The implementation of a common proxy user in OES 11 SP3 addresses the following administrative needs:
Limit the Number of Proxy Users: By default, the number of proxy users in an eDirectory tree can quickly become quite large. And even though proxy users don’t consume user license connections, many administrators are disconcerted by the sheer number of objects to manage and track.
Common proxy users reduce the default number of proxy users from one per service to basically one per OES 11 SP3 server.
Accommodate Password Security Policies: Many organizations have security policies that require periodic password changes. Some administrators are overwhelmed by having to manually track all proxy users, change their passwords, and restart the affected services after every change.
Common proxy users have their passwords automatically generated by default and changed at whatever interval is required. Services are restarted as needed with no manual intervention required.
Prevent Password Expiration: When proxy user passwords expire, OES 11 SP3 services are interrupted, leading to network user frustration and administrator headaches.
Automatic password management for common proxy users ensures that services are never disrupted because of an expired password.
In OES 2 SP3 and later, the eDirectory communication functionality that was previously performed by the designated NCS administrator, has been separated out so that it can now be performed by a system user if so desired.
This aligns NCS functionality with other OES services that use proxy (system) users for similar functions. For more information, see OES 11 SP3: Novell Cluster Services for Linux Administration Guide.
The following OES services are automatically configured at install time by default to use your Common Proxy User (if specified):
Novell Cluster Services
The following OES service can be configured at install time to use your Common Proxy User (if specified):
Linux User Management (having a proxy user is optional)
The following services that use proxy users do not leverage the Common Proxy user for the reasons listed:
Archive and Version Services
This service uses the installing administrator as in the past. The user’s credentials are written in the CASA/password files or databases.
Samba proxy password requirements are not a good fit with the Common Proxy user. The user’s credentials are written in the CASA/password files or databases.
Novell Storage Services
This requires full rights to administer NSS and continues to require a system-named user with a system-generated password.
The common proxy user is designed and configured to be the common proxy for the OES services on a single server. Each subsequent new server needs a separate and distinct common proxy created for its services.
The Common Proxy User Name cannot be changed at install time and should not be manually changed later. Best practices dictate that each proxy user name reflect the name of the server it is associated with.
The context can be changed at install time. However, eDirectory best practices suggest that object locations within the tree reflect the object purpose and scope of influence or function. For this reason, the OES install proposes the same context that you specify for the server, for its associated common proxy as well.
You can change the services running on an upgraded OES 11 SP3 server to leverage a Common Proxy user. See Assigning the Common Proxy to Existing Services.
iFolder must not be configured to use a Common Proxy on a cluster node.
Common proxy users are eDirectory objects and can therefore be managed via iManager. However, after the initial setup is complete, there should generally be no reason for OES administrators to directly manage Common Proxy users.
Use the information in the following sections to understand and implement common proxy user management.
You can assign the common proxy user to any of the services listed in Services That Can Leverage the Common Proxy User using the move_to_common_proxy.sh script on your OES 11 SP3 server. In fact, if you have upgraded from SP2 and the server doesn’t have a common proxy user associated with it, simply running the script will create and configure the proxy user and assign the services you specify.
In the /opt/novell/proxymgmt/bin folder, run the following command:
where the service entries are OES service names: novell-cifs, novell-dns, novell-dhcp, novell-iFolder, novell-netstorage, novell-lum, and/or novell-nc.
You have upgraded server myserver, which is located in o=novell and uses IP address 10.10.10.1, from OES 2 SP3 to OES 11 SP3.
The secure LDAP port for the server is 636.
Your eDirectory Admin user FQDN is cn=admin,o=novell.
Your Admin password is 123abc.
You want to create a common proxy user and assign it as the common proxy for the Novell DNS and DHCP services running on the server.
Therefore, you enter the following commands:
./move_to_common_proxy.sh -d cn=admin,o=novell -w 123abc -i 10.10.10.1 -p 636 -s novell-dhcp,novell-dns
User cn=OESCommonProxy_myserver,o=novell is created with a system-generated password and assigned the Common Proxy Policy password policy. The DNS and DHCP services are configured to be serviced by the Common Proxy user.
You can configure your server so that your proxy users are regularly assigned new system-generated passwords by doing the following:
Open the file /etc/opt/novell/proxymgmt/proxy_users.conf in a text editor.
List the FQDN of each proxy user on the server that you want to automatic password management set up for.
For example you might insert the following entries:
IMPORTANT:Users listed here must not be listed in the proxy_users.conf file on any other servers in the tree.
Save the file.
Enter the following commands:
change_proxy_pwd.sh -A Yes
By default, the crontab job will run every 30 days.