33.1 Overview of Access Services

The following sections present overviews of OES access services.

33.1.1 Access to Services

Figure 33-1 illustrates the variety of user interfaces supported by OES services. Novell® eDirectory™ provides authentication to each service.

Figure 33-1 Access Interfaces and the Services They Access

The interfaces available for each service are largely determined by the protocols supported by the service.

  • Browsers and personal digital assistants require support for the HTTP protocol.

  • Each workstation type shown in the graphic has a native protocol associated with it. Linux uses NFS as its native protocol for file services access, Macintosh workstations communicate using AFP, and Windows workstations use the CIFS protocol by default for file services.

  • Novell Client software uses NetWare Core Protocol™ (NCP™) software to provide the benchmark-setting file services for which Novell is so well known.

Understanding the protocol support for OES services can help you begin to plan your OES implementation. For more information, see Section 33.2.5, Matching Protocols and Services to Check Access Requirements. Information about user interface support is also contained in the individual service sections, beginning with Section VI, End User Services.

33.1.2 NetWare Access Control to Directories and Files

eDirectory objects, such as users and groups, are assigned File System Trustee Rights to directories and files. These trustee rights determine what the user or group can do with a directory or file, provided that the directory or file attributes allow the action.

This is illustrated in Figure 33-2.

Figure 33-2 Directory and File Access is determined by File System Trustee Rights

Table 33-1 explains the effective access rights illustrated in Figure 33-2.

Table 33-1 Access Rights Explanation

eDirectory Objects: eDirectory objects (in most cases users and groups) gain access to the file system through eDirectory.

File System Trustee Rights: File system trustee rights govern access and usage by the eDirectory object specified for the directory or file to which the rights are granted.

Trustee rights are overridden by directory and file attributes.

For example, even though Nancy has the Supervisor (all) trustee right at the directory (and, therefore, to the files it contains), she cannot delete File2 because it has the Read Only attribute set.

Of course, Nancy could modify the file attributes so that File2 could then be deleted.

Directory and File Attributes: Each directory and file has attributes associated with it. These attributes apply universally to all trustees regardless of the trustee rights an object might have.

For example, a file that has the Read Only attribute is Read Only for all users.

Attributes can be set by any trustee that has the Modify trustee right to the directory or file.

Directories and Files: The possible actions by the eDirectory users and group shown in this example are as follows:

  • Nancy has the Supervisor trustee right at the directory level, meaning that she can perform any action not blocked by a directory or file attribute.

    The Di (Delete Inhibit) and Ri (Rename Inhibit) Attributes on DirectoryA prevent Nancy from deleting or renaming the directory unless she modifies the attributes first. The same principle applies to her ability to modify File2.

  • Because Joe is a member of the Reporters group, he can view file and directory names inside DirectoryA and also see the directory structure up to the root directory.

    Joe also has rights to open and read any files in DirectoryA and to execute any applications in DirectoryA.

  • Because Bert is a member of the Reporters group, he can view file and directory names inside DirectoryA and also see the directory structure up to the root directory.

    Bert also has rights to open and read File1 and to execute it if it's an application.

    And Bert has rights to grant any eDirectory user access to File1.

  • Because all three users are members of the Reporters group, they can grant any eDirectory user access to File2.

    Of course, for Nancy this is redundant because she has the Supervisor right at the directory level.
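The decision rule described above (trustee rights are combined from the user and its groups and inherited down the directory tree, then directory and file attributes block actions regardless of rights) is modelled below in an added example; it is not code from the OES documentation. The trustee assignments for Nancy, Joe, Bert and the Reporters group are reconstructed from the Figure 33-2 description and are assumptions, as is the simplified mapping of actions to rights and blocking attributes.

```python
from dataclasses import dataclass, field

# NetWare trustee rights: Supervisor, Read, Write, Create, Erase, Modify, File Scan, Access Control
RIGHTS = set("SRWCEMFA")
# Assumed simplified mapping: the right an action needs, and the attributes that block it.
ACTION_RIGHT = {"read": "R", "write": "W", "delete": "E", "rename": "M",
                "set_attrs": "M", "scan": "F", "grant": "A"}
ACTION_BLOCKED_BY = {"write": {"Ro"}, "delete": {"Ro", "Di"}, "rename": {"Ro", "Ri"}}

@dataclass
class Node:
    name: str
    parent: "Node | None" = None
    attrs: set = field(default_factory=set)       # e.g. {"Ro", "Di", "Ri"}
    trustees: dict = field(default_factory=dict)  # trustee name -> rights granted here

def effective_rights(node, principals):
    """Union of each principal's closest explicit assignment walking up to the root.
    Assumption: a directory assignment flows down until the same trustee is reassigned
    lower; user and group rights combine; Supervisor expands to every right. No IRF."""
    rights = set()
    for p in principals:
        n = node
        while n is not None:
            if p in n.trustees:
                rights |= n.trustees[p]
                break
            n = n.parent
    return set(RIGHTS) if "S" in rights else rights

def can(node, principals, action):
    """Allowed only if the required right is held AND no attribute blocks the action."""
    if ACTION_RIGHT[action] not in effective_rights(node, principals):
        return False
    return not (ACTION_BLOCKED_BY.get(action, set()) & node.attrs)

# Constructed scenario reconstructed from the Figure 33-2 text (assignments are assumptions).
MEMBERS = {"Nancy": {"Nancy", "Reporters"}, "Joe": {"Joe", "Reporters"}, "Bert": {"Bert", "Reporters"}}

def build_scenario():
    root = Node("root")
    dir_a = Node("DirectoryA", root, attrs={"Di", "Ri"},
                 trustees={"Nancy": {"S"}, "Reporters": {"F"}, "Joe": {"R", "F"}})
    file1 = Node("File1", dir_a, trustees={"Bert": {"R", "F", "A"}})
    file2 = Node("File2", dir_a, attrs={"Ro"}, trustees={"Reporters": {"A"}})
    return {"DirectoryA": dir_a, "File1": file1, "File2": file2}

def check(user, node_name, action):
    return can(build_scenario()[node_name], MEMBERS[user], action)

def nancy_deletes_file2():
    """Nancy cannot delete File2 while Ro is set, but her Modify right lets her clear it first."""
    f2 = build_scenario()["File2"]
    before = can(f2, MEMBERS["Nancy"], "delete")
    if can(f2, MEMBERS["Nancy"], "set_attrs"):
        f2.attrs.discard("Ro")
    return before, can(f2, MEMBERS["Nancy"], "delete")  # returns (False, True)
```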

33.1.3 Understanding NSS-Specific Access Control Features

Table 33-2 provides links to documentation that discusses the various NSS-specific access control features.

Table 33-2 Summary of NSS Access Control Documentation Links

  • Linux Mode vs. NetWare Mode (NOTE: This applies only to Linux servers.)

    To understand: The difference between Linux Mode access and NetWare Mode access.

    See: Access Control for NSS on Linux in the File Systems Management Guide for OES.

  • NetWare directory and file attributes on NSS volumes on OES Linux (NOTE: This is about only what is displayed. POSIX permissions are not used for access control to NSS volumes.)

    To understand: How NSS file attributes are reflected in Linux directory and file permissions viewable through POSIX.

    See: Displaying Key NSS Directory and File Attributes as Linux POSIX Permissions in the File Systems Management Guide for OES.

33.1.4 Understanding General File System Access Control

Table 33-3 provides links to documentation that discusses general access control features.

Table 33-3 General File System Access Control

  • Access Control Lists (ACLs) on Linux

    To understand: How ACLs are supported on the most commonly used Linux traditional file systems and let you assign file and directory permissions to users and groups who do not own the files or directories.

    See: Access Control Lists in Linux in the SUSE LINUX Enterprise Server 9 Administration Guide.

  • Directory and file attributes

    To understand: Directory and file attributes on OES NetWare.

    See: Directory and File Attributes for NSS Volumes or NetWare Traditional Volumes in the File Systems Management Guide for OES.

  • File system trustee rights

    To understand: File system trustee rights on NetWare (NSS and traditional volumes), including how NetWare determines effective file system trustee rights.

    See: File-System Trustee Rights in the File Systems Management Guide for OES.

  • NetWare Connection Manager

    To understand: How the NetWare Connection Manager tracks active user connections and provides access permission information for NSS and Traditional volumes on NetWare.

    See: The Connection Manager for NetWare in the File Systems Management Guide for OES.

  • Novell Client™ and the NetWare Connection Manager

    To understand: How the Novell Client works with the Connection Manager to ensure that users have correct access rights to the file system.

    See: Novell Client in the File Systems Management Guide for OES.

  • NetWare trustee rights and directory and file attributes

    To understand: How to control who can see which files and what they can do with them.

    See: Understanding File System Access Control for NSS and NetWare Traditional File Systems in the File Systems Management Guide for OES.

  • POSIX file system rights and attributes on Linux

    To understand: How to configure file system attributes on OES Linux servers.

    See: POSIX Access Control Lists in the File Systems Management Guide for OES.

  • Rights to install applications on NetWare

    To understand: The access rights required to install applications on NetWare file systems.

    See: Security Guidelines in the File Systems Management Guide for OES.

  • Security Equivalence in eDirectory

    To understand: The concept of Security Equivalence in eDirectory.

    See: eDirectory Objects and Security Equivalence in the File Systems Management Guide for OES.

33.1.5 Novell Client (NCP File Services)

If you have not already determined whether to use the Novell Client on your network, we recommend that you consider the following information:

About the Novell Client

The Novell Client extends the capabilities of Windows and Linux desktops with access to NetWare and OES Linux servers.

After installing Novell Client software, users can enjoy the full range of Novell services, such as

  • Authentication via Novell eDirectory.

  • Network browsing and service resolution.

  • Secure and reliable file system access.

  • Support for industry-standard protocols.

The Novell Client supports the traditional Novell protocols (NDAP, NCP, and RSA) and interoperates with open protocols (LDAP, CIFS, and NFS).

Is the Novell Client Right for Your Network?

Although Novell offers well-seasoned services that don't require the Novell Client (such as NetStorage, Novell iFolder® 2.1x, and iPrint), many network administrators continue to prefer the Novell Client as the access choice for their network users for the following reasons:

  • They prefer eDirectory authentication to LDAP authentication because they believe it is more secure.

  • They prefer the NetWare Core Protocol (NCP) over the Microsoft CIFS protocol because they believe that CIFS is more vulnerable to the propagation of viruses on the network.

Conversely, other network administrators are equally adamant that their users function better without the added overhead of running an NCP client on each workstation.

We can’t determine what is best for your network, but we do provide you with viable choices.

Differences between Linux and Windows

There are some differences between the Linux and Windows clients. These are documented in Understanding How the Novell Client for Linux Differs from the Novell Client for Windows 2000/XP in the Novell Client for Linux 1.2 Administration Guide.

33.1.6 Linux User Management Requirements

Some services that run on OES Linux servers require that the users accessing them be (or, at least, appear to the Linux system to be) standard Linux users with Linux user credentials, such as a user ID (UID) and primary group ID (GID).

So that eDirectory users can access these services, Novell provides the Linux User Management (LUM) technology. The impact of this on you as the network administrator is that these users and groups must be enabled for eDirectory LDAP authentication to the local server. For more information, see Linux Access for eDirectory Users (LUM).