Realms and user templates
The realm and user template objects in the Web administration tool relieve the user of the need to understand some of the underlying LDAP issues.
A realm identifies a collection of users and groups. It specifies information, in a flat directory structure, such as where users are located and where groups are located. A realm defines a location for users (for example, "cn=users,o=acme,c=us") and creates users as immediate subordinates of that entry (for example, John Doe is created as "cn=John Doe,cn=users,o=acme,c=us"). You can define multiple realms and give them familiar names (for example, Web Users). The familiar name can be used by the people who create and maintain the users.
A template describes what a user looks like. It specifies the objectclasses that are used when creating users (both the structural objectclass and any auxiliary classes that you want). A template also specifies the layout of the panels used to create or edit users (for example, names of tabs, default values, and attributes to appear on each tab).
When you add a new realm, you are creating an ibm-realm object in the directory. The ibm-realm object keeps track of the properties of the realm, such as where users and groups are defined and what template to use. The ibm-realm object can point to an existing directory entry that is the parent of users, or it can point to itself (the default), making it the container for new users.
For example, you could have an existing cn=users,o=acme,c=us container, and create a realm named users elsewhere in the directory (perhaps under a container object called cn=realms,cn=admin stuff,o=acme,c=us) that identifies cn=users,o=acme,c=us as the location for users and groups. This creates an ibm-realm object:
dn: cn=users,cn=realms,cn=admin stuff,o=acme,c=us
objectclass: top
objectclass: ibm-realm
objectclass: ibm-staticGroup
ibm-realmUserTemplate: cn=users template,cn=realms,cn=admin stuff,o=acme,c=us
ibm-realmUserContainer: cn=users,o=acme,c=us
ibm-realmGroupContainer: cn=users,o=acme,c=us
ibm-realmAdminGroup: cn=users,cn=realms,cn=admin stuff,o=acme,c=us
ibm-realmUserSearchFilter:
cn: users
Or, if there were no existing cn=users,o=acme,c=us object, you could create the realm users under o=acme,c=us and have it point to itself.
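The following added example (not from the product documentation) parses the realm entry above, reports which containers the realm's administrator group is responsible for, and builds the DN a new user receives as an immediate subordinate of the user container. The function names are hypothetical, and the RFC 4514 escaping of the user's name is an addition, included so that a name containing a comma cannot alter the structure of the DN.

```python
# Added example; helper names are hypothetical, not part of the directory product.
# Constructed sample: the realm entry shown above, embedded as LDIF.
REALM_LDIF = """\
dn: cn=users,cn=realms,cn=admin stuff,o=acme,c=us
objectclass: top
objectclass: ibm-realm
objectclass: ibm-staticGroup
ibm-realmUserTemplate: cn=users template,cn=realms,cn=admin stuff,o=acme,c=us
ibm-realmUserContainer: cn=users,o=acme,c=us
ibm-realmGroupContainer: cn=users,o=acme,c=us
ibm-realmAdminGroup: cn=users,cn=realms,cn=admin stuff,o=acme,c=us
ibm-realmUserSearchFilter:
cn: users
"""

def parse_entry(ldif):
    """Parse one plain LDIF entry (no base64 or folded lines) into a dict."""
    entry = {}
    for line in ldif.splitlines():
        if line.strip() and not line.startswith("#"):
            name, _, value = line.partition(":")
            entry.setdefault(name.strip().lower(), []).append(value.strip())
    return entry

def escape_rdn_value(value):
    """Escape a value for use inside a DN, following RFC 4514."""
    out = []
    for i, ch in enumerate(value):
        edge = (i == 0 and ch in " #") or (i == len(value) - 1 and ch == " ")
        if ch == "\0":
            out.append("\\00")
        elif ch in '"+,;<>\\' or edge:
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)

def new_user_dn(realm, common_name):
    """DN a user gets as an immediate subordinate of the realm's user container."""
    return "cn=%s,%s" % (escape_rdn_value(common_name), realm["ibm-realmusercontainer"][0])

def realm_summary(realm):
    """Report the realm's containers and admin group; self_contained marks a realm that points to itself."""
    dn, users = realm["dn"][0], realm["ibm-realmusercontainer"][0]
    return {"realm": realm["cn"][0], "user_container": users,
            "group_container": realm["ibm-realmgroupcontainer"][0],
            "admin_group": realm["ibm-realmadmingroup"][0],
            # Simplified comparison: case-insensitive string match only.
            "self_contained": users.casefold() == dn.casefold()}

if __name__ == "__main__":
    realm = parse_entry(REALM_LDIF)
    print(realm_summary(realm))
    print(new_user_dn(realm, "Doe, John"))
```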
The directory administrator is responsible for managing user templates, realms and realm administrator groups. After a realm is created, members of that realm's administrator group are responsible for managing the users and groups within that realm.