SecretStore Service Objects

This topic explains how SecretStore server components, workstation components, and eDirectory objects work together. This background prepares you for installing, setting up, managing, using, and troubleshooting SecretStore.

SecretStore: A Container object, located within eDirectory's security container, that can hold default SecretStore service settings.

This object is automatically named SecretStore and placed in the Security container.

The SecretStore system requires at least one SecretStore Container object. The SecretStore object can contain sssServerPolicyOverride objects.

The following figure illustrates a SecretStore object.

The SecretStore Object in ConsoleOne

sssServerPolicyOverride object: An object that enables you to customize access to applications according to the needs of groups or users in different parts of the tree.

sssServerPolicyOverride objects reside in the SecretStore Container object. Each sssServerPolicyOverride object must take the name of the context that the Group or User objects are in.

As the next step, configure the server that services the replicas of that container to load with the /o= option on the command line, so that it uses the override object DN for the users in that container, as shown in the following example:

load sss /o=RSDev.digitalairlines.SecretStore.Security

This configuration permits the server to advertise itself to the root of the partition with the specified override object DN. To minimize the amount of tree walking by the SecretStore client, you can define the sssServerPolicyOverrideDN attribute on individual users, organizational units, organizations, and so on. The SecretStore client reads this attribute, searches the root of the partition for a server that supports that override configuration, and then connects the user to that read/write replica for SecretStore access.
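As an added illustration of the naming rule above (example code, not NetIQ's or the product's own), the following Python helper derives the sssServerPolicyOverride object name and the matching load line from a user's context DN, and flags a configured sssServerPolicyOverrideDN value that does not follow the rule. It assumes dotted eDirectory DNs with optional type prefixes and no escaped dots; the user DN is constructed.

```python
# Added example: models the page's rule that an sssServerPolicyOverride
# object is named after the context holding the users and lives in the
# SecretStore container under Security. Not product code; assumes dotted
# eDirectory DNs (typed or typeless) without backslash-escaped dots.

SECRETSTORE_CONTAINER = "SecretStore.Security"


def typeless(dn):
    """Split a dotted eDirectory DN into typeless name components."""
    parts = []
    for comp in dn.split("."):
        comp = comp.strip()
        if "=" in comp:                     # strip cn=, ou=, o= prefixes
            comp = comp.split("=", 1)[1]
        parts.append(comp)
    return parts


def override_name_for(user_dn):
    """Name the override object must have for this user's context
    (the user's DN minus its leaf component)."""
    return ".".join(typeless(user_dn)[1:])


def override_dn_for(user_dn):
    """Full DN of the override object, inside SecretStore.Security."""
    return "%s.%s" % (override_name_for(user_dn), SECRETSTORE_CONTAINER)


def load_command_for(user_dn):
    """The /o= load line the server for this context should use."""
    return "load sss /o=" + override_dn_for(user_dn)


def check_override_dn(user_dn, configured_dn):
    """Return a list of problems with a configured sssServerPolicyOverrideDN
    for this user; an empty list means it matches the naming rule."""
    problems = []
    expected = override_dn_for(user_dn)
    got = ".".join(typeless(configured_dn))
    if not got.endswith("." + SECRETSTORE_CONTAINER):
        problems.append("override object is not inside " + SECRETSTORE_CONTAINER)
    elif got != expected:
        problems.append("override name does not match user context: "
                        "expected %s, got %s" % (expected, got))
    return problems


if __name__ == "__main__":
    user = "cn=jdoe.ou=RSDev.o=digitalairlines"   # constructed sample user
    print(load_command_for(user))
    print(check_override_dn(user, "digitalairlines.SecretStore.Security"))
```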

The following figure illustrates an sssServerPolicyOverride object:

An sssServerPolicyOverride Object in ConsoleOne

Scenario. You want to provide more liberal restrictions for groups and users in the RSDev context, which resides in the digitalairlines Organization object. In ConsoleOne, you create a new sssServerPolicyOverride object, name it RSDev.digitalairlines, and configure server options for this new object.

The following figure illustrates the name-and-context relationship.

An sssServerPolicyOverride Object for a Specific Context