Sun ONE Web Server 6.1 Administrator's Guide
The Global Settings Tab
The Global Settings tab contains the following pages:
The Configure Directory Service Page
Based on an open-systems server protocol called the Lightweight Directory Access Protocol (LDAP), a directory server such as Sun ONE Directory Server allows you to manage all your user information from a single source. You can also configure the directory server to allow your users to retrieve directory information from multiple, easily accessible network locations. The Configure Directory Service page allows you to create a new directory service, and edit or delete an existing one.
Later, you can assign a different directory service to each virtual server. For more information, see About Directory Services and The Pick Directory Services for Virtual Server Page in the online help.
Note
If you want to set up distributed administration, the default directory service must be an LDAP-based directory service.
The following elements are displayed:
Create New Service of Type. The choices are LDAP, Key File, and Digest File.
New. Click to create a new directory service of the selected type.
Delete. To delete a service, select the corresponding radio button and click OK. This deletes the directory service entry from the dbswitch.conf file but does not delete the file itself.
Directory Service ID. The name of the directory service. Click on the name of a service to edit its properties in the configuration page corresponding to the type of service selected.
Directory Service Type. Lists the type of service: LDAP, Key File or Digest File.
OK. Saves your entries and updates the server-root/userdb/dbswitch.conf file with an appropriate entry.
Reset. Erases your changes and resets the elements in the page to the values they contained before your changes.
Help. Displays online help.
The LDAP Directory Server Configuration Page
The LDAP Directory Server Configuration page allows you to configure basic LDAP settings for your server.
The following elements are displayed:
Directory Service ID. The name of the directory service. If this is the only directory service being configured, the Directory Service ID is set to “default.”
Host Name. Specifies the name of the LDAP server. You must enter a host name even if the directory server is running on the local machine.
Port. Specifies the port on which the LDAP server runs. If you are going to use SSL with a directory server, then you should enter the port number that the directory server is using for SSL.
Use Secure Sockets Layer (SSL) for connections. Specifies whether the server should use SSL for communications with the directory server. If you click Yes, then you must also configure the Administration Server to use SSL communications.
Base DN. Specifies the distinguished name where directory lookups will occur by default, and where all the Administration Server’s entries will be placed in your directory tree (for example, o=sun.com). A DN is the string representation for the name of an entry in a directory server.
Bind DN. Specifies the distinguished name that the Administration Server will use to initially bind (or log in) to the directory server (for example, cn=Directory Manager). Binding determines the permission level you are granted for the duration of a connection. The DN supplied in a bind request can be the DN of an alias entry.
This bind DN only requires read and search access to the directory. The DN and its password (if any) are saved with the server's directory service configuration and are sent to the directory server on every bind, in cleartext unless SSL is enabled, so they are easily compromised. It is therefore best to leave this field blank and set up your directory server to allow anonymous search access. If you do not want to allow anonymous search access to your directory, specify a bind DN that has only read and search access. Never specify your directory server's unrestricted user (Root DN) in this field: anyone who obtains that DN and password controls the whole directory.
Bind Password. Specifies the password used for authentication.
Save Changes. Saves your entries.
Reset. Erases your changes and resets the elements in the page to the values they contained before your changes.
Help. Displays online help.
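The following is an added example, not code from this guide or from the product, of the checks a reviewer would apply to the settings on this page before saving them. It normalizes the Bind DN so that differences in case and spacing cannot hide a match against the directory's Root DN (cn=Directory Manager is Sun ONE Directory Server's default Root DN; it is also the example DN quoted for the Bind DN field above, which the paragraph that follows tells you not to use), and it flags a bind DN used over a non-SSL connection, because an LDAP simple bind sends the password in cleartext unless the connection is protected by SSL. The settings class, the finding names and the sample values are this example's own.

```python
import re
from dataclasses import dataclass


# Example settings object mirroring the fields of the LDAP Directory Server
# Configuration page. The class, finding names and sample values are this
# example's own, not part of the product.
@dataclass
class LdapDirectoryService:
    service_id: str
    host: str
    port: int
    use_ssl: bool
    base_dn: str
    bind_dn: str = ""        # empty = bind anonymously, as the page recommends
    bind_password: str = ""


# Sun ONE Directory Server's default unrestricted user (Root DN).
ROOT_DNS = ("cn=Directory Manager",)


def normalize_dn(dn: str) -> str:
    """Canonical form for DN comparison (RFC 4514): attribute types are
    case-insensitive and whitespace around '=' and ',' is insignificant.
    Simplification: every value is lower-cased, which is right for cn
    (caseIgnoreMatch) but not for every attribute type."""
    rdns = re.split(r"(?<!\\),", dn)        # split on commas that are not escaped
    parts = []
    for rdn in rdns:
        if "=" not in rdn:
            raise ValueError(f"malformed RDN: {rdn!r}")
        attr, value = rdn.split("=", 1)
        parts.append(f"{attr.strip().lower()}={' '.join(value.split()).lower()}")
    return ",".join(parts)


def audit_directory_service(svc: LdapDirectoryService, root_dns=ROOT_DNS) -> list:
    """Return the findings a reviewer would raise against this page's settings."""
    findings = []
    if svc.bind_dn:
        if any(normalize_dn(svc.bind_dn) == normalize_dn(r) for r in root_dns):
            findings.append("bind-dn-is-root-dn")        # page: never use the Root DN here
        if not svc.use_ssl:
            # An LDAP simple bind sends the password in cleartext unless the
            # connection is protected by SSL/TLS.
            findings.append("simple-bind-without-ssl")
        if not svc.bind_password:
            # A DN with an empty password is an "unauthenticated bind"
            # (RFC 4513 5.1.2): the server treats it as anonymous, not as this DN.
            findings.append("bind-dn-without-password")
    if svc.use_ssl and svc.port == 389:
        # 389 is the standard cleartext LDAP port; the page says to enter the
        # directory server's SSL port when SSL is selected.
        findings.append("ssl-enabled-on-cleartext-ldap-port")
    return findings


if __name__ == "__main__":
    # Constructed sample: the page's own example Bind DN, over plain LDAP.
    sample = LdapDirectoryService("default", "ldap.example.com", 389, False,
                                  "o=sun.com", "CN=directory manager", "secret")
    print(audit_directory_service(sample))
```

Run it against the settings you are about to save; an empty list means the configuration follows the page's guidance (anonymous search, or a read-only service account over SSL).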
The Key File Configuration Page
The Key File Configuration page allows you to bind a directory service name with a text file called a key file. This key file will store user and group authentication settings for use by the file realm.
The following elements are displayed:
Directory Service ID. The name of the directory service. If this is the only directory service being configured, the Directory Service ID is set to “default.”
File Name. The name of the key file. When you click Save Changes, the server checks if this file exists. If it does not, it is created. If the file cannot be created, an error message is displayed.
Save Changes. Saves your entries.
Reset. Erases your changes and resets the elements in the page to the values they contained before your changes.
Help. Displays online help.
The Digest File Configuration Page
The Digest File Configuration page allows you to bind a directory service name with a digest file.
The following elements are displayed:
Directory Service ID. The name of the directory service. If this is the only directory service being configured, the Directory Service ID is set to “default.”
File Name. The name of the digest file. When you click Save Changes, the server checks if this file exists. If it does not, it is created. If the file cannot be created, an error message is displayed.
Save Changes. Saves your entries.
Reset. Erases your changes and resets the elements in the page to the values they contained before your changes.
Help. Displays online help.
The Restrict Access Page
The Restrict Access page specifies access control to the Administration Server. For more information, see Setting Access Control Globally.
Note
You must set up an administration group and enable distributed administration on The Distributed Administration Page in the Preferences tab before creating access control for the Administration Server.
The following elements are displayed:
For the ACL. Allows you to choose an ACL entry from the drop-down list.
Go. Click this button to load data.
Create ACL. Click this button to create an ACL for the server.
OK. Saves your entries.
Reset. Erases your changes and resets the elements in the page to the values they contained before your changes.
Help. Displays online help.
Access Control Rules for Page
The Access Control Rules page is divided into two frames that set the access control rules. If the resource you chose already has access control, the rules will appear in the top frame. For more information, see Setting Access Control Globally.
The following elements are displayed:
Upper Frame
The upper frame displays the access control rules, representing each configurable setting as a link. When you click on a link, the page divides into two frames, and you can use the Lower Frame to set the access control rules. By default, the ACL for the Administration Server begins with two non-editable deny statements.
The following elements are displayed in the upper frame:
Action
Specifies whether to deny or allow access to the users, groups, or hosts. For the Administration Server, the first two lines of the access control rules deny everyone except the group admin access to any portion of the Administration Server. To allow users and groups outside the group admin access, you must click New Line and create an access control rule. For more information, see Setting Access Control Globally.
Users/Groups
Allows you to specify user and group authentication when you click “anyone.” The bottom frame allows you to configure User-Group authentication. By default, no users or groups outside of the group admin can access the Administration Server resources. For more information, see Specifying Users and Groups.
From host
Allows you to specify the computers you want to include in the rule when you click “anyplace”. In the bottom frame, you can enter wildcard patterns of host names or IP addresses to allow or deny. For more information, see Specifying the From Host.
Programs
Restricts access to areas in the Administration Server. For example, you can restrict access to all pages for configuring the administration server by selecting All Programs. If you want to restrict access to one or more areas, choose the name of the program group in the drop-down list. If you want to restrict access to one page in a tab, enter the name of the page in Program Items. For example, to restrict access to the Access Control List Management page, type distacl in Program Items. For more information, see Restricting Access to Programs.
Extra
Allows you to specify a customized ACL entry. This is useful if you use the access control API to customize ACLs. For more information, see Writing Customized Expressions.
Continue
Specifies that the next line in the access control rule chain is evaluated before the server determines if the user is allowed access. When creating multiple lines in an access control entry, it’s best to work from the most general restrictions to the most specific ones.
Trash can icon
Deletes the corresponding line from the access control rules.
Access control is on
Specifies whether access control is enabled.
New Line
Adds a default ACL rule to the bottom row of the table.
To swap an access control restriction with the one preceding it, click the up arrow icon. To swap an access control restriction with the one following it, click the down arrow icon.
Response when Denied
Specifies the response a user sees when denied access. You can create a different message for each access control object. By default, the user is sent the following message: “FORBIDDEN. Your client is not allowed access to the restricted object.” For more information, see Responding When Access is Denied.
Submit. Saves your entries.
Revert. Erases your changes and resets the elements in the page to the values they contained before your changes.
Help. Displays the online help.
Lower Frame
The lower frame allows you to configure access control rules for the ACL in the Upper Frame.
The following elements are displayed in the lower frame:
Allow/Deny
For more information, see Setting the Action.
Allow. Allows the user, group, or host access.
Deny. Denies the user, group, or host access.
Update. Saves your entries.
Reset. Erases your changes and resets the elements in the page to the values they contained before your changes.
Help. Displays the online help.
User/Group
For more information, see Specifying Users and Groups.
Anyone (No Authentication). Allows everyone access to the resource. No authentication is required.
Authenticated people only. Allows only authenticated users and groups to access the resource. Choose from the following options:
Prompt for authentication. Allows you to specify the message text that appears in the authentication dialog box. You can use this text to describe what the user needs to enter. Depending on the operating system, the user will see about the first 40 characters of the prompt. Netscape Navigator and Netscape Communicator cache the username and password and associate them with the prompt text, so if the user accesses areas (files and directories) of the server that have the same prompt, the user does not have to retype the username and password. Conversely, if you want to force users to reauthenticate for different areas, you must change the prompt for the ACL on that resource.
Update. Saves your entries.
Reset. Erases your changes and resets the elements in the page to the values they contained before your changes.
Help. Displays the online help.
From Host
For more information, see Specifying the From Host.
Any place. Allows any machine access to the resource.
Only from. Allows you to restrict access based on host names or IP addresses.
Enter wildcard patterns that match the machines’ host names or IP addresses in these fields. For example, to allow or deny all computers in a specific domain, enter a wildcard pattern that matches all hosts in that domain, such as *.sun.com.
Update. Saves your entries.
Reset. Erases your changes and resets the elements in the page to the values they contained before your changes.
Help. Displays the online help.
Programs
For more information, see Restricting Access to Programs.
All programs. Allows users or groups access to all the tabs in the Administration Server.
Only the following. Allows the users or groups you have specified access to specific areas of the server. Select the areas from the drop-down Program Groups list. You can choose multiple program groups by holding down the Control key and clicking the names.
Program Items. Allows you to restrict access to one page in a program group by entering the name of the page in the Program Items field. For example, to restrict access to the Access Control List Management page, type distacl in Program Items. For more information, see Restricting Access to Programs.
Update. Saves your entries.
Reset. Erases your changes and resets the elements in the page to the values they contained before your changes.
Help. Displays the online help.
Customized Expressions
Customize expressions. Allows you to enter custom expressions for an ACL in the text box. You can use this feature if you are familiar with the syntax and structure of ACL files. For more information on customized expressions, see Writing Customized Expressions, and ACL File Syntax.
Update. Saves your entries.
Reset. Erases your changes and resets the elements in the page to the values they contained before your changes.
Help. Displays the online help.
Access Denied Response
Respond with the Default File (Redirection Off). The following message is sent: “FORBIDDEN. Your client is not allowed access to the restricted object.”
Respond with the Following URL: (Redirection On). When selected, allows you to create a different message for each ACL. Enter the absolute path of a URL or a relative URI.
Update. Saves your entries.
Reset. Erases your changes and resets the elements in the page to the values they contained before your changes.
Help. Displays the online help.
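As an added example (not the server's own ACL engine and not its ACL file syntax), the following model evaluates a chain of access control lines using only the attributes described on this page: Action, Users/Groups, From host wildcard patterns, Programs (All programs, program groups, or program items such as distacl) and the Continue flag. It starts with the two default lines, deny everyone and then allow the group admin, and shows why a line added with New Line must come after the general deny: with Continue set, a later matching line overrides an earlier one, so a specific allow placed first is silently cancelled, and a line with Continue off ends evaluation on the spot. The user, host and program group names in the sample requests are hypothetical.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Optional


@dataclass(frozen=True)
class Rule:
    """One line of the Access Control Rules table, as described on this page."""
    action: str                           # "allow" or "deny"
    users: Optional[frozenset] = None     # None = "anyone" (no authentication)
    groups: Optional[frozenset] = None
    hosts: tuple = ("*",)                 # From host wildcard patterns; ("*",) = anyplace
    programs: Optional[frozenset] = None  # program groups and program items; None = All programs
    cont: bool = True                     # Continue: later lines may still override this one


@dataclass(frozen=True)
class Request:
    user: Optional[str]                   # None = not authenticated
    groups: frozenset
    host: str                             # resolved client host name
    ip: str                               # client IP address
    program_group: str
    program_item: str


def rule_matches(rule: Rule, req: Request) -> bool:
    # Users/Groups: "anyone" matches unauthenticated requests too; otherwise the
    # request must carry an authenticated user listed by name or by group.
    if rule.users is not None or rule.groups is not None:
        if req.user is None:
            return False
        in_users = rule.users is not None and req.user in rule.users
        in_groups = rule.groups is not None and bool(req.groups & rule.groups)
        if not (in_users or in_groups):
            return False
    # From host: wildcard patterns matched against the host name or the IP address.
    if not any(fnmatchcase(req.host.lower(), p.lower()) or fnmatchcase(req.ip, p)
               for p in rule.hosts):
        return False
    # Programs: All programs, or a listed program group / program item.
    if rule.programs is not None and not ({req.program_group, req.program_item} & rule.programs):
        return False
    return True


def evaluate(rules, req: Request) -> str:
    """Walk the chain in order. A matching line sets the decision; if its Continue
    flag is off, evaluation stops there, otherwise later (more specific) lines may
    override it. If no line matches, the Administration Server stays closed."""
    decision = "deny"
    for rule in rules:
        if rule_matches(rule, req):
            decision = rule.action
            if not rule.cont:
                break
    return decision


# The two default, non-editable lines described on the page: deny everyone,
# then allow the group admin, both with Continue so that lines added with
# New Line can refine them.
DEFAULT_RULES = (
    Rule("deny"),
    Rule("allow", groups=frozenset({"admin"})),
)

# Constructed custom line (hypothetical user and host): let "alice" reach only
# the Access Control List Management page (program item distacl), and only from
# hosts in *.sun.com.
ALICE_RULE = Rule("allow", users=frozenset({"alice"}), hosts=("*.sun.com",),
                  programs=frozenset({"distacl"}))
CUSTOM_RULES = DEFAULT_RULES + (ALICE_RULE,)


if __name__ == "__main__":
    alice = Request("alice", frozenset(), "ws1.sun.com", "192.0.2.20", "global-settings", "distacl")
    print("general to specific:", evaluate(CUSTOM_RULES, alice))               # allow
    print("specific first:     ", evaluate((ALICE_RULE,) + DEFAULT_RULES, alice))  # deny
```

The host-name patterns depend on the server resolving the client's address back to a name, which the owner of that address space controls; where the From host restriction matters, IP-address patterns are the more dependable form.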
The Cron Control Page (UNIX/Linux)
The Cron Control page allows you to start and stop all the cron jobs scheduled for Sun ONE Web Server in the file server-root/config/schedulerd.
For more information, see Using schedulerd Control-based Log Rotation (UNIX/Linux).
The following elements are displayed:
Start. Starts schedulerd, and starts all scheduled cron jobs.
Stop. Stops all cron jobs defined in schedulerd.
Restart. Restarts all cron jobs in schedulerd.
Help. Displays the online help.
The SNMP Master Agent Community Page (UNIX/Linux)
A community string is a password that an SNMP agent uses for authentication: a network management station must send the community string with each message it sends to the agent, and the agent uses it to verify whether the station is authorized to read or change information. Community strings are not concealed in SNMP packets; they are sent as plain ASCII text, so anyone able to capture traffic between the management station and the agent can read them. Therefore, you should change community strings regularly and grant each community only the operations it needs. The master agent uses the community string for authentication.
The Community Strings page allows you to create, edit, and remove communities.
For more information, see Configuring the Community String.
The following elements are displayed:
Community. Specifies the name of the community you want to create.
Operation. Specifies the permissions for the new community. Choose from the following:
- ALLOW ALL OPERATIONS. Allows this community string to request data or reply to messages, and set variable values.
- ALLOW GET OPERATIONS. Allows this community string only to request data or reply to messages, not to set variable values.
- ALLOW SET OPERATIONS. Allows this community string to only set variable values.
Current communities. Lists all communities currently defined for the server. To modify a community, click Edit in the community row. To delete a community, click Remove in the community row.
OK. Saves your entries.
Reset. Erases your changes and resets the elements in the page to the values they contained before your changes.
Help. Displays online help.
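The following added example (not part of this guide or of the product) makes the cleartext point concrete. It encodes an SNMPv1 GetRequest exactly as a management station puts it on the wire, then reads the community string straight back out of the raw bytes, which is all a passive listener needs to do. It also models the agent-side decision this page configures: the community must be one of the Current communities, and its Operation must permit the PDU type (GET or SET). The community strings, OID and request id are constructed sample values.

```python
# BER encoding helpers for the SNMPv1 message layout (RFC 1157):
#   Message ::= SEQUENCE { version INTEGER, community OCTET STRING, data PDU }
GET_REQUEST, SET_REQUEST = 0xA0, 0xA3            # SNMPv1 PDU tags


def ber_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(body)) + body


def ber_int(v: int) -> bytes:
    # minimal two's-complement encoding
    return tlv(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True))


def ber_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])       # first two arcs share one byte
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                                   # base-128, high bit = more follows
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(chunk)
    return tlv(0x06, bytes(out))


def build_request(pdu_tag: int, community: str, oid: str, request_id: int = 1) -> bytes:
    """What a management station sends (constructed: one varbind with a NULL value)."""
    varbind = tlv(0x30, ber_oid(oid) + b"\x05\x00")
    pdu = tlv(pdu_tag, ber_int(request_id) + ber_int(0) + ber_int(0) + tlv(0x30, varbind))
    return tlv(0x30, ber_int(0) + tlv(0x04, community.encode()) + pdu)   # version 0 = SNMPv1


def read_tlv(buf: bytes, pos: int):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def sniff_community(packet: bytes):
    """What anyone capturing the packet can read: version, community, PDU type."""
    tag, msg, _ = read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, version, pos = read_tlv(msg, 0)
    _, community, pos = read_tlv(msg, pos)
    pdu_tag, _, _ = read_tlv(msg, pos)
    return int.from_bytes(version, "big", signed=True), community.decode(), pdu_tag


# The three Operation choices from the Community Strings page.
ALLOW_ALL, ALLOW_GET, ALLOW_SET = "ALLOW ALL OPERATIONS", "ALLOW GET OPERATIONS", "ALLOW SET OPERATIONS"


def agent_accepts(packet: bytes, communities: dict) -> bool:
    """Model of the master agent's check: the community must be configured and
    its Operation must permit the PDU type. communities = {string: operation}."""
    _, community, pdu_tag = sniff_community(packet)
    op = communities.get(community)
    if op is None:
        return False
    if pdu_tag == GET_REQUEST:
        return op in (ALLOW_ALL, ALLOW_GET)
    if pdu_tag == SET_REQUEST:
        return op in (ALLOW_ALL, ALLOW_SET)
    return False


if __name__ == "__main__":
    pkt = build_request(GET_REQUEST, "public", "1.3.6.1.2.1.1.1.0")   # sysDescr.0
    print(pkt.hex())                     # the bytes 7075626c6963 ("public") are in plain view
    print(sniff_community(pkt))          # (0, 'public', 160)
```

Because the string is recoverable from any captured packet, a community with ALLOW SET or ALLOW ALL permissions should be treated as a write credential for the agent host and restricted accordingly; giving the management station's read-only polling its own ALLOW GET community limits what a captured string is worth.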
The SNMP Master Agent Trap Page (UNIX/Linux)
The Manager Entries page allows you to create, edit, and remove SNMP trap destinations. An SNMP trap is a message the SNMP agent sends to a network management station. For example, an SNMP agent would send a trap when an interface’s status has changed from up to down. The SNMP agent must know the address of the network management station so it knows where to send traps; you can configure this trap destination for the SNMP master agent from the Server Manager.
For more information, see Configuring Trap Destinations.
The following elements are displayed:
Manager station. Specifies the name of the system that is running your network management software.
Trap port. Specifies the port number on which your network management system listens for traps (the well-known port is 162).
With community. Specifies the community string you want to use in the trap.
Current manager entries. Lists all manager stations defined for the server. To modify a manager entry, click Edit in the manager entry row. To delete a manager entry, click Remove in the manager entry row.
OK. Saves your entries.
Reset. Erases your changes and resets the elements in the page to the values they contained before your changes.
Help. Displays online help.
The SNMP Master Agent Control Page (UNIX/Linux)
The master SNMP agent exchanges information between the subagents and the network management station. A master agent runs on the same host machine as the subagents it talks to. You can have multiple subagents installed on a host machine, and all of them can communicate with the master agent. The SNMP Master Agent Control page allows you to start, stop, or restart the SNMP master agent after installing it.
For more information, see the following sections:
The following elements are displayed:
Start. Starts the SNMP master agent.
Stop. Stops the SNMP master agent.
Restart. Restarts the SNMP master agent.
Help. Displays online help.