Introduction
Prior to diving into this guide, it is recommended that you read the RadiantOne Architect Guide for a high-level overview of the capabilities of the RadiantOne Platform. This guide introduces concepts in addition to step-by-step instructions to configure and administrate the RadiantOne.
For details on deploying RadiantOne including tuning and maintenance, please see the RadiantOne Deployment and Tuning Guide.
How this Manual is Organized
This guide is broken down into the following chapters:
Introduction
This chapter offers a quick introduction to this guide in addition to how the manual is organized and how to contact Radiant Logic technical support.
Concepts
This chapter introduces the main concepts that are essential to understand to configure and administrate RadiantOne.
Front End Settings
This chapter describes the Settings tab, where you can manage the majority of RadiantOne settings.
Backend Settings
This chapter introduces settings that are related to how RadiantOne accesses backend data sources.
Creating Virtual Views
This chapter describes how to create virtual views from LDAP, database or web service backends or local RadiantOne Universal Directory stores.
Security
This chapter describes access controls, security settings for RadiantOne, and how to configure them.
Directory Schema
This chapter describes the RadiantOne LDAP schema and the different ways to extend it.
Directory Browser
This chapter describes the functions offered in the Directory Browser tab.
Logs
This chapter describes the RadiantOne access log, changelog, and log settings.
Monitoring
This chapter introduces persistent cache monitoring, replication monitoring, and alerts.
Technical Support
Refer to the Technical support guide for more information.
Expert Mode
Some settings in the Main Control Panel are accessible only in Expert Mode. To switch to Expert Mode, click the Logged in as, (username) drop-down menu and select Expert Mode.
The Main Control Panel saves the last mode (Expert or Standard) it was in when you log out and returns to this mode automatically when you log back in. The mode is saved on a per-role basis.
RadiantOne Control Panels
The RadiantOne Control Panels are web-based interfaces to provide remote access to the most commonly used tools and wizards. The control panels are used by administrators to configure and maintain the service. In addition, the control panels offer monitoring, access to server statistics, reports, task management, and other administration options. It can be accessed from mobile or non-mobile devices including smartphones and tablets.
To access the control panels, JavaScript must be enabled in the Internet browser you are using.
For cluster deployments, each RadiantOne node includes a Control Panel and administrators can log into any of them.
Accessing the Control Panels
The Control Panels utilize a web server that is installed with RadiantOne. The endpoint to access the Control Panel is defined when you create an environment in the Environment Operations Center. For details on creating environments and locating the Control Panel endpoint, see the RadiantOne Environment Operations Center Guide.
The web browsers supported for using Control Panel are: Microsoft Edge Version 127.0.2651.98 (+), Google Chrome Version 128.0.6613.120 (+).
The background color of the login screen can be customized after you log into the Main Control Panel. Click and enter a value for the Color Theme.
Logging in with Username and Password
You can log in using directory administrator (default cn=directory manager) as the user with the password you set for the directory administrator during the install of RadiantOne. The Control Panel also supports delegated administration accounts if you prefer not to use the directory administrator account. When a user logs in, the control panel application passes the credentials to RadiantOne for authentication. A user can either use their full DN (if known), or their user ID. However, to login with just a user ID, you must configure a user ID to DN Mapping.
The Main Control Panel displays a message when authentication fails. The table below lists the possible error messages.
Message | Cause | Solution |
---|---|---|
“Authentication failed. Reason: Access is denied.” | Incorrect login ID or incorrect password. | Verify the login ID and password and try again. |
"Authentication failed. Reason [LDAP: error code 49 - Password has expired.]" | The user's password has expired. | If the client application supports password reset capabilities, the user can reset their password. |
“Authentication failed. Reason: [LDAP: error code 19 - The password failure limit has been reached and the account is locked. Please retry later or contact the system administrator to reset the password.]” | The account is locked. | Retry later or contact the system administrator to reset the password. |
Last Login Time
The time the user last logged into the Control Panel is displayed above the "Logged in as..." information shown in the top right.
OpenID Connect Token Authentication
The RadiantOne Main Control Panel also supports SSO with your corporate Identity Provider using OpenID Connect (OIDC) token-based authentication. This option provides the security of sending user login credentials to the authentication server (the Identity Provider), not the application (Control Panel, the Relying Party). OpenID Connect token authentication allows you to send your username and password just once, to the Identity Provider (IDP) and then pass the token in the request to the Main Control Panel. When OIDC is configured in RadiantOne, the Main Control Panel login screen displays:
The administrator must click the Login with OpenID Connect option to login with an OpenID Connect token.
The high-level flow is shown below.
Figure 4: OIDC Authorization Code Flow
Detailed steps:
-
The RadiantOne Admin navigates his browser to the RadiantOne Main Control Panel and clicks “Login with OpenID Connect”.
