Realms and user templates

The realm and user template objects in the Web administration tool relieve the user of the need to understand some of the underlying LDAP issues.

A realm identifies a collection of users and groups. It specifies information, in a flat directory structure, such as where users are located and where groups are located. A realm defines a location for users (for example, "cn=users,o=acme,c=us") and creates users as immediate subordinates of that entry (for example, John Doe is created as "cn=John Doe,cn=users,o=acme,c=us"). You can define multiple realms and give them familiar names (for example, Web Users). The familiar name can be used by the people who create and maintain the users.

A template describes what a user looks like. It specifies the objectclasses that are used when creating users (both the structural objectclass and any auxiliary classes that you want). A template also specifies the layout of the panels used to create or edit users (for example, names of tabs, default values, and attributes to appear on each tab).

When you add a new realm, you are creating an ibm-realm object in the directory. The ibm-realm object keeps track of the properties of the realm, such as where users and groups are defined and which template to use. The ibm-realm object can point to an existing directory entry that is the parent of users, or it can point to itself (the default), making it the container for new users. For example, you could have an existing cn=users,o=acme,c=us container, and create a realm named users elsewhere in the directory (such as a container object called cn=realms,cn=admin stuff,o=acme,c=us) that identifies cn=users,o=acme,c=us as the location for users and groups. This creates the following ibm-realm object:

dn: cn=users,cn=realms,cn=admin stuff,o=acme,c=us
objectclass: top
objectclass: ibm-realm
objectclass: ibm-staticGroup
ibm-realmUserTemplate: cn=users template,cn=realms,cn=admin stuff,o=acme,c=us
ibm-realmUserContainer: cn=users,o=acme,c=us
ibm-realmGroupContainer: cn=users,o=acme,c=us
ibm-realmAdminGroup: cn=users,cn=realms,cn=admin stuff,o=acme,c=us
ibm-realmUserSearchFilter:
cn: users

Or, if there were no existing cn=users,o=acme,c=us object, you could create the realm users under o=acme,c=us and have it point to itself.

The directory administrator is responsible for managing user templates, realms and realm administrator groups. After a realm is created, members of that realm's administrator group are responsible for managing the users and groups within that realm.
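The following Python sketch is an added example, not code from the product or its documentation; the function names are hypothetical. It parses realm entries like the one above, resolves where each realm creates users (treating a missing ibm-realmUserContainer as a self-pointing realm, which is an assumption), builds a new user's DN with RFC 4514 escaping, and reports user containers named by realms that have different administrator groups.

```python
import re
from collections import defaultdict
# Constructed sample: the page's realm and its self-pointing variant side by side.
SAMPLE_LDIF = """\
dn: cn=users,cn=realms,cn=admin stuff,o=acme,c=us
objectclass: ibm-realm
ibm-realmUserContainer: cn=users,o=acme,c=us
ibm-realmAdminGroup: cn=users,cn=realms,cn=admin stuff,o=acme,c=us
ibm-realmUserSearchFilter:

dn: cn=users,o=acme,c=us
objectclass: ibm-realm
ibm-realmAdminGroup: cn=users,o=acme,c=us
"""

def parse_realms(ldif):
    """Parse plain LDIF (no line folding, no base64) and keep ibm-realm entries."""
    realms = []
    for block in re.split(r"\n\s*\n", ldif.strip()):
        entry = defaultdict(list)
        for line in block.splitlines():
            name, _, value = line.partition(":")
            entry[name.strip().lower()].append(value.strip())
        if "ibm-realm" in map(str.lower, entry["objectclass"]):
            realms.append(entry)
    return realms

def user_container(realm):
    # Assumption: a missing or empty value means the realm is its own user container.
    values = [v for v in realm["ibm-realmusercontainer"] if v]
    return values[0] if values else realm["dn"][0]

def new_user_dn(realm, name):
    """DN of a user created as an immediate subordinate of the realm's container."""
    if not name.strip():
        raise ValueError("empty user name")
    out = ["\\" + c if c in ',+"\\<>;' else c for c in name]  # RFC 4514 special chars
    if out[0] in ("#", " "):
        out[0] = "\\" + out[0]
    if out[-1] == " ":
        out[-1] = "\\ "
    return "cn=" + "".join(out) + "," + user_container(realm)

def shared_containers(realms):
    """User containers named by realms whose administrator groups differ."""
    owners = defaultdict(set)
    for realm in realms:
        owners[user_container(realm).lower()].update(map(str.lower, realm["ibm-realmadmingroup"]))
    return {c: sorted(groups) for c, groups in owners.items() if len(groups) > 1}
```

DN comparison here is a simple lowercase match; a directory with mixed spacing or escaping in its DNs needs proper DN normalization before the overlap check is reliable.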