Why do administrators delegate server administration?
Managing Servers with Netscape Console: Delegating Server Administration

Chapter 6 Delegating Server Administration

Through the use of administrative privileges and Access Control Information (ACIs) you can delegate specific server management tasks to selected individuals as you deem appropriate.

Note.
Each Netscape server has its own specialized functions, and each server has its own special forms of ACIs. For detailed information about ACIs for a specific Netscape server, see the server's Administrator's Guide.

This chapter has the following sections:
- Overview of Delegated Administration
- Access to Network Resources
- Access to Server Tasks

Overview of Delegated Administration

When a user logs into Netscape Console, the Administration Server authenticates the user against the Directory Server. During authentication, the Administration Server evaluates the user's administrative privileges and any Access Control Information (ACIs) pertaining to the user. When authentication is completed, Netscape Console displays only the resources and server tasks the user is permitted to access.

Delegating server administration is a two-step process. First, you provide certain users and groups with administrative privileges, or access, to various resources, such as host systems and servers in your enterprise. Once you've given administrative privileges to an individual, you can restrict the scope of the administrator's network or server responsibilities.

Network Resources and Administrative Privileges

All network resources registered in the same configuration directory form a Netscape topology. The entire navigation tree in Netscape Console represents a Netscape topology. An administration domain is a collection of host systems and servers that share the same user directory. A server group consists of all servers managed by the same Administration Server. Servers are the products that provide specific services such as directory, messaging, and publishing.

Netscape Console provides four levels of administration privileges to determine whether users are authorized to access network resources.
Three levels of administration privileges correspond to entries in the user directory: Configuration Administrator, Domain Administrator, and Server Administrator. A fourth level, the Administration Server Administrator, has privileges only to the local Administration Server. A comparison of administrators and their corresponding privileges is summarized in Table 6.1.

The Configuration Administrator and the Administration Server Administrator are automatically created when you install Netscape Console. You manually create the Domain Administrator after you create an administration domain (see "Creating an Administration Domain" on page 29). For more information on the Server Administrator, see the documentation that comes with your server.

Table 6.1 Summary of Administrative Privileges

Administrator: Configuration Administrator
  Main Purpose: To manage servers and configuration directory data in the entire Netscape topology.
  Description: When a configuration directory is first installed, the Configuration Administrators group and the Configuration Administrator user ID are both automatically created in the configuration directory. Initially manages Administrative Domain configuration until the Domain Administrators group and its members are in place.
  Scope of Administrative Privileges: Unlimited access to all resources in the Netscape topology. This is the only administrator that can assign Domain Administrators; can also provide server access to other administrators.

Administrator: Domain Administrator
  Main Purpose: To manage servers and user information in an administrative domain.
  Description: Configuration Administrator must manually create a Domain, then assign a Domain Administrator to it. Domain Administrator can set access permissions for a server group, or for an individual server.
  Scope of Administrative Privileges: Restricted access to all servers and user data in a domain; can provide server access permissions to other administrators.

Administrator: Server Administrator
  Main Purpose: To perform server administration tasks.
  Description: Configuration or Domain Administrator must provide this user access to a server. Once a user has server access permissions, he is a Server Administrator and can provide server access permissions to others.
  Scope of Administrative Privileges: Restricted access to tasks for a specific server, depending on task ACIs.

Administrator: Administration Server Administrator
  Main Purpose: To start or stop a server even when there is no Directory Server connection.
  Description: When an Administration Server is installed, this administrator's entry is automatically created locally. (This administrator is not a user in the user directory.)
  Scope of Administrative Privileges: Restricted server tasks (typically only Restart Server and Stop Server) for all servers in a local server group.
Configuration Administrator

During installation, you're asked to specify a username and password for the Configuration Administrator. The Configuration Administrator is authorized to access and modify the Configuration Directory of your LDAP server. Netscape Console creates the Configuration Administrator as an entry in the LDAP user directory under: ou=Administrators, out=Mission Control, ou=, o=NetscapeRoot. Generally, when you log in to Netscape Console as the Configuration Administrator, the username and password you enter are authenticated against the LDAP entry. But if the Directory Server cannot be accessed or the user LDAP entry cannot be found, Netscape Console authenticates the username and password against the Administration Server Administrator's credentials.

Administration Server Administrator

The Administration Server Administrator can execute restricted CGI programs such as starting, stopping, or restarting servers in the local Server Group. It was designed to provide a way for you to log in to Netscape Console when the Directory Server is not running. During installation, Netscape Console uses the same username and password you specified for the Configuration Administrator to automatically create the Administration Server Administrator username and password. The Administration Server Administrator does not have an LDAP entry; it exists only as an entity named in a local configuration file stored at /admin-serv/config/admpw. The user ID and password stored in this file are used for authentication when the Directory Server cannot be reached. This is what makes it possible for you to access an Administration Server and perform limited server administration even when the Directory Server is not running.
Changing Administrator Usernames and Passwords

Keep in mind that the Configuration Administrator and Administration Server Administrator are two separate entities even though they are created at the same time during installation. If you change the username or password for one, Netscape Console does not automatically make the same changes for the other.

To change the username or password for the Configuration Administrator:
1. In Netscape Console, click Users and Groups.
2. In the Users and Groups window, click Directory.
3. In the Change Directory window, enter a new Bind DN or Bind Password, then click OK.

To change the username or password for the Local Administrator:
1. In the Netscape Console navigation tree, locate and select the Administration Server you want to reconfigure.
2. Click Open to open the Administration Server window.
3. In the Administration Server window, click Configuration.
4. In the Configuration tab, click Access.
5. In the Access tab, enter a new Username or Password.
6. Restart the Administration Server.

Examples of Delegated Administration

Jane is an administrator who troubleshoots network problems for end users. She needs to be able to access any server in any domain, and frequently modifies many types of user account information. She has a wide range of access permissions. When Jane logs into Netscape Console, she has a relatively unrestricted view of servers and tasks.

Figure 6.1 A member of the Administrator's group has an unrestricted view of network resources and server tasks.
John is also an administrator, but his job is focused on managing mail servers in the network. John's access permissions are more limited than Jane's. John is only allowed to access mail servers and can only modify user information related to mail accounts. When John logs into Netscape Console, he sees only the servers and tasks he needs to see in order to do his job.

Figure 6.2 A member of the Messaging Administrators group sees only the servers and tasks assigned to him.
Access to Network Resources

You provide access to network resources by adding users to administrators groups or by setting access permissions for a specific server.

Adding Users to the Configuration Administrators Group

Note. The Configuration Administrators group is automatically created when the configuration directory is installed. Only members of the Configuration Administrators group can add more users to the group. Members of the Configuration Administrators group have unlimited access permissions.

To add users to the Configuration Administrators group:
1. In Netscape Console, click Users and Groups, then click Directory.
2. In the Change Directory window, indicate the location of the user directory that contains the Configuration Administrators group, then click OK.
   - User Directory Host. Enter the fully qualified host name where the user directory is installed.
   - User Directory Port. Enter the port number you want to use to connect to the user directory.
   - User Directory Subtree. Enter o=NetscapeRoot to indicate where to find the Configuration Administrators group.
   - Bind DN. Enter the user ID or DN of a user authorized to change entries in the user directory.
   - Bind Password. Enter the password of the user directory Administrator.
3. Use the Search function to locate and highlight the Configuration Administrators group, then click Edit.
4. In the Edit Group window, click Members.
5. Click Add.
6. In the Search Users and Groups window, locate the user you want to add, then click OK. Repeat this step until all the users you want to add to the group are shown in the Add Group Members list, then click OK.

Setting Access Permission for an Individual Server

Users who have access permissions to a specific server can provide the same access to additional users. By default, the Configuration Administrator has the appropriate access permissions; Domain-level administrators and server administrators who have been given access permissions for an individual server can also provide the same access to other users.

To set access permissions for an individual server:
1. In Netscape Console, select the server you want to allow or deny access to.
2. From the Object menu, choose Set Access Permissions, and a list appears. The list contains the names of users and groups who currently have access permissions for the selected object. By default, the Configuration Administrators group has unlimited access to all servers, even though its name does not display on this list.
3. To deny access permission to a user or group in the list, select the user or group name, then click Delete User. Skip the rest of this procedure.
4. To allow access permission to additional users or groups, click Add User.
5. Use the Search dialog box as usual to locate the user or group you want to allow or deny access permissions to, then click OK.
6. In the Set Access Permissions dialog box, be sure that the user or group is added to the list, then click OK.

Access to Server Tasks

You provide access to server tasks by creating Access Control Information (ACI) rules. ACI rules determine who has permission to perform specific server tasks such as starting, stopping, or configuring a server. The ACI Editor is a graphical interface that helps you create Access Control Information or rules. (See the illustration in "Setting Access Permissions for a Server Task" on page 105.)

Note. Each Netscape 4.0 server may have its own ACI extensions and different uses for the ACI Editor. For detailed information about a specific server's ACI options, see the Administrator's Guide for that server.

What's in an ACI

Each entry in the user directory maintained by a Directory Server can include one or more ACI attributes. Attributes contain access control information for the entry. The access control information consists of three parts: a target, permissions, and bind rules.

Target

The target specifies the object, object attributes, or group of objects and attributes you're controlling access to.

Permissions

The permission specifically outlines what rights you are either allowing or denying. Read, write, and execute are typical access permissions specified in ACIs. See Table 6.1 on page 95 for a brief summary of access permissions.

Bind Rules

The bind rules specify the circumstances under which access is to be allowed or denied.
Bind rules may include any of the following:
- the user or group allowed or denied access permissions
- host computers from which users are allowed or denied access
- an interval of time during which the user's access is allowed or denied
- the type of permissions to be granted or denied to users or groups

ACI attributes are stored in the Directory Server entry for the targeted resource. The following example illustrates the use of two ACIs in the same directory entry. The first ACI allows all members of the Directory Administrators group unlimited access to the Directory Server. The second ACI denies access to the Directory Administrators group from 1:00 a.m. to 3:00 a.m. (0100 to 0300) on Sunday, Tuesday, and Friday:

    dn: o=airius.com
    objectClass: top
    objectClass: organization
    ACI: (target="ldap:///o=airius.com")(targetattr=*)(version 3.0; acl "acl 1"; allow (all) groupdn = "ldap:///cn=Directory Administrators, o=airius.com";)
    ACI: (target="ldap:///o=airius.com")(targetattr=*)(version 3.0; acl "acl 2"; deny (all) groupdn != "ldap:///cn=Directory Administrators, o=airius.com" and dayofweek = "Sun, Tues, Fri" and (timeofday >= "0100" and timeofday

Setting Access Permissions for a Server Task

To set access permission for a server task:
1. In Netscape Console, select a server and open its console.
2. From the server Tasks, choose the task you want to allow or deny access permission to.
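
The three-part ACI structure described under "What's in an ACI" can be checked mechanically when reviewing delegated access. The following is an added example, not part of the original Netscape documentation: it splits an ACI value into target, permissions and bind rules, and lists allow rules that grant every right on every attribute. The function names `parse_aci` and `broad_grants` are this example's own, and the ending of the second sample ACI is an assumption completed from the 0100 to 0300 window stated in the prose.

```python
import re

# Constructed sample. The first value is the page's "acl 1"; the second is
# "acl 2" with its cut-off ending completed from the 0100-0300 window stated
# in the prose (an assumption: the page's own copy is truncated).
SAMPLE_ACIS = [
    '(target="ldap:///o=airius.com")(targetattr=*)(version 3.0; acl "acl 1"; '
    'allow (all) groupdn = "ldap:///cn=Directory Administrators, o=airius.com";)',
    '(target="ldap:///o=airius.com")(targetattr=*)(version 3.0; acl "acl 2"; '
    'deny (all) groupdn != "ldap:///cn=Directory Administrators, o=airius.com" '
    'and dayofweek = "Sun, Tues, Fri" and '
    '(timeofday >= "0100" and timeofday < "0300");)',
]

ACI_RE = re.compile(
    r'\(target\s*=\s*"(?P<target>[^"]*)"\)\s*'
    r'\(targetattr\s*=\s*(?P<attrs>[^)]*)\)\s*'
    r'\(version\s+(?P<version>[\d.]+);\s*acl\s+"(?P<name>[^"]*)";\s*'
    r'(?P<effect>allow|deny)\s*\((?P<rights>[^)]*)\)\s*(?P<bind>.*);\s*\)\s*$',
    re.S)
COND_RE = re.compile(r'(\w+)\s*(!=|>=|<=|=|<|>)\s*"([^"]*)"')

def parse_aci(text):
    """Split one ACI value into target, permissions and bind rules."""
    m = ACI_RE.match(text.strip())
    if m is None:
        raise ValueError("not a recognisable ACI: %r" % text[:40])
    return {
        "name": m["name"],
        "target": {"dn": m["target"], "attrs": m["attrs"].strip().strip('"')},
        "permission": {"effect": m["effect"],
                       "rights": [r.strip() for r in m["rights"].split(",")]},
        # Conditions are listed flat; and/or grouping is not evaluated here.
        "bind_rules": COND_RE.findall(m["bind"]),
    }

def broad_grants(acis):
    """Names of allow rules that give every right on every attribute."""
    hits = []
    for aci in map(parse_aci, acis):
        p, t = aci["permission"], aci["target"]
        if p["effect"] == "allow" and "all" in p["rights"] and t["attrs"] == "*":
            hits.append(aci["name"])
    return hits

if __name__ == "__main__":
    for raw in SAMPLE_ACIS:
        print(parse_aci(raw)["name"], parse_aci(raw)["bind_rules"])
    print("broad grants:", broad_grants(SAMPLE_ACIS))
```

Run over an export of a directory's ACI attributes, the flat bind-rule list shows at a glance which group, day and time conditions each delegated permission depends on.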