HP DCE Administration Tools

The administration tools are Account Manager, DCM (the Distributed Configuration Manager), and the HP CDS Browser. The Account Manager provides a graphical interface for creating objects in the DCE registry and for administering the DCE registry. HP's DCE Configuration Manager provides a graphical interface for configuring a DCE cell; the HP DCE CDS Browser provides a graphical display for browsing and editing the CDS name space.

All of the HP DCE Administration Tools have extensive online help.

You can invoke the HP DCE Account Manager and the HP CDS Browser from SAM by selecting the DCE Cell Management icon.

HP DCE Account Manager

The Account Manager provides a graphical user interface for managing the DCE Registry. With the Account Manager, you can:

Create and manage users (principals with or without accounts)
Create and manage groups and organizations
Manage Registry Policy (Registry IDs, Tickets, Password and Account policy)
Create and manage Registry Attribute Types (Extended Registry Attributes)
Manage ACLs (Access Control Lists) on the above

HP DCE Account Manager Documentation

Documentation for the Account Manager is provided as online help.

You may also want to view the dcecp man pages. To read the DCE man pages with the man command, you must include /opt/dce/usr/man in your MANPATH shell environment variable.

Installing the Account Manager

The Account Manager is included in the DCE-ACCT-MGR fileset. You must install this fileset on each system on which you want to run the Account Manager.




	NOTE: The Account Manager requires a bit-mapped display; it does not run on ASCII terminals. Also, small bit-mapped displays (such as some PC displays), which may cut off portions of dialog boxes, are unsupported.

Running the Account Manager

If you are running the Account Manager locally, you do not need to set the DISPLAY environment variable ($DISPLAY). If you are running the Account Manager from a remote machine, however, use the following command to set the DISPLAY environment variable to the local machine:

export DISPLAY=<localhostname>:0.0

If $DISPLAY is not set, the following warning displays:

	Warning: You are viewing the Account Manager using a remote X display. Passwords and other confidential information will pan over the network in clear text, and may be seen by network pirates. You may wish to exit the Account Manager and run it from a local X display.

Start the Account Manager with the following command:

/opt/dce/bin/acctmgr

If you want to perform privileged operations (such as registry modifications) with the Account Manager, you must run the Account Manager as the DCE cell_admin principal.

The Account Manager can also be started as follows from SAM:

Log in as root.
Execute sam from a shell prompt.
Select (double click on) DCE Cell Management.
Select (double click on) DCE Account Manager.

Tips for New Users

Log into DCE before starting the Account Manager, or use the Login option from within the Account Manager.
Establish your preferences in the Options "Preferences" dialog box when you initially start the Account Manager.
If you are administering a very large cell, read "Managing Very Large Cells with Account Manager" below.
It is recommended that you bring up the Assistant from the File menu when you initially start the Account Manager, and iconize it when not in use.
Where possible, use batch operations and profiles to automate time-consuming repetitive tasks, such as adding multiple users that have similar characteristics.

Managing Very Large Cells with Account Manager

DCE interfaces can be slow to retrieve lists for very large DCE deployments (For example, if the DCE registry is managing many thousands of users). The performance of the Account Manager will be affected in this case. To aid the Account Manager's performance for very large deployments, take the following steps:

In the Options/Preferences dialog, enable the option to "Display -User/Group/Org/Attribute_Type List as Text instead of Icons."
The Account Manager requires major resources to map very large lists into iconic display, and this option is needed to bypass that step.
In the Options/Preferences dialog, disable the option to "Display -User/Group/Org/Attribute_Type List at Start Up". This step should be done if any of the following are true:
- You know the names of the objects you want to manage.
- You will manage only a subset of objects (for example, users in a certain group).
- You will ask the Account Manager to read in the list of objects to manage from a file (see #3 below).
In this step, the first time that you navigate the Account Manager to an object management screen (for example, User Management), the list will be empty.
Then proceed as follows:
- If you know the names of the objects to manage, select the appropriate Action. You will be prompted to enter the object name or names.
- If you wish to read in names from a file, or retrieve a partial listing (such as all users in group XXX), select Options/Specify List.
If the retrieval of large lists degrades Account Manager performance, you may wish to assist the Account Manager by retrieving the list during an off-time using the dcecp command and saving the list to a file. This file could be generated automatically (for example, nightly by a cron job).
Here is a sample script to retrieve and sort the DCE users list:
dcecp -c "principal catalog -simplename" | sort > usrlist
Once the list has been retrieved, you can read in the list to the Account Manager display from a file. In this case, you must first do step 2 above to set the Preferences dialog; if you do not set the Preferences dialog, the Account Manager will automatically begin to retrieve all objects when you navigate to an object area. Then you navigate to the object area, for example, User Management. To load the list from the local file, select Options/Specify List. In the Specify Users List dialog, select the option "From File" to read in the list.

Account Manager Limitations and Exceptions

The following are limitations and exceptions to Account Manager at HP DCE 1.6:

User inputs for defining and attaching Registry Attribute types may cause improper tool operation if the inputs contain the following special characters:
{ left curly brace
} right curly brace
[ left square bracket
] right square bracket
" double quotation mark
\ backslash
For other inputs (for example, defining user names and group names), the quote and backslash may cause problems. An example of an illegitimate iname is: \dos\dir.
The Account Manager is not internationalized.
Descriptive text for Registry Attribute Types is currently limited to three lines of text. The tool provides no way to view descriptions which occupy more than three lines.
A profile that is created from a View operation (such as "View User") does not correctly handle an alias name. As a workaround, create profiles including aliases only from Add operation dialogs.
Cross-cell administration is not supported.
Importation of user account information from /etc/passwdis not supported.
If a profile directs the removal of a group or organization member, the list of members is retrieved prior to removal, even if preferences state that lists should not be automatically retrieved.