Which users can invoke the RAS, and which operations they are allowed to perform, is defined in two files: users.ldif and roles.ldif. To edit user permissions, you may either use the "Admin" GUI included with the RAS Monitor application, which can run from your system tray, or edit the users.ldif and roles.ldif configuration files directly by hand.
The users and passwords for RAS access, together with the roles configured for each, can be found in the following file: admrem/users.ldif. This file can be edited with any text editor to add or modify the users that have access to the tool.
The attributes uid and epasswd (an encrypted value) are the credentials a DSGUI instance must pass (via Basic HTTP Authentication) to the RAS to identify itself as a user allowed to send commands. After changing them in your RAS configuration, you must also change them in your DSGUI Preferences (see Admin Server Preferences).
These values also authenticate users who access the WRAS tool with a web browser. Typically, the browser will automatically pop up an Authentication dialog window when a page is accessed, and will expect matching username/uid and password/epasswd values to be provided.
This is the fragment that corresponds to the user "demanager", who has the "administrator" role:
dn: uid=demanager,ou=users,cn=conf,o=dsproxyremote
objectclass: RASuser
uid: demanager
epasswd: 56BVBjTBf33TU3I7MI98dA==
role: administrator
The file which describes the different roles that can be assigned to each user is: admrem/roles.ldif. This file can be edited with any text editor to configure existing roles or to add new ones.
Each role is described as a set of permissible operations. allowopgui values refer to commands sent by the DSGUI interface, while allowopwras values relate to WRAS operations. For a complete list of the operations, with descriptions, see the sections DSGUI, Operation IDs and WRAS, Operation IDs.
This is the fragment that corresponds to the "administrator" role, which has all operations enabled by default:
dn: role=administrator,ou=roles,cn=conf,o=dsproxyremote
objectclass: RASrole
role: administrator
allowopgui: ListRoots
allowopgui: CreateDir
allowopgui: GetFile
allowopgui: PutFile
allowopgui: ListDirectory
allowopgui: GetFileInfo
allowopgui: PutConf
allowopgui: RmConf
allowopgui: GetConf
allowopgui: GetStatus
allowopgui: Start
allowopgui: Stop
allowopgui: GDump
allowopgui: FetchLog
allowopwras: access
allowopwras: start
allowopwras: stop
allowopwras: restart
allowopwras: remove
allowopwras: rfile
allowopwras: wfile
allowopwras: rlog
As seen in the section titled Main Configuration, RAS can be flexibly configured to output audit information of the operations it performs. The directory where the auditing files are stored is admrem/log. This is a sample:
20081024192441|deguest|127.0.0.1|GUI|ListRoots|200|OK
20081024192457|deoperator|127.0.0.1|GUI|ListRoots|200|OK
20081024195707|demanager|127.0.0.1|WRAS|access,CacheSearchesDesign|200|OK
20081024195710|demanager|127.0.0.1|WRAS|rlog,live,/opt/dell/vds/R6.1.0/confs\
/CacheSearchesDesign/logs/STDOUT|200|OK
The audit information is formatted in columns separated by the "|" character, each having the following meaning:
1- Date and time of the operation, in "YYYYMMDDHHMMSS" format
2- Uid of the user performing the operation
3- IP of the machine from which the access is performed
4- Identifier of the tool that performs the operation (GUI if DSGUI interface, or WRAS)
5- Operation identifier and parameters
6- HTTP result
7- Operation result (OK or Error message)
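The seven columns above are enough to build a simple audit review. The following is an added example, not code from the product or its vendor: it parses each record and reports denied or failed operations per user and source IP, plus state-changing operations that succeeded. Assumptions: each record is on one line, parameters follow the operation identifier separated by commas as in the WRAS sample lines, and the set of operations treated as sensitive, the 403 status and the error text in the constructed lines are illustrative choices.

```python
from collections import Counter
from datetime import datetime
from typing import NamedTuple

# Operation names come from the administrator role fragment; which of them
# to treat as state-changing is this example's assumption.
SENSITIVE = {"PutFile", "PutConf", "RmConf", "Start", "Stop", "CreateDir",
             "start", "stop", "restart", "remove", "wfile"}

class AuditRecord(NamedTuple):
    when: datetime
    uid: str
    ip: str
    tool: str      # "GUI" or "WRAS"
    op: str        # operation identifier
    params: list   # parameters following the identifier
    http: int
    result: str    # "OK" or an error message

def parse_line(line: str) -> AuditRecord:
    # maxsplit=6 keeps any "|" inside the trailing error message intact.
    fields = line.rstrip("\n").split("|", 6)
    if len(fields) != 7:
        raise ValueError(f"expected 7 columns, got {len(fields)}")
    ts, uid, ip, tool, op_field, http, result = fields
    op, *params = op_field.split(",")
    when = datetime.strptime(ts, "%Y%m%d%H%M%S")
    return AuditRecord(when, uid, ip, tool, op, params, int(http), result)

def review(lines):
    """Return (failure count per (uid, ip), sensitive operations that succeeded)."""
    failures, sensitive = Counter(), []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec.http != 200 or rec.result != "OK":
            failures[(rec.uid, rec.ip)] += 1
        elif rec.op in SENSITIVE:
            sensitive.append(rec)
    return failures, sensitive

# The first two lines are from the sample above; the last three are constructed.
SAMPLE = """\
20081024192441|deguest|127.0.0.1|GUI|ListRoots|200|OK
20081024195707|demanager|127.0.0.1|WRAS|access,CacheSearchesDesign|200|OK
20081024200101|deguest|192.0.2.10|GUI|PutConf|403|Operation not allowed
20081024200105|deguest|192.0.2.10|GUI|Stop|403|Operation not allowed
20081024200230|demanager|127.0.0.1|WRAS|stop,CacheSearchesDesign|200|OK
""".splitlines()
```

Calling review(SAMPLE) reports two denied requests for deguest from 192.0.2.10 and one successful stop by demanager.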
© 2024 One Identity LLC. ALL RIGHTS RESERVED.