Managing users and groups


This chapter describes how to use the forms in the administration server Users and Groups area. The following topics are covered in this chapter:

Creating users

To create a user entry within the directory, do the following:

  1. From the administration server manager, go to Users & Groups | New User.
  2. At a minimum, you must specify the user's:
    If you enter a given name (or first name) and a surname, then the gateway automatically fills in the user's full name and user ID for you. The user ID is generated as the first initial of the user's first name followed by the user's last name. For example, if the user's name is Babs Jensen, then the user ID is automatically set to bjensen. You can replace this user ID with an ID of your own choosing if you wish.

    Note
    The user ID must be unique. The administration server ensures that the user ID is unique by searching the entire directory from the search base (base DN) down to see if the user ID is in use. Be aware, however, that the ldapmodify command line utility does not ensure unique user IDs when you use it to create a user. If duplicate user IDs exist in your directory, the affected users will not be able to authenticate to the directory.

  3. If any organizational units have been defined for your directory, you can specify where you want the new user to be placed using the Add New User To list. The default location is your directory's root point.
  4. Click Create User to add the user and immediately return to the New User form. Click Create and Edit User to add the user and then proceed to the Edit User form for the user you have just added.
    For information on editing users, see "Managing users".

Notes on user entries

The following notes may be of interest to the directory administrator:

Managing users

You edit user attributes from the Manage Users form. From this form you can:

Finding user entries

Before you can edit a user entry, you must display the entry. To find an entry:

  1. From the administration server manager, go to Users & Groups | Manage Users.
  2. In the Find User field, enter some descriptive value for the entry that you want to edit. You can enter any of the following in the search field:
    As an alternative, use the pull down menus in Find all users whose: to narrow the results of your search.

  3. In the Look within field, select the organizational unit under which you want to search for entries. The default is the directory's root point (or top-most entry).
  4. In the Format: field, choose either On-Screen or Printer.
  5. Click Find. All the users in the selected organizational unit are displayed.
  6. In the resulting table, click the name of the entry that you want to edit.
  7. The user edit form is displayed. Change the displayed fields as desired and click Save Changes. The changes are made immediately.

The "Find all users whose" field

The Find all users whose: field allows you to build a custom search filter. Use this field to narrow down the search results returned by Find user.

Find all users whose: provides the following search criteria:

Editing user information

To change a user's entry:

  1. Display the user entry as described in "Finding user entries".
  2. Edit the field corresponding to the attribute that you wish to change.
  3. Click Save Changes.
    Note
    It is possible that you will want to change an attribute value that is not displayed by the edit user form. In this situation, use the ldapmodify command line utility.
    Note
    You can change the user's first, last, and full name fields from this form, but to fully rename the entry (including the entry's distinguished name), you need to use the Rename User form. For more information on how to rename an entry, see "Renaming users".

Managing a user's password

The password you set for user entries is used by the various Netscape servers for user authentication.

To change or create a user's password:

  1. Display the user entry as described in "Finding user entries".
  2. Click the Password link at the top of the user edit form.
  3. Enter the new password and then the confirmation password.
  4. Click Set Password. The change takes effect immediately.
    You can also disable the user's password by clicking the Disable Password button. Doing this prevents the user from logging into a Netscape server without deleting the user's directory entry. You can reinstate the password by using the Password Management Form to enter a new password.

    To return to the general information form, click General.

Managing user licenses

This area allows you to track which Netscape server products your users are licensed to use. To manage the licenses available to the user:

  1. Display the user entry as described in "Finding user entries".
  2. Click the Licenses link at the top of the User Edit form.
  3. Click next to the SuiteSpot servers that you want this user to be able to use.
  4. Click Save Changes.
    Note that currently Netscape servers do not enforce these licenses.

    To return to the general information form, click General.

Renaming users

To rename a user entry:

  1. Display the user entry as described in "Finding user entries".
  2. Click the Rename User button.
  3. Enter the new name in the resulting dialog box. If you are using common name-based DNs, specify the user's full name. If you are using uid-based distinguished names, enter the new uid value that you want to use for the entry.
  4. Change the Given Name, Surname, full name, or UID fields as is appropriate to match the new distinguished name for the entry. Note that if you are using common name-based distinguished names, and you change the distinguished name to use a new common name, then you should make sure that this new common name is listed as the first choice in the list of full names. This ensures that the appropriate name is displayed when a list is generated that shows this entry.
    You can tell the administration server not to retain the old full name or uid values when you rename the entry by setting the keepOldValueWhenRenaming parameter to false. You can find this parameter in the following file:

    		NSHOME/admin-serv/config/dsgw-orgperson.conf
    
    Note
    The rename feature changes only the user's name; all other fields are left intact. In addition, the user's old name is still preserved so searches against the old name will still find the new entry.
    Note
    When you rename a user entry, you can only change the user's name; you cannot use the rename feature to move the entry from one organizational unit to another. For example, suppose you have:

Removing users

To delete a user entry:

  1. Display the user entry as described in "Finding user entries".
  2. Click the Delete User button.
  3. Click O.K. in the resulting confirmation box. The user entry is immediately deleted.

Creating groups

To create a group entry within the directory, do the following:

  1. From the administration server manager, go to Users & Groups | New Group.
  2. Enter the group's name. You can optionally also add a description for the group.
  3. If any organizational units have been defined for your directory, you can specify where you want the new group to be placed using the Add New Group To: list. The default location is your directory's root point, or top-most entry.
  4. Click Create Group to add the group and immediately return to the New Group form. Click Create and Edit Group to add the group and then proceed to the Edit Group form for the group you have just added.
    For information on editing groups, see "Editing group attributes".

Managing groups

You edit groups and manage group memberships from the Group Edit form. From this form you can:

Finding group entries

To find group entries:

  1. Go to Users & Groups | Manage Groups.
  2. Enter the name of the group that you want to find in the Find Group field. You can enter any of the following in the search field:
    As an alternative, use the pull down menus in Find all groups whose to narrow the results of your search.

  3. In the Look within field, select the organizational unit under which you want to search for entries. The default is the directory's root point, or top-most entry.
  4. In the Format: field, choose either On-Screen or Printer.
  5. Click Find. All the groups matching your search criteria are displayed.
  6. In the resulting table, click the name of the entry that you want to edit.

The "Find all groups whose" field

The Find all groups whose: field allows you to build a custom search filter. Use this field to narrow down the search results that are otherwise returned by Find groups:

Find all groups whose: provides the following search criteria:

Editing group attributes

To change a group entry, do the following:

  1. Locate the group you want to edit as described in "Finding group entries".
  2. The Group Edit form is displayed. Change the displayed fields as desired and click Save Changes. The changes are made immediately.
    Note
    It is possible that you will want to change an attribute value that is not displayed by the group edit form. In this situation, use the ldapmodify command line utility.

Adding group members

To add members to the group:

  1. Locate the group you want to manage as described in "Finding group entries".
  2. Click the Edit button under Group Members. A new form is displayed that allows you to search for entries. If you want to add user entries to the list, make sure Users is shown in the Find pull-down menu. If you want to add group entries to the group, make sure Group is shown.
  3. In the right-most text field, enter a search string. Enter any of the following:
    If the search returns any entries that you do not want to add to the group, click the box in the Remove from list? column. You can also construct a search filter to match the entries you want removed and then click Find and Remove.

  4. When the list of group members is complete, click Save Changes. The currently displayed entries are now members of the group.

Adding groups to the group members list

You can add groups (instead of individual members) to the group's members list. Doing so causes any users belonging to the included group to become a member of the receiving group. For example, if Babs Jensen is a member of the Marketing Managers group, and you make the Marketing Managers group a member of the Marketing Personnel group, then Babs Jensen is also a member of the Marketing Personnel group.

To add a group to the members list of another group, add the group as if it were a user entry. See "Adding group members" for more information.
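
Because nesting grants membership indirectly, reviewing who actually belongs to a group means expanding every included group. The following added example (not part of the original documentation; function names and directory data are constructed) computes the effective members of a group and the chain of groups that grants each membership, assuming nesting is followed to any depth and guarding against groups that include each other.

```python
from collections import deque

# Added example with illustrative names; the directory data is constructed.
# Each key is a group DN, each value its member list (user DNs or group DNs).
GROUPS = {
    "cn=Marketing Managers, o=Example Corp": ["cn=Babs Jensen, o=Example Corp"],
    "cn=Marketing Personnel, o=Example Corp": [
        "cn=Marketing Managers, o=Example Corp",
        "cn=Ted Morris, o=Example Corp",
    ],
    "cn=Web Admins, o=Example Corp": [
        "cn=Sam Carter, o=Example Corp",
        "CN=Marketing Personnel,O=Example Corp",  # same group, different spelling
    ],
}

def norm(dn):
    """Normalise case and spacing so two spellings of one DN compare equal.
    Simplification: does not handle escaped commas inside attribute values."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def effective_members(group_dn, groups):
    """Return {user DN: chain of nested groups that grants the membership}.
    An empty chain means the user is listed in the group directly."""
    index = {norm(dn): members for dn, members in groups.items()}
    found, visited = {}, set()
    queue = deque([(norm(group_dn), [])])
    while queue:  # breadth-first, so the shortest chain is recorded
        current, chain = queue.popleft()
        if current in visited:  # already expanded: stops on membership cycles
            continue
        visited.add(current)
        for member in index.get(current, []):
            key = norm(member)
            if key in index:  # the member is itself a group: expand it
                queue.append((key, chain + [key]))
            else:
                found.setdefault(key, chain)
    return found

def inherited_only(group_dn, groups):
    """Members who hold the group only through nesting, with their chains."""
    members = effective_members(group_dn, groups)
    return {dn: chain for dn, chain in members.items() if chain}
```

With the sample data, Babs Jensen is a member of Web Admins through Marketing Personnel and then Marketing Managers, although she appears in neither the Web Admins nor the Marketing Personnel member list.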

Removing entries from the group members list

To delete an entry from the group members list, do the following:

  1. Locate the group you want to manage as described in "Finding group entries".
  2. Click Edit under Group Members.
  3. For each member that you want to remove from the list, click the corresponding box under the Remove from list? column.
    Alternatively, you can construct a filter to find the entries you want to remove and click the Find and Remove button. For more information on creating a search filter, see "Adding group members".

  4. Click Save Changes. The entries are deleted from the group members list.

Managing owners

You manage a group's owners list the same way as you manage the group members list. The following table shows you which section to read for more information:

| If you want to... | Use the steps in... |
| --- | --- |
| Add owners to the group | "Adding group members" |
| Add groups to the owners list | "Adding groups to the group members list" |
| Remove entries from the owners list | "Removing entries from the group members list" |

Managing see alsos

See alsos are references to other directory entries that may be relevant to the current group. They allow users to easily find entries for people and other groups that are related to the current group.

You manage see alsos the same way as you manage the group members list. The following table shows you which section to read for more information:

| If you want to... | Use the steps in... |
| --- | --- |
| Add users to see alsos | "Adding group members" |
| Add groups to see alsos | "Adding groups to the group members list" |
| Remove entries from see alsos | "Removing entries from the group members list" |

Removing groups

To delete a group, do the following:

  1. Locate the group you want to delete as described in "Finding group entries".
  2. Click Delete Group.
  3. Click O.K. in the resulting confirmation box. The group entry is immediately deleted.

Renaming groups

To rename a group, do the following:

  1. Locate the group you want to manage as described in "Finding group entries".
  2. Click the Rename Group button.
  3. Enter the new group name in the resulting dialog box.
    Note
    When you rename a group entry, you only change the group's name; you cannot use the rename feature to move the entry from one organizational unit to another. For example, suppose you have:

Creating organizational units

For information on organizational units and how they should be used, see "Planning your directory structure". To create an organizational unit, do the following:

  1. From the administration server manager, go to Users & Groups | New Organizational Unit.
  2. In the Unit Name field, enter the name of the organizational unit.
  3. In the Description field, you can optionally add a description of the unit.
  4. In the Add Organizational Unit to list, select the organization under which this new organization will reside.
  5. Click Create Organizational Unit. The new entry is added immediately.

Notes on organizational units

The following notes may be of interest to the directory administrator:

Managing organizational units

You edit and manage organizational units from the Organizational Unit Edit form. From this form, you can:

Finding organizational units

To find organizational units:

  1. Go to Users & Groups | Manage Organizational Units.
  2. Enter the name of the unit you want to find in the Find organizational unit field. You can enter any of the following in the search field:
    As an alternative, use the pull down menus in Find all units whose: to narrow the results of your search.

  3. In the Look within: field, select the organizational unit under which you want to search for entries. The default is the root point of the directory.
  4. In the Format: field, choose either On-Screen or Printer.
  5. Click Find. All the organizational units matching your search criteria are displayed.
  6. In the resulting table, click the name of the organizational unit that you want to find.

The "Find all units whose" field

The Find all units whose: field allows you to build a custom search filter. Use this field to narrow down the search results that are otherwise returned by Find organizational unit:

Find all units whose: provides the following search criteria:

Editing organizational unit attributes

To change an organizational unit entry:

  1. Locate the organizational unit you want to edit as described in "Finding organizational units".
  2. The organizational unit edit form is displayed. Change the displayed fields as desired and click Save Changes. The changes are made immediately.
    Note
    It is possible that you will want to change an attribute value that is not displayed by the organizational unit edit form. In this situation, use the ldapmodify command line utility.

Renaming organizational units

To rename an organizational unit entry, do the following:

  1. Make sure no other entries exist in the directory under the organizational unit that you want to rename.
  2. Locate the organizational unit you want to edit as described in "Finding organizational units".
  3. Click the Rename button.
  4. Enter the new organizational unit name in the resulting dialog box.
    Note
    When you rename an organizational unit entry, you can only change the organizational unit's name; you cannot use the rename feature to move the entry from one organizational unit to another. For example, suppose you have:

Deleting organizational units

To delete an organizational unit entry, do the following:

  1. Make sure no other entries exist in the directory under the organizational unit that you want to delete.
  2. Locate the organizational unit you want to delete as described in "Finding organizational units".
  3. Click the Delete button.
  4. Click O.K. in the resulting confirmation box. The organizational unit is immediately deleted.

Importing a directory from LDIF

If you do not currently have a directory, or if you want to add a new subtree to an existing directory, you can use the Users and Groups import function. This function accepts a file containing LDIF and attempts to build a directory or a new subtree from the LDIF entries.

If you are using the Netscape local directory, the import function will optionally overwrite any existing directories. If you are using a directory server and you attempt to import an entry that already exists, then that operation will fail.

To merge LDIF formatted entries into an existing directory (either for a local directory, or for directory server), it is best to convert the LDIF to LDIF update statements and use ldapmodify to perform the merge.
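
A pre-merge check for the approach described above, as an added example that is not Netscape's code: it parses an LDIF file (folded lines and base64 values included), reports user IDs claimed by more than one entry, since ldapmodify does not enforce the uniqueness described in the note under "Creating users", and renders each entry as a changetype: add update statement. The function names, the sample entries and the existing parameter (user IDs already in the directory) are assumptions, as is comparing user IDs case-insensitively.

```python
import base64
import re

# Added example with illustrative names. Constructed sample: both entries claim
# user ID "bjensen"; the second hides it in base64 and folds its DN over two lines.
SAMPLE_LDIF = """\
version: 1
dn: cn=Babs Jensen, ou=Marketing, o=Example Corp
objectclass: inetOrgPerson
cn: Babs Jensen
sn: Jensen
uid: bjensen

dn: cn=Bob Jensen, ou=Engineering,
  o=Example Corp
objectclass: inetOrgPerson
cn: Bob Jensen
sn: Jensen
uid:: YmplbnNlbg==
"""

def parse_ldif(text):
    """Return one list of (attribute, value) pairs per entry."""
    unfolded = re.sub(r"\r?\n ", "", text)  # a leading space continues the previous line
    entries = []
    for block in re.split(r"\n\s*\n", unfolded.strip()):
        pairs = []
        for line in block.splitlines():
            if line.startswith("#") or line.lower().startswith("version:"):
                continue
            attr, _, rest = line.partition(":")
            value = (base64.b64decode(rest[1:]).decode("utf-8", "surrogateescape")
                     if rest.startswith(":") else rest.strip())  # "attr:: v" is base64
            pairs.append((attr, value))
        if pairs:
            entries.append(pairs)
    return entries

def duplicate_uids(entries, existing=()):
    """Map each clashing user ID (compared case-insensitively) to the DNs claiming it."""
    seen = {uid.lower(): ["(already in directory)"] for uid in existing}
    for pairs in entries:
        dn = next(v for a, v in pairs if a.lower() == "dn")
        for attr, value in pairs:
            if attr.lower() == "uid":
                seen.setdefault(value.lower(), []).append(dn)
    return {uid: dns for uid, dns in seen.items() if len(dns) > 1}

def add_statement(pairs):
    """Render one entry as an LDIF update statement (changetype: add) for ldapmodify."""
    lines = []
    for attr, value in pairs:
        plain = (value.isascii() and value.isprintable() and value == value.strip()
                 and value[:1] not in (":", "<"))
        b64 = base64.b64encode(value.encode("utf-8", "surrogateescape")).decode()
        lines.append(f"{attr}: {value}" if plain else f"{attr}:: {b64}")
        if attr.lower() == "dn":
            lines.append("changetype: add")
    return "\n".join(lines) + "\n"
```

Join the add_statement results with a blank line between entries, and hand the file to ldapmodify only when duplicate_uids returns an empty mapping. A text search for "uid: bjensen" would miss the second sample entry, which is why the check decodes base64 values first.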

To create a new directory or subtree from Users and Groups, do the following:

  1. Go to Users & Groups | Import.
  2. Enter the full path name to the LDIF file containing the entries you want to add to your directory.
  3. Check Stop on errors if you want the import to fail completely if any single add operation fails.
  4. If you are using the local directory, then Erase existing database is available to you. Check this field if you want your existing database to be erased when a new directory is imported from LDIF. If Erase existing database is not checked, then the import function will attempt to add the contents of the LDIF file to the existing directory. However, if the import function attempts to add an entry to the directory that already exists, then an error is returned. Whether the import function continues or stops immediately is dependent on whether Stop on errors is checked.
  5. Click Begin Import. The import proceeds immediately.

Exporting a database to LDIF

You can export your current directory to LDIF using the Users and Groups export function. This function creates an LDIF-formatted file that represents your directory.

To export your directory to an LDIF file:

  1. Go to Users & Groups | Export.
  2. Enter the full path name to the file in which you want the LDIF to be placed. Note that if you do not enter a full path name here, the file is placed in NSHOME\db\ldap\tools where NSHOME is your administration server's installation root directory.
  3. The Suffix to add field is available if you are exporting a local directory to the directory server. In this situation, you must specify a suffix to successfully import your local directory into directory server.
    The suffix you specify must match at least one of the suffixes configured for your directory server.

  4. Click OK. The export proceeds immediately.


Copyright 1997 Netscape Communications Corporation. All rights reserved.