Administration Guide 1.0.3

About this Guide

What this Guide Contains

The Athena Administration Guide provides information about:

  • Configuration for Athena

  • Exposing users and groups

  • Troubleshooting Athena

This guide is intended for administrators who are already familiar with eDirectory and Active Directory directories and using LDAP queries to access directory data.

Related Documentation

Getting Started

Complete the installation and configuration instructions specified in Installation Guide 1.0.3.

  • To access Athena Setup:

Initial Configuration

Connection Settings

  1. Select Directory Vendor:

    1. AD for Microsoft Active Directory

    2. eDir for Novell eDirectory

    3. Other defaults to eDir-specific behavior

  2. Specify the Scheme for the LDAP connection

    1. LDAP - Unsecured LDAP access.  The default port for this is 389.

    2. LDAPS - Secured LDAP access.  The default port for this is 636.

      1. If you select LDAPS, Athena will display the certificate information it has stored.  You may either click Get Server Certificate to retrieve the certificate from the server specified by Host and Port, or click Choose to upload a certificate.  Get Server Certificate trusts whatever certificate the host at that address presents at that moment, so confirm its fingerprint with your LDAP administrator before relying on it.

  3. Host
    This is the Host IP Address or Server Name of the target LDAP server.

  4. Port
    This is the port Athena will use to access the LDAP server.  Consult your LDAP administrator to determine which port the LDAP server uses.

  5. Once you have set the fields, click Validate Connection

  6. Set the Service Account Settings

    1. Enter the username for the Principal account you want to use

      1. If you have set your directory type to eDir, this is a DN.

      2. If you have selected AD, it can be either a DN or a User Principal Name.

    2. Enter the credentials (password) for the Principal user

    3. Click Save

  7. Review Main Attributes.  You may change the default mappings for any of the default Main attributes.

  8. To edit an attribute, see Managing Required Attributes.

  9. Click Next.

  10. Specify the search contexts for Users.

  11. Click on the arrow next to the folder icon to expand the directory tree view.

  12. Browse the tree and Ctrl-click on each folder to be included in the search contexts.

  13. Click Next

  14. Select a search scope for the context.

  15. Click Next

  16. If you have defined multiple search contexts, you may change the order in which they are searched.

  17. Add Group Search contexts, set the scope and search order.

  18. Click Next

  19. Click OK

Athena General Configuration

This option is used to configure security roles and attributes which apply across the Athena Framework and modules.

To access Athena Configuration:

  1. From your web browser type: http://<Athena server IP or DNS>/main/configuration

  2. Login name: admin
    Default password: admin
    Change the default admin password after you first log in, since these credentials are documented here.

Licensing Athena

  1. Click Check Licensing Status

    1. If you have not uploaded a license, or if your license is not valid, Athena will display the following screen.

    2. If the license is valid, Athena will display a screen similar to the one below.

    3. Click OK to return to Athena Configuration

Security Roles

About Roles

Athena Security Roles are required for creating roles, assigning users to a role and user access.  All users accessing Athena must belong to a role. No security roles exist after the initial deployment of Athena and the roles must be created and populated using the admin user created during the deployment phase.  Additional roles will be needed to add users and control directory access.

The Security Roles section of the screen serves two functional purposes.  First, you may define security roles by clicking the Add Roles button.  A role consists of a Name, a Description, and a set of users to which the role applies.   You may specify a set of directory contexts, groups and even specific users to which a role applies.  The set of users will be populated by the union of all users found within the directory contexts, groups and specific user objects selected.  Once roles have been defined, you can associate them with each of the modules configured for Athena and apply permissions based on the roles.  This is the second function of the Security Roles section of the screen.

Managing Default Roles

Athena is pre-configured with two default Security Roles.  

  • Admin Role

  • Basic User Role

These Security Roles have default permissions for each of the modules associated with them.  Once a set of users, groups and directory containers have been assigned to these Security Roles, Athena is ready for use.  See Managing Roles to learn how to assign users, groups or directory containers to each of these roles.  

Creating Roles

To create a new role:

  1. Using a web browser use the url: http://<Athena server IP or DNS>/main/configuration

  2. Login using the admin account created in the deployment section

  3. Now you can add roles.

    1. Click Add Role

    2. Enter the Role Name

    3. Enter the Role Description

    4. Assign users to the Role.  Users can be assigned using any combination of the following:

      1. Using the Pick the contexts tree control, browse to and select any number of directory contexts.  Control-click each context you wish to select.

      2. Search for groups to include

      3. Search for users to include

        1. As you enter a user or group to search for, Athena will search the search contexts defined in Module Configurations | Main | Search Contexts section of this document.  When a match is found Athena will display the information for the user.

        2. Click on the displayed object information to add it to the list of users or groups to which the new role will apply.

        3. When you have finished configuring contexts, groups and users for the role, click Save 

Managing Roles

To modify the set of users to which a role applies:

  1. Using a web browser use the url: http://<Athena server IP or DNS>/main/configuration

  2. Login using a user that has Athena Admin rights

  3. In the Security Roles section

    1. Select a Role

    2. Click the Edit pencil in the Edit column

    3. Edit this list of directory contexts by adding or removing contexts as desired.

    4. Edit the list of groups as desired.  

      1. Delete groups by clicking the X next to the group DN.  

      2. Add groups by typing the name of a desired group found in the defined search contexts.

    5. Edit the list of users as desired

      1. Delete users by clicking the X next to the user's DN

      2. Add users by typing the name of the desired user found in the defined search contexts.

Configuring Modules for the Athena Framework

About Module Configuration

The Athena framework provides a scheme to enable modules to manage the sets of Permissions, Attributes, Search Contexts and Filters they use.  Modules can inherit from the sets defined for the Main module, or can require specific sets to be configured.

Managing Permissions

Permissions are assigned to a defined role and will be enforced for all members of that role.  This allows for each role to have different Search permissions for ease of administration.  Permissions control access to specific modules, groups, users and their attributes within Athena.  

Each module requires some base permissions

  • Administrative roles require Access and Configure

  • User roles at minimum require Access

The Access permission is named slightly differently from module to module.   For instance, for the My Profile module, the Access permission is named Access user profile module.   

To manage permissions for a module

  1. Select the tab for the desired module.

  2. Click on the arrow to the left of the Permissions section to expand the module's permissions.

  3. Click the Edit pencil icon on the right of the security role for which you wish to edit the permissions list.

  4. Select the permissions to enable for the selected Security Role.  In some instances, the list of permissions can be very long.  You can narrow the set of permissions displayed by typing search terms next to the magnifying glass icon.  As you type the list of permissions will be narrowed.

  5. When you are finished specifying permissions for the selected security role:

    1. Click the checkmark icon to save your changes
      or

    2. Click the X to cancel your changes.

Managing Attributes

Modules can view and interact with a set of attributes for users and groups.  The set of attributes can be managed using the Attributes section.  The Required Attributes section lists attributes which a module requires.  Note that the attribute names shown in Required Attributes are namespace specific to the target directory.  It is possible to edit the attribute's Name or OID value to map it to a different attribute in the target directory if necessary.

Additional attributes can be added for each module.  

Viewing Attributes

  1. With the desired module tab selected, expand the Attributes section

Managing Required Attributes

  1. To edit the Name or OID value for an attribute in Required Attributes, click on the Edit pencil icon to the right of the desired attribute.

  2. Edit the Name or OID field.

  3. Click the checkmark to save your changes
    or

  4. Click the X to cancel your change.

Adding Optional Attributes

  1. To add an optional attribute, click on Add Attribute.  A new empty row appears in the Optional Attributes section.

Editing Optional Attributes

  1. Click on the Edit pencil icon to the right side of the attribute to edit.

  2. The attribute being edited will be shown in a grey background.

  3. Edit the fields

    1. Label

    2. Description

    3. Name or OID

    4. Type

  4. Click the checkmark to save your changes
    or

  5. Click the X to cancel your changes.

Deleting Optional Attributes

  1. Click on the Remove trash can icon to the right side of the attribute to delete.

Managing Search Contexts

Search contexts are defined in the Main module for user and group objects and will be used by the other modules.  Setting the search context defines where in the directory object searches will begin.

  1. Expand the Search Contexts section

  2. Click the Edit pencil button to edit the Group Search Base

  3. Select the directory context you wish to use for Groups and click Next  

  4. Select a scope for the context.  Click Next

  5. You can specify multiple search contexts.  If necessary, reorder the contexts.  Click Save

  6. Repeat steps 1 through 5 as many times as necessary to set the desired group search contexts.

  7. Click on the Edit pencil for Users and then repeat steps 2 through 5 as many times as necessary to set the desired user search contexts.

Managing Filters

Athena uses LDAP to access the target directory.  Filters are used to make LDAP queries more specific, thus limiting the amount of data returned for a query based on a Search request.  The use of filters improves performance and scalability.  Filters are defined in LDAP syntax.  To learn more about LDAP filters see http://tools.ietf.org/html/rfc4515.

To manage filters

  1. Click the arrow to the left of Filters to expand the list of defined filters

  2. Click the text in the cell in the Value column that you wish to edit. 

  3. An in-place editor will open, allowing you to edit the filter text.

    1. Add the LDAP filter.

    2. For example, for the User class:

       (&(objectClass=organizationalPerson)(|(userPrincipalName={0}*)(displayName={0}*)(mail={0}*)))

    3. For the Group class:

       (&(objectClass=group)(|(name={0}*)(cn={0}*)))

  4. Click the check mark to save the filter, or the X on the far right to cancel the changes.
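Each of the filters above carries a {0} placeholder that is filled with the text a user types into a search box, so the term must be escaped according to RFC 4515 before substitution; otherwise characters such as ), ( and * change the structure of the query rather than the value being matched. The following Python is an added example and not Athena's own code. It assumes that Athena substitutes {0} verbatim (the guide does not state how the placeholder is filled), and the search terms it uses are constructed for illustration.

```python
"""Render an Athena-style LDAP filter template safely.

Added example, not code from the Athena product or this guide. It assumes
(the guide does not say so explicitly) that Athena replaces the {0}
placeholder with the text typed into the search box before sending the
query. RFC 4515 section 3 requires '*', '(', ')', '\\' and NUL inside an
assertion value to be written as a backslash followed by two hex digits;
a search term dropped into the template without that escaping can change
the filter's structure instead of just its value.
"""

# Filter templates quoted in the guide (Active Directory vocabulary).
USER_FILTER = (
    "(&(objectClass=organizationalPerson)"
    "(|(userPrincipalName={0}*)(displayName={0}*)(mail={0}*)))"
)
GROUP_FILTER = "(&(objectClass=group)(|(name={0}*)(cn={0}*)))"

# RFC 4515 escapes for the characters that are special inside a value.
_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Return value with RFC 4515 special characters hex-escaped."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def render_filter(template: str, term: str) -> str:
    """Fill every {0} in template with the escaped search term."""
    return template.replace("{0}", escape_filter_value(term))


def render_filter_unescaped(template: str, term: str) -> str:
    """Fill {0} verbatim; shown only to contrast with render_filter."""
    return template.replace("{0}", term)


def count_components(filter_text: str) -> int:
    """Count unescaped '(' characters in a rendered filter.

    Each unescaped '(' opens one filter component, so for a given
    template the count is fixed. A search term that changes it has
    altered the query's structure, not merely the value being matched.
    Escapes are assumed to be well formed (backslash plus two hex digits).
    """
    count = 0
    i = 0
    while i < len(filter_text):
        ch = filter_text[i]
        if ch == "\\":
            i += 3  # skip the escape: backslash plus two hex digits
            continue
        if ch == "(":
            count += 1
        i += 1
    return count


def structure_preserved(template: str, term: str) -> bool:
    """True if rendering term into template keeps the component count."""
    return count_components(render_filter(template, term)) == count_components(template)


if __name__ == "__main__":
    # Constructed search terms: an ordinary group name and one that
    # contains filter metacharacters.
    for term in ("Domain Admins", "x)(cn=*"):
        print("escaped:  ", render_filter(GROUP_FILTER, term))
        print("unescaped:", render_filter_unescaped(GROUP_FILTER, term))
        print("components (escaped / unescaped):",
              count_components(render_filter(GROUP_FILTER, term)),
              count_components(render_filter_unescaped(GROUP_FILTER, term)))
```

Running the block shows that the Group filter always has five components when the term is escaped, while the unescaped rendering of the second term produces seven; a simple parenthesis-balance check would not notice the difference, which is why the component count is compared against the template instead.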

Module Specific Configuration

Main

Permissions

To Manage the permissions for the Main module, see Managing Permissions

Permission                  Description
--------------------------  ----------------------------------------------------------------------------------------------
Configuration Permission    When checked, this permission allows users with the associated role to configure the module.
Access Main Module          When checked, this permission allows users with the associated role to use the module.

The Main module requires some base permissions:

  • Administrative roles require Access Main Module and Configure Permission

  • User roles at minimum require Access Main Module

Attributes

The Main module comes pre-configured with a set of attributes needed for the module to operate.  You may wish to map one of those attributes to a different schema element.   See Managing Attributes for an explanation of how to edit required attributes.

No other attributes are needed by Main.  Adding attributes will have no effect on the functionality or user experience of the module.

Search Contexts  

Search contexts are defined in the Main module for user and group objects and will be used by the other modules.  Setting the search context defines where in the directory objects searches will begin. See Managing Search Contexts to learn how to manage Search Contexts.

Filters

The Main module uses five defined filters.  

  • Container Search Filter

  • Group Search Filter

  • User Search Filter

  • Object Search Filter

  • Group by Member Search Filter

These filters tell the LDAP server how to search for these specific object types.  See Managing Filters to learn how to manage these filters.

My Profile 

About My Profile

The My Profile module allows a user to view their attribute values for their object or other users' objects in the target directory.

Configuring My Profile

Permissions

See Managing Permissions to learn how to configure the permissions for My Profile.  Several of the permissions below (for example No limits and Edit any profile attribute on any user) allow members of a role to change other users' directory attributes; grant them only to roles whose members need that access.

Permission                                   Description
-------------------------------------------  ------------------------------------------------------------------------------------------
Access user profile module                   Allows user to access the My Profile module
Configuration Permission                     Allows user to configure the My Profile module
Edit all profile attributes on subordinate   Allows user to edit all the attributes of a subordinate user
Edit any personal profile attribute          Allows user to edit any of their personal profile attributes
Edit any profile attribute on any user       Allows user to edit any profile attribute on any user
Edit any profile attribute on others         Allows user to edit any profile attribute on other users
Edit any subordinate's phone number          Allows user to edit any subordinate's phone number
Edit any user's email                        Allows user to edit any user's email address
Edit any user's mobile                       Allows user to edit any user's mobile number
Edit any user's name                         Allows user to edit any user's name
Edit any user's optional attributes          Allows user to edit any user's optional attributes
Edit any user's phone                        Allows user to edit any user's phone number
Edit any user's photo                        Allows user to edit any user's photo
Edit other's email address                   Allows user to edit other's email address
Edit other's mobile number                   Allows user to edit other's mobile number
Edit other's name                            Allows user to edit other's name
Edit other's optional attributes             Allows user to edit other's optional attributes
Edit other's phone number                    Allows user to edit other's phone number
Edit other's photo                           Allows user to edit other's photo
Edit personal email                          Allows user to edit personal email address
Edit personal name                           Allows user to edit personal name
Edit personal optional attributes            Allows user to edit personal optional attributes
Edit personal phone number                   Allows user to edit personal phone number
Edit personal photo                          Allows user to edit personal photo
Edit subordinate's mobile number             Allows user to edit subordinate's mobile number
Edit subordinate's name                      Allows user to edit subordinate's name
Edit subordinate's optional attributes       Allows user to edit subordinate's optional attributes
Edit subordinate's photo                     Allows user to edit subordinate's photo
No limits                                    Allows user to view and edit their own attributes as well as those for subordinates and others
View all profile attributes on subordinate   Allows user to view all profile attributes on subordinate
View any personal profile attribute          Allows user to view any personal profile attribute
View any profile attribute on any user       Allows user to view any profile attribute on any user
View any profile attribute on others         Allows user to view any profile attribute on others
View any user's email                        Allows user to view any user's email address
View any user's mobile                       Allows user to view any user's mobile number
View any user's name                         Allows user to view any user's name
View any user's optional attributes          Allows user to view any user's optional attributes
View any user's phone                        Allows user to view any user's phone number
View any user's photo                        Allows user to view any user's photo