This section discusses how to create the domains and organizational units needed to provision those domains. Note that domain components in the DIT directly mirror the domain components and hierarchy of the DNS.
Throughout the section, an example of a DC tree will be used, with the created domain example specified in bold. For each task the relevant tree information will be shown and the required object classes and attributes will be described.
Note - The attribute descriptions in this guide are brief overviews. For the full attribute descriptions refer to the schema section in the SIMS Reference Manual.
FIGURE 2-1 Root Node o=internet.
The root entry is the top level node of the DIT. It must always be o=internet. The LDIF record for creating the root node is shown in CODE EXAMPLE 2-1. Note that dc=com,o=internet is created during SIMS installation, but we show these steps for instructional purposes.
Note - It is a common practice to specify an alias for certain common attributes. These aliases are defined in the attribute definition files (*.at.conf). Common aliases include cn (commonname), ou (organizationalUnit), o (organization), sn (surname), and dn (distinguishedName).
CODE EXAMPLE 2-1 LDIF Record for Creating a Root Node
dn: o=internet
objectClass: organization
o: internet
Root Entry Attributes
This section provides brief descriptions of the root entry attributes. For more complete descriptions of the attributes refer to the SIMS schema section in the SIMS Reference Manual.
dn: o=internet
The distinguished name (dn) uniquely identifies the directory entry in the tree. When creating an LDIF record, the dn must be the first field.

objectClass: organization
The root node of the DC tree is defined by the object class organization. The object class allows you to add other attributes to the entry (see the SIMS Reference Manual for details), but only "o" is required. o must have the same value as set in the dn of this entry.

o: internet
This is the root entry for all DC trees. o stands for organization name, which in this case is internet.
FIGURE 2-2 Top-level Domains.
Top-level domain component entries are created just below the root o=internet, and correspond to the top-level DNS domain nodes. In this example they are dc=com and dc=edu, but they may also include top-level domains in the DNS hierarchy such as dc=fr, dc=jp, dc=org, and so on.
Note that each entry must be created in a separate LDIF record (multiple records may be placed in the same file by separating each record with a blank line), and that entries must be created in hierarchical order, parent before child: you cannot create a top-level domain without first creating the root entry, and you cannot create a second-level domain without first creating its top-level domain.
In this example our top-level domain is dc=com. Note that dc=com,o=internet is created during SIMS installation, but we show these steps for instructional purposes. The LDIF record is shown below.
CODE EXAMPLE 2-2 LDIF Record for Creating a Top-level Domain
dn: dc=com,o=internet
objectClass: domain
dc: com
Top-level Domain Attributes
This section provides brief descriptions of the top-level domain attributes. For more complete descriptions of the attributes refer to the SIMS schema in the SIMS Reference Manual.
dn: dc=com, o=internet
The distinguished name (dn) uniquely identifies the directory entry in the tree.

objectClass: domain
The object class domain is used to create this LDAP entry.

dc: com
The DNS domain component, com, is the name of the matching top-level node. For example, to create the hierarchy for stream.com, you need to create a domain component entry corresponding to .com.
FIGURE 2-3 Third-level Domain stream.com.
Hosted domains are typically created at the third level of the DC tree, which in this example is dc=stream. Note that the node itself is not useful until you create the required containers below it (See "Create the Required Containers for Hosted Domains" on page 19). The LDIF code for creating a hosted domain is shown in CODE EXAMPLE 2-3.
CODE EXAMPLE 2-3 LDIF Record for Creating a Hosted Domain.
dn: dc=stream,dc=com,o=internet
objectClass: domain
objectClass: inetDomain
objectClass: simsDomain
description: DC node for stream.com hosted domain
dc: stream
inetTreeStyle: DC
inetDomainStatus: active
inetAuthorizedServices: imap
inetAuthorizedServices: pop3
inetAuthorizedServices: imaps
inetAuthorizedServices: pop3s
inetAuthorizedServices: smtp
inetAuthorizedServices: sunw_webaccess
owner: cn=Mike Marola (Delegated Admin),ou=People,dc=stream,dc=com,o=internet
simsRecursive: 0
simsDomainVersion: 1.0
dnsDomainName: stream.com
rfc822Postmaster: deladmin@stream.com
mailHosts: route66.stream.com
preferredMailhost: route66.stream.com
domainDiskQuota: 10G
maxMailboxes: 10
maxDistributionLists: 2
maxEntries: 12
Hosted Domain Attributes
This section provides brief descriptions of the hosted domain node attributes. For more complete descriptions of the attributes refer to the SIMS schema in the SIMS Reference Manual.
dn: dc=stream, dc=com, o=internet
The distinguished name (dn) uniquely identifies the directory entry in the tree. It consists of a comma-separated list of the hierarchical components that specify the entry's location in the DIT. Note that the hosted domain component, dc=stream, must match the DNS node for the hosted domain.

objectClass: domain
objectClass: inetDomain
objectClass: simsDomain
These three lines specify the object classes required to create the dc=stream entry in the DIT. domain is the structural object class and provides attributes useful for describing the domain component nodes of the DC tree.

inetDomain is an auxiliary object class that provides attributes for describing the additional properties of a hosted domain. This object class is associated with directory containers which correspond to a DNS domain. In an internet style DIT, this object class is associated with every domain component node (except the top-level domain, for example, com) that represents a DNS domain.

simsDomain is an auxiliary object class that provides attributes useful for describing the additional properties of an e-mail domain. Like inetDomain, this object class is associated with entries which correspond to a DNS domain. In an internet style DIT, this object class is associated with every domain component node that represents a DNS domain.
domain Attributes
description: DC node for stream.com hosted domain
Free-form text describing the organization node in the directory. Usually the full name of the organization that is associated with the value of the organizationName attribute for this entry.

dc: stream
The dc (domain component) is the DNS domain associated with this node.
inetDomain Attributes
inetTreeStyle: DC
Defines the type of tree associated with this DIT. There are two possible values for this field: OSI and DC. The Domain Component (DC) tree style is the default, because the SIMS 4.0 namespace maps to the DC tree style.

inetDomainStatus: active
Tells the system whether the domain is active, inactive, or deleted. The default is active. To temporarily disable the domain, indicate inactive in the LDIF record. To delete the domain, indicate deleted in the LDIF record. If this attribute is missing, active is implied.

inetAuthorizedServices: imap
inetAuthorizedServices: pop3
inetAuthorizedServices: imaps
inetAuthorizedServices: pop3s
inetAuthorizedServices: smtp
inetAuthorizedServices: sunw_webaccess
These lines list the internet services which are authorized within this domain. The services that you can set permissions for include the following:
- imap - IMAP-based protocol services
- imaps - secure IMAP-based protocol services
- pop3 - POP-based message access
- pop3s - secure POP-based message access
- smtp - access to the SMTP server for authorized message submission
- smtps - access to the secure SMTP server for message submission
If this attribute is missing, it is the same as specifying all services.

owner: cn=Mike Marola (Delegated Admin) (deladmin),ou=People,dc=stream,dc=com,o=internet
This is a multi-valued attribute specifying the distinguished name of the Delegated Administrator(s). The Delegated Administrator has the privileges to add, modify, delete, and search for group or user entries in the hosted domain. If this attribute is included in the LDIF record, then a corresponding user entry must be included in the container ou=people. If the site is not going to support Delegated Management, this value may be excluded.

dnsDomainName: stream.com
Indicates the DNS domain name associated with this node in the DIT.
simsDomain Attributes
simsDomainVersion: 1.0
This required attribute indicates which version of the object class is being used in the domain.

simsRecursive: 0
simsRecursive=0 is the recommended value. If the value is 0, the IMTA generates a routing entry for this domain. If you set the value to 1 for a particular site, you must add rewrite rules to the IMTA configuration files. In other words, if the value is set to 0, the system automatically generates the appropriate rewrite rule to route messages to this domain. If the value is 1, the system cannot automatically generate a rewrite rule, since an incoming message can go to the domain or any of its subdomains. Thus, you will need to create specific rewrite rules for the domain and each of its subdomains.

rfc822Postmaster: deladmin@stream.com
Address of the postmaster. Mail addressed to postmaster@stream.com will be sent to the address specified in this attribute.

mailHosts: route66.stream.com
mailHosts is a list of fully qualified hostnames of mail servers that have routing responsibility for this domain. You cannot specify a mail server in a domain entry if that mail server is specified in a parent domain.

preferredMailhost: route66.stream.com
Fully qualified hostname of the preferred mail server for this hosted domain. When the delegated administrator adds a new user or group, the new user or group is assigned this value as its mailhost. Service providers can use this attribute to control where new users and groups are created. SIMS provisioning tools (the Delegated Admin Console and the SIMS Administration command line interface) use this value when creating users and groups.

domainDiskQuota: 10G
Disk quota in bytes for this domain. Disk usage for all users in this hosted domain should not exceed this value. The default unit can be overridden by using one of the following tags:
- <size>K - size is specified in kilobytes
- <size>M - size is specified in megabytes
- <size>G - size is specified in gigabytes
- <size>T - size is specified in terabytes

maxMailboxes: 10
The maximum number of mailboxes allowed in the domain.

maxDistributionLists: 2
The maximum number of distribution lists allowed in the domain.

maxEntries: 12
This indicates the number of directory entries allowed for the domain.
FIGURE 2-4 Third-level Domain stream.com.
A domain alias is an entry that points to another domain. Domain aliasing allows a hosted domain to have several domain names. One of these domain names is the official domain name, which is used, among other things, to create internal addresses. This special name is referred to as the official domain name.
The LDIF code for creating a domain alias is shown in CODE EXAMPLE 2-4.
CODE EXAMPLE 2-4 LDIF Record for Creating a Domain Alias.
dn: dc=river,dc=com,o=internet
objectClass: alias
objectClass: aliasobject
aliasedObjectName: dc=stream,dc=com,o=Internet
dc: river
FIGURE 2-5 Third-level Domain stream.com.
Every domain that contains users or groups must have three organizationalUnit containers:
- ou=people - container for user entries.
- ou=groups - container for group entries.
- ou=services - container for service entries.
The following example shows the LDIF records for creating these required container entries in the hosted domain stream.
CODE EXAMPLE 2-5 LDIF Records for Hosted Domain Containers.
dn: ou=People,dc=stream,dc=com,o=internet
objectClass: organizationalUnit
ou: People

dn: ou=Groups,dc=stream,dc=com,o=internet
objectClass: organizationalUnit
ou: Groups

dn: ou=Services,dc=stream,dc=com,o=internet
objectClass: organizationalUnit
ou: Services
Hosted Domain Container Attributes
This section provides brief descriptions of the hosted domain container attributes. For more complete descriptions of the attributes refer to the SIMS schema in the SIMS Reference Manual.
dn: ou=People,dc=stream,dc=com,o=internet
dn: ou=Groups,dc=stream,dc=com,o=internet
dn: ou=Services,dc=stream,dc=com,o=internet
These are the distinguished names for the containers required by all hosted domains. ou=People contains all the user entries for the hosted domain. ou=Groups contains all the group entries for the hosted domain. ou=Services contains entries for service objects.

objectClass: organizationalUnit
The organizationalUnit object class is used to create the container entries of the primary DIT in our example.

ou: People
ou: Groups
ou: Services
These are the three required organizationalUnit entries.
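As an added example (not part of the SIMS guide or its tools), the following Python script checks a provisioning LDIF file against the rules stated above before it is fed to ldapmodify: dn must be the first field of each record, a parent entry must be created before its child, every simsDomain entry needs the ou=People, ou=Groups and ou=Services containers, and each owner DN must sit under the domain's own ou=People. The parser and the sample records are constructed for this example.

```python
REQUIRED_OUS = ("people", "groups", "services")

def parse_ldif(text):
    """Split blank-line separated LDIF into dicts of lower-cased name -> values."""
    entries, entry, last = [], {}, None
    for raw in text.splitlines() + [""]:
        if raw.startswith(" ") and last:          # leading space: continuation
            entry[last][-1] += raw[1:]
        elif raw.strip():
            name, _, value = raw.partition(":")
            last = name.strip().lower()
            entry.setdefault(last, []).append(value.strip())
        elif entry:                               # blank line ends the record
            entries.append(entry)
            entry, last = {}, None
    return entries

def norm_dn(dn):
    """Lower-case a DN and drop spaces around commas so DNs compare equal."""
    return ",".join(p.strip().lower() for p in dn.split(","))

def validate(text):
    """Return the rule violations found (an empty list means the file passes)."""
    problems, seen = [], set()
    entries = parse_ldif(text)
    for e in entries:                             # pass 1: dn first, parent first
        if next(iter(e)) != "dn":
            problems.append("record does not start with dn")
            continue
        dn = norm_dn(e["dn"][0])
        parent = dn.partition(",")[2]
        if parent and parent not in seen:
            problems.append("parent missing for " + dn)
        seen.add(dn)
    for e in entries:                             # pass 2: hosted-domain rules
        dn = norm_dn(e.get("dn", [""])[0])
        if "simsdomain" not in map(str.lower, e.get("objectclass", [])):
            continue
        problems += ["%s lacks ou=%s" % (dn, ou) for ou in REQUIRED_OUS
                     if "ou=%s,%s" % (ou, dn) not in seen]
        problems += ["owner not under ou=People of " + dn for o in e.get("owner", [])
                     if not norm_dn(o).endswith(",ou=people," + dn)]
    return problems

# Constructed sample (added example, not the guide's file): root, com, stream
# and ou=People records, with ou=Groups and ou=Services deliberately left out.
SAMPLE = """dn: o=internet
objectClass: organization
o: internet

dn: dc=com,o=internet
objectClass: domain
dc: com

dn: dc=stream,dc=com,o=internet
objectClass: domain
objectClass: simsDomain
dc: stream
owner: cn=Mike Marola (Delegated Admin),ou=People,
 dc=stream,dc=com,o=internet

dn: ou=People,dc=stream,dc=com,o=internet
objectClass: organizationalUnit
ou: People
"""
```

Running validate(SAMPLE) reports the two missing containers; a file that passes returns an empty list.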
This section describes how to implement common domain tasks. The entire LDIF record is given for each task; however, most tasks require only adding one or more attributes to an existing domain. If you are going to modify a record, use only the lines in italics. For example, to do the task described in the following section using ldapmodify, you would run:
# ./ldapmodify -D "<SIMS Admin DN>" -w <passwd> -f change.ldif
where the contents of change.ldif is:
dn: dc=stream,dc=com,o=internet
changetype: modify
add: owner
owner: cn=Mike Marola (Delegated Admin),ou=People,dc=stream,dc=com,o=internet
owner: cn= Bill Komash (Delegated Bill),ou=People,dc=stream,dc=com,o=internet

Creating or Removing Delegated Administrators
To create or remove delegated administrator privileges, use the owner attribute. Its values must be the distinguished names of valid, existing user entries in the domain being delegated. The LDIF example below specifies two delegated administrators. Note that a line may be continued by inserting a single space at the beginning of the next line.
CODE EXAMPLE 2-6 LDIF Record for Creating Delegated Administrators.
dn: dc=stream,dc=com,o=internet
objectClass: domain
objectClass: inetDomain
objectClass: simsDomain
description: DC node for stream.com hosted domain
dc: stream
inetTreeStyle: DC
inetDomainStatus: active
inetAuthorizedServices: imap
inetAuthorizedServices: pop3
inetAuthorizedServices: imaps
inetAuthorizedServices: pop3s
inetAuthorizedServices: smtp
inetAuthorizedServices: sunw_webaccess
owner: cn=Mike Marola (Delegated Admin),ou=People,dc=stream,dc=com,o=internet
owner: cn= Bill Komash (Delegated Bill),ou=People,dc=stream,dc=com,o=internet
simsRecursive: 0
simsDomainVersion: 1.0
dnsDomainName: stream.com
rfc822Postmaster: deladmin@stream.com
mailHosts: route66.stream.com
preferredMailhost: route66.stream.com
domainDiskQuota: 10G
maxMailboxes: 10
maxDistributionLists: 2
maxEntries: 12

Assigning or Removing RFC822 Postmasters
To assign or remove RFC822 postmasters, add or remove addresses in the rfc822Postmaster attribute. These must be valid e-mail addresses. The example below specifies two domain postmasters.
CODE EXAMPLE 2-7 LDIF Record for Assigning RFC822 Postmasters.
dn: dc=stream,dc=com,o=internet
objectClass: domain
objectClass: inetDomain
objectClass: simsDomain
description: DC node for stream.com hosted domain
dc: stream
inetTreeStyle: DC
inetDomainStatus: active
inetAuthorizedServices: imap
inetAuthorizedServices: pop3
inetAuthorizedServices: imaps
inetAuthorizedServices: pop3s
inetAuthorizedServices: smtp
inetAuthorizedServices: sunw_webaccess
owner: cn=Mike Marola (Delegated Admin),ou=People,dc=stream,dc=com,o=internet
simsRecursive: 0
simsDomainVersion: 1.0
dnsDomainName: stream.com
rfc822Postmaster: deladmin@stream.com
rfc822Postmaster: billkoma@stream.com
mailHosts: route66.stream.com
preferredMailhost: route66.stream.com
domainDiskQuota: 10G
maxMailboxes: 10
maxDistributionLists: 2
maxEntries: 12

Changing the Preferred Mailhost
To change the preferred mailhost, assign the fully qualified domain name of the mailhost to preferredMailhost. In the example below, the preferredMailhost is highlighted.
CODE EXAMPLE 2-8 LDIF Record for Changing the Preferred Mailhost.
dn: dc=stream,dc=com,o=internet
objectClass: domain
objectClass: inetDomain
objectClass: simsDomain
description: DC node for stream.com hosted domain
dc: stream
inetTreeStyle: DC
inetDomainStatus: active
inetAuthorizedServices: imap
inetAuthorizedServices: pop3
inetAuthorizedServices: imaps
inetAuthorizedServices: pop3s
inetAuthorizedServices: smtp
inetAuthorizedServices: sunw_webaccess
owner: cn=Mike Marola (Delegated Admin),ou=People,dc=stream,dc=com,o=internet
simsRecursive: 0
simsDomainVersion: 1.0
dnsDomainName: stream.com
rfc822Postmaster: deladmin@stream.com
mailHosts: route66.stream.com
preferredMailhost: route66.stream.com
domainDiskQuota: 10G
maxMailboxes: 10
maxDistributionLists: 2
maxEntries: 12

Adding a New Server to the SIMS System
To add a mail server, add its fully qualified domain name to mailHosts as shown below.
CODE EXAMPLE 2-9 LDIF Record for Adding a New Server to the System.
dn: dc=stream,dc=com,o=internet
objectClass: domain
objectClass: inetDomain
objectClass: simsDomain
description: DC node for stream.com hosted domain
dc: stream
inetTreeStyle: DC
inetDomainStatus: active
inetAuthorizedServices: imap
inetAuthorizedServices: pop3
inetAuthorizedServices: imaps
inetAuthorizedServices: pop3s
inetAuthorizedServices: smtp
inetAuthorizedServices: sunw_webaccess
owner: cn=Mike Marola (Delegated Admin),ou=People,dc=stream,dc=com,o=internet
simsRecursive: 0
simsDomainVersion: 1.0
dnsDomainName: stream.com
rfc822Postmaster: deladmin@stream.com
mailHosts: route66.stream.com
mailHosts: bowser.isp.net
preferredMailhost: route66.stream.com
domainDiskQuota: 10G
maxMailboxes: 10
maxDistributionLists: 2
maxEntries: 12

Adding or Removing Authorized Services
To add or remove authorized services for a domain, add or remove the desired internet services in the inetAuthorizedServices attribute. For example, if you wanted to remove IMAP support, you would remove the two inetAuthorizedServices lines for imap and imaps from the record below. This results in the IMAP and IMAPS services being disallowed for all users in the domain, even if users have these services listed in their user entries.
CODE EXAMPLE 2-10 LDIF Record for Adding Authorized Services.
dn: dc=stream,dc=com,o=internet
objectClass: domain
objectClass: inetDomain
objectClass: simsDomain
description: DC node for stream.com hosted domain
dc: stream
inetTreeStyle: DC
inetDomainStatus: active
inetAuthorizedServices: imap
inetAuthorizedServices: pop3
inetAuthorizedServices: imaps
inetAuthorizedServices: pop3s
inetAuthorizedServices: smtp
inetAuthorizedServices: sunw_webaccess
owner: cn=Mike Marola (Delegated Admin),ou=People,dc=stream,dc=com,o=internet
simsRecursive: 0
simsDomainVersion: 1.0
dnsDomainName: stream.com
rfc822Postmaster: deladmin@stream.com
mailHosts: route66.stream.com
preferredMailhost: route66.stream.com
domainDiskQuota: 10G
maxMailboxes: 10
maxDistributionLists: 2
maxEntries: 12

Note - The set of services a user is permitted is the intersection of the services listed in the user entry and the services specified in the domain entry.
Setting the Domain Quota
The domain quota is the maximum amount of storage space that all the mailboxes of all the users in a particular domain can use. SIMS does not do strict domain quota enforcement. That is, the quota reporting tool uses this value in its report, but the system does not reject messages when domainDiskQuota is exceeded.
Set domainDiskQuota to the amount of data storage allocated to the domain.
CODE EXAMPLE 2-11 LDIF Record for Changing the Domain Storage Quota.
dn: dc=stream,dc=com,o=internet
objectClass: domain
objectClass: inetDomain
objectClass: simsDomain
description: DC node for stream.com hosted domain
dc: stream
inetTreeStyle: DC
inetDomainStatus: active
inetAuthorizedServices: imap
inetAuthorizedServices: pop3
inetAuthorizedServices: imaps
inetAuthorizedServices: pop3s
inetAuthorizedServices: smtp
inetAuthorizedServices: sunw_webaccess
owner: cn=Mike Marola (Delegated Admin),ou=People,dc=stream,dc=com,o=internet
simsRecursive: 0
simsDomainVersion: 1.0
dnsDomainName: stream.com
rfc822Postmaster: deladmin@stream.com
mailHosts: route66.stream.com
preferredMailhost: route66.stream.com
domainDiskQuota: 90000M
maxMailboxes: 10
maxDistributionLists: 2
maxEntries: 12

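The service-intersection rule, the domainDiskQuota unit tags and the max* limits from the sections above, written out as an added Python example (not SIMS code) of the checks a provisioning script could run before a delegated administrator adds another user. Assumptions of this example: 1024-based K/M/G/T units, a user entry with no inetAuthorizedServices meaning all services (the guide states this only for the domain entry), and maxEntries being compared against users plus distribution lists.

```python
# Added example, not SIMS code. Service names are those this chapter lists.
SERVICES = frozenset(["imap", "imaps", "pop3", "pop3s", "smtp", "smtps", "sunw_webaccess"])
UNITS = {"K": 1024, "M": 1024 ** 2, "G": 1024 ** 3, "T": 1024 ** 4}   # assumption: 1024-based

def parse_quota(value):
    """domainDiskQuota text -> bytes: a bare number is bytes, a K/M/G/T tag scales it."""
    value = value.strip().upper()
    if value[-1] in UNITS:
        return int(value[:-1]) * UNITS[value[-1]]
    return int(value)

def effective_services(domain_entry, user_entry):
    """Intersection of the domain's and the user's inetAuthorizedServices.
    A missing attribute is treated as listing every service (assumption for the user side)."""
    dom = set(domain_entry.get("inetAuthorizedServices") or SERVICES)
    usr = set(user_entry.get("inetAuthorizedServices") or SERVICES)
    return dom & usr

def domain_capacity(domain_entry, mailboxes, lists, usage_bytes, adding=1):
    """Limits that would be hit if `adding` more mailboxes were provisioned.
    mailboxes/lists are the domain's current counts, usage_bytes the total
    mailbox storage. Assumption: maxEntries counts users plus lists.
    The quota is reported only; SIMS does not enforce it, as the guide says."""
    findings = []
    if mailboxes + adding > int(domain_entry["maxMailboxes"]):
        findings.append("maxMailboxes")
    if lists > int(domain_entry["maxDistributionLists"]):
        findings.append("maxDistributionLists")
    if mailboxes + lists + adding > int(domain_entry["maxEntries"]):
        findings.append("maxEntries")
    if usage_bytes > parse_quota(domain_entry["domainDiskQuota"]):
        findings.append("domainDiskQuota (report only)")
    return findings

# Constructed sample mirroring the stream.com entry from CODE EXAMPLE 2-3.
STREAM = {
    "inetAuthorizedServices": ["imap", "pop3", "imaps", "pop3s", "smtp", "sunw_webaccess"],
    "domainDiskQuota": "10G",
    "maxMailboxes": "10",
    "maxDistributionLists": "2",
    "maxEntries": "12",
}
```

With the domain's imap and imaps lines removed, effective_services() drops IMAP for a user even if the user entry still lists it, which is the behaviour described under "Adding or Removing Authorized Services".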
Copyright © 1999 Sun Microsystems, Inc. All Rights Reserved.