-
The browser redirects the user to the OIDC Provider’s authorization endpoint with the necessary parameters (ClientID, redirect URI, scope).
-
The RadiantOne Admin will authenticate to OIDC server (if not already authenticated) and the OIDC server prompts the user for authorization: Control Panel wants to access info (scopes) about you. Do you Authorize this?
-
Admin user gives consent.
-
OIDC server gives Control Panel an Authorization code.
-
The Control Panel sends the OIDC server the authorization code and requests an ID token.
-
OIDC Server sends the ID token to Control Panel.
-
Control Panel uses the information in the token along with the OIDC to FID User Mapping rules to locate the user in the FID namespace to enforce permissions based on what delegated admin role the user is a member of – which dictates what the admin is allowed to do within the Control Panel.
To enable support for OIDC authentication:
-
Have your client ID and secret associated with the Control Panel application configured in your OIDC server ready. The Redirect URL configured for the web application should point to the URL associated with the Main Control Panel. Example: https://cp.federated-identity.com/main/j_spring_openid_security_check
-
Log into the Main Control Panel.
-
Navigate to Settings > Security > OIDC Provider Configuration.
-
Select an OIDC Provider from the drop-down list. If you are using your own provider, select the Custom option.
-
Click Discover. The Authorization Endpoint URL and Token Endpoint URL should auto-populate. If you configure a custom provider, you can enter the needed Authorization Endpoint URL and Token Endpoint URL. In OpenID Connect the authorization endpoint handles authentication and authorization of a user. In the OpenID Connect Authorization Code Flow, the token endpoint is used by a client to obtain an ID token, access token, and refresh token.
-
Enter the Client ID associated with the Control Panel application configured in the OIDC provider.
-
Enter the Client Secret associated with the Control Panel configured in the OIDC provider.
-
Select the Client Authentication Method corresponding to how the Control Panel client has been configured in the OIDC Server. There are two options available: CLIENT_SECRET_POST and CLIENT_SECRET_BASIC.
-
Click the value for Requested Scopes to display a list of possible choices: openid, email, profile. Openid is required. You can add more if needed as long as they match the configuration of the client in the OIDC server.
-
Click Edit next to OIDC to FID User Mapping. This configuration determines the logic to link the user that logs into the Control Panel with an Open ID Connect token with an identity in the RadiantOne namespace. This process determines which identity is used to enforce authorization within the Main Control Panel. The user mappings must result in a single user. If no user is found or if more than one user is found, the login fails. The RadiantOne user that is linked to the authentication token must be a member of a RadiantOne Delegated Administrative group.
-
In the OIDC to FID User Mappings window, click
Add
. -
There are two options for identifying the RadiantOne admin user. If the RadiantOne user can be identified by using values/claims from the token to comprise the DN, use the Simple DN Expression Builder. If the RadiantOne user can be identified by performing a lookup in RadiantOne based on values from the token, use the Search Expression Builder.
-
Click
Save
.
Examples of configuring the Simple DN Expression and the Search Expression are shown below.
In the Simple DN Expression example shown below, the RadiantOne user is identified by using the given_name and family_name claims from the token to compute the DN.
Figure 5: DN Expression Builder
In the Search Expression example shown below, the values of the family_name, given_name, and email claims from the token are used to condition a sub-tree search in RadiantOne, starting at the dc=mydomain naming context to locate the identity.
Figure 6: Search Expression Builder
To disable support for OIDC authentication:
-
Log into the Main Control Panel.
-
Navigate to Settings > Security > OIDC Provider Configuration.
-
Click the Enabled toggle from on to off.
-
Click Save.
Auto-Logout
After 30 minutes of inactivity, a user is automatically logged out.
Adding a Custom Message on the Login Page
The Main Control Panel login page contains a basic username and password text box. To add a custom message on the login page, follow the steps below.
-
Log in to the Main Control Panel as a member of the Directory Administrators role.
-
Go to the Zookeeper tab (requires Expert mode).
-
Navigate to
radiantone/<version>/<clusterName>/config/vds_server.conf
. -
On the right, click Edit Mode.
Each property (corresponding to a line) must end in a comma (,) except for the last property in the configuration.
- Add (or edit) the motdHtml tag containing the message to display on the login page.
"motdHtml": "This is my custom message. Please login with your RadiantOne Administrator account.",
-
Click Save.
-
Log out of the Main Control Panel.
An example of the custom message on the login page is shown below.
If you would like the message to be prefixed with a “Warning” icon and be in bold font, go back to the Zookeeper tab and add or edit the "motdWarning" tag with a value of true. An example is shown below.
"motdWarning": true,
If you would like the custom message and “Warning” icon to display as a popup window, go back to the Zookeeper tab, and add or edit the “motdPopup” tag with a value of true. An example is shown below.
