iPlanet Web Server: FastTrack Edition Administrator's Guide



Chapter 4   Managing Users and Groups


This chapter describes how to use the forms in the Administration Server Users and Groups tab.

This chapter includes the following sections:

  • About Users and Groups

  • Creating Users

  • Managing Users

  • Creating Groups

  • Managing Groups

  • Creating Organizational Units

  • Managing Organizational Units

  • Managing a Preferred Language List



About Users and Groups

The Administration Server provides you access to your application data about user accounts, group lists, access privileges, organization units, and other user/group-specific information. You can use the Administration Server to create, locate, and manage records for users and groups within your iPlanet Web Servers.

iPlanet Web Server 4.x does not support local LDAP. In order to add users and groups, you must have a directory server installed, such as Netscape Directory Server. If you need to create, locate, or manage records for users and groups on any other servers within your network, you should use Netscape Console with your Directory Server. For more information, see Managing Servers with Netscape Console.


Warning (NT)
You cannot install Netscape Directory Server 4.0 and iPlanet Web Server 4.x on the same Windows NT machine because of system library conflicts. Install Directory Server on a separate machine and use the Administration Server's Global Settings tab to configure iPlanet Web Server to use that Directory Server.

The Users and Groups tab of the Administration Server enables you to create or modify users, groups, and organizational units. Each user and group in your enterprise is represented by a Distinguished Name (DN) attribute. A DN attribute is a text string that contains identifying information for an associated user, group, or object. You use DNs whenever you make changes to a user or group directory entry. For more information regarding distinguished name syntax and frequently used attributes, see Managing Servers with Netscape Console.

Note that if you do not currently have a directory, or if you want to add a new subtree to an existing directory, you can use the Directory Server's Administration Server LDIF import function. This function accepts a file containing LDIF and attempts to build a directory or a new subtree from the LDIF entries. You can also export your current directory to LDIF using the Directory Server's LDIF export function. This function creates an LDIF-formatted file that represents your directory. For more information, see your Directory Server documentation.



Creating Users



Use the Users and Groups tab of the Administration Server to create or modify user entries. A user entry contains information about an individual person or object in the database.

This section includes the following topics:

  • Guidelines for Creating User Entries

  • How to Create a New User Entry

  • Directory Server User Entries


Guidelines for Creating User Entries

Consider the following guidelines when using the administrator forms to create new user entries:

  • If you enter a given name (or first name) and a surname, then the form automatically fills in the user's full name and user ID for you. The user ID is generated as the first initial of the user's first name followed by the user's last name. For example, if the user's name is Billie Holiday, then the user ID is automatically set to bholiday. You can replace this user ID with an ID of your own choosing if you wish.

  • The user ID must be unique. The Administration Server ensures that the user ID is unique by searching the entire directory from the search base (base DN) down to see if the user ID is in use. Be aware, however, that if you use the Directory Server ldapmodify command line utility (if available) to create a user, that it does not ensure unique user IDs. If duplicate user IDs exist in your directory, the affected users will not be able to authenticate to the directory.

  • Note that the base DN specifies the distinguished name where directory lookups will occur by default, and where all iPlanet Web Administration Server's entries are placed in your directory tree. A "DN" is the string representation for the name of an entry in a directory server.

  • Note that at a minimum, you must specify the following user information when creating a new user entry:

    • surname or last name

    • full name

    • user ID

  • If any organizational units have been defined for your directory, you can specify where you want the new user to be placed using the Add New User To list. The default location is your directory's base DN (or root point).



    Note The user edit text fields for international information differ between the Administration Server and Netscape Console. In Netscape Console, in addition to the untagged cn fields, there is a preferred language cn field that does not exist in the Administration Server.
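The two guidelines above that matter most to an administrator are the automatic user ID (first initial plus surname) and the fact that only the form checks the ID for uniqueness; entries created with ldapmodify can silently collide. The following is an added example, not code from the guide or from iPlanet: it derives the form's default user ID and audits an LDIF export for duplicate uid values. The LDIF and the names are constructed for the example, the parser is a minimal reader rather than a full RFC 2849 implementation, and no directory is contacted.

```python
"""Added example: derive the New User form's default user ID and audit an
LDIF export for duplicate uid values.

The Administration Server generates the user ID as first initial + surname
and checks that it is unique before creating the entry; ldapmodify performs
no such check, and duplicate uids stop the affected users from authenticating.
The LDIF below is constructed for the example.
"""
import base64
from collections import defaultdict


def default_user_id(given_name: str, surname: str) -> str:
    """First initial of the given name followed by the surname (Billie Holiday -> bholiday).

    Lower-casing and dropping spaces inside the surname are assumptions; the
    guide shows only the one example.
    """
    given = given_name.strip()
    last = "".join(surname.split())
    if not given or not last:
        raise ValueError("given name and surname are both required")
    return (given[0] + last).lower()


def _unfold(text: str) -> list:
    """Join LDIF continuation lines (a leading space) onto the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text: str) -> list:
    """Read blank-line separated records of 'attr: value' (or 'attr:: base64') lines."""
    entries, current = [], {}
    for line in _unfold(text) + [""]:
        if line.startswith("#"):
            continue
        if line == "":
            if current:
                entries.append(current)
            current = {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(attr, []).append(value)
    return entries


def find_duplicate_uids(entries: list) -> dict:
    """Map each uid held by more than one entry to the DNs that hold it.

    uid uses the caseIgnoreMatch equality rule in the standard schema, so
    'BHoliday' and 'bholiday' collide; the audit folds case for that reason.
    """
    holders = defaultdict(list)
    for entry in entries:
        for uid in entry.get("uid", []):
            holders[uid.lower()].append(entry["dn"][0])
    return {uid: dns for uid, dns in holders.items() if len(dns) > 1}


# Constructed LDIF: the second entry was added with ldapmodify, which did not
# notice that the form-style user ID for Bob Holiday is already taken.
SAMPLE_LDIF = """\
dn: cn=Billie Holiday, ou=Marketing, o=Ace Industry, c=US
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
givenName: Billie
sn: Holiday
cn: Billie Holiday
uid: bholiday
mail: bholiday@example.com

dn: cn=Bob Holiday, ou=Accounting, o=Ace Industry, c=US
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
givenName: Bob
sn: Holiday
cn: Bob Holiday
uid: BHoliday
mail: bob.holiday@example.com

dn: cn=Miles Davis, ou=Marketing, o=Ace Industry, c=US
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
givenName: Miles
sn: Davis
cn: Miles Davis
uid: mdavis
"""

if __name__ == "__main__":
    for uid, dns in find_duplicate_uids(parse_ldif(SAMPLE_LDIF)).items():
        print(f"duplicate uid {uid!r}:")
        for dn in dns:
            print("   ", dn)
```

Run against a real export (ldapsearch output saved to a file) the same audit reports every uid that the directory holds more than once, which is the condition the guideline warns will break authentication for the affected users.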




How to Create a New User Entry

To create a user entry, read the guidelines outlined in Guidelines for Creating User Entries and then perform the following steps:

  1. Access the Administration Server and choose the Users & Groups tab.

  2. Click the New User link and add the associated information to the displayed page.

For more information, see The New User Page. For information on editing users, see Managing Users.


Directory Server User Entries

The following user entry notes may be of interest to the directory administrator:

  • User entries use the inetOrgPerson, organizationalPerson, and person object classes.

  • By default, the distinguished name for users is of the form:

    cn=full name, ou=organization, ...,o=base organization, c=country

    For example, if a user entry for Billie Holiday is created within the organizational unit Marketing, and the directory's base DN is o=Ace Industry, c=US, then the person's DN is:

    cn=Billie Holiday, ou=Marketing, o=Ace Industry, c=US

    However, note that you can change this format to a uid-based distinguished name.

  • The values on the user form fields are stored as the following LDAP attributes (note that any stored information other than 'user' and 'group' requires a full Directory Server license):


    Table 4-1 LDAP Attributes

    User Field       Corresponding LDAP Attribute
    Given Name       givenName
    Surname          sn
    Full Name        cn
    User ID          uid
    Password         userPassword
    Email Address    mail

    The following fields are also available when editing the user entry:


    Table 4-2 User Entry LDAP Attributes

    User Field       Corresponding LDAP Attribute
    Title            title
    Telephone        telephoneNumber

  • Sometimes a user's name can be more accurately represented in the characters of a language other than the default language. You can select a preferred language for users so that their names display in the characters of that language, even when the default language is English. For more information regarding setting a user's preferred language, see The Manage Users Page.
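The DN format and the field-to-attribute mapping above are what the New User form produces. The following is an added example, not code from the guide or from iPlanet: it builds the entry from the form's fields using the attribute names in Tables 4-1 and 4-2, and forms the DN either in the default cn-based shape or in the uid-based alternative the guide mentions. Every value placed in the DN is escaped per RFC 4514, so a full name such as "Holiday, Jr., Billie" becomes one RDN rather than extra DN components. The base DN, organizational unit, names and the keys of the form dictionary are this example's own assumptions.

```python
"""Added example: map New User form fields to an LDAP entry (Tables 4-1 and
4-2) and build the entry's DN with proper escaping.
"""
import base64

FORM_TO_LDAP = {  # field names are this example's; attributes are the guide's
    "given_name": "givenName",
    "surname": "sn",
    "full_name": "cn",
    "user_id": "uid",
    "password": "userPassword",
    "email": "mail",
    "title": "title",
    "telephone": "telephoneNumber",
}
OBJECT_CLASSES = ("person", "organizationalPerson", "inetOrgPerson")
REQUIRED_FIELDS = ("surname", "full_name", "user_id")  # the guide's minimum
_DN_SPECIAL = set(',+"\\<>;')


def escape_rdn_value(value: str) -> str:
    """Escape an attribute value for use inside a DN (RFC 4514 section 2.4)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL:
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        elif (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def user_dn(form, base_dn, ou=None, uid_based=False):
    """cn=<full name>, ou=<unit>, <base DN> by default; uid=<user ID>, ... if uid_based."""
    if uid_based:
        rdn = "uid=" + escape_rdn_value(form["user_id"])
    else:
        rdn = "cn=" + escape_rdn_value(form["full_name"])
    parts = [rdn]
    if ou:
        parts.append("ou=" + escape_rdn_value(ou))
    parts.append(base_dn)
    return ", ".join(parts)


def user_entry(form, base_dn, ou=None, uid_based=False):
    """Return (dn, attributes); surname, full name and user ID are mandatory."""
    missing = [f for f in REQUIRED_FIELDS if not form.get(f)]
    if missing:
        raise ValueError("required field(s) missing: " + ", ".join(missing))
    attrs = {"objectClass": list(OBJECT_CLASSES)}
    for field, attr in FORM_TO_LDAP.items():
        if form.get(field):
            attrs[attr] = [form[field]]
    return user_dn(form, base_dn, ou, uid_based), attrs


def to_ldif(dn, attrs):
    """Serialize the entry as LDIF; values LDIF cannot carry literally are base64-encoded."""
    lines = ["dn: " + dn]
    for attr, values in attrs.items():
        for v in values:
            safe = (v.isascii() and v.isprintable()
                    and not v.startswith((" ", ":", "<")) and not v.endswith(" "))
            encoded = base64.b64encode(v.encode("utf-8")).decode("ascii")
            lines.append(f"{attr}: {v}" if safe else f"{attr}:: {encoded}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed form input; the Password field is left out of the sample.
    form = {"given_name": "Billie", "surname": "Holiday", "full_name": "Billie Holiday",
            "user_id": "bholiday", "email": "bholiday@example.com"}
    dn, attrs = user_entry(form, "o=Ace Industry, c=US", ou="Marketing")
    print(to_ldif(dn, attrs))
    print(user_dn(form, "o=Ace Industry, c=US", ou="Marketing", uid_based=True))
```

The escaping matters whenever the DN is built from data a person typed: without it a full name containing a comma would be split into additional RDNs and the entry would land somewhere other than the intended organizational unit.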



Managing Users

You edit user attributes from the Administration Server Manage Users form. From this form you can find, change, rename, and delete user entries; manage user licenses; and potentially change product-specific information.

Some, but not all, Netscape/iPlanet servers add additional forms to this area that allow you to manage product-specific information. For example, if a messaging server is installed under your Administration Server, then an additional form is added that allows you to edit messaging server-specific information. See the server documentation for details on these additional management capabilities.

This section includes the following topics:

  • Finding User Information

  • Building Custom Search Queries

  • Editing User Information

  • Managing a User's Password

  • Managing User Licenses

  • Renaming Users

  • Removing Users


Finding User Information

Before you can edit a user entry, you must display the associated information. To find the specific user information, perform the following steps:

  1. Access the Administration Server and choose the Users & Groups tab.

  2. Click the Manage Users link.

  3. In the Find User field, enter some descriptive value for the entry that you want to edit. You can enter any of the following in the search field:

    • A name. Enter a full name or a partial name. All entries that exactly match the search string are returned. If none are found, all entries that contain the search string are returned. If none are found, any entries that sound like the search string are returned.

    • A user ID.

    • A telephone number. If you enter only a partial number, any entries that have telephone numbers ending in the search number will be returned.

    • An email address. Any search string containing an at (@) symbol is assumed to be an email address. If an exact match cannot be found, then a search is performed to find all email addresses that begin with the search string.

    • An asterisk (*) to see all of the entries currently in your directory. You can achieve the same effect by simply leaving the field blank.

    • Any LDAP search filter. Any string that contains an equal sign (=) is considered a search filter.

    As an alternative, use the pull-down menus in the Find all users whose field to narrow the results of your search.

  4. In the Look within field, select the organizational unit under which you want to search for entries. The default is the directory's root point (or top most entry).

  5. In the Format field, choose either On-Screen or Printer.

  6. Click Find. All the users in the selected organizational unit are displayed.

  7. In the resulting table, click the name of the entry that you want to edit.

  8. The user edit form is displayed. Change the displayed fields as desired and click Save Changes. The changes are made immediately.


Building Custom Search Queries

The Find all users whose field allows you to build a custom search filter. Use this field to narrow down the search results returned by a "Find user" search.

The Find all users whose field provides the following search criteria:

  • The left-most pull-down list allows you to specify the attribute on which the search will be based, as shown in the following illustration:

Figure 4-1    Search Attribute


For a complete list of the available search attribute options, see "Search Attribute Options."

  • In the center pull-down list, select the type of search you want to perform, as shown in the following illustration:

Figure 4-2    Search Type


For a complete list of the available search type options, see "Search Type Options."

  • In the right-most text field, enter your search string:

Figure 4-3    Search String


To display all of the user entries contained in the Look Within directory, enter either an asterisk (*) or simply leave this text field blank.


Search Attribute Options

The available search attribute options are described in the following table:


Table 4-3 Search Attribute Options

Option Name      Description
full name        Search each entry's full name for a match.
last name        Search each entry's last name, or surname, for a match.
user id          Search each entry's user ID for a match.
phone number     Search each entry's phone number for a match.
email address    Search each entry's email address for a match.
unit name        Search each entry's name for a match.
description      Search each organizational unit entry's description for a match.


Search Type Options

The available search type options are described in the following table:


Table 4-4 Search Type Options

Option Name    Description

contains       Causes a substring search to be performed. Entries with attribute values containing the specified search string are returned. For example, if you know a user's name probably contains the word "Dylan," use this option with the search string "Dylan" to find the user's entry.

is             Causes an exact match to be found. That is, this option specifies an equality search. Use this option when you know the exact value of a user's attribute. For example, if you know the exact spelling of the user's name, use this option.

isn't          Returns all the entries whose attribute value does not exactly match the search string. That is, if you want to find all the users in the directory whose name is not "John Smith," use this option. Be aware, however, that use of this option can cause an extremely large number of entries to be returned to you.

sounds like    Causes an approximate, or phonetic, search to be performed. Use this option if you know an attribute's value, but you are unsure of the spelling. For example, if you are not sure if a user's name is spelled "Sarret," "Sarette," or "Sarett," use this option.

starts with    Causes a substring search to be performed. Returns all the entries whose attribute value starts with the specified search string. For example, if you know a user's name starts with "Miles," but you do not know the rest of the name, use this option.

ends with      Causes a substring search to be performed. Returns all the entries whose attribute value ends with the specified search string. For example, if you know a user's name ends with "Dimaggio," but you do not know the rest of the name, use this option.


Editing User Information

To change a user's entry, perform the following steps:

  1. Access the Administration Server and choose the Users & Groups tab.

  2. Display the user entry as described in Finding User Information.

  3. Edit the field corresponding to the attribute that you wish to change.

    For more information, see The Edit Users Page.


    Note It is possible that you will want to change an attribute value that is not displayed by the edit user form. In this situation, use the Directory Server ldapmodify command line utility, if available.



In addition, note that you can change the user's first, last, and full name field from this form, but to fully rename the entry (including the entry's distinguished name), you need to use the Rename User form. For more information on how to rename an entry, see Renaming Users.


Managing a User's Password

The password you set for user entries is used by the various servers for user authentication.

To change or create a user's password, perform the following steps:

  1. Access the Administration Server and choose Users & Groups tab.

  2. Display the user entry as described in Finding User Information.

  3. Make the desired changes and click OK.

For more information, see The Manage Users Page.



Note You can change the Administration Server user from root to another user on the operating system to enable multiple users (belonging to the group) to edit/manage the configuration files. However, note that while on Unix/Linux platforms, the installer can give "rw" permissions to a group for the configuration files, on Windows NT platforms, the user must belong to the "Administrators" group.



You can also disable the user's password by clicking the Disable Password button. Doing this prevents the user from logging into a server without deleting the user's directory entry. You can allow access for the user again by using the Password Management Form to enter a new password.


Managing User Licenses

Administration Server enables you to track which iPlanet server products your users are licensed to use.

To manage the licenses available to the user, perform the following steps:

  1. Access the Administration Server and choose the Users & Groups tab.

  2. Display the user entry as described in Finding User Information.

  3. Click the Licenses link at the top of the User Edit form.

  4. Make the desired changes and click OK.

For more information, see The Manage Users Page.


Renaming Users

The rename feature changes only the user's name; all other fields are left intact. In addition, the user's old name is still preserved so searches against the old name will still find the new entry.

When you rename a user entry, you can only change the user's name; you cannot use the rename feature to move the entry from one organizational unit to another. For example, suppose you have organizational units for Marketing and Accounting and an entry named "Billie Holiday" under the Marketing organizational unit. You can rename the entry from Billie Holiday to Doc Holiday, but you cannot rename the entry such that Billie Holiday under the Marketing organizational unit becomes Billie Holiday under the Accounting organizational unit.

To rename a user entry, perform the following steps:

  1. Access the Administration Server and choose the Users & Groups tab.

  2. Display the user entry as described in Finding User Information.

    Note that if you are using common name-based DNs, specify the user's full name. If you are using uid-based distinguished names, enter the new uid value that you want to use for the entry.

  3. Click the Rename User button.

  4. Change the Given Name, Surname, Full Name, or UID fields as is appropriate to match the new distinguished name for the entry.

  5. You can specify that the Administration Server no longer retains the old full name or uid values when you rename the entry by setting the keepOldValueWhenRenaming parameter to false. You can find this parameter in the following file:

    server_root/admin-serv/config/dsgw-orgperson.conf

For more information, see The Manage Users Page.


Removing Users

To delete a user entry, perform the following steps:

  1. Access the Administration Server and choose the Users & Groups tab.

  2. Display the user entry as described in Finding User Information.

  3. Click Delete User.

For more information, see The Manage Users Page.



Creating Groups



A group is an object that describes a set of objects in an LDAP database. An iPlanet Web Server group consists of users who share a common attribute. Static groups enumerate their member objects explicitly. A static group is identified by its CN and contains uniqueMember, memberURL, and/or memberCertDescription attributes. For static groups, the members do not share a common attribute except for the CN=<Groupname> attribute.

For static groups, members can share a common attribute from a certificate if you use the memberCertDescription. Note that these will only work if the ACL uses the SSL method.

Once you create a new group, you can add users, or members, to it.

This section includes the following topics for creating groups:

  • Static Groups

  • Guidelines for Creating Static Groups

  • To Create a Static Group


Static Groups

The Administration Server enables you to create a static group by specifying the same group attribute in the DNs of any number of users. A static group doesn't change unless you add a user to it or delete a user from it.


Guidelines for Creating Static Groups

Consider the following guidelines when using the Administration Server forms to create new static groups:

  • Static groups can contain other static groups.

  • You can optionally also add a description for the new group.

  • If any organizational units have been defined for your directory, you can specify where you want the new group to be placed using the Add New Group To list. The default location is your directory's root point, or top-most entry.

  • When you are finished entering the desired information, click Create Group to add the group and immediately return to the New Group form. Alternatively, click Create and Edit Group to add the group and then proceed to the Edit Group form for the group you have just added. For information on editing groups, see Editing Group Attributes.


To Create a Static Group

To create a static group entry, perform the following steps:

  1. Access the Administration Server and choose the Users & Groups tab.

  2. Click the New Group link.

  3. Enter the required information and click OK.

For more information, see The New Group Page.



Managing Groups



The Administration Server enables you to edit groups and manage group memberships from the Manage Group form. This section describes the following topics:

  • Finding Group Entries

  • The "Find all groups whose" Field

  • Editing Group Attributes

  • Adding Group Members

  • Adding Groups to the Group Members List

  • Removing Entries from the Group Members List

  • Managing Owners

  • Managing See Alsos

  • Removing Groups

  • Renaming Groups


Finding Group Entries

Before you can edit a group entry, you must display the entry.

To find a group entry, perform the following steps:

  1. Access the Administration Server and choose the Users & Groups tab.

  2. Click the Manage Groups link.

  3. Enter the name of the group that you want to find in the Find Group field. You can enter any of the following values in the search field:

    • A name. Enter a full name or a partial name. All entries that exactly match the search string are returned. If none are found, all entries that contain the search string are returned. If none are found, any entries that sound like the search string are returned.

    • An asterisk (*) to see all of the groups currently residing in your directory. You can achieve the same effect by simply leaving the field blank.

    • Any LDAP search filter. Any string that contains an equal sign (=) is considered to be a search filter.

    As an alternative, use the pull-down menus in Find all groups whose to narrow the results of your search.

  4. In the Look within field, select the organizational unit under which you want to search for entries. The default is the directory's root point, or top-most entry.

  5. In the Format field, choose either On-Screen or Printer.

  6. Click Find. All the groups matching your search criteria are displayed.

  7. In the resulting table, click the name of the entry that you want to edit.


The "Find all groups whose" Field

The Find all groups whose field allows you to build a custom search filter. Use this field to narrow down the search results that are otherwise returned by Find groups. For more information regarding how to build a custom search filter, see Building Custom Search Queries.

To display all of the group entries contained in the Look Within directory, enter either an asterisk (*) or simply leave this text field blank.


Editing Group Attributes

To edit a group entry, perform the following steps:

  1. Access the Administration Server and choose the Users & Groups tab.

  2. Click the Manage Groups link.

  3. Locate the group you want to edit, and type the desired changes.

    For more information regarding how to find specific entries, refer to the concepts outlined in Finding Group Entries.



    Note You can change the Administration Server user from root to another user on the operating system to enable multiple users (belonging to the group) to edit/manage the configuration files. However, note that while on Unix/Linux platforms, the installer can give "rw" permissions to a group for the configuration files, on Windows NT platforms, the user must belong to the "Administrators" group.



For more information about editing group attributes, see The Manage Groups Page.



Note

It is possible that you will want to change an attribute value that is not displayed by the group edit form. In this situation, use the Directory Server ldapmodify command line utility, if available.




Adding Group Members

To add members to a group, perform the following steps:

  1. Access the Administration Server and choose the Users & Groups tab.

  2. Click the Manage Groups link.

  3. Locate the group you want to manage as described in Finding Group Entries, and click the Edit button under Group Members.

    iPlanet Web Server displays a new form that enables you to search for entries. If you want to add user entries to the list, make sure Users is shown in the Find pull-down menu. If you want to add group entries to the group, make sure Group is shown.

  4. In the right-most text field, enter a search string. Enter any of the following options:

    • A name. Enter a full name or a partial name. All entries whose name matches the search string are returned. If none are found, all entries that contain the search string are returned. If none are found, any entries that sound like the search string are returned.

    • A user ID if you are searching for user entries.

    • A telephone number. If you enter only a partial number, any entries that have telephone numbers ending in the search number are returned.

    • An email address. Any search string containing an at (@) symbol is assumed to be an email address. If an exact match cannot be found, then a search is performed to find all email addresses that begin with the search string.

    • Enter either an asterisk (*) or simply leave this text field blank to see all of the entries or groups currently residing in your directory.

    • Any LDAP search filter. Any string that contains an equal sign (=) is considered to be a search filter.

  5. Click Find and Add to find all the matching entries and add them to the group.

    If the search returns any entries that you do not want to add to the group, click the box in the Remove from list? column. You can also construct a search filter to match the entries you want removed and then click Find and Remove.

  6. When the list of group members is complete, click Save Changes. The currently displayed entries are now members of the group.

For more information about adding groups members, see The Edit Members Page.


Adding Groups to the Group Members List

You can add groups (instead of individual members) to the group's members list. Doing so causes any users belonging to the included group to become a member of the receiving group. For example, if Neil Armstrong is a member of the Engineering Managers group, and you make the Engineering Managers group a member of the Engineering Personnel group, then Neil Armstrong is also a member of the Engineering Personnel group.

To add a group to the members list of another group, add the group as if it were a user entry. For more information, see Adding Group Members.
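Because a group's uniqueMember list may name other groups (see Guidelines for Creating Static Groups and the Engineering Managers example above), the effective membership of a group is the transitive closure of those references, and two groups can end up including each other. The following is an added example, not code from the guide or from iPlanet: it resolves effective membership over a constructed in-memory stand-in for the directory, following only uniqueMember values (memberURL and memberCertDescription are not evaluated), and expands each group once so a circular inclusion cannot loop. The DN-normalization used for comparison is a simplification made for the example.

```python
"""Added example: resolve the effective members of a static group whose
uniqueMember values include other groups, with cycle protection.
"""

GROUP_CLASSES = {"groupofuniquenames", "groupofnames"}


def _norm(dn: str) -> str:
    """Comparison key for a DN: case-folded, spaces around commas removed.

    Real DN matching is per attribute syntax; this is enough for the
    constructed entries here.
    """
    return ",".join(part.strip().lower() for part in dn.split(","))


def _is_group(entry: dict) -> bool:
    return any(c.lower() in GROUP_CLASSES for c in entry.get("objectClass", []))


def build_directory(entries: list) -> dict:
    """Index constructed entries by normalized DN."""
    return {_norm(e["dn"]): e for e in entries}


def effective_members(group_dn: str, directory: dict) -> list:
    """All non-group DNs reachable from group_dn through uniqueMember, each once."""
    expanded = set()
    members = {}
    stack = [_norm(group_dn)]
    while stack:
        key = stack.pop()
        if key in expanded:
            continue  # already expanded: a repeated or circular inclusion
        expanded.add(key)
        for member in directory.get(key, {}).get("uniqueMember", []):
            mkey = _norm(member)
            entry = directory.get(mkey)
            if entry is not None and _is_group(entry):
                stack.append(mkey)
            else:
                # A DN with no entry is still listed as a member by value,
                # so it is reported rather than silently dropped.
                members.setdefault(mkey, member.strip())
    return sorted(members.values())


def is_member(user_dn: str, group_dn: str, directory: dict) -> bool:
    return _norm(user_dn) in {_norm(m) for m in effective_members(group_dn, directory)}


# Constructed entries modelled on the guide's Engineering example.
BASE = "o=Ace Industry, c=US"
NEIL = f"cn=Neil Armstrong, ou=Engineering, {BASE}"
BUZZ = f"cn=Buzz Aldrin, ou=Engineering, {BASE}"
MANAGERS = f"cn=Engineering Managers, {BASE}"
PERSONNEL = f"cn=Engineering Personnel, {BASE}"
ALL_STAFF = f"cn=All Staff, {BASE}"

DIRECTORY = build_directory([
    {"dn": NEIL, "objectClass": ["person", "inetOrgPerson"]},
    {"dn": BUZZ, "objectClass": ["person", "inetOrgPerson"]},
    {"dn": MANAGERS, "objectClass": ["groupOfUniqueNames"], "uniqueMember": [NEIL]},
    {"dn": PERSONNEL, "objectClass": ["groupOfUniqueNames"],
     "uniqueMember": [BUZZ, MANAGERS, ALL_STAFF]},
    # All Staff includes Engineering Personnel, which includes All Staff: a cycle.
    {"dn": ALL_STAFF, "objectClass": ["groupOfUniqueNames"], "uniqueMember": [PERSONNEL]},
])

if __name__ == "__main__":
    for dn in effective_members(PERSONNEL, DIRECTORY):
        print(dn)
```

Resolving membership this way is what an access-control review needs: the Manage Groups form shows only the direct uniqueMember list, while the users who actually inherit the group's privileges are the ones the expansion returns.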


Removing Entries from the Group Members List

To delete an entry from the group members list, perform the following steps:

  1. Access the Administration Server and choose the Users & Groups tab.

  2. Click the Manage Groups link, locate the group you want to manage as described in Finding Group Entries, and click the Edit button under Group Members.

  3. For each member that you want to remove from the list, click the corresponding box under the Remove from list? column.

    Alternatively, you can construct a filter to find the entries you want to remove and click the Find and Remove button. For more information on creating a search filter, see Adding Group Members.

  4. Click Save Changes. The entries are deleted from the group members list.


Managing Owners

You manage a group's owners list the same way as you manage the group members list. The following table identifies which section to read for more information:


Table 4-5 Additional Information

Task You Want to Complete             Read Section
Add owners to the group               Adding Group Members
Add groups to the owners list         Adding Groups to the Group Members List
Remove entries from the owners list   Removing Entries from the Group Members List


Managing See Alsos

"See alsos" are references to other directory entries that may be relevant to the current group. They allow users to easily find entries for people and other groups that are related to the current group.

You manage see alsos the same way as you manage the group members list. The following table shows you which section to read for more information:


Table 4-6 Additional Information

Task You Want to Complete             Read Section
Add users to see alsos                Adding Group Members
Add groups to see alsos               Adding Groups to the Group Members List
Remove entries from see alsos         Removing Entries from the Group Members List


Removing Groups

To delete a group, perform the following steps:

  1. Access the Administration Server and choose the Users & Groups tab.

  2. Click the Manage Groups link, locate the group you want to manage as described in Finding Group Entries, and click Delete Group.



    Note The Administration Server does not remove the individual members of the group(s) you remove; only the group entry is removed.




Renaming Groups

To rename a group, perform the following steps:

  1. Access the Administration Server and choose the Users & Groups tab.

  2. Click the Manage Groups link and locate the group you want to manage as described in Finding Group Entries.

  3. Click the Rename Group button and type the new group name in the resulting dialog box.

When you rename a group entry, you only change the group's name; you cannot use the Rename Group feature to move the entry from one organizational unit to another. For example, a business might have the following organizations:

  • organizational units for Marketing and Product Management

  • a group named Online Sales under the Marketing organizational unit

In this example, you can rename the group from Online Sales to Internet Investments, but you cannot rename the entry such that Online Sales under the Marketing organizational unit becomes Online Sales under the Product Management organizational unit.



Creating Organizational Units



An organizational unit can include a number of groups, and it usually represents a division, department, or other discrete business group. A DN can exist in more than one organizational unit.

To create an organizational unit, perform the following steps:

  1. Access the Administration Server and choose the Users & Groups tab.

  2. Click the New Organizational Unit link and enter the required information.

For more information, see The New Organizational Unit Page.

The following notes may be of interest to the directory administrator:

  • New organizational units are created using the organizationalUnit object class.

  • The distinguished name for new organizational units is of the form:

    ou=new organization, ou=parent organization, ...,o=base organization, c=country

For example, if you create a new organization called Accounting within the organizational unit West Coast, and your Base DN is o=Ace Industry, c=US, then the new organization unit's DN is:

ou=Accounting, ou=West Coast, o=Ace Industry, c=US



Managing Organizational Units

You edit and manage organizational units from the Organizational Unit Edit form. This section describes the following tasks:

  • Finding Organizational Units

  • The "Find all units whose" Field

  • Editing Organizational Unit Attributes

  • Renaming Organizational Units

  • Deleting Organizational Units


Finding Organizational Units

To find organizational units, perform the following steps:

  1. Access the Administration Server and choose the Users & Groups tab.

  2. Click the Manage Organizational Units link.

  3. Type the name of the unit you want to find in the Find organizational unit field. You can enter any of the following in the search field:

    • A name. Enter a full name or a partial name. All entries that exactly match the search string are returned. If none are found, all entries that contain the search string are returned. If none are found, any entries that sound like the search string are returned.

    • An asterisk (*) to see all of the groups currently residing in your directory. You can achieve this same result by simply leaving the field blank.

    • Any LDAP search filter. Any string that contains an equal sign (=) is considered to be a search filter.

    As an alternative, use the pull-down menus in the Find all units whose field to narrow the results of your search.

  4. In the Look within field, select the organizational unit under which you want to search for entries. The default is the root point of the directory.

  5. In the Format field, choose either On-Screen or Printer.

  6. Click Find. All the organizational units matching your search criteria are displayed.

  7. In the resulting table, click the name of the organizational unit that you want to find.


The "Find all units whose" Field

The Find all units whose field allows you to build a custom search filter. Use this field to narrow down the search results that are otherwise returned by Find organizational unit. For more information regarding how to build a custom search filter, see Building Custom Search Queries.

To display all of the group entries contained in the Look Within directory, enter either an asterisk (*) or simply leave this text field blank.


Editing Organizational Unit Attributes

To change an organizational unit entry, access the Administration Server and perform the following steps:

  1. Locate the organizational unit you want to edit as described in Finding Organizational Units.

  2. The organizational unit edit form is displayed. Change the displayed fields as desired and click Save Changes. The changes are made immediately.


Note
It is possible that you will want to change an attribute value that is not displayed by the organizational unit edit form. In this situation, use the Directory Server ldapmodify command line utility, if available.


Renaming Organizational Units

To rename an organizational unit entry, access the Administration Server and perform the following steps:

  1. Make sure no other entries exist in the directory under the organizational unit that you want to rename.

  2. Locate the organizational unit you want to edit as described in Finding Organizational Units.

  3. Click the Rename button.

  4. Enter the new organizational unit name in the resulting dialog box.



    Note When you rename an organizational unit entry, you can only change the organizational unit's name; you cannot use the rename feature to move the entry from one organizational unit to another. For more information, see Renaming Organizational Units.




Deleting Organizational Units

To delete an organizational unit entry, access the Administration Server and perform the following steps:

  1. Make sure no other entries exist in the directory under the organizational unit that you want to delete.

  2. Locate the organizational unit you want to delete as described in Finding Organizational Units.

  3. Click the Delete button.

  4. Click OK in the resulting confirmation box. The organizational unit is immediately deleted.



Managing a Preferred Language List

iPlanet Web Server enables you to display and maintain the list of preferred languages.

To manage the preferred language list, perform the following steps:

  1. Access the Administration Server and choose the Users & Groups tab.

  2. Click the Manage Preferred Language List link.

  3. In the Display Language Selection List field, click Yes or No to specify whether iPlanet Web Server displays the Language Selection List.

  4. In the Languages in the Selection List field, click the Add to List checkbox to add each language you want specified as part of the Preferred Language List.

  5. Click the default value for the language you want to specify as the default language in the Preferred Language List.

  6. Click Save Changes.


Copyright © 2000 Sun Microsystems, Inc. Some preexisting portions Copyright © 2000 Netscape Communications Corp. All rights reserved.

Last Updated July 13, 2000