6 Delegated Administrator Post-Installation Tasks

This chapter provides instructions for the following Oracle Communications Delegated Administrator post-installation tasks:

  • Adding Mail and Calendar Services to the Default Domain

  • Enforcing Unique Values for Mail Attributes

  • Creating Service Packages

Perform the following task only if you are using an LDAP directory in Schema 2 compatibility mode:

  • Adding ACIs for Schema 2 Compatibility Mode

Adding Mail and Calendar Services to the Default Domain

The config-commda program creates a default domain.

If you want to create users with mail service or calendar service in the default domain, you first must add mail service and calendar service to the domain.

To perform this task, use the commadmin domain modify command with the -S option, giving mail and cal as a comma-separated list of services to add (-S mail,cal).

The following example shows how you can use commadmin domain modify to add mail and calendar services to the default domain:

commadmin domain modify -D chris -w bolton -n sesta.com -d siroe.com -S mail,cal -H test.siroe.com

The service list must not contain spaces; "-S mail, cal" would be parsed as two separate arguments. If the -w option is omitted, commadmin prompts for the password, which keeps it out of the process list and shell history.

Note that adding IM and contacts services to the default domain is not required.

For commadmin command syntax and details, see Delegated Administrator Reference in Delegated Administrator System Administrator's Guide.

Enforcing Unique Values for Mail Attributes

Messaging Server uses the following mail attributes to identify a user's email address and alternate email address:

  • mail

  • mailAlternateAddress

  • mailEquivalentAddress

Each user's mail attributes should be unique across the directory.

The following procedure shows how to add a plug-in configuration entry to the Directory Server dse.ldif file to enforce the uniqueness of these attributes. Whenever Delegated Administrator (or any LDAP client) adds an entry or modifies one of these attributes, the plug-in checks, before the operation is applied, that the new values are not already held by another entry under the configured suffix. The three attributes are treated as one set: a value in mail on one entry collides with the same value in mailAlternateAddress on another. If an operation would cause two entries to share a value, the operation is rejected. The plug-in checks only operations performed after it is enabled; duplicates that already exist in the directory are not detected and must be found and corrected separately.

For definitions of mail attributes, see Messaging Server and Calendar Server Attributes in Communications Suite Schema Reference.

To enforce the uniqueness of mail attributes:

  1. Create a text file with the following lines. Replace the parameters shown in the file with values specific to your installation.

    For DSEE 7/ODSEE 11gR2:

    dn: cn=Uniqueness in Messaging Attribute Set,cn=plugins,cn=config
    objectClass: top
    objectClass: nsSlapdPlugin
    objectClass: ds-signedPlugin
    objectClass: extensibleObject
    cn: Uniqueness in Messaging Attribute Set
    nsslapd-pluginPath: /opt/SUNWdsee7/lib/amd64/uid-plugin.so
    nsslapd-pluginInitfunc: NSUniqueAttrSet_Init
    nsslapd-pluginType: preoperation
    nsslapd-pluginEnabled: on
    nsslapd-pluginarg0: attributeset=mail,mailalternateaddress,mailequivalentaddress
    nsslapd-pluginarg1: dc=siroe,dc=com
    nsslapd-plugin-depends-on-type: database
    nsslapd-pluginId: NSUniqueAttrSet
    nsslapd-pluginVersion: 11.1.1.5.0
    nsslapd-pluginVendor: Oracle Corporation
    nsslapd-pluginDescription: Enforce unique values among an attribute set
    

    For DSEE 6.3.1 (64-bit Solaris x86):

    dn: cn=Uniqueness in Messaging Attribute Set,cn=plugins,cn=config
    objectClass: top
    objectClass: nsSlapdPlugin
    objectClass: ds-signedPlugin
    objectClass: extensibleObject
    cn: Uniqueness in Messaging Attribute Set
    nsslapd-pluginPath: /opt/SUNWdsee/ds6/lib/amd64/uid-plugin.so
    nsslapd-pluginInitfunc: NSUniqueAttrSet_Init
    nsslapd-pluginType: preoperation
    nsslapd-pluginEnabled: on
    nsslapd-pluginarg0: attributeset=mail,mailalternateaddress,mailequivalentaddress
    nsslapd-pluginarg1: dc=siroe,dc=com
    nsslapd-plugin-depends-on-type: database
    nsslapd-pluginId: NSUniqueAttrSet
    nsslapd-pluginVersion: 6.3.1
    nsslapd-pluginVendor: Sun Microsystems, Inc.
    nsslapd-pluginDescription: Enforce unique values among an attribute set
    

    Change the following parameters:

    • These examples show specific values for nsslapd-pluginPath. If Directory Server is installed elsewhere, replace the installation directory with the one under which your Directory Server is installed, for example /var/opt/mps/server_root. The path must point to the uid-plugin.so library shipped with your Directory Server version and architecture.

    • These examples show a specific suffix (dc=siroe,dc=com) for nsslapd-pluginarg1. Replace it with your user/group root suffix (ugldapbasedn). Uniqueness is checked only among entries underneath this suffix.

  2. Stop Directory Server.

  3. Add your modified text file to the Directory Server dse.ldif file.

    The dse.ldif file is located in the following directory:

    server_root/slapd-machine_name/config
    

    where server_root is the directory underneath which Directory Server is installed (for example, /var/opt/mps/server_root) and machine_name is the name of the host machine where Directory Server is installed. On DSEE 6.x and DSEE 7/ODSEE 11gR2 instances created with dsadm, the file is instance_path/config/dse.ldif, where instance_path is the directory given when the instance was created.

    Add your text file after the uid uniqueness section of the dse.ldif file, separated from the neighbouring entries by a blank line. The first line of this section (the dn) is as follows:

    dn: cn=uid uniqueness,cn=plugins,cn=config
    
  4. Restart Directory Server.

    When Directory Server starts, it reads the modified dse.ldif file and loads the plug-in.

Troubleshooting

If Directory Server does not start because of an error in the dse.ldif file, check the instance's errors log for the line or plug-in that failed, and check the values you used to replace the parameters in the sample text file. Your LDAP root suffix, the Directory Server installation path (nsslapd-pluginPath) and the host machine must be correct for your installation.

If Directory Server still does not start, you can, as a last resort, remove the text file from the dse.ldif file and restart Directory Server.
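Because the plug-in rejects only operations made after it is enabled, an audit of the existing data belongs before step 2. The following Python script is an added example, not part of the Oracle documentation or the Directory Server product: it reads an LDIF export of the user/group tree (for example from dsconf export or db2ldif; the sample below is constructed inline) and reports every address that appears, in any of the three attributes, on more than one entry under the suffix given to nsslapd-pluginarg1. The attribute list and the suffix are the ones in the dse.ldif fragment above; the sample entries and file name are assumptions.

```python
"""Audit an LDIF export for duplicate mail addresses before enabling the
NSUniqueAttrSet plug-in.  Added example; not part of the Oracle documentation
or the Directory Server product.  The plug-in only rejects operations made
after it is loaded, so duplicates already in the directory must be found and
fixed by hand; this script finds them."""
import base64
from collections import defaultdict

# The attribute set from nsslapd-pluginarg0 above.  The plug-in treats the
# set as one namespace: a value in mail on one entry collides with the same
# value in mailAlternateAddress on another.  Attribute names and these
# address values are matched case-insensitively, as LDAP does.
MAIL_ATTRS = ("mail", "mailalternateaddress", "mailequivalentaddress")


def parse_ldif(text):
    """Return [(dn, {attr_lower: [values]})] for each entry in an LDIF export.
    Handles RFC 2849 continuation lines (leading space) and base64 values
    ('attr:: ...'); change records are not expected in an export."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # continuation of the previous line
        else:
            lines.append(raw)
    entries, dn, attrs = [], None, defaultdict(list)
    for line in lines + [""]:             # trailing "" flushes the last entry
        if line == "":
            if dn is not None:
                entries.append((dn, dict(attrs)))
            dn, attrs = None, defaultdict(list)
            continue
        if line.startswith("#") or line.lower().startswith("version:"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):         # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if name.lower() == "dn":
            dn = value
        else:
            attrs[name.lower()].append(value)
    return entries


def find_duplicates(entries, suffix):
    """Return {address: [dn, ...]} for every address that appears, in any of
    MAIL_ATTRS, on more than one entry under `suffix` (nsslapd-pluginarg1).
    Entries outside the suffix are ignored, as the plug-in ignores them, and
    the same address repeated within a single entry is not a collision.
    The suffix match is a plain case-insensitive string comparison."""
    owners = defaultdict(set)
    suffix = suffix.lower()
    for dn, attrs in entries:
        if not dn.lower().endswith(suffix):
            continue
        for attr in MAIL_ATTRS:
            for value in attrs.get(attr, []):
                owners[value.lower()].add(dn)
    return {addr: sorted(dns) for addr, dns in owners.items() if len(dns) > 1}


# Constructed sample export (not real data).  amy/bob collide across two
# different attributes and differ only in case; bob/carol collide on
# bob@siroe.com; dave is outside dc=siroe,dc=com and therefore out of scope;
# carol's base64 mail value decodes to carol@siroe.com.
SAMPLE_LDIF = """\
version: 1

dn: uid=amy,ou=People,dc=siroe,dc=com
objectClass: inetOrgPerson
uid: amy
mail: amy@siroe.com
mailAlternateAddress: a.lee@siroe.com

dn: uid=bob,ou=People,dc=siroe,dc=com
objectClass: inetOrgPerson
uid: bob
mail: bob@siroe.com
mailEquivalentAddress: A.Lee@siroe.com

dn: uid=carol,ou=People,dc=siroe,dc=com
objectClass: inetOrgPerson
uid: carol
mail:: Y2Fyb2xAc2lyb2UuY29t
mailAlternateAddress: bob@siroe.com
mailAlternateAddress: carol@siroe.com

dn: uid=dave,ou=People,dc=other,dc=com
objectClass: inetOrgPerson
uid: dave
mail: bob@siroe.com
"""

if __name__ == "__main__":
    import sys
    # Usage: python audit_mail_uniqueness.py [export.ldif] [suffix]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LDIF
    suffix = sys.argv[2] if len(sys.argv) > 2 else "dc=siroe,dc=com"
    dups = find_duplicates(parse_ldif(text), suffix)
    for addr, dns in sorted(dups.items()):
        print(f"{addr} is claimed by {len(dns)} entries:")
        for dn in dns:
            print(f"    {dn}")
    sys.exit(1 if dups else 0)
```

Run it against a fresh export and resolve every reported address before restarting Directory Server with the plug-in enabled; otherwise the first legitimate modification of an already-duplicated entry will be the point at which the conflict surfaces, as a rejected operation in Delegated Administrator.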

Creating Service Packages

Each user and group provisioned in the LDAP directory with Delegated Administrator should have a service package. A user or group can have more than one service package. For more information, see Creating Your Own Service Packages in Delegated Administrator System Administrator's Guide.

Adding ACIs for Schema 2 Compatibility Mode

If you are using an LDAP directory in Schema 2 compatibility mode, you must manually add ACIs to the directory to enable Delegated Administrator to provision in your directory.

To add ACIs for Schema 2 compatibility mode with Access Manager, for example:

  1. Add the following two ACIs to the OSI root, that is, your usergroup suffix (ugldapbasedn). The two ACIs are in the usergroup.ldif file, located in the DelegatedAdmin_home/config directory.

    Be sure to replace ugldapbasedn with your usergroup suffix, then load the edited usergroup.ldif into the LDAP directory with ldapmodify, binding as a directory administrator (for example cn=Directory Manager). The aci values are wrapped below for display; in the LDIF file each value must be on a single line, or continued on lines that begin with one space.

    #
    # acis to limit Org Admin Role
    #
    ########################################
    # dn: local.ugldapbasedn
    ########################################
    dn: ugldapbasedn
    changetype: modify
    add: aci
    aci: (target="ldap:///($dn),ugldapbasedn")(targetattr="*")
    (version 3.0; acl "Organization Admin Role access deny to org node";
    deny (write,add,delete) roledn = "ldap:///cn=Organization Admin
    Role,($dn),ugldapbasedn";)
    
    dn: ugldapbasedn
    changetype: modify
    add: aci
    aci: (target="ldap:///($dn),ugldapbasedn")(targetattr="*")
    (version 3.0; acl "Organization Admin Role access allow read
    to org node";
    allow (read,search) roledn = "ldap:///cn=Organization Admin
    Role,($dn),ugldapbasedn";)
    
  2. Add the following two ACIs to the DC Tree root suffix. The two ACIs are in the dctree.ldif file, located in the DelegatedAdmin_home/lib/config-templates directory.

    Be sure to replace dctreebasedn with your DC Tree root suffix and ugldapbasedn with your usergroup suffix. The roledn in each bind rule keeps the usergroup suffix even though the entries being modified are in the DC Tree, because the Organization Admin Role is defined in the organization tree. Load the edited dctree.ldif into the LDAP directory with ldapmodify, as in step 1.

    #
    # acis to limit Org Admin Role
    #
    ########################################
    # dn: dctreebasedn
    ########################################
    dn: dctreebasedn
    changetype: modify
    add: aci
    aci: (target="ldap:///($dn),dctreebasedn")(targetattr="*")
    (version 3.0; acl "Organization Admin Role access deny to dc node";
    deny (write,add,delete) roledn = "ldap:///cn=Organization Admin
    Role,($dn),ugldapbasedn";)
    
    dn: dctreebasedn
    changetype: modify
    add: aci
    aci: (target="ldap:///($dn),dctreebasedn")(targetattr="*")
    (version 3.0; acl "Organization Admin Role access allow read to dc
    node"; allow (read,search) roledn = "ldap:///cn=Organization Admin
    Role,($dn),ugldapbasedn";)
    
  3. Add the following additional ACIs to the DC Tree root suffix. (These ACIs are not in the dctree.ldif file.)

    dn: dctreebasedn
    changetype: modify
    add: aci
    aci: (target="ldap:///dctreebasedn")(targetattr="*")
    (version 3.0; acl "S1IS Proxy user rights"; allow (proxy)
    userdn = "ldap:///cn=puser,ou=DSAME Users,ugldapbasedn";)
    
    dn: dctreebasedn
    changetype: modify
    add: aci
    aci: (target="ldap:///dctreebasedn")(targetattr="*")
    (version 3.0; acl "S1IS special dsame user rights for all under the
    root suffix"; allow (all) userdn ="ldap:///cn=dsameuser,ou=DSAME
    Users,ugldapbasedn";)
    
    dn: dctreebasedn
    changetype: modify
    add: aci
    aci: (target="ldap:///dctreebasedn")(targetattr="*")
    (version 3.0; acl "S1IS Top-level admin rights";
    allow (all) roledn = "ldap:///cn=Top-level Admin
    Role,ugldapbasedn";)
    
  4. Set the com.iplanet.am.domaincomponent property in the AMConfig.properties file to your DC Tree root suffix.

    For example, modify the following line in the AM_base_directory/lib/AMConfig.properties file:

    from

    com.iplanet.am.domaincomponent=o=isp
    

    to

    com.iplanet.am.domaincomponent=o=internet
    
  5. Enable Access Manager to use compatibility mode.

    In the Access Manager Console, in the Administration Console Service Page, check (enable) the Domain Component Tree Enabled check box.

  6. Add the inetdomain object class to all the DC Tree nodes (such as dc=com,o=internet). The following example runs ldapmodify from the Directory Server tools directory and supplies the change record on standard input (end the input with Ctrl-D):

    cd /var/mps/server_root/shared/bin
    ./ldapmodify -D "cn=Directory Manager" -w password
    dn: dc=com,o=internet
    changetype: modify
    add: objectclass
    objectclass: inetdomain
    
  7. Restart the Web container.
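Before loading the edited files in steps 1 to 3, it is worth checking that the right suffix went into the right place: the entry DN and the target belong to the DC Tree (dctreebasedn), while the roledn in the bind rule must stay under the usergroup suffix (ugldapbasedn). An ACI naming a role DN that does not exist never matches anyone, so the allow grants nothing and the deny restricts nothing, with no error from the server. The following Python script is an added example, not Oracle's code and not shipped with Delegated Administrator: it substitutes the two placeholders and checks each rendered aci for that mistake, for syntax that does not parse, for leftover placeholders, and for a ($dn) macro used in the bind rule but not in the target. The template text is a constructed excerpt in the shape of the two dctree.ldif ACIs in step 2; o=internet is the DC Tree root used in step 4, and o=isp is assumed as the usergroup suffix.

```python
"""Render the Schema 2 compatibility-mode ACI templates for a given pair of
suffixes and sanity-check the result before loading it with ldapmodify.
Added example; not part of the Oracle documentation or the product."""
import re

# Constructed excerpt with the shape of the two dctree.ldif ACIs in step 2.
# Each aci value is on one line; the guide wraps them for display only.
DCTREE_TEMPLATE = """\
dn: dctreebasedn
changetype: modify
add: aci
aci: (target="ldap:///($dn),dctreebasedn")(targetattr="*")(version 3.0; acl "Organization Admin Role access deny to dc node"; deny (write,add,delete) roledn = "ldap:///cn=Organization Admin Role,($dn),ugldapbasedn";)

dn: dctreebasedn
changetype: modify
add: aci
aci: (target="ldap:///($dn),dctreebasedn")(targetattr="*")(version 3.0; acl "Organization Admin Role access allow read to dc node"; allow (read,search) roledn = "ldap:///cn=Organization Admin Role,($dn),ugldapbasedn";)
"""

# Shape of a version 3.0 ACI as written in these templates (one target, one
# targetattr, one permission clause, one roledn/userdn bind rule).
ACI_RE = re.compile(
    r'^\(target="ldap:///(?P<target>[^"]*)"\)\(targetattr="[^"]*"\)'
    r'\(version 3\.0; *acl "[^"]*"; *(?P<effect>allow|deny) *\([a-z,]+\) *'
    r'(?P<bindtype>roledn|userdn) *= *"ldap:///(?P<bind>[^"]*)" *;\)$')


def render(template, ugldapbasedn, dctreebasedn):
    """Substitute the guide's two placeholders with real suffixes."""
    return (template.replace("dctreebasedn", dctreebasedn)
                    .replace("ugldapbasedn", ugldapbasedn))


def unfold(ldif_text):
    """Join RFC 2849 continuation lines (leading space) onto the line above."""
    out = []
    for line in ldif_text.splitlines():
        if line.startswith(" ") and out:
            out[-1] += line[1:]
        else:
            out.append(line)
    return "\n".join(out)


def check_acis(ldif_text, ugldapbasedn, dctreebasedn):
    """Return a list of problems in the rendered DC Tree ACI records; an
    empty list means the file is consistent with the procedure.  DN
    comparison is a plain case-insensitive string match."""
    problems = []
    for record in re.split(r"\n\s*\n", unfold(ldif_text).strip()):
        m = re.search(r"^dn: *(.+)$", record, re.M)
        dn = m.group(1).strip() if m else ""
        if dn.lower() != dctreebasedn.lower():
            problems.append(f"record dn {dn!r} is not the DC Tree root {dctreebasedn!r}")
        for aci in re.findall(r"^aci: *(.+)$", record, re.M):
            if "ugldapbasedn" in aci or "dctreebasedn" in aci:
                problems.append(f"placeholder left unreplaced: {aci}")
            m = ACI_RE.match(aci)
            if not m:
                problems.append(f"aci does not parse: {aci}")
                continue
            target, bind = m.group("target"), m.group("bind")
            if not target.lower().endswith(dctreebasedn.lower()):
                problems.append(f"target {target!r} is outside the DC Tree")
            # The role is defined in the organization tree, so the bind rule
            # must keep the usergroup suffix even though the modified entry
            # is in the DC Tree; a role DN that does not exist matches nobody.
            if m.group("bindtype") == "roledn" and not bind.lower().endswith(ugldapbasedn.lower()):
                problems.append(f"roledn {bind!r} is not under the usergroup suffix {ugldapbasedn!r}")
            # Directory Server macro rule: ($dn) in the subject requires ($dn)
            # in the target, which supplies the value it expands to.
            if "($dn)" in bind and "($dn)" not in target:
                problems.append(f"($dn) in bind rule but not in target: {aci}")
    return problems


if __name__ == "__main__":
    # Suffixes are assumptions for illustration: o=internet is the DC Tree
    # root used in step 4; o=isp stands in for the usergroup suffix.
    rendered = render(DCTREE_TEMPLATE, "o=isp", "o=internet")
    for p in check_acis(rendered, "o=isp", "o=internet"):
        print("PROBLEM:", p)
    print(rendered)
```

Save the rendered text to a file and load it with ldapmodify, binding as Directory Manager; the same render and check can be pointed at the real dctree.ldif, since unfold handles the continuation lines a full LDIF file may contain. The usergroup.ldif records from step 1 need the mirror-image check (entry DN and target under ugldapbasedn), which is a one-line change to the two endswith tests.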