"motdPopup" : true,
Using the Main Control Panel
The Main Control Panel allows administrators to manage and monitor the RadiantOne service. If a cluster is deployed, all nodes can be monitored and managed from the Main Control Panel.
All settings configured in the Main Control Panel apply to all cluster nodes.
Node/server specific configuration is managed from the Server Control Panel. The Server Control Panel associated with each node can be launched from the Dashboard tab of the Main Control Panel.
The configuration and monitoring features described in this section are applicable to the Main Control Panel. Configuration and monitoring features associated with the Server Control Panel are described here.
Accessing the Server Control Panel
Once the Main Control Panel is started, you can also access the Server Control Panel by clicking in the top banner. The Server Control Panel opens in a new browser tab and you are automatically logged in based on the identity used in the Main Control Panel.
Using the Server Control Panel
The Server Control Panel allows RadiantOne administrators to configure and monitor a specific RadiantOne node.
The configuration and monitoring features described in this section are applicable to the Server Control Panel. Configuration and monitoring features associated with the Main Control Panel are described here.
Dashboard Tab
A series of graphs are displayed on the Dashboard tab and allow for monitoring a variety of aspects related to a given RadiantOne node. The graphs display CPU usage, JVM memory usage, disk space usage, disk latency and number of client connections.
To use this feature, enable the cluster monitor at Main Control Panel > Settings > Logs > Clustermonitor.
In the upper right, you can indicate the time range the graphs should display. To indicate a time period of longer than 12 hours, choose the Custom option.
It is generally not recommended to expand the graph range beyond a 12-hour period since it causes a large amount of HTTP and LDAP requests to RadiantOne that is proportional in quantity to the length of the time period requested. For example, a 12-hour period generates ~100 requests.
Usage & Activity Tab
From the Usage & Activity tab on the Server Control Panel, you can access information about the RadiantOne software version installed on the node, monitor the current connections and operations, view statistics for all Universal Directory (HDAP) stores and view network latency between nodes (only applicable to cluster deployments).
Server Information
Specific product details associated with the node are shown in the Server Information section.
Server Name – Indicates the machine name where RadiantOne is installed.
Resolved IP – The resolved IP address associated with the host name of the machine.
Port – Indicates the internal non-SSL (LDAP) port for the RadiantOne service.
SSL Port – Indicates the internal SSL (LDAPS) port for the RadiantOne service.
SSL Enabled – Indicates if SSL is enabled for the RadiantOne service. This is the LDAPS port.
Installation Path – Indicates the file system path where RadiantOne is installed.
Java Home – Indicates the location of Java in the environment being used by RadiantOne.
Java Version – Indicates the Java version used by RadiantOne.
Server Startup Time – Indicates the time the RadiantOne service was last started.
Cloud ID – The unique GUID associated with the RadiantOne node.
Created Time – Indicates the time RadiantOne was installed.
Node Type – Indicates the type of node. If RadiantOne is deployed in a cluster, the value could be core (leader), core (follower) or follower only.
RadiantOne Leader – Has a value of true if the RadiantOne node is the leader of the cluster. Otherwise the value is false, meaning it is a follower or follower only node in the cluster.
Product - SKU associated with the RadiantOne version.
Version – Indicates the version of the RadiantOne.
Build – Indicates a specific build ID associated with RadiantOne.
License Type – Indicates the type of RadiantOne license used along with the email address and company name the license key was issued to.
Connections & Operations
From the Connections & Ops section you can view the current usage summary in terms of connections and operations to RadiantOne.
In the Usage Summary section, you see connection usage since startup and average per minute. You all see operations since startup and average per minute.
In the Current Connections section, there is a summary of operation types per connection (including a total number of operations) and the bind user that established the connection. You will also see the Client IP address associated with the open connections. To export current connection data into a CSV-format report, click Export to CSV. The .csv file is downloaded the client machine according to the web browser’s configuration.
The Processing Activity Details section, shows how many operations are waiting to be processed, how many operations are currently being executed in addition to the maximum working threads available and peak worker threads used.
RadiantOne Universal Directory (HDAP) Status
Statistics for the stores can be viewed from the Universal Directory Status section. To filter the stores displayed, click on and then click Select Filters. Select the stores to display and click OK.
For each store, you see total number of entries, index size, search operations per second and write operations per second.
Data Source Status
In the Data Source Status you can see the status of all data sources defined in RadiantOne. A green dot in the Status column indicates that the data source is configured properly and running. A red dot in the Status column indicates that something is wrong with the data source configuration and RadiantOne cannot currently access it. There is a corresponding error message that states the main problem. If the error is due to incorrect connection information, update the data source on the Main Control Panel > Settings Tab > Server Backend section. Once the error has been corrected click on the refresh icon next to “Data Source Status” and the data source information refreshes to reflect your changes.
The status values are on, off, offline, and unavailable. The following table describes each status.
