Document revision date: 28 June 1999

This book describes the Netscape administration server and covers basic concepts common to all Netscape SuiteSpot servers.

Revision/Update Information: This is a new manual.

Software Version: OpenVMS Alpha Version 7.2

Compaq Computer Corporation
Houston, Texas

Compaq Computer Corporation makes no representations that the use of its products in the manner described in this publication will not infringe on existing or future patent rights, nor do the descriptions contained in this publication imply the granting of licenses to make, use, or sell equipment or software in accordance with the description.

Possession, use, or copying of the software described in this publication is authorized only pursuant to a valid written license from Compaq or an authorized sublicensor.

Compaq conducts its business in a manner that conserves the environment and protects the safety and health of its employees, customers, and the community.

© Compaq Computer Corporation 1999. All rights reserved.

The following are trademarks of Compaq Computer Corporation: Alpha, Compaq, DECdtm, DECdirect, DECwindows, DIGITAL, OpenVMS, VAX, VAX DOCUMENT, VAXcluster, VMS, and the Compaq logo.

The following are third-party trademarks:

Display POSTSCRIPT is a registered trademark of Adobe Systems Incorporated.

All other trademarks and registered trademarks are the property of their respective holders.

ZK6562

The OpenVMS documentation set is available on CD-ROM.

Contents

The administration server, included with all Netscape SuiteSpot servers, is a unique, web-based server (HTTP protocol) that you use to configure all of your Netscape SuiteSpot 3.x servers. You access the administration server just like you'd access any web site--you use a browser such as Netscape Navigator or Netscape Communicator.

Use this book to learn the concepts for managing your Netscape servers. You should read the first chapter of this book before you install any Netscape server because it contains information about preparing for installation and lists guidelines for installing multiple servers on a single computer. You should read about cluster management if you plan to install servers on multiple computers and want to manage the servers from a central computer.

This book describes the Netscape administration server and covers basic concepts common to all Netscape SuiteSpot servers. The online help describes the user interface for the administration server and documents how to use it to configure the administration server. It also contains in-depth information about command-line tools. Together, this book and the online help provide a complete documentation set for managing Netscape servers using the administration server.

This book also explains how to:

• start and stop the administration server
• install two or more Netscape servers that use different versions of the administration server (that is, 2.x versus 3.x)
• configure multiple Netscape SuiteSpot servers from a single administration server (cluster management)
• configure and use a local database or an LDAP directory (such as Netscape Directory Server) to manage users and groups for access control to your servers
• use keys and certificates to enable encrypted communications in your servers
• build access-control lists to restrict who can use your servers

How to Use This Manual

Read the first chapter of this book before you install any server. It contains basic information about the administration server and its features. After reading that chapter, you should plan how you will install your servers. You should then read the installation documentation provided with the individual servers you want to install.

Once you install the servers you can read the rest of this book to learn how to configure the administration server and use it to manage your other Netscape servers.

Browser Requirements

To configure any of the SuiteSpot servers, you need a network browser, such as Netscape Navigator or Navigator Gold 3.0 or later, Netscape Communicator, or any other browser that supports Java and JavaScript. If you don't have a browser installed on your computer, install the version of Netscape Navigator from your SuiteSpot CD. In most cases, this is in the /nav30 directory. Because all configuration forms use Java or JavaScript, you must enable that feature in your browser before you can administer your Netscape SuiteSpot servers. To do this in Navigator:

1. Choose Options | Network Preferences from the Netscape Navigator or Navigator Gold menu.
2. Select the Language tab. Make sure Java and JavaScript are checked, and then click OK. To do this in Netscape Communicator:
3. Choose Edit | Preferences from the Netscape Communicator menu.
4. Select the Advanced category in the left column.
5. Check the options labeled "Enable Java" and "Enable JavaScript," and then click OK.

Reader's Comments

Compaq welcomes your comments on this manual.

Print or edit the online form SYS$HELP:OPENVMSDOC_COMMENTS.TXT and send us your comments by:

Internet	openvmsdoc@zko.mts.dec.com
Fax	603 884-0120, Attention: OSSG Documentation, ZKO3-4/U08
Mail	Compaq Computer Corporation OSSG Documentation Group, ZKO3-4/U08 110 Spit Brook Rd. Nashua, NH 03062-2698

How To Order Additional Documentation

Use the following World Wide Web address to order additional documentation:

http://www.openvms.digital.com:81/

If you need help deciding which documentation best meets your needs, call 800-DIGITAL (800-344-4825).

Conventions

The name of the OpenVMS AXP operating system has been changed to the OpenVMS Alpha operating system. Any references to OpenVMS AXP or AXP are synonymous with OpenVMS Alpha or Alpha.

VMScluster systems are now referred to as OpenVMS Cluster systems. Unless otherwise specified, references to OpenVMS Clusters or clusters in this document are synonymous with VMSclusters.

In this manual, every use of DECwindows and DECwindows Motif refers to DECwindows Motif for OpenVMS software.

The following conventions are also used in this manual:

Ctrl/ x	A sequence such as Ctrl/ x indicates that you must hold down the key labeled Ctrl while you press another key or a pointing device button.
[Return]	In examples, a key name enclosed in a box indicates that you press a key on the keyboard. (In text, a key name is not enclosed in a box.)
...	Horizontal ellipsis points in examples indicate one of the following possibilities: Additional optional arguments in a statement have been omitted. The preceding item or items can be repeated one or more times. Additional parameters, values, or other information can be entered.
. . .	Vertical ellipsis points indicate the omission of items from a code example or command format; the items are omitted because they are not important to the topic being discussed.
( )	In command format descriptions, parentheses indicate that, if you choose more than one option, you must enclose the choices in parentheses.
[ ]	In command format descriptions, brackets indicate optional elements. You can choose one, none, or all of the options. (Brackets are not optional, however, in the syntax of a directory name in an OpenVMS file specification or in the syntax of a substring specification in an assignment statement.)
{ }	In command format descriptions, braces surround a required choice of options; you must choose one of the options listed.
bold text	This text style represents the introduction of a new term or the name of an argument, an attribute, or a reason.
italic text	Italic text emphasizes important information and indicates complete titles of manuals and variables. Variables include information that varies in system messages (Internal error number), in command lines (/PRODUCER= name), and in command parameters in text (where device-name contains up to five alphanumeric characters).
UPPERCASE TEXT	Uppercase text indicates a command, the name of a routine, the name of a file, or the abbreviation for a system privilege.
-	A hyphen in code examples indicates that additional arguments to the request are provided on the line that follows.
numbers	All numbers in text are assumed to be decimal unless otherwise noted. Nondecimal radixes---binary, octal, or hexadecimal---are explicitly indicated.
|	The vertical bar is used as a separator for user interface elements. For example, "choose Server Status | Logging Options" means you should click the Server Status button in the top frame of the Server Manager and then click the Logging Options link in the left frame.
/	Forward slash is used to separate directories in a path. If you use the NT operating system, you might be more familiar with the backslash in paths, but NT supports both forward and back slashes.

