2.5 Installing and Configuring OES as a Subcontainer Administrator

IMPORTANT: The information in Section 2.4, eDirectory Rights Needed for Installing OES, is a prerequisite to the information in this section.

This section outlines the required eDirectory rights and explains how a subcontainer administrator approaches various installation tasks.

2.5.1 Rights Required for Subcontainer Administrators

For security reasons, you might want to create one or more subcontainer administrators (administrators that are in a container that is subordinate to the container that user Admin is in) with sufficient rights to install additional OES servers, without granting them full rights to the entire tree.

A subcontainer administrator needs the rights listed in Table 2-2 to install an OES server into the tree. These rights are typically granted by placing all administrative users in a Group or Role in eDirectory, and then assigning the rights to the Group or Role. Sample steps for assigning the rights to a single subcontainer administrator are provided as a general guide.

Table 2-2 Subcontainer Administrator Rights Needed to Install

Each right needed is followed by sample steps to follow.

Supervisor right to itself

  1. In iManager > View Objects > the Browse tab, browse to and select the subcontainer administrator.

  2. Click the administrator object, then select Modify Trustees.

  3. Click the Assigned Rights link for the administrator object.

  4. For the [All Attributes Rights] property, select Supervisor, then click Done > OK.

Supervisor right to the container where the server will be installed

  1. Browse to the container where the subcontainer administrator will install the server.

  2. Click the container object and select Modify Trustees.

  3. Click Add Trustee, browse to and select the subcontainer administrator, then click OK.

  4. Click the Assigned Rights link for the administrator object.

  5. For the [All Attributes Rights] and [Entry Rights] properties, select Supervisor, then click Done > OK > OK.

Supervisor right to the W0 object located inside the KAP object in the Security container

  1. Browse to Security > KAP.

  2. In KAP, click W0 and select Modify Trustees.

  3. Click Add Trustee, browse to and select the subcontainer administrator, then click OK.

  4. Click the Assigned Rights link for the administrator object.

  5. For the [All Attributes Rights] and [Entry Rights] properties, select Supervisor, then click Done > OK > OK.

Supervisor right to the Security container when installing the NMAS login methods

If the subcontainer administrator will install the NMAS login methods:

  1. Browse to and select Security.

  2. Select Modify Trustees.

  3. Click Add Trustee, browse to and select the subcontainer administrator, then click OK.

  4. Click the Assigned Rights link for the administrator object.

  5. For the [All Attributes Rights] and [Entry Rights] properties, select Supervisor, then click Done > OK > OK.

Create right to its own container (context)

  1. Browse to and select the container where you created the subcontainer administrator.

  2. Select Modify Trustees.

  3. Click Add Trustee, browse to and select the subcontainer administrator, then click OK.

  4. Click the Assigned Rights link for the administrator object.

  5. For the [Entry Rights] property, select Create, then click Done > OK > OK.

Create right to the container where the UNIX Config object is located

  1. Browse to and select the container where the UNIX Config object is located. By default, this is the Organization object.

  2. Select Modify Trustees.

  3. Click Add Trustee, browse to and select the subcontainer administrator, then click OK.

  4. Click the Assigned Rights link for the administrator object.

  5. For the [Entry Rights] property, select Create, then click Done > OK > OK.

Read right to the Security container object for the eDirectory tree

This is not needed if the Supervisor right was assigned because of NMAS.

If the subcontainer administrator won’t install the NMAS login methods, do the following:

  1. Browse to and select Security.

  2. Select Modify Trustees.

  3. Click Add Trustee, browse to and select the subcontainer administrator, then click OK.

  4. Click the Assigned Rights link for the administrator object.

  5. For the [All Attributes Rights] property, select Read, then click Done > OK > OK.

Read right to the NDSPKI:Private Key attribute on the Organizational CA object (located in the Security container)

  1. Browse to Security and select the Organizational CA object.

  2. Select Modify Trustees.

  3. Click Add Trustee, browse to and select the subcontainer administrator, then click OK.

  4. Click the Assigned Rights link for the administrator object.

  5. Click the Add Property button.

  6. Select NDSPKI:Private Key and click OK.

    The Read right should be automatically assigned.

  7. Click Done > OK > OK.

Read and Write rights to the UNIX Config object

  1. Browse to and select the UNIX Config object.

  2. Select Modify Trustees.

  3. Click Add Trustee, browse to and select the subcontainer administrator, then click OK.

  4. Click the Assigned Rights link for the administrator object.

  5. For the [All Attributes Rights] property, select Write (Read is already selected), then click Done > OK > OK.

Write right to the [All Attributes Rights] property for the admingroup object

  1. Browse to and select the admingroup object.

  2. Select Modify Trustees.

  3. Click Add Trustee, browse to and select the subcontainer administrator, then click OK.

  4. Click the Assigned Rights link for the administrator object.

  5. For the [All Attributes Rights] property, select Write (Compare and Read are already selected), then click Done > OK > OK.
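A way to check the outcome of the steps in Table 2-2, as an added example that is not part of the original documentation: it decodes explicit trustee assignments from exported ACL values and reports rights that are missing or that exceed the table (the case without NMAS login methods). The `mask#scope#trustee#property` value layout, the privilege bit values, the preselected-rights set and every DN are assumptions or constructed samples.

```python
# Added example: audit exported ACL values against Table 2-2 (non-NMAS case).
# Assumed: "mask#scope#trustee#property" values and the NDS privilege bits below.
ENTRY = {"Browse": 1, "Create": 2, "Delete": 4, "Rename": 8, "Supervisor": 16}
ATTR = {"Compare": 1, "Read": 2, "Write": 4, "Add Self": 8, "Supervisor": 32}
PRESELECTED = {"Browse", "Compare", "Read"}  # assumed iManager defaults, not flagged
ALL, ENT = "[All Attributes Rights]", "[Entry Rights]"
ADMIN = "cn=subadmin,ou=branch,o=example"    # every DN here is constructed
INSTALL, SEC = "ou=servers,ou=branch,o=example", "cn=Security"
W0, CA = "cn=W0,cn=KAP,cn=Security", "cn=EXAMPLE CA,cn=Security"
UNIXCFG, GROUP = "cn=UNIX Config,o=example", "cn=admingroup,o=example"
REQUIRED = {  # (object, property) -> rights listed in Table 2-2
    (ADMIN, ALL): {"Supervisor"},
    (INSTALL, ALL): {"Supervisor"}, (INSTALL, ENT): {"Supervisor"},
    (W0, ALL): {"Supervisor"}, (W0, ENT): {"Supervisor"},
    ("ou=branch,o=example", ENT): {"Create"},  # the admin's own container
    ("o=example", ENT): {"Create"},            # container holding UNIX Config
    (SEC, ALL): {"Read"}, (CA, "NDSPKI:Private Key"): {"Read"},
    (UNIXCFG, ALL): {"Read", "Write"}, (GROUP, ALL): {"Write"},
}

def decode(value):
    """Split one ACL value into (trustee, property, set of right names)."""
    mask, _scope, trustee, prop = value.split("#", 3)
    bits = ENTRY if prop == ENT else ATTR
    return trustee.lower(), prop, {n for n, b in bits.items() if int(mask) & b}

def audit(acls, trustee=ADMIN, required=REQUIRED):
    """Return (missing, excess) as {(object, property): rights} for one trustee."""
    granted = {}
    for obj, values in acls.items():
        for value in values:
            who, prop, rights = decode(value)
            if who == trustee.lower():
                granted.setdefault((obj, prop), set()).update(rights)
    missing, excess = {}, {}
    for key, need in required.items():
        have = granted.get(key, set())
        if "Supervisor" not in have and need - have:  # Supervisor covers the rest
            missing[key] = need - have
    for key, have in granted.items():
        extra = have - required.get(key, set()) - PRESELECTED
        if extra:
            excess[key] = extra
    return missing, excess

SAMPLE = {  # constructed export: Write never added; Supervisor granted too high
    UNIXCFG: ["3#entry#" + ADMIN + "#" + ALL],
    "o=example": ["2#subtree#" + ADMIN + "#" + ENT, "32#subtree#" + ADMIN + "#" + ALL],
}
```

Only explicit trustee assignments are compared; rights reached through inheritance or security equivalence are not evaluated. When the rights are assigned to a Group or Role as described above, pass that object's DN as `trustee`.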

When you install DNS/DHCP into an existing tree with DNS/DHCP, see the following additional guidelines:

2.5.2 Starting a New Installation as a Subcontainer Administrator

You can install a new OES server into an existing tree as a subcontainer administrator if you have:

When you reach the eDirectory Configuration - Existing Tree page, enter your fully distinguished name (FDN) and password. After verifying your credentials, the installation proceeds normally.

2.5.3 Adding/Configuring OES Services as a Different Administrator

To add or configure OES services on an OES server that another administrator installed, see Adding/Configuring OES Services on a Server That Another Administrator Installed.