IMPORTANT:The information explained in Section 2.3, OES eDirectory Rights Needed for Installing OES is prerequisite to the information contained in this section.
This section outlines the required eDirectory rights and explains how a subcontainer administrator approaches various installation tasks.
For security reasons, you might want to create one or more subcontainer administrators (administrators that are in a container that is subordinate to the container that user Admin is in) with sufficient rights to install additional OES servers, without granting them full rights to the entire tree.
A subcontainer administrator needs the rights listed in Table 2-2 to install an OES server into the tree. These rights are typically granted by placing all administrative users in a Group or Role in eDirectory, and then assigning the rights to the Group or Role. Sample steps for assigning the rights to a single subcontainer administrator are provided as a general guide.
Table 2-2 Subcontainer Administrator Rights Needed to Install
Rights Needed |
Sample Steps to Follow |
---|---|
Supervisor right to itself |
|
Supervisor right to the container where the server will be installed |
|
Supervisor right to the W0 object located inside the KAP object in the Security container |
|
Supervisor right to the W1 object located inside the KAP object in the Security container |
|
Supervisor right to the Security container when installing the NMAS login methods |
If the subcontainer administrator will install the NMAS login methods:
|
Create right to its own container (context) |
|
Create right to the container where the UNIX Config object is located |
|
Read right to the Security container object for the eDirectory tree |
This is not needed if the Supervisor right was assigned because of NMAS. If the subcontainer administrator won’t install the NMAS login methods, do the following:
|
Read right to the NDSPKI:Private Key attribute on the Organizational CA object (located in the Security container) |
|
Read and Write rights to the UNIX Config object |
|
Write right to the [All Attribute Rights] property for the admingroup object |
|
When you install DNS/DHCP into an existing tree with DNS/DHCP, see the following additional guidelines:
For DNS, see eDirectory Permissions
in the OES 2023: DNS/DHCP Services for Linux Administration Guide.
For DHCP, see eDirectory Permissions
in the OES 2023: DNS/DHCP Services for Linux Administration Guide.
You can install a new OES server into an existing tree as a subcontainer administrator if you have the following:
The rights described in Rights Required for Subcontainer Administrators
(If applicable) The rights described for the server installations in OES eDirectory Rights Needed for Installing OES
When you reach the eDirectory Configuration - Existing Tree page, enter your fully distinguished name (FDN) and password. After verifying your credentials, the installation proceeds normally.
To add or configure OES services on an OES server that another administrator installed, see Adding/Configuring OES Services on a Server That Another Administrator Installed.