This chapter describes the concepts behind the administration server and its Server Manager forms you use to configure your Netscape SuiteSpot servers. This chapter also gives you an overview of some new features and tells you how to start and stop the server. For online directions on using specific forms in the Server Manager, click the Help button at the bottom of the form.

Because every Netscape SuiteSpot server is configured using an administration server and the Server Manager forms, you can easily configure your servers remotely, using any computer in your network.

Figure 1-1 shows how you can configure your SuiteSpot servers from any computer in the network.

Figure 1-1 Configuring Server

There are multiple versions of the administration server (2.x and 3.x), and various SuiteSpot servers are configured using different versions. Because of the different versions, this chapter lists suggestions to follow before installing two servers that use different versions of the administration server. For a list of the servers that use the different versions of the administration server, see the printed Quick Start card that comes with SuiteSpot. If you have an individual server, check its documentation for the administration server version it uses.

1.1 Using the administration server

The administration server is a web-based server that contains the Java and JavaScript forms you use to configure your Netscape SuiteSpot servers. Because the forms for each SuiteSpot server have a consistent look and feel, you can quickly learn to configure and manage another server.

The administration server is installed when you install your first SuiteSpot server. The directory where you install the servers is called the server root directory. If you install a second SuiteSpot server and you want to configure it using the same administration server as the first SuiteSpot server, you install the second one in the same server root directory as the first.

After installing a SuiteSpot server and administration server, you use your browser to navigate to the administration server and use its forms to configure your SuiteSpot servers. When you submit the forms, the administration server modifies the configuration for the SuiteSpot server you were administering.

The URL you use to navigate to the administration server depends on the computer host name and the port number you choose when you install any SuiteSpot server. For example, if you installed the administration server on port 12345, the URL would look like this:

http://myserver.mozilla.com:12345

Before you can get to any forms, the administration server prompts you to authenticate yourself. This means you need to type a user name and password. You set up the "superuser" user name and password when you install the first SuiteSpot server and administration server on your computer. After installation, you can use distributed administration to give multiple people access to different forms in the administration server.

The first page you see when you access the administration server is called the Server Administration page. The Server Administration page has three or four sections, depending on the servers you have installed. Figure 1-2 shows all four sections, which are described here:

1. "General Administration" contains buttons for configuring the administration server.
2. "Servers Supporting General Administration" contains all of the SuiteSpot 3.x servers installed on the computer (in the same server root directory).
3. The third section isn't named, but it contains two links: one for migrating a configuration from a 2.x server, and one for removing a server from your computer.
4. "Other Servers" appears only if your computer contains both 2.x and 3.x versions of the administration servers. This might occur, for example, if you install Netscape Directory Server 1.02, which uses the 2.x administration server, and Netscape Enterprise Server 3.0, which uses the 3.x administration server. If you have a 2.x server you want to configure from a 3.x administration server, see the section Installing 2.x and 3.x servers together later in this chapter.

The Server Administration page lets you manage your Netscape servers.

Figure 1-2 Server Administration Page

As stated earlier, the collection of forms used to configure a single server is called the Server Manager. The administration server contains a Server Manager for each Netscape server installed on the computer, including one for the administration server itself.

The Server Administration page, shown in Figure 1-2, contains links to each Server Manager.

To get to the Server Manager forms for the administration server, click any of the category buttons on the Server Administration page.

Figure 1-3 Category Buttons

To get to the Server Manager forms for a particular server, click the button in the General Administration (Figure 1-4) section that has the server's name on it. For directions on configuring a particular server, see that server's documentation or click Help in any online form.

Figure 1-4 General Administration

After clicking on a button, you'll see the Server Manager, which is a three-frame page with buttons in the top frame and links in the left frame.

Figure 1-5 shows the administration server's Server Manager forms that appear in a three-frame page.

Figure 1-5 Server Manager

To use the Server Manager, you click a category button (Figure 1-6) in the top frame (for example, Server Preferences), and then you click a link in the left frame (for example, Distributed Admin). A form appears in the remaining frame where you select options and specify values that configure the server. To submit your changes in the form, click the OK button. Click the Help button in any form to get specific directions on using that form.

Figure 1-6 Button

To return to the Server Administration page (Figure 1-5), click the Server Administration button in the top frame of the Server Manager.

1.3 Features new to the 3.x administration server

The new 3.x features refer to the version of the administration server, not necessarily to the version of the Netscape server products. As of this writing, the SuiteSpot servers using the 3.x administration server are:

• Netscape Enterprise Server 3.0
• Netscape Messaging Server 3.0
• Netscape Collabra Server 3.0

Check your product documentation or the SuiteSpot Quick Start card for the administration version a particular server uses. See the next section for information on installing multiple versions of servers on the same computer.

The following items are some of the new features in the 3.x version of Netscape servers:

• Cluster management lets you administer multiple remote servers from a single administration server. Multiple servers of the same type (for example, multiple web servers) can be configured identically, provided that server type supports this feature. The collection of servers that are configured from a single administration server is called a cluster. Not all 3.x servers support cluster management, so check with your product documentation.
• Distributed administration lets you delegate administrative tasks without giving administrators full access to every server. When you connect to the administration server, it uses the name and password to determine what you can configure. For example, you can set up the administration server to allow three people full control over the administration server and any servers it contains. You could then allow several others access to a limited set of features, such as adding users to the database that is used for access control.
• Directory-enabled access control lets you use either a local database or an LDAP server, such as Netscape Directory Server, for your list of users and groups.
• Keys and certificates are stored and managed in the administration server, which allows multiple Netscape servers to share encryption keys certificate.
• Client certificates let servers check client encryption certificates. Some servers use client certificates for authentication--that is, as a proof of the client's identity. Some servers can compare the certificate with one stored in an LDAP database. This is one way of checking for a revoked certificate.

This section describes the issues you need to resolve before you install your Netscape SuiteSpot servers. You should also read the Administrator's Guide for each server before installation, because they might include other special considerations specific to that server type.

1.4.1 Setting up the SuiteSpot user and group

If you plan on installing multiple SuiteSpot servers on a single computer, create a SuiteSpot system group that includes the system user account you plan to use for each server installed on the computer. (During installation, you specify the user account you want the SuiteSpot server to use.) This gives any servers installed on the computer read and execute permissions to the files or directories owned by other servers (for example, the local directory of users and groups used in access control).

For example, if you're installing Netscape Messaging Server and Netscape Enterprise Server on the same computer, you might create a group called suitespot with system users mail and web.

