(1) Start the Sun One Console.
(2) Login as the Directory Manager or Administrator.
(3) You should see the iPlanet Console.
(4) Navigate to your Directory Server and click 'Open' on the screen.
(5) You should now see the task list for your Directory Server.
(6) Click on the 'Configuration' tab.
(7) Select 'Data' in the tree view.
(8) Right-click on the 'Data' option and click on 'New Root Suffix'. This new suffix will be the suffix of your Enterprise Directory so that you will be able to authenticate to this directory using your Enterprise Identity.
(9) You should see the 'Create new root suffix' window.
(10) Uncheck 'Create associated database automatically' and then enter the DN for where your 'people' entries are stored in your Enterprise Directory under 'New suffix'. Click 'OK'.
(11) You should see the new suffix under the 'Data' option in the tree view.
(12) Click on the new suffix.
(13) Right-click the new suffix and choose 'New Database Link'.
(14) You should now see the 'Create New Database Link' window.
(15) Enter a name for the new link under 'Database link name'.
(16) Enter the domain name for your Enterprise Directory under 'Remote Server' and then click 'OK'.
(17) Click on 'Yes' to enable the suffix.
(18) You should now see a dialog confirming that the link has been created. Click 'OK'.
(19) You should confirm that the link is present under your new suffix.
These instructions will ensure that only the owner of a commObject will have full access to that commObject.
(1) Start the Sun One Console.
(2) Login as the Directory Manager or Administrator.
(3) You should see the iPlanet Console.
(4) Navigate to your Directory Server and click 'Open' on the screen.
(5) You should now see the task list for your Directory Server.
(6) Click on the 'Configuration' tab.
(7) Select the 'Schema' option under the tree view.
(8) Click the 'Create...' button. This new object class will be used to hold the DN of the owner of the commObject. In this way, you will be able to leverage your Enterprise Identity to facilitate authorization.
(9) Type in the new name for your class under 'Name'. 'commObjectOwnerDN' is the suggested name for your new class.
(10) Find 'owner' under the attribute list. The 'owner' attribute will contain the owner's DN.
(11) Click 'Add' next to 'Allowed Attributes' in order to add 'owner' to the list of allowed attributes for your new class.
(12) Click 'OK' to add your class.
(13) You should now see a confirmation dialog that your class has been created. Click 'OK'.
(14) Click on the 'Directory' tab.
(15) Right-click on the base DN for your server.
(16) Click on 'Set Access Permissions...'.
(17) Click 'New' to create a new ACI rule.
(18) Click on 'Edit Manually' when you see the edit window.
(19) You should see the manual edit window.
(20) Paste the following over the existing code in the window:
    (targetattr = "*")
    (version 3.0;
    acl "Allow only owner to have full control";
    allow (all)
    (userattr = "parent[0,1,2,3].owner#USERDN")
    ;)
(21) Click 'OK' to create the new ACI rule. This new rule ensures that the BIND DN matches the DN in the attribute 'owner' before allowing full access.
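The ACI in step 20 grants access only when the bind DN equals the 'owner' attribute found on the target entry itself or on one of its parents up to three levels above it (parent[0,1,2,3]). The following Python evaluator is an added illustration, not part of this guide or of Sun One, that parses that bind rule from the ACI text and applies it offline to a small constructed set of entries (DNs under dc=example,dc=com are invented), so the effect of the inheritance depth can be checked before the rule is deployed; DN normalization is simplified to trimming and lower-casing.

```python
import re

# The ACI rule from the guide; the evaluator reads the depth list and attribute from it.
ACI = '''(targetattr = "*")
(version 3.0;
acl "Allow only owner to have full control";
allow (all)
(userattr = "parent[0,1,2,3].owner#USERDN")
;)'''

USERATTR_RE = re.compile(r'userattr\s*=\s*"parent\[([\d,]+)\]\.(\w+)#USERDN"')

def parse_userattr(aci):
    """Return (depths, attribute) from the parent[...].attr#USERDN bind rule."""
    m = USERATTR_RE.search(aci)
    if not m:
        raise ValueError("no parent[...].attr#USERDN bind rule found in ACI")
    return [int(d) for d in m.group(1).split(",")], m.group(2)

def normalize(dn):
    """Simplified DN normalization (assumption: no escaped commas in RDNs)."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def parent_dn(dn, levels):
    """DN of the ancestor `levels` RDNs above dn; level 0 is dn itself."""
    rdns = dn.split(",")
    return ",".join(rdns[levels:]) if levels < len(rdns) else None

def owner_allows(directory, target_dn, bind_dn, aci=ACI):
    """True if bind_dn matches the owner attribute on target_dn or on an
    ancestor at one of the depths the ACI names; otherwise False."""
    depths, attr = parse_userattr(aci)
    bind_norm = normalize(bind_dn)
    for level in depths:
        ancestor = parent_dn(target_dn, level)
        if ancestor is None:
            continue
        entry = directory.get(normalize(ancestor), {})
        if any(normalize(v) == bind_norm for v in entry.get(attr, [])):
            return True
    return False

# Constructed sample directory: one commObject owned by alice, with entries below it.
COMM = "commUniqueId=1001,ou=h350,dc=example,dc=com"
ALICE = "uid=alice,ou=people,dc=example,dc=com"
BOB = "uid=bob,ou=people,dc=example,dc=com"
DIRECTORY = {
    normalize("ou=h350,dc=example,dc=com"): {"objectClass": ["organizationalUnit"]},
    normalize(COMM): {"objectClass": ["commObject", "commObjectOwnerDN"], "owner": [ALICE]},
    normalize("cn=a," + COMM): {}, normalize("cn=b,cn=a," + COMM): {},
    normalize("cn=c,cn=b,cn=a," + COMM): {}, normalize("cn=d,cn=c,cn=b,cn=a," + COMM): {},
}
```

An entry four levels below the commObject is outside parent[0,1,2,3], so even the owner is denied there; extend the depth list in the ACI if deeper subtrees must inherit.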