The implementation of a common proxy user in OES 2 SP3 addresses the following administrative needs:
Limit the Number of Proxy Users: By default, the number of proxy users in an eDirectory tree can quickly become quite large. And even though proxy users don’t consume user license connections, many administrators are disconcerted by the sheer number of objects to manage and track.
Common proxy users reduce the default number of proxy users from one per service to basically one per OES 2 SP3 server.
Accommodate Password Security Policies: Many organizations have security policies that require periodic password changes. Some administrators are overwhelmed by having to manually track all proxy users, change their passwords, and restart the affected services after every change.
Common proxy users can have their passwords automatically generated and changed at whatever interval is required. Services are restarted as needed with no manual intervention required.
Prevent Password Expiration: When proxy user passwords expire, OES 2 services are interrupted, leading to network user frustration and administrator headaches.
Automatic password management for common proxy users ensures that services are never disrupted because of an expired password.
For SP3, the eDirectory communication functionality that was previously performed by the designated NCS administrator has been separated out so that it can now be performed by a system user if desired. This aligns NCS functionality with other OES services that use proxy (system) users for similar functions. For more information, see OES Common Proxy User in the OES 2 SP3: Novell Cluster Services 1.8.8 Administration Guide for Linux.
The following OES services are automatically configured at install time by default to use your Common Proxy User (if specified):
Novell CIFS
Novell Cluster Services
Novell DNS
Novell DHCP
Novell iFolder
Novell NetStorage
The following OES service can be configured at install time to use your Common Proxy User (if specified):
Linux User Management (having a proxy user is optional)
The following services that use proxy users do not leverage the Common Proxy user for the reasons listed:
| Service | Reason |
|---|---|
| Archive and Version Services | This service uses the installing administrator, as in the past. |
| Novell AFP | The need for an AFP proxy user has been eliminated in OES 2 SP3 due to a new NMAS method used for client authentication. |
| Novell Samba | Samba proxy password requirements are not a good fit with the Common Proxy user. |
| Novell Storage Services | This requires full rights to administer NSS and continues to require a system-named user with a system-generated password. |
No.
The common proxy user is designed and configured to be the common proxy for the OES services on a single server. Each subsequent new server needs a separate and distinct proxy created for its services.
Yes.
However, best practice suggests that eDirectory object names and locations within the tree reflect the object purpose and scope of influence or function. For this reason, the default Common Proxy User name is OESCommonProxy_hostname, where hostname is the name of the OES server being installed, and the default eDirectory context is the same as for the server for which the common proxy is created.
IMPORTANT: If you specify a different context from the server, the Organizational Unit that you specify must already exist in eDirectory. Otherwise, the server installation will fail, and you’ll need to start over.
You can change the services running on an OES 2 server that has been upgraded to OES 2 SP3 to leverage a Common Proxy user. See Assigning the Common Proxy to Existing Services.
Yes.
iFolder must not be configured to use a Common Proxy on a cluster node.
Common proxy users are eDirectory objects and can therefore be managed via iManager. However, after the initial setup is complete, there should generally be no reason for OES administrators to directly manage Common Proxy users.
Use the information in the following sections to understand and implement common proxy user management.
The Common Proxy user management scripts communicate with eDirectory using port 636 only. See the instructions in Installing OES 2 SP3 as a New Installation in the OES 2 SP3: Installation Guide.
You can assign the common proxy user to any of the services listed in Services That Can Leverage the Common Proxy User using the move_to_common_proxy.sh script on your OES 2 SP3 server. In fact, if you have upgraded from SP2 and the server doesn’t have a common proxy user associated with it, simply running the script will create and configure the proxy user and assign the services you specify.
In the /opt/novell/proxymgmt/bin folder, run the following command:
./move_to_common_proxy.sh service1,service2
where the service entries are OES service names.
Example scenario:
You have upgraded server myserver, which is located in o=novell and uses IP address 10.10.10.1, from SP2 to SP3.
The secure LDAP port for the server is 636.
You are installing the server as the eDirectory Admin user, and your LDAP user FQDN is cn=admin,o=novell.
Your Admin password is 123abc.
You want to create a common proxy user and assign it as the common proxy for the Novell DNS and DHCP services running on the server.
Therefore, you enter the following commands:
cd /opt/novell/proxymgmt/bin
./move_to_common_proxy.sh -d cn=admin,o=novell -w 123abc -i 10.10.10.1 -p 636 -s novell-dhcp,novell-dns
User cn=OESCommonProxy_myserver.o=novell is created with a system-generated password and assigned the Common Proxy Policy password policy. The DNS and DHCP services are configured to be serviced by the Common Proxy user.
NOTE: Running the move_to_common_proxy.sh script automatically enables automatic changing of proxy user passwords. This feature is explained in the next section, Changing Proxy Passwords Automatically.
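In the scenario above the Admin password (123abc) is typed directly on the command line, where it is recorded in the shell history of the administrator's session. The following POSIX shell wrapper is an added example (not part of the OES documentation or the Novell script) that invokes move_to_common_proxy.sh with exactly the flags shown in the scenario while reading the password from a file that must be readable by its owner alone, checking the service list before it is passed on, and logging the invocation with the password redacted. The PROXYMGMT_BIN variable, the password-file convention and the DRY_RUN switch are assumptions of this example, not options of the Novell script.

```shell
#!/bin/sh
# Added example, not part of the OES documentation. Wraps move_to_common_proxy.sh
# so that the eDirectory Admin password is read from a protected file instead of
# being typed on the command line (where it would land in shell history).
# Only the script flags shown in the documented scenario are used (-d -w -i -p -s).
# PROXYMGMT_BIN, the password-file convention and DRY_RUN are assumptions of
# this example.
PROXYMGMT_BIN="${PROXYMGMT_BIN:-/opt/novell/proxymgmt/bin}"

# Check a comma-separated service list: every entry must be a plain token such
# as novell-dns, so nothing unexpected is handed to the script. Returns 0 or 1.
validate_services() {
    if echo "$1" | tr ',' '\n' | grep -qvE '^[a-z0-9][a-z0-9-]*$'; then
        return 1
    fi
    return 0
}

# Print the first line of the password file, but only if the file is readable
# by its owner alone (mode 600 or 400); group- or world-readable files are refused.
read_admin_password() {
    perms=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    case "$perms" in
        600|400) head -n 1 "$1" ;;
        *) return 1 ;;
    esac
}

# Usage: move_to_common_proxy ADMIN_DN SERVER_IP LDAP_PORT SERVICES PASSWORD_FILE
# Logs the invocation with the password redacted, then runs the documented
# command. With DRY_RUN=1 the command is logged but not executed.
move_to_common_proxy() {
    admin_dn="$1"; server_ip="$2"; ldap_port="$3"; services="$4"; pwfile="$5"
    validate_services "$services" || { echo "rejected service list: $services" >&2; return 2; }
    admin_pw=$(read_admin_password "$pwfile") || { echo "password file must be mode 600 or 400: $pwfile" >&2; return 3; }
    echo "move_to_common_proxy.sh -d $admin_dn -w **** -i $server_ip -p $ldap_port -s $services" >&2
    [ "${DRY_RUN:-0}" = 1 ] && return 0
    ( cd "$PROXYMGMT_BIN" && ./move_to_common_proxy.sh -d "$admin_dn" -w "$admin_pw" \
        -i "$server_ip" -p "$ldap_port" -s "$services" )
}
```

For the documented scenario the call is `move_to_common_proxy cn=admin,o=novell 10.10.10.1 636 novell-dhcp,novell-dns /root/.edir-admin-pw` (the password-file path is illustrative). The Novell script still receives the password through its -w flag, so it remains visible in the process list for as long as the script runs; the wrapper only keeps it out of typed commands, history files and the wrapper's own log line.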
You can configure your server so that your proxy users are regularly assigned new system-generated passwords by doing the following:
Open the file /etc/opt/novell/proxymgmt/proxy_users.conf in a text editor.
List the FQDN of each proxy user on the server for which you want automatic password management set up.
For example, you might insert the following entries:
IMPORTANT: Users listed here must not be listed in the proxy_users.conf file on any other servers in the tree.
Save the file.
Enter the following commands:
cd /opt/novell/proxymgmt/bin
change_proxy_pwd.sh -A Yes
By default, the crontab job will run every 30 days.
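The procedure above has two points where an administrator can slip: a malformed or duplicate entry in proxy_users.conf, and the rule that a proxy user listed on one server must not appear in the file on any other server in the tree. The following POSIX shell functions are an added example (not part of the OES documentation) that add entries idempotently, reject names that are not DN-shaped, and compare copies of proxy_users.conf collected from several servers for overlaps before automatic password changes are enabled. They assume one proxy user FQDN per line (the documentation lists FQDNs but shows no sample entries) and let the file and script paths be overridden so the checks can be exercised against scratch copies.

```shell
#!/bin/sh
# Added example, not part of the OES documentation. Maintains the
# proxy_users.conf list used by automatic password management. Assumptions of
# this example: the file holds one proxy user FQDN per line, and the paths can
# be overridden so the functions can be exercised against scratch copies.
PROXY_USERS_CONF="${PROXY_USERS_CONF:-/etc/opt/novell/proxymgmt/proxy_users.conf}"
PROXYMGMT_BIN="${PROXYMGMT_BIN:-/opt/novell/proxymgmt/bin}"

# Accept only DN-shaped names: attribute=value pairs joined by '.' or ',',
# matching both forms seen on this page (cn=OESCommonProxy_myserver.o=novell
# and cn=admin,o=novell). Anything else is rejected before it reaches the file.
valid_fqdn() {
    echo "$1" | grep -qE '^[A-Za-z]+=[A-Za-z0-9_-]+([.,][A-Za-z]+=[A-Za-z0-9_-]+)*$'
}

# Append an FQDN unless it is already listed, so re-running a provisioning
# script never produces duplicate entries. Usage: add_proxy_user FQDN [CONF]
add_proxy_user() {
    fqdn="$1"; conf="${2:-$PROXY_USERS_CONF}"
    valid_fqdn "$fqdn" || { echo "rejected FQDN: $fqdn" >&2; return 2; }
    touch "$conf"
    grep -qxF "$fqdn" "$conf" && return 0
    echo "$fqdn" >> "$conf"
}

# Enforce the rule that a user listed here must not be listed in
# proxy_users.conf on any other server in the tree: given copies of the file
# collected from several servers, print each FQDN that occurs more than once
# and return 1; return 0 when the lists are disjoint.
find_overlaps() {
    dups=$(cat "$@" | grep -v '^[[:space:]]*$' | sort | uniq -d)
    [ -z "$dups" ] && return 0
    echo "$dups"
    return 1
}

# Turn on automatic password changes with the documented command; only
# attempted when the Novell script is actually installed on this host.
enable_auto_password_change() {
    [ -x "$PROXYMGMT_BIN/change_proxy_pwd.sh" ] || { echo "change_proxy_pwd.sh not found in $PROXYMGMT_BIN" >&2; return 1; }
    ( cd "$PROXYMGMT_BIN" && ./change_proxy_pwd.sh -A Yes )
}
```

A typical run copies each server's proxy_users.conf to a staging directory (for example with scp, one file per server), runs `find_overlaps staging/*.conf`, and only calls `enable_auto_password_change` once it returns 0; a reported overlap means two servers would both try to rotate the same user's password, which is exactly the situation the IMPORTANT note rules out.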