Creating the user and group is more important on Unix systems, but you can also do this on Windows NT systems.

When you create these accounts, you should create them so that no other system users or groups have write access to the files owned by the servers. In particular, you'll want to write-protect the administration server's password file located at <server_root>/admin-serv/config/admpw. And you should consider protecting any encryption key-pair files and certificates (in the directory <server_root>/alias), and the local database (in the directory <server_root>/userdb).

1.4.2 Installing 2.x and 3.x servers together

There are times when you'll want to install both 2.x and 3.x servers and their administration servers on the same computer. For example:

• You might do this as part of the upgrade process; that is, you install the latest software, test it, and then put it into production before you remove the older version.
• You might also purchase a version of Netscape SuiteSpot that includes server products that use different versions of the administration server. Because the 2.x version of the administration server can't use the forms of a version 3.x administration server, you need to take some precautions before installing both versions on a single computer:
• If you know you'll be installing two servers belonging to different versions, install the 2.x version first and then install the 3.x server in a different server root directory. The 2.x and 3.x servers install to different default directories. Most 3.x servers have a migrate feature that lets you copy the 2.x configuration to the newer 3.x server, which makes it easier to upgrade a single server later on.
• In 3.x servers, the users and groups database is maintained from the administration server. The database can be either a local file or an LDAP directory, such as Netscape Directory Server. If you plan on using Netscape Directory Server, you should install and configure it first because 3.x servers prompt you for LDAP information during installation (you can configure this after installation, too). You can convert a 2.x user database to a local file and then import the users into a Netscape Directory server.
• If you install a 3.x server and then a 2.x server, you need to install the 2.x server in a separate server root directory. If you try to install the 2.x server into a 3.x server root directory, the installation will fail. The 3.x administration server provides you with a link to a 2.x administration server if the 2.x server is installed on the same computer. The administration server uses the file <server_root>/admin-serv/config/sr2x to link to the 2.x server root directory. If you installed the 2.x server in the default directory, the 3.x administration server should automatically provide the link. If it doesn't, you can edit or create the file or specify the 2.x server root directory during the installation process. The sr2x file is a simple text file that contains the absolute path to the 2.x server root directory. For example, on NT the directory might be C:\Netscape\Servers, and on UNIX, /usr/ns-home.

When you first connect to the administration server, you must provide a user name and a password. If the administration server uses distributed administration, the forms that you see and the administrative privileges that you have depend on the user name you use when logging in.

Distributed administration lets multiple people log in to the administration server. Access control rules determine what forms each person can use. There are three general levels of users:

• superuser is the user listed in the file <server_root>/admin-serv/config/admpw. This is the user name (and password) you specified during installation. This user has full access to all features in the administration server and sees all forms in the administration server except the Users & Groups forms, which depend on the superuser having a valid account in an LDAP server such as Netscape Directory Server. If you use the local database, superuser will always have access to the Users & Groups forms.
• administrators bypass the Server Administration page and go directly to the Server Manager forms for a specific server, including the administration server. The forms they see depend on the access control rules set up for them (usually done by the superuser). Administrators can perform limited administrative tasks and can make changes that affect other users, such as adding users or changing access control.
• end users see a limited set of forms that allow them to change information specific to themselves, such as their password and any other information about themselves that is stored in the user database. The following table helps illustrate what access different users get and what affects how they access the administration server.

\login_table)

Table 1-1 What the administration server does when different users log in

Option	Superuser	Administrator (distributed administration)	End User
The user name and password is checked against entry in:	<server_root>/admin-serv/config/admpw	LDAP directory or local database.	LDAP directory or local database.
Can user create users and groups in a local database?	Yes	Yes	No
Can user create users and groups in an LDAP directory?	Yes, but only if there is an entry matching the superuser.	Yes, provided the administrators group has create permission.	No
If LDAP directory is down, can the user access the administration server?	Yes	No	No
What forms are viewable in administration server?	All,except User & Groups depends on the superuser having an account in the LDAP directory (if used).	Depends on access control. If no access control is used, see all forms.	End-user forms only.

If you want to check different areas of the administration server, create a group and user for distributed administration and then create an end-user. To log in as different users and see what they get, insert the username in the URL for the administration server. For example, http://user1@myserver.mozilla.com:12345. If you don't insert the user's name, most web browsers will authenticate you using the last password you entered for that URL. (Netscape Navigator and Netscape Communicator cache the user name, password, and URL for a single-session, so when you close the application, the information is discarded.)

1.5.1 When distributed administration is off

When distributed administration is turned off, you can only log in to the administration server using its superuser name and password. You configure this user name and password when you first install your administration server. For information on how to change this user name and password after your administration server is installed, see Changing the superuser settings.

Logging in as the superuser gives you full access to all the forms and servers running under the administration server. The exception to this is the Users & Groups area of the administration server. Although you have full access to the Users & Groups forms, you might not have the appropriate permissions set in the directory that allow you to manage users. This is an issue only if you are using a directory server to manage users and groups--if you are using the local directory, you automatically have full access to directory management because the local directory does not support access control lists.

If you are using a directory server to manage users and groups, then make sure to create a user entry in your directory that corresponds to your administration server superuser, and grant that entry full read, write, search, and compare permissions for the directory. Netscape Directory Server version 1.02 or later has the ability to automatically create the minimum required superuser user name and access-control information. For more information, see the online documentation that is available with your Netscape Directory Server.

1.5.2 When distributed administration is on

If you enabled distributed administration, then you can log in as the superuser, an administrator, or an end user. The administration server identifies what type of a user you are by using the following process:

1. When you login, you enter your login user ID. This must correspond to the unique user ID attribute value set for your entry in the directory server. The format of your user ID will depend on the policies in use at your site, but by default the administration server Users & Groups form suggests a user ID by appending the user's last name to the first initial of their first name. For example, someone named Barbara Jensen would by default be given a user ID of bjensen. User IDs are not case sensitive in the directory server. Therefore, a user ID of bjensen is the same as BJENSEN.
2. If you use the superuser user name and password when logging in to the administration server, then you are granted full access to all the servers and forms under the administration server. The exception to this is that you might not have full directory access if you are using the directory server.

   Note If you are using a directory server to manage users and groups, then make sure to create a user entry in your directory that corresponds to your administration server superuser. Also make sure to create the appropriate administrators group (discussed below) and grant that group full read, write, search, and compare permissions for the directory. Finally, make sure you add your dministration server's superuser to the administrator's group. Netscape Directory Server version 1.02 or later has the ability to automatically perform these minimum actions for you. For more information, see the online documentation that is available with your Netscape Directory Server.

