Chapter 3 User Administration
» Table of Contents |  | | » Glossary | | | » Index | | |
| | |
| ||
| ||
Table of Contents
- Overview of User Accounts
- Creating Captive Accounts for Named Users
- Creating Captive Accounts for Generic Users
- Creating a Noncaptive Account for a UNIX System User
- Creating Groups
- Displaying User Account Information
- Deleting User Accounts
- Changing Groups for User Accounts
- Changing the Password for an Account
- Changing Mail Services for Users
- Managing the iass Account
- Managing the User Self-Administration Feature
The Manage Users menu lets you perform a variety of user account management functions. To access this menu:
From the Internet Express Administration Utility Main menu, choose Manage Components. The Manage Components menu is displayed.
From the Manage Components menu, under Users, choose Manage Users. The Manage Users menu is displayed (Figure 3-1).
From the Manage Users menu, you can perform the following tasks:
Create named captive accounts (see Section : Creating Captive Accounts for Named Users) or generic captive accounts (see Section : Creating Captive Accounts for Generic Users) for Internet Express users, and elect to store the account information in an LDAP directory server
Create noncaptive accounts for UNIX system users (see Section : Creating a Noncaptive Account for a UNIX System User), and elect to store the account information in an LDAP directory server
Create groups for user accounts (see Section : Creating Groups), and elect to store the group information in an LDAP directory server
Display user account information (see Section : Displaying User Account Information)
Delete user accounts (see Section : Deleting User Accounts)
Change the secondary groups an account is assigned to (see Section : Changing Groups for User Accounts)
Change an account's password (see Section : Changing the Password for an Account)
Change an account's mail service (see Section : Changing Mail Services for Users)
Manage the iass account (see Section : Managing the iass Account)
Allow users to self-manage their accounts (see Section : Managing the User Self-Administration Feature)
The Administration utility supports the management of the following types of user accounts:
Captive accounts for named users—You can create captive accounts for individual users (Section : Creating Captive Accounts for Named Users). This function is useful to create a small number of specifically named accounts. You can specify passwords or let the system generate them for you.
Captive accounts for generic users—Using a batch process, you can create a large number of generically named accounts with system-generated passwords (Section : Creating Captive Accounts for Generic Users).
Noncaptive accounts for system users—You can create standard UNIX accounts for individual system users (Section : Creating a Noncaptive Account for a UNIX System User).
| |
| |
| |
 | Notes: By default, the user accounts are created with regular delivery mail service. To change a user's mail service, see Section : Changing Mail Services for Users. On a system using the Network Information Services (NIS), you cannot create a user name that conflicts with an NIS user name even if that name does not exist in your local /etc/passwd file. Be sure to periodically check the contents of the ~iass/.users.list file to purge obsolete users and passwords (see Section : Purging Obsolete Passwords). |
| |
| |
| |
When you create any user account (captive or noncaptive, named or generic), you can elect to have the account information stored in an LDAP directory (if you are using an LDAP directory server on your system).
The users of the captive accounts that you create have access to the Internet services you install on your system. The accounts are called captive because the user is restricted to a predefined menu of functions (through either a standalone terminal or terminal emulation on a PC), which provides access to the following services and functions:
Electronic mail—Send and receive e-mail from other users on the Internet, including those who use the local system as their e-mail server for POP3 or IMAP clients.
News—Use terminal-type news readers.
World Wide Web—Use a character-cell Web browser (Lynx) or a graphical Web browser (if it is installed and the DISPLAY environment variable is set).
Change Password—Change the current login password for the user's account.
User's Guide—Read an online version of the Internet Services User's Guide, which explains how to access and use mail, news, and the Web browser.
Internet Express captive account users cannot access the Tru64 UNIX shell.
The user of a noncaptive UNIX account that you create has access to the shell and enjoys all privileges of the groups to which the user is assigned.
Accounts are not required for any users who will access your system using only Web browsers or news clients. Remember that user accounts are system resources and must be managed to ensure system security. Create new noncaptive user accounts judiciously.
| |
| |
| |
| Note: Whenever you use the Administration utility to manage user accounts, you may see a message displayed in a box titled Security Information warning you that some unencrypted information may be transmitted over the network. Click on Continue to continue the operation. You can temporarily disable this message by clearing the checkmark in front of Show This Alert Next Time. To enable the message, make sure your browser security preferences are set to display a message before submitting a form over an unsecured connection. |
| |
| |
| |
Note the following rules when specifying the user name for an account (or the user-name prefix for a generic account):
Use only alphabetic, numeric, or a combination of alphabetic and numeric characters.
Do not use nonalphanumeric characters (for example, spaces, colons, hyphens, underscores, or periods) in the user name.
All user accounts have passwords. You can assign a password when you create an account for a named captive Internet Express account or for a UNIX system user. Alternatively, the Administration utility can generate the password for these accounts. (You do not assign passwords to generic captive accounts; the utility automatically generates the passwords for these accounts.)
