HOWTO Make an LDAP User an SGD Administrator

This article provides an overview of how to designate a user who is authenticated by a Directory Service as a Secure Global Desktop administrator.

In Secure Global Desktop, administrative privileges are granted to users who are members of the Global Administrators role. The usual way to do this is to create a User Profile for the designated user and add that User Profile to the "Global Administrators" role.

This process works fine for "local" users, but if the user(s) you want to act as SGD administrators are authenticated by a Directory Service, then this procedure requires a few additional steps.

Note: It's recommended that you keep a functioning "local" SGD Administrator account, since the external directory service may fail; you'll want some mechanism for administering the system in such an event. The "root" id, if enabled, can always be used to administer SGD.

Procedure

This procedure uses a technique called "LDAP Mirroring", in which the structure of your Directory Service is replicated in the local SGD Datastore (despite the name, it also applies to Active Directory environments.) Once the structure is replicated, you can then create a User Profile object for your candidate user in the replicated structure, and add the Profile to the Global Administrators group.

To illustrate the process, we'll use the following values:

Directory Service                    Active Directory
User to be made "Administrator"      cn=John Doe, cn=Users, dc=example, dc=com
Domain Name                          example.com
SGD Server name                      sgd1.example.com

Turn on "Attributes Display" in the Administration Console

Log in to the "SGD Administration Console", click "Preferences", and ensure that the "Naming Attributes" checkbox is selected.

Mirror the Directory Structure in the SGD Administration Console

In the SGD Administration Console, click the "User Profiles" tab.
In the left-hand pane, expand the "com" attribute, then the "example" attribute.
Click "New", and in the dialog box, enter:

Attribute            Value
Name                 "Users"
Type                 select the "Directory (light)" radio button
Naming Attribute     select the "cn (Common Name)" radio button

Now, click the "Create" button.

[Screenshot of the "New" dialog with the values above; the image is not reproduced here.]

Note that these values are appropriate for Active Directory; if you're using a Sun Java System Directory Server, you'll likely be creating "ou" directory components, in which case you'll select "Directory" for the "Type" field in the dialog box, which automatically uses the "ou=" naming attribute.

Once you've created this new component, you may choose to change the "Repository" type from "Local" to "Local+LDAP". After this change, directory objects that are mirrored locally are indicated by a distinct icon in the list (the icon image is not reproduced here).

Create the User Profile Object

With "focus" set on the "cn=Users" attribute, click "New", and fill in the pop-up dialog appropriately; in this example:

Attribute            Value
Name                 John Doe
Type                 User Profile
Naming Attribute     cn (Common Name)

And click the "Create" button.

Note that the "Naming Attribute" for a User Profile for a Sun Directory Server will be "uid".

The newly created User Profile should now appear in the "CN=Users" list box, with a "Repository" of "Local+LDAP".

Add the User Profile to the Global Administrators Role

Continuing from above, perform the following:

    • In the left-hand pane, click "System Objects"
    • Click "cn=Global Administrators"
    • In the "Directly Assigned Member Objects" box, click "Add"
    • In the Directory Browser window, browse to the "John Doe" User Profile created in the previous step, select the associated "checkbox", and click "Add" button

Now, when "John Doe" logs in to Secure Global Desktop, he will see the "Administrative" applications on his webtop, and he'll be able to run the "Administration Console". Note, however, that he will not be able to use the Secure Global Desktop command-line commands (assuming the user has some "non-root" account on the server that's hosting SGD).

To enable a user to run some SGD command-line commands (some privileged operations are reserved for root), the user must be a member of the ttaserv group. To add a user to this group, run the following command:

usermod -G ttaserv userid
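The following shell script is an added example, not part of the original article, showing one way to apply the ttaserv membership without side effects. It assumes a Solaris or Linux host where "usermod -G" replaces the user's whole supplementary group list rather than appending to it, so it first reads the user's current groups with "id" and passes the merged list; the function names (merge_groups, current_supp_groups, add_to_ttaserv) and the sample group lists are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): add a user to the
# "ttaserv" group without dropping their existing supplementary groups.
# Assumption: usermod -G replaces the supplementary group list (true for
# Solaris usermod and Linux shadow-utils), so the full merged list is passed.

# merge_groups CURRENT NEW
#   CURRENT: comma-separated supplementary groups the user already has
#   NEW:     group to add
# Prints the merged comma-separated list; NEW is appended only if absent.
merge_groups() {
    current="$1"
    new="$2"
    if [ -z "$current" ]; then
        printf '%s\n' "$new"
        return 0
    fi
    case ",$current," in
        *",$new,"*) printf '%s\n' "$current" ;;
        *)          printf '%s,%s\n' "$current" "$new" ;;
    esac
}

# current_supp_groups USER
#   Prints the user's current supplementary groups, comma-separated,
#   excluding the primary group (id -gn), which -G should not list.
current_supp_groups() {
    user="$1"
    primary=$(id -gn "$user") || return 1
    id -Gn "$user" | tr ' ' '\n' | grep -vxF "$primary" | paste -s -d ',' -
}

# add_to_ttaserv USER
#   Runs usermod with the merged list. Requires root; echoes the exact
#   command first so it can be reviewed before it takes effect.
add_to_ttaserv() {
    user="$1"
    groups=$(current_supp_groups "$user") || return 1
    merged=$(merge_groups "$groups" ttaserv)
    echo "usermod -G $merged $user"
    usermod -G "$merged" "$user"
}

# Constructed demonstration input (no real account is modified here):
merge_groups "staff,wheel" ttaserv      # staff,wheel,ttaserv
merge_groups "staff,ttaserv" ttaserv    # staff,ttaserv
merge_groups "" ttaserv                 # ttaserv
```

Run "add_to_ttaserv userid" as root, then confirm the result with "id userid": the output should list ttaserv alongside the groups the user already had.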

For further information, see the SGD Administration Guide, SGD Administrators section.


Copyright 1994-2009 Sun Microsystems, Inc.