H.3 Common Proxy User

H.3.1 Common Proxy User FAQ

Why Would I Want to Specify Common Proxy Users?

The implementation of a common proxy user in OES 2015 SP1 addresses the following administrative needs:

  • Limit the Number of Proxy Users: By default, the number of proxy users in an eDirectory tree can quickly become quite large. And even though proxy users don’t consume user license connections, many administrators are disconcerted by the sheer number of objects to manage and track.

    Common proxy users reduce the default number of proxy users from one per service to basically one per OES 2015 SP1 server.

  • Accommodate Password Security Policies: Many organizations have security policies that require periodic password changes. Some administrators are overwhelmed by having to manually track all proxy users, change their passwords, and restart the affected services after every change.

    Common proxy users have their passwords automatically generated by default and changed at whatever interval is required. Services are restarted as needed with no manual intervention required.

  • Prevent Password Expiration: When proxy user passwords expire, OES 2015 SP1 services are interrupted, leading to network user frustration and administrator headaches.

    Automatic password management for common proxy users ensures that services are never disrupted because of an expired password.

Why Was a Proxy User Added to Novell Cluster Services?

In OES 2 SP3 and later, the eDirectory communication functionality that was previously performed by the designated NCS administrator, has been separated out so that it can now be performed by a system user if so desired.

This aligns NCS functionality with other OES services that use proxy (system) users for similar functions. For more information, see OES Common Proxy User in the OES 2015 SP1: Novell Cluster Services for Linux Administration Guide.

Which Services Can and Cannot Leverage the Common Proxy User?

Services That Can Leverage the Common Proxy User

The following OES services are automatically configured at install time by default to use your Common Proxy User (if specified):

  • Novell AFP

  • Novell CIFS

  • Novell Cluster Services

  • Novell DNS

  • Novell DHCP

  • Novell iFolder

  • Novell NetStorage

The following OES service can be configured at install time to use your Common Proxy User (if specified):

  • Linux User Management (having a proxy user is optional)

Services That Cannot Leverage the Common Proxy User

The following services that use proxy users do not leverage the Common Proxy user for the reasons listed:

Service

Reason

Novell Samba

Samba proxy password requirements are not a good fit with the Common Proxy user. The user’s credentials are written in the CASA/password files or databases.

Novell Storage Services

This requires full rights to administer NSS and continues to require a system-named user with a system-generated password.

Can a Common Proxy User Service Multiple Servers?

No.

The common proxy user is designed and configured to be the common proxy for the OES services on a single server. Each subsequent new server needs a separate and distinct common proxy created for its services.

Can I Change the Common Proxy User Name and Context?

The Common Proxy User Name cannot be changed at install time and should not be manually changed later. Best practices dictate that each proxy user name reflect the name of the server it is associated with.

The context can be changed at install time. However, eDirectory best practices suggest that object locations within the tree reflect the object purpose and scope of influence or function. For this reason, the OES install proposes the same context that you specify for the server, for its associated common proxy as well.

Can I Assign the Common Proxy User After Services Are Installed?

Yes. See Assigning the Common Proxy to Existing Services.

What About Upgraded Servers Using a Common Proxy?

You can change the services running on an upgraded OES 2015 SP1 server to leverage a Common Proxy user. See Assigning the Common Proxy to Existing Services.

Are There Important Limitations to Keep in Mind?

Yes.

iFolder must not be configured to use a Common Proxy on a cluster node.

H.3.2 Managing Common Proxy Users

Common proxy users are eDirectory objects and can therefore be managed via iManager. However, after the initial setup is complete, there should generally be no reason for OES administrators to directly manage Common Proxy users.

Use the information in the following sections to understand and implement common proxy user management.

Always Use LDAP Port 636 to Communicate with eDirectory

The Common Proxy user management scripts communicate with eDirectory using port 636 only. See the instructions in Installing OES 2015 SP1 as a New Installation in the OES 2015 SP1: Installation Guide).

Assigning the Common Proxy to Existing Services

You can assign the common proxy user to any of the services listed in Services That Can Leverage the Common Proxy User using the move_to_common_proxy.sh script on your OES 2015 SP1 server. In fact, if you have upgraded from SP2 and the server doesn’t have a common proxy user associated with it, simply running the script will create and configure the proxy user and assign the services you specify.

  1. In the /opt/novell/proxymgmt/bin folder, run the following command:

    ./move_to_common_proxy.sh service1,service2

    where the service entries are OES service names: novell-cifs, novell-dns, novell-dhcp, novell-iFolder, novell-netstorage, novell-lum, and/or novell-nc.

Example scenario:

  • You have upgraded server myserver, which is located in o=novell and uses IP address 10.10.10.1, from OES 2 SP3 to OES 2015 SP1.

  • The secure LDAP port for the server is 636.

  • Your eDirectory Admin user FQDN is cn=admin,o=novell.

  • Your Admin password is 123abc.

  • You want to create a common proxy user and assign it as the common proxy for the Novell DNS and DHCP services running on the server.

  • Therefore, you enter the following commands:

    cd /opt/novell/proxymgmt/bin

    ./move_to_common_proxy.sh -d cn=admin,o=novell -w 123abc -i 10.10.10.1 -p 636 -s novell-dhcp,novell-dns

User cn=OESCommonProxy_myserver,o=novell is created with a system-generated password and assigned the Common Proxy Policy password policy. The DNS and DHCP services are configured to be serviced by the Common Proxy user.

Changing Proxy Passwords Automatically

You can configure your server so that your proxy users are regularly assigned new system-generated passwords by doing the following:

  1. Open the file /etc/opt/novell/proxymgmt/proxy_users.conf in a text editor.

  2. List the FQDN of each proxy user on the server that you want to automatic password management set up for.

    For example you might insert the following entries:

    • cn=OESCommonProxyUser_myserver,o=novell
    • cn=myproxy,o=novell

    IMPORTANT:Users listed here must not be listed in the proxy_users.conf file on any other servers in the tree.

  3. Save the file.

  4. Enter the following commands:

    cd /opt/novell/proxymgmt/bin

    change_proxy_pwd.sh -A Yes

    By default, the crontab job will run every 30 days.