03-D65 Users and Groups

Module 3 covers the management of users and groups within the Content Server, detailing procedures for creating, modifying, and deleting users, as well as configuring role-based administration and integrating with LDAP. Key functionalities include user creation via various methods, user modification, inactivation, and reassigning users while maintaining their references. Additionally, it discusses authentication methods for UNIX and Windows platforms, emphasizing the importance of domain requirements and the irreversible nature of changing repository modes.

Uploaded by local bouzareah

Module 3

Users and Groups

© 2009 EMC Corporation. All rights reserved.


Module Objectives

• Create a user (individually and by importing an LDIF file)


• Modify an existing user
• Reassign a user
• Configure a repository to run in domain-required mode
• Configure role-based administration
• Configure the Content Server to import users and groups from
one or more supported LDAP servers

Module agenda: Creating, Modifying, and Reassigning Users; Role-Based Administration; Default User Authentication; Authentication and Domains; Integrating with LDAP

Steps for Creating a User

• To create a user, you must have System Administrator or Superuser privilege


• Add the user to the repository using any one of these tools:
­ Documentum Administrator (DA)
• Individually
• Multiple users using an LDIF import file
­ DQL
­ DFC
­ Obtain from an LDAP directory server

Review: Adding a New User

To create a new user:

1. In the navigation tree, expand Administration → User Management
2. Click Users
3. From the menu, select File → New → User
4. Enter the user information
   The User Source can be:
   • None (operating system)
   • LDAP
   • Inline Password (password stored in the database)
5. Click OK

Importing Users via an Input File (1 of 2)

• The file must be in LDIF (LDAP Data Interchange Format) format
­ Utilities exist to convert existing formats (such as .csv) to LDIF
­ For boolean values, specify T (for true) or F (for false)

Sample import file from the slide:

object_type:dm_user
user_name:elvira
user_group_name:release_spec_group
user_privileges:5
user_xprivileges:32
default_folder:/elvira
user_db_name:elvira
description:engineering
acl_domain:train
acl_name:xyzACL
home_docbase:train
user_state:0
client_capability:4

­ Start the file with the line object_type:dm_user
­ Put a dm_user property, such as user_name, on the left of the ':' and the desired property value after the ':'
­ Refer to the Content Server Object Reference Manual for valid values for each dm_user property
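An added example, not from the course or from EMC's tooling: a small Python parser for the import file format shown above (records introduced by an object_type:dm_user line, one property:value pair per line). It converts each record to a dict, enforces T/F for boolean properties and integer values for the integer-valued properties on the slide, and rejects duplicate user_name values within a file, since a user's name must be unique in the repository. Which properties are boolean is passed in by the caller; that is an assumption, because the slide names none.

```python
"""Parser/validator for the Documentum user import file format shown above.
Added example, not EMC code; the property names come from the slide."""
from typing import Dict, FrozenSet, List, Optional, Union

# Integer-valued dm_user properties used on the slide; their values become int.
INTEGER_PROPS = frozenset({"user_privileges", "user_xprivileges",
                           "user_state", "client_capability"})

# Constructed sample: the slide's elvira record plus a second record (klinger)
# to show that one file may carry several users.
SAMPLE_FILE = """object_type:dm_user
user_name:elvira
user_group_name:release_spec_group
user_privileges:5
user_xprivileges:32
default_folder:/elvira
user_db_name:elvira
description:engineering
acl_domain:train
acl_name:xyzACL
home_docbase:train
user_state:0
client_capability:4
object_type:dm_user
user_name:klinger
user_group_name:release_spec_group
user_privileges:0
default_folder:/klinger
user_db_name:klinger
user_state:0
client_capability:2
"""

Record = Dict[str, Union[str, int]]


class ImportFileError(ValueError):
    """Raised with the offending line or record number when the file is malformed."""


def parse_user_import(text: str,
                      boolean_props: FrozenSet[str] = frozenset()) -> List[Record]:
    """Return one dict per user record.

    boolean_props: names of boolean dm_user properties (assumption: supplied by
    the caller, since the slide lists none); their values must be T or F.
    """
    users: List[Record] = []
    current: Optional[Record] = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue  # assumption: blank lines are ignored
        if ":" not in line:
            raise ImportFileError(f"line {lineno}: expected property:value, got {line!r}")
        # Split on the first ':' only; values such as paths may contain ':'.
        prop, value = (part.strip() for part in line.split(":", 1))
        if prop == "object_type":
            if value != "dm_user":
                raise ImportFileError(f"line {lineno}: object_type must be dm_user")
            current = {}  # a new user record starts here
            users.append(current)
            continue
        if current is None:
            raise ImportFileError(f"line {lineno}: file must start with object_type:dm_user")
        if prop in boolean_props:
            if value not in ("T", "F"):
                raise ImportFileError(f"line {lineno}: {prop} must be T or F")
            current[prop] = value
        elif prop in INTEGER_PROPS:
            if not value.lstrip("-").isdigit():
                raise ImportFileError(f"line {lineno}: {prop} must be an integer")
            current[prop] = int(value)
        else:
            current[prop] = value
    # Every record needs a user_name, and names must not collide within the file
    # (a user's name must be unique in the repository).
    seen = set()
    for index, user in enumerate(users, 1):
        name = user.get("user_name")
        if not name:
            raise ImportFileError(f"record {index}: user_name is missing")
        if name in seen:
            raise ImportFileError(f"record {index}: duplicate user_name {name!r}")
        seen.add(name)
    return users


if __name__ == "__main__":
    for user in parse_user_import(SAMPLE_FILE):
        print(user["user_name"], user)
```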

Importing Users via an Input File (2 of 2)

To import a new user:


1. In the navigation tree, expand Administration → User Management.
2. Click Users.
3. From the menu, select File → Import User.
4. For the Source, enter the
name (including directory
path) to the LDIF file.
5. Click Import.

Modifying a User

To modify a user:
1. In the navigation tree, expand Administration → User Management.
2. Click Users.
3. Search for the user to
modify (or select Show All
Users.)
4. Right-click the user to
modify and select
Properties.
5. Revise the user information
as needed.
6. Click OK.

Inactivating Users

• Inactivating a user temporarily blocks that user’s access and is easily reversible
• A user is in one of three states:
­ Active: can log in to the repository
­ Inactive: cannot log in to the repository; will be automatically reactivated when the auth_deactivation_interval is reached (this is a setting on the repository config object)
­ Locked: cannot log in to the repository until explicitly made active

Reassigning Users
• Reassigning the user to an existing user changes all references from the old
user to the new user (group membership, permission sets, object owner, etc.)
• Reassigning the user, as shown below, automatically runs the
dm_UserRename job
• After the old user is reassigned to the new one, the old user is deleted
• It is generally better to reassign rather than to delete a user
­ There may be references to the user in permission sets, aliases, groups, etc.
• Groups can also be reassigned (which automatically runs dm_GroupRename)
­ If the name entered for the new user is not that of an existing user, a user with this name is automatically created

Deleting Users
• When deleting a user, the Content Server removes all registry objects that
reference the user as the subject of audit or event notification requests
• It does not remove the user from objects in the repository such as groups,
permission sets, aliases, etc.
­ Consequently, it is necessary to remove or change all references to that user in all
repository objects
­ Alternately, you can reassign the user, as described previously

Administrator Access Sets Overview

• In Content Server 6.0, by default, system administrators see an expandable Administration node in DA
­ When expanded it reveals a full set of administration nodes, such as User Management, Security, Audit Management, etc.
• In Content Server 6.5 and later, by default, system administrators see an unexpandable Administration node in DA (no nodes under Administration)
­ In order for system administrators to see any nodes underneath Administration, it is necessary
• To add them to an administrator access set OR
• Disable administrator access sets
­ Superusers always see all nodes underneath Administration

Example

• Create a role called security admins and populate it with users whose client
capability is system administrator
• Create an administrator access set called manage security
­ Configure this administrator access set to have access to only the Formats, Alias
Sets, Types and Security nodes in DA
­ Assign the security admins role to it
• When users of the role security admins log into the repository using DA,
under the Administration node, they only see the Formats, Alias Sets, Types
and Security nodes

A Caveat

• Administrator access sets do not override Documentum privileges
­ For example, creating an administrator access set and associating it with
the Audit Management node allows users to see the Audit Management
node
­ However, for any user in that administrator access set who does not
have Extended Privileges that include Config Audit and Purge Audit,
these links will be inactive (“grayed-out”)

Creating an Administrator Access Set (1 of 2)

1. In the left frame of DA, select Administration → Administrator Access.
2. In the main frame of DA, select File → New → Administrator Access Set.

Creating an Administrator Access Set (2 of 2)

3. Configure the administration access set to include the desired roles with the desired level of access, and then click OK.

Callouts:
­ Enter a Name
­ Select the Nodes that roles assigned to the set will be able to access
­ Click the roles control to select the roles that will be included in this set

Disabling Administrator Access Sets

• To disable administrator access sets, configure the <adminaccesssets> element in DA’s app.xml file
­ app.xml is in the ..webapps\da\custom folder on the application server hosting DA, for example C:\Tomcat\webapps\DA\custom
­ Inside the <adminaccesssets> element, set the <enabled> element to false (note that the closing tag must match the opening tag exactly):

<adminaccesssets>
  <enabled>false</enabled>
</adminaccesssets>

• After modifying app.xml, restart the application server that runs DA
­ System administrator users that have not been added to an administrator access set then see all nodes underneath Administration

Default User Authentication - UNIX

• When the Content Server is installed on UNIX platforms, it uses dm_check_password.exe to validate users
• By default, these users must have operating system accounts
• Optional: dm_check_password.exe can be modified to change how users are authenticated
­ Source code is provided in $DM_HOME/install/external_apps/checkpass
­ If authenticating users with LDAP and using SSL authentication, do not modify the program; you must use the provided dm_check_password.exe

(Diagram: the Content Server passes the user_name and the password to dm_check_password.exe for validation)

Default User Authentication – Windows
Overview

• Content Server uses the operating system for authentication
­ Unlike UNIX, it does NOT use dm_check_password.exe
• Users must have a Windows account
• Windows-based Content Servers have two authentication
modes:
­ No domain required
­ Domain required

Authentication: No Domain Required

• The user’s name must be unique in the repository
­ Content Server versions >= 5.3: the user’s name in the underlying operating system is stored in the user’s user_login_name attribute
­ Content Server versions < 5.3: the user’s name in the underlying operating system is stored in the user’s user_os_name attribute
• Users are not required to enter a domain name when they connect to the repository
• If the user’s user_os_domain attribute is blank
­ The Content Server authenticates the user using the user’s login (in the operating system) and the domain specified in the connection request
­ If no domain is included in the connection request, the Content Server uses the domain defined in the user_auth_target key in the server.ini file
• If the user’s user_os_domain attribute contains a domain name
­ Content Server authenticates against the domain identified in the user_os_domain attribute
• This is the default operating mode

Authentication: Domain Required

• The user’s name does not have to be unique in the repository
• The combination of a user’s name (user_login_name) and user_os_domain must be unique in the repository
­ If each user is in a different domain, it is possible to have multiple users with the same value for their user_login_name attribute
­ For example, the repository could have users in the finance domain and in the engineering domain that have their user_login_name attributes set to elvira
­ It is also possible for one user to be represented by several user objects in the repository – elvira in finance and elvira in engineering could be the same person

Changing to Domain Required Mode

• Important: changing a repository to domain required mode is a one-way process; once changed, it cannot be reverted!
­ It is recommended that the repository be backed up before converting to domain required mode
• The dm_domain_conv.ebs script is provided to convert a repository to domain-required mode
• The script
­ Is found in %DM_HOME%\install\tools
­ Resets the auth_protocol attribute of dm_docbase_config
­ Recreates some indexes used by Content Server
­ Can be run at the command prompt:

cd %DM_HOME%\install\tools
dmbasic -f dm_domain_conv.ebs

­ For more information, refer to the Content Server Administrator’s Guide


Integrating With an LDAP Directory Server

• Using an LDAP directory server provides a single place where additions and changes to users and groups can be made
• The changes from the directory server are propagated to the repository
­ Note the direction of the synchronization!
• Map repository object attributes to LDAP attributes or constant values
­ The mappings are defined when you define the LDAP setup values
­ When the user is imported into the repository or updated from the directory server, the mapped attributes are set to the values of the LDAP attributes or the defined constants

(Diagram: users, groups, and attributes flow from the LDAP Directory Server to the Content Server)

LDAP Integration Overview

• The LDAP integration supports the following directory servers:
­ Active Directory
­ IBM Tivoli Directory Server
­ Oracle Internet Directory Server
­ Novell eDirectory
­ Netscape/iPlanet Directory Server
­ Microsoft ADAM

• LDAP integration is configured using Documentum Administrator (DA)
­ Create an LDAP default configuration object and one or more extra
LDAP configuration objects
­ Each LDAP configuration object describes how to import users and
groups from a different LDAP directory server or even from different
parts of the same tree in a single directory server
­ Configure the dm_LDAPSynchronization job to perform the
synchronization of LDAP Directory users/groups as described in the
LDAP configuration objects

LDAP Configuration Objects

• In the repository, create one or more LDAP configuration objects, each corresponding to a part of the LDAP tree that is to be imported
­ One default and multiple extra LDAP configuration objects are permitted
• Example: if only the Canadian users are to be imported from the LDAP directory server, create and use an LDAP configuration object that brings in only those users under the node dc=Canada
• Create and use other LDAP configuration objects to bring in users from other parts of the tree or from other LDAP directory servers, as needed

(Diagram: example LDAP tree with dc=com at the root; dc=People and dc=Whatever beneath it; dc=Canada and dc=USA under dc=People; cn=Joseph Smallwood and other users under dc=Canada)

LDAP Configuration Objects
Content Server >= version 5.3 (Slide 1 of 2)

• After configuring the initial LDAP configuration object and enabling it, notice that the
server config object (dm_server_config) already includes a reference to it (pictured,
below)
• When additional LDAP configuration objects are created and enabled, they are
automatically associated with the dm_server_config object (pictured, below)
­ Important! Before the directory object can be used, it is necessary to click the Re-Initialize
checkbox at the bottom of the server config object properties page
• By default, the dm_LDAPSynchronization job uses all LDAP configuration objects that
have been added to the server config object

LDAP Configuration Objects
Content Server >= version 5.3 (Slide 2 of 2)

• In the dm_LDAPSynchronization job, all enabled LDAP configuration objects are used
• If it is desired that the dm_LDAPSynchronization job only
use a subset of the available LDAP configuration objects,
add individual source_directory method arguments, as
needed
­ The source_directory argument has one value: the name of an
LDAP configuration object
­ To synchronize with multiple LDAP servers, add the
source_directory argument multiple times, each specifying a
separate LDAP configuration object

Creating an LDAP Configuration Object
To create an LDAP configuration object
1. In the left frame of DA, select Administration → Basic Configuration → LDAP Servers.
2. In the main frame of DA, select File → New → LDAP Server Configuration.

Creating an LDAP Configuration Object
Info Tab

3. Configure the settings on the Info tab as needed to match the directory server to be used.

Callouts:
­ For this configuration to be used, Enable this LDAP Configuration must be selected
­ The Port is the port number on which the LDAP directory server is listening
­ The Binding Name is the account that the Content Server uses to connect to the LDAP directory server

Creating an LDAP Configuration Object
Sync & Authentication Tab (1 of 2)

4. In the Synchronization section, specify how to import users and groups into the repository.

Callouts:
­ In the Import field, indicate whether users, groups, or both are imported
­ In the Sync Type field, indicate whether to do incremental or full synchronizations
­ Configure how to handle LDAP users that are deleted or updated
­ In the User Type field, indicate that LDAP users are to be imported as dm_user objects or as a custom user type

Creating an LDAP Configuration Object
Sync & Authentication Tab (2 of 2)

5. In the User Authentication section, specify how users connect to the directory server.

Callouts:
­ In the Bind to User DN field, indicate one of the following:
• The user’s login name in the repository is used to search for the user’s entry in the directory server
• The DN (distinguished name) stored in the repository in the user_ldap_dn property is used to access the user’s entry in the directory server
­ If an external password program is being used, check the External Password Check box.

Creating an LDAP Configuration Object
Mapping Tab (1 of 3)

6. On the top of the Mapping tab, specify what users and groups are imported from the directory server into the repository.

Callouts:
­ These settings determine how much of the LDAP tree to import
­ Example: all users under ou=People,dc=emc,dc=com are imported, but not users under ou=Others,dc=emc,dc=com or ou=Droids,dc=emc,dc=com

(Diagram: example LDAP tree with dc=com at the root, dc=emc beneath it, and ou=People, ou=Others, and ou=Droids under dc=emc)

Creating an LDAP Configuration Object
Mapping Tab (2 of 3)
• If desired, use the Search Builder to create the User (or Group) Search Filter
­ Search Builder automatically creates a value in standard LDAP filter format

Callouts:
­ The values in this choice box are populated based on the User Object Class; select one to add to the filter
­ Select a comparison operator and enter a value
­ Click Add Criteria to add additional criteria to the filter

Creating an LDAP Configuration Object
Mapping Tab (3 of 3)

7. On the bottom of the Mapping tab:
­ Add mappings of repository properties to LDAP attributes
­ Edit or Delete mappings of repository properties to LDAP attributes

Callout: these are the default repository property to LDAP attribute mappings; use, change, or delete them as needed.

Creating an LDAP Configuration Object
Mapping Repository Properties to LDAP Attributes (1 of 3)

• Select the object type and repository property name to map
• Select how the repository property is to be mapped
­ Single LDAP Attribute: Replace with the LDAP attribute selected from the provided list
­ Fixed value: Always replace with the value specified in the provided text box
­ Expression: Specify literal values and references to LDAP attributes
• Anything that is not a reference to an LDAP attribute is considered a literal string

Callout: in an expression, LDAP attributes are specified in the form {attrName#stringLen}, where attrName is an LDAP attribute and stringLen is the number of characters to extract, starting from the beginning

Creating an LDAP Configuration Object
Mapping Repository Properties to LDAP Attributes (2 of 3)

In this example:
• If roomNumber is J22 and telephoneNumber is 867-5309, then the expression yields Room J22, Telephone 867-5309
• If telephoneNumber is 867 (less than 8 characters), then the value of the expression depends upon the Reject User/Group setting; see next slide

Callouts:
­ Click Test Expression to validate the expression
­ The values in this box are populated based on the value of the user or group object class specified on the Mapping tab

Creating an LDAP Configuration Object
Mapping Repository Properties to LDAP Attributes (3 of 3)

Configure the Reject User/Group setting as needed:
• Is empty or has insufficient
characters: The user/group is
rejected
­ If the value of an LDAP attribute
is empty
­ If using an expression with the
#stringLen, and the expression
has less than #stringLen
characters
• Is empty: reject user/group only
if the LDAP attribute value is
empty
• Never reject any user/group
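An added Python example, not from the course and not Documentum's own implementation, that applies the {attrName#stringLen} expression syntax and the three Reject User/Group settings from the last three slides to constructed LDAP entries, so the stated outcomes (867-5309 accepted, 867 rejected or kept depending on the setting) can be checked. The expression Room {roomNumber#3}, Telephone {telephoneNumber#8} is assumed from the slide's inputs and output, and the mapping kinds (Single LDAP Attribute, Fixed value, Expression) follow the earlier slide.

```python
"""Evaluate mapping expressions of the form {attrName#stringLen} under the
Reject User/Group settings. Added example, not Documentum's implementation."""
import re
from enum import Enum
from typing import Dict, Optional, Tuple

# A reference is {attrName#stringLen}; everything else in the expression is literal.
REFERENCE = re.compile(r"\{(?P<attr>[A-Za-z][\w-]*)#(?P<len>\d+)\}")


class Reject(Enum):
    EMPTY_OR_SHORT = "Is empty or has insufficient characters"
    EMPTY = "Is empty"
    NEVER = "Never reject any user/group"


class RejectedEntry(Exception):
    """The LDAP user/group entry is rejected under the active Reject setting."""


def evaluate(expression: str, entry: Dict[str, str], policy: Reject) -> str:
    """Replace each {attrName#stringLen} with the first stringLen characters of
    that LDAP attribute, applying the reject policy to every reference."""
    def substitute(match: "re.Match[str]") -> str:
        attr = match.group("attr")
        wanted = int(match.group("len"))
        value = entry.get(attr) or ""
        if value == "" and policy is not Reject.NEVER:
            raise RejectedEntry(f"{attr} is empty")
        if len(value) < wanted and policy is Reject.EMPTY_OR_SHORT:
            raise RejectedEntry(f"{attr} has {len(value)} characters, {wanted} required")
        return value[:wanted]
    return REFERENCE.sub(substitute, expression)


def map_single(attr: str, entry: Dict[str, str], policy: Reject) -> str:
    """Single LDAP Attribute mapping: the whole attribute value, rejected only
    when it is empty (the #stringLen check applies to expressions only)."""
    value = entry.get(attr) or ""
    if value == "" and policy is not Reject.NEVER:
        raise RejectedEntry(f"{attr} is empty")
    return value


def map_entry(mappings: Dict[str, Tuple[str, str]], entry: Dict[str, str],
              policy: Reject) -> Dict[str, str]:
    """Apply repository-property mappings (kind is 'single', 'fixed' or
    'expression') to one LDAP entry; raises RejectedEntry when rejected."""
    result: Dict[str, str] = {}
    for prop, (kind, spec) in mappings.items():
        if kind == "fixed":
            result[prop] = spec  # always the constant
        elif kind == "single":
            result[prop] = map_single(spec, entry, policy)
        elif kind == "expression":
            result[prop] = evaluate(spec, entry, policy)
        else:
            raise ValueError(f"unknown mapping kind {kind!r}")
    return result


def try_expression(expression: str, entry: Dict[str, str],
                   policy: Reject) -> Optional[str]:
    """Return the mapped value, or None when the entry would be rejected."""
    try:
        return evaluate(expression, entry, policy)
    except RejectedEntry:
        return None


# Constructed entries; the expression is assumed from the slide's example.
EXPRESSION = "Room {roomNumber#3}, Telephone {telephoneNumber#8}"
FULL = {"roomNumber": "J22", "telephoneNumber": "867-5309"}
SHORT = {"roomNumber": "J22", "telephoneNumber": "867"}
MISSING = {"roomNumber": "J22"}

if __name__ == "__main__":
    for name, entry in (("full", FULL), ("short", SHORT), ("missing", MISSING)):
        for policy in Reject:
            print(f"{name:8} {policy.name:15} -> "
                  f"{try_expression(EXPRESSION, entry, policy)!r}")
```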

Creating an LDAP Configuration Object
Failover Tab

8. On the Failover tab, specify information used to control when users are connected to a failover directory server.

Callouts:
­ Configure when and how often to attempt to reconnect to the primary directory server.
­ Click Add to add a failover LDAP directory server and configure the entries in the order in which they should be selected.

Creating an LDAP Configuration Object
Adding a Failover LDAP Directory Server (1 of 2)

• On the Failover tab, when the Add button is clicked, the Secondary LDAP Server page appears
• On this page, enter the parameters
needed to communicate with the
directory server to be used in case
of failover
­ This page is nearly identical to
Info tab and asks for the same
information

Creating an LDAP Configuration Object
Adding a Failover LDAP Directory Server (2 of 2)

• After adding one or more failover directory servers, note that the Move Up, Move Down, and Delete buttons appear
• Use these buttons to arrange the directory servers in the order they are to be tried in case the primary directory server fails (or to delete entries)

Callout: select a failover server and use the buttons to delete it or move it up or down in the priority list

dm_LDAPSynchronization Job (1 of 4)

• Use the dm_LDAPSynchronization job to do one-way synchronization of LDAP objects to the repository
­ Note that this synchronization is one way, from LDAP to the repository
­ No objects will move from the repository to LDAP via this process
• Both additions and updates will be synchronized
• By default, all LDAP configuration objects are used
­ Make sure that the LDAP configuration objects do not cause any conflicts with each other
OR
­ Edit the properties of the dm_LDAPSynchronization job to specify which LDAP configuration objects to use

dm_LDAPSynchronization Job (2 of 4)

Configure the Info tab of the job as needed:

Callouts:
­ If desired, set the Trace Level to 10 (verbose logging)
­ Make the job Active
­ If desired, check Run After Update to immediately start the synchronization job after clicking the OK button.

dm_LDAPSynchronization Job (3 of 4)
Configure the Schedule tab of the job to run as often as
needed:

dm_LDAPSynchronization Job (4 of 4)

• If needed, specify one or more source_directory arguments, each followed by the name of an LDAP configuration object
­ By default, all LDAP configuration objects associated with the server
config object are used
­ In this example, only user and group entries from directory servers dante
and randall are imported

Synchronizing to a Directory Server

Here is another way to synchronize to a directory server:


1. In the left frame of DA, select Administration → Basic Configuration → LDAP Servers.
2. Right-click an LDAP configuration object and select Synchronize
Server.
3. Click OK.

Test Your Knowledge

1. You must have at minimum _________ privilege to create a user in a repository.


2. True/False: You may import a large number of users into
the repository at once.
3. True/False: It is good practice to delete a user when that
user quits the company.
4. True/False: dm_LDAPSynchronization synchronizes users
and groups from the repository to the LDAP directory
server.
5. True/False: To make the dm_LDAPSynchronization job
use all LDAP config objects, you must pass the id for each
LDAP config object to the job.


Lab 3 – Users and Groups (Estimated time: 30 min)

• Goals
­ Create and manage user accounts
­ Create and use an administrator access set
• Tasks
­ Create new users
­ Reassign a user
­ Observe the effect of reassigning users
­ Create new operating system accounts for the users and then try to log
into the repository
­ Create new role called security admins and assign users klinger and
winchester to it
­ Create a new administrator access set called manage security and assign
the role security admins to it
­ Test the manage security administrator access set to see if it works
