Creating partitions

You can create partitions to access corporate user and group information locally from IBM® Rational® Directory Server. These users and groups are accessible to you in read-only mode, which prevents tampering with the original information. Additionally, you can create local groups in Rational Directory Server and add corporate users to these groups.

Note: To specify the installation location, this topic uses RDA_Image, RDA_Install_Dir, RDS_Image, and RDS_Install_Dir as examples. Replace these variables with the name of the folder where the product is installed.

Before you begin

Corporate users must have the objectClass=person attribute. Only users with this attribute are shown in Rational Directory Administrator.

About this task

Rational Directory Server supports the following default corporate logon attributes: CN, UID, samAccountName.

Note: You must create a partition in order to create local users in Rational Directory Server in Corporate Mode. Unless a partition is created, local user creation is not possible.

Procedure

  1. Select a partition option by completing one of these steps:
    1. On the Action menu, point to Create New, and then click Partition.
    2. Click the Partition icon.
    3. On the console tree, click Configuration, and then right-click Corporate Partitions, point to Create New, and then click Partition.
  2. In the Partition Creation wizard, under Partition Information, provide these details:
    1. Partition Name: Type the name of the partition.
    2. Partition Description: Type brief information about the partition. For example, type Partition created for the New York finance unit.
    3. Host Name: Type the IP address of the server where the partition is created.
    4. Port Number: Type the port number of the server.
    5. Enable SSL: Select this check box to configure the Secure Sockets Layer (SSL) option for the corporate partition.
    6. Allow Blank Password: Select this check box to allow authentication to the partition with a blank password.
    7. Configured partition is a Windows Domain Controller: Select this check box to authenticate a connection to the Radius Server.
  3. Click Next.
  4. In the Enter the Partition configuration Information window, enter these details:
    1. In Corporate Admin Account Information, type the admin distinguished name (DN) and password for authenticating to the corporate server.

      The following table explains each of these options.

      Field name: Admin User DN
      Description: Specify the distinguished name (DN) of the admin user. The IBM Rational Solutions for Enterprise Lifecycle Management tool uses the admin account to look up and search the corporate server based on the DN and the password of the admin user. The admin user must have complete READ access to the corporate server. No write operations are performed on the corporate server.
      Value: Enter the admin user DN in this field. For example, enter
      CN=John Allen,OU=Read Administrators,OU=Administrators, OU=Users, OU=New York, DC=example, DC=com

      Field name: Password
      Description: Specify the password for the admin user.
      Value: Enter the admin password in this field.

      Field name: Confirm Password
      Description: Type the password again in the Confirm Password field.
      Value: Both passwords must match to create the partition.
    2. Under Configure Partition Logon Attribute, select an attribute from the list to use as the logon name for Rational Directory Server.

      Attribute name: CN
      Description: The common name of the user (the given name and surname of the user). Select this attribute to set CN as the logon name for logging on to Rational Directory Server.
      Example: You can type the user ID as John Smith to log on to Rational Directory Server from the IBM Rational Solutions for Enterprise Lifecycle Management tools.

      Attribute name: SN
      Description: The surname of the user. Select this attribute to set the surname as the logon name for logging on to Rational Directory Server.
      Example: You can enter the user ID as Smith to log on to Rational Directory Server from the IBM Rational Solutions for Enterprise Lifecycle Management tool.

      Attribute name: sAMAccountName
      Description: The NT login name of the user. Select this attribute to set the NT login name as the logon name for logging on to Rational Directory Server.
      Example: You can enter the user ID as johnsmith to log on to Rational Directory Server from the IBM Rational Solutions for Enterprise Lifecycle Management tool.
    3. Under Configure Search Base, type the primary search base or multiple search bases to retrieve the user and group details from the corporate servers. You can query either the primary or the multiple search base, depending on which search base is configured.

      The search base defines the starting point for the search in the directory tree. For example, a user can query the entire directory by using the primary search base, or query a specific organizational unit (OU) in the directory by using the multiple search base.

      This table explains the options in detail:

      Search Base: Primary Search Base
      Description: This option specifies the root search base for all Rational Directory Server lookup operations. Users or groups that Rational Directory Server refers to are located under this root node. The primary search base holds the bulk of the user population. Rational Directory Server authentication attempts to authenticate the user by constructing the DN from the primary search base.
      Example: You provide the search base as follows: dc=example, dc=com
      This example search base specifies the root suffix of the corporation. The search base can be narrowed based on the location, the physical distribution of the directory data, and so on. For example: ou=New York,dc=example,dc=com

      Search Base: Multiple Search Base
      Description: This option specifies a subtree-level lookup operation. An administrator can determine the user and group entries that belong to a specific search path in a directory service, for example, searching for the entries that belong to the marketing, finance, or sales groups separately. To do so, the search must use a search base that points to the appropriate location in the directory service.
      Example: You provide the subtree scope with a search base of dc=example, dc=com
      • Example user search base:
        ou=London,ou=users,ou=Finance,ou=users,dc=example,dc=com
      • Example group search base:
        ou=London,ou=groups,ou=Finance,ou=groups,dc=example,dc=com

      The search operation, as depicted in the following diagram, is completed as follows:

      • The users and groups are authenticated against the primary search base or the multiple search base.
      • The user and group entry is checked in the partition.
      • If the entry is found, the user and group information is retrieved.
  5. You can either click Finish at this stage, or select the Configure MetaGroup Information check box to configure the Meta group information.

    A meta group defines a set of users and groups that are accessible in Rational Directory Server. You can define meta groups and add users and groups to these meta groups. When you configure the meta group information for users and groups, only those users and groups that are part of the meta groups are listed in Rational Directory Server.

    This table explains the options in detail:

    Meta groups: User MetaGroup DN
    Description: Configure the users meta group information.
    Example: You can define the meta group as follows: cn=UsersMetaGroup,ou=Groups,dc=example, dc=com

    Meta groups: Group MetaGroup DN
    Description: Configure the groups meta group information.
    Example: You can define the meta group as follows: cn=GroupMetaGroup,ou=Groups,dc=example, dc=com

    You can also configure a meta schema to retrieve user or group information from a corporate server. A meta schema consists of an object class and the supported attributes of that object class, which can be used to retrieve the user or group information.

  6. Select the Configure MetaSchema Information check box to configure the meta schema.

    By default, the search filter is configured with the object class of the person type and the memberOf attribute name, so that it retrieves the groups that the user belongs to. You can edit this information as required by providing the object class and the attributes as configured in the corporate server, to retrieve specific user and group information.

    This table explains the fields in detail:

    Metatype: Define the search type. By default, RDS_USER_GROUP_SEARCH is provided. This search retrieves the list of groups that the user is a member of.
    Object class: Define the object class as configured in the corporate server. By default, the object class of the person type is configured.
    Attribute name: Defines the attributes of the specified object class. By default, the memberOf attribute is configured. This search retrieves all the groups under the person object class.

  7. To edit the default meta schema, click Edit. The Meta Schema Properties window opens.
  8. In ObjectClass, type the object class of an entry.
  9. In AttributeName, type the attribute name.
  10. Click OK.
  11. Click Finish.
  12. Click OK in the message box.
  13. Click Users to view the current user list for that partition.
  14. Click Groups, and then click Corporate Groups to view the current groups in that partition.
  15. To view the details of a particular group, right-click the group, and select Properties.
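As an added example (not IBM code and not part of this topic), the following Python simulates the lookup a corporate partition performs with the settings configured above: the logon attribute, the search bases, and the default meta schema (objectClass=person with memberOf). The directory entries, DNs and function names are constructed for illustration.

```python
# Added example, not IBM code: simulates the corporate-partition lookup using the
# logon attribute, search bases and default meta schema described in the procedure.
DIRECTORY = {  # constructed sample directory, standing in for the corporate server
    "CN=John Smith,OU=users,OU=Finance,OU=New York,DC=example,DC=com": {
        "objectClass": ["person"], "cn": ["John Smith"], "sn": ["Smith"],
        "sAMAccountName": ["johnsmith"],
        "memberOf": ["CN=Finance,OU=groups,DC=example,DC=com"],
    },
    "CN=Finance,OU=groups,DC=example,DC=com": {"objectClass": ["group"], "cn": ["Finance"]},
}
LOGON_ATTRIBUTES = ("CN", "SN", "UID", "sAMAccountName")  # attributes named in the topic

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: a typed logon name must not change the filter's structure."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def build_user_filter(logon_attr: str, user_id: str, object_class: str = "person") -> str:
    """Filter a real LDAP query would send, matching the default meta schema."""
    if logon_attr not in LOGON_ATTRIBUTES:
        raise ValueError(f"unsupported logon attribute: {logon_attr}")
    return f"(&(objectClass={object_class})({logon_attr}={escape_filter_value(user_id)}))"

def _norm_dn(dn: str) -> str:
    # Tolerates the "dc=example, dc=com" spacing used in the topic's examples.
    return ",".join(part.strip().lower() for part in dn.split(","))

def under_base(dn: str, base: str) -> bool:
    """True if dn is the search base itself or lies in its subtree."""
    n, b = _norm_dn(dn), _norm_dn(base)
    return n == b or n.endswith("," + b)

def _attr(attrs: dict, name: str) -> list:
    # LDAP attribute names are case-insensitive (cn == CN).
    return next((v for k, v in attrs.items() if k.lower() == name.lower()), [])

def find_user(logon_attr: str, user_id: str, search_bases: list, member_attr: str = "memberOf"):
    """Return (dn, groups) for the first person entry under a configured search base
    whose logon attribute equals user_id, or None when the entry is not in the partition."""
    build_user_filter(logon_attr, user_id)  # rejects attributes the partition does not support
    for dn, attrs in DIRECTORY.items():
        if not any(under_base(dn, base) for base in search_bases):
            continue  # outside every configured search base: not visible to the partition
        if "person" not in [c.lower() for c in _attr(attrs, "objectClass")]:
            continue  # only objectClass=person entries are shown (see Before you begin)
        if user_id.lower() in [v.lower() for v in _attr(attrs, logon_attr)]:
            return dn, list(_attr(attrs, member_attr))
    return None
```

Narrowing the search base to a subtree that does not contain the user makes the lookup fail, which is the usual cause of a "user not found" result after creating a partition.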

What to do next

For information on known issues with Microsoft Active Directory Server in Rational Directory Server Metagroup configurations, see Metagroups in Rational Directory Server.