Configuring users and groups

his chapter describes how to use the forms in the general administration Users & Groups area. This chapter covers creating and managing users, groups, and organizational units; importing a directory from LDIF; and exporting a database to LDIF.

Note

If you are using Novell Directory Services mode, you must use the Netware® administration tools to manage users and groups.

Creating users

To create a user entry within the directory, perform the following:

Under General Administration, click Users & Groups | New User.
In the appropriate fields, type the requested information. At a minimum, you must specify the user's

Note

If you enter a given name (or first name) and a surname, then the gateway automatically fills in the user's full name and user ID for you. The user ID is generated as the first initial of the user's first name followed by the user's last name. For example, if the user's name is Babs Jensen, then the user ID is automatically set to bjensen. You can replace this user ID with an ID of your own choice if you wish.

The user ID must be unique. The administration server ensures that the user ID is unique by searching the entire directory from the search base (base DN) down to see if the user ID is in use. Be aware, however, that if you use the ldapmodify command-line utility to create a user, it does not ensure unique user IDs. If duplicate user IDs exist in your directory, the effected users will not be able to authenticate to the directory.

Click Create User to add a user and immediately return to the New User form.
Click Create and Edit User to add a user and then proceed to the Edit User form for the user you have just added.

For information on editing users, see "Managing users."

Notes on user entries

The following notes may be of interest to the directory administrator concerning creating user entries:

User entries use the inetOrgPerson, organizationalPerson, and person object classes. For more information on how these are used, see "Object Classes and Attributes" (Appendix A).
By default, the distinguished name for users is of the form:
```
cn=full name, ou=organization, ...,o=base organization, c=country
```
For example, if a user entry for Babs Jensen is created within the organizational unit Engineering, and the directory's suffix is o=Ace Industry, c=US, then the person's DN is
```
cn=Babs Jensen, ou=Engineering, o=Ace Industry, c=US
```
However, you can change this format to a uid-based distinguised name. For information on how to set this default, see "Using uid-based distinguished names."
Suffixes are optional if you are using the local directory. If you did not configure a suffix for your local directory, then you literally use the string "" (quote quote) to represent the search base on calls to ldapsearch.
The values on the user form fields are stored as the following LDAP attributes:

User field

Corresponding LDAP attribute

Given Name

givenName

Surname

sn

Full Name

cn

User ID

uid

Password

userPassword

E-Mail Address

mail

The following fields are also available when editing the user entry:

User field

Corresponding LDAP attribute

Title

title

Telephone

telephoneNumber

For information on these attributes, see "Object Classes and Attributes" (Appendix A).

User field	Corresponding LDAP attribute
Given Name	givenName
Surname	sn
Full Name	cn
User ID	uid
Password	userPassword
E-Mail Address	mail

User field	Corresponding LDAP attribute
Title	title
Telephone	telephoneNumber

Managing users

You edit user attributes from the Manage Users form. From this form you can

find user entries
change user attribute values
change the user's password
manage the user's licenses
rename the user's entry
delete the user's entry
potentially change product-specific information. Some, but not all, Netscape servers add additional forms to this area that allow you to manage product-specific information. For example, if a Messaging Server is installed under your administration server, then an additional form is added that allows you to edit Messaging Server-specific information. See the server documentation for details on these additional management capabilities.

The following sections describe these activities in detail.

For more information regarding user entries when using a directory server, see "Notes on user entries."

Note

It is possible that you will want to change an attribute value that is not displayed by the edit user form. In this situation, use the ldapmodify command-line utility.

You can change the user's first, last, and full name field from this form, but to fully rename the entry (including the entry's distinguished name), you need to use the Rename User form. For more information on how to rename an entry, see "Renaming users."

Managing a user's password

The password you set for user entries is used by the various Netscape servers for user authentication.

To change or create a user's password, perform the following:

Under General Administration, click Users & Groups | Manage Users.
Find the user entry you want. See "Finding user entries" for more information.
Click Password at the top of the user edit form.
Type the new password and then the confirmation password.
Click Set Password. The change takes effect immediately.
Click General to return to the general user information.

You can also disable the user's password by clicking Disable Password. Doing this prevents the user from logging into a Netscape server without deleting the user's directory entry. You can reinstate the password by using the Password Management Form to enter a new password.

Managing user licenses

This area allows you to track which Netscape server products your users are licensed to use.

To manage the licenses available to the user, perform the following:

Under General Administration, click Users & Groups | Manage Users.
Find the user entry you want. See "Finding user entries" for more information.
Click Licenses at the top of the User Edit form.
Check next to the Netscape servers that you want this user to be able to use.
Click Save Changes.
Click General to return to general user information.

