This chapter provides the following instructions for performing Oracle Communications Delegated Administrator post-installation tasks:
Perform the following task only if you are using an LDAP directory in Schema 2 compatibility mode:
The config-commda program creates a default domain.
If you want to create users with mail service or calendar service in the default domain, you first must add mail service and calendar service to the domain.
To perform this task, use the commadmin domain modify command with the -S mail and -S cal options.
The following example shows how you can use commadmin domain modify to add mail and calendar services to the default domain:
commadmin domain modify -D chris -w bolton -n sesta.com -d siroe.com -S mail,cal -H test.siroe.com
Note that adding IM and contacts services to the default domain is required.
For commadmin command syntax and details, see Delegated Administrator Reference in Delegated Administrator System Administrator's Guide.
Messaging Server uses the following mail attributes to identify a user's email address and alternate email addresses:
mail
mailAlternateAddress
mailEquivalentAddress
Each user's mail attributes should be unique across the directory.
The following procedure shows how to modify a Directory Server LDIF file to enforce the uniqueness of these attributes. Whenever Delegated Administrator (or any LDAP tool) adds an entry or modifies a mail attribute, the uniqueness plug-in (uid-plugin.so) checks that the mail attribute values are unique across the whole attribute set. If an operation would cause two entries to share a mail-attribute value, the operation is rejected.
For definitions of mail attributes, see Messaging Server and Calendar Server Attributes in Communications Suite Schema Reference.
To enforce the uniqueness of mail attributes:
Create a text file with the following lines. Replace the parameters shown in the file with values specific to your installation.
For DSEE 7/ODSEE 11gR2:
dn: cn=Uniqueness in Messaging Attribute Set,cn=plugins,cn=config
objectClass: top
objectClass: nsSlapdPlugin
objectClass: ds-signedPlugin
objectClass: extensibleObject
cn: Uniqueness in Messaging Attribute Set
nsslapd-pluginPath: /opt/SUNWdsee7/lib/amd64/uid-plugin.so
nsslapd-pluginInitfunc: NSUniqueAttrSet_Init
nsslapd-pluginType: preoperation
nsslapd-pluginEnabled: on
nsslapd-pluginarg0: attributeset=mail,mailalternateaddress,mailequivalentaddress
nsslapd-pluginarg1: dc=siroe,dc=com
nsslapd-plugin-depends-on-type: database
nsslapd-pluginId: NSUniqueAttrSet
nsslapd-pluginVersion: 11.1.1.5.0
nsslapd-pluginVendor: Oracle Corporation
nsslapd-pluginDescription: Enforce unique values among an attribute set
For DSEE 6.3.1 (64-bit Solaris x86):
dn: cn=Uniqueness in Messaging Attribute Set,cn=plugins,cn=config
objectClass: top
objectClass: nsSlapdPlugin
objectClass: ds-signedPlugin
objectClass: extensibleObject
cn: Uniqueness in Messaging Attribute Set
nsslapd-pluginPath: /opt/SUNWdsee/ds6/lib/amd64/uid-plugin.so
nsslapd-pluginInitfunc: NSUniqueAttrSet_Init
nsslapd-pluginType: preoperation
nsslapd-pluginEnabled: on
nsslapd-pluginarg0: attributeset=mail,mailalternateaddress,mailequivalentaddress
nsslapd-pluginarg1: dc=siroe,dc=com
nsslapd-plugin-depends-on-type: database
nsslapd-pluginId: NSUniqueAttrSet
nsslapd-pluginVersion: 6.3.1
nsslapd-pluginVendor: Sun Microsystems, Inc.
nsslapd-pluginDescription: Enforce unique values among an attribute set
Change the following parameters:
These examples show specific paths for nsslapd-pluginPath. If necessary, replace the path with the location of uid-plugin.so underneath the directory where your Directory Server is installed. For example: /var/opt/mps/server_root
These examples show a specific ugldapbasedn (dc=siroe,dc=com) for nsslapd-pluginarg1. If necessary, replace it with your root suffix. Uniqueness checking is performed on all entries underneath this suffix.
Stop Directory Server.
Add your modified text file to the Directory Server dse.ldif file.
The dse.ldif file is located in the following directory:
server_root/slapd-machine_name-config
where server_root is the directory underneath which Directory Server is installed (for example, /var/opt/mps/server_root) and machine_name is the name of the host machine where Directory Server is installed.
Add your text file after the uid uniqueness section of the dse.ldif file. The first line of this section (the dn) is as follows:
dn: cn=uid uniqueness,cn=plugins,cn=config
Restart Directory Server.
When Directory Server starts, it reads the modified dse.ldif file and loads the uniqueness plug-in with the configuration you added.
If Directory Server does not start because the dse.ldif file has generated an error, check the values you used to replace the parameters in the sample text file. Your LDAP root suffix and the Directory Server installation path and host machine must be correct for your installation.
If Directory Server still does not start, you can, as a last resort, remove the text file from the dse.ldif file and restart Directory Server.
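The plug-in only rejects new operations; it does not repair duplicates that already exist under the suffix, and it treats a value carried in one entry's mail and another entry's mailAlternateAddress as a clash, because the check runs over the whole attribute set named in nsslapd-pluginarg0. The following script is an added example (not Oracle or Sun code) that audits an LDIF export for such pre-existing clashes and simulates the preoperation check for a proposed add or modify. The sample entries are constructed, and the script assumes mail values compare case-insensitively, as the mail attributes' caseIgnoreIA5Match matching rule does.

```python
import base64
from collections import defaultdict

# The attribute set from the nsslapd-pluginarg0 line of the plug-in entry above.
ATTRIBUTE_SET = ("mail", "mailalternateaddress", "mailequivalentaddress")

# Constructed sample export: jsmith's mailEquivalentAddress collides (differing
# only in case) with jdoe's mailAlternateAddress; asmith's mail is base64-encoded.
SAMPLE_LDIF = """\
dn: uid=jdoe,ou=People,o=siroe.com,dc=siroe,dc=com
objectClass: inetOrgPerson
uid: jdoe
mail: jdoe@siroe.com
mailAlternateAddress: john.doe@siroe.com

dn: uid=jsmith,ou=People,o=siroe.com,dc=siroe,dc=com
objectClass: inetOrgPerson
uid: jsmith
mail: jsmith@siroe.com
mailEquivalentAddress: John.Doe@siroe.com

dn: uid=asmith,ou=People,o=siroe.com,dc=siroe,dc=com
objectClass: inetOrgPerson
uid: asmith
mail:: YXNtaXRoQHNpcm9lLmNvbQ==
"""


def parse_ldif(text):
    """Minimal LDIF reader: returns a list of (dn, {attr_lowercase: [values]}).
    Unfolds continuation lines (leading space) and decodes base64 values (::)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], None
    for line in lines + [""]:          # the trailing "" flushes the last entry
        if line.startswith("#") or line.startswith("version:"):
            continue
        if not line.strip():
            if current is not None:
                entries.append(current)
                current = None
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):      # "attr:: base64"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        name = name.strip().lower()
        if name == "dn":
            current = (value, defaultdict(list))
        elif current is not None:
            current[1][name].append(value)
    return entries


def build_index(entries):
    """Map each mail value (lower-cased: assumption that values compare with
    caseIgnoreIA5Match) to the DNs carrying it in ANY attribute of the set."""
    index = defaultdict(set)
    for dn, attrs in entries:
        for attr in ATTRIBUTE_SET:
            for value in attrs.get(attr, []):
                index[value.lower()].add(dn.lower())
    return index


def find_duplicates(entries):
    """Existing clashes, which the plug-in does not fix retroactively: they must
    be cleaned up before (or right after) the plug-in is enabled."""
    return {value: sorted(dns) for value, dns in build_index(entries).items()
            if len(dns) > 1}


def would_be_rejected(entries, dn, new_values):
    """Simulate the preoperation check for an add or modify that leaves `dn`
    holding `new_values`: returns the first value already owned by a different
    entry, or None when the operation would be accepted."""
    index = build_index(entries)
    for value in new_values:
        owners = index.get(value.lower(), set()) - {dn.lower()}
        if owners:
            return value
    return None


if __name__ == "__main__":
    found = parse_ldif(SAMPLE_LDIF)
    for value, dns in find_duplicates(found).items():
        print("DUPLICATE %s: %s" % (value, ", ".join(dns)))
    print(would_be_rejected(found, "uid=new,ou=People,o=siroe.com,dc=siroe,dc=com",
                            ["JSMITH@siroe.com"]))
```

Run it against a db2ldif export of the suffix named in nsslapd-pluginarg1 before restarting Directory Server with the plug-in enabled; any value reported by find_duplicates will keep being a clash (and will block later modifications to either entry) until one of the entries is corrected.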
Each user and group provisioned in the LDAP directory with Delegated Administrator should have a service package. A user or group can have more than one service package. For more information, see Creating Your Own Service Packages in Delegated Administrator System Administrator's Guide.
If you are using an LDAP directory in Schema 2 compatibility mode, you must manually add ACIs to the directory to enable Delegated Administrator to provision in your directory.
For example, to add ACIs for Schema 2 compatibility mode with Access Manager:
Add the following two ACIs to the OSI root (the usergroup suffix, ugldapbasedn). You can find these two ACIs in the usergroup.ldif file, located in the DelegatedAdmin_home/config directory.
Be sure to replace ugldapbasedn with your usergroup suffix. Add the edited usergroup.ldif into the LDAP directory.
#
# acis to limit Org Admin Role
#
########################################
# dn: local.ugldapbasedn
########################################
dn: ugldapbasedn
changetype: modify
add: aci
aci: (target="ldap:///($dn),ugldapbasedn")(targetattr="*") (version 3.0; acl "Organization Admin Role access deny to org node"; deny (write,add,delete) roledn = "ldap:///cn=Organization Admin Role,($dn),ugldapbasedn";)

dn: ugldapbasedn
changetype: modify
add: aci
aci: (target="ldap:///($dn),ugldapbasedn")(targetattr="*") (version 3.0; acl "Organization Admin Role access allow read to org node"; allow (read,search) roledn = "ldap:///cn=Organization Admin Role,($dn),ugldapbasedn";)
Add the following two ACIs to the DC Tree root suffix. You can find the following two ACIs in the dctree.ldif file, located in the DelegatedAdmin_home/lib/config-templates directory.
Be sure to replace dctreebasedn with your DC Tree root suffix and ugldapbasedn with your usergroup suffix. Add the edited dctree.ldif into the LDAP directory.
#
# acis to limit Org Admin Role
#
########################################
# dn: dctreebasedn
########################################
dn: dctreebasedn
changetype: modify
add: aci
aci: (target="ldap:///($dn),dctreebasedn")(targetattr="*") (version 3.0; acl "Organization Admin Role access deny to dc node"; deny (write,add,delete) roledn = "ldap:///cn=Organization Admin Role,($dn),ugldapbasedn";)

dn: dctreebasedn
changetype: modify
add: aci
aci: (target="ldap:///($dn),dctreebasedn")(targetattr="*") (version 3.0; acl "Organization Admin Role access allow read to dc node"; allow (read,search) roledn = "ldap:///cn=Organization Admin Role,($dn),ugldapbasedn";)
Add the following additional ACIs to the DC Tree root suffix. (These ACIs are not in the dctree.ldif file.)
dn: dctreebasedn
changetype: modify
add: aci
aci: (target="ldap:///dctreebasedn")(targetattr="*") (version 3.0; acl "S1IS Proxy user rights"; allow (proxy) userdn = "ldap:///cn=puser,ou=DSAME Users,ugldapbasedn";)

dn: dctreebasedn
changetype: modify
add: aci
aci: (target="ldap:///dctreebasedn")(targetattr="*") (version 3.0; acl "S1IS special dsame user rights for all under the root suffix"; allow (all) userdn ="ldap:///cn=dsameuser,ou=DSAME Users,ugldapbasedn";)

dn: dctreebasedn
changetype: modify
add: aci
aci: (target="ldap:///dctreebasedn")(targetattr="*") (version 3.0; acl "S1IS Top-level admin rights"; allow (all) roledn = "ldap:///cn=Top-level Admin Role,ugldapbasedn";)
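Because the ACIs above are loaded as-is by ldapmodify, a placeholder left unreplaced or a right granted more broadly than intended is not caught until something breaks or, worse, until a role can write where it should only read. The following script is an added example (not Delegated Administrator code) that serves both the usergroup.ldif step and the additional DC Tree ACIs above: it substitutes the suffixes, refuses to emit LDIF that still contains a placeholder, and summarises which rights each ACI allows or denies to which subject so the result can be reviewed before it is loaded. The aci values are copied from the snippets above; the suffix values are constructed.

```python
import re

# Placeholders used by the Delegated Administrator LDIF templates above.
PLACEHOLDERS = ("ugldapbasedn", "dctreebasedn")

# The two usergroup.ldif ACIs and the three additional DC Tree ACIs quoted
# above (dn/changetype/add lines omitted; only the aci values matter here).
USERGROUP_ACIS = r'''
aci: (target="ldap:///($dn),ugldapbasedn")(targetattr="*") (version 3.0; acl "Organization Admin Role access deny to org node"; deny (write,add,delete) roledn = "ldap:///cn=Organization Admin Role,($dn),ugldapbasedn";)
aci: (target="ldap:///($dn),ugldapbasedn")(targetattr="*") (version 3.0; acl "Organization Admin Role access allow read to org node"; allow (read,search) roledn = "ldap:///cn=Organization Admin Role,($dn),ugldapbasedn";)
'''
DCTREE_EXTRA_ACIS = r'''
aci: (target="ldap:///dctreebasedn")(targetattr="*") (version 3.0; acl "S1IS Proxy user rights"; allow (proxy) userdn = "ldap:///cn=puser,ou=DSAME Users,ugldapbasedn";)
aci: (target="ldap:///dctreebasedn")(targetattr="*") (version 3.0; acl "S1IS special dsame user rights for all under the root suffix"; allow (all) userdn ="ldap:///cn=dsameuser,ou=DSAME Users,ugldapbasedn";)
aci: (target="ldap:///dctreebasedn")(targetattr="*") (version 3.0; acl "S1IS Top-level admin rights"; allow (all) roledn = "ldap:///cn=Top-level Admin Role,ugldapbasedn";)
'''

# Matches the single-clause ACI shape used in all five entries above.
ACI_RE = re.compile(
    r'\(target="(?P<target>[^"]*)"\)\s*\(targetattr="(?P<targetattr>[^"]*)"\)\s*'
    r'\(version 3\.0;\s*acl "(?P<acl>[^"]*)";\s*'
    r'(?P<effect>allow|deny)\s*\((?P<rights>[^)]*)\)\s*'
    r'(?P<subject_type>userdn|roledn)\s*=\s*"(?P<subject>[^"]*)";\s*\)'
)


def render(template, **suffixes):
    """Substitute real suffixes for the placeholders and refuse to return text
    that still contains one: an unreplaced placeholder becomes an ACI whose
    target or subject DN points nowhere, or somewhere unintended."""
    out = template
    for name, value in suffixes.items():
        out = out.replace(name, value)
    leftover = [p for p in PLACEHOLDERS if p in out]
    if leftover:
        raise ValueError("unreplaced placeholder(s): " + ", ".join(leftover))
    return out


def parse_acis(ldif_text):
    """Extract every aci value into a dict: acl name, target, effect, rights, subject."""
    return [{
        "acl": m.group("acl"),
        "target": m.group("target"),
        "targetattr": m.group("targetattr"),
        "effect": m.group("effect"),
        "rights": tuple(r.strip() for r in m.group("rights").split(",")),
        "subject": m.group("subject_type") + "=" + m.group("subject"),
    } for m in ACI_RE.finditer(ldif_text)]


def rights_summary(acis, subject_fragment):
    """Sorted (allowed, denied) right names over the ACIs whose subject DN
    contains subject_fragment, e.g. 'Organization Admin Role' or 'dsameuser'."""
    allowed, denied = set(), set()
    for aci in acis:
        if subject_fragment in aci["subject"]:
            (allowed if aci["effect"] == "allow" else denied).update(aci["rights"])
    return sorted(allowed), sorted(denied)


def review(ldif_text):
    """One line per ACI, for reading through before ldapmodify loads the file."""
    return ["%-5s %-18s on %s for %s" % (a["effect"], ",".join(a["rights"]),
                                        a["target"], a["subject"])
            for a in parse_acis(ldif_text)]


if __name__ == "__main__":
    # Constructed suffixes matching the examples elsewhere on this page.
    ug = render(USERGROUP_ACIS, ugldapbasedn="o=siroe.com,dc=siroe,dc=com")
    dc = render(DCTREE_EXTRA_ACIS, ugldapbasedn="o=siroe.com,dc=siroe,dc=com",
                dctreebasedn="o=internet")
    for line in review(ug) + review(dc):
        print(line)
    print(rights_summary(parse_acis(ug), "Organization Admin Role"))
```

The summary for "Organization Admin Role" should come back as read and search allowed, write, add and delete denied, on every node under the suffix; if a local edit to the template changes that, the review output shows it before the ACI is live. The same check makes the breadth of the dsameuser and Top-level Admin Role grants (all rights under the DC Tree root) explicit rather than buried in one long line.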
Set the com.iplanet.am.domaincomponent property in the AMConfig.properties file to your DC Tree root suffix.
For example, modify the following line in the AM_base_directory/lib/AMConfig.properties file:
from
com.iplanet.am.domaincomponent=o=isp
to
com.iplanet.am.domaincomponent=o=internet
Enable Access Manager to use compatibility mode.
In the Access Manager Console, in the Administration Console Service Page, check (enable) the Domain Component Tree Enabled check box.
Add the inetdomain object class to all the DC Tree nodes (such as dc=com,o=internet), as shown in the following example:
/var/mps/server_root/shared/bin 298% ./ldapmodify -D "cn=Directory Manager" -w password
dn: dc=com,o=internet
changetype: modify
add: objectclass
objectclass: inetdomain
Restart the Web container.