OSF DCE Administration Guide--Core Components

ManualsBrandsHP ManualsServerHP NonStop G-Series

271

272

273

274

275

276

277

278

279

280

Restructuring a Namespace

See the cdsalias(8dce) reference page for a complete description of the cdsalias

object.

In order to be able to run the cdsalias connect command successfully, you need

administrative permission to the child cell’s root (/.:) directory, and the cds-

server principal on the machine that contains the master replica of the child

cell’s root directory needs insert permission to the parent cell’s root directory.

The DCE administrator of the parent cell will need to modify the root directory’s

ACL to give the cds-server principal on the /.: master replica machine in the

child cell the proper permissions. There are several ways to accomplish this

task. One way is to modify the ACL so that the cds-server principal on the

machine in the child cell where you plan to run the dcecp cdsalias connect

command has i permission to the parent cell’s root. For example, the DCE

administrator on the parent cell can use the dcecp acl modify command as

follows:

dcecp> acl modify /.: {foreign_user

/.../coolco.com/northeast/marketing/inbound/hosts\

/mr/cds-server -i}

If you choose this method of granting permission to the parent cell’s root

directory, the DCE administrator of the parent cell will also need to edit the

dcelocal/etc/security/pe_site ﬁle on the machine within the parent cell that he or

she is using to modify the parent cell’s /.: ACL to include the child cell’s name.

This step is necessary to permit dcecp to contact the child cell’s registry during

the ACL modiﬁcation process (dcecp needs to contact the registry in the child

cell to verify the foreign user). Once the cdsalias connect process is complete,

the parent cell’s DCE administrator can remove the child cell name from the

dcelocal/etc/security/pe_site ﬁle.

Another way to ensure the appropriate permission to the parent cell’s /.: directory

is to modify its ACL to include the any_other type entry and the

unauthenticated mask entry. This method grants unauthenticated insert

permission to the cell’s root directory, so you should modify the ACL again to

remove the possibility for this kind of access after you have ﬁnished adding the

child cell to the hierarchy. See Section 28.2.5 for more details about these

entries. If you choose this method of granting permission, no modiﬁcation to a

parent cell pe_site ﬁle is necessary.

Once the cdsalias connect command successfully completes, the cell is established as

a member of the hierarchy.

Note that the old name for the cell continues to exist as a cell name alias so that cells

outside the hierarchy that previously communicated with the cell by using its old name,

and which do not know its new primary name, can still reach it by using the old name.

For example, the old cell name

/.../ﬁneprint.com

continues to exist as a cell name alias for the newly created child cell

/.../C=US/O=BIGCO/OU=LEGAL/contracts/ﬁneprint

124243 Tandem Computers Incorporated 21− 17