

Chapter 6

Securing Applications

This chapter describes how to implement Netscape Application Server security.

The following topics are included in this chapter:


About Security
Implementing application security is a joint effort between the application developers and the server administrator: the application developers are responsible for determining what level of security to implement and implementing that level into their applications; the administrator is responsible for managing the users and groups who use the application, as well as access control lists.

This chapter explains how to set up users and groups, the type of security each provides, and how they are used with access control lists. It also describes how user entries are stored in Netscape Directory Server and managed using Netscape Console and LDIF. Access control lists are stored locally on each server machine and are managed using the NAS Administrator tool.

Limitations of This Document
This chapter does not explain Directory Server and Netscape Console in great detail. Rather, it provides descriptions of the basic start-up tasks you must perform when setting up Directory Server in association with your instance of NAS, as well as how to use Netscape Console to manage users and groups. See Netscape Directory Server and Netscape Console documentation for detailed instructions and descriptions of these products.

You can find Directory Server documentation installed with your instance of NAS in the following location:

NAS install directory/manual/en/slapd/
Netscape Console documentation is available on Netscape's web site in the following location:

http://home.netscape.com/eng/server/console/
What Is LDAP?
Every instance of Netscape Application Server (NAS) uses Directory Server to store shared server information, including information about users and groups. Directory Server supports Lightweight Directory Access Protocol (LDAP) versions 2 and 3. LDAP is an open directory access protocol that runs over TCP/IP. It is scalable to a global size and millions of entries. Using Directory Server, you can store all of your enterprise's information in a single, centralized repository of directory information that any application server can access via the network.

Netscape Directory Server is installed with each instance of NAS.

What Is Netscape Console?
Netscape Console is a stand-alone Java application. It finds all resources and applications registered in Directory Server, and displays them in a graphical interface. Netscape Console functions independently of any server, and you can use it from any computer or workstation connected to your enterprise.

Netscape Console is installed with each instance of NAS. You use Netscape Console to manage users and groups for NAS. You can also use Netscape Console to launch the NAS Administrator tool, but only for local instances of NAS -- that is, instances of NAS installed on the same machine as Netscape Console. You must launch remote instances of NAS from the command line or from the Windows NT start menu.


Storing and Managing Users and Groups
The information you specify for each entry you create is stored in the Directory Server used with your instance of Netscape Application Server (NAS). When multiple application servers support an application, the information held in Directory Server is shared between all of them.

Implementing User-Based Security
User-based security allows access to an application by authenticating a user's user name and password. The user name and password of any user who requires access to the application must be stored in Directory Server.

An application starts the user authentication process by calling the application component—usually a servlet—responsible for user authentication. The user's login privileges are then verified against the list of users stored in Directory Server.

Once a user is successfully authenticated, access to specific application components is managed programmatically using access control lists and application components responsible for application security.

User security verifies access to an application based on a user's name and password. To implement user security, you must create a user profile, which holds the user name and password, for all users of an application. This procedure is described in Using Netscape Console to Add Entries to Directory Server.

Using Netscape Console to Add Entries to Directory Server
You can use Netscape Console to create user entries and group entries. A user entry contains information about an individual person or object in the directory. A group consists of all users who share a common attribute. For example, all users in a particular department might belong to the same group.

What Is a Distinguished Name (DN)?
Each of the users and groups in your enterprise is represented in Directory Server by a distinguished name (DN). A DN is a text string that contains identifying attributes. You use DNs whenever you make changes in the directory's users and groups database. For example, you need to specify DN information each time you create or modify directory entries, set up access controls, and set up user accounts for applications such as mail or publishing. The users and groups interface of Netscape Console helps you create or modify DNs.

For example, this might be a typical DN for an employee of Netscape Communications Corporation:

uid=doe,e=doe@netscape.com,cn=John Doe,o=Netscape Communications Corp.,c=US
The abbreviations before each equal sign in this example have the following meanings:

DNs may include a variety of name-value pairs. They are used to identify both certificate subjects and entries in directories that support LDAP.

Creating User Entries Using Netscape Console
User security is best suited for applications that have a small number of known users. You must create a user profile for each user who accesses the application.

You must be a Directory Server administrator or a user with the necessary permissions to create a user.

To create a new user entry in the directory using Netscape Console, perform the following steps:

  1. From the Windows Start menu, under Programs, choose Netscape Server Family, then Netscape Console 4.0 to open Netscape Console.
  2. Enter a valid user name and password and click OK.
  3. Click the Users and Groups tab.
  4. Use the drop-down list in the lower-right corner of the window to choose New User, then click Create.
  5. In Select Organizational Unit, click the directory subtree (ou) to which the user will belong, then click OK.
  6. In the Create User window, enter user information.
  7. Click the Licenses tab.
  8. Select the servers this user is licensed to use, then click OK.
  9. (Optional) Click the Languages tab.
Creating Group Entries Using Netscape Console
A group consists of all users who share a common attribute. For example, all users with DNs containing the attribute ou=Sales belong to the Sales group. Once you create a new group, you add users, or members, to it. You can use three types of groups in your directory: static, dynamic, and certificate groups.

Creating a Static Group

Create a static group by specifying the same group attribute in the DNs of any number of users. A static group doesn't change unless you add a user to it or delete a user from it. For example, a number of users have the attribute department=marketing in their DN. None of those users are members of the Marketing group until you explicitly add each one to the group.

To create a static group in the directory, perform the following steps:

  1. In Netscape Console, click the Users and Groups tab to display the Users and Groups window.
  2. Use the drop-down list in the lower-right corner of the window to choose New Group, then click Create.
  3. In the Select Organizational Unit window, select the directory subtree (ou) to which the group will belong, then click OK.
  4. In the Create Group window, enter group information, then click the Members tab.
  5. If you only want to create the group now and plan to add group members later, click OK and skip the rest of this procedure.
  6. In the Members window, click Add or Edit as appropriate.
Creating a Dynamic Group

Create a dynamic group when you want users to be added automatically to a group based on their DN attributes. For example, you can create a group that automatically includes any DN that contains the attribute department=marketing. Whenever you apply a search filter for department=marketing, the search returns a group including all DNs containing that attribute. The DNs are included automatically; you do not have to add each individual to the group.

To create a dynamic group in the directory, perform the following steps:

  1. In Netscape Console, click the Users and Groups tab to display the Users and Groups window.
  2. Use the drop-down list in the lower-right corner of the window to choose New Group, then click Create.
  3. In the Select Organizational Unit window, select the directory subtree (ou) to which the group will belong, then click OK.
  4. In the Create Group window, enter group information, then click the Members tab.
  5. Click Dynamic Group, then click Add.
  6. Use the Construct and Test LDAP URL dialog box to specify the criteria for including users in the dynamic group.
  7. Click OK.
  8. (Optional) In the Construct and Test LDAP URL dialog box, to see a list of users and groups included in the dynamic group, click Test.
  9. Click OK.
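To make the difference between static and dynamic groups concrete, here is an added illustration (not code from the Netscape documentation, Netscape Console or Directory Server) that resolves a dynamic group's LDAP URL, of the kind built in the Construct and Test LDAP URL dialog box, against a few constructed entries and compares the result with a static group's explicit member list. The entry DNs, the ou=People and ou=Contractors subtrees, the uniqueMember and memberURL attribute names and the search semantics are assumptions; only single equality or presence filters are handled.

```python
"""Static versus dynamic group membership, evaluated against a small
in-memory directory.  Added illustration with constructed entries; it is not
Directory Server's search engine and handles only simple filters."""
from urllib.parse import unquote

# Constructed sample entries: DN -> attributes (every value is a list, as in LDAP).
DIRECTORY = {
    "uid=jdoe,ou=People,o=Example":     {"uid": ["jdoe"],   "department": ["marketing"]},
    "uid=asmith,ou=People,o=Example":   {"uid": ["asmith"], "department": ["marketing"]},
    "uid=bkim,ou=People,o=Example":     {"uid": ["bkim"],   "department": ["sales"]},
    "uid=cwu,ou=Contractors,o=Example": {"uid": ["cwu"],    "department": ["marketing"]},
}

# A static group: members are whatever the administrator listed, nothing more.
STATIC_MARKETING = {"cn": ["Marketing"],
                    "uniqueMember": ["uid=jdoe,ou=People,o=Example"]}

# A dynamic group: members are whatever the LDAP URL's search returns right now.
DYNAMIC_MARKETING = {"cn": ["Marketing (dynamic)"],
                     "memberURL": ["ldap:///ou=People,o=Example??sub?(department=marketing)"]}


def parse_ldap_url(url):
    """Split 'ldap://host/base?attrs?scope?filter' into (base, scope, filter).
    A missing scope defaults to 'base' and a missing filter to (objectClass=*)."""
    if not url.startswith("ldap://"):
        raise ValueError("not an LDAP URL: " + url)
    _host, _, path = url[len("ldap://"):].partition("/")
    base, _attrs, scope, flt = (path.split("?") + ["", "", "", ""])[:4]
    return unquote(base), (scope or "base"), (unquote(flt) or "(objectClass=*)")


def matches(attrs, flt):
    """Evaluate one equality filter such as (department=marketing) or a
    presence filter such as (department=*).  Compound filters are not handled."""
    if not (flt.startswith("(") and flt.endswith(")")) or "=" not in flt:
        raise ValueError("unsupported filter: " + flt)
    name, _, value = flt[1:-1].partition("=")
    values = [v.lower() for v in attrs.get(name, [])]
    return bool(values) if value == "*" else value.lower() in values


def in_scope(dn, base, scope):
    """True if dn lies within base for the given scope (base, one or sub).
    DNs are compared as plain strings, so values containing commas are not handled."""
    if dn == base:
        return True
    if not dn.endswith("," + base):
        return False
    if scope == "sub":
        return True
    if scope == "one":
        return "," not in dn[: -len(base) - 1]   # exactly one RDN below the base
    return False


def dynamic_members(group, directory=DIRECTORY):
    """Resolve a dynamic group by running its memberURL search over the directory."""
    members = set()
    for url in group["memberURL"]:
        base, scope, flt = parse_ldap_url(url)
        members.update(dn for dn, attrs in directory.items()
                       if in_scope(dn, base, scope) and matches(attrs, flt))
    return sorted(members)


def static_members(group):
    """A static group's membership is exactly its listed members."""
    return sorted(group["uniqueMember"])


def after_new_hire(new_dn, attrs, directory=DIRECTORY):
    """Add one entry and return (static member count, dynamic member count):
    the dynamic group picks the newcomer up, the static group does not."""
    updated = dict(directory)
    updated[new_dn] = attrs
    return (len(static_members(STATIC_MARKETING)),
            len(dynamic_members(DYNAMIC_MARKETING, updated)))


if __name__ == "__main__":
    print("static :", static_members(STATIC_MARKETING))
    print("dynamic:", dynamic_members(DYNAMIC_MARKETING))
    print("after new hire (static, dynamic):",
          after_new_hire("uid=newbie,ou=People,o=Example",
                         {"uid": ["newbie"], "department": ["marketing"]}))
```

The scope matters as much as the filter: the same (department=marketing) filter with base o=Example and scope sub also pulls in the contractor entry, while scope one returns nobody because every user sits two levels below o=Example. Test the URL in the dialog box with exactly the base and scope you intend before saving the group.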
Modifying Database Entries Using Netscape Console
Before you can modify user or group data, you must first use the Users and Groups Search function to locate the user or group entry in the user directory. Then you can select operations from the menu bar to change the entry. The operations you perform apply to all entries in the Search list.

See Netscape Console documentation for more information.

Using LDIF to Add Entries to Directory Server
You can add entries to Directory Server using LDIF or Netscape Console. Netscape Console is described in Using Netscape Console to Add Entries to Directory Server.

Directory Server uses the LDAP Data Interchange Format (LDIF) to describe a directory and directory entries in text format. LDIF is commonly used to initially build a directory database or to add large numbers of entries to the directory all at once. You can also add or edit entries using the ldapmodify command along with the appropriate LDIF update statements.

To add entries to the database using LDIF, first define the entries in an LDIF file, then import the LDIF file from Directory Server.

Formatting LDIF Entries
LDIF consists of one or more directory entries separated by a blank line. Each LDIF entry consists of an optional entry ID, a required distinguished name, one or more object classes, and multiple attribute definitions.

The basic form of a directory entry represented in LDIF is:

dn: distinguished name
objectClass: object class
objectClass: object class
...
attribute type[;subtype]:attribute value
attribute type[;subtype]:attribute value
...
You must supply the DN and at least one object class definition. In addition, you must include any attributes required by the object classes that you define for the entry. All other attributes and object classes are optional. You can specify object classes and attributes in any order. The space after the colon is also optional. For information on standard object classes and attributes, refer to the Netscape Directory Server Schema Reference Guide.
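The following is an added illustration, not code from the Netscape documentation or Directory Server's own import tool, of the LDIF rules just stated and of the DN structure described under What Is a Distinguished Name (DN)?. It parses an LDIF file into entries, rejects an entry that lacks a DN or an object class or is missing an attribute its object class requires, accepts both "type:value" and "type: value", keeps ;subtype qualifiers, and splits a DN into its name-value pairs. The sample LDIF, the o=Example tree and the two-entry schema table are constructed; the treatment of the optional entry ID as a bare number line is an assumption.

```python
"""LDIF entry parser enforcing the rules described above, plus a DN splitter.
Added illustration with constructed data; not Directory Server's importer."""

# Constructed sample: two entries separated by a blank line.  The description
# value is folded across two lines (a leading space continues the previous line).
SAMPLE_LDIF = """\
dn: uid=jdoe,ou=People,o=Example
objectClass: top
objectClass: person
objectClass: inetOrgPerson
cn: John Doe
cn;lang-fr:Jean Doe
sn:Doe
uid: jdoe
description: a very long value that is fol
 ded onto a continuation line

dn: cn=Marketing,ou=Groups,o=Example
objectClass: top
objectClass: groupOfUniqueNames
cn: Marketing
uniqueMember: uid=jdoe,ou=People,o=Example
"""

# Assumed: a small subset of the standard schema's required attributes.
REQUIRED_ATTRIBUTES = {
    "person": ["cn", "sn"],
    "groupOfUniqueNames": ["cn", "uniqueMember"],
}


def unfold(lines):
    """Join continuation lines: a line starting with a space continues the previous one."""
    out = []
    for line in lines:
        if line.startswith(" ") and out:
            out[-1] += line[1:]
        else:
            out.append(line)
    return out


def parse_attribute(line):
    """Split 'type[;subtype]:value' into (type, subtype, value).
    The space after the colon is optional, as the text above says."""
    name, sep, value = line.partition(":")
    if not sep:
        raise ValueError("not an attribute line: %r" % line)
    attr_type, _, subtype = name.partition(";")
    return attr_type, (subtype or None), value.lstrip(" ")


def parse_ldif(text):
    """Return a list of entries, each a dict with 'dn', 'objectClass' and 'attrs'.
    Raises ValueError when an entry violates the rules described above."""
    entries = []
    for block in text.strip().split("\n\n"):
        if not block.strip():
            continue
        lines = unfold([l for l in block.splitlines() if l.strip() and not l.startswith("#")])
        if lines and lines[0].isdigit():      # optional entry ID (assumed: a bare number line)
            lines = lines[1:]
        if not lines or parse_attribute(lines[0])[0] != "dn":
            raise ValueError("entry must start with a dn line")
        entry = {"dn": parse_attribute(lines[0])[2], "objectClass": [], "attrs": {}}
        for line in lines[1:]:
            attr_type, subtype, value = parse_attribute(line)
            if attr_type == "objectClass":
                entry["objectClass"].append(value)
            else:
                key = attr_type if subtype is None else "%s;%s" % (attr_type, subtype)
                entry["attrs"].setdefault(key, []).append(value)
        if not entry["objectClass"]:
            raise ValueError("entry %s needs at least one objectClass" % entry["dn"])
        for oc in entry["objectClass"]:
            for required in REQUIRED_ATTRIBUTES.get(oc, []):
                if required not in entry["attrs"]:
                    raise ValueError("%s: objectClass %s requires %s" % (entry["dn"], oc, required))
        entries.append(entry)
    return entries


def is_valid_ldif(text):
    """True when every entry in the text passes the checks in parse_ldif."""
    try:
        parse_ldif(text)
        return True
    except ValueError:
        return False


def parse_dn(dn):
    """Split a DN such as 'cn=John Doe,o=Netscape Communications Corp.,c=US'
    into (attribute, value) pairs; a backslash escapes a literal comma."""
    pairs, current, i = [], "", 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            current += dn[i + 1]
            i += 2
            continue
        if ch == ",":
            pairs.append(current)
            current = ""
        else:
            current += ch
        i += 1
    pairs.append(current)
    return [tuple(p.split("=", 1)) for p in pairs]


if __name__ == "__main__":
    for entry in parse_ldif(SAMPLE_LDIF):
        print(entry["dn"], "->", parse_dn(entry["dn"]))
```

Validating a bulk LDIF file this way before handing it to ldapmodify catches the usual mistakes (a stray blank line that splits one entry in two, a missing objectClass, a person entry without sn) offline, instead of discovering them as partial imports into the live directory.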

Modifying Database Entries Using ldapmodify
You use the ldapmodify command-line utility to modify entries in an existing Directory Server database. ldapmodify opens a connection to the specified server using the distinguished name and password you supply, and modifies the entries based on LDIF update statements contained in a specified file. Because ldapmodify uses LDIF update statements, ldapmodify can do everything that ldapdelete can do. Most of Directory Server's command-line utilities are stored in a single location. You can find them in the following directory:

NAS install directory/bin/slapd/server
The remaining three—ldapdelete, ldapmodify, and ldapsearch—are stored in the following directory:

NAS install directory/shared/bin
The following is an example of the command used to add the user entries defined in an LDIF file to the directory:

ldapmodify -h myserverhost -p 389 -D "cn=Directory Manager" -w admin -a -f MyUsersFile
Creating Entries Programmatically
You can also create entries programmatically within an application using the LDAP JDK included with each installation of NAS. See the Programmer's Guide for more information.


Setting Access Control List Authorization
Access control lists (ACLs) allow you to set permissions for users and groups. A permission relates to an action the user is allowed to perform, such as read or write.

Netscape Application Server (NAS) comes with default permissions, but you can also create your own application-specific permissions and ACLs. The information in an ACL is used by the application to verify the permissions of the current user or group for an action the user attempts.

If a user does not have a certain permission, the application can direct the user to re-login, prompt him to exit the application, or direct him to a different part of the application.

Creating an Access Control List
You use NAS Administrator to create and manage access control lists (ACLs). When creating an ACL, you can create groups to which users belong and add only those groups to the ACL, rather than adding individual users as ACL members. This is useful even when you use user-based security for individual users: it saves you the maintenance of editing the ACL whenever its users change.

For example, if you have created users for an intranet application and a user leaves the company, you need to remove that user only from the appropriate group or groups, as opposed to removing the user from the groups and any ACLs.

To create an access control list, perform the following steps:

  1. On the NAS Administrator toolbar, click the Security button to open the Security window of NAS Administrator.
  2. Click the New button located at the bottom of the window.
  3. In the Access Control List field, enter a name for the ACL.
  4. To add a user or group to the ACL, click the Add User or Group button at the bottom of the dialog box.
  5. Select the users and/or groups you want to add to the ACL.
  6. Click OK.
  7. To add a new permission to the ACL, click New Permission.
  8. Enter the new permission action word.
  9. Click OK.
  10. To set the appropriate permissions for the groups in the ACL, check each permission for that group.
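As an added example (constructed data, not NAS Administrator's own ACL storage or API), the check below resolves a user's permissions through group membership in the way the section above recommends, and shows why removing a departing user from their groups is enough when the ACL lists groups rather than individual users. The DNs, the group names, the ACL layout and the application-specific "approve" permission are assumptions.

```python
"""Group-based ACL check.  Added illustration with constructed users, groups
and permissions; not the NAS Administrator ACL store or its API."""
import copy

# Constructed groups managed in the directory: group name -> set of member DNs.
GROUPS = {
    "Marketing": {"uid=jdoe,ou=People,o=Example", "uid=asmith,ou=People,o=Example"},
    "Sales":     {"uid=bkim,ou=People,o=Example"},
}

# Constructed ACL for one application: each member (a group, or a user added
# directly) maps to the permission action words it holds.  'read' and 'write'
# are the examples named above; 'approve' stands for an application-specific one.
CATALOG_ACL = {
    "Marketing": {"read", "write", "approve"},
    "Sales": {"read"},
    "uid=cwu,ou=Contractors,o=Example": {"read"},   # an individual user in the ACL
}


def groups_of(user_dn, groups=GROUPS):
    """Names of every group the user belongs to."""
    return {name for name, members in groups.items() if user_dn in members}


def has_permission(acl, user_dn, action, groups=GROUPS):
    """True if the user holds the action directly or through any of their groups."""
    principals = groups_of(user_dn, groups) | {user_dn}
    return any(action in acl.get(p, set()) for p in principals)


def offboard(user_dn, groups=GROUPS):
    """Remove a departing user from every group and return the new mapping.
    For group-based ACL members this alone revokes access; the ACL is untouched."""
    updated = copy.deepcopy(groups)
    for members in updated.values():
        members.discard(user_dn)
    return updated


def direct_acl_members(acl, groups=GROUPS):
    """ACL members that are individual users rather than groups: these must
    also be removed from the ACL itself when they leave."""
    return sorted(m for m in acl if m not in groups)


if __name__ == "__main__":
    jdoe = "uid=jdoe,ou=People,o=Example"
    print("jdoe write:", has_permission(CATALOG_ACL, jdoe, "write"))
    print("jdoe write after leaving:",
          has_permission(CATALOG_ACL, jdoe, "write", offboard(jdoe)))
    print("users to edit out of the ACL by hand:", direct_acl_members(CATALOG_ACL))
```

The contractor entry is the cautionary case: because that user was added to the ACL directly, removing them from every group changes nothing, and the ACL has to be edited as well. Listing direct user members of each ACL, as direct_acl_members does, is a quick audit for exactly that leftover access.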
Modifying an Access Control List
You can modify the following ACL properties:

You can also remove groups from the system.

To modify an access control list, perform the following steps:

  1. On the NAS Administrator toolbar, click the Security button to open the Security window of NAS Administrator.
  2. Click the Modify button located at the bottom of the window.
  3. To add a new user or group, click Add User or Group.
  4. Select the group or groups you want to add to the ACL.
  5. Click OK.
  6. To create a new permission, click New Permission.
  7. To edit the permissions of a group, select or deselect the appropriate permissions for that group.
  8. To remove a group, select that group and click Remove.

© Copyright 1999 Netscape Communications Corp.