Note

Currently Netscape servers do not enforce these licenses.

Renaming users

To rename a user entry, perform the following:

Under General Administration, click Users & Groups | Manage Users.
Find the user entry you want. See "Finding user entries" for more information.
Click Rename User.
Type the new name in the resulting dialog box. If you are using common name-based DNs, specify the user's full name. If you are using uid-based distinguished names, enter the new uid value that you want to use for the entry.
Type the modified given name, surname, full name, or UID fields as is appropriate to match the new distinguished name for the entry. Note that if you are using common name-based distinguished names, and you change the distinguished name to use a new common name, then you should make sure that this new common name is listed as the first choice in the list of full names. This ensures that the appropriate name is displayed when a list is generated that shows this entry.
You can tell the administration server to not retain the old full name or uid values when you rename the entry by setting the keepOldValueWhenRenaming parameter to false. You can find this paramter in the following file:
```
		NSHOME/admin-serv/config/dsgw-orgperson.conf
```

Note

The rename feature changes only the user's name; all other fields are left intact. In addition, the user's old name is still preserved so searches against the old name will still find the new entry.

When you rename a user entry, you can only change the user's name; you cannot use the rename feature to move the entry from one organizational unit to another. For example, suppose you have

organizational units for Marketing and Accounting
an entry named Babs Jensen under the Marketing organizational unit.

You can rename the entry from Babs Jensen to Barbara Jensen, but you cannot rename the entry such that Babs Jensen under the Marketing organizational unit becomes Babs Jensen under the Accounting organizational unit.

To return to the general information form, click General.

Removing users

To delete a user entry, perform the following:

Under General Administration, click Users & Groups | Manage Users.
Find the user entry you want. See "Finding user entries" for more information.
Click Delete User.
Click OK in the resulting confirmation box. The user entry is immediately deleted.

Creating groups

To create a group entry within the directory, perform the following:

Under General Administration, click Users & Groups | New Group.
In the Group Name field, type the group's name. You can optionally also add a description for the group in the Description field.
Click Create Group to add the group and immediately return to the New Group form.
Click Create and Edit Group to add the group and then proceed to the Edit Group form for the group you have just added.
For information on editing groups, see "Editing group attributes."

Managing groups

You edit groups and manage group memberships from the Group Edit form. From this form you can

The following sections describe these activities in detail.

Finding group entries

To find group entries, perform the following:

Under General Administration, click Users & Groups | Manage Groups.
In the Find Group field, type the name of the group that you want to find. You can enter any of the following in the search field:
As an alternative, use the pull-down menus in Find all groups whose to narrow the results of your search.
In the Format field, select either On-Screen or Printer.
Click Find. All the groups matching your search criteria are displayed.
In the resulting table, click the name of the entry you want to edit.

The Find all groups whose field

The Find all groups whose field allows you to build a custom search filter. Use this field to narrow down the search results that are otherwise returned by Find groups.

Find all groups whose provides the following search criteria:

The left-most pull-down list allows you to specify the attribute on which the search is based.

Options are
- Full name: Searches each entry's full name for a match.
- Description: Searches each group entry's description for a match..
In the middle pull-down list, select the type of search you want to perform.

Options are
In the right-most text field, type your search string.

For more information on how to find a group entry, see "Finding group entries."

Editing group attributes

To change a group entry, perform the following:

Under General Administration, click Users & Groups | Manage Groups.
Find the group you want to edit. See "Finding group entries" for more information.
In the Group Edit form, change the displayed fields as desired.
Click Save Changes. The changes are made immediately.

Note

It is possible that you will want to change an attribute value that is not displayed by the group edit form. In this situation, use the ldapmodify command-line utility.

Adding group members

To add members to the group, perform the following:

Under General Administration, click Users & Groups | Manage Groups.
Find the group you want to edit. See "Finding group entries" for more information.
Click Edit under Group Members. A new form is displayed that allows you to search for entries. If you want to add user entries to the list, make sure Users is shown in the Find pull-down menu. If you want to add group entries to the group, make sure Group is shown.
In the right-most text field, type a search string. Type any of the following:
Click Find and Add to find all the matching entries and add them to the group.
If the search returns any entries that you do not want add to the group, check the box in the Remove from list column. You can also construct a search filter to match the entries you want removed and then click Find and Remove.
When the list of group members is complete, click Save Changes. The currently displayed entries are now members of the group.

