4.1 Cluster Administration Requirements

You use different credentials to install and set up the cluster and to manage the cluster. This section describes the tasks performed and rights needed for those roles.

4.1.1 Cluster Installation Administrator

Typically, a tree administrator user installs and sets up the first cluster in a tree, which allows the schema to be extended. However, the tree administrator can extend the schema separately, and then set up the necessary permissions for a container administrator to install and configure the cluster.

NOTE: If the eDirectory administrator user name or password contains special characters (such as $, #, and so on), some interfaces in iManager and YaST might not handle the special characters. If you encounter problems, try escaping each special character by preceding it with a backslash (\) when you enter credentials.

eDirectory Schema Administrator

A tree administrator user with credentials to do so can extend the eDirectory schema before a cluster is installed anywhere in a tree. Extending the schema separately allows a container administrator to install a cluster in a container in that same tree without needing full administrator rights for the tree.

For instructions, see Section 5.2, Extending the eDirectory Schema to Add Cluster Objects.

IMPORTANT: It is not necessary to extend the schema separately if the installer of the first cluster server in the tree has the eDirectory rights necessary to extend the schema.

Container Administrator

After the schema has been extended, the container administrator (or non-administrator user) needs the following eDirectory rights to install Novell Cluster Services:

  • Attribute Modify rights on the NCP Server object of each node in the cluster.

  • Object Create rights on the container where the NCP Server objects are.

  • Object Create rights where the cluster container will be.

For instructions, see Section 5.3, Assigning Install Rights for Container Administrators (or Non-Administrator Users).

4.1.2 NCS Proxy User

During the cluster configuration, you must specify an NCS Proxy User. This is the user name and password that Novell Cluster Services uses when the cluster management tools exchange information with Novell eDirectory.

In OES 2 SP2 Linux and earlier, the NCS Proxy User was typically the LDAP administrator user name that was specified when setting up the server. You could alternately specify a user with sufficient rights to perform the installation and configuration tasks as specified in Container Administrator. You used this identity until the cluster and resources were configured, then set up a different user identity to use as the NCS Proxy User instead of continuing to use the LDAP administrator identity.

Beginning in OES 2 SP3, Novell Cluster Services supports the OES Common Proxy User enablement feature of Novell eDirectory 8.8.6. If the Common Proxy user is enabled in eDirectory when you configure the cluster, you can specify whether to use the Common Proxy user, the LDAP Admin user, or another administrator user. The specified user is automatically assigned to the NCS_Management group that resides in the Cluster object container. This accommodates the server-specific common user for each of the nodes. As a group member, the assigned user has the necessary rights for configuring the cluster and cluster resources and for exchanging information with eDirectory.

After the install, you can change the default administrator user name or password for the user identity that is assigned as the NCS Proxy User by following the procedure in Section 8.9, Moving a Cluster, or Changing IP Addresses, LDAP Server, or Administrator Credentials for a Cluster.

Consider the following caveats for the three proxy user options:

OES Common Proxy User

If you specify the OES Common Proxy user for a cluster and later disable the Common Proxy user in eDirectory, the LDAP Admin user is automatically assigned to the NCS_Management group and the Common Proxy user is automatically removed from the group.

If a proxy user is renamed, moved, or deleted in eDirectory, eDirectory takes care of the changes needed to modify the user information in the NCS_Management group.

If a cluster node is removed from the tree, the proxy user for that server is among the group of cluster objects that needs to be deleted from the eDirectory tree.

For information about enabling or disabling the OES Common Proxy User, see the OES 2 SP3: Installation Guide. For caveats and troubleshooting information for the OES Common Proxy user, see the OES 2 SP3: Planning and Implementation Guide.

LDAP Admin User

If you specify the LDAP Admin user as the NCS Proxy User, you typically continue using this identity while you set up the cluster and cluster resources. After the cluster configuration is completed, you create another user identity to use for this purpose, and grant that user sufficient administrator rights as specified in Cluster Administrator or Administrator-Equivalent User.

Another Administrator User

You can specify an existing user name and password to use for the NCS Proxy user. Novell Cluster Services adds this user name to the NCS_Management group.
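The following added example (not part of the Novell documentation) checks whether the LDAP Admin identity is still a member of the NCS_Management group after cluster configuration is complete, which is the state the LDAP Admin User caveat above says to move away from. It assumes the group entry has been exported as LDIF and lists its members in the standard LDAP `member` attribute; all DNs in the sample are hypothetical.

```python
import base64

# Constructed sample (not from the page): an LDIF export of the group entry.
# All DNs are hypothetical. The second member is base64-encoded ("::") and
# the third is folded onto a continuation line; LDIF permits both.
SAMPLE_LDIF = """\
dn: cn=NCS_Management,cn=cluster1,o=example
objectClass: groupOfNames
member: cn=OESCommonProxy_node1,ou=servers,o=example
member:: Y249YWRtaW4sbz1leGFtcGxl
member: cn=clusteradmin,ou=ser
 vices,o=example
"""

def unfold(ldif):
    """Join LDIF continuation lines (lines that begin with one space)."""
    lines = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def group_members(ldif):
    """Return every member DN found in the LDIF text, decoded."""
    members = []
    for line in unfold(ldif):
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "member":
            continue
        if value.startswith(":"):  # "member:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        members.append(value.strip())
    return members

def normalize(dn):
    """Comparison key: lower-case, no spaces around the RDN separators."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def admin_still_proxy(ldif, admin_dn):
    """Return group members that are the given LDAP admin DN."""
    key = normalize(admin_dn)
    return [m for m in group_members(ldif) if normalize(m) == key]

if __name__ == "__main__":
    print(admin_still_proxy(SAMPLE_LDIF, "cn=admin,o=example"))
```

A non-empty result means the LDAP Admin identity is still in the group and has not yet been replaced by a dedicated proxy user.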

4.1.3 Cluster Administrator or Administrator-Equivalent User

After the install, you can add other users (such as the tree administrator) as administrator equivalent accounts for the cluster by configuring the following for the user account:

  • Give the user the Supervisor right to the Server object of each of the servers in the cluster.

  • Linux-enable the user account with Linux User Management.

  • Make the user a member of a LUM-enabled administrator group that is associated with the servers in the cluster.