3. If you do not use the superuser user name and password when logging in, then the administration server searches for your user ID in the directory. How this search is performed is determined by whether you are using a directory server or a Netscape local directory:
   Directory Server
   The administration server logs into (binds to) the directory using the Bind DN set for the administration server in Global Settings | Configure Directory Service. If no Bind DN is set for the administration server, then an anonymous search is attempted.
   The search is conducted for the subtree Directory identified in the Base DN field of your server administration server's Global Settings | Configure Directory Service form. Also the administration server looks for the matching uid attribute, that is, the user name, not surname (sn) or common name (cn).
   For information on uid, sn, and cn attributes, see the "Object classes and attributes" appendix that is available with your administration server's online documentation.
   Local Database
   The search is performed on the database directly. No access control permissions or Bind DNs are required. The search starts with the directory's root point (top most entry), and the match is performed on the uid (user name) attribute.
4. Once a matching entry has been found, the administration server attempts to log into (bind to) the directory using that entry's distinguished name. The administration server uses the password that you provided to the login prompt. If the log in fails, then either you entered a user ID that is unknown to the directory, or you entered an incorrect password. Either way, you are offered a chance to try the log in procedure again.
5. If you log in as a user who is a member of the administrators group for distributed administration, you are given administration-level access to the administration server, depending on how access control is configured. If you log in as a user who is not a member of the administrators group, then you will be given end-user access if it is enabled for your administration server; if end-user access isn't enabled, you'll get an access denied message. For information on distinguished names, directory services and how to use them with your administration server, and how to configure your administration server to use directory services, see the chapter User and group management.

For detailed information on binding to the directory server, creating directory server users and groups, setting directory server access control privileges, and performing directory searches, see the Netscape Directory Server Administrator's Guide.

1.6 Stopping the administration server

If you enable end-user access to the administration server, you should keep the administration server running as often as possible. If you don't enable end-user access, consider shutting down the administration server when you aren't using it. This minimizes chances of a break in, which could happen if someone learns any of your superuser or administrator passwords.

To shut down the administration server from the Server Manager:

1. Go to the Server Manager and choose Server Preferences | Shut Down.
2. Click Shut down the administration server.

Before you read the rest of this book, you need to install at least one of your SuiteSpot servers. The following steps offer installation guidelines to follow.

1. Create a system user and group that your servers will use. This is more important for Unix systems than Windows NT.
2. Install Netscape Directory Server 1.02 and create one "superuser" account, and then create and add users to an "administrators" group. These accounts are crucial if you want to administer users and groups from the administration server.
3. Install other SuiteSpot servers that use the 2.x administration server. See the Quick Start card that comes in the SuiteSpot package for a list of servers using the 2.x administration server. When installing, you should use the default server-root directory. For more information, consult the documentation for those servers.
4. Install SuiteSpot servers that use the 3.x administration server. Make sure you install the 3.x servers to a different server-root directory. If you installed 2.x into non-default directory, specify the directory to the 2.x administration server during the 3.x installation. For more information, consult the documentation for those servers.
5. Install any servers you need to run on other computers. If you want to sue cluster management, make sure they all use the same superuser account or create at least one common administrator account.
6. Set up any clusters you need.

This document describes the forms in the Admin Preferences and Global Settings categories of the administration server's Server Manager.

2.1 Removing a server from your system

You can remove a server from your system using the Server Administration page. Be sure that you don't need the server again before you remove it--this process cannot be undone.

Some NT servers have an uninstall program that you can use to remove a server and it's administration server. Check with your product documentation.

To remove a server from your machine, perform the following steps:

1. Shut down the server by clicking the on/off icon to the left of the server name in the Server Administration page.
2. Click the Remove Server link in the Server Administration page.
3. Select the server you want to remove from the drop-down list.
4. Check whether you want to remove the administration server binaries (programs), including the administration server's configuration files.
   Do not remove the administration binaries if there are other servers installed in the same directory. Checking this option permanently deletes the administration server programs from the computer, and then you won't be able to configure your remaining servers.
   • Verify that you want to remove the server or the administration binaries by checking the Yes boxes, and then click OK. The administration server deletes the server's configuration files, Server Manager forms, and the directory <server_root>/<servertype>-<id> and its subdirectories.

Network settings affect the way the administration server runs. You can change the system user account that runs the administration server. This is a user account you set up with your computer's operating system. (By default, the user is nobody on Unix and LocalSystem on Windows NT.)

You can also change the port number that the administration server listens to. The port number can be any number between 1 and 65535, but it is typically a random number greater than 1024. For security reasons, consider changing the port number regularly.

2.3 Changing the superuser settings

You can configure superuser access for your administration server. These settings affect only the superuser account. That is, if your administration server uses distributed administration, you need to set up access control for the administrators you allow. The following settings apply only to the superuser for the administration server.

1. Choose Admin Preferences | Superuser Access Control.
2. In the Hostnames to allow field, type the hostnames of computers you want to use when configuring your administration server. You can list multiple hosts by separating them with commas. You can also use wildcard patterns to match multiple computers. For example, you could type *.mozilla.com to allow all hosts from the mozilla.com domain.
3. In the IP addresses to allow field, type the IP addresses of computers you want to use when configuring your administration server. You can separate IP addresses by using commas. You can also type wildcard patterns, such as 198.95.*. Using hostnames is more flexible; if a system's IP address changes, you won't need to update the server. Using IP addresses is more reliable; if a DNS lookup fails for the connected client, hostname restriction can't be used.
4. In the Authentication user name field, type the name you want to assign as the "superuser" server administrator. (This is the name you entered during installation.) This user name can be used only to log in to the administration server. This information is stored in the admpw file.
5. Type the password of the user you previously specified.The password can have up to 8 characters and can include any character other than control characters. If you leave the password field blank, the password remains unchanged. Click OK.
   If you use Netscape Directory Server to manage users and groups, you need to update the superuser entry in the directory before you change the username or password in this form! If you don't update the directory first, you won't be able to access the Users & Groups forms in the administration server. To fix this, you'll need to either access the administration server with an administrator account that does have access to the directory, or you'll need to update the directory using the Netscape Directory Server's administration server or configuration files.

With version 2.x administration servers, an administrator could configure all aspects of a server because there was only one user name to use when logging in (the superuser). Distributed administration in 3.x servers lets multiple administrators hange specific parts of the server. With distributed administration you have three levels of users:

• superuser is the user listed in the file <server_root>/admin-serv/config/admpw. This is the ser name (and password) you specified during installation. This user has full access to all features in the administration server and sees all forms in the administration server except the Users & Groups forms, which depend on the superuser having a valid ccount in an LDAP server such as Netscape Directory Server. If you use the local database, superuser will always have access to the Users & Groups forms.
• administrators bypass the Server Administration page and go directly to the Server Manager forms for a specific server, including the administration server. The forms they see depend on the access control rules set up for them (usually done by the superuser). Administrators can perform limited administrative tasks and can make changes that affect other users, such as adding users or changing access control.
• end users see a limited set of forms that allow them to change information specific to themselves, such as their password and any other information about themselves that is stored in the user database.

