Netscape Console provides you access to a consolidated, networkwide repository for application data about user accounts, group lists, access privileges, and other security information. Use Netscape Console to create or locate and manage records for users and groups on any node in your enterprise.
Creating New Directory Entries
Modifying Existing Directory Entries
Tracking User Licenses
The User and Group interface of Netscape Console helps you create or modify Distinguished Names (DNs). Each user and group in your enterprise is represented in the Directory Server by a distinguished name (DN). A DN is a text string that contains identifying attributes. You use DNs whenever you make changes in the directory's users and groups database. For example, you need to specify DN information each time you
set up access controls
set up user accounts for applications such as mail or publishing.
The Users and Groups Search function works similarly to the basic Search function you find throughout Netscape Console. The search is performed against the default user directory. Any changes you make in the Users and Groups area of Netscape Console are made in the default user directory. You can manually change to a user directory other than the default. See "User Directory Settings" on page 136 for more information.
Figure 4.1 The Users and Groups area of Netscape Console.
In the Search field, enter a user or group name that can be found in the user directory.
To see all the entries currently stored in your directory, you can enter an asterisk (*). However, when the search is performed against a large database, this type of search could take a long time.
(Optional) To specify more focused search criteria, click Advanced. In the Advanced Search dialog box, use the pull-down menus to first choose an attribute, then a search operator.
Click Search. Results are displayed in the list box.
When you use the Users and Groups Search function, the URL for the default user directory appears. All searches are performed against this user directory. You can choose a user directory other than the default.
Click Directory.
In the Change Directory dialog box, provide user directory information:
User Directory Host. Enter the fully qualified host name where the user directory is installed.
User Directory Port. Enter the port number you want to use to connect to the user directory.
User Directory Subtree. Use the form o=airius.com to indicate where to find the user directory.
Bind DN. Enter the distinguished name of a user authorized to change entries in the user directory.
Bind Password. Enter the password of the user directory administrator.
Click OK.
The end-user administration page is an HTML page designed to provide end users access to their own entries in the user directory. All users in the user directory are end users. For example, rank-and-file employees in your company might be given access to this page through a company phone book or directory. Using this page, shown in Figure 4.2, an employee can edit his own name, phone number, or other data that does not impact other directory entries. The changes made on this page are made in the default user directory.
In the Administration page, click Edit User Profile.
Figure 4.2 End users can modify, but not create, a user entry.
Organizational Units
An organizational unit can include a number of groups, and it usually represents a division, department, or other discrete business group. A DN can be in more than one organizational unit (ou).
To create an organizational unit:
Use the drop-down list to choose New Organizational Unit, then click Create.
In the Select Organizational Unit window, select the directory subtree (ou) to which the organizational unit will belong, then click OK.
In the Create Organizational Unit dialog box, enter organizational unit information.
Name. Enter the name of the organizational unit.
Description. Enter a description of the organizational unit that's meaningful to you.
Phone. Enter a phone number where one can reach a contact (such as an administrative assistant) for the organizational unit.
Fax. Enter a fax number where one can reach a contact (such as an administrative assistant) for the organizational unit.
Alias. Enter another name, such as a nickname or acronym, that you might use in place of the Name entered above.
Click OK.
A group consists of all users who share a common attribute. For example, all users with DNs containing the attribute ou=Sales belong to the Sales group. Once you create a new group, you add users, or members, to it. You can use three types of groups in your directory: static, dynamic, and certificate groups.
Create a static group by specifying the same group attribute in the DNs of any number of users. A static group doesn't change unless you add a user to it or delete a user from it. For example, a number of users have the attribute department=marketing in their DN. But none of those users are members of the Marketing group until you explicitly add each one to the group.
Use the drop-down list to choose New Group, then click Create.
In the Select Organizational Unit window, select the directory subtree (ou) to which the group will belong, then click OK.
In the Create Group dialog box, enter group information, then click Members.
Group Name. Enter a name for the group.
Description. (Optional) Enter a description to help you identify this group.
If you only want to create the group now, and plan to add group members later, click OK and skip the rest of this procedure.
To immediately add members to the group, click Members and then continue to the next step.
In the Members dialog box, click Add or Edit as appropriate, then use the Search dialog box to locate a user you want to add to the Members User ID list.
Repeat this step until all the users you want to add to the group are displayed in the Member User ID list.
Create a dynamic group when you want users to be added automatically to a group based on their DN attributes. For example, you can create a group that automatically includes any DN that contains the attribute department=marketing. Whenever you apply a search filter for department=marketing, the search returns a group including all DNs containing the attribute department=marketing. The DNs are included automatically, without your having to add each individual to the group.
In the Create Group dialog box, enter general group information, then click Members.
Group Name. Enter a name for the group.
Description. (Optional) Enter a description to help you identify this group.
Click Dynamic Group, then click Add.
Use the Construct and Test LDAP URL dialog box to specify the criteria for including users in the dynamic group.
Enter an LDAP URL and skip to step 8, or click Construct to build a new URL and continue to the next step.
The LDAP URL will take the form:
ldap:///o=airius.com??sub?(department=marketing)
In the Construct LDAP URL dialog box, provide search criteria:
LDAP Server Host. Enter the fully qualified host name of the user directory you want to search. Example: <host>:<domain>
Port. Enter the port number for the Directory Server that contains the specified user directory.
Base DN. Enter the base DN from which to begin the search. Example: ou=Marketing, o=Klondike Corp, c=US
Search. Indicate the user directory subtree you want to search against.
for. Indicate whether you want to search users, groups, or both.
where. Use the pull-down menus to first choose an attribute, then a search operator. Choices are described in the table below. In the last input field, enter a search string, then click Search.
More. Provides additional fields for specifying more attributes against which to search.
Click OK.
(Optional) In the Construct and Test LDAP URL dialog box, to see a list of users and groups included in the dynamic group, click Test.
To accept the URL and add it to the list of dynamic group members, click OK.
Click Account, then select the accounts the group will use.
Click OK.
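The following added example (not part of the original manual or of Netscape Console) parses a dynamic-group LDAP URL of the form shown above and lists which entries it would select, which is what the Test button lets you review before accepting the URL. The entries are constructed sample data, and the helper names, the naive DN splitting, and the case-insensitive equality match are assumptions of this sketch.

```python
from urllib.parse import unquote

def parse_ldap_url(url):
    """Split ldap://host:port/base?attrs?scope?filter into search parameters."""
    scheme, sep, rest = url.partition("://")
    if not sep or scheme.lower() != "ldap":
        raise ValueError("not an ldap:// URL")
    hostport, _, tail = rest.partition("/")
    base, attrs, scope, flt = (unquote(p) for p in (tail.split("?") + [""] * 4)[:4])
    return {"host": hostport or None, "base": base,   # no host: default user directory
            "attrs": [a for a in attrs.split(",") if a],
            "scope": scope or "base",                  # default scope when omitted
            "filter": flt or "(objectClass=*)"}        # default filter when omitted

def rdns(dn):
    # Naive DN split: assumes no escaped commas in attribute values.
    return [r.strip().lower() for r in dn.split(",") if r.strip()]

def in_scope(dn, base, scope):
    d, b = rdns(dn), rdns(base)
    extra = len(d) - len(b)            # how many levels below the base DN
    if extra < 0 or d[extra:] != b:
        return False
    return {"base": extra == 0, "one": extra == 1, "sub": True}.get(scope, False)

def matches(flt, entry):
    # Handles only one equality test, compared case-insensitively (an assumption).
    inner = flt[1:-1] if flt.startswith("(") and flt.endswith(")") else ""
    attr, eq, value = inner.partition("=")
    if not eq or any(c in inner for c in "()&|!*<>~"):
        raise ValueError("only simple (attr=value) filters are handled here")
    return value.lower() in (v.lower() for v in entry.get(attr.lower(), []))

def dynamic_members(url, entries):
    q = parse_ldap_url(url)
    return [dn for dn, e in entries.items()
            if in_scope(dn, q["base"], q["scope"]) and matches(q["filter"], e)]

# Constructed sample entries (not from a real directory).
ENTRIES = {
    "uid=bjensen,ou=People,o=airius.com": {"department": ["marketing"]},
    "uid=scarter,ou=People,o=airius.com": {"department": ["Marketing"]},
    "uid=tmorris,ou=People,o=airius.com": {"department": ["engineering"]},
    "uid=jdoe,ou=People,o=example.com":   {"department": ["marketing"]},
}

if __name__ == "__main__":
    for dn in dynamic_members("ldap:///o=airius.com??sub?(department=marketing)", ENTRIES):
        print(dn)
```

Because membership is computed from attribute values, anyone able to change the attribute named in the filter on an entry also controls that entry's membership in the group.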
Create a certificate group when you want to group all users who have a certificate containing a common attribute. For example, you can create a certificate for all users who share these attributes: ou=Sales, ou=West, ou=CA. When an individual user logs on to a server, if all of these attributes are found in his certificate, the user is automatically recognized as belonging to the Western Sales group located in California. If the user's certificate does not contain these matching attributes, he is not recognized as a member of the group and does not receive the same access, privileges, or permissions as group members.
Group Name. Enter a name for the group.
Description. (Optional) You can enter a description to help you identify this group.
Click Certificate Group, then click Add or Edit as appropriate.
In the Certificate Group dialog box, provide the following information:
Common Name. Enter the full name of the group. Example: cn=Database Administrators
Organization. Enter the name of the organization the group belongs to. Example: o=Operations Group
Mail. Enter the street address of the group's business.
Country. Enter the country code for the group's business.
Locality. Enter the city name for the group's business.
State/Province. Enter the state or province name for the group's business.
Unit. Enter the name of the unit within an organization that the group belongs to. Example: ou=IS Department
Click Account. Select the accounts the group will use.
A user entry contains information about an individual person or object in the directory.
To create a new user entry in the directory:
Use the drop-down list to choose New User, then click Create.
In the Select Organizational Unit window, select the directory subtree (ou) to which the user will belong, then click OK.
In the Create User window, enter user information.
First Name. Enter the user's full given name.
Last Name. Enter the user's full surname.
Full Name(s). This is equivalent to the common name (cn) in the directory and is automatically generated based on the First Name and Last Name entered above. You can edit this name as necessary.
User ID. When you enter a first and last name, the user ID is automatically generated. You can replace this user ID with one of your choosing. The user ID must be unique from all other user IDs in the directory.
Password. (Optional) Enter the user's password.
Confirm Password. Enter the user's password again to confirm it.
E-Mail. (Optional) Enter the user's email address.
Phone. (Optional) Enter the user's telephone number.
Access Permissions Help. Provides information about setting access controls that apply to users and groups.
Click Licenses. Select the servers this user is licensed to use, then click OK.
Click Account. Select the accounts the user will use, then click OK.
(Optional) Click Languages. Use the drop-down list to select the user's preferred language. Select (highlight) a language to see the Pronunciation field when appropriate.
(Optional) Enter language-related information:
First Name. Enter the user's given name.
Last Name. Enter the user's surname.
Full Name(s). Enter the user's name as it should appear on official documents.
Phone. Enter the user's telephone number.
Pronunciation. If the selected language is commonly represented phonetically, additional fields are displayed. Enter the phonetic representation for the user's first, last, and full names.
Click OK.
To edit a directory entry:
Once the user or group name appears in the Search list, click it to select it, then click Edit.
Modify user or group information as necessary, then click OK.
To change a user password:
Click Change Password.
Enter password as prompted, then click OK.
New Password. Enter a password string. Alphanumeric characters, spaces, and punctuation marks are all acceptable.
Confirmed Password. Enter the password again to confirm.
The changes take effect immediately.
Before you can remove an organizational unit, you must first remove all users or groups belonging to it.
Click Delete, and when prompted to confirm the deletion, click OK.
From the File menu, choose License Tracking.
Select the servers you want to count licenses for, then click Refresh at the bottom of the dialog box.
edit existing user or group data
change a user or group password
create a new user, group, or organizational unit
Use the drop-down list to indicate whether you're creating a new user, group, or organizational unit.
ldap:///o=mcom.com??sub?(department=marketing)
If you want to construct a new URL, click Construct.