Controlling Access with LDAP or a Local Directory

If you are using LDAP or a local directory, you can use the News Server interface to enable access control and create Users and Groups.


Setting Up LDAP

To set up LDAP:

  1. From the General Administration page, click Global Settings > Configure Directory Service > LDAP Directory Server > OK.

  2. In the three fields, type the BASE DN, BIND DN, and BIND password.

    There is only one base DN in LDAP, so choose it carefully.

  3. Restart the NetWare Web Manager by typing nvxadmdn and then nvxadmup at the server console.

  4. Restart the News Server by typing nvxnewdn and nvxnewup at the server console.

  5. From the General Administration page, click the News Server server name button > Preferences > Directory Server Options.

  6. Type the fully distinguished username and password.

    For example, if your user name is admin, the fully distinguished username is cn=admin, o=mycompany. Be sure to use the LDAP-standard comma.

  7. Run the EXTNSCAL.NLM from the server that has both NDS and LDAP running.

    The EXTNSCAL.NLM creates class definitions in NDS so that it works properly with LDAP.

  8. In NetWare Administrator, double-click on your LDAP group.

    If nothing happens after you double-click, you might have a version of NetWare Administrator that doesn't understand LDAP groups. If this is the case, you will need to get a version of NetWare Administrator that does.

  9. Verify that the Allow Clear Text Passwords box is checked > click OK.

    If you have a big tree, this process may take a while.

  10. Under your BASE DN, create an OU called Netscape Servers.

    The News Server role information will be kept here.

  11. Create an ASCII file in LDIF format.

    The file should have the following information:

    dn: ngcomponent=.,ou=Netscape Servers,basedn
    objectclass: top
    objectclass: nginfo
    ngcomponent: .
    nsaclrole: reader:rv
    nsaclrole: poster:prvc?
    nsaclrole: manager:amnprvcC?
    nsnewsacl: 1:*:a:D:poster::::d:

    Replace basedn with your BASE DN (the one under which you created the Netscape Servers OU in Step 10).

  12. Using LDAPADD at the command line, add the LDIF file you created in Step 11 to the directory:

    ldapadd -a -h <NDS master server ip address> -D <fully distinguished username> -w <password> -v -f <filename>


Enabling and Disabling Access Control

When the server is installed, access control is off by default. Thus, anyone can access your server with no restrictions. This is usually acceptable only in an intranet environment in which users are known and trusted. You might want to enable access control in order to restrict which users can access the server. If you enable access control, you also enable authentication.


Enabling Access Control

  1. From the General Administration page, click the News Server server name button > Access Control > Access Control Options.

  2. Click Access Control On.

  3. If you want to require authentication when a user first connects, check the box.

  4. Under Default Authentication Method, check one of the following authentication methods:

    • Use Basic Username/Password

      If you are not running an SSL-enabled server, the only authentication method available is Basic Username/Password.

    • Use Client Certificate

  5. If you want to control access by restricting host connections, check the box. In the Accept Connections from These Clients field, type the hosts you will accept connections for.

    • You can specify hostnames or IP addresses.
    • Specify all clients by specifying an asterisk (*).
    • Use an asterisk (*) to specify domains, such as *.XYZ.COM or 123.456.789.*.
    • Use the exclamation point (!) to deny access. For example, you can specify no clients by typing !*. Deny access to host1 by typing !host1.

    Limiting host connections is especially useful for granting access to users who are external to your organization's internal network. You can grant access to specific host machines without having to create special groups for the external organization.

  6. If you do not want to resolve IP addresses into hostnames for access control, check the box.

    If you check the box, you will improve authentication performance. However, you will only see IP addresses in your server reports, and you cannot refer to hostnames when filling out forms (such as in Step 5), specifying search criteria, and so on.

  7. Click OK.
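The following is an added example, not part of the News Server documentation, showing how the host-restriction patterns from Step 5 can be evaluated against a connecting client. It assumes (the page does not say) that a deny entry (!) takes precedence over any allow entry, that matching is case-insensitive, and that a client whose IP was not resolved (Step 6) is checked by IP address only.

```python
"""Evaluate "Accept Connections from These Clients" style patterns.

Assumptions not stated in the documentation: deny (!) rules win over
allow rules, matching is case-insensitive, and an unresolved client is
matched on its IP address only.
"""
import fnmatch
import re


def parse_patterns(text):
    """Split the field text into (deny, pattern) pairs.

    A leading '!' marks a deny entry, e.g. '!host1' or '!*'.
    """
    rules = []
    for tok in re.split(r"[\s,]+", text.strip()):
        if not tok:
            continue
        deny = tok.startswith("!")
        rules.append((deny, tok[1:] if deny else tok))
    return rules


def client_allowed(rules, ip, hostname=None):
    """Return True if the client passes the host restriction.

    Each pattern is tested against the IP address and, when known, the
    resolved hostname, with '*' as the wildcard (e.g. '*.XYZ.COM' or
    '123.456.789.*'). Any deny hit rejects the client outright.
    """
    names = [ip] + ([hostname] if hostname else [])
    allowed = False
    for deny, pattern in rules:
        hit = any(fnmatch.fnmatchcase(n.lower(), pattern.lower()) for n in names)
        if hit and deny:
            return False
        allowed = allowed or hit
    return allowed


if __name__ == "__main__":
    # Constructed sample field contents and clients, for illustration only.
    rules = parse_patterns("*.xyz.com 10.1.2.* !badhost.xyz.com")
    print(client_allowed(rules, "10.1.2.3"))                     # True
    print(client_allowed(rules, "192.0.2.6", "badhost.xyz.com"))  # False
    # With IP-to-hostname resolution disabled (Step 6), hostname
    # patterns cannot match this client, so it is refused.
    print(client_allowed(rules, "192.0.2.7"))                     # False
```

Note that once hostname resolution is turned off, only address patterns such as 10.1.2.* can still admit a client, which is the trade-off Step 6 describes.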


Disabling Access Control

  1. From the General Administration page, click the News Server server name button > Access Control > Access Control Options.

  2. Click Access Control Off.

  3. Click OK.

After access control is disabled:


Defining and Managing Roles

A role is a set of permissions that a user, group, or host has to a particular discussion group or discussion group hierarchy. Three roles are predefined:

You can also create new roles and associate permissions with the new roles. The easiest way to grant roles to users is by creating groups and assigning roles to the groups.

Be careful when creating roles because you cannot delete them. If you create a role you do not need, do not assign any user or group to that role.

To create, modify, or view roles:

  1. From the General Administration page, click the News Server server name button > Access Control > Manage Roles.

  2. Locate the scroll-down menu of the role you want to update.

  3. In the associated scroll-down menu, Ctrl+click the permissions you want to add to the role

    or

    To delete permissions from the role, Ctrl+click the highlighted permissions.

  4. In the Role Name field, type the name of the role you want to create.

  5. In the Role Name scroll-down menu, select the permissions you want the role to have.

  6. Click OK.


Specifying Access Control Rules

You specify access to a particular discussion group by creating an access control rule. The access control rule maps the user or group to a particular discussion group and specifies which role the user has in the discussion group.

You specify access control rules in the Discussion Group Manager.


Delegating Discussion Group Management

You can use roles to delegate discussion group management tasks to other managers or end users. The managers or users can perform the following tasks on the discussion group hierarchy they manage:

The managers or end users must be assigned a manager role to access the discussion group management functions available through a browser.

By delegating discussion group management tasks, you can focus more on system administrative tasks, such as

If you decide to delegate discussion group management, educate your delegates about the effect of roles on access control to your server.