Status | Definition |
---|---|
On | RadiantOne can connect to the data source. |
Off | The connection test to the data source failed. |
Offline | The data source’s active property is set to false. |
Unavailable | No classname property is defined for the data source. |
Network Latency
The graphs in the Network Latency section display the network latency between nodes in a cluster in addition to the network latency on the local node. In the upper right, you can indicate the time range the graphs should display.
To use this feature, enable the cluster monitor at Main Control Panel > Settings > Logs > Clustermonitor.
Tasks Tab
From the Server Control Panel > Tasks tab, you can start and stop the scheduler and manage defined tasks. When you perform various actions in the tools or wizards, a notification appears alerting you that the task has been defined and added to the scheduler. These tasks can be viewed and updated in the task list section of the Tasks tab. You can define a task as re-occurring in addition to setting the execution interval. You can also configure the JVM parameters for tasks that run inside their own dedicated JVM.
The following operations are considered tasks and generate an event in the Task Scheduler when they occur:
- Initializing a persistent cache
- Initializing a RadiantOne Universal Directory (HDAP) store
- Re-indexing a cache
- Exporting entries to an LDIF file
- Importing entries from an LDIF file
- Login Analysis (initiated from the Global Identity Builder)
Task Scheduler Configuration
Task Scheduler parameters can be modified by clicking Config in the Task Scheduler section. The Scheduler Configuration menu appears and allows you to modify the default JVM parameters and the lifespan of terminated tasks in the scheduler.
By default, each task executes in its own dedicated JVM. If the option “Dedicated JVM” is not checked in the specific task configuration, then the task executes inside the JVM of the scheduler. Users can customize the default JVM parameters to allow more memory, or change the performance settings. Users can customize the default JVM parameters to allow more memory to the virtual machine, or change the performance settings. However, tuning the JVM of the task scheduler is less important than tuning the dedicated JVM for the individual task. For a full list of possible behavioral and performance options, please see the link below.
http://www.oracle.com/technetwork/java/javase/tech/vmoptions-jsp-140102.html
You can specify the number of days that completed tasks are kept on the task list for users to see. For example, if you set the parameter to “10 days” then after 10 days all of the tasks with a status of “Finished” are deleted from the system.
Task List
When operations are added as tasks, they appear in the Task List section, with information about the task displayed. Completed tasks by default are not displayed in the Task List unless the “Terminated” checkbox is checked. When there is a checked box by “Recurrent” this means that the task occurs more than once, on a regularly scheduled basis. The Last Termination date shows when the task was last executed.
To edit an existing task, click the pencil icon. The Task Configuration menu displays all task components. The name and status are shown, but cannot be changed. To make the task non-recurring (the task no longer repeats) uncheck the “Recurrent” box, the task runs one final time and then the status automatically changes to “Finished.” The execution interval (the frequency at which the task is executed) can be modified by changing the hours, minutes, and second boxes.
By default, all tasks run in their own dedicated JVM and the memory allocated for the task automatically expands up to ¼ of the total machine memory. For example, if the machine where RadiantOne is installed has 16 GB of RAM, the task memory expands up to 4 GB to process a task. If you prefer, you can define a max Java heap size in the JVM parameters instead of leveraging this default expansion. Other custom settings can be entered in the JVM Parameters as well. For a full list of possible behavioral and performance options, please see the link below.
http://www.oracle.com/technetwork/java/javase/tech/vmoptions-jsp-140102.html
If the “Dedicated JVM” option is unchecked, the task runs inside the JVM of the Task Scheduler.
Users must click “Update Task” before closing out of the task configuration screen to save the changes.
Log Viewer Tab
On the Server Control Panel > Logs Viewer Tab, you will find the logging console.
Only users that belong to the Directory Administrators group have access to the Log Viewer tab.
Select the log from the Log File drop-down list. You can also set a filter to limit your view of the log based on certain criteria (this only filters on the subset of log data visible in the log window), refresh the log view and/or choose to refresh continuously.
To download a log file, select it from the Log File drop-down list and click Download
. The log file is downloaded to your web browser's default download location.
To include a log's rollover files in the download, select the log from the Log File drop-down menu. Click the drop-down menu beside Download and select Download from All with Rollovers
. A compressed file is downloaded to your web browser's default download location.
For complete details on logs and troubleshooting, please see the RadiantOne Logging and Troubleshooting Guide.
