User and group management


The Netscape® administration server lets you manage the users and groups that access the services provided by your Netscape servers. Because you manage users and groups from the administration server, you use the same interface for user and group management regardless of the type of servers or the number of servers that you are running at your site. This common management scheme provides simplified server administration by letting you maintain a single directory of users for all your Netscape servers.

This chapter contains basic information about the differences between using a local database, an LDAP directory service, and Novell® Directory Services.

Note
For more information about implementing LDAP with Novell Directory Services, visit http://www.support.novell.com.

The directory service

Under General Administration, the Users & Groups area is actually an interface to a directory service. Directory services are a type of software that allows you to maintain information, such as contact information or identification information for the people in your organization. You use a directory service in the administration server to store user information, such as user IDs, e-mail addresses, and certificates. This information is typically used when controlling access to a server.

You have a choice of the type of directory service you can use with your administration server: You can use a local directory, a Netscape Directory Server LDAP, or Novell Directory Services, which is a new option available for the Novell administration server. When configured to use Novell Directory Services, users and groups are maintained by NetWare® administration utilities. Thus the Users & Groups area of the administration server is disabled. However, in this mode, all access control comes from NetWare file system trustees rights and available Novell Directory Services usernames and passwords for http authentication.

The local directory

The Netscape local directory is bundled with each administration server, and it provides many of the core directory functions available from the directory server. The local directory is intended for sites running a stand-alone Netscape server, such as an Enterprise Server, FastTrack Server, or Messaging Server.

The local directory has the following limitations when compared to the Netscape Directory Server LDAP:

You can use only two of the directory server's command-line utilities with the local directory: ldapsearch, which allows you to search the directory; and ldapmodify, which allows you to add, delete, and modify directory entries.

Netscape Directory Server

Based on an open-systems server protocol called the Lightweight Directory Access Protocol (LDAP), Netscape Directory Server is a versatile, scalable server designed to manage an enterprise-wide directory of users and resources. Using the directory server, you can manage all of your user information from a single source. You can also configure the directory server to allow your users to retrieve directory information from multiple, easily accessible network locations.

The use of a directory server to manage your servers' users and groups is recommended for large organizations consisting of up to one million users. Directory server is also ideal for organizations spread across physically different locations and for organizations where balancing the access load to their directory is important. Finally, the directory server is recommended for those organizations interested in enhancing directory availability by placing their directory services on multiple servers.

For more information about the directory server or about directory services in general, see the Administrator's Guide, which comes with the Netscape Directory Server.

Novell Directory Services

Novell Directory Services (NDS) is installed with every NetWare 4.x system during setup and provides a repository for user and group information that is used to control access to NetWare server resources. Both the Netscape Enterprise and FastTrack Servers provide a native NDS integration mode that allows access to web resources to be protected by native NetWare file system trustee assignments and allows users to login from an http client using their NDS usernames and passwords.

HTTP access to a file or resource in Novell Directory Services mode is evaluated using NetWare file system trustee assignments depending on the http method used. Table 6.1 defines the NetWare file system trustees required to grant access to web resources in Novell Directory Services mode given an http method.

HTTP method   NetWare trustee assignment required for access
GET           Read
PUT           Create on parent directory if file is being created or Write if file is being replaced
MKDIR         Create
EDIT          Write
HEAD          File Scan
DELETE        Erase
POST          Read on the CGI executable file
INDEX         File Scan
MOVE          Erase and Read on source, Create on destination
COPY          Read on source, Create on destination
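The following is an added example, not code from the Netscape or Novell documentation. It models the rule set in Table 6.1 as a small policy evaluator: given an HTTP method and the trustee rights an authenticated NDS user holds on the paths involved (the target file, its parent directory, a move or copy source and destination, or the CGI executable), it reports whether the request would be granted and which rights are missing. The path-role names and the sample rights are assumptions made for the example.

```python
"""Added example: the Table 6.1 trustee rules as a checkable policy.
Path roles ("target", "parent", "source", "destination", "cgi") are an
assumption of this example, not terms used by the server."""

# Trustee rights named in Table 6.1
READ, WRITE, CREATE, ERASE, FILE_SCAN = "Read", "Write", "Create", "Erase", "File Scan"


def required_rights(method, file_exists=True):
    """Return a dict mapping each path role to the set of trustee rights
    Table 6.1 requires for `method`. `file_exists` only matters for PUT:
    Create on the parent directory when creating, Write on the file when
    replacing."""
    method = method.upper()
    table = {
        "GET": {"target": {READ}},
        "MKDIR": {"target": {CREATE}},
        "EDIT": {"target": {WRITE}},
        "HEAD": {"target": {FILE_SCAN}},
        "DELETE": {"target": {ERASE}},
        "POST": {"cgi": {READ}},
        "INDEX": {"target": {FILE_SCAN}},
        "MOVE": {"source": {ERASE, READ}, "destination": {CREATE}},
        "COPY": {"source": {READ}, "destination": {CREATE}},
    }
    if method == "PUT":
        return {"target": {WRITE}} if file_exists else {"parent": {CREATE}}
    if method not in table:
        raise ValueError("no trustee rule for HTTP method %r" % method)
    return table[method]


def evaluate(method, held, file_exists=True):
    """`held` maps path roles to the trustee rights the authenticated NDS user
    holds there. Returns (allowed, missing), where `missing` lists the
    (role, right) pairs that would have to be granted for the request to pass."""
    missing = []
    for role, rights in required_rights(method, file_exists).items():
        for right in sorted(rights):
            if right not in held.get(role, set()):
                missing.append((role, right))
    return (not missing, missing)


if __name__ == "__main__":
    # Constructed sample: the user holds Read and File Scan on a file and
    # nothing on its parent directory.
    rights = {"target": {READ, FILE_SCAN}, "parent": set()}
    print(evaluate("GET", rights))          # (True, [])
    print(evaluate("PUT", rights, False))   # (False, [('parent', 'Create')])
```

The evaluator is deny-by-default: an HTTP method without a row in the table raises rather than passing, and every required right on every involved path must be present, which is the property a reviewer would want to confirm before exposing a NetWare volume through the web server.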

When Novell Directory Services mode is selected,

Note
Novell Directory Services provides an intranet solution that allows access to file system resources via browsers. Novell Directory Services mode is not recommended as a configuration.

Directory service clients

You must use a directory service client to obtain information from and to put information into a directory service. If you are using the Netscape Directory Server, then any directory client that can use the LDAP protocol can use your directory. This is one of the primary differences between a true directory service and the local database bundled with the administration server; the database can communicate only with the local administration server, whereas the directory server can communicate with any LDAP-capable client.

Gateways

The administration server is actually a type of directory service client known as a gateway. The administration server acts as a gateway between the communication protocol used by your web browser (HTML) and the protocol used by the directory server (LDAP). Of course, if you are using the local database, then the gateway skips the LDAP protocol and accesses the local database directly.

When you first install your administration server, you must configure your server to communicate either with the local directory or with the directory server. If you use a directory server, you need to make sure it has at least one user account that the administration server can access. This is usually the administration server superuser account. Beyond that, you'll experience no difference when using the Users & Groups forms.

For more information on how to use the Users & Groups forms, see the online documentation that is available with your administration server.

Command-line clients

Both the directory server and the Netscape local directory offer command-line utilities that allow you to search the directory and perform directory modifications from the command line. This allows you to create custom shell scripts or batch files to perform routine, automated tasks on your directory.

The local directory provides two tools for your use: ldapmodify and ldapsearch. These are actually identical to the ldapmodify and ldapsearch command-line tools shipped with the directory server, except that the -C option has been added so that they can work with the local directory. Netscape Directory Server provides many command-line tools to help you administer and maintain your directory. NetWare Administrator provides the Novell Directory Services to maintain the directory. The NetWare Administrator and Rights.wxe maintain file system trustees.

For more information on the ldapmodify and ldapsearch command-line tools bundled with your administration server, see the online documentation. For more information on the command-line tools bundled with the directory server, see the Administrator's Guide.

Authenticating users to directory services

Anytime you perform an operation on a directory service, you must identify yourself to the service. This identification process is known as authentication. You can also think of this process as logging into the directory service.

Authentication allows a directory service to know if you have sufficient permissions to perform operations in the directory. Examples of directory operations are

Usually authentication is not required if all you want to do is search the directory. When you access a directory without providing authentication credentials, you are performing anonymous access.

When you login to the administration server, the username and password that you provide are automatically used by the Users & Groups forms when they communicate with a directory server.

Note
If you need to change your superuser password, make sure you change it in the directory server before you change it in the administration server.
For information on allowing anonymous access to the directory server, see the Netscape Directory Server Administrator's Guide.

Distinguished names

A distinguished name (DN) is the string representation for the name of an entry in a directory server or in a local directory. You use DNs when naming entries using the LDAP Data Interchange Format (LDIF) and the LDAP command-line clients, and when configuring the directory server and so forth.

Traditionally, a DN consists of the following items, in this order:

This string of identifying attributes uniquely locates the entry within your directory. If you choose, you can also use this naming structure to uniquely identify your entries within the global directory tree as defined in the X.500 standard.

Distinguished name syntax

The traditional syntax for a DN string representation is the following:

cn=common name, street=address, l=locality, st=state or province, ou=organizational unit, o=organization, c=country name

A DN can consist of virtually any attributes you want to use. However, if you are using the Netscape Directory Server and schema checking is turned on, then the attributes must be recognized by the directory server, and the attribute must be allowed by the entry's object classes.

For more information on object classes and attributes, and your directory server's schema, see Appendix A of the online documentation.

Generally, however, a DN begins with a specific common name and gives increasingly broader areas of identification, ending with the country name. However, the DN attributes you use and the order in which you organize them is up to you. The only requirement is that DN attributes must be separated by a comma and can optionally use a space following the separator.

Using uid-based distinguished names

One common variation on the traditional distinguished name identified here is to use a user ID (uid) in the place of a common name (cn). Because user IDs are typically unique values across an enterprise, basing your distinguished name on user IDs allows you to avoid cn collision problems caused by people who share the same name. By default, the administration server uses cn-based distinguished names, but you can change this behavior so that it creates uid-based distinguished names instead. You do this by editing the file:

<server_root>/admin-serv/config/dsgw-orgperson.conf

and setting the useUidForDN variable to true.

Distinguished name usage

Once you have organized your directory structure, you must always specify the DN attributes in the same order because a DN represents a path through the directory tree. For example, the following DNs do not represent the same entry:

cn=Ralph Swenson, ou=Accounting, o=Ace Industry, c=US
cn=Ralph Swenson, o=Ace Industry, ou=Accounting, c=US

Also, distinguished names representing branch points in the directory do not typically begin with a common name value. Rather, they usually begin with some subelement in the directory path. For example, if your directory contained entries of the form

cn=name, ou=Marketing, o=Ace Industry, c=US

then your directory would also contain the entries

o=Ace Industry, c=US
ou=Marketing, o=Ace Industry, c=US

These two entries must appear in the directory before the entries represented by a common name can appear.

For more information on your directory's organization, see "Planning your directory structure."

Distinguished name examples

The following are some examples of distinguished names:

cn=Wally Henderson,ou=Product Development,o=Bait and Tackle Inc, st=Minnesota,c=US
cn=Ashley Sweeny, ou=Product Test, o=Bait and Tackle Inc, st=Michigan, c=US
cn=printer3b, l=room 308, o=Acme Programming Ltd, c=US

Distinguished name attributes

The various standard attributes that comprise a DN are listed in the following table:

Attribute   Name                    Definition
c           country                 Identifies the name of the country under which the entry resides. Must be the two-letter country code, for example, c=US or c=GB.
cn          common name             Identifies the person or object defined by the entry, for example, cn=Wally Henderson, cn=Database Administrators, or cn=printer3b.
uid         user ID                 Identifies the person or object defined by the entry. DNs based on uids are often preferred over cn-based DNs because they avoid duplicated distinguished names caused by people who share the same name.
l           locality                Identifies the locality in which the entry resides. The locality could be a city, county, township, or other geographic region, for example, l=Tucson, l=Pacific Northwest, or l=Anoka County.
o           organization            Identifies the organization in which the entry resides, for example, o=Netscape Communications Corp or o=Public Power & Gas.
ou          organizational unit     Identifies a unit within the organization, for example, ou=Sales or ou=Manufacturing.
st          state or province name  Identifies the state or province in which the entry resides, for example, st=Iowa or st=British Columbia.
street      street address          Identifies the street address at which the entry resides, for example, street=494 Rice Creek Terrace.

Using commas in distinguished names

If a distinguished name contains a comma, then the part of the name that uses the comma must also be enclosed in double-quotation marks. For example, to include the string Ace Industry, Corp in your distinguished name, type it as follows:

	o="Ace Industry, Corp", c=US
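The following is an added example, not code from the Netscape documentation, covering the DN rules from the preceding sections in one place: the comma-separated syntax with its optional space after the separator, the double-quoted form for a value that itself contains a comma, the fact that attribute order decides which entry a DN names, the branch-point entries that must exist above a leaf, and the cn-based versus uid-based naming selected by useUidForDN. The function names, the sample DNs and the uid values are constructed for the example.

```python
"""Added example: a parser and a few helpers for the traditional DN syntax
described in this chapter. Function names are this example's own."""


def parse_dn(dn):
    """Split a DN string into an ordered list of (attribute, value) pairs.
    A comma inside a double-quoted value does not split the DN; the quotes
    themselves are dropped from the stored value. Attribute names are
    lower-cased; values are kept exactly as written."""
    parts, buf, quoted = [], [], False
    for ch in dn:
        if ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    if quoted:
        raise ValueError("unbalanced double quote in DN: %r" % dn)
    parts.append("".join(buf))
    pairs = []
    for part in parts:
        attr, sep, value = part.strip().partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError("malformed DN component: %r" % part)
        pairs.append((attr.strip().lower(), value.strip()))
    return pairs


def format_dn(pairs):
    """Re-emit pairs in the documented form ("attr=value, attr=value"),
    wrapping any value that contains a comma in double quotes."""
    out = []
    for attr, value in pairs:
        if "," in value:
            value = '"%s"' % value
        out.append("%s=%s" % (attr, value))
    return ", ".join(out)


def same_entry(dn_a, dn_b):
    """Two DNs name the same entry only if the same attributes and values
    appear in the same order; spacing after the separator does not matter."""
    return parse_dn(dn_a) == parse_dn(dn_b)


def ancestor_dns(dn):
    """Branch-point entries that must exist above `dn`, listed from the
    root downward (e.g. o=..., c=US before ou=..., o=..., c=US)."""
    pairs = parse_dn(dn)
    return [format_dn(pairs[i:]) for i in range(len(pairs) - 1, 0, -1)]


def person_dn(cn, uid, base_dn, use_uid_for_dn=False):
    """Build a person entry's DN under base_dn: cn-based by default, or
    uid-based when use_uid_for_dn is set (the useUidForDN behaviour)."""
    rdn = ("uid", uid) if use_uid_for_dn else ("cn", cn)
    return format_dn([rdn] + parse_dn(base_dn))


if __name__ == "__main__":
    # Constructed sample DNs from the chapter's examples
    print(parse_dn('o="Ace Industry, Corp", c=US'))
    print(same_entry("cn=Ralph Swenson, ou=Accounting, o=Ace Industry, c=US",
                     "cn=Ralph Swenson, o=Ace Industry, ou=Accounting, c=US"))
    print(ancestor_dns("cn=name, ou=Marketing, o=Ace Industry, c=US"))
    print(person_dn("Ralph Swenson", "rswenson", "o=Ace Industry, c=US", True))
```

Note that the parser rejects an unbalanced quote and a component without an equals sign instead of guessing, since a DN that parses differently on two systems is exactly how an access-control rule ends up pointing at the wrong entry.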

Planning your directory structure

Directories are usually organized in a tree-like structure. The top of the tree is known as the root, for example,


Notice that there are several branch points in the tree below the root. These branch points usually represent major organizational units within the larger organization. For example, if you work at a corporation, then your company is probably subdivided into organizations, such as marketing, sales, product development, and so forth. Each of these organizations may themselves contain further subdivisions, such as product development for Widget 1, product development for Widget 2, and so forth. An organizational unit, then, is a large, relatively static division or unit within your organization.

For information on how to create branch points in your directory, see "Creating organizational units" in the administration server online documentation.

The following sections discuss the pros and cons of creating subdivisions within your directory.

Disadvantages of organizational units

Be aware that the flatter the structure of a directory, the easier your directory is to manage. The following are some of the reasons:

If you are using Netscape Directory Server, then you can create tools to perform these tasks, either by using shell scripts or batch files to call the appropriate command-line utilities or by writing programs that make use of the Netscape Directory Server client SDK.

Advantages of organizational units

A directory tree with many subdivisions has many advantages. An obvious one is that you can easily search for everyone who works for a specific organization. If you are using a directory server, there are several other benefits to a subdivided directory:

For information on replication and directory access control, see the Administrator's Guide.

Recommendations for using organizational units

A flat directory structure is the easiest to administer, but not necessarily the easiest to use. You should therefore consider the following when planning your directory:

Configuring directory services

To organize your users and groups, you can choose the local directory, Netscape Directory Server LDAP, or Novell Directory Services. When you first install your administration server, you configure the server to use either the local directory or a directory server. You can also change this configuration after the administration server is installed. The following sections describe how to configure your administration server to use these three directory services.

Using the local directory

To configure a local directory, perform the following:

  1. Under General Administration, click Global Settings | Configure Directory Service.
  2. Select Local Database.
  3. A dialog box appears to warn you that you will lose your directory service configuration information. Click OK.
  4. In the Base DN field, type the distinguished name that will be used as a suffix for your local directory and also as the point from which directory lookups will occur by default.
    An example of a suffix that you could enter here is

    o=your company name, c=US

    If you do not enter a value in this field, then your suffix will be a null string, and all searches will begin from the top or root point of the directory.

  5. Click Save Changes.

Using Netscape Directory Server LDAP

To configure a Netscape Directory Server LDAP, perform the following:

  1. Under General Administration, click Global Settings | Configure Directory Service.
  2. Click LDAP Directory Server.
  3. A dialog box appears to confirm that you want to use a Directory Server. Click OK.
  4. In the Host Name field, type the host name where the directory server is running. You must enter a host name even if the directory server is running on the local machine.
  5. In the Port field, type the port number if your directory server is using a port other than the default port number 389. If you are going to use SSL communications with a directory server, then you should enter the port number that the directory server is using for SSL communications. By default, this is port number 636.
    For information on SSL, see the Netscape Directory Server Administrator's Guide.

  6. In the Base DN field, type the distinguished name that will be the point from which directory lookups will occur by default and will be the location where all the administration server's entries will be placed in your directory tree.
    An example of a base DN that you could enter here is

    o=your company name, c=US

    For more information on distinguished names, LDAP searches, and base DNs, see the Administrator's Guide.

  7. In the Bind DN field, type the Bind DN that the administration server will use to initially bind (or login) to the directory server. This bind DN only requires read and search access to the directory. Because this DN and associated password (if any) is easily compromised, it is best to simply leave this field blank and then set up your directory server to allow anonymous search access. If you do not want to allow anonymous search access to your directory, then specify a bind DN entry here that only has read and search access to your directory. Do not specify your directory server's unrestricted user (Root DN) in this field.

Note
This bind DN is used only to initially search for the username you typed in the administration server authentication dialog box. Once the entry corresponding to this username is located, the administration server rebinds to the directory server using the retrieved entry. Therefore, if the username you supplied when you first logged into the administration server does not have access to the directory server, you will not have any access to the directory server, regardless of the bind DN information provided in this field.

For more information on how the administration server binds to the directory server, see "Logging in to the administration server". For information on granting permissions to a directory server entry, see the Administrator's Guide.

  8. In the Bind Password field, type the password for the Bind DN entry, if you have entered a bind DN in the previous field.
  9. Click Save Changes. The changes take effect immediately.

Note
If you change directory service from a local file to a directory server and vice versa, you need to restart all Netscape servers, including the administration server.
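The following is an added example, not code from the Netscape documentation. It simulates, against a small in-memory directory, the two-step bind described in the note above (bind as the configured Bind DN or anonymously, search for the user's entry, then rebind as that entry) so that the consequence of the note is visible: a user whose own entry cannot bind gets no access however privileged the Bind DN is. It also checks a configuration against the guidance in steps 4, 5 and 7. The directory contents, DNs, host name and passwords are constructed samples, and no real LDAP library is used.

```python
"""Added example: the administration server's search-then-rebind flow and a
configuration check, run against a constructed in-memory directory."""

# Constructed directory: DN -> entry attributes. An entry without a
# userPassword cannot bind, which stands in here for "no access to the
# directory server".
DIRECTORY = {
    "cn=Directory Manager": {"userPassword": "constructed-root-secret"},
    "uid=search-proxy, ou=Services, o=Ace Industry, c=US": {"userPassword": "proxy-pw"},
    "uid=admin, ou=People, o=Ace Industry, c=US": {"uid": "admin", "userPassword": "admin-pw"},
    "uid=jdoe, ou=People, o=Ace Industry, c=US": {"uid": "jdoe"},
}


def bind(dn, password):
    """Anonymous bind when dn is empty; otherwise the entry must exist and
    hold a matching password."""
    if not dn:
        return True
    entry = DIRECTORY.get(dn)
    return entry is not None and entry.get("userPassword") == password


def search_uid(base_dn, uid):
    """Return the DN of the entry below base_dn whose uid matches, or None."""
    for dn, entry in DIRECTORY.items():
        if dn.endswith(base_dn) and entry.get("uid") == uid:
            return dn
    return None


def authenticate(config, username, password, allow_anonymous_search=True):
    """Step 1: bind as the configured Bind DN (or anonymously) and locate the
    user's entry. Step 2: rebind as that entry with the user's own password.
    Returns (ok, detail); detail is the user's DN on success, else a reason."""
    bind_dn, bind_pw = config.get("bind_dn", ""), config.get("bind_pw", "")
    if not bind_dn and not allow_anonymous_search:
        return False, "anonymous search not permitted and no bind DN configured"
    if not bind(bind_dn, bind_pw):
        return False, "initial bind as %r failed" % bind_dn
    user_dn = search_uid(config["base_dn"], username)
    if user_dn is None:
        return False, "no entry for uid %r under %r" % (username, config["base_dn"])
    if not bind(user_dn, password):
        return False, "rebind as %r failed; the bind DN grants no access" % user_dn
    return True, user_dn


def config_warnings(config, root_dn):
    """Flag settings the configuration steps advise against or that break
    the setup: Root DN as bind DN, bind DN without a password, SSL on the
    cleartext default port, or a missing host name."""
    warnings = []
    if config.get("bind_dn") == root_dn:
        warnings.append("bind DN is the directory's unrestricted user (Root DN)")
    if config.get("bind_dn") and not config.get("bind_pw"):
        warnings.append("bind DN set without a bind password")
    if config.get("ssl") and config.get("port") == 389:
        warnings.append("SSL requested but port is the cleartext default 389")
    if not config.get("host"):
        warnings.append("host name is required even for a local directory server")
    return warnings


if __name__ == "__main__":
    # Constructed configuration: anonymous search, default port, no SSL
    cfg = {"host": "ldap.example.test", "port": 389,
           "base_dn": "o=Ace Industry, c=US", "bind_dn": "", "bind_pw": ""}
    print(authenticate(cfg, "admin", "admin-pw"))   # (True, 'uid=admin, ...')
    print(authenticate(cfg, "jdoe", "anything"))    # (False, 'rebind as ... failed ...')
    print(config_warnings(dict(cfg, bind_dn="cn=Directory Manager",
                               bind_pw="constructed-root-secret"), "cn=Directory Manager"))
```

The `jdoe` case is the one the note is about: the search succeeds because the proxy (or anonymous) bind can read the directory, but the user's own entry cannot bind, so the login fails regardless of the Bind DN.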

Using Novell Directory Services

To configure the Enterprise and FastTrack Servers to utilize Novell Directory Services, perform the following:

  1. Under General Administration, click Global Settings | Configure Directory Service.
  2. Select Novell Directory Services.
  3. A dialog box appears to confirm that you want to use Novell Directory Services. Click OK.
  4. A Novell Directory Services treename will be displayed that represents the tree used by the server on which the admin server is hosted.
  5. The Search Context List box allows an administrator to specify multiple Novell Directory Services contexts in which to search for users during authentication. This allows users to specify a relative distinguished name, much like a uid for LDAP directories that provide a noncontextual type of login. The user search starts at the first context and continues until the relative name provided by the user is found.
  6. Click Insert Context to add a new search context.
  7. Click Remove Context to remove one or more search contexts.
  8. Click Float Context to move the selected context to a higher priority context.
  9. Click Save Changes.

If you change directory service from a local or remote LDAP directory to Novell Directory Services, you need to restart all Netscape servers. The administration server does not need to be restarted because its configuration is dynamically updated to refer to the Novell Directory Services operation mode.

Note
Novell Directory Services does not allow public access to files. All users must be authenticated before receiving any content.