To make a password more secure, make sure the password contains:
Between 8 and 64 characters
If you are not running ENHANCED (C2) security on your system, the password can be no more than 8 characters
A mixture of uppercase and lowercase letters
Unusual capitalization, symbols, or digits
Passwords that do not meet these criteria are rejected by the Administration utility.
The passwords that the Administration utility automatically generates (for any type of account) are recorded in the ~iass/.users.list file.
If you specify a password for a named captive account or a UNIX account, the event is noted in this file, but the actual password is not recorded.
Entries are not automatically removed from the ~iass/.users.list file when you delete an account. If you do not periodically remove obsolete entries, this file can become large.
When you log in to the iass account and the ~iass/.users.list file exists, the menu item Manage .users.list is displayed. Use this function to view, print, or remove the recorded passwords.
To ensure a secure system, require users to change their passwords regularly. See the Tru64 UNIX System Administration manual for information on how to change passwords.
You can also access the ~iass/.users.list using the Manage iass Account menu item (see Section : Managing the iass Account).
Several user management tasks (such as displaying or deleting user accounts or changing groups) require you to select the user accounts on which you want to operate. The Administration utility allows you to search for user accounts, using one or more of the following search criteria:
Name Pattern
Group
Mail Service
If you select more than one search criterion, the logical operator AND is applied to the criteria. Therefore, using more than one search criterion tends to refine the search. For example, the Display User Account form in Figure 3-2 (accessed from Manage Users menu) shows how to construct a query to find user accounts that contain the letter a in the name and use the Regular Delivery mail service.
When you click on Apply, the results of your search are displayed in the User Account Selection List frame (to the right of the User Account Selection Criteria frame). You can select individual accounts from the list box (press and hold the Control key and click MB1), or you can select all the accounts by clicking on Display All. In Figure 3-3, the administrator has selected three of the 15 accounts that match the query shown in Figure 3-2. The Administration utility will operate on these three accounts only.
To return the criteria in the User Account Selection Criteria frame to their default values, click on Reset. If you do not clear or reset the previous choices, they remain in effect to be used in a subsequent query. You can omit an individual selection criterion from subsequent queries by turning off its associated checkbox.
When you create a user account, you can assign the user to from one to four logical categories called groups. You can select from existing groups, which are displayed in a list box. To create a new group, see Section : Creating Groups.
The Administration utility allows you to select from groups with a group identifier (GID) of 15 or greater that are defined on the local system. The utility also creates an IASS_Usr group with a GID of 1000 (or the next available GID above 1000), and assigns all captive users to this group. You can select captive accounts (for modification or deletion) by using the IASS_Usr group as a selection criterion.
| |
| |
| |
| Note: If the group Lkr_Usr_ exists from a previously installed version of Internet Express, then the IASS_Usr group is not created and Lkr_Usr_ is used instead. |
| |
| |
| |
There is a limit to the number of users you can assign to a given group and to the length of a group name. See the Tru64 UNIX System Administration manual for more information on these limits.
The forms to create user accounts contain a list box that you can use to select from among the existing groups on your system. To select multiple groups, click on up to four groups in the list box. Optionally, you can also associate a Tru64 UNIX user account with up to four additional secondary groups by selecting more than one group from the list box. (If you select more than four groups, the user is assigned to only the first four groups, starting at the top of the list.)
For captive Internet Express users, group assignment is optional. You can select up to four groups to associate with an Internet Express user account. The Administration utility automatically assigns IASS_Usr (or Lkr_Usr_, if it exists from a previously installed version of Internet Express) as the primary group to Internet Express captive accounts.
| |
| |
| |
| Note: If the Enable Group Attributes field is checked in the LDAP Module for System Authentication — Configure Group Attributes, and the LDAP Module for System Authentication is enabled (see Section : Configuring LDAP Group Attributes), then the LDAP secondary groups will appear on the Create System User Account, Create Named User Account, and Create Generic User Accounts pages. |
| |
| |
| |
For noncaptive Tru64 UNIX system users, you must assign the user to at least a primary group. This group becomes the login group for the account. The Administration utility sets the default primary group for noncaptive accounts to users; if the users group does not exist, the default primary group is IASS_Usr (or Lkr_Usr_, if it exists from a previously installed version of Internet Express).
| |
| |
| |
| Note: If you need to change an account's primary group, you must use Tru64 UNIX commands at the shell prompt. |
| |
| |
| |
After a set of Internet Express accounts is associated with a group, you can use that group to make modifications to the set of accounts. For example, if you assign a set of captive accounts to the group finance, you can later modify or delete the group. All accounts associated with the finance group will be modified or deleted in that one action. Also, if you select Display User Accounts and specify a group, information on all users in that group is displayed.
To create a named captive account, follow these steps:
From the Manage Users menu, choose Create Captive User Accounts.
From the Create Captive User Accounts menu, choose Create Named User Account.
Specify the user (login) name for the account in the Login Name field (see Section : Specifying User Names).
Optionally, specify a password in the Password field. To verify the password, enter it again in the Verify Password field. (The system will generate a password if you do not specify one.)
