4.3 Multiple User Account Domain Support

If your existing domain configuration requires it, you can enable ClearCase access for users and computers in multiple domains. Because this configuration can be more complicated to set up and administer, we recommend that you avoid using it unless organizational or security concerns require you to do so.

Using Active Directory Universal Groups

When a ClearCase LT community includes users from multiple Active Directory domains that are part of the same forest, you can use an Active Directory universal group to provide users logged on to different domains with access to a common set of VOBs and views.

To create an Active Directory universal group that can be used as the ClearCase primary group by users from multiple Active Directory domains in a single forest:

  1. Verify that the Active Directory environment is operating in native mode. (Universal groups cannot be created in an Active Directory domain that is operating in mixed mode.)

  2. Create the ClearCase users group as an Active Directory universal group.

  3. Make each domain global group whose members are part of the ClearCase community a member of the ClearCase users group. We do not recommend adding individual user accounts to a universal group. Instead, group the users from each Active Directory domain into a domain global group defined in that domain, and make each of those domain global groups a member of the universal group.

  4. Require each user in each of the domain global groups that are members of the ClearCase users group to set CLEARCASE_PRIMARY_GROUP to the domain-qualified name of the (universal) ClearCase users group. (You cannot use Active Directory account management tools to specify a universal group as a user's primary group.)

NOTE: If you are upgrading a multi-master Windows NT domain environment to Active Directory, use the procedure described in Converting Proxy Groups to convert the proxy groups to members of an Active Directory universal group.

Using Proxy Groups and Domain Mapping in Windows NT Domains

When a ClearCase LT community includes users from multiple Windows NT domains, you must enable the ClearCase domain mapping feature as described in this section to provide all users with access to a common set of VOBs and views.

Suppose that ClearCase LT users have accounts in domains named ATLANTA, BOSTON, and CUPERTINO, and that the primary group of each VOB they need to share is ATLANTA\clearusers. To use ClearCase LT in this environment, create proxy groups and enable the domain mapping feature as follows:

  1. Ensure that each ClearCase LT host is a member of a resource domain that trusts the ATLANTA, BOSTON, and CUPERTINO domains.

  2. Create the ClearCase users group in one of the user account domains. In this example, the domain is Atlanta and the group is ATLANTA\clearusers. VOBs to be shared by users taking advantage of domain mapping must be owned by the ATLANTA\clearusers group.

  3. Create two more domain global groups, one in each of the other domains:

  4. When creating these groups, make sure their description strings contain the following substring:

    ClearCaseGroup(Atlanta\clearusers)

    This string must be case-correct and contain no spaces. When this text string is present in a group description, ClearCase LT recognizes the group as a proxy group for the group whose name is delimited by the parentheses (in this case, the group ATLANTA\clearusers). When evaluating VOB access rights, ClearCase LT treats members of a proxy group as though they were members of the group named in the ClearCaseGroup substring. In this example, a member of BOSTON\clearusers_Boston will have the same VOB access rights as a member of ATLANTA\clearusers if the description of BOSTON\clearusers_Boston includes the string ClearCaseGroup(ATLANTA\clearusers).

  5. Make ClearCase LT users members of the appropriate groups:

  6. Enable domain mapping on each ClearCase LT host. To do so, edit the Windows registry on that host using the following procedure:

    1. Using a Windows registry editor, navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Atria\ClearCase\CurrentVersion.

    2. Click Edit > Add Value.

    3. In the Add Value dialog box, enter DomainMappingEnabled in the Value Name and select REG_DWORD as the value type.

    4. Click OK to start the DWORD editor.

    5. In the DWORD editor, enter 1 in the Data box. Make sure that the Radix is set to Hex (the default).

    6. Click OK to add the value.

    NOTE: To enable domain mapping for a Windows 98 or Windows Me computer, enable it on the Windows host that is designated as the credentials mapping server; then shut down and restart the Windows Me or Windows 98 computer.

  7. Require each ClearCase LT user to set the user environment variable CLEARCASE_PRIMARY_GROUP to the value ATLANTA\clearusers. See Setting the ClearCase Primary Group.
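
Because any group whose description carries the ClearCaseGroup substring is treated as a proxy group, it is worth auditing group descriptions after completing this procedure. The following is an added example, not part of the ClearCase LT product or its documentation: it checks exported group descriptions for the strict substring form, catches near-misses (wrong case, stray spaces), and flags proxy groups that are not on an approved list. The group names other than the two clearusers proxy groups, the approved list, and the function names are constructed for illustration, and the exact-case comparison of the name inside the parentheses is an assumption based on the "case-correct" requirement above.

```python
import re

# Strict form described on the page: exact keyword case, no spaces anywhere.
STRICT = re.compile(r"ClearCaseGroup\(([^\s()\\]+\\[^\s()\\]+)\)")
# Loose form: catches near-misses (wrong keyword case, stray spaces).
LOOSE = re.compile(r"clearcasegroup\s*\(\s*([^()]*?)\s*\)", re.IGNORECASE)


def classify(description, expected_target):
    """Return (status, target) for one group description."""
    strict = STRICT.search(description)
    if strict:
        target = strict.group(1)
        if target == expected_target:
            return "proxy", target
        # Assumption: the name inside the parentheses is compared exactly.
        return "wrong-target", target
    loose = LOOSE.search(description)
    if loose:
        return "malformed", loose.group(1)
    return "not-proxy", None


def audit(groups, expected_target, approved):
    """Map each group name to a finding; flag proxies not on the approved list."""
    findings = {}
    for name, description in groups.items():
        status, _ = classify(description, expected_target)
        if status == "proxy" and name not in approved:
            status = "unapproved-proxy"
        findings[name] = status
    return findings


# Constructed sample data: group name -> description string.
SAMPLE_GROUPS = {
    r"BOSTON\clearusers_Boston": r"Boston devs ClearCaseGroup(ATLANTA\clearusers)",
    r"CUPERTINO\clearusers_Cupertino": r"ClearCaseGroup( ATLANTA\clearusers )",
    r"CUPERTINO\contractors": r"ClearCaseGroup(ATLANTA\clearusers)",
    r"BOSTON\qa": r"clearcasegroup(ATLANTA\clearusers)",
    r"BOSTON\docs": r"ClearCaseGroup(atlanta\clearusers)",
    r"BOSTON\sales": "Sales staff",
}
APPROVED = {r"BOSTON\clearusers_Boston", r"CUPERTINO\clearusers_Cupertino"}

if __name__ == "__main__":
    for name, status in audit(SAMPLE_GROUPS, r"ATLANTA\clearusers", APPROVED).items():
        print(f"{name:35} {status}")
```

A "malformed" or "wrong-target" finding on an intended proxy group means its members will not receive the expected VOB access; an "unapproved-proxy" finding means a group outside the planned set is conferring it.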

Setting VOB Element Permissions

All elements in any VOB that will be accessed by users who are members of proxy groups must allow Read rights for Other. Newly created elements grant this right by default. You can examine an element's protection from Windows Explorer:

  1. Right-click the element to display the shortcut menu.

  2. Click ClearCase > Properties of Element.

  3. In the Properties of Element dialog box, click the Protection tab. The Read check box in the Other group must be selected.

To reprotect a large number of elements, use the cleartool protect command.

Setting VOB Storage ACLs

If necessary, you can restrict access to world-readable elements to a smaller set of users by setting the access control list (ACL) on the share that contains the VOB storage directory. For example, if a VOB is registered with the global path \\myserver\vobstorage\src_vob, you can set the ACL on the vobstorage share to restrict access to ATLANTA\clearusers, BOSTON\clearusers_Boston, and CUPERTINO\clearusers_Cupertino.