The superuser's username and password are kept in a file called <server_root>/admin-serv/config/admpw. If you forget the username, you can view this file, but the password is encrypted and unreadable. The file has the format user:password.

If you forget the password, you can edit the admpw file and simply delete the encrypted password. You can then go to the Server Manager forms and specify a new password. Because you can do this, it is very important that you keep the server computer in a secure place and restrict access to its file system. On Unix systems, consider changing the file ownership so that it's writable only by root or whatever system user runs the administration server daemon. On NT systems, restrict the file ownership to the user account the administration server uses.

2.4.2 Enabling distributed administration

To enable distributed administration:

1. If you need to create a group, choose Users & Groups | New Group. Create an "administrators" group in the LDAP directory and add the users you want to let configure the administration server or any of the servers installed in its server root.
2. Choose System Settings | Distributed Admin.
3. Check Yes to activate distributed administration.
4. Type the name of the administrator group. This is set to "Administrators" by default, but it can be any group found in the user database (local or LDAP server).
5. Check Yes to allow end-user access to the user database. Doing this means users can access the administration server using the same URL that administrators do, except they only see a single form with their user information. End users can then change their own passwords or update any other information stored in their entry of the user database.
6. Click OK.
   All users in the "administrators" group have full access to the administration server, but you can use access control to limit the servers and forms they can configure.
   Once you create an access-control list, the distributed administration group is added to that list. If you change the name of the "administrators" group, you must manually edit the access-control list to change the group it references.

Server log files can help you monitor your server's activity. You can use these logs to monitor your server and troubleshoot problems. Server logs are in a Common Logfile Format, a commonly supported format that provides a fixed amount of information about the server.

The error log file, located in admin/logs in the server root directory,lists all the errors the server has encountered.

The access log, located in admin/logs in the server root directory, records information about requests to the server and the responses from the server. You can specify what is included in the access log file from the Server Manager.

To configure logging options for the administration server:

1. Choose Admin Preferences | Logging Options.
2. Type a path to the directory where you want the administration server to store the access log file. You can type either an absolute path or a path relative to your server root directory. Leaving this field blank deactivates access logging.
3. Type the path to the directory where you want the administration server to store the error log file. Leaving this field blank deactivates the error log.
4. Type a path to the directory where you want the administration server to store the change log file. Leaving this field blank deactivates the change log. The change log lists details of the configuration changes made to the server.
5. Click OK.

You can view the server's active and archived access log files from the Server Manager.

To view an access log:

1. Choose Admin Preferences | View Access Log.
2. Choose the access log file you want to see. Active log files for resources and archived log files appear in the list.
3. To limit how much of the access log to display, type the number of lines you want to see in the Number of entries field.
4. If you'd like to filter the access log entries for a particular word, type the word in the Only show entries with field. Case is important; make sure the case for your entry matches the case of the word you're searching for. (For example, if you only want to see access log entries that contain "POST," type POST.) If you use this search feature, the Number of entries field determines how many entries to search, not how many will display.
5. Click OK.

The following is a sample of an access log in the Common Logfile Format:

a.moz.com - [16/May/1997:21:18:26 -0800] "GET /admin-serv/icons/dot.gif HTTP/1.0" 200 2575 a.moz.com - [17/May/1997:11:04:38 -0800] "GET /admin-serv/bin/frames?index+pref HTTP/1.0" 204 342 a.moz.com - [20/May/1997:14:36:53 -0800] "GET /admin-serv/manual/ag/config.htm HTTP/1.0" 200 890 arrow.a.com -[20/May/1997:14:36:53 -0800] "GET /admin-serv/manual/ag/so.gif HTTP/1.0" 401 571

The last line of the access log file has several fields.

Table 2-1 Access Log Fields

Access Log Field	Example
Hostname or IP address of client	user.mozilla.com In this case, the hostname is shown because the server is using DNS lookups; if DNS cannot resolve the name or if DNS lookups are disabled, the client's IP address would appear.
RFC 931 information	RFC 931 identity--not implemented
Username	john (username entered by the client for authentication)
Date/time of request	29/Mar/1998:4:36:53 -0800
Request	GET /help
Protocol	HTTP/1.0
Status code	401
Bytes transferred	571

2.5.2 Viewing the error log file

The error log file contains errors the server has encountered since the log file was created. It also contains informational messages about the server, such as when the server was started and who tried unsuccessfully to log in to the server.

To view the error log file from the Server Manager:

1. Choose Admin Preferences | View Error Log.
2. If you want to see more or less than 25 lines of the error log, use the Number of errors to view field to enter the number of lines you'd like to see.
3. If you'd like to filter the error messages for a particular word, type the word in the Only show entries with field. Case is important; make sure the case for your entry matches the case of the word you're searching for. (For example, if you only want to see error messages that contain "warning," type warning.)
4. Click OK.
   The following is an example of an error log:

   [13/May/1997:16:56:51] info: successful server startup [13/May/1997:16:56:51] info: Netscape-Administrator/3.0 97.117.0455 [13/Mar/1997:19:08:52] security: for host user.mozilla.com trying to GET /admin-serv/bin/ index, acl-state reports: access of /usr/suitespot/bin/admin/admin/bin/index denied by ACL admin-serv directive 3 [13/May/1997 20:05:43] failure: for host ceo.mozilla.com trying to POST /admin-serv/bin/distadm, cgi-parse-output reports: the CGI program /usr/suitespot/bin/admin/admin/bin/distadm did not produce a valid header (program terminated without a valid CGI header. Check for core dump or other abnormal termination)

   
   In this example, the first two lines are informational messages— the server started up successfully. The third entry shows that the client user.mozilla.com tried to access the server but was denied access. The last log entry shows that the user ceo.mozilla.com tried to post a file incorrectly, probably by not using the Server Manager forms.

This chapter describes clusters of Netscape servers and explains how you can use them to share configurations among the various types of servers.

The administration server stores the information about clusters and provides the interface for managing the servers in the clusters. Because this feature is new to 3.x servers, not all Netscape servers fully support it; however, Netscape Enterprise Server version 3.0 supports all of the cluster-management features.

You can use clusters to do the following:

• Share one or more configuration files between servers of the same type. The servers must use the 3.x version of the administration server.
• Create a central place for administering many different Netscape servers. Some Netscape SuiteSpot 3.0 servers support this feature, but check your server documentation.