To specify the parent directory for these generic accounts, enter the full pathname of the parent directory (excluding the login name) in the Parent Directory field. The default login directory for generic captive accounts is /data/IASS_Usr/login_name (or /data/Lkr_Usr_/login_name, if the /data/Lkr_Usr_ directory exists from a previously installed version of Internet Express).
Optionally, specify the account name. (This is usually the full given name of the person for whom you are creating the account.)
Optionally, assign the account to up to four existing groups (see Section : Assigning Users to Groups) by selecting the groups from the Secondary Groups list box. (The Administration utility automatically assigns captive user accounts to the IASS_Usr group as the primary group.)
If you installed and enabled the LDAP Module for System Authentication, the Create Named Captive Account form displays a checkbox labeled Store Users in LDAP Directory Server. Check this checkbox when you want to store this user account information in the LDAP directory server.
Click on Submit.
Figure 3-4 shows the Create Named User Account form.
When the captive account for the named user is successfully added to the system, the Administration utility displays information about the account on a confirmation page.
You can create a single Internet Express generic user account, or multiple accounts at once, with system-generated user names and passwords. You can optionally assign generic user accounts to existing or new groups (see Section : Assigning Users to Groups). The Administration utility automatically assigns passwords to generic accounts.
To create a generic captive account, follow these steps:
From the Manage Users menu, choose Create Captive User Accounts.
From the Create Captive User Accounts menu, choose Create Generic User Accounts.
Specify the user-name prefix in the Login Name field (for example, guest).
The system automatically generates a password for each generic user account.
Specify the number of generic accounts you want to create in the Number of Users field (for example, 5).
Optionally, assign the account to up to four existing groups (see Section : Assigning Users to Groups) by selecting each group from the Secondary Groups list box. (The Administration utility automatically assigns IASS_Usr as the primary group for generic captive accounts.)
To specify the parent directory for these generic accounts, enter the full pathname of the parent directory for generic accounts in the Parent Directory field. The default login directory for generic captive accounts is /data/IASS_Usr/LoginPrefixNumber (or /data/Lkr_Usr_/LoginPrefixNumber, if the /data/Lkr_Usr_ directory exists).
If you installed and enabled the LDAP Module for System Authentication, the Create Generic User Accounts form displays a checkbox labeled Store Users in LDAP Directory Server. Check this checkbox when you want to store this user account information in the LDAP directory server.
Click on Submit.
Figure 3-5 shows the Create Generic User Accounts form.
For example, suppose you specify guest as the prefix and 3 as the number of users. If no existing user name matches the specified prefix (guest), the Administration utility creates accounts for guest1, guest2, and guest3. If any of the combinations of prefix and number results in an existing account name, the utility increments the number by one and tests to be sure this results in a unique account name. For example, if guest1 exists, the Administration utility creates accounts for guest2, guest3, and guest4. If guest3 also exists, the utility creates accounts for guest2, guest4, and guest5, and so on, until three unique accounts are created.
There is no limit to the number of generic user-name prefixes you can specify, and each of these generic user-name prefixes can have from 1 through 999 accounts created for it.
Because creating a large number of accounts can take time, generic account creation runs as a background process. You can use the Administration utility for other purposes while this background process runs. Any errors that occur are logged in the /usr/internet/admin/log/addgenuser.log file.
To create a noncaptive account for a UNIX system user, follow these steps:
From the Manage Users menu, choose Create System User Account.
From the Manage Users menu, choose Create System User Account.
Specify the user's login name in the Login Name field (see Section : Specifying User Names). The login name (and UID) you assign to the account are recorded in the /etc/passwd file.
Specify the login directory for this account in the Login Directory field. You must specify the full path of the user's login directory on the local system. For example, if the system account login name is vpr, then specify the login directory as parent_dir/vpr. If the login directory you specify does not exist, it is created for you and populated with default login script templates (obtained from the /usr/skel directory).
Optionally, you can:
Specify and verify the user password (see Section : Assigning Passwords to User Accounts).
If you do not specify a password, the system generates one.
Provide the full name of the account user (returned as output from the finger command).
Change the user's primary group by selecting from among the existing groups displayed in the Primary Group pull-down menu.
The Administration utility assigns the group users as the default primary group. If the users group does not exist, the default primary group is IASS_Usr (or Lkr_Usr_, if it exists from a previously installed version of Internet Express). The Create System User Account form allows you to change the default primary login group by choosing from a list of existing groups.
To create a group, see Section : Creating Groups.
Add the user to up to four additional secondary groups by selecting each group from the Secondary Groups list box.
In the /etc/group file, the user is added to the groups you select. See Section : Assigning Users to Groups for more information on assigning a user to groups.
Change the user's UNIX shell by selecting a shell from the pull-down menu (usr/bin/sh is the default shell).
Among the selections is No shell, which is useful for an account that no one will log into, such as an anonymous FTP account or a mail account that is used only to access mail messages through POP or IMAP.
Disable logins (for instance, in creating an account for FTP activity) by clicking on the Yes radio button in the Disable Login field.
