H.2 Understanding Proxy Users

The subject of OES proxy users is somewhat complex. Therefore, it’s a good idea to understand the basics before planning your implementation strategy.

IMPORTANT: The information in the following sections only answers security questions and provides general information. It is not intended to be used for the manual configuration of proxy users.

H.2.1 What Are Proxy Users?

As the name implies, proxy users are user objects that perform functions on behalf of OES services.

Proxy user accounts do not represent people. Rather, they are eDirectory objects that provide very specific and limited functionality to OES services. Generally, this includes only retrieving service-related information, such as user passwords and service attributes, but sometimes proxy users also write service information in eDirectory.

Many but not all OES services rely on proxy users to run on Linux (see Which Services Require Proxy Users and Why?). Proxy user creation and/or configuration is therefore an integral part of configuring OES.

None of the OES services require that you specify proxy user information during the OES installation, but some, such as AFP, DNS/DHCP, CIFS, and iFolder, give you the option to do so. Others, such as NCS and NSS, create proxy users without user input.

H.2.2 Why Are Proxy Users Needed on OES?

OES provides the Novell services that were previously only available on NetWare.

To make its services available on Linux, Novell had to accommodate a fundamental difference between the way services run on NetWare and the way they run on Linux.

  • NetWare Services: The NetWare operating system and eDirectory are tightly integrated. This allows the services (NLMs) on NetWare to assume the identity of a server object in eDirectory, thus gaining access to the other objects and information in eDirectory that are needed for the services to run.

  • OES Services: eDirectory also runs very well on OES, and it provides the infrastructure on which OES services rely, but it is not integrated with the Linux operating system.

    On Linux servers, there is no concept of a service, such as Apache or iFolder, running as a server object. Instead, each service runs using a User ID (uid) and a Group ID (gid) that the Linux server recognizes as being valid.

H.2.3 Which Services Require Proxy Users and Why?

The following services utilize a proxy user.

Table H-3 Proxy Users Functions Listed by Service

| Associated Service | Example Proxy User Name | Services That the User Provides |
|---|---|---|
| AFP | OESCommonProxy_hostname or AfpProxyUser-servername | Retrieves AFP user information. |
| CIFS | OESCommonProxy_hostname or CifsProxyUser-servername | Retrieves CIFS user information. |
| Clustering (NCS) | OESCommonProxy_hostname or installing admin user | The clustering administrator and the proxy user can be two separate users. For more information, see OES Common Proxy User in the OES 2015 SP1: Novell Cluster Services for Linux Administration Guide. |
| DHCP | OESCommonProxy_hostname or DHCP_LDAP_Proxy | Lets the service access DHCP objects in eDirectory. |
| DNS | OESCommonProxy_hostname or DNS_Proxy | Lets the service access DNS objects in eDirectory. |
| iFolder 3 | OESCommonProxy_hostname or iFolderProxy. IMPORTANT: The Common Proxy user cannot be used if iFolder is running on a cluster node. | Connects to the eDirectory server and retrieves the following information: modifytimestamp, cn, mail, sn, GUID, givenName, member. |
| Linux User Management | OESCommonProxy_hostname or LUM_proxy | Searches the tree for LUM users. |
| NetStorage | OESCommonProxy_hostname or NetStorage_Proxy | Performs LDAP searches for users logging into NetStorage. |
| NSS | server_nameadmin | Reads user objects and maintains the volume, pool, and other storage system objects. This user performs some of the same functions as proxy users do for other services. However, unlike other OES services that can share proxy users, NSS requires a unique proxy user for each server. |
| Samba (Novell) | server_name-SambaProxy | Searches the LDAP tree (eDirectory) for Samba users. |

H.2.4 What Rights Do Proxy Users Have?

Each OES service’s YaST installation automatically adds the required rights to the proxy user specified for the service.

Unless otherwise specified, each of the following users has the standard set of user rights in eDirectory:

  • Self:

    Login Script:

      Read Write, Not inheritable

    Print Job Configuration:

      Read Write, Not inheritable

    [All Attribute Rights]:

      Read, Inheritable

  • [Public]:

    Message Server:

      Read, Not inheritable

  • [Root]:

    Group Membership:

      Read, Not inheritable

    Network Address:

      Read, Not inheritable

In addition, each proxy user is granted additional rights as summarized in Table H-4.

Table H-4 Proxy Users Rights

| Associated Service | Example Proxy User Name | Default Rights Granted |
|---|---|---|
| AFP | AfpProxyUser-servername | This proxy user has Compare and Read rights to the specified AFP user search context. |
| CIFS | CifsProxyUser-servername | This proxy user has Compare and Read rights to the specified CIFS user search context. |
| Clustering (NCS) | OESCommonProxy_hostname or installing admin user | The proxy user has rights (granted through membership in the NCS_Management group) to communicate with eDirectory on behalf of the clustering service. |
| DHCP | DHCP_LDAP_Proxy | No rights are assigned directly, but membership in the DHCPGroup, which does have assigned rights, provides the rights it needs. |
| DNS | DNS_Proxy | No rights are assigned directly, but membership in the DNS-DHCPGroup, which does have assigned rights, provides the rights it needs. |
| iFolder 3 | iFolderProxy | Additional eDirectory rights include: [Entry Rights]: Browse (LDAP ACL representation: 1#subtree#iFolderProxy#); [All Attributes Rights]: Read, Compare (LDAP ACL representation: 3#subtree#iFolderProxy#). |
| Linux User Management | LUM_proxy | If created, this proxy user has Search rights on Unix Config & Unix Workstation Objects. |
| NetStorage | NetStorage_Proxy | Additional eDirectory rights: [Entry Rights]: Browse (LDAP ACL representation: 1#subtree#NetStorage_Proxy#); [All Attributes Rights]: Read, Compare (LDAP ACL representation: 3#subtree#NetStorage_Proxy#). |
| NSS | server_nameadmin | Additional eDirectory rights: Supervisor right to the container it was created in. |
| Samba (Novell) | server_name-SambaProxy | The Universal Password policy associated with the Samba users grants this proxy user the right to retrieve user passwords. Additional eDirectory rights: Rights to itself – Supervisor attribute right; Rights to the OU where it is located: All Attribute rights – Read Write; Entry rights – Browse Create; samba* – Create Read Write. |
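
The LDAP ACL representations in Table H-4 can be used to check that a proxy user still holds only its default rights. The following is an added example, not code from the OES documentation: it decodes ACL values and flags entries for iFolderProxy or NetStorage_Proxy that exceed the defaults above. It assumes the full four-field form privileges#scope#subject#protected-attribute (the table shows the first three fields), a hypothetical tree o=example, and bit meanings beyond Browse=1 and Compare+Read=3 that should be confirmed against the eDirectory documentation.

```python
# Added example (not vendor code): audit proxy-user ACEs against Table H-4.
# Browse=1 and Compare|Read=3 match this page; the other bit meanings are
# assumptions to confirm against the eDirectory documentation.
ENTRY_BITS = {1: "Browse", 2: "Create", 4: "Delete", 8: "Rename", 16: "Supervisor"}
ATTR_BITS = {1: "Compare", 2: "Read", 4: "Write", 8: "Add Self", 32: "Supervisor"}

# Default masks from Table H-4: proxy user -> {protected attribute: mask}
BASELINE = {
    "iFolderProxy": {"[Entry Rights]": 1, "[All Attributes Rights]": 3},
    "NetStorage_Proxy": {"[Entry Rights]": 1, "[All Attributes Rights]": 3},
}

def right_names(mask, attr):
    """Translate a privilege mask into right names for the protected attribute."""
    table = ENTRY_BITS if attr == "[Entry Rights]" else ATTR_BITS
    names = [name for bit, name in sorted(table.items()) if mask & bit]
    unknown = mask & ~sum(table)  # bits this example does not name
    return names + ([f"unknown bits 0x{unknown:x}"] if unknown else [])

def parse_acl(value):
    """Split 'privileges#scope#subject#protected-attribute' into a dict."""
    parts = value.strip().split("#", 3)
    if len(parts) != 4 or not parts[0].isdigit():
        raise ValueError(f"not an LDAP ACL value: {value!r}")
    mask, scope, subject, attr = int(parts[0]), parts[1], parts[2], parts[3]
    return {"mask": mask, "scope": scope, "subject": subject, "attr": attr,
            "rights": right_names(mask, attr)}

def audit(acl_values):
    """Return (ace, reason) for each proxy-user ACE that exceeds its baseline."""
    findings = []
    for ace in map(parse_acl, acl_values):
        # 'cn=iFolderProxy,o=example' -> 'iFolderProxy'; bare names pass through
        name = ace["subject"].split(",", 1)[0].split("=", 1)[-1]
        if name not in BASELINE:
            continue  # subject is not a proxy user covered by the baseline
        limit = BASELINE[name].get(ace["attr"])
        if limit is None:
            findings.append((ace, "attribute outside the documented defaults"))
        elif ace["mask"] & ~limit:
            extra = right_names(ace["mask"] & ~limit, ace["attr"])
            findings.append((ace, "extra rights: " + ", ".join(extra)))
    return findings

# Constructed sample ACL values (hypothetical tree o=example)
SAMPLE = [
    "1#subtree#cn=iFolderProxy,o=example#[Entry Rights]",
    "3#subtree#cn=iFolderProxy,o=example#[All Attributes Rights]",
    "7#subtree#cn=NetStorage_Proxy,o=example#[All Attributes Rights]",
    "17#subtree#cn=admin,o=example#[Entry Rights]",
]
```

Calling audit(SAMPLE) reports only the NetStorage_Proxy entry, whose mask of 7 adds Write to the documented Read and Compare.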