Adding groups to the group members list

You can add groups (instead of individual members) to the group's members list. Doing so causes any users belonging to the included group to become a member of the receiving group. For example, if Babs Jensen is a member of the Marketing Managers group, and you make the Marketing Managers group a member of the Marketing Personnel group, then Babs Jensen is also a member of the Marketing Personnel group.

To add a group to the members list of another group, add the group as if it were a user entry. See "Adding group members" for more information.

Removing entries from the group members list

To delete an entry from the group members list, perform the following:

Under General Administration, click Users & Groups | Manage Groups.
Find the group you want to edit. See "Finding group entries" for more information.
Click Edit under Group Members.
For each member that you want to remove from the list, check the corresponding box under the Remove from list column.
Alternatively, you can construct a filter to find the entries you want to remove and click Find and Remove. For more information on creating a search filter, see "Adding group members."
Click Save Changes. The entries are deleted from the group members list.

Managing owners

You manage a group's owners list the same way as you manage the group members list. The following table shows you which section to read for more information:


If you want to . . .	Use the steps in . . .
Add owners to the group	"Adding group members"
Add groups to the owners list	"Adding groups to the group members list"
Remove entries from the owners list	"Removing entries from the group members list"

Managing see alsos

If you want to . . .	Use the steps in . . .
Add users to see alsos	"Adding group members"
Add groups to see alsos	"Adding groups to the group members list"
Remove entries from see alsos	"Removing entries from the group members list"

Removing groups

To delete a group, perform the following:

Under General Administration, click Users & Groups | Manage Groups.
Find the group you want to delete. See "Finding group entries" for more information.
Click Delete Group.
Click OK in the resulting confirmation box. The group entry is immediately deleted.

Renaming groups

To rename a group, perform the following:

Under General Administration, click Users & Groups | Manage Groups.
Find the group you want to edit. See "Finding group entries" for more information.
Click Rename Group.
Type the new group name in the resulting dialog box.

Note

When you rename a group entry, you only change the group's name; you cannot use the rename feature to move the entry from one organizational unit to another. For example, suppose you have

organizational units for Marketing and Accounting
a group named Bean Counters under the Accounting organizational unit.

You can rename the group from Bean Counters to Counters of Beans, but you cannot rename the entry such that Bean Counters under the Accounting organizational unit becomes Bean Counters under the Marketing organizational unit.

Creating organizational units

For information on organizational units and how they should be used, see "Planning your directory structure."

To create an organizational unit, perform the following:

Under General Administration, click Users & Groups | New Organizational Unit.
In the Unit Name field, type the name of the organizational unit.
In the Description field, you can optionally type a description of the unit.
Click Create Organizational Unit. The new entry is added immediately.

Notes on organizational units

The following notes may be of interest to the directory administrator:

New organizational units are created using the organizationalUnit object class.
The distinguished name for new organizational units is of the form:
```
ou=new organization, ou=parent organization, ...,o=base organization, 
c=country
```
For example, if you create a new organization called Accounting within the organizational unit West Coast, and your Base DN is o=Ace Industry, c=US, then the new organization unit's DN is
```
ou=Accounting, ou=West Coast, o=Ace Industry, c=US
```

Managing organizational units

You edit and manage organizational units from the Organizational Unit Edit form. From this form, you can

find organizational units
remove organizational units
edit organizational unit attributes
rename organizational units
delete organizational units.

Finding organizational units

To find organizational units, perform the following:

Under General Administration, click Users & Groups | Manage Organizational Units.
In the Find organizational unit field, type the name of the unit you want to find. You can enter any of the following in the search field:
As an alternative, use the pull down menus in Find all units whose to narrow the results of your search.
In the Format field, select either On-Screen or Printer.
Click Find. All the organizational units matching your search criteria are displayed.
In the resulting table, click the name of the organizational unit that you want to find.

The Find all units whose field

The Find all units whose field allows you to build a custom search filter. Use this field to narrow down the search results that are otherwise returned by Find organizational unit:

Find all units whose provides the following search criteria:

The left-most pull-down list allows you to specify the attribute on which the search will be based.

Options are
- Unit name: Search each entry's name for a match.
- Description: Search each organizational unit entry's description for a match..
In the middle pull-down list, select the type of search you want to perform.