Click on Submit.
| |
| |
| |
| Note: If you have root access to the local system, you can unlock accounts and add accounts to user groups with GIDs less than 15 using UNIX command-line utilities (such as useradd, usermod, and passwd). You can also use the dxaccounts GUI to perform these tasks. |
| |
| |
| |
Figure 3-6 shows the Create System User Account form.
To create a user group, follow these steps:
From the Manage Users menu, choose Create Groups.
On the Create Groups form, enter the name of the new group you want to create in the Unique Group Name field. (The names of existing groups are displayed in the Available Groups list box as a convenience.)
Use only alphabetic, numeric, or combinations of alphabetic and numeric characters. Do not use spaces, colons, hyphens, underscores, periods, or other nonalphanumeric characters.
Optionally, you can specify a group ID (GID) for a group name. If this field is left blank, the GID will be generated by the system. The following rules apply to GIDS:
Group names can share GIDs.
There can be multiple groups with the same GID.
Groups names must be unique.
Multiple group names cannot exist. This applies to each database.
The same group name may be stored in both the local and LDAP database. If this is true, the local group will by default be used first by the application.
If you installed the LDAP Module for System Authentication, the Create Groups form displays a checkbox labeled Store in Directory Server. Check this checkbox when you want to store this group information in the LDAP directory server.
Click on Add.
The group you created is displayed in the Existing Groups list box, and is immediately available to add to user accounts. Figure 3-7 shows the Create Groups form.
| |
| |
| |
| Note: On a system using the Network Information Services (NIS), you cannot create a group name that conflicts with an NIS group name even if that name does not exist in your local /etc/group file. |
| |
| |
| |
You can display user account information for any number of selected users. (See Section : Searching for User Accounts for instructions on searching for users.)
To display user account information, use one of the following methods:
Click on one or more names from the User Account list and click on Display Selected.
Click on Display All to select all the names in the User Name list box.
As shown in Figure 3-8, the Administration utility displays the following information for each account you selected:
User name
UID
Source of user account information (Local means the user information is stored in the /etc/passwd file; LDAP means the information is stored in the an LDAP directory server).
Primary group
Login directory
Login shell
The full account name associated with the user
| |
| |
| |
| Note: On a system using the Network Information Services (NIS), the names of UNIX system accounts (or groups) are not displayed in the User Account Names (or User Account Groups) list box, nor will any NIS user information be included in the output when you click on Submit. |
| |
| |
| |
You can deny a user access to the system by deleting a user's account. You can also specify the removal of the home and mail directories associated with the deleted account.
| |
| |
| |
| Notes: You cannot use the Administration utility to delete a Tru64 UNIX user that has a UID value of less than 105. You also cannot delete a user account while that user is logged in, or delete the Internet Express administrator's account, iass. For more information on managing Tru64 UNIX system user accounts, see the Tru64 UNIX System Administration manual. Internet Express accounts and passwords are stored in the ~iass/.users.list file. Entries are not automatically removed from this file when you delete an account. If you do not periodically remove obsolete entries, the .users.list file can become large. See Section : Purging Obsolete Passwords for information on how to purge obsolete entries from this file. |
| |
| |
| |
To deny access to the account for a period of time without deleting all of the files associated with that account, change the account password rather than deleting the account itself. For more information on changing the password, see Section : Changing the Password for an Account.
If you want to reuse an account, delete the account and its directories and then re-create the account. With this process, you automatically delete all of the previous user's files and avoid the possibility of private or personal files becoming available to the new user of the account.
| |
| |
| |
| Caution: When you delete a user account, the directories and files for that account cannot be restored (unless the directories and files were previously backed up). |
| |
| |
| |
To delete one or more user accounts, follow these steps:
From the Manage Users menu, choose Delete User Accounts.
Search for the user accounts you want to delete. (See Section : Searching for User Accounts for instructions on searching for user accounts.)
To display user account information, use one of the following methods:
Click on one or more names from the User Account list and click on Display Selected.
Click on Display All to select all the names in the User Account list box.
The Delete User Accounts form shows the login name, UID, primary group and login directory for each user you selected.
To remove a user's home directory when the account is deleted, click on the checkbox in the Remove Directory column. (By default, a user's home directory remains on the system after the account is deleted.) All files assigned to that user are deleted and the disk space used by that account is freed for other use.
When deleting a large number of user accounts, you can go directly to a specific page in the listing by entering the page number in the text field at the top of the form and clicking on Go To Page. Note that when you click the Delete button, all of the selected user accounts are deleted, not just the user accounts on the current page.
Newsgroup postings and messages that the user sent to other users are not deleted. This applies to user accounts that you delete individually or as a group (when you select accounts to delete based groups to which they belong).
Click on Delete to delete the displayed accounts. To cancel the deletion, click on Reset.
| |
| |
| |
| Note: On a system using the Network Information Services (NIS), the names of UNIX system accounts are not displayed in the User Account Names list box, but will be included (if any match the selection criteria) with the Internet Express captive accounts when you click on Submit. |
| |
| |
| |
Figure 3-9 shows the result of a request to delete the val1 account. The home and mail directories for the val1 account will be deleted with the account.
