You can also use ADSIEdit to create new objects in the repository, such as new MSS users, using . Select the appropriate object type, then complete the wizard, which will prompt for required values and give you an opportunity to enter optional ones. (You can change any of these later by editing the object.)
Creating an MSS user
- To create an MSS user, select the CN=Enterprise Server Users container, right-click and select to create a new microfocus-MFDS-User object:
  - Set the cn attribute to the username.
  - The dialog will prompt for some mandatory MSS attributes such as microfocus-MFDS-User-MTO-Timeout. You can set the Timeout, Priority, and OperatorClass attributes to 0 (or any other value which is valid under MSS).
  - Set the microfocus-MFDS-User-AllowLogon attribute to TRUE.
  - The microfocus-MFDS-UID attribute must be set, but currently the format of this value does not matter. You can set it to the username, for example.
  - If you want to set an initial password, when you reach the final page of the dialog (with the "Finish" button), click More Attributes, find the microfocus-MFDS-User-Pwd attribute, and double-click it. Set its value to "literal:password". Note that this password will be stored in plaintext (and so will be visible to anyone who has read access to the repository) until you change it.
  - Other optional attributes you may want to set:
    - displayName to the user's "display" name (often a person's legal name, etc.)
    - description to any descriptive text you want to associate with the user
    - microfocus-MFDS-User-DefaultGroup to the user's default MSS group (e.g. ALLUSR)
    - microfocus-MFDS-User-MTO-GroupPrefix and microfocus-MFDS-User-MTO-OperatorID if you use MSS group prefixes and/or operator IDs with your normal MSS user definitions
    - microfocus-MFDS-User-CreateToken and microfocus-MFDS-User-UseToken if you use passtokens (typically, set both of these to self for users who will be using MFDS and ESMAC)
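
Because an initial "literal:" password stays readable in the repository until it is changed, it is worth checking for leftovers. The script below is an added example, not part of the product documentation: it reads an LDIF export of the repository (for example one produced with ldifde) and lists the users whose microfocus-MFDS-User-Pwd value still begins with literal:, without printing the password. The sample export, its DC=example suffix, the user names and the placeholder value are constructed.

```python
import base64

PWD_ATTR = "microfocus-mfds-user-pwd"   # attribute names are compared in lower case

# Constructed sample export: DC=example suffix, user names and values are invented.
_B64 = base64.b64encode(b"literal:ChangeMe2").decode()
SAMPLE_LDIF = f"""\
dn: CN=JSMITH,CN=Enterprise Server Users,DC=example
objectClass: microfocus-MFDS-User
cn: JSMITH
microfocus-MFDS-User-Pwd: literal:ChangeMe1

dn: CN=OPER1,CN=Enterprise Server Users,DC=example
objectClass: microfocus-MFDS-User
cn: OPER1
microfocus-MFDS-User-Pwd:: {_B64}

dn: CN=BATCH1,CN=Enterprise Server Users,DC=example
objectClass: microfocus-MFDS-User
cn: BATCH1
microfocus-MFDS-User-Pwd: PLACEHOLDER-NOT-LITERAL
"""

def parse_ldif(text):
    """Minimal LDIF reader: unfolds continuation lines, decodes '::' base64 values."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]            # folded line continues the previous one
        else:
            unfolded.append(line)
    entries, current = [], {}
    for line in unfolded + [""]:                # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
        elif not line.startswith("#"):
            attr, _, rest = line.partition(":")
            value = (base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
                     if rest.startswith(":") else rest).strip()
            current.setdefault(attr.lower(), []).append(value)
    return entries

def find_plaintext_passwords(entries):
    """cn of each microfocus-MFDS-User whose password value still starts with 'literal:'."""
    return [e.get("cn", ["<no cn>"])[0] for e in entries
            if "microfocus-mfds-user" in (c.lower() for c in e.get("objectclass", []))
            and any(v.startswith("literal:") for v in e.get(PWD_ATTR, []))]
```

Calling find_plaintext_passwords(parse_ldif(SAMPLE_LDIF)) reports JSMITH and OPER1; the base64-encoded value is caught as well as the plain one.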
Creating an MSS user group
- To create an MSS user group, right-click the CN=Enterprise Server User Groups container and select to create a new microfocus-MFDS-Group object:
  - Set the cn attribute to the group name. Note that this name must be no longer than 8 characters.
  - The microfocus-MFDS-UID attribute must be set, but currently the format of this value does not matter. You can set it to the group name, for example.
  - To set the members of the group (you can change this later by editing the group object), click More Attributes on the final page of the dialog. Double-click the microfocus-MFDS-Group-Member attribute to get a dialog that lets you add or remove members.
  - Each group member can be either the name of a user (the cn of a microfocus-MFDS-User object), or the name of another group preceded by the keyword group. For example, adding "group DEV" as a member to the ALLUSERS group makes all members of DEV members of ALLUSERS as well. You can use this to organize groups into hierarchies or create very large user groups.
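
Nested "group NAME" members mean that a group's effective membership is not visible from its own member list. The following added example (not product code) expands microfocus-MFDS-Group-Member values recursively for an access review; the group and user names are constructed, and exact, case-sensitive matching of the keyword and of names is an assumption.

```python
# Constructed sample: microfocus-MFDS-Group-Member values keyed by group cn.
GROUPS = {
    "ALLUSERS": ["group DEV", "group OPS", "AUDITOR1"],
    "DEV": ["JSMITH", "group DEVLEAD"],
    "DEVLEAD": ["MJONES", "group DEV"],      # nests back into DEV (a cycle)
    "OPS": ["OPER1", "group MISSING"],       # refers to a group that does not exist
}

def effective_members(group, groups):
    """Return (sorted users, problems) for `group`, following 'group NAME' members."""
    users, problems, seen = set(), [], set()
    stack = [group]
    while stack:
        name = stack.pop()
        if name in seen:                     # already expanded: also breaks cycles
            continue
        seen.add(name)
        if name not in groups:
            problems.append(f"unknown group {name}")
            continue
        if len(name) > 8:                    # group names are limited to 8 characters
            problems.append(f"group name too long: {name}")
        for member in groups[name]:
            keyword, _, rest = member.partition(" ")
            if keyword == "group" and rest.strip():
                stack.append(rest.strip())   # nested group: expand it later
            else:
                users.add(member)            # plain value is a user's cn
    return sorted(users), problems

def groups_of(user, groups):
    """Every group the user belongs to, directly or through nesting."""
    return sorted(g for g in groups if user in effective_members(g, groups)[0])
```

Here ALLUSERS resolves to AUDITOR1, JSMITH, MJONES and OPER1, with the dangling reference to MISSING reported as a problem.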
Creating a resource class and resource access control object
- To create an MSS resource class, right-click the CN=Enterprise Server Resources container and create a new container object. Set its cn attribute to the name of the resource class.
- To create an MSS resource access control object, expand the CN=Enterprise Server Resources container in the tree view, then right-click the container for the class of the resource you want to create. Create a new microfocus-MFDS-Resource object:
  - Set the cn attribute to the resource name, or to a string that contains wildcards to create a generic rule. Wildcards are explained in the documentation for the MLDAP ESM Module in your product documentation.
  - The microfocus-MFDS-UID attribute must be set, but currently the format of this value does not matter. Since resource names can be long, it may be easiest just to put a dummy value here, such as 1.
  - You must set the microfocus-MFDS-Resource-Class attribute, but this attribute is no longer used and is only in the schema for compatibility with pre-release versions. You can set this to the resource's class name or to any other value.
  - If you want to set an initial ACL, click More Attributes on the final page of the dialog. Double-click the microfocus-MFDS-Resource-ACE attribute to get a dialog that lets you add or remove access-control entries. See MLDAP ESM Module for more information.
You may want to create a new AD LDS user for ES to use. If you want to give ES permission to change objects in the repository - to let users change their passwords when they sign on, or to enable LDAP administration through MFDS - then you will want to configure the MLDAP Security Manager in MFDS with a different Authorized ID and Password. (It's not safe to give the default MFReader account write permission to the repository, because that username and its password are available to anyone who reads the ES LDAP setup materials.)
Creating an AD LDS user
- To create an AD LDS user, expand the CN=AD LDS container, then create a new user object:
  - The cn is the only required attribute.
  - After creating the user, you can give it the appropriate permissions by editing the appropriate object in the CN=Roles container and double-clicking on the member attribute, which will give you a dialog box where you can add users to that role. Adding your new user to the Administrators role will give it administrative access to the repository, for example.
  - You can also give your new user more specific permissions by editing the ACLs for specific parts of the repository. See the AD LDS documentation for more information.