3.3 OES User Rights Management (NURM)

The OES User Rights Map utility (NURM) lets administrators map the Access Control List (ACL) entries on NSS storage that are held by eDirectory identities on OES to the corresponding identities in Active Directory. Use it after the user identities exist in both the source (eDirectory) and target (Active Directory) identity stores. It maps users from eDirectory to Active Directory by common name or by any other attribute that the tool lets you select. With this utility, administrators can do the following:

  • Create User Maps: Map eDirectory and Active Directory users and groups.

  • Leverage Existing IDM-based User Maps: Leverage NetIQ Identity Manager 4.5 or later maps that are created using IDM Designer (but not the IDM iManager plug-in).

  • Map User Rights: Assign rights to Active Directory users on NSS resources.

  • Viewing Rights: View the rights of Active Directory and eDirectory users on a given volume.

  • Synchronizing Rights: Synchronize the rights of Active Directory and eDirectory users using the user-rights-map command line utility.

3.3.1 Prerequisites

  • Ensure that the CIFS universal password policy is enabled for the eDirectory user who accesses NURM. NURM uses CIFS to fetch the volume information, so when a user for whom Universal Password is not enabled accesses NURM, no volumes are listed on the View Rights and Map Rights pages. For more information on enabling the Universal Password Policy, see CIFS and Universal Password in the OES 2015: Novell CIFS for Linux Administration Guide. In addition, the user must have sufficient rights on /_admin/Manage_NSS/manage.cmd.

  • Ensure that CIFS user context is configured for the eDirectory user who is accessing NURM. For more information, see Configuring a CIFS User Context in the OES 2015 SP1: Novell CIFS for Linux Administration Guide.

  • If you use NURM in an environment where eDirectory and Active Directory are synchronized using NetIQ IDM, ensure that the DirXML-ADContext attribute is populated on the eDirectory server.

3.3.2 Accessing OES User Rights Map Utility (NURM)

The NURM utility is installed along with the installation and configuration of NSS AD. To access NURM:

  1. Open the OES 2015 SP1 server's welcome page, then click Management Services > OES User Rights Map.

    OR

    Point your browser to https://<OES2015 SP1 server’s IP address or the host name>/storm.

  2. Specify the user name or the FQDN of the eDirectory administrator in the User Name field, specify the password, then click Login.

    NURM is also available as a command line utility (map-users and user-rights-map). For more information on the CLI utility, see Section B.17, map-users and Section B.18, user-rights-map.

3.3.3 Mapping Users

In an NSS AD environment, the OES servers are joined to an Active Directory domain so that AD users and groups get native access to NSS resources. To make this possible, identities from Active Directory must be mapped to identities in eDirectory and assigned the same rights that those eDirectory identities hold. NURM creates these identity maps, which are termed user maps. The user maps can then be used to assign rights to AD identities on NSS resources.

Using the Map Users feature, administrators can do the following:

  • Create new user maps: Map eDirectory and Active Directory (AD) users and groups.

  • Import user maps

  • Export user maps

  • Refresh user maps

  • Delete user maps

Before creating user maps, ensure that you are connected to an AD server.

Connecting to an Active Directory Server

To connect to the target AD server, click Connect to Active Directory, specify the following details, then click Connect.

  • User Name: Specify the AD Administrator user name or the FQDN.

  • Password: Specify the AD Administrator password.

  • Server Name: Specify the IP address or the realm of the AD domain.

  • Port: Specify the port with which you would like to connect to the AD server. Standard LDAP ports for Active Directory are 389 and 3268 (LDAP) and 636 and 3269 (LDAP over SSL). Select Use SSL to secure the connection; the AD Administrator credentials specified above are sent over it.

After you successfully establish the connection with the AD server, the connected icon is displayed. The NURM screen should look similar to the following:

To disconnect from the target AD server, click the disconnect icon.

NOTE: NURM supports multiple AD forests. Log in to the respective forest before generating the user map.

Creating a New User Map

The user map could be created using any of the following methods:

  • Propose Map: Use this method to view, validate, and edit the generated user map before saving it on the server.

  • Save Map: Use this method when the number of records to be mapped is high and you anticipate that the user map generation will take more than five minutes. You can initiate the user map generation operation and continue using the application. The user map generation continues on the server side; on completion, the generated user map is saved on the server and is listed in the Map Users page.

  1. Click New, then specify the following details:

    • Match Type: Select an object mapping (user to user, group to group, or container to group). In the Target Matching Pattern, specify the wildcard-based search criteria.

      Use the Target Matching Pattern when you want to match a group in the source identity store with a group in the target identity store that follows a different naming convention.

      For example, assume that the source identity store has the groups eng-group-acme, sales-group-acmeUS, and so on, and the target identity store has technology-acme, sales-acmeUS, and so on. Specifying *-acme in the Target Matching Pattern matches eng-group-acme with technology-acme.

    • LDAP Attributes: Select Common Name to Common Name (CN to CN), Common Name to SAM-Account-Name (CN to SAM), or Custom Attributes matching criteria.

      If you choose custom attributes, you will have to specify the eDirectory and Active Directory object attributes.

      Examples of eDirectory object attributes include User Name (uid), Common Name (cn), Last Name (sn), and First Name (givenName).

      Examples of Active Directory object attributes include sAMAccountName, First Name (givenName), Last Name (sn), and email address (email).

    • eDirectory Context: Specify or browse and select the eDirectory tree search base context. If you would like to do a subtree search, select Search Subtree.

    • Active Directory Context: Specify or browse and select the AD server context. If you would like to do a subtree search, select Search Subtree.

  2. Click Propose Map to generate the user map.

  3. Validate the user mapping. If you need to modify any user mapping:

    1. Click <<, then specify or browse to the AD server context.

    2. To replace or add an AD user in the proposed user map, select a row in the proposed user map, then click the add icon next to the desired search result.

    3. To remove a user from the proposed user map, click the remove icon. To undo the deletion, click the undo icon.

    HINT:

    • To modify an existing user mapping, click the user map name in the Map Users page, then follow the instructions in Step 3.

    • Pagination and Filtering: When the number of records to be displayed is large, they are paginated, and each page holds up to 1000 records. The filter option works on the records in all the pages.

    • Sorting: Click any column title to sort the data either in ascending or descending order.

If the number of records to be displayed is more than 1000, pagination controls are displayed at the bottom of the page for ease of navigation. Pagination includes the following:

  • Number of Pages: Displays the total number of pages. For example, Pages 4.

  • First: Displays the first page.

  • Last: Displays the last page.

  • <: Displays the previous page.

  • >: Displays the next page.

  • Page Numbers: Click a page number to display that page.

  • Go To Page: If you would like to navigate directly to a particular page, click the drop-down arrow, specify the page number, then click Go.

Importing a User Map

  1. Click Import, then select the user map XML file using the Browse button.

  2. Specify an appropriate name for the user map, then click Import.

Exporting a User Map

Select the user map of your choice, click Export, then save it to a location of your choice on your computer.

Refreshing a User Map

If you suspect that the mappings have changed since you created a user map, you can refresh it using the same conditions that were used when creating it.

To refresh an old user map, select the desired user map, then click Refresh. Entries that differ from the time the map was created are highlighted with an information icon. If you would like to revert a change, click the undo icon. After verifying the changes, click Save Map.
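The following is an added example, not code from NURM or the OES guide: a small model of how the Propose Map matching (CN to CN, CN to SAM, and a wildcard Target Matching Pattern, using the group names from the example above) and the Refresh comparison behave. The record layout, attribute names, case-insensitive comparison and candidate handling are assumptions made for illustration.

```python
"""Model of NURM's Propose Map matching and Refresh comparison.
Added example, not NURM code: object records, attribute names and the
matching rules are assumptions derived from the guide's description."""
from fnmatch import fnmatchcase

# Constructed sample objects (not real identities).
EDIR_USERS = [{"cn": "jsmith"}, {"cn": "adoe"}]
AD_USERS = [{"cn": "John Smith", "sAMAccountName": "jsmith"},
            {"cn": "Alice Doe", "sAMAccountName": "ADOE"}]
EDIR_GROUPS = [{"cn": "eng-group-acme"}, {"cn": "sales-group-acmeUS"}]
AD_GROUPS = [{"cn": "technology-acme"}, {"cn": "sales-acmeUS"}]


def propose_map(source, target, src_attr="cn", dst_attr="cn", pattern=None):
    """Return {source value: [candidate target values]} for matched objects.

    Without a pattern, a source object matches a target object whose
    dst_attr equals its src_attr (case-insensitive, as CN and SAM names are).
    With a pattern, every object on either side whose attribute matches the
    wildcard becomes a candidate for the other side, which is how *-acme
    pairs eng-group-acme with technology-acme. More than one candidate
    means the administrator must choose one while validating the map.
    """
    proposed = {}
    pat = pattern.lower() if pattern else None
    for src in source:
        s_val = src[src_attr]
        if pat is None:
            cands = [t[dst_attr] for t in target
                     if t[dst_attr].lower() == s_val.lower()]
        elif fnmatchcase(s_val.lower(), pat):
            cands = [t[dst_attr] for t in target
                     if fnmatchcase(t[dst_attr].lower(), pat)]
        else:
            cands = []
        if cands:
            proposed[s_val] = cands
    return proposed


def refresh_diff(saved, refreshed):
    """Return {source: (old, new)} for rows that changed since the map was
    saved; these are the rows Refresh highlights for review before Save Map."""
    return {k: (saved.get(k), refreshed.get(k))
            for k in set(saved) | set(refreshed)
            if saved.get(k) != refreshed.get(k)}
```

With the sample data, CN to CN finds no user matches while CN to sAMAccountName pairs both users, which is the situation the LDAP Attributes choice exists for.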

Delete a User Map

Select the user maps that you want to delete, then click Delete.

3.3.4 Mapping Rights

Using this feature, you can map rights to AD users on a specific NSS volume. While doing so, you can choose to remove eDirectory trustees from the NSS file system and migrate the eDirectory IDs (owner, modifier, archiver, metadata modifier, and deletor) to AD users.

To map rights:

  1. Select a Volume on which you want to map rights to AD users.

  2. Select the appropriate user map. The user map is displayed along with the rights that will be assigned to the AD users. You can hide or display the user map and rights details using the Show >> and << Hide buttons.

  3. Select the following options as needed:

    • Apply to Salvage: Applies rights to AD users on salvaged files and folders.

    • Remove eDirectory Trustees: After the AD users are assigned as trustees, the corresponding eDirectory trustees are removed from the NSS file system.

    • Migrate IDs: Assign eDirectory trustee IDs (owner, modifier, archiver, metadata modifier, and deletor) to AD users.

  4. Click Apply.

To delete the mapped rights, select the map rights entry, then click Delete.

NOTE: After deletion, you can no longer synchronize rights on the volume using the deleted map rights.
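As an added example (not NURM code), the following models what the Map Rights step does to a volume's explicit trustee list: each eDirectory trustee with a user-map entry receives an AD counterpart with the same rights on the same path, and Remove eDirectory Trustees drops only trustees that received a counterpart. The trustee record layout, the ACME\ AD naming, and the handling of unmapped trustees are assumptions.

```python
"""Model of the Map Rights operation on NSS explicit rights.
Added example, not NURM code: record layout and the rule for unmapped
trustees are assumptions made for illustration."""

# Constructed explicit-rights entries (path, trustee, NSS rights letters),
# as the View Rights page lists them. Not real identities or paths.
EDIR_ACL = [
    ("VOL1:/projects", "cn=jsmith,ou=eng,o=acme", "RWCEMF"),
    ("VOL1:/projects", "cn=eng-group-acme,ou=groups,o=acme", "RF"),
    ("VOL1:/hr", "cn=hr-admin,ou=hr,o=acme", "SRWCEMFA"),  # not in the map
]
# Constructed user map: eDirectory DN -> AD account (assumed display form).
USER_MAP = {
    "cn=jsmith,ou=eng,o=acme": "ACME\\jsmith",
    "cn=eng-group-acme,ou=groups,o=acme": "ACME\\technology-acme",
}


def map_rights(acl, user_map, remove_edir_trustees=False):
    """Return (new_acl, unmapped).

    A mapped eDirectory trustee yields an AD trustee with identical rights on
    the same path. With remove_edir_trustees, only trustees that actually got
    an AD counterpart are dropped (assumption), so an unmapped trustee is kept
    and reported rather than silently losing its access.
    """
    new_acl, unmapped = [], []
    for path, trustee, rights in acl:
        ad_trustee = user_map.get(trustee)
        if ad_trustee is None:
            unmapped.append((path, trustee, rights))
            new_acl.append((path, trustee, rights))
            continue
        new_acl.append((path, ad_trustee, rights))
        if not remove_edir_trustees:
            new_acl.append((path, trustee, rights))
    return new_acl, unmapped
```

Reviewing the unmapped list before enabling Remove eDirectory Trustees shows which trustees the user map does not cover on that volume.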

3.3.5 Viewing Rights

Using this feature, an administrator can view the explicit rights of both eDirectory and Active Directory users on the selected volume. When you select the volume name, the explicit rights are displayed along with the path, trustee, and rights information.

Beginning with OES 2015 SP1, a Refresh button is available next to the volume name drop-down box, which allows users to view the rights information dynamically.

3.3.6 Troubleshooting NURM

Volumes are not Listed in the View Rights and Map Rights Pages

NURM uses CIFS to fetch the volume information, so when a user for whom Universal Password is not enabled accesses NURM, no volumes are listed on the View Rights and Map Rights pages. In addition, the user must have sufficient rights on /_admin/Manage_NSS/manage.cmd. To resolve this issue, set the Universal Password Policy for the user who accesses NURM. For more information on enabling the Universal Password Policy, see CIFS and Universal Password in the OES 2015: Novell CIFS for Linux Administration Guide.

Migrate ID Displays Error Even After all the ACL Migration is Completed

If any file has an extended attribute set, the operation generates an additional task for the same file, which does not complete because the parent node where the attribute is set has already been migrated.

When an extended attribute is set on a file, additional ZIDs are created for the same file. When the Migrate ID operation is performed, it encounters the parent ZID that has already been migrated; hence you might see an error while assigning the rights, even though the ACLs are migrated properly.