You can use the Administration utility to change the list of secondary groups to which one or more user accounts are assigned. (To change an account's primary group, you must use Tru64 UNIX commands.)
To modify the secondary groups to which a user belongs, follow these steps:
From the Manage Users menu, choose Change User Account Secondary Groups. The User Account Selection Criteria form then displays.
Search for the user accounts whose secondary group assignments you want to change. (See Section : Searching for User Accounts for instructions on searching for users.)
After you select the user accounts and press Apply, the User Accounts Selection List displays.
Use one of the following methods to select user accounts:
Click on one or more names from the User Account Selection List and click on Display Selected.
Click on Display All to select all the names in the User Name list box.
The Change User Secondary Groups form shows the current group assignments for the selected users. In the Secondary Groups list box, click on one or more secondary groups to which the selected users are to be assigned. (See Section : Assigning Users to Groups for more information on assigning users to groups.)
To retain existing group assignments for an account, select the existing groups in addition to the new groups.
If a user account's primary group is the same as one of the secondary groups you select, the duplicate group is dropped from the secondary group assignment for this account.
Click on Submit to replace the existing secondary group assignments with the new ones.
In Figure 3-10, the val1 and dylan accounts will be added to the sysadmin group. To retain the assignment to groups httpd and operator, these groups must also be selected (not shown).
The Change User Account Password function is useful when a user has forgotten the password for an account, or if you want to retain a user account on the system but deny access temporarily to the account. You do not need to know the current password for an account to change the account's password. You can view passwords in the .users.list file by logging into the iass account (see Section : Purging Obsolete Passwords).
To change the password for a captive or system user account, follow these steps:
From the Manage Users menu, choose Change User Account Password.
Use the User Account Selection Criteria frame to search for the user account whose password you want to change. (See Section : Searching for User Accounts for instructions on searching for users.)
In the resulting User Account Selection List frame, click on one user whose password you want to change and click on Display Selected.
Enter the new password for the selected account in the New Password field, and again in the Verify Password field. If you make a mistake, click on Clear.
Passwords must conform to the conventions described in Section : Assigning Passwords to User Accounts.
If you want the Administration utility to generate a password for you, leave these fields blank.
Click on Submit to change the password.
The utility displays a message to tell you that a record of this transaction was sent to the iass account. Log in to the iass account periodically to review the contents of the .users.list file, and to delete obsolete account information in that file (see Section : Purging Obsolete Passwords).
You can use the Administration utility to change the mail service for a single user, a group of users, or all the users on your system. You must have root privileges to change a user's mail service.
Some mail services require you to specify a password to protect a user's mail. In addition, the Cyrus IMAP mail service requires you to specify access rights for the user's mail directories (subdirectories for folders inherit the access rights of the user's top-level mail directory).
To change the mail service for one or more users:
Search for the user accounts you want to change. Click on the check boxes corresponding to one or more of the following search criteria:
Name Pattern — Search for user account names using any UNIX regular expression. The default name pattern searches for all user accounts.
Group — Select one or more groups from the list box. The Administration utility searches for all user accounts belonging to any of the chosen groups.
Mail Service — Select one or more mail service types from the list box. The Administration utility searches for all user accounts assigned to any of the chosen mail services.
Click on Apply to conduct the search. The Administration utility lists all user accounts matching the selection criteria.
To erase your choices and start a new search, click on Reset.
Click on one or more names from the resulting list box.
To conduct another search without choosing names from the resulting list box, click on the up arrow icon to return to the User Account Selection Criteria frame.
Note: On a system using the Network Information Services (NIS), the names of UNIX system accounts are not displayed in the User Account Names list box, but will be included (if any match the selection criteria) with the Internet Express captive accounts when you click on Submit.
Assign one of the following mail services to the selected user accounts, depending on which mail services are installed and active on your system:
Regular Delivery (see Section : Assigning Regular Delivery Mail Service)
POP with Password (see Section : Assigning POP with Password Mail Service)
Cyrus IMAP (see Section : Assigning the Cyrus IMAP Mail Service)
Cyrus IMAP with Password (see Section : Assigning Cyrus IMAP with Password Mail Service)
With regular delivery, mail is delivered into the /var/spool/mail directory. Assign the Regular Delivery mail service to users who read their mail as follows:
Locally, with a UNIX client (such as mailx, mh commands, or dxmail)
Using a POP mail server
Using the University of Washingon IMAP (UW-IMAP) Server
For users who want to use a password other than their login password to access mail using POP, choose either POP with Password (see Section : Assigning POP with Password Mail Service) or APOP (see Section : Assigning APOP with Password Mail Service).
| |
| |
| |
| Note: If you choose either POP with Password or APOP, the user's mail client must be configured accordingly. Otherwise, the users will be unable to access their mail. |
| |
| |
| |
To assign regular delivery service to the users you selected, follow these steps:
From the Change User Account Mail Service form, choose Regular Delivery from the Mail Service menu.
