3.6 Specifying Configuration Information

When the server reboots, you are required to complete the following configuration information:

3.6.1 Specifying the Password for the System Administrator “root”

In the Password for the System Administrator root page:

  1. Specify the password for the root administrator.

    For security reasons, the root user’s password should be at least five characters long and should contain a mixture of both uppercase and lowercase letters and numbers. Passwords are case sensitive.

    The default password length limit is 8 characters. The maximum possible length for passwords is 72 characters. If you have a password longer than eight characters, click Expert Options > Blowfish > OK.

  2. Confirm the password.

  3. Click Next.

3.6.2 Specifying the Hostname and Domain Name

On the Hostname and Domain Name page:

  1. Specify the DNS hostname associated with the IP address you have or will assign to the server.

  2. Specify the DNS domain name for the server.

  3. Deselect Change Hostname via DHCP.

  4. Click Next.

3.6.3 Specifying Network Configuration Settings

On the Network Configuration page, you can change the configuration for the following, most of which do not apply in an OES server installation scenario:

  • Network Mode

  • Firewall

  • IPv6

  • Network Interfaces

  • DSL Connections

  • ISDN Adapters

  • Modems

  • VNC Remote Administration

  • Proxy

In this section, we give details only for the components that apply to OES servers.

Network Interface

Configuration success is directly tied to specific networking configuration requirements. Make sure that the settings covered in the steps that follow are configured exactly as specified.

Specify the setting for each network board on the server:

  1. On the Network Configuration page, click Network Interfaces.

  2. On the Network Card Configuration Overview page, select the network card you want to configure, then click Edit.

  3. Select Static Address Setup, then specify the IP address and the subnet mask for the interface.

    OES requires a static IP address.

  4. In the Detailed Settings list, select Hostname and Name Server.

    1. In the Name Servers and Domain Search List panel, specify from one to three DNS server IP addresses.

    2. Click OK to return to the Detailed Settings list.

  5. In the Detailed Settings list, select Routing.

    1. Specify the IP address of the default gateway on the subnet where you are installing the OES server.

    2. Click OK to return to the Detailed Settings list.

  6. Click Next to return to the Network Card Configuration Overview page.

  7. Complete Step 2 through Step 6 for each network board, then click Next to return to the main Network Configuration page.

Firewall

For security reasons, a firewall is started automatically on each configured interface. The configuration proposal for the firewall is updated automatically every time the configuration of the interfaces or services is modified.

Many of the OES services require an open port in the firewall. Table 3-2 shows the ports that are automatically opened when each listed OES service is configured.

Table 3-2 Open Enterprise Server Services and Ports

Service

Default Ports

Domain Services for Windows

  • 1636

eDirectory

  • 389 (LDAP)

  • 636 (secure LDAP)

    IMPORTANT: The scripts that manage the common proxy user introduced in OES 2 SP3 require port 636 for secure LDAP communications.

  • 8028 (HTTP for iMonitor)

  • 8030 (secure HTTP for iMonitor)

  • 524 (NCP)

iManager

  • 80 (HTTP)

  • 443 (secure HTTP)

iPrint

  • 80 (HTTP)

  • 443 (secure HTTP)

  • 631 (IPP)

Novell AFP

  • 548

Novell Archive and Version Services

  • 26029

Novell CIFS

  • 636 (secure LDAP)

    IMPORTANT: The scripts that manage the common proxy user introduced in OES 2 SP3 require port 636 for secure LDAP communications.

Novell DHCP

  • 67

Novell DNS

  • 53 (HTTP)

  • 953 (secure HTTP)

Novell FTP

  • 21

Novell Information Portal

  • 80 (HTTP)

  • 443 (secure HTTP)

Novell NetWare Core Protocol (NCP)

  • 524

Novell Remote Manager

  • 8008 (HTTP)

  • 8009 (secure HTTP)

OpenWBEM

  • 5988 (HTTP)

  • 5989 (secure HTTP)

QuickFinder

  • 80 (HTTP)

  • 443 (secure HTTP)

Samba

  • 139 (Netbios)

  • 445 (Microsoft-ds)

Secure Shell

  • 22

Storage Management Services (Backup)

  • 40193 (smdr daemon)

UDP

  • 524
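As an added example that is not part of this guide or of the OES installer, the following Python script transcribes Table 3-2 into a lookup and audits a server's listening sockets against the OES services that were actually configured, so that a port that is open with no configured service behind it, or a configured service that is not listening, stands out. The service names and port numbers come from the table; the listener lines, in the shape of ss -tuln output, and the list of configured services are constructed sample data.

```python
"""Audit listening ports against Table 3-2 (added example; not part of the OES installer)."""
from typing import Dict, Iterable, List, Set

# Default ports per OES service, transcribed from Table 3-2.
SERVICE_PORTS: Dict[str, Set[int]] = {
    "Domain Services for Windows": {1636},
    "eDirectory": {389, 636, 8028, 8030, 524},
    "iManager": {80, 443},
    "iPrint": {80, 443, 631},
    "Novell AFP": {548},
    "Novell Archive and Version Services": {26029},
    "Novell CIFS": {636},
    "Novell DHCP": {67},
    "Novell DNS": {53, 953},
    "Novell FTP": {21},
    "Novell Information Portal": {80, 443},
    "Novell NetWare Core Protocol (NCP)": {524},
    "Novell Remote Manager": {8008, 8009},
    "OpenWBEM": {5988, 5989},
    "QuickFinder": {80, 443},
    "Samba": {139, 445},
    "Secure Shell": {22},
    "Storage Management Services (Backup)": {40193},
}


def expected_ports(configured: Iterable[str]) -> Set[int]:
    """Union of the default ports of every OES service that was configured on the server."""
    ports: Set[int] = set()
    for service in configured:
        if service not in SERVICE_PORTS:
            raise KeyError(f"{service!r} is not a service listed in Table 3-2")
        ports |= SERVICE_PORTS[service]
    return ports


def parse_listening_ports(ss_output: str) -> Set[int]:
    """Extract local port numbers from 'ss -tuln'-style lines; the header line is skipped."""
    ports: Set[int] = set()
    for line in ss_output.strip().splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
            continue
        port = fields[4].rsplit(":", 1)[1]       # Local Address:Port, e.g. *:389 or [::]:22
        if port.isdigit():
            ports.add(int(port))
    return ports


def services_for_port(port: int) -> List[str]:
    """Which services in Table 3-2 use this port, to explain an unexpected listener."""
    return sorted(svc for svc, ports in SERVICE_PORTS.items() if port in ports)


def audit(configured: Iterable[str], ss_output: str) -> Dict[str, object]:
    """Compare what is listening with what the configured services are expected to open."""
    expected = expected_ports(configured)
    listening = parse_listening_ports(ss_output)
    return {
        "missing": sorted(expected - listening),               # configured but not listening
        "unexpected": {p: services_for_port(p) for p in sorted(listening - expected)},
    }


# Constructed sample: a server where eDirectory, iManager and SSH were configured.
CONFIGURED_SERVICES = ["eDirectory", "iManager", "Secure Shell"]
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   LISTEN 0      128    *:22              *:*
tcp   LISTEN 0      128    *:389             *:*
tcp   LISTEN 0      128    *:636             *:*
tcp   LISTEN 0      128    *:8028            *:*
tcp   LISTEN 0      128    *:524             *:*
tcp   LISTEN 0      128    *:80              *:*
tcp   LISTEN 0      128    *:443             *:*
tcp   LISTEN 0      128    *:5988            *:*
tcp   LISTEN 0      128    *:631             *:*
udp   UNCONN 0      0      *:524             *:*
"""

if __name__ == "__main__":
    result = audit(CONFIGURED_SERVICES, SAMPLE_SS_OUTPUT)
    print("configured but not listening:", result["missing"])
    for port, services in result["unexpected"].items():
        print(f"listening but not configured: {port} (used by {', '.join(services)})")
```

On a real server, replace the constructed text with the output of ss -tuln (or the equivalent netstat listing) and the list of services you selected in the OES configuration summary; an unexpected listener is a candidate for closing in the firewall proposal, and a missing one usually means the service failed to start.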

To adapt the automatic settings to your own preferences:

  1. Click Change > Firewall.

  2. In the left panel, select the settings you want to change, then make the changes in the right panel.

  3. When you are finished, click Accept.

For more information about the firewall, see Section 44.4.1, “Configuring the Firewall with YaST” in the SUSE Linux Enterprise Server Installation and Administration Guide.

To disable the firewall:

  1. On the Network Configuration page, under Firewall, click enabled on the Firewall is enabled status line.

    When the firewall is disabled, the status for Firewall should read Firewall is disabled.

  2. Verify that the settings on the Network Configuration page are set as desired, then click Next to save the configuration, then continue with Testing the Connection to the Internet.

3.6.4 Testing the Connection to the Internet

On the Test Internet Connection page:

  1. Select Yes, Test Connection to the Internet, then click Next.

    Obtaining the latest SUSE release notes might fail at this point. If it does, view the log to verify that the network configuration is correct, then click Next.

    If the network configuration is not correct, click Back > Back and fix your network configuration. See Network Interface.

    IMPORTANT: Do not skip this test. For a successful install, you must configure the Novell Customer Center and update SLES 10 SP4 from the patch channel before configuring OES services.

  2. Continue with Specifying Novell Customer Center Configuration Settings.

3.6.5 Specifying Novell Customer Center Configuration Settings

In contrast to OES 2 SP2, OES 2 SP3 requires that the SLES 10 SP4 base be updated prior to installing and configuring OES 2 SP3 services. If not, some OES services, such as Novell FTP, will not function properly after the installation and will need to be configured again after the SLES patches are applied.

Therefore, when you are entering the Novell Customer Center configuration information, it is critical that you enter either your purchased SLES 10 SP4 code or the 60-day evaluation code available with your SLES 10 SP4 download.

  1. On the Novell Customer Center Configuration page, select all of the following options, then click Next.

    • Configure Now: Proceeds with registering this server and the SLES 10 SP4 and OES 2 SP3 products in the Novell Customer Center.

    • Hardware Profile: Sends information to the Novell Customer Center about the hardware that you are installing SLES 10 SP4 and OES 2 SP3 on.

    • Optional Information: Sends optional information to the Novell Customer Center for your registration. For this release, this option doesn’t send any additional information.

    • Registration Code: Makes the registration with activation codes mandatory.

    • Regularly Synchronize with the Customer Center: Keeps the installation sources for this server valid. It does not remove any installation sources that were manually added.

  2. After you click Next, the following message is displayed.

    contacting server

    Wait until this message disappears and the Manual Interaction Required page displays.

  3. On the Manual Interaction Required page, note the information that you will be required to specify, then click Continue.

  4. On the Novell Customer Center Registration page, specify the required information in the following fields, then click Submit:

    • Email Address: The e-mail address for your Novell Login account.

    • Confirm Email Address: The same e-mail address for your Novell Login account.

    • Activation Code for SLES Components (optional): Your purchased or 60-day evaluation registration code for the SLES 10 product. If you don’t specify a code, the server cannot receive any updates or patches.

    • Activation Code for OES Components (optional): Your purchased or 60-day evaluation registration code for the OES 2 product. If you don’t specify a code, the server cannot receive any updates or patches.

    • System Name or Description (optional): A description to identify this server.

  5. When the message to complete the registration displays, click Continue.

  6. After you click Continue, the following message is displayed with the Manual Interaction Required screen.

    contacting server

    Wait until this message disappears and Novell Customer Center Configuration page displays.

  7. When you see the message Your configuration was successful on the Novell Customer Center Configuration page, click OK.

  8. Continue with Updating the Server Software.

3.6.6 Updating the Server Software

When you have a successful connection to the Internet and have registered the server in the Novell Customer Center, the server displays the Online Update page. You must run the online update now for a successful OES installation.

  1. On the Online Updates page, click Run Update > Next.

  2. On the page that shows that updates are available, click Accept.

    The check marks that are shown on the summary portion of the page are patches that have already been installed on your system.

  3. When you see the following message, click Accept.

  4. When you see the following message, click Next.

  5. In the pop-up that informs you about the kernel update, click OK.

    The system reboots before continuing the installation.

  6. Continue with Specifying Service Configuration Settings.

3.6.7 Specifying Service Configuration Settings

Because the server was rebooted during the installation, the default settings for CA Management have lost the root password, as indicated by the red text under CA Management.

  1. Reset the password for root.

    1. On the Installation Settings page, click the CA Management link.

    2. On the Managing CA and Certificates page, click Edit Default Settings.

    3. On the Edit Default Settings page, specify the password for root in the Password and Confirm Password fields, then click Next.

      The Installation Settings page reappears with no red text.

  2. Observe the settings on the Installation Settings page.

    • CA Management: This indicates the certificate that is used by the Apache Web server if another certificate is not specified.

      By default, OES creates and installs a replacement eDirectory certificate later in the installation process. We recommend that you accept the eDirectory certificate option because it is much more secure than the certificate that is proposed.

      Alternatively, you can install a third-party certificate.

      In all cases, do not disable the configuration at this point because the services that use Apache will not work if you do.

      For more information about OES certificate management, see Certificate Management in the OES 2 SP3: Planning and Implementation Guide.

    • OpenLDAP Server: Do not enable this option. On OES servers, Novell eDirectory LDAP server replaces the SLES 10 OpenLDAP server.

  3. If you are not installing a third-party certificate, click Next.

    or

    If you are installing a third-party certificate, click CA Management and refer to the information about Certificate Authority Management on SLES in “Managing X.509 Certification” in the SUSE LINUX Enterprise Server 10 Installation and Administration Guide. Then return to these instructions to continue your OES installation.

  4. If you did not select the Novell eDirectory pattern for this server, continue with Specifying LDAP Configuration Settings.

    Otherwise, skip the next section and continue with Specifying eDirectory Configuration Settings.

3.6.8 Specifying LDAP Configuration Settings

Many of the OES services require eDirectory. If eDirectory was not selected as a product to install on this server but other OES services that do require LDAP services were installed, the LDAP Configuration service displays, so that you can complete the required information.

To specify the required information on the Configured LDAP Server page:

  1. In the eDirectory Tree Name field, specify the name for the existing eDirectory tree that you are installing this server into.

  2. In the Admin Name and Context field, specify the name and context for user Admin in the existing tree.

  3. In the Admin Password Name field, specify the password for user Admin in the existing tree.

  4. Add the LDAP servers that you want the services on this server to use. The servers that you add should hold the master or a read/write replica of eDirectory. Do the following for each server you want to add:

    1. Click Add.

    2. On the next page, specify the following information for the server to add, then click Add.

      • IP address

      • LDAP port and secure LDAP port

  5. When all the LDAP servers that you want to specify are listed, click Next.

  6. Verify that the Novell Open Enterprise Server Configuration page displays the settings that you expected, then click Next.

  7. Continue with Configuring OES Services.

3.6.9 Specifying eDirectory Configuration Settings

When you specify the eDirectory configuration settings, you can specify information to create a new tree and install the server in that new tree or you can install the server into an existing tree by specifying the information for it. Use the following instructions as applicable:

Creating a New eDirectory Tree and Installing the Server in It

  1. On the eDirectory Configuration - New or Existing Tree page, select New Tree.

  2. In the eDirectory Tree Name field, specify a name for the eDirectory tree that you want to create.

    On OES servers, services that provide HTTPS connectivity are configured to use one of the following certificates:

    • An eDirectory certificate issued by the Novell International Cryptographic Infrastructure (NICI),

    • A third-party server certificate,

    • The YaST self-signed common server certificate created in Step 2.

      Self-signed certificates provide minimal security and limited trust. Unless you have invested in a third-party certificate, we recommend that you use the eDirectory certificates instead.

    By default, the Use eDirectory Certificates for HTTPS Services check box is selected. This means that the existing server certificate and key files (YaST or third-party) will be replaced with eDirectory server certificate and key files.

    The default YaST server certificate and key files are:

    • Key file: /etc/ssl/servercerts/serverkey.pem

    • Certificate file: /etc/ssl/servercerts/servercert.pem

    The eDirectory server certificate and key files are:

    • Key file: /etc/ssl/servercerts/eDirkey.pem

    • Certificate file: /etc/ssl/servercerts/eDircert.pem

    For more information on certificate management, see Certificate Management in the OES 2 SP3: Planning and Implementation Guide.

  3. On the eDirectory Configuration - New Tree Information page, specify the required information:

    • The fully distinguished name and context for the user Admin on the existing server

    • The password for user Admin on the existing server.

  4. Click Next.

  5. On the eDirectory Configuration - Local Server Configuration page, specify the following information:

    • The context for the server object in the eDirectory tree.

    • A location for the eDirectory database.

      The default path is /var/opt/novell/eDirectory/data/dib, but you can use this option to change the location if you expect to have a large number of objects in your tree and if the current file system does not have sufficient space.

    • The ports to use for servicing LDAP requests.

      The default ports are 389 (non-secure) and 636 (secure).

      IMPORTANT: The scripts that manage the common proxy user introduced in OES 2 SP3 require port 636 for secure LDAP communications.

    • The ports to use for providing access to the iMonitor application.

      The default ports are 8028 (non-secure) and 8030 (secure).

  6. Click Next and continue with Specifying Synchronizing Server Time Options.

Installing the Server into an Existing eDirectory Tree

  1. On the eDirectory Configuration - New or Existing Tree page, select Existing Tree.

  2. In the eDirectory Tree Name field, specify a name for the eDirectory tree you want to join.

    On OES servers, services that provide HTTPS connectivity are configured to use either of the following:

    • An eDirectory certificate issued by the Novell International Cryptographic Infrastructure (NICI)

    • The YaST self-signed common server certificate created in Step 2.

      Self-signed certificates provide minimal security and limited trust; we recommend that you use the eDirectory certificates instead.

    By default, the Use eDirectory Certificates for HTTPS Services check box is selected. This means that the existing YaST server certificate and key files will be replaced with eDirectory server certificate and key files.

    The default YaST server certificate and key files are:

    • Key file: /etc/ssl/servercerts/serverkey.pem

    • Certificate file: /etc/ssl/servercerts/servercert.pem

    The eDirectory server certificate and key files are:

    • Key file: /etc/ssl/servercerts/eDirkey.pem

    • Certificate file: /etc/ssl/servercerts/eDircert.pem

    For more information on certificate management, see Certificate Management in the OES 2 SP3: Planning and Implementation Guide.

  3. On the eDirectory Configuration - Existing Tree Information page, specify the required information:

    • The IP address of an existing eDirectory server with a replica

    • The NCP port on the existing server

    • The LDAP and secure LDAP port on the existing server.

    • The fully distinguished name and context for the user Admin on the existing server

    • The password for user Admin on the existing server.

  4. Click Next.

  5. On the eDirectory Configuration - Local Server Configuration page, specify the following information:

    • The context for the server object in the eDirectory tree.

    • A location for the eDirectory database.

      The default path is /var/opt/novell/eDirectory/data/dib, but you can use this option to change the location if you expect to have a large number of objects in your tree and if the current file system does not have sufficient space.

    • The ports to use for servicing LDAP requests.

      The default ports are 389 (non-secure) and 636 (secure).

      IMPORTANT: The scripts that manage the common proxy user introduced in OES 2 SP3 require port 636 for secure LDAP communications.

    • The ports to use for providing access to the iMonitor application.

      The default ports are 8028 (non-secure) and 8030 (secure).

  6. Click Next and continue with Specifying Synchronizing Server Time Options.

Specifying Synchronizing Server Time Options

eDirectory requires that all OES and NetWare servers are time-synchronized.

  1. On the eDirectory Configuration - NTP & SLP page, in the Network Time Protocol (NTP) Server field, specify the IP address or DNS hostname of an NTP server.

    For the first server in a tree, we recommend specifying a reliable external time source.

    When you install multiple servers into the same eDirectory tree, make sure that all servers point to the same time source and not to the server holding the master replica.

    For servers joining a tree, specify the same external NTP time source that the tree is using, or specify the IP address of a configured time source in the tree. A time source in the tree should be running time services for 15 minutes or more before connecting to it, or the time synchronization request for the installation fails.

    If the time source server is NetWare 5.0 or earlier, you must specify an alternate NTP time source, or the time synchronization request fails.

  2. If you want to use the server’s hardware clock, select Use Local Clock.

    For servers joining a tree, the installation does not let you proceed if you select this option. You must specify the same external NTP time source that the tree is using, or specify the IP address of a configured time source in the tree that has been running time services for 15 minutes or more.

  3. Continue with Specifying SLP Configuration Options.

For more information on time synchronization, see Implementing Time Synchronization in the OES 2 SP3: Planning and Implementation Guide.

Specifying SLP Configuration Options

  1. On the eDirectory Configuration - NTP & SLP page, specify the SLP options as desired.

    You have the following options for configuring SLP:

    • Do Not Configure SLP: This option is good for eDirectory trees with three or fewer eDirectory servers.

      Without SLP, users can’t see a tree list, but they should still be able to attach to a tree by name. Users can configure the Novell Client to use DNS, or they can configure the local host file (%SystemDrive%\windows\system32\drivers\etc\hosts on WinXP) to resolve tree and server names. Users can also specify preferred tree and context information in the DHCP Settings page of the Novell Client.

    • Use Multicast to Access SLP: This option allows the server to request SLP information by using multicast packets. Use this in environments that have not established SLP DAs (Directory Agents).

      IMPORTANT: If you select this option, you must disable the firewall for SLP to work correctly. Multicast creates a significant amount of network traffic and can reduce network throughput.

    • Configure SLP to use an existing Directory Agent: This option configures SLP to use an existing Directory Agent (DA) in your network. Use this in environments that have established SLP DAs. When you select this option, you configure the servers to use by adding or removing them from the SLP Directory Agent list.

    • Configure as Directory Agent: This option configures this server as a Directory Agent (DA). This is useful if you plan to have more than three servers in the tree and want to set up SLP during the installation.

      • DASyncReg: This option causes SLP, when it starts, to query the Directory Agents listed under Configured SLP Directory Agents for their current lists of registered services. It also causes the DA to share service registrations that it receives with the other DAs in the SLP Directory Agent list.

      • Backup SLP Registrations: This option causes SLP to back up the list of services that are registered with this Directory Agent on the local disk.

      • Backup Interval in Seconds: This specifies how often the list of registered services is backed up.

    • Service Location Protocols and Scope: This option configures the scopes that a user agent (UA) or service agent (SA) is allowed when making requests or when registering services, or specifies the scopes a directory agent (DA) must support. The default value is DEFAULT. Use commas to separate each scope. For example, net.slp.useScopes = myScope1,myScope2,myScope3.

    • Configured SLP Directory Agents: This option lets you manage the list of hostname or IP addresses of one or more external servers on which an SLP Directory Agent is running.

  2. Click Next and confirm your selection if necessary, then continue with Selecting the Novell Modular Authentication Services (NMAS) Login Method.

Selecting the Novell Modular Authentication Services (NMAS) Login Method

  1. On the Novell Modular Authentication Services page, select all the login methods you want to install.

    IMPORTANT: The NMAS client software must be installed on each client workstation where you want to use the NMAS login methods. The NMAS client software is included with the Novell Client software.

    The following methods are available:

    • CertMutual: The Certificate Mutual login method implements the Simple Authentication and Security Layer (SASL) EXTERNAL mechanism, which uses SSL certificates to provide client authentication to eDirectory through LDAP.

    • Challenge Response: The Challenge-Response login method works with the Identity Manager password self-service process. This method allows either an administrator or a user to define a password challenge question and a response, which are saved in the password policy. Then, when users forget their passwords, they can reset their own passwords by providing the correct response to the challenge question.

    • DIGEST-MD5: The Digest MD5 login method implements the Simple Authentication and Security Layer (SASL) DIGEST-MD5 mechanism as a means of authenticating the user to eDirectory through LDAP.

    • NDS: The NDS login method provides secure password challenge-response user authentication to eDirectory. This method is installed by default and supports the traditional NDS password when the NMAS client is in use. Reinstallation is necessary only if the NDS login method object has been removed from the directory.

    • Simple Password: The Simple Password NMAS login method provides password authentication to eDirectory. The Simple Password is a more flexible but less secure alternative to the NDS password. Simple Passwords are stored in a secret store on the user object.

    • SASL GSSAPI: The SASL GSSAPI login method implements the Generic Security Services Application Program Interface (GSSAPI) authentication. It uses the Simple Authentication and Security Layer (SASL), which enables users to authenticate to eDirectory through LDAP by using a Kerberos ticket.

    For more information about installing and configuring eDirectory, see “Installing or Upgrading Novell eDirectory on Linux” in the Novell eDirectory 8.8 Installation Guide.

    For more information on these login methods, see the online help and Managing Login and Post-Login Methods and Sequences in the Novell Modular Authentication Services 3.3.1 Administration Guide.

  2. Click Next, then continue with Specifying OES Common Proxy User Information.

Specifying OES Common Proxy User Information

For information about this option introduced with OES 2 SP3, see Common Proxy User - New in SP3 in the OES 2 SP3: Planning and Implementation Guide.

  1. On the OES Common Proxy User Information page, specify the configuration settings for this user.

    • Use Common Proxy User as Default for OES Products: Selecting this option configures the specified common proxy user for the following services: CIFS, DNS, DHCP, iFolder, NetStorage, and NCS. Optionally, you can specify that LUM uses it.

    • OES Common Proxy User Name: By default, the common proxy user’s name is OESCommonProxy_hostname, but you can specify any name that fits your naming methodology. For more information, see Can I Change the Common Proxy User Name and Context? in the OES 2 SP3: Planning and Implementation Guide.

      IMPORTANT: Do not change the context of the common proxy user object until you read and understand the information in New Container Creation Not Possible During a New Install in the OES 2 SP3 Readme.

    • OES Common Proxy User Password: You can accept the default system-generated password or specify a new password for the common proxy user.

      IMPORTANT: Unless you have specific requirements to know the password of this system user, we recommend that you leverage the automatic password functionality that is newly introduced in SP3.

    • Verify OES Common Proxy User Password: If you specified a different password, type the same password in this field. Otherwise, the system-generated password is automatically included.

    • Assign Common Proxy Password Policy to Proxy User: The initial common proxy password policy is a simple password policy created with default rules. If desired, you can modify this policy after the installation to enforce stricter rules regarding password length, characters supported, expiration intervals, etc.

  2. Continue with Configuring OES Services.

3.6.10 Configuring OES Services

After you complete the LDAP configuration or the eDirectory configuration, the Novell Open Enterprise Server Configuration summary page is displayed, showing all the OES components you installed and their configuration settings.

  1. Review the setting for each component and click the component heading to change any settings.

    For help with specifying the configuration information for OES services, see the information in Configuration Guidelines for OES Services.

  2. When you are satisfied with the settings for each component, click Next.

  3. When you confirm the OES component configurations, you might receive the following error:

    The proposal contains an error that must be resolved before continuing.

    If this error is displayed, check the summary list of configured products for any messages immediately below each product heading. These messages indicate products or services that need to be configured. If you are running the YaST graphical interface, the messages are red text. If you are using the YaST text-based interface, they are not red.

    For example, if you selected Linux User Management in connection with other OES products or services, you might see a message similar to the following:

    Linux User Management needs to be configured before you can continue or disable the configuration.

    If you see a message like this, do the following:

    1. On the summary page, click the heading for the component.

    2. Supply the missing information in each configuration page.

      When you specify the configuration information for OES services, see the information in Configuration Guidelines for OES Services; or, if you are reading online, click a link below:

      When you have finished the configuration of a component, you are returned to the Novell Open Enterprise Server Configuration summary page.

    3. If you want to skip the configuration of a specific component and configure it later, click Enabled in the Configuration is enabled status to change the status to Configuration is disabled.

      If you change the status to Configuration is disabled, you need to configure the OES components after the installation is complete. See Installing or Configuring OES 2 SP3 on an Existing Server.

  4. After resolving all product configuration problems, click Next to proceed with the configuration of all components.

  5. When the configuration is complete, continue with Section 3.7, Finishing the Installation.

3.6.11 Configuration Guidelines for OES Services

Service Configuration Caveats

Keep the following items in mind as you configure OES 2 SP3:

Table 3-3 Caveats for Configuring OES Services

Issue

Guideline

Software Selections When Using Text-Based YaST

Some older machines, such as a Dell 1300, use the text mode install by default when the video card does not meet SLES 10 specifications. When you go to the Software Selection, and then to the details of the OES software selections, YaST doesn’t bring up the OES selections like it does when you use the graphical YaST (YaST2).

To view the Software Selection and System Task screen, select Filter > Pattern (or press Alt+F > Alt+I).

Specifying a State identifier for a Locality Class object

If you want to specify a state identifier, such as California, Utah, or Karnataka, as a Locality Class object in your eDirectory tree hierarchy, you must make sure to use the correct abbreviation in your LDAP (comma-delimited) or NDAP (period-delimited) syntax.

When using LDAP syntax, use st to specify a state. For example:

ou=example_organization,o=example_company,st=utah,c=us

When using NDAP syntax, use s to specify a state. For example:

ou=example_organization.o=example_company.s=utah.c=us

Specifying Typeful Admin Names

When you install OES, you must specify a fully distinguished admin name by using the typeful, LDAP syntax that includes object type abbreviations (cn=, ou=, o=, etc.). For example, you might specify the following:

cn=admin,ou=example_organization,o=example_company

Using Dot-Delimited or Comma-Delimited Input for All Products

For all parameters requiring full contexts, you can separate the names by using comma-delimited syntax; you must be consistent in your usage within the field.

The OES installation routine displays all input in the comma-delimited (LDAP) format. However, it converts the name separators to dots when this is required by individual product components.

IMPORTANT: After the OES components are installed, be sure to follow the conventions specified in the documentation for each product. Some contexts must be specified using periods (.) and others using commas (,). However, eDirectory supports names like cn=juan\.garcia.ou=users.o=novell. The period (.) inside a name component must be escaped.

When using NDAP format (dot), you must escape all embedded dots. For example: cn=admin.o=novell\.provo

When using LDAP format (commas), you must escape all embedded commas. For example: cn=admin,o=novell\,provo

The installation disallows a backslash and period (\.) in the CN portion of the admin name.

For example, these names are supported:

cn=admin.o=novell
cn=admin.o=novell\.provo
cn=admin.ou=deployment\.linux.o=novell\.provo

These names are not supported:

cn=admin\.first.o=novell
cn=admin\.root.o=novell

Before LUM-enabling users whose cn contains a period (.), you must remove the backslash (\) from the unique_id field of the User object container.

For example, cn=juan.garcia has a unique_id attribute = juan\.garcia. Before such a user can be LUM-enabled, the backslash (\) must be removed from the unique_id attribute.
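The following is an added example, not Novell's code or part of this guide, that applies the naming rules above in Python: it converts a typeful name between LDAP (comma-delimited) and NDAP (period-delimited) syntax with the escaping described, swaps the st/s state abbreviation, checks the install's rule against a backslash-period in the CN portion, and performs the LUM unique_id clean-up. The function names are the example's own.

```python
"""Typeful-name helpers for the OES admin-name rules in the table above.

Added example (not Novell's code): converts a typeful name between LDAP
(comma-delimited) and NDAP (period-delimited) syntax, escaping the separator
when it occurs inside a value, swaps the st/s state abbreviation, applies the
install's rule against an escaped period in the CN portion, and performs the
LUM unique_id clean-up. Only the separator escapes described in the guide are
handled; other RFC 4514 escape sequences are out of scope.
"""
from __future__ import annotations

# Attribute-type abbreviations that differ between the two syntaxes
# (cn, ou, o and c are spelled the same in both).
LDAP_TO_NDAP_TYPES = {"st": "s"}
NDAP_TO_LDAP_TYPES = {"s": "st"}


def split_components(name: str, sep: str) -> list[str]:
    """Split a typeful name on unescaped occurrences of sep.

    A separator preceded by a backslash belongs to the value and is kept
    together with its backslash, so 'o=novell\\.provo' stays one component.
    """
    parts: list[str] = []
    current: list[str] = []
    i = 0
    while i < len(name):
        ch = name[i]
        if ch == "\\" and i + 1 < len(name):
            current.extend((ch, name[i + 1]))  # keep the escape pair intact
            i += 2
            continue
        if ch == sep:
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    parts.append("".join(current))
    return parts


def parse_typeful(component: str) -> tuple[str, str]:
    """Return (type, value) for 'type=value'; the type is lower-cased."""
    attr_type, eq, value = component.partition("=")
    if not eq or not attr_type.strip() or not value.strip():
        raise ValueError(f"not a typeful component: {component!r}")
    return attr_type.strip().lower(), value.strip()


def ldap_to_ndap(dn: str) -> str:
    """'cn=admin,o=novell.provo' -> 'cn=admin.o=novell\\.provo'"""
    out = []
    for comp in split_components(dn, ","):
        t, v = parse_typeful(comp)
        v = v.replace("\\,", ",")  # a comma is plain text in NDAP syntax
        v = v.replace(".", "\\.")  # an embedded period must be escaped in NDAP
        out.append(f"{LDAP_TO_NDAP_TYPES.get(t, t)}={v}")
    return ".".join(out)


def ndap_to_ldap(dn: str) -> str:
    """'cn=admin.o=novell\\.provo' -> 'cn=admin,o=novell.provo'"""
    out = []
    for comp in split_components(dn, "."):
        t, v = parse_typeful(comp)
        v = v.replace("\\.", ".")  # a period is plain text in LDAP syntax
        v = v.replace(",", "\\,")  # an embedded comma must be escaped in LDAP
        out.append(f"{NDAP_TO_LDAP_TYPES.get(t, t)}={v}")
    return ",".join(out)


def install_accepts_admin_name(ndap_dn: str) -> bool:
    """The OES install rejects a backslash-period (\\.) in the CN portion."""
    return not any(
        t == "cn" and "\\." in v
        for t, v in map(parse_typeful, split_components(ndap_dn, "."))
    )


def lum_ready_unique_id(unique_id: str) -> str:
    """Drop the escaping backslash before a period, as required before
    LUM-enabling a user such as cn=juan.garcia (unique_id juan\\.garcia)."""
    return unique_id.replace("\\.", ".")


if __name__ == "__main__":
    for ndap in ("cn=admin.o=novell",
                 "cn=admin.ou=deployment\\.linux.o=novell\\.provo",
                 "cn=admin\\.first.o=novell"):
        verdict = "supported" if install_accepts_admin_name(ndap) else "not supported"
        print(f"{ndap:48} {verdict:14} LDAP form: {ndap_to_ldap(ndap)}")
```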

LDAP Configuration for Open Enterprise Services

Table 3-4 LDAP Configuration for Open Enterprise Services Values

Page and Parameters

Configured LDAP Servers

  • eDirectory Tree Name: The eDirectory tree name that you specified when configuring eDirectory; that is, the tree you are installing this server into.

  • Admin Name and Context: The eDirectory Admin name you specified when configuring eDirectory.

  • Admin Password: The password of the eDirectory Admin user.

  • Configured LDAP Servers: You can specify a list of servers that can be used to configure other OES services on this server.

    Each added server must have either the master or a read/write replica of the eDirectory tree. The first server added to the list becomes the default server for the installed and configured OES services to use.

    For each server you must specify an IP Address, LDAP Port, Secure LDAP Port, and Server Type.

    For information about specifying multiple LDAP servers for Linux User Management (LUM), see Configuring a Failover Mechanism in the OES 2 SP3: Novell Linux User Management Administration Guide.

    Default: The eDirectory server you specified when configuring eDirectory.

Novell AFP Services

Table 3-5 Novell Apple Filing Protocol Parameters and Values

Page and Parameters

AFP Configuration - Mac Client Access to NSS Volumes

  • eDirectory Contexts: Specify the FQDN of the eDirectory containers that contain AFP users, for example ou=afp_users.o=novell.

For additional configuration instructions, see Installing and Setting Up AFP in the OES 2 SP3: Novell AFP For Linux Administration Guide.

Novell Archive and Version Services

Table 3-6 Novell Archive and Version Services Parameters and Values

Page and Parameters

Archive and Version Services Configuration

  • Database Port Number: Specify a port number to use for the archive database communications.

    Default: 5432

  • Database Username: Specify a username for the administrator of the archive database (the PostgreSQL database for the archived data).

    IMPORTANT: The Postgres user must be an unprivileged user, not the root user.

    Default: arkuser

  • Database Password: Specify and validate a password for the database user.

    Default: The password for the eDirectory Admin user.

For additional configuration instructions, see Setting Up Archive and Version Services in the OES 2 SP3: Novell Archive and Version Services 2.1 Administration Guide for Linux.

Novell Backup/Storage Management Services (SMS)

Table 3-7 Novell Backup/Storage Management Services Parameters and Values

Page and Parameters

SMS Configuration

  • Directory Server Address: If you do not want to use the default shown, select a different LDAP server in the list.

    If you are installing into an existing tree, ensure that the server you select has a master replica or read/write replica of eDirectory. If you need to add another LDAP server to the list, add it by using the LDAP Configuration for Open Enterprise Services dialog box.

    Default: The first server selected in the LDAP Configuration list of servers.

For additional configuration instructions, see Installing and Configuring SMS.

Novell CIFS for Linux

Table 3-8 Novell CIFS Parameters and Values

Page and Parameters

Novell CIFS Service Configuration

  • eDirectory server address or host name: Leave the default or select from the drop-down list to change to a different server.

  • LDAP port for CIFS Server: Displays the port value.

  • Local NCP Server context: Displays the NCP Server context.

  • CIFS Proxy User

    • Use existing user as CIFS Proxy User: Select this option to use an existing proxy user for the CIFS service.

      If you specified the server’s common proxy user, this option is selected.

    • Create a new CIFS Proxy User: Select this option to create a new proxy user for the CIFS service.

    • CIFS Proxy User Name: Specify the FQDN (fully qualified distinguished name) of the CIFS proxy user.

      For example: cn=user, o=novell

      NOTE: This user is granted rights to read the passwords of any users, including non-CIFS users, that are governed by any of the password policies you select in the Novell CIFS Service Configuration page.

    • CIFS Proxy User Password: Specify a password for the CIFS proxy user to use when authenticating to the CIFS server, and verify the password if you are specifying an existing proxy user.

      For more information on proxy user and password management, see Planning Your Proxy Users in the OES 2 SP3: Planning and Implementation Guide.

  • Credential Storage Location: Accept CASA or specify the Local File option.

    The CIFS proxy user password is encrypted and encoded in the credential storage location.

    Default: CASA

Novell CIFS Service Configuration (2)

  • eDirectory Contexts: Provide a list of contexts that are searched when the CIFS User enters a username. The server searches each context in the list until it finds the correct user object.

Novell CIFS Service Configuration (3)

For additional configuration instructions, see Installing, Upgrading, and Setting Up CIFS in the OES 2 SP3: Novell CIFS for Linux Administration Guide and the OES 2 SP3: Novell AFP For Linux Administration Guide.

Novell Cluster Services

Table 3-9 Novell Cluster Services Parameters and Values

Page and Parameters

Novell Cluster Services (NCS) Configuration

  • New or Existing Cluster: Specify whether the server is part of a new cluster or is joining an existing cluster.

    Default: New Cluster

  • Directory Server Address: The IP address shown is the default LDAP server for this service. If you do not want to use the default, select a different LDAP server in the list.

    If you are installing into an existing tree, ensure that the server you select has a master replica or read/write replica of eDirectory. If you need to add another LDAP server to the list, add it by using the LDAP Configuration for Open Enterprise Services dialog box.

    Default: The first server selected in the LDAP Configuration list of servers.

  • Cluster FDN: Specify or browse to the fully distinguished name (FDN) of the cluster. Use the comma format illustrated in the example. Do not use dots.

    If you are creating a new cluster, this is the name of the new cluster and the eDirectory context where the new cluster object will reside. You must specify an existing context. Specifying a new context does not create a new context.

    If you are adding a server to an existing cluster, this is the name and eDirectory context of the cluster that you are adding this server to.

    Cluster names must be unique. You cannot create two clusters with the same name in the same eDirectory tree. Cluster names are case sensitive on Linux.

  • Cluster IP Address: If you are creating a new cluster, specify a unique IP address for the cluster.

    The cluster IP address is separate from the server IP address and is required to be on the same IP subnet as the other servers in the cluster.

  • Storage Device With Shared Media: If you are creating a new cluster, select the device where the Split Brain Detector (SBD) partition will be created.

    If you have a shared disk system attached to your cluster servers, Novell Cluster Services creates a small cluster partition on that shared disk system. This small cluster partition is referred to as the Split Brain Detector (SBD) partition. Specify the drive or device where you want the small cluster partition created.

    You must have at least 20 MB of free space on one of the shared disk drives to create the cluster partition. If no free space is available, the shared disk drives cannot be used by Novell Cluster Services.

    If you do not have a shared disk system connected to your cluster servers, accept the default (none). You must create the SBD manually before adding a second server to the cluster.

    Default: none

  • Optional Device for Mirrored Partitions: If you want to mirror the SBD partition for greater fault tolerance, select the device where you want the mirror to be. You can also mirror SBD partitions after installing Novell Cluster Services.

Novell Cluster Services (NCS) Configuration (2)

  • IP Address of this Node: This field contains the IP address of this node. If this server has multiple IP addresses, you can change the default address to another value if desired.

  • Start Cluster Services Now: Select this box if you want clustering to start now. If you want clustering to start after rebooting, or if you want to manually start it later, deselect this box.

    This option applies only to installing Novell Cluster Services after the OES installation because it starts automatically when the server initializes during the installation.

    If you choose not to start the Novell Cluster Services software, you need to either manually start it after the installation, or reboot the cluster server to start it automatically. You can manually start Novell Cluster Services by going to the /etc/init.d directory and entering ./novell-ncs start at the server console of the cluster server.

    Default: Selected

Proxy User Configuration

Specify one of the following users as the NCS Proxy user.

  • OES Common Proxy User: If the OES common proxy user is enabled in eDirectory, the Use OES Common Proxy User check box is automatically selected and the NCS Proxy User Name and Specify NCS Proxy User Password fields are populated with the credentials of the OES common proxy user.

  • LDAP Admin User: If the OES common proxy user is disabled in eDirectory, the Use OES Common Proxy User check box is automatically deselected and the NCS Proxy User Name and Specify NCS Proxy User Password fields are populated with the credentials of the LDAP Admin user. The fields are also automatically populated with the LDAP Admin credentials if you deselect the Use OES Common Proxy User check box.

  • Another Administrator User: Deselect the Use OES Common Proxy User check box, then specify the credentials of an administrator user.

For additional instructions, see the OES 2 SP3: Novell Cluster Services 1.8.8 Administration Guide for Linux.

Novell DHCP Services

Table 3-10 Novell DHCP Services Parameters and Values

Page and Parameters

Novell DHCP Services Configuration

  • DHCP Server Context: Specify a context for the DHCP Server object.

    Default: o=example

  • DHCP Server Object Name: Specify the name of the Server object that these DHCP services will be running on.

    This is the DHCP server object that contains a list of DHCP Services (configuration) served by the DHCP Server.

    Default: DHCP_example_server

  • Common DHCP Configuration Object Contexts

    • DHCP Locator Object: Specify the context for the DHCP Locator object.

      The DHCP Locator object has references to dhcpServer and dhcpService objects.

    • Group Context: Specify the context for the DHCP Group object.

      This object is used to grant the necessary rights to the eDirectory user used by the DHCP server to access the DHCP objects.

    Default: o=example

  • Log File Location: Specify the path and filename for the DHCP Services log file. You can type the path manually or click Browse to locate the log.

    Default: Usually /var/log/

  • LDAP Method

    • Static: Select this option if you do not want the DHCP server to query the LDAP server for host details.

    • Dynamic: Select this option if you want the DHCP server to query the LDAP server on every request for host details.

      Selecting the dynamic LDAP method ensures that the responses you receive to queries are accurate, but the server takes a longer time to respond.

    Default: Static

  • Referrals

    A referral is a message that the LDAP server sends to the LDAP client informing it that the server cannot provide complete results and that more data might be on another LDAP server.

    • Chase Referral: Select this option if you want the DHCP server to follow referrals.

    • Do Not Chase Referral: Select this option to ignore LDAP referrals.

Novell DHCP LDAP and Secure Channel Configuration

  • eDirectory Server Address or Host Name: The IP address shown is the default LDAP server for this service. If you do not want to use the default, select a different LDAP server in the list.

    If you are installing into an existing tree, ensure that the server you select has a master replica or read/write replica of eDirectory. If you need to add another LDAP server to the list, add it by using the LDAP Configuration for Open Enterprise Services dialog box.

    Default: The first server selected in the LDAP Configuration list of servers.

  • Use Secure Channel for Configuration: Leaving this option selected causes DHCP configuration information to be transferred over a secure channel.

    Deselecting the option lets a user with fewer privileges configure LDAP services and allows configuration information to be transferred over a non-secure channel.

    Default: Selected

  • LDAP User Name with Context: Specify a typeful, distinguished name and context for an LDAP user.

    This user should be an eDirectory user that can access the DHCP server.

    Default: If you specified a common proxy user, it is used by default. If you didn’t specify a common proxy user, the eDirectory Admin name and context that you specified when configuring eDirectory is specified.

  • LDAP User Password: Type a password for the LDAP user.

  • LDAP Port for DHCP Server: Select a port for the LDAP operations to use.

    IMPORTANT: The scripts that manage the common proxy user introduced in OES 2 SP3 require port 636 for secure LDAP communications.

    Default: 636

  • Use Secure LDAP Channel: Selecting this option ensures that the data transferred between the DHCP server and the LDAP server is secure and private.

    If you deselect this option, the data transferred is in clear text format.

    Default: Selected

  • Certificates (optional)

    • Request Certificate: Specifies what checks to perform on a server certificate in an SSL/TLS session. Select one of the following options:

      • Never: The server does not ask the client for a certificate. This is the default.

      • Allow: The server requests a client certificate, but if a certificate is not provided or a wrong certificate is provided, the session still proceeds normally.

      • Try: The server requests the certificate. If none is provided, the session proceeds normally. If a certificate is provided and it cannot be verified, the session is immediately terminated.

      • Hard: The server requests a certificate. A valid certificate must be provided, or the session is immediately terminated.

    • Paths to Certificate Files: Specify or browse to the path for the certificate files.

      • The LDAP CA file contains the CA certificates.

      • The LDAP client certificate file contains the client certificate.

      • The LDAP client key file contains the key file for the client certificate.

Novell DHCP Services Interface Selection

  • Network Boards for the Novell DHCP Server: From the available interfaces, select the network interfaces that the Novell DHCP server should listen to.

For additional configuration instructions, see Installing and Configuring DHCP in the OES 2 SP3: Novell DNS/DHCP Administration Guide.

Novell DNS Services

Table 3-11 Novell DNS Services Parameters and Values

Page and Parameters

Novell DNS Configuration

  • Directory server address: If you have specified multiple LDAP servers by using the LDAP Configuration for Open Enterprise Services dialog box, you can select a different LDAP server than the first one in the list.

    If you are installing into an existing tree, you must ensure that the selected server has a master or read/write replica of eDirectory.

    Default: The first LDAP server in the LDAP Server Configuration dialog box.

  • Common DNS Configuration Object and User Contexts:

    • Get Context and Proxy User Information from Existing DNS Server: Select this option if you are configuring DNS in an existing tree where DNS is already configured, and you want to use the existing Locator, Root Server Info, Group and Proxy User contexts.

    • Existing Novell DNS Server Address: If you have enabled the previous option, you can type the IP address of an NCP server (must be up and running) that is hosting the existing DNS server.

      To automatically retrieve the contexts of the objects that follow, click Retrieve.

      If you do not want to use the retrieved contexts, you can change them manually.

    • Novell DNS Services Locator Object Context: Specify the context for the DNS Locator object.

      The Locator object contains global defaults, DHCP options, and a list of all DNS and DHCP servers, subnets, and zones in the tree.

      Default: The context you specified for the OES server you are installing.

    • Novell DNS Services Root Server Info Context: Specify the context for the DNS Services root server.

      The RootSrvrInfo Zone is an eDirectory container object that contains resource records for the DNS root servers.

      Default: The context you specified for the OES server you are installing.

    • Novell DNS Services Group Object Context: Specify the context for the DNS Group object.

      This object is used to grant DNS servers the necessary rights to other data within the eDirectory tree.

      Default: The context you specified for the OES server you are installing.

    • Proxy User for DNS Management: Specify the FDN of the DNS proxy user.

      An existing user must have eDirectory read, write, and browse rights under the specified context. If the user doesn’t exist, it is created in the context specified.

      Default: If you specified a common proxy user, it is used by default. If you didn’t specify a common proxy user, the eDirectory Admin name and context that you specified when configuring eDirectory is specified.

    • Specify Password for eDirectory User: Specify the password for the DNS proxy user.

      For more information on proxy user and password management, see Planning Your Proxy Users in the OES 2 SP3: Planning and Implementation Guide.

      Default: The password that you specified for the OES server you are installing.

  • Local NCP Server Context: Specify a context for the local NCP Server object.

    Default: The eDirectory context specified for this OES server.

  • Use Secure LDAP Port: Selecting this option ensures that the data transferred by this service is secure and private.

    If you deselect this option, the transferred data is in clear text format.

    Default: Selected

  • Credential Storage Location: Specify where the DNS proxy user’s credentials are to be stored.

    Default: For security reasons, the default and recommended method of credential storage is CASA.

For additional configuration instructions, see Installing and Configuring DNS in the OES 2 SP3: Novell DNS/DHCP Administration Guide.

Novell Domain Services for Windows

There are multiple configuration scenarios, depending on your deployment. For information, see Installing Domain Services for Windows in the OES 2 SP3: Domain Services for Windows Administration Guide.

Novell eDirectory Services

IMPORTANT: You specified the eDirectory configuration for this server in either Specifying LDAP Configuration Settings or Specifying eDirectory Configuration Settings, and the settings you specified were extended to your OES service configurations by the OES install.

If you change the eDirectory configuration at this point in the install, your modifications might or might not extend to the other OES services. For example, if you change the server context from o=example to ou=servers.o=example, the other service configurations might or might not reflect the change.

Be sure to carefully check all of the service configuration summaries on the Novell Open Enterprise Server Configuration summary screen. If any of the services don’t show the eDirectory change you made, click the service link and modify the configuration manually. Otherwise your installation will fail.

Table 3-12 Novell eDirectory Parameters and Values

Page and Parameters

eDirectory Configuration - New or Existing Tree

  • New or Existing Tree

    • New Tree: Creates a new tree.

      Use this option if this is the first server to go into the tree or if this server requires a separate tree. Keep in mind that this server will have the master replica for the new tree, and that users must log into this new tree to access its resources.

    Default: New Tree

  • eDirectory Tree Name: Specify a unique name for the eDirectory tree you want to create or the name of the tree you want to install this server into.

    • Use eDirectory Certificates for HTTPS Services: Selecting this option causes eDirectory to automatically back up the currently installed certificate and key files and replace them with files created by the eDirectory Organizational CA (or Tree CA).

      Most OES services that provide HTTPS connectivity are configured by default to use the self-signed common server certificate created by YaST. Self-signed certificates provide minimal security and limited trust, so you should consider using eDirectory certificates instead.

      For all server installations, this option is enabled by default and is recommended for the increased security it provides.

      To prevent third-party CA certificates from being accidentally backed up and overwritten, deselect this option.

      For more information on certificate management and this option, see Security in the OES 2 SP3: Planning and Implementation Guide.

    • Require TLS for Simple Binds with Password: Select this option to require TLS encryption for simple binds, so that the password is not sent over an unencrypted connection.

    • Install SecretStore: Select this option to install Novell SecretStore (SS), an eDirectory-based security product.

eDirectory Configuration - New/Existing Tree Information

  • IP Address of an Existing eDirectory Server with a Replica: Specify the IP address of a server with an eDirectory replica.

    This option appears only if you are joining an existing tree.

  • NCP Port on the Existing Server: Specify the NCP port used by the eDirectory server you specified.

    This option appears only if you are joining an existing tree.

    Default: 524

  • LDAP and Secure LDAP Ports on the Existing Server: Specify the LDAP ports used by the eDirectory server you specified.

    This option appears only if you are joining an existing tree.

    IMPORTANT: The scripts that manage the common proxy user introduced in OES 2 SP3 require port 636 for secure LDAP communications.

    Default: 389 (LDAP), 636 (Secure LDAP)

  • FDN Admin Name with Context: Specify the name of the administrative user for the new tree.

    This is the fully distinguished name of a User object that will be created with full administrative rights in the new directory.

    Default: The eDirectory Admin name and context that you specified when initially configuring eDirectory.

  • Admin Password: Specify the eDirectory administrator's password.

    This is the password of the user specified in the prior field.

  • Verify Admin Password: Retype the password to verify it.

    This option only appears if you are creating a new tree.

eDirectory Configuration - Local Server Configuration

  • Enter Server Context: Specify the location of the new server object in the eDirectory tree.

  • Enter Directory Information Base (DIB) Location: Specify a location for the eDirectory database.

    Default: The default path is /var/opt/novell/eDirectory/data/dib, but you can use this option to change the location if you expect the number of objects in your tree to be large and the current file system does not have sufficient space.

  • Enter LDAP Port: Specify the LDAP port number this server will use to service LDAP requests.

    Default: 389

  • Enter Secure LDAP Port: Specify the secure LDAP port number this server will use to service LDAP requests.

    IMPORTANT: The scripts that manage the common proxy user introduced in OES 2 SP3 require port 636 for secure LDAP communications.

    Default: 636

  • Enter iMonitor Port: Specify the port this server will use to provide access to the iMonitor application.

    iMonitor lets you monitor and diagnose all servers in your eDirectory tree from any location on your network where a Web browser is available.

    Default: 8028

  • Enter Secure iMonitor Port: Specify the secure port this server will use to provide access to the iMonitor application.

    Default: 8030

eDirectory Configuration - NTP and SLP

  • Network Time Protocol (NTP) Server: Specify the IP address or DNS hostname of an NTP server.

    • For the first server in a tree, we recommend specifying a reliable external time source.

    • For servers joining a tree, specify the same external NTP time source that the tree is using, or specify the IP address of a configured time source in the tree. A time source in the tree should be running time services for 15 minutes or more before connecting to it, or the time synchronization request for the installation fails.

      If the time source server is NetWare 5.0 or earlier, you must specify an alternate NTP time source, or the time synchronization request fails. For more information, see Time Services in the OES 2 SP3: Planning and Implementation Guide.

  • Use Local Clock: Alternatively, you can select Use Local Clock to designate the server’s hardware clock as the time source for your eDirectory tree.

    This is not recommended if there is a reliable external time source available.

  • (SLP Options)

    • Do Not Configure SLP: Sufficient for eDirectory trees with three or fewer eDirectory servers.

      Without SLP, users can’t see a tree list, but they should still be able to attach to a tree by name. Users can configure the Novell Client to use DNS, or they can configure the local host file (%SystemDrive%\windows\system32\drivers\etc\hosts on WinXP) to resolve tree and server names. Users can also specify preferred tree and context information in the DHCP Settings page of the Novell Client.

      IMPORTANT: If the tree where you are installing this server has or will have more than three servers, you must configure SLP.

    • Use Multicast to Access SLP: Allows the server to request SLP information by using multicast packets. Use this in environments that have not established SLP DAs (Directory Agents).

      IMPORTANT: If you select this option, you must disable the firewall for SLP to work correctly. Multicast creates a significant amount of network traffic and can reduce network throughput.

    • Configure as Directory Agent: Configures this server as a Directory Agent (DA). This is useful if you plan to have more than three servers in the tree and want to set up SLP during the installation.

      • DASyncReg: Causes SLP, when it starts, to query the Directory Agents listed under Configured SLP Directory Agents for their current lists of registered services. It also causes the DA to share service registrations that it receives with the other DAs in the SLP Directory Agent list.

      • Backup SLP Registrations: Causes SLP to back up the list of services that are registered with this Directory Agent on the local disk.

      • Backup Interval in Seconds: Specifies how often the list of registered services is backed up.

    • Configure SLP to use an existing Directory Agent: Configures SLP to use an existing Directory Agent (DA) in your network. Use this in environments that have established SLP DAs. When you select this option, you configure the servers to use by adding or removing them from the SLP Directory Agent list.

  • Service Location Protocols and Scope: Configures the scopes that a user agent (UA) or service agent (SA) is allowed when making requests or when registering services, or specifies the scopes a directory agent (DA) must support. The default value is DEFAULT. Use commas to separate each scope. For example, net.slp.useScopes = myScope1,myScope2,myScope3.

    This information is required when either the Use Multicast to Access SLP or the Configure SLP to Use an Existing Directory Agent option is selected.

    Default: DEFAULT

  • Configured SLP Directory Agents: Lets you manage the list of hostnames or IP addresses of one or more external servers on which an SLP Directory Agent is running.

    It is enabled for input only when you configure SLP to use an existing Directory Agent.

Novell Modular Authentication Services

IMPORTANT: NMAS client software (included with Novell Client software) must be installed on each client workstation where you want to use the NMAS login methods.

  • CertMutual: The Certificate Mutual login method implements the Simple Authentication and Security Layer (SASL) EXTERNAL mechanism, which uses SSL certificates to provide client authentication to eDirectory through LDAP.

  • Challenge Response: The Challenge-Response login method works with the Identity Manager password self-service process. This method allows either an administrator or a user to define a password challenge question and a response, which are saved in the password policy. Then, when users forget their passwords, they can reset their own passwords by providing the correct response to the challenge question.

  • DIGEST-MD5: The Digest MD5 login method implements the Simple Authentication and Security Layer (SASL) DIGEST-MD5 mechanism as a means of authenticating the user to eDirectory through LDAP.

  • NDS: The NDS login method provides secure password challenge-response user authentication to eDirectory. This method supports the traditional NDS password when the NMAS client is in use. Reinstallation is necessary only if the NDS login method object has been removed from the directory.

  • Simple Password: The Simple Password NMAS login method provides password authentication to eDirectory. The Simple Password is a more flexible but less secure alternative to the NDS password. Simple Passwords are stored in a secret store on the user object.

  • SASL GSSAPI: The SASL GSSAPI login method implements the Generic Security Services Application Program Interface (GSSAPI) authentication by using the Simple Authentication and Security Layer (SASL) that enables users to authenticate to eDirectory through LDAP by using a Kerberos ticket.

If you want to install all of the login methods into eDirectory, click Select All.

If you want to clear all selections, click Deselect All.

For more information on these login methods, see Managing Login and Post-Login Methods and Sequences in the Novell Modular Authentication Services 3.3.1 Administration Guide.

Defaults: Challenge Response and NDS

OES Common Proxy User Information

  • Use Common Proxy User as Default for OES Products: Selecting this option configures the specified common proxy user for the following services: CIFS, DNS, DHCP, iFolder, NetStorage, and NCS. Optionally, you can specify that LUM use it.

  • OES Common Proxy User Name: By default, the common proxy user’s name is OESCommonProxy_hostname, but you can specify any name that fits your naming methodology.

    By default, the common proxy user is created in the container that you specify for the server object.

    You can specify a different container, but it must meet one of the following qualifications:

    • New Tree Installation: The container must be included in either the path specified for the eDirectory Admin user or the path for Server object.

    • Existing Tree Installation: The container must already exist in eDirectory.

    IMPORTANT: You cannot create a new container by specifying a non-qualifying path. If you attempt this, the installation program appears to proceed normally until the eDirectory configuration (ndsconfig) runs. At that point the installation fails with an Error creating Common Proxy User: 32 error, and you must install the server again.

  • OES Common Proxy User Password: You can accept the default system-generated password or specify a new password for the common proxy user.

  • Verify OES Common Proxy User Password: If you specified a different password, type the same password in this field. Otherwise, the system-generated password is automatically included.

  • Assign Common Proxy Password Policy to Proxy User: The initial common proxy password policy is a simple password policy created with default rules. You can modify this policy after the installation to enforce stricter rules regarding password length, characters supported, expiration intervals, etc.

For additional configuration instructions, see Installing or Upgrading Novell eDirectory on Linux in the Novell eDirectory 8.8 Installation Guide.

Novell FTP Services

No additional configuration is required.

Novell iFolder

When you configure iFolder as part of the OES install and configuration, you can specify only an EXT3 or ReiserFS volume location for the System Store Path, which is where you store iFolder data for all your users. You cannot create NSS volumes during the system install.

If you want to use an NSS volume to store iFolder data, you must reconfigure iFolder after the initial OES installation. To reconfigure, use Novell iManager to create an NSS volume, then go to YaST > Open Enterprise Server > Install and Configure Open Enterprise Services and select iFolder 3.8 to enter new information. All previous configuration information is removed and replaced.

Table 3-13 Novell iFolder 3.8 Parameters and Values

Page and Parameters

Novell iFolder System Configuration Options

  • iFolder Component to Be Configured

    • iFolder Server: Lets you configure the settings for the iFolder server that is the central repository for storing user iFolders and synchronizing files for enterprise users.

    • iFolder Web Admin: Lets you create and configure settings for the administrator user.

      The iFolder Admin user is the primary administrator of the iFolder Enterprise Server. The Web Admin server does not need to be configured on the iFolder Enterprise Server. Devoting a separate server to the Web Admin application improves the performance of the iFolder Enterprise Server by reducing the admin traffic.

    • iFolder Web Access: Lets you configure the Web Access server, which is an interface that lets users have remote access to iFolders on the enterprise server.

      The Web Access server lets users perform all the operations equivalent to those of the iFolder client by using a standard Web browser.

      The Web Access server does not need to be configured in the same iFolder Enterprise Server. Directing the user tasks to a separate server and thereby reducing the HTTP requests helps to improve the performance of the iFolder Enterprise Server.

    Default: All three items are selected.

Novell iFolder System Configuration

  • Name Used to Identify the iFolder System to Users: Specify a unique name to identify your iFolder Enterprise Server.

    Default: iFolder

  • System Description (optional): Specify a descriptive label for your iFolder Enterprise Server to identify it to the users.

    Default: iFolder Enterprise System

  • Path to Server's Data Files: Specify the case-sensitive address of the location where the iFolder Enterprise Server stores iFolder application files as well as the user iFolders and files.

    IMPORTANT: This location cannot be modified after iFolder is installed.

    Default: /var/simias/data/

  • Path to the Recovery Agent Certificates (optional): Specify the path to the recovery agent certificates that are used for recovering the encryption key.

    Default: /var/simias/data/simias

Novell iFolder System Configuration (2)

  • Name of iFolder Server: Specify a unique name to identify your iFolder Enterprise Server. For example: Host1.

    Default: The name of the OES server

  • iFolder Public URL: Specify the public URL for users to reach the iFolder Enterprise Server.

    Default: The OES server’s IP address

  • iFolder Private URL: Specify the private URL corresponding to the iFolder Enterprise Server to allow communication between the servers within the iFolder domain. The private URL and the public URL can be the same.

    Default: The OES server’s IP address

  • Select SSL Option for iFolder: Select the SSL option you want for setting up a secure connection between the iFolder server and the iFolder clients.

    There are three options for the channel for data transfer: SSL, Non SSL, and Both. However, authentication is always over SSL (not optional).

    • Both: (default) This option lets you select a secure or a non-secure channel for communication among the iFolder server, Web Admin server, Web Access server and the clients. By default, these components use the HTTPS (secure) communication channel. However, all components can also be configured to use HTTP.

    • Non SSL: Select this option to enable non-secure communication between the iFolder server, Web Admin server, Web Access server and the clients. iFolder uses the HTTP channel for communication.

    • SSL: Select this option to enable a secure connection among the iFolder server, iFolder Web Admin server, iFolder Web Access server, and the iFolder clients. iFolder uses the HTTPS channel for communication.

    Default: Both

  • iFolder Port to Listen On: Specify the port for the iFolder to listen on.

    Default: 443

  • Install into Existing iFolder Domain: Select this option when you want to attach to an existing iFolder domain.

    If this option is not selected, this server becomes the Master iFolder server.

    Default: Deselected

  • Private URL of the Master Server: Specify the private URL of the Master iFolder server that holds the master iFolder data for synchronization to the current iFolder Enterprise Server.

  • Configure LDAP Groups Plugin: Select this option to configure the LDAP Groups plug-in.

    If this option is left unselected, iFolder does not have LDAP Group support enabled.

Novell iFolder LDAP Configuration

  • Directory server address: The IP address shown is the default LDAP server for this service. If you do not want to use the default, select a different LDAP server in the list.

    If you need to add another eDirectory LDAP server to the list, use the LDAP Configuration for Open Enterprise Services dialog box.

    If you are installing into an existing tree, ensure that the server you select has a master replica or read/write replica of eDirectory.

    If you are installing into an existing tree, you must enter the password of an admin user in the tree.

    Default: The first server selected in the LDAP Configuration list of servers

  • Use Alternate LDAP server: If you need to add another LDAP server to the list, select this option and enter the following information:

    • Alternate Directory Server Address: Specify the host or IP address of the alternate LDAP server that iFolder will use.

    • LDAP Port: Specify the LDAP port to use for this alternate server.

    • LDAP Secure Port: Specify the LDAP secure port to use for this alternate server.

    • Admin Name and Context: Specify the administrator name and context for the alternate LDAP server.

    • Admin Password: Type the specified administrator’s password.

Novell iFolder System Configuration

  • The iFolder Default Administrator: Specify the username for the default iFolder administrative user. Use the full distinguished name of the iFolder administrative user.

    Default: The eDirectory Admin user you specified while configuring eDirectory.

  • iFolder Admin Password: Specify a password for the iFolder administrative user.

  • Verify iFolder Admin Password: Type the password for the iFolder administrative user again.

  • LDAP Proxy User: Specify the full distinguished name of the LDAP Proxy user.

    This user must have the Read right to the LDAP service. This user is used to provision users between the iFolder Enterprise Server and the LDAP server. If it does not already exist, this user is created and granted the Read right to the root of the tree. The LDAP proxy user's distinguished name (DN) and password are stored by iFolder.

    Default: If you specified a common proxy user, it is used by default if possible. If you didn’t specify the common proxy user, a user object named iFolderProxy is created in the server context you specified.

    The common proxy user cannot be used if iFolder is running on a cluster node. If the NCS pattern is selected along with iFolder, this field will be populated with the iFolderProxy by default.

  • Verify LDAP Proxy User Password: Type the password for the LDAP Proxy user again.

  • LDAP Search Context: Click Add, then specify an LDAP tree context to be searched for users to provision them in iFolder. For example, o=acme, o=acme2, or o=acme3.

    If no context is specified, only the iFolder administrative user is provisioned for services during the install.

    Default: The server context you specified while configuring eDirectory.

  • LDAP Naming Attribute: Select which LDAP attribute of the User account to apply when authenticating users. This setting cannot be changed after the install.

    Each user enters a username in this specified format at login time. Common Name (CN) is the default, and an e-mail address (email) is the other option.

    For example, if a user named John Smith has a common name of jsmith and e-mail of john.smith@example.com, this field determines whether the user enters jsmith or john.smith@example.com as the username when logging in to the iFolder Enterprise Server.

    Default: Common Name (CN)

  • Require a Secure Connection Between the LDAP server and the iFolder Server: If the LDAP server co-exists on the same computer as the iFolder Enterprise Server, you can deselect this option, which increases the performance of LDAP authentications.

    Default: Selected
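The lookup that the LDAP Naming Attribute setting above implies, as an added example that is not iFolder's own code: the name the user types at login is placed in an LDAP search filter on cn (the page's default) or on the e-mail attribute, with RFC 4515 escaping so that filter metacharacters in the typed name are matched literally instead of altering the search. The attribute name mail for the e-mail option, the shape checks, and the function names are assumptions.

```python
"""Login-name lookup implied by the iFolder LDAP Naming Attribute setting.

Added example, not iFolder's own code. The attribute name "mail" for the
e-mail option, the shape checks and the function names are assumptions;
"cn" and the John Smith sample names come from the chapter.
"""
import re

# Which LDAP attribute the typed login name is matched against. "mail" is an
# assumption for the e-mail option; the chapter only labels it "email".
NAMING_ATTRIBUTES = {"CN": "cn", "email": "mail"}

# RFC 4515 requires these characters to be hex-escaped inside a filter value,
# so a typed name is matched literally rather than read as filter syntax.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

_EMAIL_SHAPE = re.compile(r"^[^@\s]+@[^@\s]+$")


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def login_filter(naming_attribute: str, entered_name: str) -> str:
    """Build the search filter used to find the user object at login time.

    naming_attribute is the install-time choice ("CN" or "email"). It cannot
    be changed after the install, so the typed name must have the matching
    shape: an e-mail address for "email", a bare name for "CN" (the check that
    a plain cn never contains '@' is an assumption of this example).
    """
    if naming_attribute not in NAMING_ATTRIBUTES:
        raise ValueError(f"unknown naming attribute {naming_attribute!r}")
    name = entered_name.strip()
    if not name:
        raise ValueError("empty login name")
    if naming_attribute == "email" and not _EMAIL_SHAPE.match(name):
        raise ValueError("this system expects an e-mail address as the login name")
    if naming_attribute == "CN" and "@" in name:
        raise ValueError("this system expects the common name, not an e-mail address")
    return f"({NAMING_ATTRIBUTES[naming_attribute]}={escape_filter_value(name)})"


if __name__ == "__main__":
    # The chapter's John Smith example under each setting (constructed values).
    print(login_filter("CN", "jsmith"))
    print(login_filter("email", "john.smith@example.com"))
    print(login_filter("CN", "j*smith"))  # '*' is escaped, so it is not a wildcard
```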

Novell iFolder Web Access Configuration

  • An Apache Alias That Will Point to the iFolder Web Access Application: This is a user-friendly pointer for the Apache service.

    Default: /ifolder

  • The Host or IP Address of the iFolder Server That Will Be Used by the iFolder Web Access Application: This Web Access application performs all the user-specific iFolder operations on the host that runs the iFolder Enterprise Server.

    Default: The IP address of the OES server you are installing

  • Redirect URL for iChain/Access Gateway (optional): Specify the redirect URL for iChain/Access Gateway that will be used by the iFolder Web Access application. This URL is used for the proper logout of iChain/Access Gateway sessions along with the iFolder session.

  • Connect to the iFolder Server Using SSL: Select the check box to establish a secure connection between the iFolder Enterprise Server and the iFolder Web Access application.

    Default: Selected

  • iFolder Server Port to Connect on: Specify the port for the iFolder server to connect to the Web Access application.

    Default: 443 (SSL communications), 80 (non-SSL communication)

  • Require a secure connection between the Web browser and the iFolder Web Access application: Select the check box to establish a secure connection between the Web browser and the iFolder Web Access application.

    Default: Selected

Novell iFolder Web Admin Configuration

  • An Apache Alias That Will Point to the iFolder Web Admin Application: This is an admin-friendly pointer for the Apache service.

    Default: /admin

  • The Host or IP Address of the iFolder Server That Will Be Used by the iFolder Web Admin Application: The iFolder Web Admin application manages this host.

    Default: The IP address of the OES server you are installing

  • Redirect URL for iChain/Access Gateway (optional): Specify the redirect URL for iChain/Access Gateway that will be used by the iFolder Web Admin application. This URL is used for the proper logout of iChain/Access Gateway sessions along with the iFolder session.

  • Connect to the iFolder Server Using SSL: Select the check box to establish a secure connection between the iFolder Enterprise Server and the iFolder Web Admin application.

  • iFolder Server Port to Connect on: Specify the port for the iFolder server to connect to the Web Admin application. Port 443 is the default. Port 80 is the default value for non-SSL communication.

  • Require a secure connection between the Web browser and the iFolder Web Admin application: Select the check box to establish a secure connection between the Web browser and the iFolder Web Admin application.

For additional configuration instructions, see “Installing and Configuring iFolder Services” in the Novell iFolder 3.8.4 Administration Guide.

Novell iManager

Table 3-14 Novell iManager Parameters and Values

Page and Parameters

iManager Configuration

  • eDirectory Tree: Shows the name of a valid eDirectory tree that you specified when configuring eDirectory.

    To change this configuration, you must change the eDirectory configuration.

  • FDN Admin Name with Context: Shows the eDirectory Admin name and context that you specified when configuring eDirectory. This is the user that has full administrative rights to perform operations in iManager.

    To change this configuration, you must change the eDirectory configuration.

For additional configuration instructions, see Installing iManager in the Novell iManager 2.7.4 Installation Guide.

Novell iPrint

Table 3-15 Novell iPrint Parameters and Values

Page and Parameters

iPrint Configuration

  • Directory server address: The IP address shown is the default LDAP server for this service. If you do not want to use the default, select a different LDAP server in the list.

    If you are installing into an existing tree, ensure that the server you select has a master replica or read/write replica of eDirectory. If you need to add another LDAP server to the list, add it by using the LDAP Configuration for Open Enterprise Services dialog box.

  • Top-Most Container of eDirectory Tree: iPrint uses LDAP to verify rights to perform various iPrint operations, including authenticating users for printing and performing management tasks such as uploading drivers.

    During the installation of the iPrint software, iPrint attempts to identify the topmost container of the eDirectory tree and sets the base dn to this container for the AuthLDAPURL entry in /etc/opt/novell/iprint/httpd/conf/iprint_ssl.conf.

    For most installations, this is adequate because users are often distributed across containers.

    IMPORTANT: If you have multiple peer containers at the top of your eDirectory tree, leave this field blank so that the LDAP search begins at the root of the tree.

For additional configuration instructions, see Installing and Setting Up iPrint on Your Server in the OES 2 SP3: iPrint for Linux Administration Guide.

Novell Linux User Management

Table 3-16 Novell Linux User Management Parameters and Values

Page and Parameters

Linux User Management Configuration

  • Directory Server Address: The IP address shown is the default LDAP server for this service. If you do not want to use the default, select a different LDAP server in the list.

    If you are installing into an existing tree, ensure that the server you select has a master replica or read/write replica of eDirectory. If you need to add another LDAP server to the list, add it by using the LDAP Configuration for Open Enterprise Services dialog box.

    For information about specifying multiple LDAP servers for Linux User Management (LUM), see Configuring a Failover Mechanism in the OES 2 SP3: Novell Linux User Management Administration Guide.

    Default: The first server selected in the LDAP Configuration list of servers

  • Unix Config Context: The UNIX Config object holds a list of the locations (contexts) of UNIX Workstation objects in eDirectory. It also controls the range of numbers to be assigned as UIDs and GIDs when User objects and Group objects are created.

    Specify the eDirectory context (existing or created here) where the UNIX Config object will be created. An LDAP search for a LUM User, a LUM Group, or a LUM Workstation object begins here, so the context must be at the same level or higher than the LUM objects searched for.

    If the UNIX Config Object is placed below the location of the User objects, the /etc/nam.conf file on the target computer must include the support-outside-base-context=yes parameter.

    Geographically dispersed networks might require multiple UNIX Config objects in a single tree, but most networks need only one UNIX Config object in eDirectory.

    Default: The Organization object you specified in the eDirectory configuration

  • Unix Workstation Context: Computers running Linux User Management (LUM) are represented by UNIX Workstation objects in eDirectory. The object holds the set of properties and information associated with the target computer, such as the target workstation name or a list of eDirectory groups that have access to the target workstation.

    Specify the eDirectory context (existing or created here) for the UNIX Workstation object created by the install for this server. The context should be the same as or below the UNIX Config Context specified above.

    Default: The context you specified for this OES server in the eDirectory configuration

  • Proxy User Name with Context (Optional): If you specified a common proxy user and you select the Use OES Common Proxy User option (below), it is used by default. If you didn’t specify a common proxy user, you can specify a user (existing or created here) with rights to search the LDAP tree for LUM objects.

  • Use OES Common Proxy User: Check this option if you specified a common proxy user and want to use it as the proxy user for LUM.

  • Restrict Access to the Home Directories of Other Users: This option is selected by default to restrict read and write access for users other than the owner to home directories.

    Using the default selection changes the umask setting in /etc/login.defs from 022 to 077.

    Default: Selected
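Three container rules in this chapter reduce to the same test of where one DN sits relative to another: the container allowed for the OES Common Proxy User in a new tree (it must be in the path of the eDirectory Admin user or of the Server object), the iPrint base DN for AuthLDAPURL (blank, meaning the tree root, when the top-level containers are peers), and the LUM UNIX Config context, which must be at or above the users or /etc/nam.conf needs support-outside-base-context=yes. The following is an added example in Python, not Novell or OES code; the function names and the sample DNs (o=acme and so on) are constructed for illustration, and the treatment of a sibling context in the LUM check is an assumption noted in the code.

```python
"""DN-hierarchy checks behind three container rules in this chapter.

Added example; not Novell/OES code. Sample DNs (o=acme ...) are constructed.
A typeful DN such as cn=admin,ou=it,o=acme is read leaf first: the container
holding an object is the DN with the leaf RDN removed, and a context is
"at or above" an object when its RDNs form the tail of the object's DN.
"""
import re
from typing import List

# Split on commas that are not backslash-escaped (RFC 4514 escaping).
_RDN_SPLIT = re.compile(r"(?<!\\),")


def parse_dn(dn: str) -> List[str]:
    """Return the RDNs of a typeful DN, leaf first, normalised for comparison.

    Whitespace around '=' and ',' is dropped and attribute type and value are
    lower-cased, since eDirectory matches these names case-insensitively.
    A typeless component (no '=') is rejected: typeful syntax is required.
    """
    dn = dn.strip()
    if not dn:                       # an empty DN denotes the tree root
        return []
    rdns = []
    for part in _RDN_SPLIT.split(dn):
        if "=" not in part:
            raise ValueError(f"typeless RDN {part!r}; use cn=name,ou=unit,o=org")
        attr, value = part.split("=", 1)
        rdns.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return rdns


def is_same_or_above(context: str, dn: str) -> bool:
    """True when `context` equals `dn` or is one of its ancestors."""
    ctx, obj = parse_dn(context), parse_dn(dn)
    return len(ctx) <= len(obj) and obj[len(obj) - len(ctx):] == ctx


def is_above(context: str, dn: str) -> bool:
    """True when `context` is a strict ancestor of `dn`."""
    return is_same_or_above(context, dn) and len(parse_dn(context)) < len(parse_dn(dn))


def common_proxy_container_ok(container: str, admin_dn: str, server_ctx: str) -> bool:
    """New-tree rule for the OES Common Proxy User container.

    The container must lie in the path of the eDirectory Admin user (the
    container holding that user, or an ancestor of it) or in the path of the
    Server object (the server context or an ancestor of it). Any other path
    makes the eDirectory configuration (ndsconfig) fail later in the install.
    """
    return is_above(container, admin_dn) or is_same_or_above(container, server_ctx)


def unix_config_below_users(unix_config_ctx: str, user_ctx: str) -> bool:
    """True when a LUM search rooted at the UNIX Config context cannot reach
    the users, so /etc/nam.conf needs support-outside-base-context=yes.

    The chapter states the rule for a context below the users; a sibling
    context is treated the same way here (assumption), because the search
    starts at the UNIX Config context either way.
    """
    return not is_same_or_above(unix_config_ctx, user_ctx)


def iprint_base_dn(user_containers: List[str]) -> str:
    """Topmost container shared by every user container, for the AuthLDAPURL base DN.

    Returns '' (search from the tree root, i.e. the field left blank) when the
    containers are peers with no common ancestor.
    """
    parsed = [parse_dn(c) for c in user_containers]
    if not parsed:
        return ""
    common: List[str] = []
    for level in zip(*(reversed(p) for p in parsed)):   # compare root first
        if all(rdn == level[0] for rdn in level):
            common.append(level[0])
        else:
            break
    return ",".join(reversed(common))


if __name__ == "__main__":
    admin, servers = "cn=admin,ou=it,o=acme", "ou=servers,o=acme"
    for cand in ("o=acme", "ou=servers,o=acme", "ou=proxies,o=acme"):
        print(f"proxy container {cand:20} ok={common_proxy_container_ok(cand, admin, servers)}")
    print("nam.conf needs support-outside-base-context=yes:",
          unix_config_below_users("ou=lum,ou=users,o=acme", "ou=users,o=acme"))
    print("iPrint base dn:", repr(iprint_base_dn(["ou=sales,o=acme", "ou=eng,o=acme"])),
          repr(iprint_base_dn(["o=acme", "o=acme-asia"])))
```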

Linux User Management Configuration (2)

IMPORTANT: Before you change the PAM-enabled service settings, be sure you understand the security implications explained in User Restrictions: Some OES 2 Limitations in the OES 2 SP3: Planning and Implementation Guide.

  • Services to LUM-enable for authentication via eDirectory: Select the services to LUM-enable on this server. The services marked yes are available to authenticated LUM users.

    • login: no

    • ftp: no

    • sshd: no

      If you want to use the SSH protocol to define a NetStorage storage location object, you must select SSHD as a LUM-enabled service.

      If you do not select SSHD, users cannot log in to NetStorage through SSH to access their files.

    • su: no

    • rsh: no

    • rlogin: no

    • xdm: no

    • openwbem: yes

      This is selected by default because it is used by many of the OES services such as iPrint, NSS, SMS, Novell Remote Manager, and Samba. To access iManager, you must enable OpenWBEM.

    • gdm: no

    • gdm-autologin: no

    • gnome-passwd: no

    • gnome-screensaver: no

    • gnomesu-pam: no

For additional configuration instructions, see Setting Up Linux User Management in the OES 2 SP3: Novell Linux User Management Administration Guide.

Novell NCP Server / Dynamic Storage Technology

Table 3-17 Novell NCP Server Parameters and Values

Page and Parameters

NCP Server Configuration

  • Admin Name with Context: The eDirectory Admin user you specified in the eDirectory configuration.

For additional configuration instructions, see Installing and Configuring NCP Server for Linux in the OES 2 SP3: NCP Server for Linux Administration Guide.

Novell NetStorage

Table 3-18 Novell NetStorage Parameters and Values

Page and Parameters

NetStorage Configuration

  • Authentication Domain Host: The IP address shown is the default LDAP server for this service. If you do not want to use the default, select a different LDAP server in the list.

    If you are installing into an existing tree, ensure that the server you select has a master replica or read/write replica of eDirectory. If you need to add another LDAP server to the list, add it by using the LDAP Configuration for Open Enterprise Services page.

    Default: The first server selected in the LDAP Configuration list of servers.

  • Proxy User Name with Context: Specify the proxy user name including the context, or accept the default.

    This user performs LDAP searches for users logging into NetStorage.

    Default: If you specified a common proxy user, it is used by default. If you didn’t specify a common proxy user, the eDirectory Admin name and context that you specified when configuring eDirectory is used.

  • User Context: Specify the NetStorage user context, or accept the default.

    This is the eDirectory context for the users that will use NetStorage. NetStorage searches the eDirectory tree down from the specified context for User objects. If you want NetStorage to search the entire eDirectory tree, specify the root context.

    Default: The Organization object you specified while configuring eDirectory

For additional configuration instructions, see Installing NetStorage in the OES 2 SP3: NetStorage Administration Guide.

Novell Pre-Migration Server

No additional configuration is required. For information, see Preparing the Source Server for Migration in the OES 2 SP3: Migration Tool Administration Guide.

Novell QuickFinder

Table 3-19 Novell QuickFinder Parameters and Values

Page and Parameters

Novell QuickFinder Admin User

  • Novell QuickFinder Admin User Type: Make the QuickFinder administrator a LUM-enabled eDirectory user or a local Linux user.

    • Local: Select this option to give QuickFinder Server administration rights to a local Linux user (the default is the root user if no other local users exist).

    • Directory LUM Enabled: Gives QuickFinder Server administration rights to an eDirectory user.

    Default: Directory LUM enabled

  • QuickFinder Admin Name: Specify the QuickFinder administrator name.

    If you selected Directory LUM enabled as the user type, include the full context (such as cn=admin,o=novell).

    If you selected Local as the user type, specify only the admin name (such as root). If the user does not already exist, it is created.

    Default: The eDirectory Admin user you specified while configuring eDirectory

  • Add novlwww User to the Shadow Group: If only LUM-enabled eDirectory users will use QuickFinder, this option does not need to be set.

    QuickFinder uses Pluggable Authentication Modules (PAM) to authenticate users for both administration and rights-based searching. Because QuickFinder is a servlet under Tomcat, it has the same rights to the system as the Tomcat user (wwwrun).

    For QuickFinder to verify user credentials for local users (including root), the wwwrun user must be added to the local shadow group.

    Default: Yes

Novell QuickFinder Admin Password

  • eDirectory Admin Name: Specified on the previous page.

  • Novell QuickFinder Admin User Type: If a different admin user was created, specify a password.

For additional configuration instructions, see Installing QuickFinder Server in the OES 2 SP3: Novell QuickFinder Server 5.0 Administration Guide.

Novell Remote Manager

No additional configuration for the installation is required. To change the configuration after the installation, see Changing the Configuration in the OES 2 SP3: Novell Remote Manager for Linux Administration Guide.

Novell Samba

Table 3-20 Novell Samba Parameters and Values

Page and Parameters

Novell Samba Configuration

  • Directory server address: The IP address shown is the default LDAP server for this service. If you do not want to use the default, select a different LDAP server in the list.

    If you are installing into an existing tree, ensure that the server you select has a master replica or read/write replica of eDirectory. If you need to add another LDAP server to the list, add it by using the LDAP Configuration for Open Enterprise Services dialog box.

    This is the primary IP address of the LDAP server to which CIFS client users (such as Windows users) authenticate, to use LDAP for access to the directories and files on this OES server.

    Default: The first server selected in the LDAP Configuration list of servers.

  • Base Context for Samba Users: The eDirectory context (existing or created here) where the default Samba group is created.

    Default: The Organization object you specified for your tree. Do not change the default unless you are altering the standard Samba configuration.

  • Proxy User Name with Context: A user on the specified LDAP server that has rights to search the LDAP tree for Samba users.

    The name and context must be specified by using typeful syntax (cn=name,ou=organizational_unit,o=organization).

    Default: cn=servername-sambaProxy,o=organization

For additional configuration instructions, see Installing the Novell Samba Components in the OES 2 SP3: Samba Administration Guide.

Novell Storage Services (NSS)

Table 3-21 Novell Storage Services Parameters and Values

Page and Parameters

NSS Unique Admin Object

  • Directory Server Address: The IP address shown is the default LDAP server for this service. If you do not want to use the default, select a different LDAP server in the list.

    If you are installing into an existing tree, ensure that the server you select has a master replica or read/write replica of eDirectory. If you need to add another LDAP server to the list, add it by using the LDAP Configuration for Open Enterprise Services dialog box.

    Default: The first server selected in the LDAP Configuration list of servers.

  • FD NSS Admin Name with Context: Specify the NSS Admin name and context or accept the default.

    This is the fully distinguished name of a User object with administrative rights to NSS. You must have a unique NSS admin name for each server that uses NSS.

    For more information, see Planning Your Proxy Users in the OES 2 SP3: Planning and Implementation Guide.

    Default: The server hostname concatenated with the LDAP Admin Name you entered for this server, for example cn=myserveradmin,o=organization.

For additional configuration instructions, see Installing and Configuring Novell Storage Services in the OES 2 SP3: NSS File System Administration Guide for Linux.