Administration and Configuration
Delegated Administration of RadiantOne
Any user that can bind to RadiantOne can potentially administrator the server if they belong to the proper group. A user can belong to multiple groups and the value(s) of the vdPrivilege operational attribute assigned to the group entry dictates the operations that members are authorized to do. The following administration groups are defined for RadiantOne:
Directory Administrator Role
– members of this group can perform all operations (all operations that the other groups defined below can perform) in addition to:
-
Change privileges for the delegated roles
-
Update username and password properties for data sources via LDAP modify command
These functions are dictated by the following values of the vdPrivilege attribute in the group entry:
- acl-read
- acl-write
- admin-write
- config-lock
- config-read
- config-write
- data-source-read
- data-source-write
- data-store-read
- data-store-write
- globalidviewer-designer
- globalidviewer-read
- globalidviewer-write
- ics-admin
- logs-read
- naming-context-read
- naming-context-write
- security-write
- services-restart
- services-shutdown
- tasks-admin
- update-schema
The group entry is located in the RadiantOne namespace at: cn=directory administrators,ou=globalgroups,cn=config
Read Only Role
– Members of this group can perform the following operations:
- Read RadiantOne configuration
- Read settings for any configured instances
- Read naming context configurations
- Read configured data sources and view synchronization topologies on the Global Sync Tab
- Log into the Global Identity Viewer console and access the Global Identity Viewer application
These functions are dictated by the following values of the vdPrivilege attribute in the group entry:
- config-read
- instance-read
- naming-context-read
- data-source-read
- globalidviewer-read
The group entry is located in the RadiantOne namespace at: cn=readonly,ou=globalgroups,cn=config
Namespace Administrator Role
– Members of this group can perform the following operations:
- Read RadiantOne configuration
- Restart the RadiantOne service from Main Control Panel
- Create, update, or delete naming contexts
- Create, update, or delete backend mappings
- Create, update, and manage persistent cache
- Create, update, or delete data sources
- Create, update, or delete RadiantOne Universal Directory (HDAP) stores
- Update RadiantOne LDAP schema
- Launch tasks
- View synchronization topologies and manage synchronization components on the Global Sync Tab
These functions are dictated by the following values of the vdPrivilege attribute in the group entry:
- config-read
- config-write
- services-restart
- update-schema
- naming-context-read
- naming-context-write
- data-source-read
- data-source-write
- data-store-read
- data-store-write
- tasks-admin
- ics-admin
The group entry is located in the RadiantOne namespace at: cn=namespaceadmin,ou=globalgroups,cn=config
Operator Role
– Members of this group can perform the following operations:
- Read RadiantOne configuration
- Create, update, or delete RadiantOne Universal Directory (HDAP) Stores
- Restart the RadiantOne service from the Main Control Panel
- Stop the RadiantOne service from the Main Control Panel
- Launch tasks
- View synchronization topologies and manage synchronization components on the Global Sync Tab
These functions are dictated by the following values of the vdPrivilege attribute in the group entry:
- config-read
- config-write
- services-restart
- services-shutdown
- data-store-read
- data-store-write
- tasks-admin
- naming-context-read
The group entry is located in the RadiantOne namespace at: cn=operator,ou=globalgroups,cn=config
Schema Administrator Role
– Members of this group can perform the following operations:
- Read RadiantOne configuration
- Create, update or delete schema objects (objectclasses or attributes)
- Extend RadiantOne LDAP schema with objects and attributes from orx files
- Create, update or delete data sources
- View synchronization topologies and manage synchronization components on the Global Sync Tab
These functions are dictated by the following values of the vdPrivilege attribute in the group entry:
- config-read
- update-schema
- data-source-read
- data-source-write
The group entry is located in the RadiantOne namespace at: cn=schemaadmin,ou=globalgroups,cn=config
ACI Administrator Role
– Members of this group can perform the following operations:
- Read RadiantOne configuration
- Create, update and delete access controls
- View synchronization topologies and manage synchronization components on the Global Sync Tab
These functions are dictated by the following values of the vdPrivilege attribute in the group entry:
- config-read
- acl-read
- acl-write
- naming-context-read
The group entry is located in the RadiantOne namespace at: cn=aciadmin,ou=globalgroups,cn=config
ICS Administrator Role
– Members of this group can perform the following operations:
- Read RadiantOne configuration
- Stop and start pipelines on the Global Sync Tab
- Log into the Global Identity Viewer Console and access all applications
These functions are dictated by the following values of the vdPrivilege attribute in the group entry:
- config-read
- config-write
- naming-context-read
- data-source-read
- ics-admin
- ics-workflow-approve
- tasks-admin
- globalidviewer-read
- globalidviewer-write
- globalidviewer-designer
The group entry is located in the RadiantOne namespace at: cn=icsadmin,ou=globalgroups,cn=config
ICS Operator Role
– This role varies from the ICS Admin role in that this role cannot perform uploads from the Global Sync tab, nor can it modify connector properties. Members of this group can perform the following operations:
- Read RadiantOne configuration
- Log into the Global Identity Viewer Console and access all applications
These functions are dictated by the following values of the vdPrivilege attribute in the group entry:
- config-read
- ics-operator
The group entry is located in the RadiantOne namespace at: cn=icsoperator,ou=globalgroups,cn=config
Managing Default Delegated Administration Roles
As mentioned above, the groups used for delegated administration are Directory Administrator, Namespace Administrator, Operator, Read Only, Schema Administrator, ICS Administrator, ICS Operator and ACI Administrator. These roles can be assigned to static members or dynamic members. Both are described below. Any user that is assigned to one of the delegated administration roles can login to the Control Panels and manage certain server settings based on the privileges (vdPrivilege attribute) assigned to the role.