Click on Submit. A new form is displayed, requesting one or more types of authentication.
If prompted for the Administrator Password, enter the password for the iass account. (For new installations of Internet Express, the iass account password is specified during installation.)
Click on Submit. A status message confirms the change in mail service.
Optionally, you can select additional user accounts and modify their mail delivery methods by choosing User Account Selection from the navigation bar.
When finished, use the navigation bar at the top of the form to return to the Manage Users menu or the Home menu.
You can set up selected users to use POP mail with a clear-text password other than their login password. This password is stored in the popauth file, and protects the users' mail from unauthorized access.
To assign POP with password mail service to the users you selected, follow these steps:
From the Change User Account Mail Service form, choose POP with Password from the Mail Service menu.
Click on Submit. A new form is displayed, requesting one or more types of authentication.
If prompted for the Administrator Password, enter the password for the iass account. (For new installations of Internet Express, the iass account password is specified during installation.)
To specify the POP password for the selected users, enter the password in the Enter Alternate Mail Password field and enter it again in the Verify Password field. A password is required.
Mail passwords must contain at least six characters, in a combination of upper- and lowercase letters and numbers. Special characters, such as the at sign (@), dollar sign ($), percent sign (%), number sign (#), period ( . ), hyphen ( - ), or underscore ( _ ), while not required, are recommended.
Click on Submit. A status message confirms the change in mail service.
Optionally, you can select additional user accounts and modify their mail delivery methods by choosing User Account Selection from the navigation bar.
When finished, use the navigation bar at the top of the form to return to the Manage Users menu or the Home menu.
To assign the Cyrus IMAP service to the users you selected, follow these steps:
From the Change User Account Mail Service form, choose Cyrus IMAP from the Mail Service menu.
Click on Submit. A new form is displayed, requesting one or more types of authentication.
If prompted for the Administrator Password, enter the password for the iass account. (For new installations of Internet Express, the iass account password is specified during installation.)
You must specify access privileges for the selected users' mail directories. Select one of the following from the Access Control List menu:
All — Grants the user full access rights.
Read — Grants the user lookup, read, and seen access rights.
Post — Grants the user lookup, read, seen, and post access rights.
Append — Grants the user lookup, seen, post, write, and insert access rights.
Click on Submit. A status message confirms the change in mail service.
Optionally, you can select additional user accounts and modify their mail delivery methods by choosing User Account Selection from the navigation bar.
When finished, use the navigation bar at the top of the form to return to the Manage Users menu or the Home menu.
To assign the Cyrus IMAP service with a password to the users you selected, follow these steps:
From the Change User Account Mail Service form, choose Cyrus IMAP with Password from the Mail Service menu.
Click on Submit. A new form is displayed, requesting one or more types of authentication.
If prompted for the Administrator Password, enter the password for the iass account. (For new installations of Internet Express, the iass account password is specified during installation.)
You must specify access privileges for the selected users' mail directories. Select one of the following from the Access Control List menu:
All — Grants the user full access rights.
Read — Grants the user lookup, read, and seen access rights.
Post— Grants the user lookup, read, seen, and post access rights.
Append — Grants the user lookup, read, seen, post, write, and insert access rights.
To specify the users' IMAP password, enter the password in the Alternate Mail Password field and enter it again in the Verify Password field. A password is required.
Mail passwords must contain at least six characters, in a combination of upper- and lowercase letters and numbers. Special characters, such as the at sign (@), dollar sign ($), percent sign (%), number sign (#), period ( . ), hyphen ( - ), or underscore ( _ ), while not required, are recommended.
Click on Submit. A status message confirms the change in mail service.
Optionally, you can select additional user accounts and modify their mail delivery methods by choosing User Account Selection from the navigation bar.
When finished, use the navigation bar at the top of the form to return to the Manage Users menu or the Home menu.
You can set up selected users to use POP mail with an encrypted password (using MD5 encryption). This password is stored in the popauth file, and protects the users' mail from unauthorized access. To assign POP with an alternate password service to the users you selected, follow these steps:
From the Change User Account Mail Service form, choose APOP from the Mail Service menu.
Click on Submit. A new form is displayed, requesting one or more types of authentication.
If prompted for the Administrator Password, enter the password for the iass account. (For new installations of Internet Express, the iass account password is specified during installation.)
To specify the users' encrypted POP password, enter the password in the Alternate Mail Password field and enter it again in the Verify Password field. A password is required.
Mail passwords must contain at least six characters, in a combination of upper- and lowercase letters and numbers. Special characters, such as the at sign (@), dollar sign ($), percent sign (%), number sign (#), period ( . ), hyphen ( - ), or underscore ( _ ), while not required, are recommended.
Click on Submit. A status message confirms the change in mail service.
Optionally, you can select additional user accounts and modify their mail delivery methods by choosing User Account Selection from the navigation bar.
When finished, use the navigation bar at the top of the form to return to the Manage Users menu or the Home menu.
