Chapter 4 Managing Users and Groups
This chapter describes how to use the forms in the Administration Server Users and Groups tab. This chapter includes the following sections:
About Users and Groups
Creating Users
Managing Users
Creating Groups
Managing Groups
Creating Organizational Units
Managing Organizational Units
Managing a Preferred Language List
Guidelines for Creating User Entries
How to Create a New User Entry
Directory Server User Entries
If you enter a given name (or first name) and a surname, then the form automatically fills in the user's full name and user ID for you. The user ID is generated as the first initial of the user's first name followed by the user's last name. For example, if the user's name is Billie Holiday, then the user ID is automatically set to bholiday. You can replace this user ID with an ID of your own choosing if you wish.
The user ID must be unique. The Administration Server ensures that the user ID is unique by searching the entire directory from the search base (base DN) down to see if the user ID is in use. Be aware, however, that if you use the Directory Server ldapmodify command line utility (if available) to create a user, it does not ensure unique user IDs. If duplicate user IDs exist in your directory, the affected users will not be able to authenticate to the directory.
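The uniqueness check that ldapmodify skips can be run over an LDIF file before it is imported. The following is an added example, not code from the iPlanet documentation; the sample LDIF and all function names are constructed for illustration, and the parser assumes plain `attr: value` lines (no base64 values).

```python
from collections import defaultdict

# Constructed sample LDIF: the first two entries collide on uid (case-insensitive).
SAMPLE_LDIF = """\
dn: cn=Billie Holiday, ou=Marketing, o=Ace Industry, c=US
sn: Holiday
givenName: Billie
uid: bholiday

dn: cn=Bob Holiday, ou=Sales, o=Ace Industry, c=US
sn: Holiday
givenName: Bob
uid: BHoliday

dn: cn=Ella Fitzgerald, ou=Marketing, o=Ace Industry, c=US
sn: Fitzgerald
givenName: Ella
uid: efitzgerald
"""

def default_uid(given_name, surname):
    """User ID as the form generates it: first initial followed by the surname."""
    return (given_name[:1] + surname).lower()

def parse_ldif(text):
    """Yield one {attribute: [values]} dict per entry ('attr: value' lines only)."""
    for block in text.replace("\n ", "").split("\n\n"):   # unfold continuation lines
        entry = defaultdict(list)
        for line in block.splitlines():
            if ": " in line and not line.startswith("#"):
                attr, value = line.split(": ", 1)
                entry[attr.lower()].append(value.strip())
        if "dn" in entry:
            yield entry

def uid_index(text):
    """Map each uid, lower-cased, to the DNs of the entries that carry it."""
    index = defaultdict(list)
    for entry in parse_ldif(text):
        for uid in entry.get("uid", []):
            index[uid.lower()].append(entry["dn"][0])
    return dict(index)

def duplicate_uids(text):
    """uids that appear in more than one entry, with the DNs involved."""
    return {uid: dns for uid, dns in uid_index(text).items() if len(dns) > 1}
```

Looking up `default_uid("Bob", "Holiday")` in `uid_index(...)` before adding an entry shows whether the automatically generated ID is already taken.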
Note that the base DN specifies the distinguished name where directory lookups will occur by default, and where all iPlanet Web Administration Server's entries are placed in your directory tree. A "DN" is the string representation for the name of an entry in a directory server.
Note that at a minimum, you must specify the following user information when creating a new user entry:
surname or last name
If any organizational units have been defined for your directory, you can specify where you want the new user to be placed using the Add New User To list. The default location is your directory's base DN (or root point).
Access the Administration Server and choose the Users & Groups tab.
Click the New User link and add the associated information to the displayed page.
User entries use the inetOrgPerson, organizationalPerson, and person object classes.
By default, the distinguished name for users is of the form:
cn=full name, ou=organization, ...,o=base organization, c=country
For example, if a user entry for Billie Holiday is created within the organizational unit Marketing, and the directory's base DN is o=Ace Industry, c=US, then the person's DN is:
cn=Billie Holiday, ou=Marketing, o=Ace Industry, c=US
However, note that you can change this format to a uid-based distinguished name.
The values on the user form fields are stored as the following LDAP attributes (note that any stored information other than 'user' and 'group' requires a full Directory Server license):
The following fields are also available when editing the user entry:
Sometimes a user's name can be more accurately represented in characters of a language other than the default language. You can select a preferred language for users so that their names will display in the characters of that language, even when the default language is English. For more information regarding setting a user's preferred language, see The Manage Users Page.
Finding User Information
Editing User Information
Managing a User's Password
Managing User Licenses
Renaming Users
Removing Users
Click the Manage Users link.
In the Find User field, enter some descriptive value for the entry that you want to edit. You can enter any of the following in the search field:
A name. Enter a full name or a partial name. All entries that equally match the search string will be returned. If no such entries are found, all entries that contain the search string will be found. If no such entries are found, any entries that sound like the search string are found.
A user ID.
A telephone number. If you enter only a partial number, any entries that have telephone numbers ending in the search number will be returned.
An email address. Any search string containing an at (@) symbol is assumed to be an email address. If an exact match cannot be found, then a search is performed to find all email addresses that begin with the search string.
An asterisk (*) to see all of the entries currently in your directory. You can achieve the same effect by simply leaving the field blank.
Any LDAP search filter. Any string that contains an equal sign (=) is considered a search filter.
As an alternative, use the pull-down menus in the Find all users whose field to narrow the results of your search.
In the Look within field, select the organizational unit under which you want to search for entries. The default is the directory's root point (or top most entry).
In the Format field, choose either On-Screen or Printer.
Click Find. All the users in the selected organizational unit are displayed.
In the resulting table, click the name of the entry that you want to edit.
The user edit form is displayed. Change the displayed fields as desired and click Save Changes. The changes are made immediately.
The left-most pull-down list allows you to specify the attribute on which the search will be based, as shown in the following illustration:
Figure 4.1    Search Attribute
For a complete list of the available search attribute options, see "Search Attribute Options."
In the center pull-down list, select the type of search you want to perform, as shown in the following illustration:
Figure 4.2    Search Type
For a complete list of the available search type options, see "Search Type Options."
In the right-most text field, enter your search string:
Figure 4.3    Search String
Display the user entry as described in Finding User Information.
Edit the field corresponding to the attribute that you wish to change.
Managing a User's Password
The password you set for user entries is used by the various servers for user authentication.
Access the Administration Server and choose the Users & Groups tab.
Make the desired changes and click OK.
Click the Licenses link at the top of the User Edit form.
To rename a user entry, perform the following steps:
Note that if you are using common name-based DNs, specify the user's full name. If you are using uid-based distinguished names, enter the new uid value that you want to use for the entry.
Click the Rename User button.
Change the Given Name, Surname, Full Name, or UID fields as appropriate to match the new distinguished name for the entry.
You can specify that the Administration Server no longer retains the old full name or uid values when you rename the entry by setting the keepOldValueWhenRenaming parameter to false. You can find this parameter in the following file:
server_root/admin-serv/config/dsgw-orgperson.conf
Click Delete User.
ldap:///ou=Sales,o=Netscape??sub?(uid=*)
Static Groups
Dynamic Groups
Static groups can contain other static or dynamic groups.
You can optionally also add a description for the new group.
If any organizational units have been defined for your directory, you can specify where you want the new group to be placed using the Add New Group To list. The default location is your directory's root point, or top-most entry.
When you are finished entering the desired information, click Create Group to add the group and immediately return to the New Group form. Alternatively, click Create and Edit Group to add the group and then proceed to the Edit Group form for the group you have just added. For information on editing groups, see Editing Group Attributes.
Click the New Group link.
Enter the required information and click OK.
How iPlanet Web Server Implements Dynamic Groups
Groups Can Be Static and Dynamic
Dynamic Group Impact on Server Performance
Guidelines for Creating Dynamic Groups
To Create a Dynamic Group
ldap:///o=mcom.com??sub?(department=marketing)
Dynamic groups cannot contain other groups.
Enter the group's LDAP URL using the following format (without host and port info, since these parameters are ignored):
ldap:///<basedn>?<attributes>?<scope>?<(filter)>
The required parameters are described in the following table:
Note that the <attributes>, <scope>, and <(filter)> parameters are identified by their positions in the URL. If you do not want to specify any attributes, you still need to include the question marks delimiting that field.
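Because membership of a dynamic group is decided entirely by this URL, it is worth checking each one before saving it. The following is an added example, not code from the iPlanet documentation: it splits the URL by field position as described above and flags common mistakes. The function names are constructed, the scope keywords are those of the standard LDAP URL format, and requiring all four fields and comparing DNs by a simple comma split are assumptions of this sketch.

```python
import re
from urllib.parse import unquote

VALID_SCOPES = {"base", "one", "sub"}   # scope keywords of the standard LDAP URL format

def parse_group_url(url):
    """Split ldap:///<basedn>?<attributes>?<scope>?<(filter)> by field position."""
    if not url.lower().startswith("ldap://"):
        raise ValueError("not an ldap:// URL")
    hostport, slash, rest = url[len("ldap://"):].partition("/")
    if not slash:
        raise ValueError("missing '/' before the base DN")
    fields = rest.split("?")
    if len(fields) != 4:   # assumption: all four positional fields must be present
        raise ValueError("expected 4 '?'-delimited fields, got %d" % len(fields))
    basedn, attrs, scope, flt = (unquote(f) for f in fields)
    return {"hostport": hostport, "basedn": basedn,
            "attributes": [a for a in attrs.split(",") if a],
            "scope": scope.lower(), "filter": flt}

def _norm_dn(dn):
    """Lower-case and strip spaces around RDNs (naive: ignores escaped commas)."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def review_group_url(url, directory_base):
    """Return a list of findings; an empty list means nothing was flagged."""
    g = parse_group_url(url)
    flt, findings = g["filter"], []
    if g["hostport"]:
        findings.append("host/port %r is ignored" % g["hostport"])
    if g["scope"] not in VALID_SCOPES:
        findings.append("scope %r is not base, one or sub" % g["scope"])
    if not (flt.startswith("(") and flt.endswith(")")) or flt.count("(") != flt.count(")"):
        findings.append("filter is not a balanced, parenthesized expression")
    if not ("," + _norm_dn(g["basedn"])).endswith("," + _norm_dn(directory_base)):
        findings.append("base DN is outside %r" % directory_base)
    if re.fullmatch(r"\(\s*[\w;.-]+\s*=\s*\*\s*\)", flt):
        findings.append("presence-only filter: every entry holding the attribute is a member")
    return findings
```

A URL that drops one of the question marks, such as `ldap:///o=mcom.com?sub?(department=marketing)`, is rejected by `parse_group_url` because the remaining fields would shift position.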
Select Dynamic Group from the Type of Group dropdown list.
Finding Group Entries
Editing Group Attributes
Adding Group Members
Adding Groups to the Group Members List
Removing Entries from the Group Members List
Managing Owners
Managing See Alsos
Removing Groups
Renaming Groups
Click the Manage Groups link.
Enter the name of the group that you want to find in the Find Group field. You can enter any of the following values in the search field:
A name. Enter a full name or a partial name. All entries that equally match the search string are returned. If no such entries are found, all entries that contain the search string will be found. If no such entries are found, any entries that sound like the search string are found.
An asterisk (*) to see all of the groups currently residing in your directory. You can achieve the same effect by simply leaving the field blank.
Any LDAP search filter. Any string that contains an equal sign (=) is considered to be a search filter.
As an alternative, use the pull-down menus in the Find all groups whose field to narrow the results of your search.
In the Look within field, select the organizational unit under which you want to search for entries. The default is the directory's root point, or top-most entry.
Click Find. All the groups matching your search criteria are displayed.
Locate the group you want to edit, and type the desired changes.
For more information regarding how to find specific entries, refer to the concepts outlined in Finding Group Entries.
Adding Group Members
To add members to a group, perform the following steps:
Locate the group you want to manage as described in Finding Group Entries, and click the Edit button under Group Members.
iPlanet Web Server displays a new form that enables you to search for entries. If you want to add user entries to the list, make sure Users is shown in the Find pull-down menu. If you want to add group entries to the group, make sure Group is shown.
In the right-most text field, enter a search string. Enter any of the following options:
A name. Enter a full name or a partial name. All entries whose name matches the search string are returned. If no such entries are found, all entries that contain the search string are found. If no such entries are found, any entries that sound like the search string are found.
A user ID if you are searching for user entries.
A telephone number. If you enter only a partial number, any entries that have telephone numbers ending in the search number are returned.
An email address. Any search string containing an at (@) symbol is assumed to be an email address. If an exact match cannot be found, then a search is performed to find all email addresses that begin with the search string.
Enter either an asterisk (*) or simply leave this text field blank to see all of the entries or groups currently residing in your directory.
Click Find and Add to find all the matching entries and add them to the group.
If the search returns any entries that you do not want to add to the group, click the box in the Remove from list? column. You can also construct a search filter to match the entries you want removed and then click Find and Remove.
When the list of group members is complete, click Save Changes. The currently displayed entries are now members of the group.
Click the Manage Groups link, locate the group you want to manage as described in Finding Group Entries, and click the Edit button under Group Members.
For each member that you want to remove from the list, click the corresponding box under the Remove from list? column.
Alternatively, you can construct a filter to find the entries you want to remove and click the Find and Remove button. For more information on creating a search filter, see Adding Group Members.
Click Save Changes. The entries are deleted from the group members list.
Click the Manage Groups link, locate the group you want to manage as described in Finding Group Entries, and click Delete Group.
Click the Manage Groups link and locate the group you want to manage as described in Finding Group Entries.
Click the Rename Group button and type the new group name in the resulting dialog box.
organizational units for Marketing and Product Management
a group named Online Sales under the Marketing organizational unit
Click the New Organizational Unit link and enter the required information.
New organizational units are created using the organizationalUnit object class.
The distinguished name for new organizational units is of the form:
ou=new organization, ou=parent organization, ...,o=base organization, c=country
ou=Accounting, ou=West Coast, o=Ace Industry, c=US
Finding Organizational Units
Editing Organizational Unit Attributes
Renaming Organizational Units
Deleting Organizational Units
Click the Manage Organizational Units link.
Type the name of the unit you want to find in the Find organizational unit field. You can enter any of the following in the search field:
An asterisk (*) to see all of the groups currently residing in your directory. You can achieve this same result by simply leaving the field blank.
As an alternative, use the pull-down menus in the Find all units whose field to narrow the results of your search.
In the Look within field, select the organizational unit under which you want to search for entries. The default is the root point of the directory.
Click Find. All the organizational units matching your search criteria are displayed.
In the resulting table, click the name of the organizational unit that you want to find.
Locate the organizational unit you want to edit as described in Finding Organizational Units.
The organizational unit edit form is displayed. Change the displayed fields as desired and click Save Changes. The changes are made immediately.
Renaming Organizational Units
To rename an organizational unit entry, access the Administration Server and perform the following steps:
Make sure no other entries exist in the directory under the organizational unit that you want to rename.
Click the Rename button.
Enter the new organizational unit name in the resulting dialog box.
Deleting Organizational Units
To delete an organizational unit entry, access the Administration Server and perform the following steps:
Locate the organizational unit you want to delete as described in Finding Organizational Units.
Click the Delete button.
Click OK in the resulting confirmation box. The organizational unit is immediately deleted.
Click the Manage Preferred Language List link.
In the Display Language Selection List field, click Yes or No to specify whether iPlanet Web Server displays the Language Selection List.
In the Languages in the Selection List field, click the Add to List checkbox to add each language you want specified as part of the Preferred Language List.
Click the default value for the language you want to specify as the default language in the Preferred Language List.
Click Save Changes.