G.4. Managing Directory Server Users and Groups
Users for both multiple Red Hat Directory Server instances and Administration Server can be created, edited, and searched for in the Red Hat Management Console. The main Console window can also be used to create organizational units and groups and to add entries to the new ous and groups.
Section G.5, “Setting Access Controls” describes how to work with user and group information when setting access privileges and other security information.
G.4.1. Searching for Users and Groups
The Users and Groups tab searches for directory entries; by default, it looks in the default user directory configured for the Administration Server, but the search directory can be changed to any Red Hat Directory Server instance.
To search the directory:
- Click the Users and Groups tab.
- Enter the search criteria, and click.
  - For a simple search, enter all or part of an entry name in the text box. To return all entries, leave the search field blank or enter an asterisk (*).
  - For a more complex or focused search, click the Advanced button, and enter the attributes to search (such as cn, givenname, or ou), the kind of search, and the search term. To add or remove search criteria, click the and buttons.
- Click Search. Results are displayed in the list box.
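The simple and advanced searches above both end up as LDAP search filters sent to the directory. The following is an added example, not code from this guide or from the Console, that builds such filters from user-typed terms; the attribute list used for the simple search, the names of the "kind of search" choices, and the whitelist of searchable attributes are assumptions. The point it demonstrates is that every term is escaped per RFC 4515 before it goes into the filter, so a term containing parentheses or an asterisk cannot widen or restructure the search.

```python
"""Build LDAP search filters for simple and advanced searches (added example;
the exact filter the Console sends is an assumption)."""

# RFC 4515 escape table.  Left unescaped, these characters change the filter's
# structure, which is the root of LDAP filter injection.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a literal assertion value for use inside an LDAP filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def simple_search_filter(term: str, attributes=("cn", "uid", "mail")) -> str:
    """Simple search box: an empty term or a bare '*' returns every entry;
    anything else is a substring match on the attributes (assumed list)."""
    term = term.strip()
    if term in ("", "*"):
        return "(objectClass=*)"
    escaped = escape_filter_value(term)
    clauses = "".join(f"({attr}=*{escaped}*)" for attr in attributes)
    return f"(|{clauses})"


# Comparison kinds offered by the advanced search; the names are assumptions.
_KINDS = {
    "is": lambda a, v: f"({a}={v})",
    "contains": lambda a, v: f"({a}=*{v}*)",
    "starts with": lambda a, v: f"({a}={v}*)",
    "ends with": lambda a, v: f"({a}=*{v})",
}


def advanced_search_filter(criteria) -> str:
    """criteria: list of (attribute, kind, term); all must match (AND).
    Attribute names are checked against a whitelist so a caller cannot
    smuggle filter syntax in through the attribute name either."""
    allowed = {"cn", "givenname", "sn", "uid", "ou", "mail"}
    clauses = []
    for attr, kind, term in criteria:
        attr = attr.lower()
        if attr not in allowed:
            raise ValueError(f"attribute not searchable: {attr}")
        if kind not in _KINDS:
            raise ValueError(f"unknown search kind: {kind}")
        clauses.append(_KINDS[kind](attr, escape_filter_value(term)))
    if len(clauses) == 1:
        return clauses[0]
    return "(&" + "".join(clauses) + ")"


if __name__ == "__main__":
    print(simple_search_filter("Smith"))
    # A hostile term cannot widen the search: parentheses and '*' are escaped.
    print(simple_search_filter("x)(uid=*"))
    print(advanced_search_filter([("givenname", "starts with", "Bab"),
                                  ("ou", "is", "Marketing")]))
```

The same escaping applies to any tool that builds filters from user input on behalf of the Console, for example a helpdesk script wrapping ldapsearch.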
To change the search directory:
- Click the Users and Groups tab.
- In the top menu, select the menu item, and choose .
- Fill in the user directory information.
  - User Directory Host. The fully qualified host name for the Directory Server instance.
  - User Directory Port and Secure Connection. The port number for the connection and whether it is a TLS (LDAPS) connection.
  - User Directory Subtree. The DN of the subtree to search in the directory; for example, dc=example,dc=com for the base DN or ou=Marketing,dc=example,dc=com for a subtree.
  - Bind DN and Bind Password. The credentials used to authenticate to the directory.
- Click OK.
G.4.2. Creating Directory Entries
The Red Hat Management Console can be used to add, edit, and delete users, groups, and organizational units in the Users and Groups tab. The different kinds of entries and the options for creating entries are explained in more detail in the Red Hat Directory Server Administration Guide.
G.4.2.1. Directory and Administrative Users
Note
A user can be added to the Directory Server user database through the Console, or a user can be added as an Administration Server administrator. The process is almost identical, with two exceptions:
- A Directory Server user is added by clicking the button, then the option, while an administrator is created by selecting the option.
- An administrator does not require selecting an organizational unit, while a Directory Server user does, because the administrator is automatically added to ou=Groups,ou=Topology,o=NetscapeRoot.
To create a user or administrator:
- Click the Users and Groups tab.
- Click the button, and choose User. Alternatively, open the option in the top menu, and choose .
- Select the area in the directory tree under which the entry is created. The entry can be added to an ou or a view, if views have been added to the directory.
Note
When creating an administrator, there is no option to select the ou to which to add the user, as there is with a regular Directory Server user. This is because the administrator is added to ou=Groups,ou=Topology,o=NetscapeRoot, with the admin users.
- In the Create User window, enter the user information. The Common Name and User ID fields are automatically filled in with the combined values of the First Name and Last Name fields. The first, last, and common name fields are required; a password is also required for the user to be able to log into the Directory Server and the Console, but it is not a required attribute.
- Optionally, click the Languages link on the left, select an alternate language, and fill in internationalized values for common attributes. This option allows international users to select a language other than English and to represent their names in their preferred language. The pronunciation attribute allows for phonetic searching against the international name attributes.
- Click OK.
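What the Create User window does can be expressed as an LDIF record: the common name and user ID are derived from the first and last name, the required name fields are enforced, the password is optional in the schema but needed to log in, and language-tagged values are stored as attribute options such as sn;lang-ja. The following is an added example, not code from this guide or from the Console; the rule used to derive the User ID (first initial plus surname), the object classes chosen, and the sample names are assumptions. Non-ASCII values are base64-encoded as RFC 2849 requires, which is what makes the internationalized names survive in LDIF.

```python
"""Build the LDIF for a new Directory Server user (added example; the uid
derivation rule and object classes are assumptions, not the Console's)."""
import base64
import re


def _needs_base64(value: str) -> bool:
    """RFC 2849: a value is base64-encoded when it is not a SAFE-STRING, i.e.
    it contains non-ASCII, NUL, CR or LF, or starts with space, ':' or '<'."""
    if value == "":
        return False
    if value[0] in " :<":
        return True
    return any(ord(ch) > 127 or ch in "\0\r\n" for ch in value)


def ldif_line(attr: str, value: str) -> str:
    """One LDIF attribute line, base64-encoded (double colon) when needed."""
    if _needs_base64(value):
        return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"
    return f"{attr}: {value}"


def build_user(first, last, parent_dn, password=None, languages=None):
    """Return (dn, attrs) for a new user beneath parent_dn.

    languages maps a language tag to {'givenName': ..., 'sn': ...}; each is
    emitted as givenName;lang-TAG, sn;lang-TAG and a derived cn;lang-TAG."""
    first, last = first.strip(), last.strip()
    if not first or not last:
        raise ValueError("First Name and Last Name are required")
    cn = f"{first} {last}"
    # Assumption: the User ID is first initial + surname, lower-case ASCII.
    uid = re.sub(r"[^a-z0-9]", "", (first[0] + last).lower())
    if not uid:
        raise ValueError("cannot derive a User ID from these names")
    attrs = [
        ("objectClass", "top"),
        ("objectClass", "person"),
        ("objectClass", "organizationalPerson"),
        ("objectClass", "inetOrgPerson"),
        ("givenName", first),
        ("sn", last),
        ("cn", cn),
        ("uid", uid),
    ]
    if password:
        # Optional in the schema, but without it the user cannot log in to
        # the Directory Server or the Console.
        attrs.append(("userPassword", password))
    for tag, names in (languages or {}).items():
        g, s = names["givenName"], names["sn"]
        attrs += [(f"givenName;lang-{tag}", g), (f"sn;lang-{tag}", s),
                  (f"cn;lang-{tag}", f"{g} {s}")]
    return f"uid={uid},{parent_dn}", attrs


def to_ldif(dn, attrs) -> str:
    """Render the entry as an LDIF add record."""
    return "\n".join([ldif_line("dn", dn)] + [ldif_line(a, v) for a, v in attrs]) + "\n"


if __name__ == "__main__":
    # Constructed sample: a user with an additional Japanese name.
    dn, attrs = build_user("Babs", "Jensen", "ou=People,dc=example,dc=com",
                           password="constructed-example-password",
                           languages={"ja": {"givenName": "バブス", "sn": "ジェンセン"}})
    print(to_ldif(dn, attrs))
```

The generated record is what the Console submits on OK; the same record could be fed to ldapadd to create the user without the GUI.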
G.4.2.2. Groups
A group consists of users who share a common attribute or are part of a list. Red Hat Directory Server supports three types of groups: static, dynamic, and certificate. Each group differs by the way in which users, or members, are added to it:
- A dynamic group automatically includes users based on one or more attributes in their entries; the attributes and values are determined using LDAP URLs. For example, a dynamic group can use an LDAP filter which searches for entries that contain the attributes and values st=California and department=sales. As entries are added to the directory with those two attributes, the users are automatically added as members of the dynamic group. If those attributes are removed from the entry, the entry is removed from the group.
- A certificate group includes all users who have a specific attribute-value pair in the subject name of their certificate. For example, the certificate group could be based on having the string st=California,ou=Sales,ou=West in the subject name. If a user logs onto a server using a certificate with those attributes in its subject name, the user is automatically added to the group and is granted all of the access privileges of that group.
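The dynamic-group rule above, worked through in code: the group's LDAP URL names a base DN, a scope and a filter, and an entry is a member exactly while it is in scope and matches the filter, so removing st or department from the entry removes it from the group. This is an added example, not Directory Server code or code from this guide; the server evaluates the URL itself with the full filter grammar, whereas the tiny parser here handles only equality, presence, &, | and ! to show the rule. The sample entries and the URL are constructed.

```python
"""Evaluate dynamic-group membership from an LDAP URL (RFC 4516) with a
minimal RFC 4515 filter evaluator (added example, not server code)."""
from urllib.parse import unquote


def parse_ldap_url(url):
    """ldap:///<base>?<attrs>?<scope>?<filter> -> (base, scope, filter)."""
    if not url.startswith("ldap:///"):
        raise ValueError("only ldap:/// URLs (the local server) are handled")
    parts = url[len("ldap:///"):].split("?")
    parts += [""] * (4 - len(parts))
    base, _attrs, scope, flt = (unquote(p) for p in parts[:4])
    return base, (scope or "base"), (flt or "(objectClass=*)")


def parse_filter(s):
    """Tiny filter parser: &, |, ! and equality/presence assertions only."""
    def node(i):
        if s[i] != "(":
            raise ValueError("filter component must start with '('")
        i += 1
        if s[i] in "&|!":
            op, i, kids = s[i], i + 1, []
            while s[i] != ")":
                kid, i = node(i)
                kids.append(kid)
            return (op, kids), i + 1
        end = s.index(")", i)
        attr, _, val = s[i:end].partition("=")
        return ("=", attr.lower(), val), end + 1
    tree, i = node(0)
    if i != len(s):
        raise ValueError("trailing characters in filter")
    return tree


def matches(tree, entry):
    """Evaluate a parsed filter against an entry {attr: [values]}
    (attribute names and values compared case-insensitively)."""
    op = tree[0]
    if op == "&":
        return all(matches(k, entry) for k in tree[1])
    if op == "|":
        return any(matches(k, entry) for k in tree[1])
    if op == "!":
        return not matches(tree[1][0], entry)
    _, attr, val = tree
    values = [v.lower() for k, vs in entry.items() if k.lower() == attr for v in vs]
    return bool(values) if val == "*" else val.lower() in values


def in_scope(dn, base, scope):
    """Scope check on normalized DN strings (base, one, sub)."""
    dn, base = dn.lower().replace(", ", ","), base.lower().replace(", ", ",")
    if scope == "base":
        return dn == base
    if scope == "one":
        return dn.endswith("," + base) and "," not in dn[: -len(base) - 1]
    return dn == base or dn.endswith("," + base)


def dynamic_members(member_url, entries):
    """DNs of the entries {dn: attrs} that the URL currently selects."""
    base, scope, flt = parse_ldap_url(member_url)
    tree = parse_filter(flt)
    return [dn for dn, attrs in entries.items()
            if in_scope(dn, base, scope) and matches(tree, attrs)]


# Constructed sample directory and group URL.
SAMPLE = {
    "uid=amy,ou=People,dc=example,dc=com": {"st": ["California"], "department": ["sales"]},
    "uid=bob,ou=People,dc=example,dc=com": {"st": ["California"], "department": ["engineering"]},
    "uid=cal,ou=People,dc=example,dc=com": {"st": ["Nevada"], "department": ["sales"]},
    "uid=dee,ou=Contractors,dc=other,dc=com": {"st": ["California"], "department": ["sales"]},
}
SALES_URL = "ldap:///dc=example,dc=com??sub?(&(st=California)(department=sales))"

if __name__ == "__main__":
    print(dynamic_members(SALES_URL, SAMPLE))
```

Because membership follows attribute values, anyone who can write st or department on user entries can change who is in the group; the access controls in Section G.5 should cover those attributes, not only the group entry.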
To create a group:
- Click the Users and Groups tab.
- Click the button, and choose Group. Alternatively, open the option in the top menu, and choose .
- Select the area in the directory tree under which the entry is created. The subtree entry can be an ou or a view, if views have been added to the directory.
- Enter the group's name and description. It is possible to save the new group entry at this point, without adding members. Click.
- Click the Members link to add members to the group, and click the tab for the type of group membership: Static, Dynamic, or Certificate.
- Configure the members. For static groups, manually search for and add users; for dynamic groups, construct the LDAP URL used to find entries; and for certificate groups, enter the values to search for in user certificate subject names.
Note
The different kinds of groups and how to configure their members are explained in more detail in the Red Hat Directory Server Administration Guide.
G.4.2.3. Organizational Units
An organizational unit can include a number of groups and users. An org unit usually represents a distinct, logical division in an organization, such as different departments or geographical locations. Each organizationalUnitName (ou) is a new subtree branch in the directory tree. This is reflected in the distinguished name of the ou, such as ou=People,dc=example,dc=com, which becomes part of the distinguished names of its sub-entries.
- Click the Users and Groups tab.
- Click the button, and choose Organizational Unit. Alternatively, open the option in the top menu, and choose .
- Select the directory subtree under which to locate the new organizational unit.
- Fill in the organizational unit information. The Alias offers an alternative name for the organizational unit that can be used instead of the full name.
- Click OK.
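The DN relationship described above (the ou's DN becomes a suffix of every entry created beneath it) is easy to get wrong when DNs are assembled from names by hand, because a comma or plus sign in an RDN value would change where the entry lands. The following is an added example, not code from this guide or from the server, which escapes RDN values per RFC 4514 when composing a child DN and checks whether an entry lies beneath a given ou; the sample names are constructed.

```python
"""Compose DNs beneath an organizational unit with RFC 4514 escaping
(added example; the Console and server do this internally)."""
import re

# Characters that must be backslash-escaped anywhere in an RDN value.
_DN_SPECIAL = ',+"\\<>;'


def escape_rdn_value(value: str) -> str:
    """Escape an attribute value for use in an RDN (RFC 4514 section 2.4).
    Without this, a value like 'Smith,ou=Admins' would move the entry."""
    out = []
    for i, ch in enumerate(value):
        if ch == "\0":
            out.append("\\00")
        elif ch in _DN_SPECIAL:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:
            out.append("\\#")
        elif ch == " " and i in (0, len(value) - 1):
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)


def child_dn(attr: str, value: str, parent: str) -> str:
    """DN of a new entry directly beneath parent, e.g. an ou or a user."""
    return f"{attr}={escape_rdn_value(value)},{parent}"


def split_rdns(dn: str):
    """Split on unescaped commas only; an escaped pair is never a separator."""
    return [r.strip() for r in re.findall(r"(?:\\.|[^,])+", dn)]


def is_under(dn: str, ou_dn: str) -> bool:
    """True if dn lies strictly beneath ou_dn, compared RDN by RDN and
    case-insensitively."""
    d = [r.lower() for r in split_rdns(dn)]
    o = [r.lower() for r in split_rdns(ou_dn)]
    return len(d) > len(o) and d[len(d) - len(o):] == o


if __name__ == "__main__":
    people = child_dn("ou", "People", "dc=example,dc=com")
    print(people)
    print(child_dn("cn", "Jensen, Babs", people))
    print(is_under("uid=bjensen,ou=People,dc=example,dc=com", people))
```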
G.4.3. Modifying Directory Entries
G.4.3.1. Editing Entries
- Search for the entry to edit. See Section G.4.1, “Searching for Users and Groups” for more information on searching for entries.
- Select the entry, and click.
- Edit the entry information, and click to save the changes.
G.4.3.2. Allowing Sync Attributes for Entries
Red Hat Directory Server and Active Directory synchronization unifies some Unix- and Windows-specific directory attributes; to carry over a Directory Server entry to Active Directory, the entry must have ntUser attributes. (Likewise, Windows entries must have posixAccount attributes.)
Windows (NT) attributes must be enabled on entries. By default, these attributes are added manually to individual entries. The user edit window has an NT User link on the left that allows Directory Server entries to contain the Windows-specific attributes needed for synchronization.
It is also possible to configure the server so that all new entries automatically possess the ntUser object class; this is described in the chapter on Directory Server and Active Directory synchronization in the Red Hat Directory Server Administration Guide.
Note
Any Red Hat Directory Server entry must have the ntUser object class and its required attributes added in order to be synchronized to Active Directory.
To enable synchronization:
- Select or create a user, and click the NT User link.
- Enable the NT account, and check how the entry will be synchronized (meaning, whether a new entry will be created on Active Directory and whether that entry should be deleted on Active Directory if it is deleted on Directory Server).
- Click OK.
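Since an entry without the ntUser object class and its required attributes is silently left out of synchronization, it is worth checking a set of entries before a sync run rather than one at a time in the edit window. The following is an added example, not code from this guide or from Directory Server: it reports which entries are not sync-ready and writes the LDIF modify that the NT User panel's choices amount to. ntUserDomainId is the required attribute of the ntUser object class, and ntUserCreateNewAccount and ntUserDeleteAccount correspond to the two sync choices in the step above; check the installed schema if a local version differs. That the Windows account name defaults to the uid is an assumption, and the entries are constructed.

```python
"""Pre-flight check and LDIF for Active Directory synchronization
(added example, not Red Hat code)."""


def _values(entry, attr):
    """Case-insensitive attribute lookup on an {attr: [values]} entry."""
    return [v for k, vs in entry.items() if k.lower() == attr.lower() for v in vs]


def sync_ready(entry):
    """List of problems that would stop this entry syncing (empty if none)."""
    problems = []
    if "ntuser" not in {c.lower() for c in _values(entry, "objectClass")}:
        problems.append("missing objectClass ntUser")
    if not _values(entry, "ntUserDomainId"):
        problems.append("missing required attribute ntUserDomainId")
    return problems


def sync_report(entries):
    """entries: {dn: entry}; returns only the DNs that are not ready."""
    report = {}
    for dn, entry in entries.items():
        problems = sync_ready(entry)
        if problems:
            report[dn] = problems
    return report


def enable_nt_user_ldif(dn, entry, create_new=True, delete_account=False):
    """LDIF 'changetype: modify' that adds what sync_ready() found missing and
    sets the two flags the NT User panel exposes: create the account on
    Active Directory, and delete it there when it is deleted here."""
    problems = sync_ready(entry)
    mods = []
    if "missing objectClass ntUser" in problems:
        mods.append("add: objectClass\nobjectClass: ntUser")
    if "missing required attribute ntUserDomainId" in problems:
        # Assumption: the Windows account name defaults to the uid.
        mods.append("add: ntUserDomainId\nntUserDomainId: " + _values(entry, "uid")[0])
    flag = lambda b: "true" if b else "false"
    mods.append("replace: ntUserCreateNewAccount\nntUserCreateNewAccount: " + flag(create_new))
    mods.append("replace: ntUserDeleteAccount\nntUserDeleteAccount: " + flag(delete_account))
    return f"dn: {dn}\nchangetype: modify\n" + "\n-\n".join(mods) + "\n-\n"


if __name__ == "__main__":
    # Constructed sample entry that has never been enabled for sync.
    entry = {"objectClass": ["top", "person", "inetOrgPerson"], "uid": ["bjensen"]}
    print(sync_report({"uid=bjensen,ou=People,dc=example,dc=com": entry}))
    print(enable_nt_user_ldif("uid=bjensen,ou=People,dc=example,dc=com", entry))
```

Leaving ntUserDeleteAccount at false is the conservative default: a mistaken delete on the Directory Server side then does not propagate to Active Directory.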
G.4.3.3. Changing Administrator Entries
When the Administration Server is installed, two entries are created with administrator access in the Console. The main entry is the Configuration Administrator, who is authorized to access and modify the entire configuration directory (o=NetscapeRoot). The Configuration Administrator entry is stored in the uid=username,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot entry.
The Configuration Administrator's user name and password are automatically used to create the Administration Server Administrator, who can perform a limited number of tasks, such as starting, stopping, and restarting servers. The Administration Server Administrator is created so that a user can log into the Red Hat Management Console when the Directory Server is not running. The Administration Server Administrator does not have an LDAP entry; it exists in the Administration Server's configuration file, /usr/share/dirsrv/properties/admpw.
Important
Even though they are created at the same time during installation, and are identical at that time, the Configuration Administrator and Administration Server Administrator are two separate entities. If the user name or password is changed for one, Red Hat Management Console does not automatically make the same changes for the other.
G.4.3.3.1. Changing the Configuration Administrator and Password
- In the Users and Groups tab, click Advanced.
- Search for the Configuration Administrator. Select the object, and enter the administrator's user name, Configuration Administrator by default.
- Select the Configuration Administrator from the list of search results, and then click Edit.
- Change the administrator's uid and password. The uid is the naming attribute used to log into the Console and run commands.
- Click.
Note
If you are logged into the Console as the Configuration Administrator when you edit the Configuration Administrator entry, update the login information for the directory.
- In the Users and Groups tab, click the menu in the top menu and select .
- Update the Bind DN and Bind Password fields with the new information for the Configuration Administrator, and click OK.
G.4.3.3.2. Changing the Admin Password
- Select the Administration Server in the Servers and Applications tab, and click .
- Click the Configuration tab, and open the Access tab.
- Set the new password.
Warning
Do not change the admin user name.
- Click.
- Restart the Administration Server.
systemctl restart dirsrv-admin.service
G.4.3.3.3. Adding Users to the Configuration Administrators Group
- In the Users and Groups tab, click the menu in the top menu and select .
- Change to the o=NetscapeRoot subtree, which contains the configuration information and the Configuration Administrators group.
- Search for the Configuration Administrators group, and click Edit.
- Click the Members link on the left of the edit window.
- Click Add, and search for the user to add to the group.
Note
Only users in the o=NetscapeRoot database can be added to the Configuration Administrators group. This means that the entry must be created as an administrator, not a regular user, when added through the Console. See Section G.4.2.1, “Directory and Administrative Users”.
G.4.3.4. Removing an Entry from the Directory
- Search for the entry to delete. See Section G.4.1, “Searching for Users and Groups” for more information on searching for entries.
Note
All entries must be removed from under an organizational unit before it can be deleted.
- Select the entry in the results list, and click. Click to confirm the deletion.
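The note above means that removing a whole organizational unit is an ordered operation: every entry beneath the ou goes first, deepest entries before their parents, and the ou itself last. The following is an added example, not code from this guide or from the server, that plans such a removal from a list of DNs and refuses any entry that still has children not included in the request, which is the condition the server would reject; the DNs are constructed.

```python
"""Plan the removal of a subtree: deepest entries first, and refuse an
organizational unit while anything still sits beneath it (added example)."""
import re


def rdn_count(dn: str) -> int:
    """Depth of a DN, splitting on unescaped commas only so that a value such
    as 'cn=Jensen\\, Babs' counts as one RDN."""
    return len(re.findall(r"(?:\\.|[^,])+", dn))


def is_beneath(dn: str, ancestor: str) -> bool:
    """Strict descendant test on normalized DN strings."""
    dn, ancestor = dn.lower().replace(", ", ","), ancestor.lower().replace(", ", ",")
    return dn != ancestor and dn.endswith("," + ancestor)


def deletion_plan(to_delete, directory):
    """to_delete: DNs the administrator asked to remove; directory: all DNs
    currently in the tree.  Returns (ordered, blocked): the delete order to
    use, and a map from each refused entry to the children that must be
    removed first but were not requested."""
    requested = {d.lower() for d in to_delete}
    blocked = {}
    for dn in to_delete:
        stragglers = [c for c in directory
                      if is_beneath(c, dn) and c.lower() not in requested]
        if stragglers:
            blocked[dn] = stragglers
    # Leaves first: a stable sort by depth keeps children ahead of parents.
    ordered = sorted((d for d in to_delete if d not in blocked),
                     key=rdn_count, reverse=True)
    return ordered, blocked


# Constructed sample directory.
DIRECTORY = [
    "ou=Marketing,dc=example,dc=com",
    "uid=amy,ou=Marketing,dc=example,dc=com",
    "cn=staff,ou=Marketing,dc=example,dc=com",
    "ou=Sales,dc=example,dc=com",
    "uid=bob,ou=Sales,dc=example,dc=com",
]

if __name__ == "__main__":
    print(deletion_plan(["ou=Marketing,dc=example,dc=com",
                         "uid=amy,ou=Marketing,dc=example,dc=com",
                         "cn=staff,ou=Marketing,dc=example,dc=com"], DIRECTORY))
    print(deletion_plan(["ou=Sales,dc=example,dc=com"], DIRECTORY))
```

Reviewing the blocked map before issuing any delete is also a useful safeguard: it lists exactly which user and group entries an ou removal would take with it.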