The installation procedure for Internet Express allows you to create the iass account. Using the Manage the iass Account menu, you can perform the following tasks:
Change the forwarding address for the iass account (Section : Changing the iass Account Forwarding Address).
Manage the ~iass/.users.list file (Section : Managing the .users.list File).
The installation procedure for Internet Express allows you to set a forwarding address for e-mail addressed to the iass account. This is useful if, for example, the administrator wants to have e-mail forwarded to root or some other e-mail account that is regularly monitored.
If you did not set a forwarding address during installation, you can set it by using the Modify iass Account menu. To do this, follow these steps:
From the Manage Users menu, choose Manage iass Account.
From the Manage iass Account menu, choose Change iass Account Mail Forward Address.
Enter the forwarding address in the Mail Forwarding Address field. If you had previously set a forwarding address, it will be displayed in this field.
Click on Change to modify the forwarding address.
To remove the forwarding address, click on Remove.
The file ~iass/.users.list contains the account names and passwords of users. From the Manage the .users.list file menu, you have the following options:
List User Accounts and Passwords (see Section : Listing User Accounts and Passwords)
Purge Passwords for User Accounts (see Section : Purging Passwords for User Accounts)
Remove the .users.list file (see Section : Removing the .users.list File)
Use the Manage iass Account menu to list user accounts and passwords stored in the ~iass/.users.list file.
To do this, follow these steps:
From the Manage Users menu, choose Manage iass Account.
From the Manage iass Account menu, choose Manage .users.list.
From the Manage .users.list menu, choose List User Accounts and Passwords.
The user accounts and passwords are displayed.
Use the Manage iass Account menu to purge passwords for user accounts stored in the ~iass/.users.list file.
To do this, follow these steps:
From the Manage Users menu, choose Manage iass Account.
From the Manage iass Account menu, choose Manage .users.list.
From the Manage .users.list menu, choose Purge Passwords for User Accounts.
A confirmation message is displayed.
Use the Manage iass Account menu to remove the ~iass/.users.list file.
To do this, follow these steps:
From the Manage Users menu, choose Manage iass Account
From the Manage iass Account menu, choose Manage .users.list.
From the Manage .users.list menu, choose Remove .users.list.
A confirmation message is displayed.
The User Self-Administration feature allows users to directly manage their own account information without requesting help from an administrator. This feature enables users to change their password and, if the Procmail subset (IAEPROC) is installed, users can enable vacation mail. Additional administrative options allow administrators to selectively enable or disable different functionality. For example, you can allow users to change their passwords but not enable vacation mail, or vice a versa. You can also use the Administration utility to create a template to add your own functionality.
| |
| |
| |
| Note: In order to administer the User Self-Administration feature, you must have a public Web server instance installed. Without a public Web server instance, the Manage User Self-Administration link will not appear on the Manage Users menu. |
| |
| |
| |
This section describes how to perform the following tasks:
Enable (or disable) the User Self-Administration feature (Section : Enabling and Disabling the User Self-Administration Feature)
Modify the Web server configuration (Section : Modifying the Web Server Configuration)
Enable (or disable) a delay in the processing of login requests (Section : Enabling and Disabling Login Delays)
Manage groups (Section : Managing User Self-Administration Groups)
Customize the User Self-Administration feature (Section : Customizing the User Self-Administration Feature)
To enable the User Self-Administration feature:
From the Manage Users menu, choose Manage User Self–Administration. The Manage User Self-Administration menu is displayed (Figure 3-11).
From the Manage User Self-Administration menu, choose Enable/Disable User Self-Administration.
The Administration utility displays the current status allowing you to enable or disable user self-administration, depending on which is appropriate. Figure 3-12 shows a page where the User Self-Administration feature is disabled.
Click on Enable to enable user self-administration. Once this feature has been enabled, the Enable button changes to Disable.
When you disable the User Self-Administration feature, users will not be able to access the User Self-Administration pages. In this case, a system administrator might need to reset the user account information. You can also customize the default status message (Section : Customizing the User Self-Administration Feature).
When you enable the User Self-Administration feature for the first time or enable it after removing a previous Web server configuration, the Administration utility prompts you to select a virtual host for the public Web server, which serves the self-administration pages. If there is no configured virtual host on the public Web server, you must create a virtual host before proceeding. It is highly recommended that you select (or create) a Secure Sockets Layer (SSL) virtual host to protect sensitive information such as user names and passwords. The following steps complete the process:
From the Configure Web Server for User Self-Administration form, select an SSL virtual host from the list box.
Enter an alias name or accept the default name. (The alias name is used to access the self-administration pages.) The alias name should begin and end with a slash (/). For example, if you set the virtual host to _default_:443 and the alias name to /SelfAdmin/, the administration pages will be accessed by https://hostname/SelfAdmin/login.php.
Click on the Submit button. Your public Web server is configured and the User Self-Administration feature is enabled. A status message is displayed.