Clusters are groups of Netscape servers that can be administered from a single Netscape administration server. All servers in a cluster must be of the same type (web, proxy, mail, directory, and so on), and the administration server can store a cluster for each type of Netscape server. This enables you to have a central administration server for administering all of your Netscape servers. The servers can be installed on any computer in a network, but the administration server containing the clusters must have access to the administration servers for each of the servers in the cluster, as shown in the following figure.

Figure 3-1 shows how Netscape servers in a cluster can share all or part of their configurations.

Figure 3-1 Servers in a Cluster

When you configure a cluster, the administration server containing the cluster (the master administration server) communicates with the administration servers for each of the servers in the cluster. Because of this, each administration server in the cluster must have an administrative user and password that the master administration server can use to authenticate itself. When you log in to your administration server and you supply a username and password, that information is sent to any remote administration servers in a cluster, as shown in Figure 3-2.

You use one password to log into the administration servers.

Figure 3-2 Master Administration Servers

Before you can create a cluster, you must first install all of the servers you want to include in the cluster. For example, if you want one administration server where you can configure two Netscape Enterprise Servers, a Netscape Messaging Server, and a Netscape Collabra Server, you would first need to install all of the servers (and their respective administration servers) on the computers where they'll run, and then you would configure one of the administration servers as the master for the clusters. In this example, you'd have one administration server with a cluster containing two Netscape Enterprise Servers, another cluster containing only the Netscape Messaging Server, and another containing the Netscape Collabra Server. It doesn't matter which administration server you choose as the master.

The following list offers some guidelines to follow when configuring a cluster:

• Install the Netscape servers and their respective 3.x administration servers on the computers where you want them to run. Clusters won't work with 2.x administration servers.
• Make sure each administration server has a username and password that matches one used in the master administration server. If you are using an LDAP directory, such as a Netscape Directory Server, you must set up the "administrators" group first, making sure there is at least one user in the directory that will be used for cluster administration. You can use the distributed administration feature to set up multiple administrators on each administration server.
• Make sure all administration servers are version 3.x and use the same protocol (HTTP or HTTPS). You'll get an error if you try to add a 2.x administration server to a cluster, and if you add a 3.x administration server that has 2.x servers, the 2.x servers are not added to the clusters. If you change the protocol of one administration server in a cluster, you must change the protocols for all administration servers, and then you need to update the cluster information by modifying the servers in the cluster.

To set up a cluster:

1. Install the SuiteSpot servers on the computers you want to include in the cluster. Make sure the administration servers for each of the servers have a username and password that the master administration server will use for authentication. You can do this either by using the default username and password or by setting up distributed administration.
2. Install the server product that will contain the master administration server, making sure the username and password matches the one set in Step 1.
3. Add a server to the cluster list.
4. You can administer a remote server by accessing its Server Manager forms from the cluster form or by copying a configuration file from one server in the cluster to another, provided the server type (web, mail, and so on) supports this feature.
   After changing the configuration for a remote server, restart the remote server.

When you add a server to a cluster, you specify its administration server and port number. If that administration server contains more than one server, all of its servers are added to the cluster. (You can remove the individual servers later.) For example, if a remote administration server has a Netscape Collabra Server and a Netscape Enterprise Server, then both servers are added to the cluster in the master administration server.

If the remote administration server contains a cluster, the servers in the remote cluster are not added. The master administration server adds only those servers that are physically installed on the remote administration server computer; it doesn't add servers that might be installed in a cluster on the remote administration server.

To add a remote server to the list:

1. Access the Server Administration page and click Cluster Management.
2. Choose Cluster Mgmt | Add Server. The Add Remote Servers to Cluster Database form appears.
3. Choose the protocol that the remote administration server uses. This is the protocol used when contacting the remote administration server. Choose http for normal administration servers. Choose https if the remote administration server is secure.
4. Type the hostname for the remote administration server. If your DNS can resolve host names, you don't need to type the fully qualified domain name; otherwise type the full host and domain name. For example, type www.mozilla.com.
5. Type the port number that the remote administration server uses.
6. Click OK. The master administration server attempts to contact the remote server. When it succeeds, the server identifiers appear on the form for every server installed on the remote administration server, as shown in Figure 3.3. If you have two or more servers on different computers that use the same identifier, the form shows the server identifier and the hostname for the computer. If both server identifier and hostnames are the same, the form shows the port number. If you don't want all of the servers in the cluster, you can remove individual servers.

Figure 3-3 shows servers in a cluster appearing on the form with links to their respective Server Manager forms.

Figure 3-3 Cluster Servers Control

If you change an administration server's host name, port number, or protocol used (HTTP or HTTPS), you also need to modify the information about that administration server that is stored in the cluster.

To modify information about a server in a cluster:

1. Go to the Server Administration page for the master administration server and click Cluster Management. Choose the Modify Server link.
2. Using the Product Selector drop-down list, select the type of server you want to change. All servers of that type appear listed by their unique server identifier.
3. Check the servers you want to modify. You can change the information for all servers in the cluster by clicking Select All. Click Reset Selection to unselect any servers you have chosen in the form.
4. Choose the administration server protocol that the remote administration server uses, if it has changed.
5. If applicable, type the new hostname for the remote administration server.
6. If applicable, type the new port number that the remote administration server uses.
7. Click OK. The information is updated.

To remove a server from the cluster:

1. Go to the Server Administration page for the master administration server and click Cluster Management. Click the Remove Server link.
2. Using the Product Selector drop-down list, select the type of server you want to remove.
3. Check the server you want to remove. You can remove all servers of that type by clicking Select All. Click Reset Selection to unselect all servers.
4. Click OK. The form displays a status saying the servers are removed from the cluster database and are no longer available for cluster control. You can still access the removed servers using their administration server; you just can't access them from the cluster.

To manage a cluster of servers:

1. Go to the Server Manager forms for the master administration server, and then choose Cluster Management | Cluster Control.
2. Using the Product Selector drop-down list, select the type of server cluster you want to configure. For example, if you select Netscape Enterprise Server, a list of all the Enterprise servers appears in the form. The cluster form changes to display fields that apply to that server type.
3. Check the server or servers you want to change. You can select all of the servers in the cluster by clicking Select All. Click Reset Selection to unselect any servers you have chosen in the form.
4. Configure the servers using the form elements specific to the type of server you selected. Most Netscape servers let you start, stop, or restart the server by clicking the corresponding buttons on the form. The following list describes some of the tasks you can do with clusters. Because the form elements vary depending on the type of server product you are configuring, you should consult the documentation specific to your server product for more detailed information, or click the Help button on the form.
   • You can start and stop the servers.
   • You can view the access and error logs for the servers you selected.
   • You can transfer configuration files from one server to another.

You can control who accesses the administration server forms. This chapter discusses the various methods you can use to determine who has access to forms in the administration server. For example, you can specify who has full control of all the servers installed on a computer and who has partial control of one or more servers. Before you can use access control on the administration server, you must enable distributed administration and set up an administrators group in your LDAP directory. This chapter assumes you've already configured distributed administration and have entries in the users and groups directory.