Remember that you might require a User ID to DN Mapping configuration depending on the ID that users log in with (their full DN versus just an ID). Also, delegated administrators do not have default permissions to manage virtual entries in the directory. If this is required, assign the proper access controls for the delegated admin groups.
Managing Explicit Members
It is generally advised to assign only local (in a RadiantOne Universal Directory store) user accounts to delegated admin roles. Although you can assign any user in the RadiantOne namespace to a delegated admin role, use caution with this approach because if the backend isn’t accessible, then the user login to the Control Panel will fail and the user will not be able to administer RadiantOne. Also, performance can be degraded because RadiantOne must delegate the bind (authentication) to the backend instead of processing it locally.
-
Log into the Main Control Panel as the super user and click on the Directory Browser tab.
-
Navigate below ou=globalgroups,cn=config node to locate all of the groups.
-
Select the group you want to manage and click (Manage Group). From here you can remove users from groups and search for new users (located anywhere in the virtual namespace) to add to groups.
Managing Dynamic Members
It is generally advised to assign only local (in a RadiantOne Universal Directory store) user accounts to delegated admin roles. Although you can assign any user in the RadiantOne namespace to a delegated admin role, use caution with this approach because if the backend isn’t accessible, then the user login to the Control Panel will fail and the user will not be able to administer RadiantOne. Also, performance can be degraded because RadiantOne must delegate the bind (authentication) to the backend instead of processing it locally.
-
Log into the Main Control Panel as the super user and click on the Directory Browser tab.
-
Navigate below ou=globalgroups,cn=config node to locate all of the groups.
-
Select the group you want to manage and on the right side, select the objectclass attribute.
-
Choose Modify Attribute > Add Value.
-
Enter a new value of groupOfURLS and click OK.
-
Select the group entry and click (Manage Group).
-
Click Edit Dynamic Members. From here you can manage the criteria for dynamic members.
-
Click Add Member(s).
-
Enter the base DN where users/potential group members are located, or click to navigate to this location.
-
Select the scope associated with the base DN to locate potential members.
-
Enter an LDAP filter that qualifies group members (e.g. l=Casper, meaning all users that have a location of Casper would be a member of the group).
-
Click Confirm.
-
Either add more members, or click Close to close the window.
-
After the configuration, the group entry has a memberURL attribute that contains the criteria for group members.
-
Now, configure RadiantOne to translate the dynamic group criteria into static members by setting Special Attributes Handling for Dynamic Groups. Navigate to the Main Control Panel > Settings tab.
-
Switch the Control Panel to Expert Mode.
-
After the browser reloads, navigate to the Settings tab > Interception > Special Attributes Handling.
-
In the Dynamic Group section click Add.
-
Click Choose and either navigate to the exact dynamic group entry or the parent node where all of your dynamic groups are located. For example, if you wanted all of the delegated admin groups to be dynamic, you can select the cn=config branch in the RadiantOne namespace like shown in the screen below.
-
Click OK.
- Set the member attribute to either member or uniqueMember (to match your membership attribute) and click Save in the upper right.
Any user that is dynamically assigned to a delegated admin group can log in to the Control Panel and administer the server based on the role they are associated with.
Managing Default Delegated Administration Users
As mentioned above, the groups used for delegated administration are Directory Administrator, Namespace Administrator, Operator, Schema Administrator, ACI Administrator, ICS Administrator, ICS Operator, and one role for Read Only access.
Delegated administrators do not have default permissions to manage virtual entries in the directory. If this is required, assign the proper access controls for the delegated admin groups.
Default administrative users are included as members of these groups. They are as follows.
Default administrative user | Group membership |
---|---|
uid=aciadmin,ou=globalusers,cn=config | Member of the ACI Administrator Group. |
uid=namespaceadmin,ou=globalusers,cn=config | Member of the Namespace Administrator Group. |
uid=operator,ou=globalusers,cn=config | Member of the Operator Group. |
uid=schemaadmin,ou=globalusers,cn=config | Member of the Schema Administrator Group. |
uid=superadmin,ou=globalusers,cn=config | Member of the Directory Administrator Group. |
uid=icsadmin,ou=globalusers,cn=config | Member of the ICS Administrator Group. |
uid=icsoperator,ou=globalusers,cn=config | Member of the ICS Operator Group. |
uid=readonly,ou=globalusers,cn=config | Member of the Read Only Group. |
You can use the default users for delegated administration of RadiantOne activities, or you can add your own users to the various admin roles as described in the Managing Delegation Administration Roles. To use the default users, you can log in with any of the following (depending on the RadiantOne configuration you want to manage). For details on what activities these users can perform, please see Delegated Administration of RadiantOne.