When you enable the User Self-Administration feature subsequent times, the public Web server is running and the current configuration options are displayed. When you click on Enable from the Enable/Disable User Self-Administration page, a form is displayed listing the current configuration of virtual host and alias name. You can enable the User Self-Administration feature in one of the following ways:
Click on Accept to enable the User Self-Administration feature without changing configurations. A status message is displayed when completed. To modify the configuration, continue with the remaining steps.
Click on Modify to change the virtual host and alias name of the public Web server.
Select an SSL virtual host from the list box.
Accept the default alias name for the virtual host or optionally enter an alias name. (The alias name is used to access the pages.) Figure 3-13 shows the virtual host selection and default alias name.
Click on the Submit button. Your public Web server is configured and the User Self-Administration feature is enabled. A status message is displayed.
You can modify the Web server configuration for the User Self-Administration feature without disabling it; you can change or remove the Virtual Host and Alias Name configurations. When you choose to remove these configurations, the User Self-Administration feature then becomes disabled.
To modify the Web server configurations for the User Self-Administration feature:
From the Manage User Self-Administration menu, choose Modify Web Server Configuration.
Select a Virtual Host from the list of virtual hosts or click on Remove Configurations to remove all user self-administration configurations from the httpd.conf file (Figure 3-14: Modify Web Server Configuration Page).
When you select a virtual host, it must be configured on your system. See Section : Enabling User Self-Administration When No Web Server Configuration Exists for more information.
Edit the alias name, if desired. The alias name must begin and end with a slash (/).
Click on Submit. If you chose to remove configurations, you will be prompted to confirm that action. A status message is displayed.
By default, a security measure is in place which causes a delay in the processing of login requests after a number of successive failed login attempts. This feature can be disabled, though not recommended, because disabling will expose your system to security risks.
To enable or disable a delay in the processing of login requests:
From the Manage Users menu, choose Manage User Self–Administration.
The Manage User Self-Administration menu is displayed.
From the Manage User Self-Administration menu, choose Enable/Disable Login Delay. The Enable/Disable Login Delay page is displayed.
Click on Enable to enable login delays. Figure 3-15 shows that login delays have been enabled. Once this feature has been enabled, the Enable button changes to Disable.
The User Self-Administration feature is organized in different groups that can be enabled and disabled independently. User self-administration groups contain the following elements:
ID – A unique, short word used to identify a group.
Description – Information used as menu item text and as page headers.
Main Page – Information that identifies the file to which the user's main menu provides a link.
Enabled status – Message that specifies whether the group is accessible to users.
Internet Express provides two groups as built-ins, Vacation Mail and Change User Password. In addition to these groups, you can add your own group. The following sections describe how to add and modify existing groups.
You can add new groups to contain additional functionality for the User Self-Administration feature. Groups allow you to easily enable and disable parts of your configuration and create templates to wrap new functionality. Templates perform the following functions:
Verify that the group is enabled.
Verify that a user is logged in.
Make sure that the login has not expired.
Create a header if these conditions are met or display the customizable disabled message.
From the Manage Users menu, choose Manage User Self–Administration. The Manage User Self-Administration menu is displayed.
From the Manage User Self-Administration menu, choose Manage Groups. The Manage Groups form is displayed.
Enter a description in New Group Description field. Click on Add. The Add Group form is displayed (Figure 3-16), allowing you to specify group attributes.
On the Add Group form, enter a unique ID in ID field. The ID should be a short, one-word value.
Optionally, revise the description you entered in Step 3.
Enter the pathname and file name for the main page of this group. The path should be relative to the User Self-Administration home directory. For example, if the file is located at $selfadmin_home/data/foo.php, set the value to data/foo.php.
Click on the Create Template check box if you would like a template created for the main page. Use the template file as the basis for all files you create in this group. Existing templates are not overwritten.
Click on the Enabled checkbox to enable the group. When a group created with the User Self-Administration feature is disabled, users cannot access the pages and the link is not available from the main menu.
Click on Submit. A status message is displayed when the group is created. Figure 3-16 shows the Add Group form completed for a new group, System Mail.
To modify the properties for an existing group or delete an existing group:
From the Manage User Self-Administration menu, choose Manage Groups. The Manage Groups forms is displayed. Existing groups are listed in the Existing Group Descriptions field.
Select the group you want to delete or modify from this list.
To delete a group, click on the Delete button. This will remove the group definition and menu item from the user's main menu but will not remove any files. A status message is displayed.
To modify group attributes, click on the Modify button. For built-in groups, you can only modify the Enabled status and the description string. All group attributes, except ID, are available for custom groups.
Change the group description in the Description field.
Change the name for the main page. This name should be relative to User Self-Administration home directory. For example, if the file is located at $selfadmin_home/data/foo.php, then its name should be set to data/foo.php.
Select the Create Template check box if you want a template created for the main page. Use the template file as the basis for all files you create in this group. Existing templates will not be overwritten.
Select the Enabled check box to enable the group. When a group created with the User Self-Administration feature is disabled, users cannot access the pages and the link is not available from the menu.
Click on Submit. A status message is displayed when the group modifications are processed.