Chapter 3 User Administration

The Manage Users menu lets you perform a variety of user account management functions. To access this menu:

  1. From the Internet Express Administration Utility Main menu, choose Manage Components. The Manage Components menu is displayed.

  2. From the Manage Components menu, under Users, choose Manage Users. The Manage Users menu is displayed (Figure 3-1).

Figure 3-1 Manage Users Menu

From the Manage Users menu, you can perform the following tasks:

Overview of User Accounts

The Administration utility supports the management of the following types of user accounts:

Notes:

By default, the user accounts are created with regular delivery mail service. To change a user's mail service, see Section : Changing Mail Services for Users.

On a system using the Network Information Services (NIS), you cannot create a user name that conflicts with an NIS user name even if that name does not exist in your local /etc/passwd file.

Be sure to periodically check the contents of the ~iass/.users.list file to purge obsolete users and passwords (see Section : Purging Obsolete Passwords).

When you create any user account (captive or noncaptive, named or generic), you can elect to have the account information stored in an LDAP directory (if you are using an LDAP directory server on your system).

The users of the captive accounts that you create have access to the Internet services you install on your system. The accounts are called captive because the user is restricted to a predefined menu of functions (through either a standalone terminal or terminal emulation on a PC), which provides access to the following services and functions:

  • Electronic mail—Send and receive e-mail from other users on the Internet, including those who use the local system as their e-mail server for POP3 or IMAP clients.

  • News—Use terminal-type news readers.

  • World Wide Web—Use a character-cell Web browser (Lynx) or a Netscape browser (if it is installed and the DISPLAY environment variable is set).

  • Change Password—Change the current login password for the user's account.

  • User's Guide—Read an online version of the Internet Services User's Guide, which explains how to access and use mail, news, and the Web browser.

Internet Express captive account users cannot access the Tru64 UNIX shell.

The user of a noncaptive UNIX account that you create has access to the shell and enjoys all privileges of the groups to which the user is assigned.

Accounts are not required for any users who will access your system using only Web browsers (such as Netscape Navigator or Microsoft Internet Explorer) or news clients. Remember that user accounts are system resources and must be managed to ensure system security. Create new noncaptive user accounts judiciously.

Note:

Whenever you use the Administration utility to manage user accounts, you may see a message displayed in a box titled Security Information warning you that some unencrypted information may be transmitted over the network. Click on Continue to continue the operation.

You can temporarily disable this message by clearing the checkmark in front of Show This Alert Next Time. To enable the message, make sure your browser security preferences are set to display a message before submitting a form over an unsecured connection.

Specifying User Names

Note the following rules when specifying the user name for an account (or the user-name prefix for a generic account):

  • Use only alphabetic, numeric, or a combination of alphabetic and numeric characters.

  • Do not use nonalphanumeric characters (for example, spaces, colons, hyphens, underscores, or periods) in the user name.

Assigning Passwords to User Accounts

All user accounts have passwords. You can assign a password when you create an account for a named captive Internet Express account or for a UNIX system user. Alternatively, the Administration utility can generate the password for these accounts. (You do not assign passwords to generic captive accounts; the utility automatically generates the passwords for these accounts.)

To make a password more secure, make sure the password contains:

  • Between 8 and 64 characters

    If you are not running ENHANCED (C2) security on your system, the password can be no more than 8 characters.

  • A mixture of uppercase and lowercase letters

  • Unusual capitalization, symbols, or digits

Passwords that do not meet these criteria are rejected by the Administration utility.
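The user-name and password rules above, implemented as an added example (this is not code from the Internet Express utility). It assumes that "unusual capitalization, symbols, or digits" is satisfied by at least one digit or one non-alphanumeric character, and that without ENHANCED (C2) security a password must be exactly 8 characters, since 8 is both the minimum and the maximum in that case.

```python
import re

MIN_LEN = 8          # minimum password length stated in the manual
MAX_LEN_C2 = 64      # maximum length with ENHANCED (C2) security
MAX_LEN_BASE = 8     # maximum length without ENHANCED security


def check_user_name(name):
    """Return the rule violations for a user name (or generic-account prefix).

    The manual allows only letters and digits; spaces, colons, hyphens,
    underscores and periods are all rejected. An empty list means the name is acceptable.
    """
    problems = []
    if not name:
        problems.append("user name is empty")
    elif not re.fullmatch(r"[A-Za-z0-9]+", name):
        problems.append("user name may contain only letters and digits")
    return problems


def check_password(password, enhanced_security=True):
    """Return the rule violations for a password (empty list means acceptable).

    enhanced_security=True models a system running ENHANCED (C2) security,
    where 8 to 64 characters are accepted; without it the manual caps the
    password at 8 characters, so exactly 8 are required.
    """
    max_len = MAX_LEN_C2 if enhanced_security else MAX_LEN_BASE
    problems = []
    if not MIN_LEN <= len(password) <= max_len:
        problems.append(f"password must be between {MIN_LEN} and {max_len} characters")
    has_lower = any(c.islower() for c in password)
    has_upper = any(c.isupper() for c in password)
    if not (has_lower and has_upper):
        problems.append("password must mix uppercase and lowercase letters")
    # Assumption: "unusual capitalization, symbols, or digits" is satisfied by
    # at least one digit or one non-alphanumeric character.
    if not any(c.isdigit() or not c.isalnum() for c in password):
        problems.append("password must contain at least one digit or symbol")
    return problems


if __name__ == "__main__":
    for name in ("vpr", "val-1", "guest 2"):
        print(f"user name {name!r}:", check_user_name(name) or "ok")
    for pw, c2 in (("Tru64Unix!", True), ("Tru64Unix!", False), ("trusixty4", True)):
        label = "C2" if c2 else "base"
        print(f"password {pw!r} ({label}):", check_password(pw, c2) or "ok")
```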

Purging Obsolete Passwords

The passwords that the Administration utility automatically generates (for any type of account) are recorded in the ~iass/.users.list file.

If you specify a password for a named captive account or a UNIX account, the event is noted in this file, but the actual password is not recorded.

Entries are not automatically removed from the ~iass/.users.list file when you delete an account. If you do not periodically remove obsolete entries, this file can become large.

When you log in to the iass account and the ~iass/.users.list file exists, the menu item Manage .users.list is displayed. Use this function to view, print, or remove the recorded passwords.

Caution:

The passwords in ~iass/.users.list are not encrypted. Because these passwords are also recorded in encrypted form in /etc/passwd, you may want to consider removing them from .users.list. Use caution when printing or displaying this data.

To ensure a secure system, require users to change their passwords regularly. See the Tru64 UNIX System Administration manual for information on how to change passwords.

You can also access the ~iass/.users.list using the Manage iass Account menu item (see Section : Managing the iass Account).

Searching for User Accounts

Several user management tasks (such as displaying or deleting user accounts or changing groups) require you to select the user accounts on which you want to operate. The Administration utility allows you to search for user accounts, using one or more of the following search criteria:

  • Name Pattern

  • Group

  • Mail Service

If you select more than one search criterion, the logical operator AND is applied to the criteria. Therefore, using more than one search criterion tends to refine the search. For example, the Display User Account form in Figure 3-2 (accessed from the Manage Users menu) shows how to construct a query to find user accounts that contain the letter a in the name and use the Regular Delivery mail service.

Figure 3-2 Searching for User Accounts

When you click on Apply, the results of your search are displayed in the User Account Selection List frame (to the right of the User Account Selection Criteria frame). You can select individual accounts from the list box (press and hold the Control key and click MB1), or you can select all the accounts by clicking on Display All. In Figure 3-3, the administrator has selected three of the 15 accounts that match the query shown in Figure 3-2. The Administration utility will operate on these three accounts only.

Figure 3-3 Selecting User Accounts

To return the criteria in the User Account Selection Criteria frame to their default values, click on Reset. If you do not clear or reset the previous choices, they remain in effect to be used in a subsequent query. You can omit an individual selection criterion from subsequent queries by turning off its associated checkbox.

Assigning Users to Groups

When you create a user account, you can assign the user to from one to four logical categories called groups. You can select from existing groups, which are displayed in a list box. To create a new group, see Section : Creating Groups.

The Administration utility allows you to select from groups with a group identifier (GID) of 15 or greater that are defined on the local system. The utility also creates an IASS_Usr group with a GID of 1000 (or the next available GID above 1000), and assigns all captive users to this group. You can select captive accounts (for modification or deletion) by using the IASS_Usr group as a selection criterion.

Note:

If the group Lkr_Usr_ exists from a previously installed version of Internet Express, then the IASS_Usr group is not created and Lkr_Usr_ is used instead.

There is a limit to the number of users you can assign to a given group and to the length of a group name. See the Tru64 UNIX System Administration manual for more information on these limits.

The forms to create user accounts contain a list box that you can use to select from among the existing groups on your system. To select multiple groups, click on up to four groups in the list box. Optionally, you can also associate a Tru64 UNIX user account with up to four additional secondary groups by selecting more than one group from the list box. (If you select more than four groups, the user is assigned to only the first four groups, starting at the top of the list.)

For captive Internet Express users, group assignment is optional. You can select up to four groups to associate with an Internet Express user account. The Administration utility automatically assigns IASS_Usr (or Lkr_Usr_, if it exists from a previously installed version of Internet Express) as the primary group to Internet Express captive accounts.

Note:

If the Enable Group Attributes field is checked in the LDAP Module for System Authentication — Configure Group Attributes, and the LDAP Module for System Authentication is enabled (see Section : Configuring LDAP Group Attributes), then the LDAP secondary groups will appear on the Create System User Account, Create Named User Account, and Create Generic User Accounts pages.

For noncaptive Tru64 UNIX system users, you must assign the user to at least a primary group. This group becomes the login group for the account. The Administration utility sets the default primary group for noncaptive accounts to users; if the users group does not exist, the default primary group is IASS_Usr (or Lkr_Usr_, if it exists from a previously installed version of Internet Express).

Note:

If you need to change an account's primary group, you must use Tru64 UNIX commands at the shell prompt.

After a set of Internet Express accounts is associated with a group, you can use that group to make modifications to the set of accounts. For example, if you assign a set of captive accounts to the group finance, you can later modify or delete the group. All accounts associated with the finance group will be modified or deleted in that one action. Also, if you select Display User Accounts and specify a group, information on all users in that group is displayed.

Creating Captive Accounts for Named Users

To create a named captive account, follow these steps:

  1. From the Manage Users menu, choose Create Captive User Accounts.

  2. From the Create Captive User Accounts menu, choose Create Named User Account.

  3. Specify the user (login) name for the account in the Login Name field (see Section : Specifying User Names).

  4. Optionally, specify a password in the Password field. To verify the password, enter it again in the Verify Password field. (The system will generate a password if you do not specify one.)

  5. To specify the parent directory for this account, enter the full pathname of the parent directory (excluding the login name) in the Parent Directory field. The default login directory for named captive accounts is /data/IASS_Usr/login_name (or /data/Lkr_Usr_/login_name, if the /data/Lkr_Usr_ directory exists from a previously installed version of Internet Express).

  6. Optionally, specify the account name. (This is usually the full given name of the person for whom you are creating the account.)

  7. Optionally, assign the account to up to four existing groups (see Section : Assigning Users to Groups) by selecting the groups from the Secondary Groups list box. (The Administration utility automatically assigns captive user accounts to the IASS_Usr group as the primary group.)

  8. If you installed and enabled the LDAP Module for System Authentication, the Create Named Captive Account form displays a checkbox labeled Store Users in LDAP Directory Server. Check this checkbox when you want to store this user account information in the LDAP directory server.

  9. Click on Submit.

Figure 3-4 shows the Create Named User Account form.

Figure 3-4 Creating a Named User Account

When the captive account for the named user is successfully added to the system, the Administration utility displays information about the account on a confirmation page.

Creating Captive Accounts for Generic Users

You can create a single Internet Express generic user account, or multiple accounts at once, with system-generated user names and passwords. You can optionally assign generic user accounts to existing or new groups (see Section : Assigning Users to Groups). The Administration utility automatically assigns passwords to generic accounts.

To create a generic captive account, follow these steps:

  1. From the Manage Users menu, choose Create Captive User Accounts.

  2. From the Create Captive User Accounts menu, choose Create Generic User Accounts.

  3. Specify the user-name prefix in the Login Name field (for example, guest).

    The system automatically generates a password for each generic user account.

  4. Specify the number of generic accounts you want to create in the Number of Users field (for example, 5).

  5. Optionally, assign the account to up to four existing groups (see Section : Assigning Users to Groups) by selecting each group from the Secondary Groups list box. (The Administration utility automatically assigns IASS_Usr as the primary group for generic captive accounts.)

  6. To specify the parent directory for these generic accounts, enter the full pathname of the parent directory for generic accounts in the Parent Directory field. The default login directory for generic captive accounts is /data/IASS_Usr/LoginPrefixNumber (or /data/Lkr_Usr_/LoginPrefixNumber, if the /data/Lkr_Usr_ directory exists).

  7. If you installed and enabled the LDAP Module for System Authentication, the Create Generic User Accounts form displays a checkbox labeled Store Users in LDAP Directory Server. Check this checkbox when you want to store this user account information in the LDAP directory server.

  8. Click on Submit.

Figure 3-5 shows the Create Generic User Accounts form.

Figure 3-5 Creating Generic User Accounts

For example, suppose you specify guest as the prefix and 3 as the number of users. If no existing user name matches the specified prefix (guest), the Administration utility creates accounts for guest1, guest2, and guest3. If any of the combinations of prefix and number results in an existing account name, the utility increments the number by one and tests to be sure this results in a unique account name. For example, if guest1 exists, the Administration utility creates accounts for guest2, guest3, and guest4. If guest3 also exists, the utility creates accounts for guest2, guest4, and guest5, and so on, until three unique accounts are created.

There is no limit to the number of generic user-name prefixes you can specify, and each of these generic user-name prefixes can have from 1 through 999 accounts created for it.

Because creating a large number of accounts can take time, generic account creation runs as a background process. You can use the Administration utility for other purposes while this background process runs. Any errors that occur are logged in the /usr/internet/admin/log/addgenuser.log file.
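The generic-account naming rule described above, implemented as an added example (this is not the utility's own code). It assumes existing login names can be read from /etc/passwd-style text; the passwd sample below is constructed for the example, and its UIDs and shell path are placeholders rather than values from a real system.

```python
import re

MAX_ACCOUNTS_PER_PREFIX = 999   # the manual allows 1 through 999 accounts per prefix


def existing_logins(passwd_text):
    """Collect login names from /etc/passwd-style text (the login is the first field)."""
    logins = set()
    for line in passwd_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        logins.add(line.split(":", 1)[0])
    return logins


def generate_generic_names(prefix, count, existing):
    """Return the login names the utility would create for `prefix`.

    Numbering starts at 1; any prefix+number that already names an account is
    skipped and the number is incremented until `count` unique names are found,
    which reproduces the guest1/guest3 walkthrough in the manual.
    """
    if not re.fullmatch(r"[A-Za-z0-9]+", prefix):
        raise ValueError("prefix must contain only letters and digits")
    if not 1 <= count <= MAX_ACCOUNTS_PER_PREFIX:
        raise ValueError(f"count must be between 1 and {MAX_ACCOUNTS_PER_PREFIX}")
    taken = set(existing)
    names = []
    number = 1
    while len(names) < count:
        candidate = f"{prefix}{number}"
        if candidate not in taken:
            names.append(candidate)
            taken.add(candidate)   # a name chosen in this batch is no longer free
        number += 1
    return names


# Constructed sample of /etc/passwd content (UIDs and the captive shell path are
# placeholders, not values from a real Internet Express system).
SAMPLE_PASSWD = """\
root:x:0:1:system PRIVILEGED account:/:/bin/sh
iass:x:200:1000:Internet Express admin:/usr/internet/iass:/usr/bin/sh
guest1:x:1001:1000:generic user:/data/IASS_Usr/guest1:/path/to/captive/menu
guest3:x:1003:1000:generic user:/data/IASS_Usr/guest3:/path/to/captive/menu
"""

if __name__ == "__main__":
    # No conflicts: guest1, guest2, guest3
    print(generate_generic_names("guest", 3, set()))
    # guest1 taken: guest2, guest3, guest4
    print(generate_generic_names("guest", 3, {"guest1"}))
    # guest1 and guest3 taken (from the sample passwd): guest2, guest4, guest5
    print(generate_generic_names("guest", 3, existing_logins(SAMPLE_PASSWD)))
```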

Creating a Noncaptive Account for a UNIX System User

To create a noncaptive account for a UNIX system user, follow these steps:

  1. From the Manage Users menu, choose Create System User Account.

  2. Specify the user's login name in the Login Name field (see Section : Specifying User Names). The login name (and UID) you assign to the account are recorded in the /etc/passwd file.

  3. Specify the login directory for this account in the Login Directory field. You must specify the full path of the user's login directory on the local system. For example, if the system account login name is vpr, then specify the login directory as parent_dir/vpr. If the login directory you specify does not exist, it is created for you and populated with default login script templates (obtained from the /usr/skel directory).

  4. Optionally, you can:

    • Specify and verify the user password (see Section : Assigning Passwords to User Accounts).

      If you do not specify a password, the system generates one.

    • Specify a user identifier (UID).

      You can enter a UID greater than 105 (up to the maximum UID value available on the system), but if you leave the user ID field blank, the Administration utility assigns the next available UID from the list maintained in the /etc/passwd file.

    • Provide the full name of the account user (returned as output from the finger command).

    • Change the user's primary group by selecting from among the existing groups displayed in the Primary Group pull-down menu.

      The Administration utility assigns the group users as the default primary group. If the users group does not exist, the default primary group is IASS_Usr (or Lkr_Usr_, if it exists from a previously installed version of Internet Express). The Create System User Account form allows you to change the default primary login group by choosing from a list of existing groups.

      To create a group, see Section : Creating Groups.

    • Add the user to up to four additional secondary groups by selecting each group from the Secondary Groups list box.

      In the /etc/group file, the user is added to the groups you select. See Section : Assigning Users to Groups for more information on assigning a user to groups.

    • Change the user's UNIX shell by selecting a shell from the pull-down menu (/usr/bin/sh is the default shell).

      Among the selections is No shell, which is useful for an account that no one will log into, such as an anonymous FTP account or a mail account that is used only to access mail messages through POP or IMAP.

    • If you installed and enabled the LDAP Module for System Authentication, the Create System User Account form displays a checkbox labeled Store Users in LDAP Directory Server. Check this checkbox when you want to store this user account information in the LDAP directory server.

    • Disable logins (for instance, in creating an account for FTP activity) by clicking on the Yes radio button in the Disable Login field.

  5. Click on Submit.

Note:

If you have root access to the local system, you can unlock accounts and add accounts to user groups with GIDs less than 15 using UNIX command-line utilities (such as useradd, usermod, and passwd). You can also use the dxaccounts GUI to perform these tasks.

Figure 3-6 shows the Create System User Account form.

Figure 3-6 Creating a System User Account

Creating Groups

To create a user group, follow these steps:

  1. From the Manage Users menu, choose Create Groups.

  2. On the Create Groups form, enter the name of the new group you want to create in the Unique Group Name field. (The names of existing groups are displayed in the Available Groups list box as a convenience.)

    Use only alphabetic, numeric, or combinations of alphabetic and numeric characters. Do not use spaces, colons, hyphens, underscores, periods, or other nonalphanumeric characters.

  3. Optionally, you can specify a group ID (GID) for the group name. If this field is left blank, the GID is generated by the system. The following rules apply to GIDs:

    • Group names can share GIDs; there can be multiple groups with the same GID.

    • Group names must be unique: the same group name cannot exist more than once within a database.

    • The same group name may be stored in both the local and LDAP databases. If so, the application uses the local group first by default.

  4. If you installed the LDAP Module for System Authentication, the Create Groups form displays a checkbox labeled Store in Directory Server. Check this checkbox when you want to store this group information in the LDAP directory server.

  5. Click on Add.

The group you created is displayed in the Existing Groups list box, and is immediately available to add to user accounts. Figure 3-7 shows the Create Groups form.

Note:

On a system using the Network Information Services (NIS), you cannot create a group name that conflicts with an NIS group name even if that name does not exist in your local /etc/group file.

Figure 3-7 Creating Groups

Displaying User Account Information

You can display user account information for any number of selected users. (See Section : Searching for User Accounts for instructions on searching for users.)

To display user account information, use one of the following methods:

  • Click on one or more names from the User Account list and click on Display Selected.

  • Click on Display All to select all the names in the User Name list box.

As shown in Figure 3-8, the Administration utility displays the following information for each account you selected:

  • User name

  • UID

  • Source of user account information (Local means the user information is stored in the /etc/passwd file; LDAP means the information is stored in an LDAP directory server).

  • Primary group

  • Login directory

  • Login shell

  • The full account name associated with the user

Figure 3-8 Displaying User Account Information

Note:

On a system using the Network Information Services (NIS), the names of UNIX system accounts (or groups) are not displayed in the User Account Names (or User Account Groups) list box, nor will any NIS user information be included in the output when you click on Submit.

Deleting User Accounts

You can deny a user access to the system by deleting a user's account. You can also specify the removal of the home and mail directories associated with the deleted account.

Notes:

You cannot use the Administration utility to delete a Tru64 UNIX user that has a UID value of less than 105. You also cannot delete a user account while that user is logged in, or delete the Internet Express administrator's account, iass. For more information on managing Tru64 UNIX system user accounts, see the Tru64 UNIX System Administration manual.

Internet Express accounts and passwords are stored in the ~iass/.users.list file. Entries are not automatically removed from this file when you delete an account. If you do not periodically remove obsolete entries, the .users.list file can become large. See Section : Purging Obsolete Passwords for information on how to purge obsolete entries from this file.

To deny access to the account for a period of time without deleting all of the files associated with that account, change the account password rather than deleting the account itself. For more information on changing the password, see Section : Changing the Password for an Account.

If you want to reuse an account, delete the account and its directories and then re-create the account. With this process, you automatically delete all of the previous user's files and avoid the possibility of private or personal files becoming available to the new user of the account.

Caution:

When you delete a user account, the directories and files for that account cannot be restored (unless the directories and files were previously backed up).

To delete one or more user accounts, follow these steps:

  1. From the Manage Users menu, choose Delete User Accounts.

  2. Search for the user accounts you want to delete. (See Section : Searching for User Accounts for instructions on searching for user accounts.)

  3. To display user account information, use one of the following methods:

    • Click on one or more names from the User Account list and click on Display Selected.

    • Click on Display All to select all the names in the User Account list box.

  4. The Delete User Accounts form shows the login name, UID, primary group and login directory for each user you selected.

    To remove a user's home directory when the account is deleted, click on the checkbox in the Remove Directory column. (By default, a user's home directory remains on the system after the account is deleted.) All files assigned to that user are deleted and the disk space used by that account is freed for other use.

    When deleting a large number of user accounts, you can go directly to a specific page in the listing by entering the page number in the text field at the top of the form and clicking on Go To Page. Note that when you click the Delete button, all of the selected user accounts are deleted, not just the user accounts on the current page.

    Newsgroup postings and messages that the user sent to other users are not deleted. This applies to user accounts that you delete individually or as a group (when you select accounts to delete based on the groups to which they belong).

  5. Click on Delete to delete the displayed accounts. To cancel the deletion, click on Reset.

Note:

On a system using the Network Information Services (NIS), the names of UNIX system accounts are not displayed in the User Account Names list box, but will be included (if any match the selection criteria) with the Internet Express captive accounts when you click on Submit.

Figure 3-9 shows the result of a request to delete the val1 account. The home and mail directories for the val1 account will be deleted with the account.

Figure 3-9 Deleting User Accounts

Changing Groups for User Accounts

You can use the Administration utility to change the list of secondary groups to which one or more user accounts are assigned. (To change an account's primary group, you must use Tru64 UNIX commands.)

To modify the secondary groups to which a user belongs, follow these steps:

  1. From the Manage Users menu, choose Change User Account Secondary Groups. The User Account Selection Criteria form is then displayed.

  2. Search for the user accounts whose secondary group assignments you want to change. (See Section : Searching for User Accounts for instructions on searching for users.)

    After you select the user accounts and press Apply, the User Accounts Selection List is displayed.

  3. Use one of the following methods to select user accounts:

    • Click on one or more names from the User Account Selection List and click on Display Selected.

    • Click on Display All to select all the names in the User Name list box.

  4. The Change User Secondary Groups form shows the current group assignments for the selected users. In the Secondary Groups list box, click on one or more secondary groups to which the selected users are to be assigned. (See Section : Assigning Users to Groups for more information on assigning users to groups.)

    • To retain existing group assignments for an account, select the existing groups in addition to the new groups.

    • If a user account's primary group is the same as one of the secondary groups you select, the duplicate group is dropped from the secondary group assignment for this account.

  5. Click on Submit to replace the existing secondary group assignments with the new ones.

In Figure 3-10, the val1 and dylan accounts will be added to the sysadmin group. To retain the assignment to groups httpd and operator, these groups must also be selected (not shown).

Figure 3-10 Changing User Account Secondary Groups

Changing the Password for an Account

The Change User Account Password function is useful when a user has forgotten the password for an account, or if you want to retain a user account on the system but deny access temporarily to the account. You do not need to know the current password for an account to change the account's password. You can view passwords in the .users.list file by logging into the iass account (see Section : Purging Obsolete Passwords).

To change the password for a captive or system user account, follow these steps:

  1. From the Manage Users menu, choose Change User Account Password.

  2. Use the User Account Selection Criteria frame to search for the user account whose password you want to change. (See Section : Searching for User Accounts for instructions on searching for users.)

  3. In the resulting User Account Selection List frame, click on one user whose password you want to change and click on Display Selected.

  4. Enter the new password for the selected account in the New Password field, and again in the Verify Password field. If you make a mistake, click on Clear.

    Passwords must conform to the conventions described in Section : Assigning Passwords to User Accounts.

    If you want the Administration utility to generate a password for you, leave these fields blank.

  5. Click on Submit to change the password.

The utility displays a message to tell you that a record of this transaction was sent to the iass account. Log in to the iass account periodically to review the contents of the .users.list file, and to delete obsolete account information in that file (see Section : Purging Obsolete Passwords).

Changing Mail Services for Users

You can use the Administration utility to change the mail service for a single user, a group of users, or all the users on your system. You must have root privileges to change a user's mail service.

Some mail services require you to specify a password to protect a user's mail. In addition, the Cyrus IMAP mail service requires you to specify access rights for the user's mail directories (subdirectories for folders inherit the access rights of the user's top-level mail directory).

To change the mail service for one or more users:

  1. Search for the user accounts you want to change. Click on the check boxes corresponding to one or more of the following search criteria:

    • Name Pattern — Search for user account names using any UNIX regular expression. The default name pattern searches for all user accounts.

    • Group — Select one or more groups from the list box. The Administration utility searches for all user accounts belonging to any of the chosen groups.

    • Mail Service — Select one or more mail service types from the list box. The Administration utility searches for all user accounts assigned to any of the chosen mail services.

    Click on Apply to conduct the search. The Administration utility lists all user accounts matching the selection criteria.

    To erase your choices and start a new search, click on Reset.

  2. Click on one or more names from the resulting list box.

    To conduct another search without choosing names from the resulting list box, click on the up arrow icon to return to the User Account Selection Criteria frame.

    Note:

    On a system using the Network Information Services (NIS), the names of UNIX system accounts are not displayed in the User Account Names list box, but will be included (if any match the selection criteria) with the Internet Express captive accounts when you click on Submit.

  3. Assign one of the following mail services to the selected user accounts, depending on which mail services are installed and active on your system:

Assigning Regular Delivery Mail Service

With regular delivery, mail is delivered into the /var/spool/mail directory. Assign the Regular Delivery mail service to users who read their mail as follows:

  • Locally, with a UNIX client (such as mailx, mh commands, or dxmail)

  • Using a POP mail server

  • Using the University of Washington IMAP (UW-IMAP) Server

For users who want to use a password other than their login password to access mail using POP, choose either POP with Password (see Section : Assigning POP with Password Mail Service) or APOP (see Section : Assigning APOP with Password Mail Service).

Note:

If you choose either POP with Password or APOP, the user's mail client must be configured accordingly. Otherwise, the users will be unable to access their mail.

To assign regular delivery service to the users you selected, follow these steps:

  1. From the Change User Account Mail Service form, choose Regular Delivery from the Mail Service menu.

  2. Click on Submit. A new form is displayed, requesting one or more types of authentication.

  3. If prompted for the Administrator Password, enter the password for the iass account. (For new installations of Internet Express, the iass account password is specified during installation.)

  4. Click on Submit. A status message confirms the change in mail service.

  5. Optionally, you can select additional user accounts and modify their mail delivery methods by choosing User Account Selection from the navigation bar.

  6. When finished, use the navigation bar at the top of the form to return to the Manage Users menu or the Home menu.

Assigning POP with Password Mail Service

You can set up selected users to read POP mail with a password other than their login password. This password is stored in the popauth file and protects the users' mail from unauthorized access. Note that with this service the mail client still sends the password in clear text (the standard POP USER and PASS commands), so anyone able to observe the connection can read it; if that matters on your network, assign APOP instead (see Section : Assigning APOP with Password Mail Service).

To assign POP with password mail service to the users you selected, follow these steps:

  1. From the Change User Account Mail Service form, choose POP with Password from the Mail Service menu.

  2. Click on Submit. A new form is displayed, requesting one or more types of authentication.

  3. If prompted for the Administrator Password, enter the password for the iass account. (For new installations of Internet Express, the iass account password is specified during installation.)

  4. To specify the POP password for the selected users, enter the password in the Enter Alternate Mail Password field and enter it again in the Verify Password field. A password is required.

    Mail passwords must contain at least six characters, in a combination of upper- and lowercase letters and numbers. Special characters, such as the at sign (@), dollar sign ($), percent sign (%), number sign (#), period ( . ), hyphen ( - ), or underscore ( _ ), while not required, are recommended.

  5. Click on Submit. A status message confirms the change in mail service.

  6. Optionally, you can select additional user accounts and modify their mail delivery methods by choosing User Account Selection from the navigation bar.

  7. When finished, use the navigation bar at the top of the form to return to the Manage Users menu or the Home menu.

Assigning the Cyrus IMAP Mail Service

To assign the Cyrus IMAP service to the users you selected, follow these steps:

  1. From the Change User Account Mail Service form, choose Cyrus IMAP from the Mail Service menu.

  2. Click on Submit. A new form is displayed, requesting one or more types of authentication.

  3. If prompted for the Administrator Password, enter the password for the iass account. (For new installations of Internet Express, the iass account password is specified during installation.)

  4. You must specify access privileges for the selected users' mail directories. Select one of the following from the Access Control List menu:

    • All — Grants the user full access rights.

    • Read — Grants the user lookup, read, and seen access rights.

    • Post — Grants the user lookup, read, seen, and post access rights.

    • Append — Grants the user lookup, read, seen, post, write, and insert access rights.

  5. Click on Submit. A status message confirms the change in mail service.

  6. Optionally, you can select additional user accounts and modify their mail delivery methods by choosing User Account Selection from the navigation bar.

  7. When finished, use the navigation bar at the top of the form to return to the Manage Users menu or the Home menu.

Assigning Cyrus IMAP with Password Mail Service

To assign the Cyrus IMAP service with a password to the users you selected, follow these steps:

  1. From the Change User Account Mail Service form, choose Cyrus IMAP with Password from the Mail Service menu.

  2. Click on Submit. A new form is displayed, requesting one or more types of authentication.

  3. If prompted for the Administrator Password, enter the password for the iass account. (For new installations of Internet Express, the iass account password is specified during installation.)

  4. You must specify access privileges for the selected users' mail directories. Select one of the following from the Access Control List menu:

    • All — Grants the user full access rights.

    • Read — Grants the user lookup, read, and seen access rights.

    • Post — Grants the user lookup, read, seen, and post access rights.

    • Append — Grants the user lookup, read, seen, post, write, and insert access rights.

  5. To specify the users' IMAP password, enter the password in the Alternate Mail Password field and enter it again in the Verify Password field. A password is required.

    Mail passwords must contain at least six characters, in a combination of upper- and lowercase letters and numbers. Special characters, such as the at sign (@), dollar sign ($), percent sign (%), number sign (#), period ( . ), hyphen ( - ), or underscore ( _ ), while not required, are recommended.

  6. Click on Submit. A status message confirms the change in mail service.

  7. Optionally, you can select additional user accounts and modify their mail delivery methods by choosing User Account Selection from the navigation bar.

  8. When finished, use the navigation bar at the top of the form to return to the Manage Users menu or the Home menu.
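
The four Access Control List choices in the two Cyrus procedures above (Read, Post, Append, All) are named bundles of IMAP ACL rights. The following Python is an added illustration, not code from Internet Express or Cyrus: it translates those bundles into the RFC 2086 right letters that Cyrus reports (for example from cyradm's listaclmailbox command), parses a GETACL reply, and flags entries on a user's top-level mail directory that go beyond what the menu would grant. The mapping of the menu's right names onto RFC 2086 letters, the reading of All as every right, and the sample GETACL lines are assumptions made for the example.

```python
import shlex

# RFC 2086 ACL right letters, in the order Cyrus prints them.
RIGHT_ORDER = "lrswipcda"
RIGHT_NAMES = {"l": "lookup", "r": "read", "s": "seen", "w": "write",
               "i": "insert", "p": "post", "c": "create", "d": "delete",
               "a": "admin"}

# Rights each Access Control List menu choice grants, as described in the
# procedure above. Mapping the names onto RFC 2086 letters, and reading
# "All" as every right, are assumptions of this example.
MENU_LEVELS = {
    "Read": "lrs",
    "Post": "lrsp",
    "Append": "lrswip",
    "All": RIGHT_ORDER,
}


def normalize(rights):
    """Canonical order with duplicates dropped; rejects unknown letters."""
    unknown = set(rights) - set(RIGHT_ORDER)
    if unknown:
        raise ValueError("unknown ACL right(s): " + "".join(sorted(unknown)))
    return "".join(ch for ch in RIGHT_ORDER if ch in rights)


def rights_names(rights):
    """Human-readable names for a rights string, e.g. 'da' -> 'delete, admin'."""
    return ", ".join(RIGHT_NAMES[ch] for ch in normalize(rights))


def menu_level(rights):
    """Name of the menu choice that grants exactly these rights, else None."""
    rights = normalize(rights)
    for name, letters in MENU_LEVELS.items():
        if letters == rights:
            return name
    return None


def parse_getacl(response):
    """Parse one untagged GETACL reply such as
    '* ACL user/alice alice lrswipcda anyone lrsp'
    into (mailbox, {identifier: rights}). Quoted mailbox names are handled."""
    parts = shlex.split(response)
    if len(parts) < 3 or parts[0] != "*" or parts[1].upper() != "ACL":
        raise ValueError("not an ACL response: %r" % response)
    mailbox, pairs = parts[2], parts[3:]
    if len(pairs) % 2:
        raise ValueError("unpaired identifier/rights in %r" % response)
    return mailbox, {ident: normalize(rights)
                     for ident, rights in zip(pairs[::2], pairs[1::2])}


def audit_acl(response, owner):
    """Findings for one user's top-level mail directory. Subfolders inherit
    this ACL, so an over-grant here exposes the whole mail tree."""
    mailbox, acl = parse_getacl(response)
    findings = []
    if "l" not in acl.get(owner, ""):
        findings.append("%s: owner %s cannot look up the mailbox" % (mailbox, owner))
    for ident, rights in acl.items():
        if ident == owner:
            continue
        if ident in ("anyone", "anonymous"):
            # Any world entry on a private mailbox deserves a look.
            findings.append("%s: %s has %s (%s)"
                            % (mailbox, ident, rights, rights_names(rights)))
            continue
        # Other identifiers are tolerated up to what the Read choice grants.
        extra = normalize("".join(set(rights) - set(MENU_LEVELS["Read"])))
        if extra:
            findings.append("%s: %s exceeds Read with %s (%s)"
                            % (mailbox, ident, extra, rights_names(extra)))
    return findings
```

To use it against a live server, feed it the lines printed by listaclmailbox in cyradm (reformatted as GETACL replies) for each user's top-level mailbox, and review every finding before trusting the Access Control List choice you made in the form.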

Assigning APOP with Password Mail Service

You can set up selected users to authenticate to the POP server with APOP, a challenge-response method (RFC 1939) in which the client sends an MD5 digest of a per-connection server timestamp and the password instead of the password itself, so the password does not travel over the network in clear text. (MD5 is a hash, not encryption: the server still needs the password, which is stored in the popauth file, to check the digest.) This protects the users' mail from unauthorized access. To assign the APOP service to the users you selected, follow these steps:

  1. From the Change User Account Mail Service form, choose APOP from the Mail Service menu.

  2. Click on Submit. A new form is displayed, requesting one or more types of authentication.

  3. If prompted for the Administrator Password, enter the password for the iass account. (For new installations of Internet Express, the iass account password is specified during installation.)

  4. To specify the users' encrypted POP password, enter the password in the Alternate Mail Password field and enter it again in the Verify Password field. A password is required.

    Mail passwords must contain at least six characters, in a combination of upper- and lowercase letters and numbers. Special characters, such as the at sign (@), dollar sign ($), percent sign (%), number sign (#), period ( . ), hyphen ( - ), or underscore ( _ ), while not required, are recommended.

  5. Click on Submit. A status message confirms the change in mail service.

  6. Optionally, you can select additional user accounts and modify their mail delivery methods by choosing User Account Selection from the navigation bar.

  7. When finished, use the navigation bar at the top of the form to return to the Manage Users menu or the Home menu.
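
To make the difference between POP with Password and APOP concrete, here is the APOP exchange worked through in Python, with both the server's and the client's side. It is an added example, not code from Internet Express or its POP server; the in-memory POPAUTH dictionary stands in for the popauth file, and the user name, secret and timestamp banner are the worked example from RFC 1939 section 7.

```python
import hashlib
import hmac
import os
import re
import time

# APOP (RFC 1939, section 7): the server's greeting carries a one-time timestamp
# banner; the client answers with MD5(banner + secret) instead of sending the
# secret. MD5 here is a hash, not encryption: the server must still hold the
# secret in recoverable form (the role of the popauth file) to recompute it.

BANNER_RE = re.compile(r"(<[^<>\s]+@[^<>\s]+>)")

# Constructed stand-in for the popauth file; the pair is RFC 1939's example.
POPAUTH = {"mrose": "tanstaaf"}


def make_banner(hostname, pid=None, now=None):
    """Server side: build the per-connection timestamp banner."""
    pid = os.getpid() if pid is None else pid
    now = int(time.time()) if now is None else int(now)
    return "<%d.%d@%s>" % (pid, now, hostname)


def server_greeting(banner):
    """Server side: the +OK greeting; the banner advertises APOP."""
    return "+OK POP3 server ready " + banner


def extract_banner(greeting):
    """Client side: pull the banner out of the greeting, failing closed."""
    match = BANNER_RE.search(greeting)
    if match is None:
        raise ValueError("no timestamp in greeting: server does not offer APOP")
    return match.group(1)


def apop_digest(banner, secret):
    """Both sides: 32 lowercase hex digits of MD5 over banner + secret."""
    return hashlib.md5((banner + secret).encode("utf-8")).hexdigest()


def client_apop_command(greeting, user, secret):
    """Client side: the APOP command sent instead of USER/PASS."""
    return "APOP %s %s" % (user, apop_digest(extract_banner(greeting), secret))


def server_verify_apop(banner, command, popauth=POPAUTH):
    """Server side: recompute the digest for this connection's banner and
    compare in constant time. A digest captured from another connection
    fails because its banner differs."""
    parts = command.split()
    if len(parts) != 3 or parts[0].upper() != "APOP":
        return False
    user, digest = parts[1], parts[2].lower()
    if len(digest) != 32 or any(c not in "0123456789abcdef" for c in digest):
        return False
    secret = popauth.get(user)
    if secret is None:
        apop_digest(banner, "")  # same work for unknown users: no timing oracle
        return False
    return hmac.compare_digest(apop_digest(banner, secret), digest)


def apop_exchange(user, secret, banner):
    """Run both sides for one connection: (lines on the wire, accepted)."""
    greeting = server_greeting(banner)
    command = client_apop_command(greeting, user, secret)
    return [greeting, command], server_verify_apop(banner, command)


def client_userpass_commands(user, secret):
    """POP with Password: what the client sends, the password in clear text."""
    return ["USER " + user, "PASS " + secret]


def secret_on_wire(lines, secret):
    """What a passive observer of the connection learns."""
    return any(secret in line for line in lines)
```

A capture of an APOP login yields only a digest that is useless against the next connection, whereas a capture of a USER/PASS login yields the password itself. The trade-off is on the server: because the digest is recomputed from the secret, the popauth file must hold the secret in recoverable form, so its permissions matter as much as those of the mail spool.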

Managing the iass Account

The installation procedure for Internet Express allows you to create the iass account. Using the Manage iass Account menu, you can perform the following tasks:

Changing the iass Account Forwarding Address

The installation procedure for Internet Express allows you to set a forwarding address for e-mail addressed to the iass account. This is useful if, for example, the administrator wants to have e-mail forwarded to root or some other e-mail account that is regularly monitored.

If you did not set a forwarding address during installation, you can set it by using the Modify iass Account menu. To do this, follow these steps:

  1. From the Manage Users menu, choose Manage iass Account.

  2. From the Manage iass Account menu, choose Change iass Account Mail Forward Address.

  3. Enter the forwarding address in the Mail Forwarding Address field. If you had previously set a forwarding address, it will be displayed in this field.

  4. Click on Change to modify the forwarding address.

  5. To remove the forwarding address, click on Remove.

Managing the .users.list File

The file ~iass/.users.list contains the account names and passwords of users. Because it holds passwords in readable form, treat it as sensitive: keep its permissions restricted so that only the iass account can read it, list it only when you need to, and purge entries (or remove the file) once the passwords have been handed to the users. From the Manage .users.list menu, you have the following options:

Listing User Accounts and Passwords

Use the Manage iass Account menu to list user accounts and passwords stored in the ~iass/.users.list file.

To do this, follow these steps:

  1. From the Manage Users menu, choose Manage iass Account.

  2. From the Manage iass Account menu, choose Manage .users.list.

  3. From the Manage .users.list menu, choose List User Accounts and Passwords.

    The user accounts and passwords are displayed.

Purging Passwords for User Accounts

Use the Manage iass Account menu to purge passwords for user accounts stored in the ~iass/.users.list file.

To do this, follow these steps:

  1. From the Manage Users menu, choose Manage iass Account.

  2. From the Manage iass Account menu, choose Manage .users.list.

  3. From the Manage .users.list menu, choose Purge Passwords for User Accounts.

    A confirmation message is displayed.

Removing the .users.list File

Use the Manage iass Account menu to remove the ~iass/.users.list file.

To do this, follow these steps:

  1. From the Manage Users menu, choose Manage iass Account

  2. From the Manage iass Account menu, choose Manage .users.list.

  3. From the Manage .users.list menu, choose Remove .users.list.

    A confirmation message is displayed.

Managing the User Self-Administration Feature

The User Self-Administration feature allows users to manage their own account information directly, without requesting help from an administrator. Users can change their password and, if the Procmail subset (IAEPROC) is installed, enable vacation mail. Additional administrative options allow you to selectively enable or disable each function; for example, you can allow users to change their passwords but not enable vacation mail, or vice versa. You can also use the Administration utility to create a template for adding your own functionality.

Note:

In order to administer the User Self-Administration feature, you must have a public Web server instance installed. Without a public Web server instance, the Manage User Self-Administration link will not appear on the Manage Users menu.

This section describes how to perform the following tasks:

Note:

The user's Web browser must support cookies to access the User Self-Administration feature. If users do not have this support or if they choose not to accept cookies, they cannot access this feature.

Enabling and Disabling the User Self-Administration Feature

To enable the User Self-Administration feature:

  1. From the Manage Users menu, choose Manage User Self-Administration. The Manage User Self-Administration menu is displayed (Figure 3-11).

    Figure 3-11 Manage User Self-Administration Menu

    Manage User Self-Administration Menu
  2. From the Manage User Self-Administration menu, choose Enable/Disable User Self-Administration.

    The Administration utility displays the current status allowing you to enable or disable user self-administration, depending on which is appropriate. Figure 3-12 shows a page where the User Self-Administration feature is disabled.

  3. Click on Enable to enable user self-administration. Once this feature has been enabled, the Enable button changes to Disable.

    Figure 3-12 Enable/Disable User Self-Administration Page

    Enable/Disable User Self-Administration Page

When you disable the User Self-Administration feature, users will not be able to access the User Self-Administration pages. In this case, a system administrator might need to reset the user account information. You can also customize the default status message (Section : Customizing the User Self-Administration Feature).

Enabling User Self-Administration When No Web Server Configuration Exists

When you enable the User Self-Administration feature for the first time, or enable it after removing a previous Web server configuration, the Administration utility prompts you to select a virtual host for the public Web server, which serves the self-administration pages. If there is no configured virtual host on the public Web server, you must create a virtual host before proceeding. It is highly recommended that you select (or create) a Secure Sockets Layer (SSL) virtual host: on a non-SSL virtual host, the user names and passwords that users submit to the self-administration pages travel over the network in clear text. The following steps complete the process:

  1. From the Configure Web Server for User Self-Administration form, select an SSL virtual host from the list box.

  2. Enter an alias name or accept the default name. (The alias name is used to access the self-administration pages.) The alias name should begin and end with a slash (/). For example, if you set the virtual host to _default_:443 and the alias name to /SelfAdmin/, the administration pages will be accessed by https://hostname/SelfAdmin/login.php.

  3. Click on the Submit button. Your public Web server is configured and the User Self-Administration feature is enabled. A status message is displayed.

Enabling User Self-Administration When a Current Web Server Configuration Exists

When you enable the User Self-Administration feature subsequent times, the public Web server is running and the current configuration options are displayed. When you click on Enable from the Enable/Disable User Self-Administration page, a form is displayed listing the current configuration of virtual host and alias name. You can enable the User Self-Administration feature in one of the following ways:

  1. Click on Accept to enable the User Self-Administration feature without changing configurations. A status message is displayed when completed. To modify the configuration, continue with the remaining steps.

  2. Click on Modify to change the virtual host and alias name of the public Web server.

  3. Select an SSL virtual host from the list box.

  4. Accept the default alias name for the virtual host or optionally enter an alias name. (The alias name is used to access the pages.) Figure 3-13 shows the virtual host selection and default alias name.

    Figure 3-13 Configure Web Server for Self-Administration Form

    Configure Web Server for Self-Administration Form
  5. Click on the Submit button. Your public Web server is configured and the User Self-Administration feature is enabled. A status message is displayed.

Modifying the Web Server Configuration

You can modify the Web server configuration for the User Self-Administration feature without disabling it; you can change or remove the Virtual Host and Alias Name configurations. When you choose to remove these configurations, the User Self-Administration feature then becomes disabled.

To modify the Web server configurations for the User Self-Administration feature:

  1. From the Manage User Self-Administration menu, choose Modify Web Server Configuration.

  2. Select a Virtual Host from the list of virtual hosts or click on Remove Configurations to remove all user self-administration configurations from the httpd.conf file (Figure 3-14: Modify Web Server Configuration Page).

    When you select a virtual host, it must be configured on your system. See Section : Enabling User Self-Administration When No Web Server Configuration Exists for more information.

    Figure 3-14 Modify Web Server Configuration Page

    Modify Web Server Configuration Page
  3. Edit the alias name, if desired. The alias name must begin and end with a slash (/).

  4. Click on Submit. If you chose to remove configurations, you will be prompted to confirm that action. A status message is displayed.

Enabling and Disabling Login Delays

By default, a security measure delays the processing of login requests after a number of successive failed login attempts, which slows down password guessing against the self-administration login. This feature can be disabled, but doing so is not recommended because it exposes the self-administration pages to brute-force password attacks.

To enable or disable a delay in the processing of login requests:

  1. From the Manage Users menu, choose Manage User Self-Administration.

    The Manage User Self-Administration menu is displayed.

  2. From the Manage User Self-Administration menu, choose Enable/Disable Login Delay. The Enable/Disable Login Delay page is displayed.

  3. Click on Enable to enable login delays. Figure 3-15 shows that login delays have been enabled. Once this feature has been enabled, the Enable button changes to Disable.

    Figure 3-15 Enable and Disable Login Delays

    Enable and Disable Login Delays
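
The following Python sketch is added here to show how a login delay of this kind behaves and why it is preferable to locking the account outright; it is not code from Internet Express, and the schedule it uses (no delay until three consecutive failures, then a delay that doubles with each further failure up to a cap, reset by a successful login or by fifteen quiet minutes) is an assumption, since the page does not state the product's own parameters.

```python
import time


class LoginThrottle:
    """Delay processing of login requests after successive failures.

    Assumed schedule (not the product's): no delay until `threshold`
    consecutive failures, then the delay doubles with each further failure
    up to `max_delay`; a success, or `window` seconds of quiet, resets the
    count. Delaying instead of locking means an attacker cannot lock a user
    out simply by sending bad passwords in that user's name.
    """

    def __init__(self, threshold=3, base_delay=2.0, max_delay=60.0, window=900.0):
        self.threshold = threshold
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.window = window
        # key -> (consecutive failures, time of last failure); the key can be
        # the user name or a (user, client address) pair.
        self._state = {}

    def _failures(self, key, now):
        count, last = self._state.get(key, (0, 0.0))
        if count and now - last > self.window:
            return 0  # stale record: start afresh
        return count

    def delay_for(self, key, now=None):
        """Seconds the next login attempt for `key` must wait."""
        now = time.time() if now is None else now
        count = self._failures(key, now)
        if count < self.threshold:
            return 0.0
        return min(self.base_delay * 2 ** (count - self.threshold), self.max_delay)

    def record_failure(self, key, now=None):
        now = time.time() if now is None else now
        self._state[key] = (self._failures(key, now) + 1, now)

    def record_success(self, key):
        self._state.pop(key, None)

    def attempt(self, key, password_ok, now=None):
        """Process one login request: returns (accepted, delay applied)."""
        now = time.time() if now is None else now
        delay = self.delay_for(key, now)
        # A real handler sleeps for `delay` here before checking the password.
        if password_ok:
            self.record_success(key)
            return True, delay
        self.record_failure(key, now + delay)
        return False, delay


def brute_force_cost(guesses, throttle=None, key="victim"):
    """Total delay an attacker sits through for `guesses` wrong passwords
    against one account, starting from a clean state."""
    throttle = LoginThrottle() if throttle is None else throttle
    clock, total = 0.0, 0.0
    for _ in range(guesses):
        _, delay = throttle.attempt(key, False, now=clock)
        clock += delay
        total += delay
    return total
```

With these parameters the first three guesses cost nothing, and ten guesses already cost just over three minutes of waiting; keying the throttle by client address as well as user name keeps one attacker from slowing down the real user's logins from elsewhere.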

Managing User Self-Administration Groups

The User Self-Administration feature is organized in different groups that can be enabled and disabled independently. User self-administration groups contain the following elements:

  • ID – A unique, short word used to identify a group.

  • Description – Information used as menu item text and as page headers.

  • Main Page – Information that identifies the file to which the user's main menu provides a link.

  • Enabled status – Flag that specifies whether the group is accessible to users.

Internet Express provides two groups as built-ins, Vacation Mail and Change User Password. In addition to these groups, you can add your own group. The following sections describe how to add and modify existing groups.

Adding Groups

You can add new groups to contain additional functionality for the User Self-Administration feature. Groups allow you to easily enable and disable parts of your configuration and create templates to wrap new functionality. Templates perform the following functions:

  • Verify that the group is enabled.

  • Verify that a user is logged in.

  • Make sure that the login has not expired.

  • Create a header if these conditions are met or display the customizable disabled message.

To add a group:

  1. From the Manage Users menu, choose Manage User Self-Administration. The Manage User Self-Administration menu is displayed.

  2. From the Manage User Self-Administration menu, choose Manage Groups. The Manage Groups form is displayed.

  3. Enter a description in New Group Description field. Click on Add. The Add Group form is displayed (Figure 3-16), allowing you to specify group attributes.

  4. On the Add Group form, enter a unique ID in ID field. The ID should be a short, one-word value.

  5. Optionally, revise the description you entered in Step 3.

  6. Enter the pathname and file name for the main page of this group. The path should be relative to the User Self-Administration home directory. For example, if the file is located at $selfadmin_home/data/foo.php, set the value to data/foo.php.

  7. Click on the Create Template check box if you would like a template created for the main page. Use the template file as the basis for all files you create in this group. Existing templates are not overwritten.

  8. Click on the Enabled checkbox to enable the group. When a group created with the User Self-Administration feature is disabled, users cannot access the pages and the link is not available from the main menu.

  9. Click on Submit. A status message is displayed when the group is created. Figure 3-16 shows the Add Group form completed for a new group, System Mail.

    Figure 3-16 Adding Groups

    Adding Groups

Deleting and Modifying Groups

To modify the properties for an existing group or delete an existing group:

  1. From the Manage User Self-Administration menu, choose Manage Groups. The Manage Groups form is displayed. Existing groups are listed in the Existing Group Descriptions field.

  2. Select the group you want to delete or modify from this list.

    • To delete a group, click on the Delete button. This will remove the group definition and menu item from the user's main menu but will not remove any files. A status message is displayed.

    • To modify group attributes, click on the Modify button. For built-in groups, you can only modify the Enabled status and the description string. All group attributes, except ID, are available for custom groups.

      1. Change the group description in the Description field.

      2. Change the name for the main page. This name should be relative to User Self-Administration home directory. For example, if the file is located at $selfadmin_home/data/foo.php, then its name should be set to data/foo.php.

      3. Select the Create Template check box if you want a template created for the main page. Use the template file as the basis for all files you create in this group. Existing templates will not be overwritten.

      4. Select the Enabled check box to enable the group. When a group created with the User Self-Administration feature is disabled, users cannot access the pages and the link is not available from the menu.

      5. Click on Submit. A status message is displayed when the group modifications are processed.

Enabling and Disabling Groups

To enable or disable groups and not edit other properties, do the following:

  1. From Manage User Self-Administration menu, choose Enable/Disable Groups. A list of existing group descriptions is displayed. Each description is followed by a check box.

    A checked box indicates that the group is enabled and an unchecked box indicates it is disabled. Enable or disable a group as desired.

  2. Click on Submit. A status message is displayed.

Customizing the User Self-Administration Feature

You can add functionality to allow users to make changes to other user account information. The Administration utility allows users to change their passwords and use a vacation mail service.

Note:

Changes to the vacation mail service can be made only if you have installed the Procmail subset (IAEPROC).

To add functionality, you should create a new group for each menu item to be added to the user's main menu page (see Section : Managing User Self-Administration Groups). All new files must be in the /usr/internet/httpd/admin/htdocs/osis/selfadmin/data directory to ensure that they are not deleted during future Internet Express updates.

To customize the User Self-Administration feature:

  1. From the Manage Users Menu, choose Manage User Self-Administration.

  2. Follow instructions in Section : Adding Groups to add a new group. Select the option to create a template in the Add Group form. Use the created page as a basis for each PHP page in group.

  3. Follow instructions in Section : Enabling and Disabling Groups to enable the group after you have completed adding your custom functionality.

Alternately, you can add new functionality without using groups. This method will, however, prevent you from selectively enabling or disabling groups. For more information and instructions, refer to the /usr/internet/httpd/admin/htdocs/osis/selfadmin/data/template.php file.

You can customize the display properties of the user pages by editing defaults.inc and style.css files located in the /usr/internet/httpd/admin/htdocs/osis/selfadmin/data directory.

The defaults.inc file contains paths to the image files used for the header, bullets, and link arrows. This file also contains the definition of attributes used to create the header. The most important attribute is the width attribute, which defines the width of the page.

The style.css file is the stylesheet used by all pages. It defines the styles applied to fonts and background color.

When you disable the User Self-Administration feature or individual groups, a default status message is displayed when users attempt to access these pages. You can customize this message by editing the page_disabled.inc file in the /usr/internet/httpd/admin/htdocs/osis/selfadmin/data directory. By changing this message, you can direct your users to contact the administrator to change their account information.