I.3 Common Proxy User - New in SP3

I.3.1 Common Proxy User FAQ

Why Would I Want to Specify Common Proxy Users?

The implementation of a common proxy user in OES 2 SP3 addresses the following administrative needs:

  • Limit the Number of Proxy Users: By default, the number of proxy users in an eDirectory tree can quickly become quite large. And even though proxy users don’t consume user license connections, many administrators are disconcerted by the sheer number of objects to manage and track.

    Common proxy users reduce the default number of proxy users from one per service to basically one per OES 2 SP3 server.

  • Accommodate Password Security Policies: Many organizations have security policies that require periodic password changes. Some administrators are overwhelmed by having to manually track all proxy users, change their passwords, and restart the affected services after every change.

    Common proxy users can have their passwords automatically generated and changed at whatever interval is required. Services are restarted as needed with no manual intervention required.

  • Prevent Password Expiration: When proxy user passwords expire, OES 2 services are interrupted, leading to network user frustration and administrator headaches.

    Automatic password management for common proxy users ensures that services are never disrupted because of an expired password.

Why Has a Proxy User Been Added to Novell Cluster Services?

For SP3 the eDirectory communication functionality that was previously performed by the designated NCS administrator, has been separated out so that it can now be performed by a system user if so desired.

This aligns NCS functionality with other OES services that use proxy (system) users for similar functions. For more information, see OES Common Proxy User in the OES 2 SP3: Novell Cluster Services 1.8.8 Administration Guide for Linux.

Which Services Can and Cannot Leverage the Common Proxy User?

Services That Can Leverage the Common Proxy User

The following OES services are automatically configured at install time by default to use your Common Proxy User (if specified):

  • Novell CIFS

  • Novell Cluster Services

  • Novell DNS

  • Novell DHCP

  • Novell iFolder

  • Novell NetStorage

The following OES service can be configured at install time to use your Common Proxy User (if specified):

  • Linux User Management (having a proxy user is optional)

Services That Cannot Leverage the Common Proxy User

The following services that use proxy users do not leverage the Common Proxy user for the reasons listed:



Archive and Version Services

This service uses the installing administrator as in the past.

Novell AFP

The need for an AFP proxy user has been eliminated in OES 2 SP3 due to a new NMAS method used for client authentication.

Novell Samba

Samba proxy password requirements are not a good fit with the Common Proxy user.

Novell Storage Services

This requires full rights to administer NSS and continues to require a system-named user with a system-generated password.

Can a Common Proxy User Service Multiple Servers?


The common proxy user is designed and configured to be the common proxy for the OES services on a single server. Each subsequent new server needs a separate and distinct proxy created for its services.

Can I Change the Common Proxy User Name and Context?


However, best practice suggests that eDirectory object names and locations within the tree reflect the object purpose and scope of influence or function. For this reason, the default Common Proxy User name is OESCommonProxy_hostname, where hostname is the name of the OES server being installed, and the default eDirectory context is the same as for the server for which the common proxy is created.

IMPORTANT:If you specify a different context from the server, the Organizational Unit that you specify must already exist in eDirectory. Otherwise, the server installation will fail, and you’ll need to start over.

Can I Assign the Common Proxy User After Services Are Installed?

Yes. See Assigning the Common Proxy to Existing Services.

What About Upgraded Servers Using a Common Proxy?

You can change the services running on an OES 2 server that has been upgraded to OES 2 SP3 to leverage a Common Proxy user. See Assigning the Common Proxy to Existing Services.

Are There Important Limitations to Keep in Mind?


iFolder must not be configured to use a Common Proxy on a cluster node.

I.3.2 Managing Common Proxy Users

Common proxy users are eDirectory objects and can therefore be managed via iManager. However, after the initial setup is complete, there should generally be no reason for OES administrators to directly manage Common Proxy users.

Use the information in the following sections to understand and implement common proxy user management.

Always Use LDAP Port 636 to Communicate with eDirectory

The Common Proxy user management scripts communicate with eDirectory using port 636 only. See the instructions in Installing OES 2 SP3 as a New Installation in the OES 2 SP3: Installation Guide).

Assigning the Common Proxy to Existing Services

You can assign the common proxy user to any of the services listed in Services That Can Leverage the Common Proxy User using the move_to_common_proxy.sh script on your OES 2 SP3 server. In fact, if you have upgraded from SP2 and the server doesn’t have a common proxy user associated with it, simply running the script will create and configure the proxy user and assign the services you specify.

  1. In the /opt/novell/proxymgmt/bin folder, run the following command:

    ./move_to_common_proxy.sh service1,service2

    where the service entries are OES service names.

Example scenario:

  • You have upgraded server myserver, which is located in o=novell and uses IP address, from SP2 to SP3.

  • The secure LDAP port for the server is 636.

  • You are installing the server as the eDirectory Admin user, and your LDAP user FQDN is cn=admin,o=novell.

  • Your Admin password is 123abc.

  • You want to create a common proxy user and assign it as the common proxy for the Novell DNS and DHCP services running on the server.

  • Therefore, you enter the following commands:

    cd /opt/novell/proxymgmt/bin

    ./move_to_common_proxy.sh -d cn=admin,o=novell -w 123abc -i -p 636 -s novell-dhcp,novell-dns

User cn=OESCommonProxy_myserver.o=novell is created with a system-generated password and assigned the Common Proxy Policy password policy. The DNS and DHCP services are configured to be serviced by the Common Proxy user.

NOTE:Running the move_to_common_proxy.sh script automatically enables automatic changing of proxy user passwords. This feature is explained in the next section, Changing Proxy Passwords Automatically.

Changing Proxy Passwords Automatically

You can configure your server so that your proxy users are regularly assigned new system-generated passwords by doing the following:

  1. Open the file /etc/opt/novell/proxymgmt/proxy_users.conf in a text editor.

  2. List the FQDN of each proxy user on the server that you want to automatic password management set up for.

    For example you might insert the following entries:

    • cn=OESCommonProxyUser_myserver,o=novell
    • cn=myproxy,o=novell

    IMPORTANT:Users listed here must not be listed in the proxy_users.conf file on any other servers in the tree.

  3. Save the file.

  4. Enter the following commands:

    cd /opt/novell/proxymgmt/bin

    change_proxy_pwd.sh -A Yes

    By default, the crontab job will run every 30 days.