4.1 What is access control?

Access control lets you determine who can access the administration server and which servers and forms (also called programs) they can access. You can use two attributes for controlling access:

• User-Group requires users to enter a username and password before accessing the server.
• Host-IP requires the user to access the administration server from a specific computer, where the server recognizes the computer by either its hostname or its IP address.

You can require users to authenticate themselves before getting access to your administration server. Authentication means that users verify their identity by entering a username and password.

If you require users to enter a username and password to get access to your server, you store the list of users and groups in an LDAP database, which can be either a file stored on the administration server computer or an LDAP server on a remote computer (for example, a computer running Netscape Directory Server). To use this type of authentication, you need a database containing the users and groups you want to reference when restricting access to your server.

When users attempt to access a form that has User-Group authentication, the web browser displays a dialog box asking the user to enter a username and password. After entering the information, the user either sees the Server Administration page or a message that says they don't have access. (You can customize the access-denied message that they see.) Figure 4-1 shows the authentication window. This window shows a custom message.

Users see this window when authenticating themselves to the server.

Figure 4-1 Authentication Window

If your server doesn't use SSL encryption, the username and password that the end user types are sent unencrypted across the network. Someone could intercept the network packets and read the username and password being sent to the administration server. For this reason, User-Group authentication is most effective when combined with SSL encryption or Host-IP authentication, or both.

4.1.2 Host-IP authentication

You can limit access to forms on your administration server by making them available only to people using specific computers. You specify hostnames or IP addresses for the computers that you want to allow or deny. You can use wildcard patterns to specify multiple computers or entire networks. If you want to use this feature, you must have DNS running in your network and your computer must be configured to use it.

It's possible for more than one person to have access to a particular computer. For this reason, Host-IP authentication is most effective when combined with User-Group authentication. If both methods of authentication are used, the end user will have to enter a username and password before getting access.

4.1.3 Access control files

When you use access control on your administration server, the settings are stored in a file with the extension .acl. Access control files are stored in the directory <server_root>/<server_type> acl where <server_type> is the name of the server. For example, the administration server uses the directory adminacl. Netscape Enterprise server uses httpacl.

The administration server uses three ACL files, all located in the directory <server_root>/adminacl:

• admin-defaults.acl is the first level of access control. This file contains the restrictions set using the distributed administration form. That is, it contains the administrators group information.
• admin-serv.acl is the main ACL file for the administration server. It contains any restrictions you set up using the Restrict Access forms.
• user-environment.acl is the ACL file that determines access for end users. There is no way to edit this file from the administration server forms. By default, this forms gives access to the end-user forms to anyone in the LDAP directory or local database (depending on which one your administration server uses). The administration server also has an ACL file for every server it manages. The files are named after the server: <type>-<serverid>.acl. For example, if you have a Netscape Enterprise Server named "www" that has access control for its forms, the acl file would be called https-www.acl.

When the server evaluates an incoming request, it determines access based on a hierarchy of rules called access-control entries (ACEs), and then it uses the last entry to determine if the request is allowed or denied. Each ACE specifies whether or not the server should continue to the next ACE in the hierarchy. The collection of ACEs is called an access-control list (ACL). By default, the server has one ACL file that contains multiple ACLs.

When the server gets a request for a form, the server uses the ACL file and the rules in that file to determine if it should grant access or not. The rules can reference the hostname or IP address of the computer sending the request. The rules can also reference users and groups stored in the LDAP directory or local database.

For example, the following ACL file contains the two default entries for the administration server (admin-serv) plus one that allows users in the "admin-reduced" group administer the Admin Preferences forms in the administration server.

Version 3.0; acl "admin-serv" deny with file = "/usr/suitespot/adminacl/admin-denymsg.html"; deny (all) (user = "anyone"); deny absolute (all) group != "admin"; allow (all) (group = "admin-reduced") and (program = "Admin Preferences")

The first line that starts with "deny" tells the server what file to return if a user isn't allowed access to the server. The second deny message denies everyone access, but because the rule isn't absolute (like the next one), the server continues down the list to see if the user is allowed in a subsequent line. The third line is an absolute statement that denies anyone who isn't in the "admin" group in the LDAP directory. In this case, the "admin" group is the group specified for distributed administration.

The last rule explicitly allows access to the forms in the Admin Preferences section of the administration server to anyone in the "admin-reduced" group.

4.2 Restricting access

This section takes you through the process of restricting access to your administration server. The sections following this one describe in detail each option available when using access control. Keep in mind that most access-control rules use only a subset of the available options.

To create an access-control rule:

1. Go to the Server Manager and choose Global Settings | Restrict Access.
2. Specify the server that you want to control. For example, you can select admin-serv to set up access control for the administration server. The drop-down list contains an entry for each 3.x server you have installed in the server root.
3. Click the Edit ACL button. The right frame divides into two frames that you use to set the access control rules. If the server you chose already has access control, the rules will appear in the top frame. With the administration server, each ACL begins with two deny statements. The following figure briefly describes the function of each form element.

The ACL form shown in Figure 4-2 contains links that, when clicked, display another form in the bottom frame (not shown).

Figure 4-2 ACL Form

1. Click the New Line button. This adds a default ACL rule to the bottom row of the table. You can use the up and down arrows in the left column to move the rule, if needed.
2. Select the action you want to apply to the rule by clicking the Deny link. The bottom frame displays a form where you can check if you want to deny or allow access to the users, groups, or hosts you'll specify in the following steps.

Check the option you want, and then click Update.

1. Specify User-Group authentication by clicking the anyone link listed under the Users/Groups column. The bottom frame displays a form for configuring User-Group authentication. By default, there is no authentication, meaning anyone can access the server.

Check the options you want, and then click Update.

1. Specify the computers you want to include in the rule by clicking the anyplace link. The bottom frame displays a form where you can enter wildcard patterns of host names or IP address to allow or deny.

Check the options you want, and then click Update.

1. Specify the programs you want to restrict. Programs are the forms in the Server Manager for the server you selected. For example, you can restrict access to all forms for configuring the administration server by checking the "All Programs" radio button. If you want to restrict access to one or two sets of forms, choose the categories in the drop-down list. If you want to restrict access to one form in a category, type the name of the form in the "Program Items" field. For example, to restrict access to the access control form, type distacl in the Program Items field. For more information, see the "Access to programs" section later in this chapter.

Click Update to add the programs options to the rules for the line you're editing.