For details on how to update the default delegate admin user’s passwords, see the RadiantOne Hardening Guide.
user: aciadmin
password: <set to the same password you defined for the super user (cn=directory manager) during the installation>
user: namespaceadmin
password: <set to the same password you defined for the super user (cn=directory manager) during the installation>
user: operator
password: <set to the same password you defined for the super user (cn=directory manager) during the installation>
user: schemaadmin
password: <set to the same password you defined for the super user (cn=directory manager) during the installation>
user: superadmin
password: <set to the same password you defined for the super user (cn=directory manager) during the installation>
user: icsadmin
password: <set to the same password you defined for the super user (cn=directory manager) during the installation>
user: icsoperator
password: <set to the same password you defined for the super user (cn=directory manager) during the installation>
user: readonly
password: <set to the same password you defined for the
super user (cn=directory manager) during the installation>
The reason you can login with just the user ID as opposed to the full DN is because a default user ID to DN mapping has been configured for the cn=config branch in RadiantOne. This allows RadiantOne to identify the proper user DN based on the ID they log into the Main Control Panel with. This default mapping is shown below.
Leveraging Existing Groups for Delegated Administration
As an alternative to using the default delegated admin groups for enforcing authorization in the Control Panels, you can leverage your existing groups for these roles. Your groups and members must be in either a RadiantOne Universal Directory store, or persistent cache. If you choose to use your own existing groups and users, the default delegated admin users will not be able to log into the Control Panel.
If your users and groups are in a persistent cache, the bind (credentials-checking) step during the login to the Control Panel is delegated to the backend directory for validation. If the backend isn’t accessible, then the user login to the Control Panel will fail and the user will not be able to administer RadiantOne. Also, performance can be degraded because RadiantOne must delegate the bind to the backend instead of processing it locally.
To configure groups and users for delegated administration, follow the steps below.
-
The groups and users that you want to use for delegated administration must all be located under the same root naming context. Either import your groups and users into a RadiantOne Universal Directory store (e.g. import an LDIF file), or create a virtual view of groups and users and configure it as persistent cache. For assistance on creating RadiantOne Universal Directory stores, see the RadiantOne Namespace Configuration Guide. For assistance on configuring persistent cache, see the RadiantOne Deployment and Tuning Guide.
-
(Optional) If your groups and users are in persistent cache, go to the Main Control Panel > Directory Namespace > Cache node and select your cache branch. On the Properties tab on the right, enter vdPrivilege in the Extension Attributes list and click Save.
-
Navigate to the Main Control Panel > Directory Browser tab.
-
Navigate to the group location and select the group that you want to be associated with a delegated administrator role. Click Add Attribute and enter the name vdPrivilege and enter a value associated with the delegated admin role.
Image 20: Modify Attribute > Add Value
- Select the vdPrivilege attribute and click Modify Attribute > Add Value.
Image 21: Adding the vdPrilvilege Attribute
-
Add a required value for the role. The required values and corresponding roles are described in Delegated Administration Roles.
-
In the Add Value window, click to add another value. Repeat this step to add all required values as outlined in Delegated Administration Roles. Click Confirm after all values have been added. In the example below, a group named Management has been assigned the privileges required for the Directory Administrator role.
Delegated administrators do not have default permissions to manage virtual entries in the directory. If this is required, assign the proper access controls for the delegated admin groups.
-
Go to the Main Control Panel > Zookeeper tab (requires Expert Mode).
-
Navigate to
/radiantone/<version>/<clusterName>/config/vds_server.conf
. -
Click Edit Mode.
-
Locate the “roleBase” property and set the value to the root naming context where your users and groups are located (e.g. “roleBase” : “o=companydirectory”,).
-
Locate the “roleName” property and set the value to the RDN/attribute name containing the group name (e.g. “roleName” : “cn”,).
-
Locate the “roleSearch” property and if the group objectclass stores the members in the uniqueMember attribute, set the value to: "(uniqueMember:1.2.840.113556.1.4.1941:={0})",
If the group objectclass stores the members in the member attribute, set the value to "(member:1.2.840.113556.1.4.1941:={0})",
-
Click Save.
-
To test, logout of the Control Panel and login with a user that is a member of one of your existing groups. Make sure the user can perform the activities associated with their role as outlined in Delegated Administration Roles. Remember, you must either use the full user DN as the login name, or define the proper User to DN mapping rules to allow the user to login with just an “ID”.
Delegated Administration Roles
The roles and corresponding required permissions are described in the table below.