Options are

Contains: Causes a substring search to be performed. Entries with attribute values containing the specified search string are returned. For example, if you know an organizational unit's name probably contains the word "Marketing," use this option with the search string "Marketing" to find the organizational unit entry.
Is: Causes an exact match to be found. This option specifies an equality search. Use this option when you know the exact value of an organizational unit's attribute. For example, if you know the exact spelling of the organizational unit's name, use this option.
Iisn't: Returns all the entries whose attribute value does not exactly match the search string. If you want to find all the organizational units in the directory whose name does not contain "Marketing," use this option. Be aware, however, that use of this option can cause an extremely large number of entries to be returned to you.
Sounds like: Causes an approximate, or phonetic, search to be performed. Use this option if you know an attribute's value, but you are unsure of the spelling. For example, if you are not sure if a organizational unit's name is spelled "Sarret's Org," "Sarette's Org," or "Sarett's Org," use this option.
Starts with: Causes a substring search to be performed. Returns all the entries whose attribute value starts with the specified search string. For example, if you know a organizational unit's name starts with "Product," but you do not know the rest of the name, use this option.
Ends with: Causes a substring search to be performed. Returns all the entries whose attribute value ends with the specified search string. For example, if you know a organizational unit's name ends with "Development 1," but you do not know the rest of the name, use this option.

In the right-most text field, type your search string.

For more information on how to find an organizational unit entry, see "Finding organizational units."

Editing organizational unit attributes

To change an organizational unit entry, perform the following:

Under General Administration, click Users & Groups | Manage Organizational Units.
Find the organizational unit you want to edit. See "Finding organizational units" for more information.
In the organizational unit edit form, change the displayed fields as desired.
Click Save Changes. The changes are made immediately.

Note

It is possible that you will want to change an attribute value that is not displayed by the organizational unit edit form. In this situation, use the ldapmodify command-line utility.

Renaming organizational units

To rename an organizational unit entry, perform the following:

Make sure no other entries exist in the directory under the organizational unit that you want to rename.
Under General Administration, click Users & Groups | Manage Organizational Units.
Find the organizational unit you want to edit. See "Finding organizational units" for more information.
Click Rename.
Type the new organizational unit name in the resulting dialog box.

Note

When you rename an organizational unit entry, you can only change the organizational unit's name; you cannot use the rename feature to move the entry from one organizational unit to another. For example, suppose you have

organizational units for Marketing and Accounting
an organizational unit called Widget 1 under the Marketing organizational unit.

You can rename the entry from Widget 1 to Widget 2, but you cannot rename the entry such that Widget 1 under the Marketing organizational unit becomes Widget 1under the Accounting organizational unit.

Deleting organizational units

To delete an organizational unit entry, perform the following:

Make sure no other entries exist in the directory under the organizational unit that you want to rename.
Under General Administration, click Users & Groups | Manage Organizational Units.
Find the organizational unit you want to delete. See "Finding organizational units" for more information.
Click Delete.
Click OK in the resulting confirmation box. The organizational unit is immediately deleted.

Importing a directory from LDIF

If you do not currently have a directory or if you want to add a new subtree to an existing directory, you can use the Users and Groups import function. This function accepts a file containing LDIF and attempts to build a directory or a new subtree from the LDIF entries.

If you are using the Netscape local directory, the import function will optionally overwrite any existing directories. If you are using a directory server and you attempt to import an entry that already exists, then that operation will fail.

To merge LDIF formatted entries into an existing directory (either for a local directory or for directory server), it is best to convert the LDIF to LDIF update statements and use ldapmodify to perform the merge.

To create an new directory or subtree from Users and Groups, perform the following:

Under General Administration, click Users & Groups | Import.
In the Import from LDIF file field, type the full pathname to the LDIF file containing the entries you want to add to your directory.
Check Stop on errors if you want the import to fail completely if any single add operation fails.
If you are using the local directory, then Erase existing database is available to you. Check this field if you want your existing database to be erased when a new directory is imported from LDIF. If Erase existing database is not checked, then the import function will attempt to add the contents of the LDIF file to the existing directory. However, if the import function attempts to add an entry to the directory that already exists, then an error is returned. Whether the import function continues or stops immediately is dependent on whether Stop on errors is checked.
Click Begin Import. The import proceeds immediately.

Exporting a directory to LDIF

You can export your current directory to LDIF using the Users and Groups export function. This function creates an LDIF-formatted file that represents your directory.

To export your directory to an LDIF file, perform the following:

Under General Administration, click Users & Groups | Export.
In the Export to LDIF file field, type the full pathname to the file in which you want the LDIF to be placed. Note that if you do not enter a full pathname here, the file is placed in NSHOME\db\ldap\tools where NSHOME is your administration server's installation root directory.
The Suffix to add field is available if you are exporting a local directory to the directory server. In this situation, you must specify a suffix to successfully import your local directory into directory server.
The suffix you specify must match at least one of the suffixes configured for your directory server.
Click OK. The export proceeds immediately.