManagedOrgUnit to the ou=Users and ou=Depts entries.


Step 6: Modify Department or Group Entries

  1. Add attributes nsNumDepts and nsMaxDepts with appropriate values to each entry.

  2. Change the attribute name 'owner' to 'nsDAModifiableBy' and retain the old attribute value.


Step 7: Modify User Entries

Since UID translation is no longer supported in iDA 4.5, the uid value in each entry must be changed to the user ID alone, without the domain name suffix. If UID translation was on, corresponding changes are needed throughout the user tree. For example:

uid=bill-Airius.com will now become uid=bill.

All references to the user entry would need to be modified accordingly.

  1. Change the attribute name 'nssearchfilter' to 'nsDADomain' and retain the old attribute value.

  2. Change the attribute name 'ou' to 'memberOf' and retain the old attribute value.
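The Step 7 rewrite applied to an LDIF export, including the "all references to the user entry" part that is easy to miss, as an added example that is not code from the original guide or from the product. It assumes the default base suffix o=ISP, that the suffix to strip from uid is "-" followed by the domain name taken from the entry's own DN (the o= RDN directly above the base suffix), and that the attributes which may hold a user DN are memberOf, uniqueMember, owner and nsDAModifiableBy; the sample entries are constructed. Because the DN of each rewritten user changes, the old entries are deleted and the output re-added; the script refuses to continue if stripping the suffix would make two entries collide.

```python
"""Rewrite 4.11 user entries for 4.5 (Step 7) and fix DN-valued references."""
import re

BASE = "o=ISP"  # assumption: default base suffix; change to your suffix
DN_VALUED = {"memberof", "uniquemember", "owner", "nsdamodifiableby"}  # assumption


def parse_ldif(text):
    """Minimal LDIF reader: entries separated by blank lines, folded
    continuation lines joined; base64 (::) values are not handled."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = []
        for line in block.splitlines():
            if line.startswith(" ") and lines:
                lines[-1] += line[1:]          # unfold continuation line
            elif line and not line.startswith("#"):
                lines.append(line)
        dn, attrs = None, []
        for line in lines:
            name, _, value = line.partition(":")
            if name.lower() == "dn":
                dn = value.strip()
            else:
                attrs.append((name, value.strip()))
        entries.append((dn, attrs))
    return entries


def norm(dn):
    # Case- and whitespace-insensitive key for comparing DNs (no escape handling).
    return re.sub(r"\s*,\s*", ",", dn.strip()).lower()


def domain_of(dn, base):
    # uid=bill-Airius.com, ou=Users, o=Airius.com, o=ISP  ->  Airius.com
    parts = [p.strip() for p in dn.split(",")]
    depth = len(base.split(","))
    return parts[-(depth + 1)].partition("=")[2]


def upgrade_user(dn, attrs, base):
    """Strip '-<domain>' from uid, rename nssearchfilter and ou; return new DN."""
    domain = domain_of(dn, base).lower()
    new_attrs, new_uid = [], None
    for name, value in attrs:
        key = name.lower()
        if key == "uid" and value.lower().endswith("-" + domain):
            value = value[:-(len(domain) + 1)]
            new_uid = value
        elif key == "nssearchfilter":
            name = "nsDADomain"
        elif key == "ou":
            name = "memberOf"
        new_attrs.append((name, value))
    if new_uid is None:
        return dn, new_attrs                      # uid had no domain suffix
    return f"uid={new_uid},{dn.partition(',')[2]}", new_attrs


def upgrade_tree(entries, base):
    """Rewrite every nsManagedPerson entry, then repoint DN-valued attributes."""
    dn_map, out = {}, []
    for dn, attrs in entries:
        classes = {v.lower() for n, v in attrs if n.lower() == "objectclass"}
        new_dn = dn
        if "nsmanagedperson" in classes:
            new_dn, attrs = upgrade_user(dn, attrs, base)
            if norm(new_dn) != norm(dn):
                dn_map[norm(dn)] = new_dn
        out.append((new_dn, attrs))
    keys = [norm(d) for d, _ in out]
    if len(set(keys)) != len(keys):
        raise ValueError("uid collision after stripping the domain suffix")
    return [(dn, [(n, dn_map.get(norm(v), v) if n.lower() in DN_VALUED else v)
                  for n, v in attrs]) for dn, attrs in out]


def emit_ldif(entries):
    return "\n\n".join("\n".join([f"dn: {dn}"] + [f"{n}: {v}" for n, v in attrs])
                       for dn, attrs in entries) + "\n"


SAMPLE = """\
dn: uid=bill-Airius.com, ou=Users, o=Airius.com, o=ISP
objectClass: top
objectClass: person
objectClass: nsManagedPerson
uid: bill-Airius.com
cn: Bill Example
ou: cn=Engineering, ou=Depts, o=Airius.com, o=ISP
nssearchfilter: Airius.com

dn: cn=Engineering, ou=Depts, o=Airius.com, o=ISP
objectClass: top
objectClass: groupOfUniqueNames
objectClass: nsManagedDept
cn: Engineering
uniqueMember: uid=bill-Airius.com, ou=Users, o=Airius.com, o=ISP
owner: uid=bill-Airius.com, ou=Users, o=Airius.com, o=ISP
"""  # constructed sample; the nssearchfilter value is a placeholder

if __name__ == "__main__":
    print(emit_ldif(upgrade_tree(parse_ldif(SAMPLE), BASE)))
```

Run it over a full export of the user tree rather than one domain at a time, so that references from groups in one domain to users in another are rewritten in the same pass.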



Importing New Configuration Information

Delegated Administrator 4.5 configuration information, which formerly existed on the file system, has been moved into the directory server. This allows other applications to access the configuration and leverage the DIT structure information. This arrangement also allows other applications to garner additional useful information on predefined search datatypes and other generic parameters from the configuration. Since this information was absent in the NDA4.11 DIT, it needs to be imported into the user tree.


To Import Configuration Changes

  1. Download the file config.zip from the download site: http://docs.iplanet.com/docs/manuals/deladmin.html.

  2. Change the base suffix from the default value of o=ISP to the appropriate suffix value in each of the LDIF files.

  3. Import the following LDIF files in the order in which they are listed:

    • config.ldif

    • main.ldif

    • op.ldif

    • macros.ldif

    • servlets.ldif

    For detailed information on importing LDIF files into the directory, see the documentation that comes with Netscape Directory Server.



Changing Container Names

In Delegated Administrator 4.11, the container for user entries was ou=Users; the container for group entries was ou=Depts. In version 4.5, the container for user entries is ou=People; the container for group entries is ou=Groups. Before you can use Delegated Administrator 4.5 with entries created under version 4.11, you must reconcile these differences (see Table B-1).

Table B-1    Container names

    Container type    Delegated Administrator 4.11    Delegated Administrator 4.5
    People            ou=Users                        ou=People
    Group             ou=Depts                        ou=Groups

You can do this using one of two methods. You can change the version 4.11 DIT to match the new container names in version 4.5; this is the recommended method. Or you can change the version 4.5 configuration to match the old container names in the version 4.11 DIT. Consider the size and complexity of your DIT in determining which method to use.


Step 1: Change the Version 4.11 Container Names

Because the directory does not allow a non-leaf entry's DN to be renamed in place, the people and groups containers, and everything beneath them, must be re-created and repopulated under the new names if you use this approach.

  1. Change the existing people container (ou=Users) to ou=People.

  2. Change the existing groups container (ou=Depts) to ou=Groups.


Step 2: Change the Version 4.5 Container Names

  1. Change the iDA 4.5 configuration entry for the people container object to use ou=Users.

  2. Change the iDA 4.5 configuration entry for the group container object to use ou=Depts.

    This must be done in servlets.ldif before importing it in the step above. The following changes need to be made:

    dn: cn=UsersOrgUnit, cn=objects, cn=servletsconf, cn=en, cn=domainConfiguration, ou=config, o=ISP
    objectclass: top
    objectclass: extensibleObject
    cn: UsersOrgUnit
    iDAobjectclass: top
    iDAobjectClass: organizationalUnit
    iDAobjectClass: nsManagedOrgUnit
    iDArequiredAttribute: ou
    iDArdnAttribute: ou
    iDAattribute: ou "People" "Users"
    iDAattribute: aci '(targetattr!="userPassword")
    (targetfilter=(objectClass=nsManagedPerson))
    (version 3.0; acl "User access to all users in domain";
    allow (read,search) userdn="ldap:///uid=*, ou=People, $DomainContainerDN$";)'
    iDAparentDN: $DomainContainerDN$
    dn: cn=DeptsOrgUnit, cn=objects, cn=servletsconf, cn=en, cn=domainConfiguration, ou=config, o=ISP
    objectclass: top
    objectclass: extensibleObject
    cn: DeptsOrgUnit
    iDAobjectclass: top
    iDAobjectClass: organizationalUnit
    iDAobjectClass: nsManagedOrgUnit
    iDArequiredAttribute: ou
    iDArdnAttribute: ou
    iDAattribute: ou "Groups" "Depts"
    iDAobjectToManage: DomainAdminGroup
    iDAobjectToManage: DomainHelpDeskAdminGroup
    iDAobjectToManage: DomainDeptAdminGroup
    iDAparentDN: $DomainContainerDN$

  3. In servlets.ldif and main.ldif, change occurrences of People to Users; change occurrences of Groups to Depts.

  4. In the ACIs at the Top level and at the Organization level, change all occurrences of People to Users; change all occurrences of Groups to Depts.



Initializing the Object Counters

Delegated Administrator keeps track of the number of objects in the user data tree, such as users, groups, organizations, and mailing lists. After manually making changes to the tree, including the steps above to make an existing tree manageable by Delegated Administrator, the object counters must be initialized. This task is typically performed only by Top-level Administrators.


To Initialize the Object Counters

  1. Login as a Top-level administrator and click the Configuration tab.

  2. Click the Initialize Counters button in the Initialize Counters section of the Configuration tab interface. The Initializing Counters window appears and completes the initialization task.

  3. When the task is complete, click Close. If for any reason you do not want to continue the initialization process, it may be interrupted by clicking the Stop or Stop and Close buttons at the bottom of the Initializing Counters window.


Copyright © 2000 Sun Microsystems, Inc. Some preexisting portions Copyright © 2000 Netscape Communications Corp. All rights reserved.

Last Updated May 24, 2001