Role | Required Permissions (Value of vdPrivilege) |
---|---|
Directory Administrator | admin-write |
Read Only | config-read |
Namespace Administrator | config-readconfig-write |
Operator | config-read |
Schema Administrator | config-read |
ACI Administrator | config-read |
ICS Administrator | config-read |
ICS Operator | config-read |
Global ID Viewer Design | config-read |
Global ID Viewer Write | config-read |
Delegated Administration Permissions
The permissions and corresponding required vdPrivilege values are described in the table below.
vdPrivilege Value | Permission |
---|---|
acl-read | View access controls |
acl-write | Create, update and delete access controls |
admin-write | Modifying within Settings -> Server Front End -> Administration |
config-lock | Managing Main Control Panel -> Settings -> Configuration -> Configuration Lock |
config-read | Read RadiantOne configuration |
config-write | Write access to RadiantOne configuration |
data-source-read | Read configured data sources |
data-source-write | Create, update, and delete data sources |
data-store-read | View RadiantOne Universal Directory stores |
data-store-write | Create, update, or delete RadiantOne Universal Directory stores |
globalidviewer-designer | Edit and delete templates and queries in the Global Identity Viewer |
globalidviewer-read | Log into the RadiantOne Global Identity Viewer |
globalidviewer-write | Can modify attribute values in the Global Identity Viewer |
ics-admin | Stop and start pipelines on the Sync Tab |
ics-operator | Access the Synchronization tab and read topologies |
ics-workflow-approve | Access the Approvals Application in the RadiantOne Insights, Reports and Administration Console |
instance-read | Read settings for any configured instances |
instance-write | Modify settings for any configured instances |
logs-read | Reading Server Control Panel's Log Viewer tab |
naming-context-read | Read naming context configurations |
naming-context-write | Create, update, or delete naming contexts |
security-write | Modifying the following: |
services-restart | Restart the RadiantOne service from Main Control Panel |
services-shutdown | Stop the RadiantOne service from the Main Control Panel |
tasks-admin | Launch tasks |
update-schema | Extend RadiantOne LDAP schema with objects and attributes from orx files |
Configuration Lock
The RadiantOne super user account (e.g. cn=directory manager) and members of the cn=directory administrators group (cn=directory administrators,ou=globalgroups,cn=config) can enable a lock on all configuration changes. This ensures that no changes are being made while the configuration is being backed up and/or migrated. To lock the configuration, navigate to Main Control Panel > Settings > Configuration > Configuration Lock. Toggle the Configuration Changes property to the Locked position. Click Save.
When the configuration is locked, no one can make changes to the RadiantOne configuration (either from the UI or command line tools). In the UI, an icon appears at the top of the Control Panel, configuration options are read-only, and FID can be restarted but not stopped. Command-line operations that display information still function, but operations that modify the configuration do not. Only the RadiantOne super user, or a member of the cn=directory administrators group, can unlock the configuration. When they log into the Control Panel, there is a message along with a button, prompting them to unlock the configuration.
When other users log into the Control Panel, there is a message prompting the user to contact the Directory Manager to unlock the configuration.
File Manager
RadiantOne does not allow access to its files via operating system user interfaces. The File Manager option allows you to view, upload, and download files that reside under the RLI_HOME directory. It also allows you to build jar files. To access the File Manager, in the Main Control Panel, go to Settings > Configuration > File Manager. The default location displayed is RLI_HOME.
Files at the RLI_HOME level cannot be modified with File Manager.
To navigate within File Manager, click a folder in the main File Manager pane, or click a link the navigation bar at the top of the File Manager. To go up one folder, click the up-arrow button.
Some files types are hidden from view in File Manager. These file types include the following.
- .cer
- .keystore
- .truststore
Uploading Files
Uploads can be made anywhere within the <RLI_HOME>, except within <RLI_HOME> itself.
To upload a file, click Upload Files. In the File Upload window, navigate to the file to be uploaded, select the file, and click Open.
Actions Drop-down Menu
The Actions drop-down menu allows perform the following functions.
- Download files
- Delete files
- Open a selection
- Clear a selection
Downloading Files
To download a file in File Manager, navigate in File Manager to the file's location. From the Actions drop-down menu, select Download Files.
Deleting Files
The Delete Files option allows you to delete one file at a time. To delete a file in File Manager, navigate to the file's location. From the Actions drop-down menu, selct Delete Files. The file is downloaded to the location indicated by your web browser.
Open Selection
Some files, such as text, LDIF, XML, and jar files are viewable in File Manager. To view a file in File Manager, navigate to the file's location. From the Actions drop-down menu, select Open Selection.
Files such as .class files are not openable in File Manager.
Building Jar Files
The File Manager allows you to build jar files.
To build jar files:
-
In the Main Control Panel, click Settings > Configuration > File Manager.
-
In File Manager, browse to RLI_HOME/vds_server/custom or any folder within. In the menu bar beneath the navigation bar, the Build drop-down menu displays.
-
From the Build drop-down menu, select an option.