1. If you are familiar with ACL files, you can enter a customized ACL entry by clicking X under the Extra column. This area is useful if you use the access control API to customize ACLs.
2. Check Continue if you want the access-control rule to continue in a chain. This means the next line is evaluated before the server determines if the user is allowed access. When creating multiple lines in an access-control entry, it's best to work from the most general restrictions to the most specific ones.
3. Repeat steps 4 through 10 for each rule you need. If you want the user to be redirected to another URL if their request is denied, check Redirection when denied. Click the link to specify the URL for redirection.
4. Click the Submit button to store the new access-control rules in the ACL file. If you click Revert, the server removes any changes you made to the rules from the time you first opened the 2-frame window. Be cautious when using Revert because you can't restore your edits. In most cases, it's probably better to delete the rule lines individually.
   The following sections describe the options that appear in the bottom frame of the access-control window.

You can restrict access to your administration server based on the user who requests a form. The administration server uses a list of users in the administrators group (the group you set up for distributed administration) to determine access rights for the user requesting a resource. The list of users are stored either in a database on the server computer or in an LDAP server, such as Netscape Directory Server. You should make sure the database has users and the administrators group in it before you set access control.

You can allow or deny access to everyone in the administrators group, or you can allow or deny specific people by using wildcard patterns or lists of users.

To configure access control with users and groups, follow the general directions for restricting access. When you click the Users/Groups field, a form appears in the bottom frame. The following list describes the options in the form.

• Anyone (No Authentication) is the default and means anyone in the administrators group that you specified with distributed administration can access the form. However, the user might be denied access based on other settings, such as host name or IP address.
• Authenticated people only lets you restrict users within the administrators group. If the username they enter isn't in the administrators group in the database, the access- control rule won't apply to them.
• All in the authentication database matches any user who has an entry in the administrators group in the database.
• Only the following people lets you specify certain users to match. You can list the users and groups of users individually by separating the entries with commas. Or, you can enter a wildcard pattern.
  • Group matches all users in the groups you specify. The users in the groups you specify must also be in the "administrators" group you specified for distributed administration.
  • User matches the individual users you specify.
• Prompt for authentication lets you specify message text that appears in the authentication window. You can use this text to describe what the user needs to enter. Depending on the operating system the user has, they will see about the first 40 characters of the prompt. Netscape Navigator and Netscape Communicator cache the username and password and associate them with the prompt text. This means that if the user accesses areas of the server that have the same prompt, they won't have to retype their usernames and passwords. Conversely, if you want to force users to reauthenticate for various areas, you simply need to change the prompt for the ACL on that resource.

You can restrict access to your administration server based on which computer the request comes from. You specify this restriction by using wildcard patterns that match the computers host names or IP addresses. For example, to allow or deny all computers in a specific domain, you would enter a wildcard pattern that matched all hosts from that domain, such as *.netscape.com.

This setting doesn't affect the Host/IP setting for the administration server's superuser. That is, you can set different hostnames and IP addresses that the superuser must use when accessing the administration server.

To specify users from hostnames or IP addresses, follow the general directions for restricting access. When you click the From Host field (the link called anyplace), a form appears in the bottom frame. Check the Only from option and then type either a wildcard pattern or a comma-separated list of hostnames and IP addresses. Restricting by hostname is more flexible than by IP address--if a user's IP address changes, you won't have to update this list. Restricting by IP address, however, is more reliable--if a DNS lookup fails for a connected client, hostname restriction cannot be used.

The hostname and IP addresses should be specified with a wildcard pattern or a comma-separated list. The wildcard notations you can use are specialized; you can only use the *. Also, for the IP address, the * must replace an entire byte in the address. That is, 198.95.251.* is acceptable, but 198.95.251.3* is not. When the * appears in an IP address, it must be the right-most character. For example, 198.* is acceptable, but 198.*.251.30 is not.

For hostnames, the * must also replace an entire component of the name. That is, *.netscape.com is acceptable, but *sers.netscape.com is not. When the * appears in a hostname, it must be the left-most character. For example, *.netscape.com is acceptable, but users.*.com is not.

4.3.2 Access to programs

You can select areas of the administration server that administrators can access. You can choose groups of forms that appear in the top frame of the Server Manager (such as Cluster Management), or you can choose specific forms that appear as links in the left frame of the Server Manager (such as "New User" under User & Groups).

Access to programs affects the server you choose when restricting access. For example, if your administration server contains a Netscape Enterprise Server and a Netscape Collabra Server, you choose the server you want to restrict, and then you set up the access control rules for that server. In this case, you could allow some administrators to configure agents in the Netscape Enterprise Server, and then you could allow a different set of administrators to configure newsgroups in the Netscape Collabra Server.

To control access to a program in a server:

1. Go to the Server Manager forms for the administration server. Choose Global Settings | Restrict Access.
2. Use the drop-down list to choose the server whose administration access you want to restrict. The administration server is labeled "admin-serv." Other servers are labeled with their type and their server id (for example, https-mozilla). When you select a server to restrict, you are restricting who can view the Server Manager forms and which forms they can use to configure that server. For example, you might allow some administrators to configure the Users & Groups section of the administration server and not allow them access to the Global Settings. After you choose a server, click Edit ACL. The two-frame access-control forms appear.
   • Each ACL begins with two deny lines (the default setting), one that restricts access to only those users in the "administrators" group set for distributed administration, and another that restricts access to all users. If you want to change either of these lines, you need to manually edit the ACL file. Click the New Line button to add a rule to the ACL. Each rule you create allows access to the server. By specifically allowing access for users, you reduce the risk that you'll allow access to users you don't want.
   • Choose the users, groups, hosts, and IP addresses you want to apply to this access control rule.
   • By default, administrators have access to all programs for a server. Click the All link under Programs in the top frame. The bottom frame displays a form that lists the programs for the server type you selected.
   • Check the radio button labeled "Only the following," and then select the Program Groups you want to apply to the rule. You can choose multiple groups by pressing the Control key and then clicking the groups you want.
   
   The Program Groups listed use the same name as the buttons in the top frame of the Server Manager for the server type you selected. For example, in the administration server, there are buttons labeled Admin Preferences, Global Settings, and so on. When an administrator accesses the administration server, the server uses their username, host, and IP to determine what forms they'll see. If they have access to only one or two forms, they will only see those forms.
   • You can control access to a specific form within a group. Type the name of the form program in the Program Items field.
   
   To determine the name of a form, place your pointer over the link in the left frame of the Server Manager and then view the text in the status bar of your browser. The last word after the + is the name for that form, shown in Figure 4-3.

   Figure 4-3 Form Name

   ---

   
   For example, suppose you have one person who administers a Netscape Directory Server and you want that person to have access only to the "Configure Directory Service" form. In this case, you would set up a rule that applies to them (host, IP, and so on), and then you would enter dsconfig in the Program Items name.
   • Click Update and then Submit to save the access control rule.

	privacy and legal statement
6562PRO.HTML