Hitachi

JP1 Version 12 JP1/Base User's Guide


8.2.1 Settings for the operation to use a linkage user

When operating with linkage users, configure the JP1 users after you have completed the settings for directory server linkage.

(1) Specifying the directory server to be linked

If you want to perform user authentication linking with the directory server, you must set up the common definition information from the authentication server. The directory server linkage function is inactive by default, and needs to be set up in the common definition before you can use it. If you use a secondary authentication server, set up the function on both the primary authentication server and secondary authentication server.

In JP1/Base version 10-10 or later, you can use the following extended functions by linking with the directory server:

If you want to use these extended functions, you must set up an information-search user, which is used to search for users linked to the directory server on the directory server. For details, see (b) Setting up the directory server linkage (when the expanded directory server linkage function is used).

(a) Setting up the directory server linkage (when the expanded directory server linkage function is not used)

The directory server administrator must register JP1 users in one container object when setting up the directory server. Note that a user linked to the directory server must have a CN (common name) attribute value that is the same as the corresponding JP1 user name.

  1. Edit the directory server linkage definition file (jp1bs_ds_setup.conf).

    For details on the directory server linkage definition file, see Directory server linkage definition file (Windows only) in 16. Definition Files.

  2. Execute the jbssetcnf command.

    The settings are reflected in the common definition information. For details about the jbssetcnf command, see jbssetcnf in 15. Commands.

  3. Execute the jbschkds command.

    This command allows you to check the settings for directory server linkage.

    For details on the jbschkds command, see jbschkds (Windows only) in 15. Commands.

(b) Setting up the directory server linkage (when the expanded directory server linkage function is used)

The directory server administrator must register JP1 users under the container object specified with the BASE_DN parameter in the directory server linkage definition file when setting up the directory server. Note that a user linked to the directory server must have the attribute value that is specified with the ATTR_NAME parameter in the directory server linkage definition file and that is the same as the corresponding JP1 user name.

  1. Edit the directory server linkage definition file (jp1bs_ds_setup.conf).

    Unlike when the expanded directory server linkage function is not used, the following settings are required:

    BASE_DN

    Specify the ID of the container object that the JP1 users belong to. Linkage to the JP1 users under the container object specified with this parameter will then be available.

    SEARCH_USER_DN

    Specify the ID of the information-search user used to access the directory server. The information-search user is a directory server user who has view permission for the search-origin container object and the underlying container objects.

    ATTR_NAME

    Specify the attribute name to be used as a JP1 user name from CN, sAMAccountName, and UserPrincipalName.

    For details about the directory server linkage definition file, see Directory server linkage definition file (Windows only) in 16. Definition Files.

  2. Execute the jbssetcnf command.

    The settings are applied to the common definition information. For details about the jbssetcnf command, see jbssetcnf in 15. Commands.

  3. Register the information-search user and the password in the authentication server host.

    Register the information-search user and the password used to log in to the directory server as password management information in JP1/Base on the authentication server host. The password for the information-search user must be from 1 to 64 bytes. Use the jbsmkpass command, jbspassmgr command, or jbsumappass command for registration. Note that the user to be registered (information-search user) must be specified in the format of aduser/information-search-user-name. For example, specify aduser/Groupcsearcher when you specified "CN=Groupcsearcher,OU=GroupC,DC=domain,DC=local" in SEARCH_USER_DN.

    For details about the individual commands, see jbsmkpass (Windows only), jbspassmgr (Windows only), or jbsumappass (Windows only) in 15. Commands.

  4. Execute the jbschkds command.

    Check the directory server linkage settings. For details about the jbschkds command, see jbschkds (Windows only) in 15. Commands.

    Important

    When the expanded directory server linkage function is used, if you change the password information managed by the OS, you must also change the password management information for the information-search user set in JP1/Base.

    To change the password management information in JP1/Base, change it on the User Mapping tab in the JP1/Base Environment Settings dialog box or by executing the jbsumappass or jbsrmumappass command.
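The following is an added example (not part of the guide or of JP1/Base) that pre-checks the expanded-function settings from the procedure above: it reads the "KEY"="value" lines of the DIRSRV section in the form this guide shows, confirms that BASE_DN, SEARCH_USER_DN and ATTR_NAME are present with an allowed ATTR_NAME, and derives the aduser/information-search-user-name that step 3 requires from the leading CN of SEARCH_USER_DN. The sample definition text is constructed from the guide's own example values; the parsing of the file is an assumption based on the snippet in (3), not JP1/Base's own parser.

```python
import re

# Attribute names the guide allows for ATTR_NAME.
ALLOWED_ATTR_NAMES = {"CN", "sAMAccountName", "UserPrincipalName"}

# Constructed sample in the "KEY"="value" layout this guide shows for the
# [JP1_DEFAULT\JP1BASE\DIRSRV] section; the values are the guide's example ones.
SAMPLE_CONF = r'''
[JP1_DEFAULT\JP1BASE\DIRSRV]
"SERVER"="host-A.domain.local"
"BASE_DN"="OU=osaka,DC=domain,DC=local"
"SEARCH_USER_DN"="CN=Osakaleader,OU=osaka,DC=domain,DC=local"
"ATTR_NAME"="sAMAccountName"
'''

def parse_dirsrv_section(text):
    """Return the "KEY"="value" pairs of the DIRSRV section as a dict (assumed layout)."""
    params, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.upper() == r"[JP1_DEFAULT\JP1BASE\DIRSRV]"
        elif in_section:
            m = re.fullmatch(r'"([^"]+)"="([^"]*)"', line)
            if m:
                params[m.group(1)] = m.group(2)
    return params

def search_user_login_name(search_user_dn):
    """Derive the aduser/<name> to register as password management information
    from the leading CN= RDN of SEARCH_USER_DN (e.g. CN=Groupcsearcher,... -> aduser/Groupcsearcher)."""
    attr, _, value = search_user_dn.split(",")[0].partition("=")
    if attr.strip().upper() != "CN" or not value.strip():
        raise ValueError("SEARCH_USER_DN must begin with a CN= RDN")
    return "aduser/" + value.strip()

def check_expanded_linkage(params):
    """List problems with the expanded-function settings; an empty list means OK."""
    problems = []
    # SERVER appears in the guide's settings sample; the other three are the
    # parameters the guide names as required for the expanded function.
    for key in ("SERVER", "BASE_DN", "SEARCH_USER_DN", "ATTR_NAME"):
        if not params.get(key):
            problems.append(f"{key} is missing or empty")
    attr = params.get("ATTR_NAME")
    if attr and attr not in ALLOWED_ATTR_NAMES:
        problems.append(f"ATTR_NAME {attr!r} must be CN, sAMAccountName or UserPrincipalName")
    if params.get("SEARCH_USER_DN"):
        try:
            search_user_login_name(params["SEARCH_USER_DN"])
        except ValueError as err:
            problems.append(str(err))
    return problems
```

Run `check_expanded_linkage(parse_dirsrv_section(SAMPLE_CONF))` on both the primary and secondary authentication server copies before executing jbssetcnf; an empty list means the three required parameters are in place.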

(c) Changing the directory server to be linked

You can temporarily change the directory server to be linked if the specified directory server cannot be used for reasons such as system failure. To change the server temporarily, create a configuration file containing the required definition information, and then execute the jbschgds command. To cancel the change, execute the jbschgds command again.

For details on the jbschgds command, see jbschgds (Windows only) in 15. Commands.

(2) Setting JP1 users (linked users)

This subsection describes how to set JP1 users (linked users) when linked users are to be used. You can use either the GUI or commands to register and delete the JP1 users who use JP1/IM or JP1/AJS. The JP1 users you register here are used for login from JP1/IM - View or JP1/AJS - View. Unless otherwise specified, JP1 user means JP1 user (linked user) in this subsection.

Set a JP1 user on both the primary authentication server and the secondary authentication server. For JP1/Base version 8 or earlier, you cannot set a linked user. Use JP1/Base 9 or later to set JP1 users.

The JP1/Base service must be running before you set JP1 users. If the JP1/Base service is inactive, start the service before attempting to set JP1 users.

The following describes how to set JP1 users from the GUI and by using commands.

(a) Using the GUI to set JP1 users

You can set JP1 users in the JP1 user area in the Authentication Server page of the JP1/Base Environment Settings dialog box.

To set information in the JP1 user area, you must activate it first. To do this, select (highlight) an authentication server in the Authentication Server field in the Order of authentication server area. Note, however, that the JP1 user area remains dimmed if:

  • You change an authentication server in the Order of authentication server area and the Apply button is active

  • The selected (highlighted) authentication server is blocked

If the Apply button is active, click the button. If the selected authentication server is blocked, clear that status as described in 8.4 Setup for handling the blocked status (using a secondary authentication server).

Click the Add button to display the JP1 User dialog box.

Figure 8‒12: JP1 User dialog box

[Figure]

In this dialog box, specify a JP1 user. Enter the JP1 user name to be registered, and select the Link to the directory server check box. You do not need to enter a password. Make sure that the JP1 user name to be registered is different from the standard user name. You must use lower-case alphanumeric characters to specify a JP1 user name. If you use upper-case characters, they are automatically converted into lower-case characters.

The following table lists the limit on the number of characters that can be specified for the JP1 user name.

Table 8‒5: Character limit for JP1 user names

  Item            Number of bytes    Prohibited characters
  JP1 user name   1 to 31 bytes      * / \ " ' ^ [ ] { } ( ) : ; | = , + ? < > spaces and tabs

When you click the OK or Cancel button, the Authentication Server page comes to the front.

The registered JP1 user name appears in the User field. For a linked user, DS is displayed in the Linkage field.

To delete a JP1 user name listed in the User field, select the user name and click the Delete button. The selected JP1 user is deleted.

(b) Using commands to set JP1 users

You can use commands to register and delete JP1 users. JP1/Base also supports a command that lists the registered JP1 users. For details on the commands, see 15. Commands.

Registering a JP1 user:

To register a JP1 user on the authentication server, execute the following command:

jbsadduser -ds JP1-user-name

For JP1-user-name, use lower-case characters. Table 8‒5 lists the specifiable characters for the JP1 user name.

Changing the password of a JP1 user:

You cannot change the password of a linked user in JP1/Base. Change the password from the directory server.

Deleting a JP1 user:

To delete a registered JP1 user, execute the following command:

jbsrmuser JP1-user-name

Listing registered JP1 users:

To list the registered JP1 users (standard users and linked users), execute the following command:

jbslistuser 

To list only the registered linked users, execute the following command:

jbslistuser -ds 

(c) Password for a linked user

Passwords for linked users are managed on the directory server, but the specifiable characters are the same as those for standard users. Passwords are case-sensitive. The specifiable characters for a password are shown below:

  • Byte string (6 to 32 bytes)

  • Prohibited characters: \ " : and spaces and tabs

If the number of bytes of a password registered on the directory server is not within the predefined range, or a prohibited character is used in the password, user authentication will fail.
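The following is an added example (not part of the guide) that applies the rules from Table 8‒5 and from (c) above before a user is registered with jbsadduser -ds or before a password is set on the directory server, so that a name the GUI would fold to lower case or a password that would make authentication fail is caught early. Byte lengths are counted in UTF-8 here, which is an assumption; the guide does not state the encoding.

```python
# Characters that Table 8-5 prohibits in a JP1 user name, plus space and tab.
NAME_PROHIBITED = set('*/\\"\'^[]{}():;|=,+?<> \t')
# Characters that (c) prohibits in a linked user's password, plus space and tab.
PASSWORD_PROHIBITED = set('\\": \t')

def _byte_length(value):
    # Assumption: the guide's byte counts are taken here as UTF-8 bytes.
    return len(value.encode("utf-8"))

def _prohibited_in(value, prohibited):
    bad = sorted(c for c in set(value) if c in prohibited)
    return "prohibited characters: " + " ".join(repr(c) for c in bad) if bad else None

def check_jp1_user_name(name):
    """Return the Table 8-5 violations of a JP1 user name; an empty list means OK.
    Upper-case letters are reported because the GUI converts them to lower case
    and jbsadduser expects lower-case names, so the registered name would differ."""
    problems = []
    size = _byte_length(name)
    if not 1 <= size <= 31:
        problems.append(f"length is {size} bytes, must be 1 to 31")
    bad = _prohibited_in(name, NAME_PROHIBITED)
    if bad:
        problems.append(bad)
    if name != name.lower():
        problems.append("contains upper-case characters; use lower case")
    return problems

def check_linked_user_password(password):
    """Return the (c) violations of a linked user's password; an empty list means OK.
    A password that violates these rules causes user authentication to fail."""
    problems = []
    size = _byte_length(password)
    if not 6 <= size <= 32:
        problems.append(f"length is {size} bytes, must be 6 to 32")
    bad = _prohibited_in(password, PASSWORD_PROHIBITED)
    if bad:
        problems.append(bad)
    return problems
```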

(3) Changing the operation to one using the expanded directory server linkage function

This subsection describes the procedure for changing the operation from one not using the expanded directory server linkage function to one using that function.

This procedure is based on the directory server structure as shown in the figure below, assuming that both the primary and secondary authentication servers are used.

[Figure]

Directory server linkage settings before change:

The following is a part of the directory server linkage settings before the change:

[JP1_DEFAULT\JP1BASE\DIRSRV]
"SERVER"="host-A.domain.local"
"BASE_DN"="OU=eigyo,OU=osaka,DC=domain,DC=local"
"ATTR_NAME"="CN"

Change:

  • Only the sales department of the Osaka branch was linked to the directory server before the change. Specify the settings so that the materials department of the Osaka branch will also be linked to the directory server.

  • Change the attribute name used for a JP1 user name from CN to sAMAccountName.

To change the operation to one using the expanded directory server linkage function:

  1. Change the settings for directory server linkage.

    Add or change the following parameters in the directory server linkage definition file (jp1bs_ds_setup.conf).

    Table 8‒6: Definitions in the directory server linkage definition file

      Parameter        Before the change                         After the change
      SEARCH_USER_DN   No settings                               "CN=Osakaleader,OU=osaka,DC=domain,DC=local"
      BASE_DN          "OU=eigyo,OU=osaka,DC=domain,DC=local"    "OU=osaka,DC=domain,DC=local"
      ATTR_NAME        "CN"                                      "sAMAccountName"

    Here, as the information-search user, set the name of the directory server user (Osakaleader) who has view permission for the search-origin container object.

    Change the settings for directory server linkage on both the primary and secondary authentication hosts.

  2. Execute the jbssetcnf command.

    The settings are applied to the common definition information. For details about the jbssetcnf command, see jbssetcnf in 15. Commands.

  3. Register the information-search user and the password in the authentication server host.

    Register the information-search user and the password used to log in to the directory server as the password management information in JP1/Base on the authentication server host. Use the jbsmkpass command, jbspassmgr command, or jbsumappass command for registration.

    Specify the information-search user to be registered in the format of aduser/information-search-user-name. In this procedure, user name aduser/Osakaleader and the password are registered as an example.

    For details about individual commands, see jbsmkpass (Windows only), jbspassmgr (Windows only), or jbsumappass (Windows only) in 15. Commands.

  4. Add JP1 users.

    After the settings are changed, the materials department of the Osaka branch will also be linked to the directory server. Therefore, register new JP1 users who will be linked to the directory server. For details, see 8.2.1(2) Setting JP1 users (linked users).

    Now, register JP1 user names with the same names as sAMAccountName of the users linked to the directory server. If CN and sAMAccountName are different for the users who were linked to the directory server in the sales department, JP1 users for those users must also be registered. After this registration, delete the JP1 users who were linked to the directory server before, because they are no longer required.

  5. Copy the settings on the primary authentication server to the secondary authentication server.

    Copy the settings on the primary authentication server to the secondary authentication server. For details, see 8.1.4 Copying settings from the primary authentication server.

  6. Confirm the login.

    On both the primary and secondary authentication server hosts, execute the jbschkds command to check the settings for directory server linkage and whether user authentication is available for the users linked to the directory server. Also check whether the users can log in to the primary and secondary authentication servers.

    For details about the jbschkds command, see jbschkds (Windows only) in 15. Commands.