2.4 Installing and Configuring OES as a Subcontainer Administrator

2.4.1 Rights Required for Subcontainer Administrators

For security reasons, you might want to create one or more subcontainer administrators (administrators that are in a container that is subordinate to the container that user Admin is in) with sufficient rights to install additional OES servers, without granting them full rights to the entire tree.

A subcontainer administrator needs the rights listed in Table 2-2 to install an OES server into the tree. These rights are typically granted by placing all administrative users in a Group or Role in eDirectory, and then assigning the rights to the Group or Role. Sample steps for assigning the rights to a single subcontainer administrator are provided as a general guide.

Table 2-2 Subcontainer Administrator Rights Needed to Install

Rights Needed

Sample Steps to Follow

Supervisor right to itself

  1. In iManager, click View Objects > the Browse tab, then browse to and select the subcontainer administrator.

  2. Click the administrator object, then select Modify Trustees.

  3. Click the Assigned Rights link for the administrator object.

  4. For the [All Attributes Rights] property, select Supervisor, then click Done > OK.

Supervisor right to the container where the server will be installed

  1. Browse to the container where the subcontainer administrator will install the server.

  2. Click the container object and select Modify Trustees.

  3. Click Add Trustee, browse to and select the subcontainer administrator, then click OK.

  4. Click the Assigned Rights link for the administrator object.

  5. For the [All Attributes Rights] and [Entry Rights] properties, select Supervisor, then click Done > OK > OK.

Supervisor right to the W0 object located inside the KAP object in the Security container

  1. Browse to Security > KAP.

  2. In KAP, click W0 and select Modify Trustees.

  3. Click Add Trustee, browse to and select the subcontainer administrator, then click OK.

  4. Click the Assigned Rights link for the administrator object.

  5. For the [All Attributes Rights] and [Entry Rights] properties, select Supervisor, then click Done > OK > OK.

Supervisor right to the Security container when installing the NMAS login methods

If the subcontainer administrator will install the NMAS login methods:

  1. Browse to and select Security.

  2. Select Modify Trustees.

  3. Click Add Trustee, browse to and select the subcontainer administrator, then click OK.

  4. Click the Assigned Rights link for the administrator object.

  5. For the [All Attributes Rights] and [Entry Rights] properties, select Supervisor, then click Done > OK > OK.

Create right to its own container (context)

  1. Browse to and select the container where you created the subcontainer administrator.

  2. Select Modify Trustees.

  3. Click Add Trustee, browse to and select the subcontainer administrator, then click OK.

  4. Click the Assigned Rights link for the administrator object.

  5. For the [Entry Rights] property, select Create, then click Done > OK > OK.

Create right to the container where the UNIX Config object is located

  1. Browse to and select the container where the UNIX Config object is located. By default, this is the Organization object.

  2. Select Modify Trustees.

  3. Click Add Trustee, browse to and select the subcontainer administrator, then click OK.

  4. Click the Assigned Rights link for the administrator object.

  5. For the [Entry Rights] property, select Create, then click Done > OK > OK.

Read right to the Security container object for the eDirectory tree

This is not needed if the Supervisor right was assigned because of NMAS.

If the subcontainer administrator won’t install the NMAS login methods, do the following:

  1. Browse to and select Security.

  2. Select Modify Trustees.

  3. Click Add Trustee, browse to and select the subcontainer administrator, then click OK.

  4. Click the Assigned Rights link for the administrator object.

  5. For the [All Attributes Rights] property, select Read, then click Done > OK > OK.

Read right to the NDSPKI:Private Key attribute on the Organizational CA object (located in the Security container)

  1. Browse to Security and select the Organizational CA object.

  2. Select Modify Trustees.

  3. Click Add Trustee, browse to and select the subcontainer administrator, then click OK.

  4. Click the Assigned Rights link for the administrator object.

  5. Click the Add Property button.

  6. Select NDSPKI:Private Key, then click OK.

    The Read right should be automatically assigned.

  7. Click Done > OK > OK.

Read and Write rights to the UNIX Config object

  1. Browse to and select the UNIX Config object.

  2. Select Modify Trustees.

  3. Click Add Trustee, browse to and select the subcontainer administrator, then click OK.

  4. Click the Assigned Rights link for the administrator object.

  5. For the [All Attributes Rights] property, select Write (Read is already selected), then click Done > OK > OK.

Write right to the [All Attributes Rights] property for the admingroup object

  1. Browse to and select the admingroup object.

  2. Select Modify Trustees.

  3. Click Add Trustee, browse to and select the subcontainer administrator, then click OK.

  4. Click the Assigned Rights link for the administrator object.

  5. For the [All Attributes Rights] property, select Write (Compare and Read are already selected), then click Done > OK > OK.
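Added example (not part of the OES documentation): after assigning the rights in Table 2-2, a least-privilege check can compare the explicit trustee assignments exported from the tree with what the table calls for, and flag anything missing or beyond it. The sketch assumes ACL values in the form privileges#scope#trustee#property and the rights bit masks shown in the code; the DNs, the sample ACL values, and the function names are constructed for illustration, and only a subset of the table rows is modeled.

```python
# Assumed eDirectory rights bit masks; confirm against your eDirectory docs.
ENTRY_BITS = {1: "Browse", 2: "Create", 4: "Delete", 8: "Rename", 16: "Supervisor"}
ATTR_BITS = {1: "Compare", 2: "Read", 4: "Write", 8: "Add Self", 32: "Supervisor"}

def decode(value):
    """Parse 'mask#scope#trustee#property' into (trustee, property, rights)."""
    mask, _scope, rest = value.split("#", 2)
    trustee, prop = rest.rsplit("#", 1)
    bits = ENTRY_BITS if prop.lower() == "[entry rights]" else ATTR_BITS
    return trustee.lower(), prop.lower(), {n for b, n in bits.items() if int(mask) & b}

def audit(acls, trustee, expected):
    """Compare a trustee's explicit ACL grants with the expected rights."""
    actual = {}
    for obj, values in acls.items():
        for value in values:
            who, prop, granted = decode(value)
            if who == trustee.lower():
                actual.setdefault((obj, prop), set()).update(granted)
    wanted = {(obj, prop.lower()): r for (obj, prop), r in expected.items()}
    findings = []
    for key in sorted(set(actual) | set(wanted)):
        have, want = actual.get(key, set()), wanted.get(key, set())
        # Supervisor implies every other right on that property.
        extra = set() if "Supervisor" in want else have - want
        lacking = set() if "Supervisor" in have else want - have
        if extra:
            findings.append(("EXCESS", *key, sorted(extra)))
        if lacking:
            findings.append(("MISSING", *key, sorted(lacking)))
    return findings

# Constructed sample: hypothetical DNs, subset of the Table 2-2 rows.
ADMIN = "cn=subadmin,ou=branch,o=example"
EXPECTED = {
    (ADMIN, "[All Attributes Rights]"): {"Supervisor"},
    ("ou=servers,ou=branch,o=example", "[Entry Rights]"): {"Supervisor"},
    ("ou=branch,o=example", "[Entry Rights]"): {"Create"},
    ("cn=UNIX Config,o=example", "[All Attributes Rights]"): {"Read", "Write"},
}
ACLS = {
    ADMIN: [f"32#entry#{ADMIN}#[All Attributes Rights]"],
    "ou=servers,ou=branch,o=example": [f"31#subtree#{ADMIN}#[Entry Rights]"],
    "ou=branch,o=example": [f"2#entry#{ADMIN}#[Entry Rights]"],
    "cn=UNIX Config,o=example": [f"2#entry#{ADMIN}#[All Attributes Rights]"],
    "o=example": [f"16#subtree#{ADMIN}#[Entry Rights]",
                  "1#subtree#[Public]#[Entry Rights]"],
}
```

Calling audit(ACLS, ADMIN, EXPECTED) on the sample reports the missing Write right on the UNIX Config object and the unexpected Supervisor entry right at o=example. The check covers explicit assignments only, not inherited rights; when rights are assigned to a Group or Role, as the section above describes, pass that object's DN as the trustee.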

When you install DNS/DHCP into an existing tree with DNS/DHCP, see the following additional guidelines:

2.4.2 Providing Required Rights to the Subcontainer Administrator for Installing and Managing Samba

Before installing any new OES Samba server in a tree, ensure that the subcontainer administrator has Supervisor rights to the locations listed in Table 2-3.

Table 2-3 Subcontainer Administrator Rights Needed to Manage Samba

Rights Needed

Sample Steps to Follow

Supervisor rights to the container where the Linux workstation object will be located

  1. In iManager, click View Objects, then browse to and select the container where the OES Samba server will be installed.

  2. Click Actions > Modify Trustees.

  3. On the Modify Trustees page, click Assigned Rights next to the trustee name for which you want to modify rights.

  4. Click the desired container admin object to add it to the Selected Objects section.

  5. Click OK.

  6. Select the Property Name rights ([All Attributes Rights] and [Entry Rights]) and assign Supervisor rights, then click Done.

Supervisor rights to the container where the UNIX Config object will be located

  1. In Novell iManager, click View Objects, then in the Tree, browse to and select the container where the UNIX Config object is located.

  2. Select the UNIX Config object, then click Actions > Modify Trustees.

  3. On the Modify Trustees page, click Assigned Rights next to the trustee name for which you want to modify rights.

  4. Click the desired container admin object to add it to the Selected Objects section.

  5. Click OK.

  6. Select the Property Name rights ([All Attributes Rights] and [Entry Rights]) and assign Supervisor rights, then click Done.

Supervisor rights to the container where the Samba/LDAP base context will be located

  1. In Novell iManager, click View Objects, then in the Tree, browse to and select the container where the Samba/LDAP base context will reside.

  2. Select the Current Level tree object, then click Actions > Modify Trustees.

  3. On the Modify Trustees page, click Assigned Rights next to the trustee name for which you want to modify rights.

  4. Click the desired container admin object to add it to the Selected Objects section.

  5. Click OK.

  6. Select the Property Name rights ([All Attributes Rights] and [Entry Rights]) and assign Supervisor rights, then click Done.

Supervisor rights to the container where the Samba proxy user will be installed

  1. In Novell iManager, click View Objects, then in the Tree, browse to and select the container where the Samba proxy user context will be installed.

  2. Select the Samba proxy object, then click Actions > Modify Trustees.

  3. On the Modify Trustees page, click Assigned Rights next to the trustee name for which you want to modify rights.

  4. Click the desired container admin object to add it to the Selected Objects section.

  5. Click OK.

  6. Select the Property Name rights ([All Attributes Rights] and [Entry Rights]) and assign Supervisor rights, then click Done.

2.4.3 Starting a New Installation as a Subcontainer Administrator

You can install a new OES server into an existing tree as a subcontainer administrator if you have the following:

When you reach the eDirectory Configuration - Existing Tree page, enter your fully distinguished name (FDN) and password. After verifying your credentials, the installation proceeds normally.

2.4.4 Adding/Configuring OES Services as a Different Administrator

To add or configure OES services on an OES server that another administrator installed, see Adding/Configuring OES Services on a Server That Another Administrator Installed.