G.4. Managing Directory Server Users and Groups

Users for both multiple Red Hat Directory Server instances and Administration Server can be created, edited, and searched for in the Red Hat Management Console. The main Console window can also be used to create organizational units and groups and to add entries to the new ous and groups.
Section G.5, “Setting Access Controls” describes how to work with user and group information when setting access privileges and other security information.

G.4.1. Searching for Users and Groups

The Users and Groups tab searches for directory entries; by default, it looks in the default user directory configured for the Administration Server, but the directory can be changed to any Red Hat Directory Server instance.
To search the directory:
  1. Click the Users and Groups tab.
  2. Enter the search criteria, and click Search.
    • For a simple search, enter all or part of an entry name in the text box. To return all entries, leave the search field blank or enter an asterisk (*).
    • For a more complex or focused search, click the Advanced button, and enter the attributes to search (such as cn, givenname, or ou), the kind of search, and the search term. To add or remove search criteria, click the More and Fewer buttons.
  3. Click Search. Results are displayed in the list box.
To change the search directory:
  1. Click the Users and Groups tab.
  2. In the top menu, select the User menu item, and choose Change Directory.
  3. Fill in the user directory information.
    • User Directory Host. The fully qualified host name for the Directory Server instance.
    • User Directory Port and Secure Connection. The port number for the connection and whether this is a TLS (LDAPS) connection.
    • User Directory Subtree. The DN of the subtree to search in the directory; for example, dc=example,dc=com for the base DN or ou=Marketing, dc=example,dc=com for a subtree.
    • Bind DN and Bind Password. The credentials to use to authenticate to the directory.
  4. Click OK.

G.4.2. Creating Directory Entries

The Red Hat Management Console can be used to add, edit, and delete users, groups, and organization units in the Users and Groups tab. The different kinds of entries and the options for creating entries are explained in more detail in the Red Hat Directory Server Administration Guide.

G.4.2.1. Directory and Administrative Users

Note

A user can be added to the Directory Server user database through the Console or a user can be added as an Administration Server administrator. The process is almost identical, with two exceptions:
  • A Directory Server user is added by clicking the Create button, then the Users option, while an administrator is created by selecting the Administrator option.
  • An administrator does not require selecting an organization unit, while the Directory Server user does, because the administrator is automatically added to ou=Groups,ou=Topology,o=NetscapeRoot.
  1. Click the Users and Groups tab.
  2. Click the Create button, and choose User.
    Alternatively, open the User option in the top menu, and choose Create > User.
  3. Select the area in the directory tree under which the entry is created.

    Note

    When creating an administrator, there is no option to select the ou to which to add the user as there is with a regular Directory Server user. This is because the administrator is added to ou=Groups,ou=Topology,o=NetscapeRoot, with the admin users.
    The entry can be added to an ou or a view, if views have been added to the directory.
  4. In the Create User window, enter user information. The Common Name and User ID fields are automatically filled in with the combined values of the First Name and Last Name fields. The first name, last name, and common name fields are required; a password is also required for the user to be able to log into the Directory Server and the Console, but it is not a required attribute.
  5. Optionally, click the Languages link on the left, select an alternate language and fill in internationalized values for common attributes.
    This option allows international users to select a language other than English and to represent their names in their preferred language. The pronunciation attribute allows for phonetic searching against the international name attributes.
  6. Click OK.

G.4.2.2. Groups

A group consists of users who share a common attribute or are part of a list. Red Hat Directory Server supports three types of groups: static, dynamic, and certificate. Each group differs by the way in which users, or members, are added to it:
  • A static group has members who are manually added to it, so it is static because the members do not change unless an administrator manually adds or removes users.
  • A dynamic group automatically includes users based on one or more attributes in their entries; the attributes and values are determined using LDAP URLs. For example, a dynamic group can use an LDAP filter which searches for entries which contain the attributes and values st=California and department=sales. As entries are added to the directory with those two attributes, the users are automatically added as members to the dynamic group. If those attributes are removed from the entry, the entry is removed from the group.
  • A certificate group includes all users who have a specific attribute-value pair in the subject name of the certificate. For example, the certificate group could be based on having the string st=California,ou=Sales,ou=West in the subject name. If a user logs onto a server using a certificate with those attributes in his certificate, the user is automatically added to the group and is granted all of the access privileges of that group.
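As an added example (not code from the documentation or the product), the following Python resolves membership the way the two automatic group types do: a dynamic group by parsing the LDAP URL that defines it (base, scope, filter) and evaluating the filter against entries, and a certificate group by checking that the required attribute-value pairs appear in a certificate subject name. The directory entries and subject names are constructed; only single or conjunctive equality filters are supported.

```python
# Added example, not from the documentation or the product: the directory is a constructed
# dict, filters are limited to (a=v) or (&(a=v)(b=w)), DN parsing ignores escaped commas,
# and values are compared exactly (real servers match most attributes case-insensitively).
import re
from urllib.parse import unquote

# Constructed sample entries: DN -> attributes (attribute names lower-cased).
DIRECTORY = {
    "uid=alice,ou=People,dc=example,dc=com": {"st": "California", "department": "sales"},
    "uid=carol,ou=Sales,dc=example,dc=com": {"st": "California", "department": "sales"},
    "uid=dave,ou=People,dc=example,dc=com": {"st": "Oregon", "department": "sales"},
}

def norm_dn(dn):
    return ",".join(r.strip() for r in dn.lower().split(","))  # drop case and RDN spacing

def parse_ldap_url(url):
    """Split an RFC 4516 URL ldap://host/base?attrs?scope?filter (scope defaults to base)."""
    if not url.startswith("ldap://"):
        raise ValueError("not an LDAP URL: " + url)
    _host, _, path = url[len("ldap://"):].partition("/")
    base, _attrs, scope, flt = (unquote(p) for p in (path.split("?") + [""] * 4)[:4])
    return base, scope or "base", flt

def filter_pairs(flt):
    """Turn (a=v) or (&(a=v)(b=w)) into [(attr, value), ...]."""
    inner = flt[2:-1] if flt.startswith("(&") else flt
    return [(a.lower(), v) for a, v in re.findall(r"\(([^=()]+)=([^()]*)\)", inner)]

def in_scope(dn, base, scope):
    dn, base = norm_dn(dn), norm_dn(base)
    if scope == "base":
        return dn == base
    if not dn.endswith("," + base):
        return False
    return scope == "sub" or "," not in dn[: -len(base) - 1]  # "one": direct children only

def dynamic_members(member_url):
    """Members of a dynamic group: entries in scope that match every filter pair."""
    base, scope, flt = parse_ldap_url(member_url)
    wanted = filter_pairs(flt)
    return sorted(dn for dn, attrs in DIRECTORY.items()
                  if in_scope(dn, base, scope) and all(attrs.get(a) == v for a, v in wanted))

def dn_pairs(dn):
    return {(a.strip().lower(), v.strip()) for a, _, v in (r.partition("=") for r in dn.split(","))}

def certificate_member(subject_dn, required):
    # Certificate group: every attribute-value pair in `required` must appear in the subject.
    return dn_pairs(required) <= dn_pairs(subject_dn)
```

Note that an entry drops out of the dynamic group as soon as one of the filtered attributes changes, which is why access granted through dynamic or certificate groups should be reviewed whenever those attributes are writable by the users themselves.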
To create a group:
  1. Click the Users and Groups tab.
  2. Click the Create button, and choose Group.
    Alternatively, open the User option in the top menu, and choose Create > Group.
  3. Select the area in the directory tree under which the entry is created.
    The subtree entry can be an ou or a view, if views have been added to the directory.
  4. Enter the group's name and description.
    It is possible to save the new group entry at this point, without adding members. Click OK.
  5. Click the Members link to add members to the group, and click the tab of the type of group membership, Static, Dynamic, or Certificate.
  6. Configure the members. For static groups, manually search for and add users; for dynamic groups, construct the LDAP URL to use to find entries; and for certificate groups, enter the values to search for in user certificate subject names.

Note

The different kinds of groups and how to configure their members are explained in more detail in the Red Hat Directory Server Administration Guide.

G.4.2.3. Organizational Units

An organizational unit can include a number of groups and users. An org unit usually represents a distinct, logical division in an organization, such as different departments or geographical locations. Each organizationalUnitName (ou) is a new subtree branch in the directory tree. This is reflected in the relative distinguished name of the ou, such as ou=People,dc=example,dc=com, which becomes part of the distinguished names of its sub-entries.
  1. Click the Users and Groups tab.
  2. Click the Create button, and choose Organizational Unit.
    Alternatively, open the User option in the top menu, and choose Create > Organizational Unit.
  3. Select the directory subtree under which to locate the new organizational unit.
  4. Fill in the organizational unit information. The Alias offers an alternative name for the organizational unit that can be used instead of the full name.
  5. Click OK.

G.4.3. Modifying Directory Entries

G.4.3.1. Editing Entries

  1. Search for the entry to edit.
    See Section G.4.1, “Searching for Users and Groups” for more information on searching for entries.
  2. Select the entry, and click Edit.
  3. Edit the entry information, and click OK to save the changes.

G.4.3.2. Allowing Sync Attributes for Entries

Red Hat Directory Server and Active Directory synchronization unify some Unix and Windows-specific directory attributes; to carry over a Directory Server entry to Active Directory, the entry must have ntUser attributes. (Likewise, Windows entries must have posixAccount attributes.)
Windows (NT) attributes must be enabled on entries. By default, these attributes are added manually to individual entries. The user edit window has an NT User link on the left that allows Directory Server entries to contain Windows-specific attributes for synchronization.
It is also possible to configure the server so that all new entries will automatically possess the ntUser object class; this is described in the Directory Server—Active Directory synchronization chapter of the Red Hat Directory Server Administration Guide.

Note

Any Red Hat Directory Server entry must have the ntUser object class and required attributes added in order to be synchronized to Active Directory.
To enable synchronization:
  1. Select or create a user, and click the NT User link.
  2. Enable the NT account, and check how the entry will be synchronized (meaning, whether a new entry will be created and whether that entry should be deleted on Active Directory if it is deleted on Directory Server).
  3. Click OK.

G.4.3.3. Changing Administrator Entries

When the Administration Server is installed, two entries are created with administrator access in the Console. The main entry is the Configuration Administrator, who is authorized to access and modify the entire configuration directory (o=NetscapeRoot). The Configuration Administrator entry is stored in the uid=username, ou=Administrators,ou=TopologyManagement,o=NetscapeRoot entry.
The Configuration Administrator's user name and password are automatically used to create the Administration Server Administrator, who can perform a limited number of tasks, such as starting, stopping, and restarting servers. The Administration Server Administrator is created so that a user can log into the Red Hat Management Console when the Directory Server is not running. The Administration Server Administrator does not have an LDAP entry; it exists in the Administration Server's configuration file, /usr/share/dirsrv/properties/admpw.

Important

Even though they are created at the same time during installation, and are identical at that time, the Configuration Administrator and Administration Server Administrator are two separate entities. If the user name or password is changed for one, Red Hat Management Console does not automatically make the same changes for the other.
G.4.3.3.1. Changing the Configuration Administrator and Password
  1. In the Users and Groups tab, click Advanced.
  2. Search for the Configuration Administrator. Select the Administrators object, and enter the administrator's user name, Configuration Administrator by default.
  3. Select the Configuration Administrator from the list of search results, and then click Edit.
  4. Change the administrator's uid and password. The uid is the naming attribute used to log into the Console and run commands.
  5. Click OK.

Note

If you are logged into the Console as the Configuration Administrator when you edit the Configuration Administrator entry, update the login information for the directory.
  1. In the Users and Groups tab, click the User menu in the top menu and select Change Directory.
  2. Update the Bind DN and Bind Password fields with the new information for the Configuration Administrator, and click OK.
G.4.3.3.2. Changing the Admin Password
  1. Select the Administration Server in the Servers and Applications tab, and click Open.
  2. Click the Configuration tab, and open the Access tab.
  3. Set the new password.

    Warning

    Do not change the admin user name.
  4. Click Save.
  5. Restart the Administration Server.
    systemctl restart dirsrv-admin.service
G.4.3.3.3. Adding Users to the Configuration Administrators Group
  1. In the Users and Groups tab, click the User menu in the top menu and select Change Directory.
  2. Change to the o=NetscapeRoot subtree, which contains the configuration information and the Configuration Administrators group.
  3. Search for the Configuration Administrators group, and click Edit.
  4. Click the Members link in the left of the edit window.
  5. Click Add, and search for the user to add to the group.

    Note

    Only users in the o=NetscapeRoot database can be added to the Configuration Administrators group. This means that the entry must be created as an administrator, not a regular user, when added through the Console. See Section G.4.2.1, “Directory and Administrative Users”.

G.4.3.4. Removing an Entry from the Directory

  1. Search for the entry to delete.
    See Section G.4.1, “Searching for Users and Groups” for more information on searching for entries.

    Note

    All entries must be removed from under an organization unit before it can be deleted.
  2. Select the entry in the results list, and click Delete. Click OK to confirm the deletion.