18.1 Overview

The topics in this section are designed to help you understand when Linux-enabled access is required so that your network services are accessible and work as expected. For more information about Linux User Management, see Overview in the Novell Linux User Management Technology Guide.

18.1.1 A Graphical Preview of Linux User Management

Figure 18-1 illustrates how Linux User Management controls access to the OES server.

Figure 18-1 LUM Provides POSIX Access for eDirectory Users

The following table explains the information presented in Figure 18-1.

  Valid POSIX Users
    Some services on OES Linux servers must be accessed by POSIX users.
    eDirectory users can function as POSIX users if they are enabled for Linux access.

  Authentication
    When the system receives an action request, it can authenticate both local POSIX users and users who have been enabled for Linux access.

  eDirectory Authenticated Services
    Users can potentially access PAM-enabled services, Samba shares, and Novell Remote Manager as either local or eDirectory users.
    The passwd command is not enabled for eDirectory access because eDirectory passwords are maintained in eDirectory, not on the local server.

18.1.2 Linux Requires POSIX Users

Linux requires that all users be defined using standard POSIX attributes, such as username, user ID (UID), primary group ID (GID), password, and other similar attributes.

18.1.3 Linux Users Can Be Local or Remote

Users who access a Linux server can be created

  • Locally (on the server): Local users are managed at a shell prompt (using commands such as useradd) or in YaST. (See the useradd(8) man page and the YaST online help for more information.) These local users are stored in the /etc/passwd file. (See the passwd(5) man page for more information.)

  • Remotely (off the server): Remote users can be managed by other systems, such as LDAP-compliant directory services. Remote user access is enabled through the Pluggable Authentication Module (PAM) architecture on Linux.

The Linux POSIX-compliant interfaces can authenticate both kinds of users, independent of where they are stored and how they are managed.
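To see on a server where a given account comes from, the following added shell script (not part of the OES documentation) checks /etc/passwd for a local entry, falls back to getent (which consults every NSS source, including the LDAP source that LUM provides) for a remote one, and prints the POSIX attributes that Linux requires. It assumes only the standard getent and awk utilities.

```sh
#!/bin/sh
# Added example, not from the OES documentation: report whether an account is
# local (a line in /etc/passwd) or remote (resolved only through NSS, which is
# where LUM exposes Linux-enabled eDirectory users via LDAP), and show the
# POSIX attributes Linux requires. Usage on the server: lum_user_report <user>

# Print "local", "remote" or "none" for the given user name.
user_source() {
    # Compare the whole first field so that "adm" does not match "admin".
    if awk -F: -v u="$1" '$1 == u { found = 1 } END { exit !found }' /etc/passwd; then
        echo local
    elif getent passwd "$1" >/dev/null 2>&1; then
        # getent consults every NSS source, so a hit here with no /etc/passwd
        # entry means the identity is supplied remotely (for example by LUM).
        echo remote
    else
        echo none
    fi
}

# Print the POSIX attributes of a user as "uid gid home shell".
user_posix_attrs() {
    getent passwd "$1" | awk -F: 'NR == 1 { print $3, $4, $6, $7 }'
}

# Full report: where the identity comes from, its attributes, and whether the
# home directory exists yet (a PAM-enabled service creates it on first login;
# a Samba login does not).
lum_user_report() {
    name=$1
    src=$(user_source "$name")
    if [ "$src" = none ]; then
        echo "$name: no POSIX identity (neither local nor Linux-enabled)"
        return 1
    fi
    set -- $(user_posix_attrs "$name")
    if [ -d "$3" ]; then homestate=present; else homestate=missing; fi
    echo "$name: source=$src uid=$1 gid=$2 home=$3 ($homestate) shell=$4"
}

# Run the report when a user name is given on the command line.
if [ -n "$1" ]; then
    lum_user_report "$1"
fi
```

An account that reports "remote" but has no home directory yet has not completed a first login through a PAM-enabled service.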

18.1.4 About Service Access on OES Linux

Novell Linux User Management (LUM) lets you use eDirectory to centrally manage remote users for access to one or more OES Linux servers.

Said another way, LUM lets eDirectory users function as local (POSIX) users on an OES Linux server. Access is enabled by leveraging the Linux Pluggable Authentication Module (PAM) architecture. PAM makes it possible for eDirectory users to authenticate with the OES Linux server through LDAP.

In OES, the terms LUM-enabling and Linux-enabling are both used to describe the process that adds standard Linux (POSIX) attributes and values to eDirectory users and groups, thus enabling them to function as POSIX users and groups on the server.

You can use iManager to enable eDirectory users for Linux. For instructions, see Section 18.4.1, About Enabling eDirectory Users for Linux Access.

18.1.5 Services in OES Linux That Require Linux-Enabled Access

Some services on an OES Linux server require that eDirectory users be Linux-enabled:

  • Core Linux Utilities Enabled for LUM: These are the core utilities and other shell commands that you specified during the OES install to be enabled for authentication through eDirectory LDAP. In Linux, these are known as PAM-enabled utilities.

    IMPORTANT: Before you accept the default PAM-enabled service settings, be sure you understand the security implications explained in Section 30.1.3, User Restriction Limitations.

    The core utilities available for LUM-enablement are summarized in Table 18-1.

    Table 18-1 PAM-enabled Services Controlled by LUM

    ftp
      Where executed: Another host
      Task: Transfer files to and from the OES server which, in this case, is a remote host.

    login
      Where executed: OES server; SSH session with OES server
      Task: Log in to the OES server, either directly or in an SSH session with the server.

    passwd
      Where executed: OES server; SSH session with OES server
      Task: Change the POSIX password.

    rlogin
      Where executed: Another host
      Task: Log in to the OES server which, in this case, is a remote host.

    rsh
      Where executed: Another host
      Task: Execute a command at the OES server which, in this case, is a remote host.

    sshd
      Where executed: Another host
      Task: Establish a secure encrypted connection with the OES server which, in this case, is a remote host.

    su
      Where executed: OES server; SSH session with OES server
      Task: Temporarily become another user. This is most often used to temporarily become the root user, who is not a LUM user and is, therefore, not affected by LUM.

    NOTE: Logging in to the OES Linux server through a PAM-enabled service for the first time causes the creation of a home directory.

  • Novell Samba (SMB/CIFS) Shares on the Server: Windows workgroup users who need access to Samba shares defined on the server must also be Linux-enabled eDirectory users who are configured to access the server. This is because Samba requires POSIX identification for access.

    By extension, NetStorage users who need access to SMB/CIFS Storage Location objects that point to the server, must also be LUM-enabled eDirectory users with access to the server.

    NOTE: Although Samba users must be enabled for Linux, Samba is not a PAM-enabled service. Logging in to the OES Linux server through Samba will not create a home directory.

  • Novell Remote Manager (NRM) on Linux: You can access NRM as

    • The root user with rights to see everything on the Linux server.

    • A local Linux user with access governed by POSIX access rights.

    • A LUM-enabled eDirectory user, such as the Admin user created during the install.

  • Novell Storage Management Services (SMS) on Linux: You can access SMS utilities as

    • The root user with rights to see everything on the Linux server.

    • A local Linux user with access governed by POSIX access rights.

    • A LUM-enabled eDirectory user, such as the Admin user created during the install.

18.1.6 Services That Do Not Require Linux-Enabled Access but Have Some LUM Requirements

Some services do not require eDirectory users to be Linux enabled for service access:

  • QuickFinder, Novell iFolder 2.1x, and Other Web Services: If only local users access these Web services, Linux-enabling doesn’t apply because the users are not remote eDirectory users.

  • NCP Server: The NCP™ server that has been ported to Linux remains tightly integrated with eDirectory and does not require eDirectory users to be Linux enabled.

    However, when NCP volumes are created that point to partitions other than NSS on the server, not all features are available if the eDirectory user is not Linux enabled. For example, cross-protocol access is not possible if the user is not Linux enabled.

  • NSS: eDirectory users that access NSS volumes directly using NCP (the Novell Client™) are not required to be Linux enabled.

    However, if any other file access protocol is used to access NSS through the virtual file system layer that makes NSS appear to be a POSIX-compliant file system, then the users must be Linux enabled.

IMPORTANT: Although the services in this section do not require Linux-enabled access, the services themselves run as POSIX-compliant system users who function on behalf of the end users that are accessing the service.

If the services must access NSS volumes, then the system users must be Linux enabled because only eDirectory users can access NSS volumes.

For more information, see Section F.0, OES System Users and Groups.

18.1.7 Linux Access Is Not Global Access to OES Linux Servers

As you plan to Linux enable users for access to these services, keep in mind that each OES Linux server that Linux-enabled users need to access must be associated with a Linux-enabled group that the users belong to.

In other words, it is not sufficient to Linux-enable users for access to a single OES Linux server if they need access to multiple servers. An association between the Linux-enabled group that the users belong to and the eDirectory UNIX Workstation object associated with the server must be formed using iManager for each server the users need access to. This can be accomplished for multiple servers using the process described in Section 18.4.3, Enabling Users to Access Multiple OES Linux Servers.

For more information on LUM, see the Novell Linux User Management Technology Guide.