3.13 Configuring Open Enterprise Server

You can configure OES in two ways: Typical Configuration and Custom Configuration. The Typical Configuration is also called Express Install; it installs OES with minimal user intervention. The Custom Configuration is the detailed, usual method of configuring OES.

3.13.1 Typical Configuration

In the OES Configuration screen, if you have chosen to configure OES using Typical Configuration, you only need to provide the following minimum configuration details:

  • SLP Server and SLP Scopes: In these fields, specify the host name or the IP address of the server where the SLP agent is running and the SLP scopes. If you don't enter any SLP details, multicast SLP mode is chosen by default.

    NOTE: If you would like to use the current server as the DA server, click Back and choose the custom configuration instead of typical configuration.

  • NTP Time Server: Specify the IP address or the host name of the Network Time Protocol (NTP) server.

  • New or Existing Tree: If you would like to configure OES using an existing eDirectory tree, choose Existing Tree else New Tree.

  • eDirectory Tree Name: Provide the eDirectory tree name.

  • IP Address of an existing eDirectory Server with a replica: If you have chosen to configure OES using an existing tree, this field is enabled so that you can provide the IP address of an existing eDirectory server.

    IMPORTANT: Ensure that you verify the status of the eDirectory tree using the Validate button. If the validation is unsuccessful, do not proceed further with the OES configuration until the eDirectory server is up and running.

  • FDN of the tree administrator: Specify the fully distinguished name of the administrative user.

  • Admin Password and Verify Admin Password: In these two fields, specify the eDirectory administrative passwords.

  • Enter Server Context: Specify the location of the server context in the eDirectory tree.

  • Directory Information Base (DIB) Location: Specify the location of the eDirectory DIB.

After providing all these details, click Next. OES will be installed and configured without any user intervention.

3.13.2 Custom Configuration

This is the normal method of installing and configuring OES by providing every configuration detail that OES requires instead of using the default configuration details. Custom configuration is explained in detail in Section 3.13.3, Specifying eDirectory Configuration Settings, Section 3.13.4, Specifying LDAP Configuration Settings, Section 3.13.5, Configuring OES Services, and Section 3.13.6, Configuration Guidelines for OES Services.

3.13.3 Specifying eDirectory Configuration Settings

When you specify the eDirectory configuration settings, you can specify information to create a new tree and install the server in that new tree, or you can install the server into an existing tree by specifying the information for it. Use the following instructions as applicable:

Specifying SLP Configuration Options

  1. On the eDirectory Configuration - SLP page, specify the SLP options as desired.

    You have the following options for configuring SLP:

    • Use Multicast to Access SLP: This option allows the server to request SLP information by using multicast packets. Use this in environments that have not established SLP DAs (Directory Agents).

      IMPORTANT: If you select this option, you must disable the firewall for SLP to work correctly. Multicast creates a significant amount of network traffic and can reduce network throughput.

    • Configure SLP to use an existing Directory Agent: This option configures SLP to use an existing Directory Agent (DA) in your network. Use this in environments that have established SLP DAs. When you select this option, you configure the servers to use by adding or removing them from the SLP Directory Agent list.

    • Configure as Directory Agent: This option configures this server as a Directory Agent (DA). This is useful if you plan to have more than three servers in the tree and want to set up SLP during the installation.

      • DASyncReg: This option causes SLP, when it starts, to query the Directory Agents listed under Configured SLP Directory Agents for their current lists of registered services. It also causes the DA to share service registrations that it receives with the other DAs in the SLP Directory Agent list.

      • Backup SLP Registrations: This option causes SLP to back up the list of services that are registered with this Directory Agent on the local disk.

      • Backup Interval in Seconds: This specifies how often the list of registered services is backed up.

    • Service Location Protocols and Scope: This option configures the scopes that a user agent (UA) or service agent (SA) is allowed when making requests or when registering services, or specifies the scopes a directory agent (DA) must support. The default value is DEFAULT. Use commas to separate each scope. For example, net.slp.useScopes = myScope1,myScope2,myScope3.

    • Configured SLP Directory Agents: This option lets you manage the list of hostname or IP addresses of one or more external servers on which an SLP Directory Agent is running.

  2. Click Next and confirm your selection if necessary.

Specifying Synchronizing Server Time Options

eDirectory requires that all OES servers are time-synchronized.

  1. On the eDirectory Configuration - NTP page, click Add.

  2. In the Time Server text box, specify the IP address or DNS hostname of an NTP server, then click Add.

    For the first server in a tree, we recommend specifying a reliable external time source.

    When you install multiple servers into the same eDirectory tree, ensure that all servers point to the same time source and not to the server holding the master replica.

    For servers joining a tree, specify the same external NTP time source that the tree is using, or specify the IP address of a configured time source in the tree. A time source in the tree should be running time services for 15 minutes or more before connecting to it; otherwise, the time synchronization request for the installation fails.

  3. If you want to use the server’s hardware clock, select Use Local Clock.

    For servers joining a tree, the installation does not let you proceed if you select this option. You must specify the same external NTP time source that the tree is using, or specify the IP address of a configured time source in the tree that has been running time services for 15 minutes or more.

For more information on time synchronization, see Implementing Time Synchronization in the OES 2018 SP3: Planning and Implementation Guide.

Creating a New eDirectory Tree and Installing the Server in It

  1. On the eDirectory Configuration - New or Existing Tree page, select New Tree.

  2. In the eDirectory Tree Name field, specify a name for the eDirectory tree that you want to create.

    On OES servers, services that provide HTTPS connectivity are configured to use one of the following certificates:

    • An eDirectory certificate issued by the Novell International Cryptographic Infrastructure (NICI)

    • A third-party server certificate

    By default, the Use eDirectory Certificates for HTTPS Services check box is selected. This means that the server certificate and key files will be created.

    The eDirectory server certificate and key files are:

    • Key file: /etc/ssl/servercerts/serverkey.pem

    • Certificate file: /etc/ssl/servercerts/servercert.pem

    For more information, see Certificate Management in the OES 2018 SP3: Planning and Implementation Guide.

  3. On the eDirectory Configuration - New Tree Information page, specify the required information:

    • The fully distinguished name and context for the user Admin

    • The password for user Admin

  4. Click Next.

  5. On the eDirectory Configuration - Local Server Configuration page, specify the following information:

    • The context for the server object in the eDirectory tree

    • A location for the eDirectory database

      The default path is /var/opt/novell/eDirectory/data/dib, but you can use this option to change the location if you expect to have a large number of objects in your tree and if the current file system does not have sufficient space.

    • The ports to use for servicing LDAP requests

      The default ports are 389 (non-secure) and 636 (secure).

      IMPORTANT: The scripts that manage the common proxy user require port 636 for secure LDAP communications.

    • The ports to use for providing access to the iMonitor application

      The default ports are 8028 (non-secure) and 8030 (secure).

  6. Click Next.

Installing the Server into an Existing eDirectory Tree

  1. On the eDirectory Configuration - New or Existing Tree page, select Existing Tree.

  2. In the eDirectory Tree Name field, specify a name for the eDirectory tree you want to join.

    On OES servers, services that provide HTTPS connectivity are configured to use either of the following:

    • An eDirectory certificate issued by the Novell International Cryptographic Infrastructure (NICI)

    By default, the Use eDirectory Certificates for HTTPS Services check box is selected. This means that the existing YaST server certificate and key files will be replaced with eDirectory server certificate and key files.

    The eDirectory server certificate and key files are:

    • Key file: /etc/ssl/servercerts/eDirkey.pem

    • Certificate file: /etc/ssl/servercerts/eDircert.pem

    For more information on certificate management, see Certificate Management in the OES 2018 SP3: Planning and Implementation Guide.

    • By default, Enable NMAS-based login for LDAP authentication is selected to enforce the use of a single-secure password for all Micro Focus and partner products. The Secure Password Manager of the NMAS module manages this universal password implementation.

  3. On the eDirectory Configuration - Existing Tree Information page, specify the required information:

    • The IP address or the host name of an existing eDirectory server with a replica.

      IMPORTANT: Ensure that you verify the status of the eDirectory tree using the Validate button. If the validation is unsuccessful, do not proceed further with the OES configuration until the eDirectory server is up and running.

    • The NCP port on the existing server

    • The LDAP and secure LDAP port on the existing server

    • The fully distinguished name and context for the user Admin on the existing server

    • The password for user Admin on the existing server

  4. Click Next.

  5. On the eDirectory Configuration - Local Server Configuration page, specify the following information:

    • The context for the server object in the eDirectory tree

    • A location for the eDirectory database

      The default path is /var/opt/novell/eDirectory/data/dib, but you can use this option to change the location if you expect to have a large number of objects in your tree and if the current file system does not have sufficient space.

    • The ports to use for servicing LDAP requests

      The default ports are 389 (non-secure) and 636 (secure).

      IMPORTANT: The scripts that manage the common proxy user require port 636 for secure LDAP communications.

    • The ports to use for providing access to the iMonitor application

      The default ports are 8028 (non-secure) and 8030 (secure).

  6. Click Next.

Selecting the NetIQ Modular Authentication Services (NMAS) Login Method

  1. On the NetIQ Modular Authentication Services page, select all of the login methods you want to install.

    IMPORTANT: The NMAS client software must be installed on each client workstation where you want to use the NMAS login methods. The NMAS client software is included with the Client for Open Enterprise Server software.

    The following methods are available:

    • CertMutual: The Certificate Mutual login method implements the Simple Authentication and Security Layer (SASL) EXTERNAL mechanism, which uses SSL certificates to provide client authentication to eDirectory through LDAP.

    • Challenge Response: The Challenge Response login method works with the Identity Manager password self-service process. This method allows either an administrator or a user to define a password challenge question and a response, which are saved in the password policy. Then, when users forget their passwords, they can reset their own passwords by providing the correct response to the challenge question.

    • DIGEST-MD5: The Digest-MD5 login method implements the Simple Authentication and Security Layer (SASL) DIGEST-MD5 mechanism as a means of authenticating the user to eDirectory through LDAP.

    • NDS: The NDS login method provides secure password challenge-response user authentication to eDirectory. This method is installed by default and supports the traditional NDS password when the NMAS client is in use. Reinstallation is necessary only if the NDS login method object has been removed from the directory.

    • Simple Password: The Simple Password NMAS login method provides password authentication to eDirectory. The Simple Password is a more flexible but less secure alternative to the NDS password. Simple Passwords are stored in a secret store on the user object.

    • SASL GSSAPI: The SASL GSSAPI login method implements the Generic Security Services Application Program Interface (GSSAPI) authentication. It uses the Simple Authentication and Security Layer (SASL), which enables users to authenticate to eDirectory through LDAP by using a Kerberos ticket.

    For more information about installing and configuring eDirectory, see Installing or Upgrading NetIQ eDirectory on Linux in the NetIQ eDirectory Installation Guide.

    For more information on these login methods, see the online help and Managing Login and Post-Login Methods and Sequences in the Novell Modular Authentication Services 3.3.4 Administration Guide.

  2. Click Next.

Specifying OES Common Proxy User Information

For an OES service to run successfully, you need to use a separate proxy account to configure and manage each service. However, using multiple proxy user accounts means more overhead for the administrator. To avoid this overhead, the common proxy user has been introduced. Each node in a tree can have a common proxy user for all of its services. This enables administrators to configure and manage multiple services with just one proxy user.

NOTE: Two nodes in a tree cannot have the same common proxy user.

For information about this option, see Common Proxy User in the OES 2018 SP3: Planning and Implementation Guide.

  1. On the OES Common Proxy User Information page, specify the configuration settings for this user.

    • Use Common Proxy User as Default for OES Products: Selecting this option configures the common proxy user for the following services: CIFS, DNS, DHCP, NetStorage, and NCS. Optionally, you can specify that LUM uses it.

    • OES Common Proxy User Name: For a host, the common proxy user's name is OESCommonProxy_hostname. You cannot specify any other name than what is given by the system. This restriction prevents possible use of the same common proxy user name across two or more nodes in a tree. For more information, see Can I Change the Common Proxy User Name and Context? in the OES 2018 SP3: Planning and Implementation Guide.

    • OES Common Proxy User Context: Provide the FDN of the container where the common proxy user needs to be created. By default, this field is populated with the NCP server context, for example ou=acap,o=novell, where ou is the organizational unit, acap is the organizational unit name, o is the organization, and novell is the organization name. For an existing tree, click Browse and select the container where the Common Proxy User must be created.

    • OES Common Proxy User Password: You can accept the default system-generated password or specify a new password for the common proxy user.

      NOTE: If you choose to provide your own password, it should conform to the policy that is in effect for the common proxy user. If the password contains single (') or double (") quotes, OES Configuration will fail. These characters have to be escaped by prefixing \. For example, to add a single quote, escape it as nove\'ll. The system-generated password will always be in conformance with the policy rules.

    • Verify OES Common Proxy User Password: If you specified a different password, type the same password in this field. Otherwise, the system-generated password is automatically included.

    • Assign Common Proxy Password Policy to Proxy User: The initial common proxy password policy is a simple password policy created with default rules. If desired, you can modify this policy after the installation to enforce stricter rules regarding password length, characters supported, expiration intervals, and so forth.

    IMPORTANT: We recommend against deselecting the Assign Common Proxy Password Policy to Proxy User option. If deselected, the common proxy user inherits the password policies of the container, which could lead to service failures.

  2. Click Next.

3.13.4 Specifying LDAP Configuration Settings

Many of the OES services require eDirectory. If eDirectory was not selected as a product to install on this server but other OES services that do require LDAP services were installed, the LDAP Configuration service displays, so that you can complete the required information.

To specify the required information on the Configured LDAP Server page:

  1. In the eDirectory Tree Name field, specify the name for the existing eDirectory tree that you are installing this server into.

  2. In the Admin Name and Context field, specify the name and context for user Admin in the existing tree.

  3. In the Admin Password Name field, specify a password for the Admin user in the existing tree.

  4. Add the LDAP servers that you want the services on this server to use. The servers that you add should hold the master or a read/write replica of eDirectory. Do the following for each server you want to add:

    1. Click Add.

    2. On the next page, specify the following information for the server to add, then click Add.

      • IP address

      • LDAP port and secure LDAP port

  5. When all of the LDAP servers that you want to specify are listed, click Next.

  6. Verify that the Micro Focus Open Enterprise Server Configuration page displays the settings that you expected, then click Next.
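The eDirectory and LDAP configuration pages above state a number of constraints that YaST enforces only one page at a time: the admin name must be typeful and comma-delimited with no backslash-period in its CN, a server joining a tree cannot use its local clock, the common proxy scripts need secure LDAP on port 636, each LDAP server listed must hold a master or read/write replica, the common proxy user name is fixed as OESCommonProxy_hostname and must be unique across nodes, an unescaped quote in the proxy password breaks configuration, and the proxy password policy should stay assigned. The following Python pre-flight linter is an added example (not OES or YaST code) that checks a proposal against all of those rules at once; the ConfigProposal and LdapServer structures, the replica labels, and the sample addresses are this example's own assumptions.

```python
"""Pre-flight checks for an OES eDirectory, LDAP and common proxy proposal.

Added example, not OES or YaST code. It encodes the constraints stated in the
eDirectory and LDAP configuration sections so a proposal can be linted before
you click Next. The ConfigProposal/LdapServer structures and the replica
labels are assumptions for this example, not YaST internals.
"""
import re
from dataclasses import dataclass, field

TYPEFUL_RDN = re.compile(r"^(cn|ou|o|st|c|dc)=", re.IGNORECASE)


@dataclass
class LdapServer:
    address: str
    ldap_port: int = 389
    secure_port: int = 636
    replica: str = "rw"  # assumed labels: "master", "rw", "ro", "none"


@dataclass
class ConfigProposal:
    join_existing_tree: bool
    use_local_clock: bool
    admin_fdn: str
    hostname: str = "oes1"
    ldap_port: int = 389
    secure_ldap_port: int = 636
    imonitor_ports: tuple = (8028, 8030)
    ldap_servers: list = field(default_factory=list)
    proxy_password: str = ""  # empty: accept the system-generated password
    assign_proxy_policy: bool = True
    other_node_proxy_users: list = field(default_factory=list)


def expected_proxy_user(hostname: str) -> str:
    """The common proxy user name is fixed by the system: OESCommonProxy_<hostname>."""
    return f"OESCommonProxy_{hostname}"


def has_unescaped_quote(password: str) -> bool:
    """True if a ' or " is not preceded by a backslash (OES configuration would fail)."""
    return re.search(r"""(?<!\\)['"]""", password) is not None


def validate(p: ConfigProposal) -> list:
    """Return a list of problems; an empty list means the proposal passes."""
    issues = []
    # Admin name: typeful, comma-delimited LDAP syntax; no "\." in the CN portion.
    if not TYPEFUL_RDN.match(p.admin_fdn) or "," not in p.admin_fdn:
        issues.append("admin FDN must use typeful, comma-delimited LDAP syntax")
    if "\\." in p.admin_fdn.split(",", 1)[0]:
        issues.append("backslash-period (\\.) is not allowed in the admin CN")
    # Time: a server joining a tree may not use its local hardware clock.
    if p.join_existing_tree and p.use_local_clock:
        issues.append("a server joining a tree must use the tree's NTP source, not the local clock")
    # Ports: common proxy scripts need secure LDAP on 636; no two services on one port.
    if p.secure_ldap_port != 636:
        issues.append("secure LDAP port must be 636 for the common proxy scripts")
    ports = [p.ldap_port, p.secure_ldap_port, *p.imonitor_ports]
    if len(set(ports)) != len(ports):
        issues.append("LDAP and iMonitor ports must be distinct")
    # LDAP servers used to configure services must hold a master or read/write replica.
    for s in p.ldap_servers:
        if s.replica not in ("master", "rw"):
            issues.append(f"LDAP server {s.address} holds no master or read/write replica")
    # Common proxy user: name fixed per host and unique across nodes in the tree.
    name = expected_proxy_user(p.hostname)
    if name in p.other_node_proxy_users:
        issues.append(f"common proxy user {name} already exists on another node")
    if p.proxy_password and has_unescaped_quote(p.proxy_password):
        issues.append("proxy password contains an unescaped quote; escape it with \\")
    if not p.assign_proxy_policy:
        issues.append("common proxy password policy not assigned; container policy would apply")
    return issues


if __name__ == "__main__":
    # Constructed sample proposal for a server joining an existing tree.
    proposal = ConfigProposal(
        join_existing_tree=True,
        use_local_clock=True,
        admin_fdn="cn=admin,ou=example_organization,o=example_company",
        hostname="oes2",
        ldap_servers=[LdapServer("192.0.2.10", replica="master"),
                      LdapServer("192.0.2.11", replica="ro")],
        proxy_password="nove'll",
        other_node_proxy_users=["OESCommonProxy_oes1"],
    )
    for issue in validate(proposal):
        print("-", issue)
```

Run with no arguments to lint the constructed sample; an empty list from validate() means every rule on the pages above is satisfied. The quote check deliberately accepts the escaped form nove\'ll that the proxy password note describes.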

3.13.5 Configuring OES Services

After you complete the LDAP configuration or the eDirectory configuration, the Micro Focus Open Enterprise Server Configuration summary page is displayed, showing all of the OES components that you installed and their configuration settings.

  1. Review the setting for each component. Click the component heading to change any settings.

    For help with specifying the configuration information for OES services, see the information in Configuration Guidelines for OES Services.

  2. When you are finished reviewing the settings for each component, click Next.

  3. When you confirm the OES component configurations, you might receive the following error:

    The proposal contains an error that must be resolved before continuing.

    If this error is displayed, check the summary list of configured products for any messages immediately below each product heading. These messages indicate products or services that need to be configured. If you are running the YaST graphical interface, the messages are red text. If you are using the YaST text-based interface, they are not red.

    For example, if you selected Linux User Management in connection with other OES products or services, you might see a message similar to the following:

    Linux User Management needs to be configured before you can continue or disable the configuration.

    If you see a message like this, do the following:

    1. On the summary page, click the heading for the component.

    2. Supply the missing information in each configuration page.

      When you specify the configuration information for OES services, see the information in Configuration Guidelines for OES Services.

      When you have finished the configuration of a component, you are returned to the Micro Focus Open Enterprise Server Configuration summary page.

    3. If you want to skip the configuration of a specific component and configure it later, click Enabled in the Configure is enabled status to change the status to Reconfigure is disabled.

      If you change the status to Reconfigure is disabled, you need to configure the OES components after the installation is complete. See Installing or Configuring OES Services on an Existing OES 2018 SP3 Server.

  4. After resolving all product configuration issues, click Next to proceed with the configuration of all components.

  5. When the configuration is complete, continue with Section 3.15, Finishing the Installation.

3.13.6 Configuration Guidelines for OES Services

Service Configuration Caveats

Keep the following items in mind as you configure OES:

Table 3-3 Caveats for Configuring OES Services

Issue

Guideline

Software Selections When Using Text-Based YaST

Some older machines, such as a Dell 1300, use the text mode install by default when the video card does not meet SLES specifications. When you go to the Software Selection, and then to the details of the OES software selections, YaST doesn’t bring up the OES selections like it does when you use the graphical YaST (YaST2).

To view the Software Selection and System Task screen, select Filter > Pattern (or press Alt+F > Alt+I).

Specifying a State identifier for a Locality Class object

If you want to specify a state identifier, such as California, Utah, or Karnataka, as a Locality Class object in your eDirectory tree hierarchy, ensure that you use the correct abbreviation in your LDAP (comma-delimited) or NDAP (period-delimited) syntax.

When using LDAP syntax, use st to specify a state. For example:

ou=example_organization,o=example_company,st=utah,c=us

When using NDAP syntax, use s to specify a state. For example:

ou=example_organization.o=example_company.s=utah.c=us

Specifying Typeful Admin Names

When you install OES, you must specify a fully distinguished admin name by using the typeful, LDAP syntax that includes object type abbreviations (cn=, ou=, o=, etc.). For example, you might specify the following:

cn=admin,ou=example_organization,o=example_company

Using Dot-Delimited or Comma-Delimited Input for All Products

For all parameters requiring full contexts, you can separate the names by using comma-delimited syntax. Ensure that you are consistent in your usage within the field.

The OES installation routine displays all input in the comma-delimited (LDAP) format. However, it converts the name separators to dots when this is required by individual product components.

IMPORTANT: After the OES components are installed, be sure to follow the conventions specified in the documentation for each product. Some contexts must be specified using periods (.) and others using commas (,). However, eDirectory supports names like cn=juan\.garcia.ou=users.o=novell. The period (.) inside a name component must be escaped.

When using NDAP format (dot), you must escape all embedded dots. For example: cn=admin.o=novell\.provo

When using LDAP format (commas), you must escape all embedded commas. For example: cn=admin,o=novell\,provo

The installation disallows a backslash and period (\.) in the CN portion of the admin name.

For example, these names are supported:

cn=admin.o=novell
cn=admin.o=novell\.provo
cn=admin.ou=deployment\.linux.o=novell\.provo

These names are not supported:

cn=admin\.first.o=novell
cn=admin\.root.o=novell

Before LUM-enabling users whose cn contains a period (.), you must remove the backslash (\) from the unique_id field of the User object container.

For example, cn=juan.garcia has a unique_id attribute = juan\.garcia. Before such a user can be LUM-enabled, the backslash (\) must be removed from the unique_id attribute.
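The three caveats above (state abbreviations, typeful admin names, and dot- versus comma-delimited input) all come down to one conversion with escaping rules. The following Python module is an added example, not OES code, that implements those rules as the page states them: st in LDAP syntax becomes s in NDAP syntax, embedded dots are escaped as \. in NDAP form and embedded commas as \, in LDAP form, a CN that would need \. in NDAP form is rejected for the admin name, and the LUM unique_id helper removes the backslash. All function names are this example's own, and the check in admin_name_supported is applied to the NDAP form of a name whichever syntax it is given in (a generalisation of the NDAP-only examples above).

```python
"""Convert eDirectory names between LDAP (comma) and NDAP (dot) syntax.

Added example, not OES code. It applies the rules given in the caveats
table: a state is "st" in LDAP syntax and "s" in NDAP syntax, embedded dots
are escaped as "\\." in NDAP form and embedded commas as "\\," in LDAP form,
a "\\." is not accepted in the CN portion of the admin name, and LUM needs
the backslash removed from unique_id. Function names are this example's own.
"""

ATTR_LDAP_TO_NDAP = {"st": "s"}
ATTR_NDAP_TO_LDAP = {"s": "st"}


def _split_unescaped(name: str, sep: str) -> list:
    """Split on sep, keeping backslash-escaped separators inside the component."""
    parts, buf, i = [], [], 0
    while i < len(name):
        ch = name[i]
        if ch == "\\" and i + 1 < len(name):  # keep the escape pair as-is
            buf.append(name[i:i + 2])
            i += 2
            continue
        if ch == sep:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    return parts


def parse(name: str, syntax: str) -> list:
    """Return [(attribute, unescaped value), ...] for a typeful name."""
    sep = "," if syntax == "ldap" else "."
    rdns = []
    for rdn in _split_unescaped(name, sep):
        attr, eq, value = rdn.partition("=")
        if not eq or not attr:
            raise ValueError(f"not a typeful name component: {rdn!r}")
        rdns.append((attr.strip().lower(), value.replace("\\" + sep, sep)))
    return rdns


def format_name(rdns: list, syntax: str) -> str:
    """Join components in the target syntax, escaping embedded separators."""
    sep = "," if syntax == "ldap" else "."
    table = ATTR_NDAP_TO_LDAP if syntax == "ldap" else ATTR_LDAP_TO_NDAP
    out = []
    for attr, value in rdns:
        out.append(table.get(attr, attr) + "=" + value.replace(sep, "\\" + sep))
    return sep.join(out)


def ldap_to_ndap(name: str) -> str:
    return format_name(parse(name, "ldap"), "ndap")


def ndap_to_ldap(name: str) -> str:
    return format_name(parse(name, "ndap"), "ldap")


def admin_name_supported(name: str, syntax: str) -> bool:
    """False if the CN would need a "\\." in NDAP form, which the installer rejects."""
    return not any(attr == "cn" and "." in value for attr, value in parse(name, syntax))


def lum_unique_id(stored_unique_id: str) -> str:
    """unique_id as stored ("juan\\.garcia") -> the value LUM needs ("juan.garcia")."""
    return stored_unique_id.replace("\\.", ".")


if __name__ == "__main__":
    # Constructed samples taken from the names shown in the caveats table.
    for ldap_name in ("ou=example_organization,o=example_company,st=utah,c=us",
                      "cn=admin,ou=deployment.linux,o=novell.provo"):
        print(ldap_name, "->", ldap_to_ndap(ldap_name))
    for ndap_name in ("cn=admin.o=novell\\.provo", "cn=admin\\.first.o=novell"):
        print(ndap_name, "->", ndap_to_ldap(ndap_name),
              "admin OK" if admin_name_supported(ndap_name, "ndap") else "admin rejected")
    print(lum_unique_id("juan\\.garcia"))
```

The splitter keeps every backslash pair intact and only unescapes the separator of the syntax being parsed, so a name round-trips through both forms without losing escapes.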

LDAP Configuration for Open Enterprise Services

Table 3-4 LDAP Configuration for Open Enterprise Services Values

Page and Parameters

Configured LDAP Servers

  • eDirectory Tree Name: The eDirectory tree name that you specified when configuring eDirectory. The tree that you are installing this server into.

  • Admin Name and Context: The eDirectory Admin name you specified when configuring eDirectory.

  • Admin Password: The password of the eDirectory Admin user.

  • Configured LDAP Servers: You can specify a list of servers that can be used to configure other OES services on this server.

    Each added server must have either the master or a read/write replica of the eDirectory tree. The first server added to the list becomes the default server for the installed and configured OES services to use.

    For each server you must specify an IP Address, LDAP Port, Secure LDAP Port, and Server Type.

    For information about specifying multiple LDAP servers for Linux User Management (LUM), see Configuring a Failover Mechanism in the OES 2018 SP3: Linux User Management Administration Guide.

    Default: The eDirectory server you specified when configuring eDirectory.

OES AFP Services

Table 3-5 OES Apple Filing Protocol Parameters and Values

Page and Parameters

AFP Configuration - Mac Client Access to NSS Volumes

  • Directory Server Address: The IP address of the eDirectory server.

  • Proxy user name with context: Specify the FQDN of the eDirectory containers that contain AFP users, for example ou=afp_users.o=novell. In an existing tree, you can select the context using Browse.

For additional configuration instructions, see Installing and Setting Up AFP in the OES 2018 SP3: OES AFP for Linux Administration Guide.

OES Backup/Storage Management Services (SMS)

Table 3-6 OES Backup/Storage Management Services Parameters and Values

Page and Parameters

SMS Configuration

  • Directory Server Address: If you do not want to use the default shown, select a different LDAP server in the list.

    If you are installing into an existing tree, ensure that the server you select has a master replica or read/write replica of eDirectory. If you need to add another LDAP server to the list, add it by using the LDAP Configuration for Open Enterprise Services dialog box.

    Default: The first server selected in the LDAP Configuration list of servers.

For additional configuration instructions, see Installing and Configuring SMS in the Installing and Configuring SMS guide.

OES Business Continuity Cluster (BCC)

For BCC configuration instructions, see Configuring BCC for Peer Clusters, Configuring BCC for Cluster Resources in the BCC Administration Guide for OES 2018 SP2.

OES CIFS for Linux

Table 3-7 OES CIFS Parameters and Values

Page and Parameters

OES CIFS Service Configuration

  • eDirectory server address or host name: Leave the default or select from the drop-down list to change to a different server.

  • LDAP port for CIFS Server: Displays the port value.

  • Local NCP Server context: Displays the NCP Server context.

  • CIFS Proxy User

    • Use existing user as CIFS Proxy User: Select this option to use an existing proxy user for the CIFS service.

      If you specified the server’s common proxy user, this option is selected.

    • Create a new CIFS Proxy User: Select this option to create a new proxy user for the CIFS service.

    • CIFS Proxy User Name: Specify the FQDN (fully qualified distinguished name) of the CIFS proxy user.

      For example: cn=user, o=novell

      NOTE: This user is granted rights to read the passwords of any users, including non-CIFS users, that are governed by any of the password policies you select in the Novell CIFS Service Configuration page.

    • CIFS Proxy User Password: Specify a password for the CIFS proxy user to use when authenticating to the CIFS server, and verify the password if you are specifying an existing proxy user.

      For more information on proxy user and password management, see Planning Your Proxy Users in the OES 2018 SP3: Planning and Implementation Guide.

  • Credential Storage Location: Accept OCS or specify the Local File option.

    The CIFS proxy user password is encrypted and encoded in the credential storage location.

    Default: OCS

Novell CIFS Service Configuration (2)

  • eDirectory Contexts: Provide a list of contexts that are searched when the CIFS User enters a user name. The server searches each context in the list until it finds the correct user object.

For additional configuration instructions, see Installing and Setting Up CIFS in the OES 2018 SP3: OES CIFS for Linux Administration Guide and the OES 2018 SP3: OES AFP for Linux Administration Guide.

Cloud Integrated Storage (CIS)

Table 3-8 Cloud Integrated Storage Services Parameters and Values

Page and Parameters

Cloud Integrated Storage Configuration

  • ZooKeeper URI: Specify ZooKeeper URI in the format IP:port or Hostname:Port.

    Default: Port 2181

Cloud Integrated Storage Configuration (2)

  • Directory Server URI: Specify LDAP URI of an eDirectory server that communicates with the CIS server in the format IP:port or Hostname:Port.

    Default: Port 636

  • CIS admin name with context: Specify the LDAP distinguished name (DN) of the user who can administer the CIS server.

  • Admin Password: Specify the password for the CIS administrator.

  • Server Certificate file path: Specify the server certificate file path issued by the eDirectory CA.

    Default: /etc/ssl/servercerts/servercert.pem

  • Server Key file path: Specify the server key file path associated with the server certificate.

    Default: /etc/ssl/servercerts/serverkey.pem

  • CA Certificate file path: Specify the path of the eDirectory CA certificate file, in .pem format.

    Default: /etc/opt/novell/certs/SSCert.pem

  • Server Context: Specify the LDAP distinguished name (DN) of the container object under which the NCP server objects of the OES server reside that can connect to the CIS server.

  • Gateway Server Address: Specify the local host IP address where CIS server is configured.

  • Cluster Enable: Allows the CIS server to be part of a cluster resource.

    Default: disabled

Cloud Integrated Storage Configuration (3)

  • Database URI: Specify the MariaDB URI in the format IP:port or Hostname:Port.

    Default: Port 3306

  • Database User Name and Database Password: Specify the MariaDB user name and password.

  • Elasticsearch URI: Specify the Elasticsearch URI in the format IP:port or Hostname:Port.

    Default: Port 9400

  • Use Secure Mode: Enables or disables secure communication.

    Default: enabled

  • Server Key file path: Specify the server key file path associated with the server certificate.

    Default: /etc/ssl/servercerts/serverkey.pem

  • Kafka URI: Specify the Kafka URI in the format IP:port or Hostname:Port.

    Default: Port 9092

For additional configuration instructions, see Installing and Setting Up Cloud Integrated Storage in the OES 2018 SP3: CIS Administration Guide.

OES Cluster Services

Table 3-9 OES Cluster Services Parameters and Values

Page and Parameters

Before you configure a node for an OES Cluster Services cluster, ensure that you have satisfied the prerequisites and have the necessary Administration rights described in Planning for OES Cluster Services in the OES 2018 SP3: OES Cluster Services for Linux Administration Guide.

OES Cluster Services (NCS) Configuration

  • New or Existing Cluster: Specify whether the server is part of a new cluster or is joining an existing cluster.

    Default: Existing Cluster

  • Cluster FDN: Browse to select an existing eDirectory context where the Cluster objects will be created. The fully distinguished name (FDN) of the cluster is automatically added to the field with a suggested cluster name. You can specify a different cluster name.

    You can also specify the typeful FDN for the cluster. Use the comma format illustrated in the example. Do not use dots. You must specify an existing context. Specifying a new context does not create a new context.

    Cluster names must be unique. You cannot create two clusters with the same name in the same eDirectory tree. Cluster names are case-sensitive on Linux.

  • Cluster IP Address: If you are creating a new cluster, specify a unique IP address for the cluster.

    The cluster IP address is separate from the server IP address and is required to be on the same IP subnet as the other servers in the cluster.

  • Storage Device With Shared Media: If you are creating a new cluster, select the device where the Split Brain Detector (SBD) partition will be created.

    An SBD is required if you plan to use shared disks in the cluster. The drop-down menu shows only devices that have been initialized and shared. If a device is not available, accept the default (none). You must create the SBD manually before adding a second server to the cluster.

    Default: none

  • Optional Device for Mirrored Partitions: If you want to mirror the SBD partition for greater fault tolerance, select the device where you want the mirror to be. You can also mirror SBD partitions after installing OES Cluster Services.

    Default: none

  • Desired Partition Size of the Shared Media: Specify the size in MB (megabytes) of the SBD partition, or select Use Maximum Size to use the entire shared device. We recommend at least 20 MB for the SBD partition. If you specified a device to mirror the partition, the setting is also applied to the mirror.

    Default: 8

OES Cluster Services (NCS) Proxy User Configuration (2)

Specify one of the following users as the NCS Proxy user.

  • OES Common Proxy User: If the OES common proxy User is enabled in eDirectory, the Use OES Common Proxy User check box is automatically selected and the NCS Proxy User Name and Specify NCS Proxy User Password fields are populated with the credentials of the OES common proxy User.

  • LDAP Admin User: If the OES common proxy User is disabled in eDirectory, the Use OES Common Proxy User check box is automatically deselected and the NCS Proxy User Name and Specify NCS Proxy User Password fields are populated with the credentials of the LDAP Admin user. The fields are also automatically populated with the LDAP Admin credentials if you deselect the Use OES Common Proxy User check box.

  • Another Administrator User: Deselect the Use OES Common Proxy User check box, then specify the credentials of an administrator user.

OES Cluster Services (NCS) Configuration (3)

  • Name of This Node: This is the hostname of the server.

  • IP Address of this Node: This field contains the IP address of this node. If this server has multiple IP addresses, you can change the default address to another value if desired.

  • Start Cluster Services Now: Select this box if you want clustering to start now. If you want clustering to start after rebooting, or if you want to manually start it later, deselect this box.

    This option applies only to installing Novell Cluster Services after the OES installation because it starts automatically when the server initializes during the installation.

    If you choose not to start Novell Cluster Services software, you need to either manually start it after the installation, or reboot the cluster server to automatically start it. You can manually start Novell Cluster Services by entering systemctl start novell-ncs.service at the server console of the cluster server.

    Default: Selected

For additional instructions, see the OES 2018 SP3: OES Cluster Services for Linux Administration Guide.

OES DHCP Services

Table 3-10 OES DHCP Services Parameters and Values

Page and Parameters

Novell DHCP Services Configuration

  • DHCP Server Context: Specify a context for the DHCP Server object.

    Default: o=example

  • DHCP Server Object Name: Specify the name of the Server object that these DHCP services will be running on.

    This is the DHCP server object that contains a list of DHCP Services (configuration) served by the DHCP Server.

    Default: DHCP_example_server

  • Common DHCP Configuration Object Contexts

    • Locator Object: Specify the context for the DHCP Locator object.

      The DHCP Locator object has references to dhcpServer and dhcpService objects.

    • Group Context: Specify the context for the DHCP Group object.

      This object is used to grant the necessary rights to the eDirectory user used by the DHCP server to access the DHCP objects.

    Default: o=example

  • Log File Location: Specify the path and file name for the DHCP server to dump the configurations it reads from eDirectory. Specify the path manually or click Browse to locate the log.

    Default: Usually /var/log/dhcp-ldap-startup.log

  • LDAP Method

    • Static: Select this option if you do not want the DHCP server to query the LDAP server for host details.

    • Dynamic: Select this option if you want the DHCP server to query for host details from the LDAP server for every request.

      Selecting the dynamic LDAP method ensures that the responses you receive to queries are accurate, but the server takes a longer time to respond.

    Default: Static

  • Referrals

    A referral is a message that the LDAP server sends to the LDAP client informing it that the server cannot provide complete results and that more data might be on another LDAP server.

    • Chase Referral: Select this option if you want the DHCP server to follow referrals.

    • Do Not Chase Referral: Select this option to ignore LDAP referrals.

    Default: Chase referral

OES DHCP LDAP and Secure Channel Configuration

  • eDirectory Server Address or Host Name: The IP address shown is the default LDAP server for this service. If you do not want to use the default, select a different LDAP server in the list.

    If you are installing into an existing tree, ensure that the server you select has a master replica or read/write replica of eDirectory. If you need to add another LDAP server to the list, add it by using the LDAP Configuration for Open Enterprise Services dialog box.

    Default: The first server is selected in the LDAP Configuration list of servers.

  • Use Secure Channel for Configuration: This option is selected by default. When you are configuring DHCP services, it ensures that all configuration is transferred over a secure channel.

    Deselecting the option lets a user with fewer privileges configure LDAP services and allows configuration information to be transferred over a non-secure channel.

    Default: Selected

  • LDAP User Name with Context: Specify a distinguished name and context for an LDAP user. For example: cn=joe, o=novell. This user should be an eDirectory user that can access the DHCP server.

    During eDirectory configuration, if you have selected the Use Common Proxy User as default for OES Products check box, then the proxy user and password fields are populated with common proxy user name and password.

    Default: cn=OESCommonProxy_host name, o=novell

  • LDAP User Password: Type a password for the LDAP user.

  • LDAP Port for DHCP Server: Select a port for the LDAP operations to use.

    IMPORTANT:The scripts that manage the common proxy user require port 636 for secure LDAP communications.

    Default: 636

  • Use Secure channel for DHCP Server: Selecting this option ensures that the data transferred between the DHCP server and the LDAP server is secure and private.

    If you deselect this option, the data transferred is in clear text format.

    Default: Selected

  • Certificates (optional)

    • Request Certificate: Specifies what checks to perform on a server certificate in an SSL/TLS session. Select one of the following options:

      • Never: The server does not ask the client for a certificate. This is the default.

      • Allow: The server requests a client certificate, but if a certificate is not provided or a wrong certificate is provided, the session still proceeds normally.

      • Try: The server requests the certificate. If none is provided, the session proceeds normally. If a certificate is provided and it cannot be verified, the session is immediately terminated.

      • Hard: The server requests a certificate. A valid certificate must be provided, or the session is immediately terminated.

    • Paths to Certificate Files: Specify or browse the path for the certificate files.

      • The LDAP CA file contains CA certificates.

      • The LDAP client certificate contains the client certificate.

      • The LDAP client key file contains the key file for the client certificate.
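The secure-channel, port and certificate settings described above can be checked after the fact in the DHCP server's own configuration. The shell script below is an added example and is not part of this guide or of the OES DHCP server: it assumes the dhcpd.conf-style directives `ldap-ssl`, `ldap-port`, `ldap-tls-reqcert` and `ldap-tls-ca-file` used by ISC dhcpd's LDAP support, assumes that the dialog's Never/Allow/Try/Hard policy names map onto the same words in `ldap-tls-reqcert` (where Hard is also spelled `demand`), and audits two constructed fragments: one with the weak choices (clear text, port 389, policy Never) and one hardened as the defaults above recommend.

```shell
#!/bin/sh
# Added example (not from the OES guide or the OES DHCP server): audit an
# ISC-dhcpd-style LDAP fragment for the weak choices the dialog above allows:
# a clear-text LDAP channel, a port other than 636, and a certificate policy
# weaker than Hard/demand. The directive names are assumed from ISC dhcpd's
# LDAP support; both sample fragments are constructed.

# get_directive FILE NAME: print the first value of NAME in FILE without
# quotes or the trailing semicolon; prints nothing if NAME is absent.
get_directive() {
    awk -v k="$2" '$1 == k { v = $2; gsub(/[";]/, "", v); print v; exit }' "$1"
}

# audit_dhcp_ldap FILE: print one line per weak setting; the exit status is
# the number of findings (0 means nothing weak was found).
audit_dhcp_ldap() {
    f="$1"; findings=0
    ssl=$(get_directive "$f" ldap-ssl)
    port=$(get_directive "$f" ldap-port)
    reqcert=$(get_directive "$f" ldap-tls-reqcert)
    cafile=$(get_directive "$f" ldap-tls-ca-file)

    case "$ssl" in
        ldaps|start_tls) ;;
        *) echo "ldap-ssl=${ssl:-unset}: proxy credentials and DHCP data cross the wire in clear text"
           findings=$((findings + 1)) ;;
    esac
    if [ "$port" != 636 ]; then
        echo "ldap-port=${port:-unset}: the common proxy user scripts require 636"
        findings=$((findings + 1))
    fi
    case "$reqcert" in
        demand|hard) ;;
        *) echo "ldap-tls-reqcert=${reqcert:-unset}: the eDirectory server certificate is not strictly verified"
           findings=$((findings + 1)) ;;
    esac
    case "$ssl" in
        ldaps|start_tls)
            if [ -z "$cafile" ]; then
                echo "ldap-tls-ca-file unset: no CA to verify the eDirectory certificate against"
                findings=$((findings + 1))
            fi ;;
    esac
    return "$findings"
}

# write_sample_confs DIR: write the two constructed fragments weak.conf and
# hardened.conf into DIR (sample values only, not a real deployment).
write_sample_confs() {
    cat > "$1/weak.conf" <<'EOF'
ldap-server "192.0.2.10";
ldap-port 389;
ldap-ssl off;
ldap-tls-reqcert never;
ldap-method static;
ldap-referrals on;
EOF
    cat > "$1/hardened.conf" <<'EOF'
ldap-server "192.0.2.10";
ldap-port 636;
ldap-ssl ldaps;
ldap-tls-reqcert demand;
ldap-tls-ca-file "/etc/ssl/certs/edir-ca.pem";
ldap-method static;
ldap-referrals on;
EOF
}

SAMPLES=$(mktemp -d)
write_sample_confs "$SAMPLES"
for c in "$SAMPLES/weak.conf" "$SAMPLES/hardened.conf"; do
    echo "== $c"
    audit_dhcp_ldap "$c"; n=$?
    echo "$n weak setting(s)"
done
rm -rf "$SAMPLES"
```

Run it against a real dhcpd.conf with `audit_dhcp_ldap /path/to/dhcpd.conf`; a non-zero exit status is the count of settings that fall below what the dialog's defaults (Use Secure Channel selected, port 636, policy Hard) would have produced.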

OES DHCP Services Interface Selection

  • Network Boards for the OES DHCP Server: From the available interfaces, select the network interfaces that the Novell DHCP server should listen to.

For additional configuration instructions, see Installing and Configuring DHCP in the OES 2018 SP3: DNS/DHCP Services for Linux Administration Guide.

OES DNS Services

Table 3-11 OES DNS Services Parameters and Values

Page and Parameters

OES DNS Configuration

  • Directory server address: If you have specified multiple LDAP servers by using the LDAP Configuration for Open Enterprise Services dialog box, you can select a different LDAP server than the first one in the list.

    If you are installing into an existing tree, ensure that the selected server has a master or read/write replica of eDirectory.

    Default: The first LDAP server in the LDAP Server Configuration dialog box.

  • Local NCP Server Context: Specify a context for the local NCP Server object.

    Default: The eDirectory context specified for this OES server.

  • Use Secure LDAP Port: Selecting this option ensures that the data transferred by this service is secure and private.

    If you deselect this option, the transferred data is in clear text format.

    Default: Selected

  • Proxy User for DNS Management: Specify the FDN of the DNS proxy user.

    An existing user must have eDirectory read, write, and browse rights under the specified context. If the user doesn’t exist, it is created in the context specified.

    Default: If you specified a common proxy user, it is used by default. If you didn’t specify a common proxy user, the eDirectory Admin name and context that you specified when configuring eDirectory is used.

  • Specify Password for Proxy User: Specify the password for the DNS proxy user.

    For more information on proxy user and password management, see Planning Your Proxy Users in the OES 2018 SP3: Planning and Implementation Guide.

    Default: The password that you specified for the OES server you are installing.

  • Credential Storage Location: Specify where the DNS proxy user’s credentials are to be stored.

    Default: For security reasons, the default and recommended method of credential storage is OCS.

  • Common DNS Configuration Object and User Contexts:

    • Get Context and Proxy User Information from Existing DNS Server: Select this option if you are configuring DNS in an existing tree where DNS is already configured, and you want to use the existing Locator, Root Server Info, Group and Proxy User contexts.

    • Existing OES DNS Server Address: If you have enabled the previous option, you can type the IP address of an NCP server (must be up and running) that is hosting the existing DNS server.

      To automatically retrieve the contexts of the objects that follow, click Retrieve.

      If you do not want to use the retrieved contexts, you can change them manually.

    • OES DNS Services Locator Object Context: Specify the context for the DNS Locator object.

      The Locator object contains global defaults, DHCP options, and a list of all DNS and DHCP servers, subnets, and zones in the tree.

      Default: The context you specified for the OES server you are installing.

    • OES DNS Services Root Server Info Context: Specify the context for the DNS Services root server.

      The RootSrvrInfo Zone is an eDirectory container object that contains resource records for the DNS root servers.

      Default: The context you specified for the OES server you are installing.

    • OES DNS Services Group Object Context: Specify the context for the DNS Group object.

      This object is used to grant DNS servers the necessary rights to other data within the eDirectory tree.

      Default: The context you specified for the OES server you are installing.

  • Create DNS Server Object: Select this check box if you want to create the DNS server object in the eDirectory tree associated with the NCP server.

  • Host Name: Type the unique host name for the DNS server object.

  • Domain Name for the DNS Server: Type the domain name for the server object.

For additional configuration instructions, see Installing and Configuring DNS in the OES 2018 SP3: DNS/DHCP Services for Linux Administration Guide.

OES Domain Services for Windows

There are multiple configuration scenarios, depending on your deployment. For information, see Installing Domain Services for Windows in the OES 2018 SP3: Domain Services for Windows Administration Guide.

OES eDirectory Services

IMPORTANT:You specified the eDirectory configuration for this server in either Specifying LDAP Configuration Settings or Specifying eDirectory Configuration Settings, and the settings you specified were extended to your OES service configurations by the OES install.

If you change the eDirectory configuration at this point in the install, your modifications might or might not extend to the other OES services. For example, if you change the server context from o=example to ou=servers.o=example, the other service configurations might or might not reflect the change.

Be sure to carefully check all of the service configuration summaries on the Micro Focus Open Enterprise Server Configuration summary screen. If any of the services don’t show the eDirectory change you made, click the service link and modify the configuration manually. Otherwise, your installation will fail.

Table 3-12 OES eDirectory Parameters and Values

Page and Parameters

eDirectory Configuration - New or Existing Tree

  • New or Existing Tree

    • New Tree: Creates a new tree.

      Use this option if this is the first server to go into the tree or if this server requires a separate tree. Keep in mind that this server will have the master replica for the new tree, and that users must log in to this new tree to access its resources.

    Default: New Tree

  • eDirectory Tree Name: Specify a unique name for the eDirectory tree you want to create or the name of the tree you want to install this server into.

    • Use eDirectory Certificates for HTTPS Services: Selecting this option causes eDirectory to automatically back up the currently installed certificate and key files and replace them with files created by the eDirectory Organizational CA (or Tree CA).

      Most OES services that provide HTTPS connectivity are configured by default to use the self-signed common server certificate created by YaST. Self-signed certificates provide minimal security and limited trust, so you should consider using eDirectory certificates instead.

      For all server installations, this option is enabled by default and is recommended for the increased security it provides.

      To prevent third-party CA certificates from being accidentally backed up and overwritten, deselect this option.

      For more information on certificate management and this option, see Security in the OES 2018 SP3: Planning and Implementation Guide.

    • Require TLS for Simple Binds with Password: Select this option to make connections encrypted in the Session layer.

    • Install SecretStore: Select this option to install Novell SecretStore (SS), an eDirectory-based security product.

eDirectory Configuration - New/Existing Tree Information

  • IP Address of an Existing eDirectory Server with a Replica: Specify the IP address of a server with an eDirectory replica.

    This option appears only if you are joining an existing tree.

  • NCP Port on the Existing Server: Specify the NCP port used by the eDirectory server you specified.

    This option appears only if you are joining an existing tree.

    Default: 524

  • LDAP and Secure LDAP Ports on the Existing Server: Specify the LDAP ports used by the eDirectory server you specified.

    This option appears only if you are joining an existing tree.

    IMPORTANT:The scripts that manage the common proxy user require port 636 for secure LDAP communications.

    Default: 389 (LDAP), 636 (Secure LDAP)

  • FDN Admin Name with Context: Specify the name of the administrative user for the new tree.

    This is the fully distinguished name of a User object that will be created with full administrative rights in the new directory.

    Default: The eDirectory Admin name and context that you specified when initially configuring eDirectory.

  • Admin Password: Specify the eDirectory administrator's password.

    This is the password of the user specified in the prior field.

  • Verify Admin Password: Retype the password to verify it.

    This option only appears if you are creating a new tree.

eDirectory Configuration - Local Server Configuration

  • Enter Server Context: Specify the location of the new server object in the eDirectory tree.

  • Enter Directory Information Base (DIB) Location: Specify a location for the eDirectory database.

    Default: The default path is /var/opt/novell/eDirectory/data/dib, but you can use this option to change the location if you expect the number of objects in your tree to be large and the current file system does not have sufficient space.

  • Enter LDAP Port: Specify the LDAP port number this server will use to service LDAP requests.

    Default: 389

  • Enter Secure LDAP Port: Specify the secure LDAP port number this server will use to service LDAP requests.

    IMPORTANT:The scripts that manage the common proxy user require port 636 for secure LDAP communications.

    Default: 636

  • Enter iMonitor Port: Specify the port this server will use to provide access to the iMonitor application.

    iMonitor lets you monitor and diagnose all servers in your eDirectory tree from any location on your network where a web browser is available.

    Default: 8028

  • Enter Secure iMonitor Port: Specify the secure port this server will use to provide access to the iMonitor application.

    Default: 8030

eDirectory Configuration - NTP and SLP

  • Network Time Protocol (NTP) Server: Specify the IP address or DNS hostname of an NTP server.

    • For the first server in a tree, we recommend specifying a reliable external time source.

    • For servers joining a tree, specify the same external NTP time source that the tree is using, or specify the IP address of a configured time source in the tree. A time source in the tree should be running time services for 15 minutes or more before connecting to it; otherwise, the time synchronization request for the installation fails.

      If the time source server is NetWare 5.0 or earlier, you must specify an alternate NTP time source, or the time synchronization request fails. For more information, see Time Services in the OES 2018 SP3: Planning and Implementation Guide.

  • Use Local Clock: Alternatively, you can select Use Local Clock to designate the server’s hardware clock as the time source for your eDirectory tree.

    This is not recommended if there is a reliable external time source available.

  • (SLP Options)

    • Use Multicast to Access SLP: Allows the server to request SLP information by using multicast packets. Use this in environments that have not established SLP DAs (Directory Agents).

      IMPORTANT:If you select this option, you must disable the firewall for SLP to work correctly. Multicast creates a significant amount of network traffic and can reduce network throughput.

    • Configure as Directory Agent: Configures this server as a Directory Agent (DA). This is useful if you plan to have more than three servers in the tree and want to set up SLP during the installation.

      • DASyncReg: Causes SLP, when it starts, to query the Directory Agents listed under Configured SLP Directory Agents for their current lists of registered services. It also causes the DA to share service registrations that it receives with the other DAs in the SLP Directory Agent list.

      • Backup SLP Registrations: Causes SLP to back up the list of services that are registered with this Directory Agent on the local disk.

      • Backup Interval in Seconds: Specifies how often the list of registered services is backed up.

    • Configure SLP to use an existing Directory Agent: Configures SLP to use an existing Directory Agent (DA) in your network. Use this in environments that have established SLP DAs. When you select this option, you configure the servers to use by adding or removing them from the SLP Directory Agent list.

  • Service Location Protocols and Scope: Configures the scopes that a user agent (UA) or service agent (SA) is allowed to use when making requests or when registering services, or specifies the scopes that a directory agent (DA) must support. The default value is DEFAULT. Use commas to separate each scope. For example, net.slp.useScopes = myScope1,myScope2,myScope3.

    This information is required when selecting the Use Multicast to Access SLP or Configure SLP to Use an Existing Directory Agent option.

    Default: Default

  • Configured SLP Directory Agents: Lets you manage the list of host names or IP addresses of one or more external servers on which an SLP Directory Agent is running.

    It is enabled for input only when you configure SLP to use an existing Directory Agent.

NetIQ Modular Authentication Services

IMPORTANT:NMAS client software (included with Client for Open Enterprise Server software) must be installed on each client workstation where you want to use the NMAS login methods.

  • CertMutual: The Certificate Mutual login method implements the Simple Authentication and Security Layer (SASL) EXTERNAL mechanism, which uses SSL certificates to provide client authentication to eDirectory through LDAP.

  • Challenge Response: The Challenge-Response login method works with the Identity Manager password self-service process. This method allows either an administrator or a user to define a password challenge question and a response, which are saved in the password policy. Then, when users forget their passwords, they can reset their own passwords by providing the correct response to the challenge question.

  • DIGEST-MD5: The Digest MD5 login method implements the Simple Authentication and Security Layer (SASL) DIGEST-MD5 mechanism as a means of authenticating the user to eDirectory through LDAP.

  • NDS: The NDS login method provides secure password challenge-response user authentication to eDirectory. This method supports the traditional NDS password when the NMAS client is in use. Reinstallation is necessary only if the NDS login method object has been removed from the directory.

  • Simple Password: The Simple Password NMAS login method provides password authentication to eDirectory. The Simple Password is a more flexible but less secure alternative to the NDS password. Simple Passwords are stored in a secret store on the user object.

  • SASL GSSAPI: The SASL GSSAPI login method implements the Generic Security Services Application Program Interface (GSSAPI) authentication by using the Simple Authentication and Security Layer (SASL) that enables users to authenticate to eDirectory through LDAP by using a Kerberos ticket.

If you want to install all of the login methods into eDirectory, click Select All.

If you want to clear all selections, click Deselect All.

For more information on these login methods, see Managing Login and Post-Login Methods and Sequences in the Novell Modular Authentication Services 3.3.4 Administration Guide.

Defaults: Challenge Response and NDS

OES Common Proxy User Information

  • Use Common Proxy User as Default for OES Products: Selecting this option configures the specified common proxy user for the following services: CIFS, DNS, DHCP, NetStorage, and NCS. Optionally, you can specify that LUM use it.

  • OES Common Proxy User Name: By default, the common proxy user’s name is OESCommonProxy_hostname, but you can specify any name that fits your naming methodology.

    By default, the common proxy user is created in the container that you specify for the server object.

    You can specify a different container, but it must meet one of the following qualifications:

    • New Tree Installation: The container must be included in either the path specified for the eDirectory Admin user or the path for the Server object.

    • Existing Tree Installation: The container must already exist in eDirectory.

    IMPORTANT:You cannot create a new container by specifying a non-qualifying path. If you attempt this, the installation program will appear to proceed normally until the eDirectory Configuration (ndsconfig) runs. At that point the installation will fail with an Error creating Common Proxy User: 32 error, and you will need to install the server again.

  • OES Common Proxy User Password: You can accept the default system-generated password or specify a new password for the common proxy user.

  • Verify OES Common Proxy User Password: If you specified a different password, type the same password in this field. Otherwise, the system-generated password is automatically included.

  • Assign Common Proxy Password Policy to Proxy User: The initial common proxy password policy is a simple password policy created with default rules. You can modify this policy after the installation to enforce stricter rules regarding password length, characters supported, expiration intervals, and so forth.
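The container qualification rule for a new-tree installation can be checked before the installer reaches ndsconfig, rather than discovering the "Error creating Common Proxy User: 32" failure afterwards. The shell script below is an added example and is not part of the OES installer: it assumes that "included in the path" means the proposed container is the Admin user's container, the Server object's container, or a container above one of them; it does not model ndsconfig itself, and the DNs are constructed samples.

```shell
#!/bin/sh
# Added example (not from the OES guide or installer): check a proposed common
# proxy user container against the new-tree rule that it must lie on the path
# of the eDirectory Admin user or of the Server object. "On the path" is read
# here as "is one of the containers that DN sits under", which is an assumption
# of this example. All DNs are constructed.

# norm_dn DN: lower-case the DN and strip spaces around commas so that
# "OU=Servers, O=Example" and "ou=servers,o=example" compare equal.
norm_dn() {
    printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/ *, */,/g'
}

# dn_on_path CONTAINER DN: exit 0 if DN is CONTAINER itself or sits below it
# (comma-separated typeful format only; dotted names are not accepted).
dn_on_path() {
    c=$(norm_dn "$1"); d=$(norm_dn "$2")
    [ "$d" = "$c" ] && return 0
    case "$d" in
        *",$c") return 0 ;;
    esac
    return 1
}

# container_qualifies CONTAINER ADMIN_FDN SERVER_CONTEXT: exit 0 if CONTAINER
# is on the Admin user's path or on the Server object's path, else 1.
container_qualifies() {
    dn_on_path "$1" "$2" || dn_on_path "$1" "$3"
}

# Constructed values standing in for the installer's eDirectory settings.
ADMIN_FDN="cn=admin,o=example"
SERVER_CTX="ou=servers,o=example"
for c in "o=example" "ou=servers,o=example" "ou=proxies,o=example"; do
    if container_qualifies "$c" "$ADMIN_FDN" "$SERVER_CTX"; then
        echo "$c: qualifies as the common proxy user container"
    else
        echo "$c: does not qualify (a new tree has no such container; ndsconfig would fail)"
    fi
done
```

For an existing-tree installation the rule is different (the container must already exist), so this check only applies to the New Tree case; there the only containers that exist at ndsconfig time are those created for the Admin user and the Server object.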

For additional configuration instructions, see Installing or Upgrading NetIQ eDirectory on Linux in the NetIQ eDirectory Installation Guide.

OES FTP Services

No additional configuration is required.

NetIQ iManager

Table 3-13 NetIQ iManager Parameters and Values

Page and Parameters

iManager Configuration

  • eDirectory Tree: Shows the name of a valid eDirectory tree that you specified when configuring eDirectory.

    To change this configuration, you must change the eDirectory configuration.

  • FDN Admin Name with Context: Shows the eDirectory Admin name and context that you specified when configuring eDirectory. This is the user that has full administrative rights to perform operations in iManager.

    To change this configuration, you must change the eDirectory configuration.

For additional configuration instructions, see Installing iManager Server and Workstation in the NetIQ iManager Installation Guide.

OES iPrint

Table 3-14 OES iPrint Parameters and Values

Page and Parameters

iPrint Configuration

  • Directory server address: The IP address shown is the default LDAP server for this service. If you do not want to use the default, select a different LDAP server in the list.

    If you are installing into an existing tree, ensure that the server you select has a master replica or read/write replica of eDirectory. If you need to add another LDAP server to the list, add it by using the LDAP Configuration for Open Enterprise Services dialog box.

  • Top-Most Container of eDirectory Tree: iPrint uses LDAP to verify rights to perform various iPrint operations, including authenticating users for printing and performing management tasks such as uploading drivers.

    During the installation of the iPrint software, iPrint attempts to identify the topmost container of the eDirectory tree and sets the base dn to this container for the AuthLDAPURL entry in /etc/opt/novell/iprint/httpd/conf/iprint_ssl.conf.

    For most installations, this is adequate because users are often distributed across containers.

    IMPORTANT:If you have multiple peer containers at the top of your eDirectory tree, leave this field blank so that the LDAP search begins at the root of the tree.

For additional configuration instructions, see Installing and Setting Up iPrint on Your Server in the OES 2018 SP3: iPrint Administration Guide.

iPrint Advanced

If you have selected the iPrint Advanced pattern, refer to the OES 2018 SP3: iPrint Advanced Administration Guide for more information.

OES Linux User Management

Table 3-15 OES Linux User Management Parameters and Values

Page and Parameters

Linux User Management Configuration

  • Directory Server Address: The IP address shown is the default LDAP server for this service. If you do not want to use the default, select a different LDAP server in the list.

    If you are installing into an existing tree, ensure that the server you select has a master replica or read/write replica of eDirectory. If you need to add another LDAP server to the list, add it by using the LDAP Configuration for Open Enterprise Services dialog box.

    For information about specifying multiple LDAP servers for Linux User Management (LUM), see Configuring a Failover Mechanism in the OES 2018 SP3: Linux User Management Administration Guide.

    Default: The first server selected in the LDAP Configuration list of servers

  • Unix Config Context: The UNIX Config object holds a list of the locations (contexts) of UNIX Workstation objects in eDirectory. It also controls the range of numbers to be assigned as UIDs and GIDs when User objects and Group objects are created.

    Specify the eDirectory context (existing or created here) where the UNIX Config object will be created. An LDAP search for a LUM User, a LUM Group, or a LUM Workstation object begins here, so the context must be at the same level or higher than the LUM objects searched for.

    If the UNIX Config Object is placed below the location of the User objects, the /etc/nam.conf file on the target computer must include the support-outside-base-context=yes parameter.

    Geographically dispersed networks might require multiple UNIX Config objects in a single tree, but most networks need only one UNIX Config object in eDirectory.

    Default: The server context specified in the eDirectory configuration

  • Unix Workstation Context: Computers running Linux User Management (LUM) are represented by UNIX Workstation objects in eDirectory. The object holds the set of properties and information associated with the target computer, such as the target workstation name or a list of eDirectory groups that have access to the target workstation.

    Specify the eDirectory context (existing or created here) for the UNIX Workstation object created by the install for this server. The context should be the same as or below the UNIX Config Context specified above.

    Default: The context you specified for this OES server in the eDirectory configuration

  • Proxy User Name with Context (Optional): If you specified a common proxy user, and you select the Use OES Common Proxy User option (below) it is used by default. If you didn’t specify a common proxy user, you can specify a user (existing or created here) with rights to search the LDAP tree for LUM objects.

  • Use OES Common Proxy User: Check this option if you specified a common proxy user and want to use it as the proxy user for LUM.

  • Restrict Access to the Home Directories of Other Users: This option is selected by default to restrict read and write access for users other than the owner to home directories.

    Using the default selection changes the umask setting in /etc/login.defs from 022 to 077.

    Default: Selected
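What the umask change above means in practice: a new home directory is created with mode 0777 minus the umask bits, so 022 leaves it world-readable and traversable while 077 makes it private to its owner. The shell script below is an added example and is not part of LUM or this guide: it reads UMASK from a login.defs-style file, derives the resulting directory mode, and confirms it by creating a directory under that umask; the two login.defs samples it reads are constructed copies, not /etc/login.defs itself.

```shell
#!/bin/sh
# Added example (not from the OES guide or LUM): what the home-directory
# restriction option changes. It reads UMASK from a login.defs-style file,
# derives the mode a new home directory gets, and confirms it by creating a
# directory under that umask. The two login.defs samples are constructed.

# login_defs_umask FILE: print the UMASK value from a login.defs-style file,
# skipping comments; prints nothing if the setting is absent.
login_defs_umask() {
    awk '$1 == "UMASK" { print $2; exit }' "$1"
}

# mode_under_umask UMASK: octal mode of a directory created with mkdir's
# default request of 0777 once the umask bits are cleared.
mode_under_umask() {
    printf '%03o\n' "$(( 0777 & ~0$1 ))"
}

# others_have_access UMASK: exit 0 if group or other keep any permission bit
# on a new directory under UMASK, 1 if the directory is private to its owner.
others_have_access() {
    [ "$(( (0777 & ~0$1) & 0077 ))" -ne 0 ]
}

# dir_perms_under_umask UMASK: create a throwaway directory under UMASK and
# print its ls-style permission string (for example drwxr-xr-x).
dir_perms_under_umask() {
    d=$(mktemp -d)
    ( umask "$1"; mkdir "$d/home" )
    ls -ld "$d/home" | cut -c1-10
    rm -rf "$d"
}

# Constructed login.defs fragments: the usual distribution default and the
# value the LUM option sets.
SAMPLES=$(mktemp -d)
printf '%s\n' '# constructed: distribution default' 'UMASK 022' > "$SAMPLES/login.defs.default"
printf '%s\n' '# constructed: after the LUM option' 'UMASK 077' > "$SAMPLES/login.defs.restricted"
for f in "$SAMPLES/login.defs.default" "$SAMPLES/login.defs.restricted"; do
    u=$(login_defs_umask "$f")
    if others_have_access "$u"; then
        verdict="other users can list and enter new home directories"
    else
        verdict="new home directories are private to their owner"
    fi
    echo "$f: UMASK $u -> mode $(mode_under_umask "$u") $(dir_perms_under_umask "$u"): $verdict"
done
rm -rf "$SAMPLES"
```

To audit a real server, run `login_defs_umask /etc/login.defs` and `others_have_access "$(login_defs_umask /etc/login.defs)"`; note that the umask only governs directories created after the change, so home directories that already existed keep whatever mode they had.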

Linux User Management Configuration (2)

IMPORTANT: Before you change the PAM-enabled service settings, ensure that you understand the security implications explained in User Restrictions: Some OES Limitations in the OES 2018 SP3: Planning and Implementation Guide.

  • Services to LUM-enable for authentication via eDirectory: Select the services to LUM-enable on this server. The services marked yes are available to authenticated LUM users.

    • login: no

    • ftp: no

    • sshd: no

      If you want to use the SSH protocol to define a NetStorage storage location object, you must select SSHD as a LUM-enabled service.

      If you do not select SSHD, users cannot log in to NetStorage through SSH to access their files.

    • su: no

    • sfcbd: yes

      This is selected by default because it is used by many of the OES services such as NSS, SMS, and Novell Remote Manager. To access iManager and NRM, you must enable SFCB.

    • gdm: no

    • gnome-screensaver: no

    • gnomesu-pam: no

For additional configuration instructions, see Setting Up Linux User Management in the OES 2018 SP3: Linux User Management Administration Guide.

OES NCP Server / Dynamic Storage Technology

Table 3-16 OES NCP Server Parameters and Values

Page and Parameters

NCP Server Configuration

  • Admin Name with Context: The eDirectory Admin user you specified in the eDirectory configuration.

For additional configuration instructions, see Installing and Configuring NCP Server for Linux in the OES 2018 SP3: NCP Server for Linux Administration Guide.

OES NetStorage

Table 3-17 OES NetStorage Parameters and Values

Page and Parameters

NetStorage Configuration

  • Authentication Domain Host: The IP address shown is the default LDAP server for this service. If you do not want to use the default, select a different LDAP server in the list.

    If you are installing into an existing tree, ensure that the server you select has a master replica or read/write replica of eDirectory. If you need to add another LDAP server to the list, add it by using the LDAP Configuration for Open Enterprise Services page.

    Default: The first server selected in the LDAP Configuration list of servers.

  • Proxy User Name with Context: Specify the proxy user name including the context, or accept the default.

    This user performs LDAP searches for users logging into NetStorage.

    Default: If you specified a common proxy user, it is used by default. If you didn’t specify a common proxy user, the eDirectory Admin name and context that you specified when configuring eDirectory is used.

  • User Context: Specify the NetStorage user context, or accept the default.

    This is the eDirectory context for the users that will use NetStorage. NetStorage searches the eDirectory tree down from the specified context for User objects. If you want NetStorage to search the entire eDirectory tree, specify the root context.

    Default: The Organization object you specified while configuring eDirectory

For additional configuration instructions, see Installing NetStorage in the OES 2018 SP3: NetStorage Administration Guide for Linux.

OES Pre-Migration Server

No additional configuration is required. For information, see Preparing the Source Server for Migration in the OES 2018 SP3: Migration Tool Administration Guide.

OES Remote Manager

No additional configuration for the installation is required. To change the configuration after the installation, see Changing the HTTPSTKD Configuration in the OES 2018 SP3: OES Remote Manager Administration Guide.

OES Storage Services (NSS)

Table 3-18 OES Storage Services Parameters and Values

Page and Parameters

NSS Unique Admin Object

  • Directory Server Address: The IP address shown is the default LDAP server for this service. If you do not want to use the default, select a different LDAP server in the list.

    If you are installing into an existing tree, ensure that the server you select has a master replica or read/write replica of eDirectory. If you need to add another LDAP server to the list, add it by using the LDAP Configuration for Open Enterprise Services dialog box.

    Default: The first server selected in the LDAP Configuration list of servers.

  • Unique object Name for NSS Admin of This: Specify the NSS Admin name and context or accept the default.

    This is the fully distinguished name of a User object with administrative rights to NSS. You must have a unique NSS admin name for each server that uses NSS.

    For more information, see Planning Your Proxy Users in the OES 2018 SP3: Planning and Implementation Guide.

    Default: The server hostname concatenated with the LDAP Admin Name you entered for this server, for example cn=myserveradmin,o=organization.

For additional configuration instructions, see Installing and Configuring OES Storage Services in the OES 2018 SP3: NSS File System Administration Guide for Linux.

NSS Active Directory Support

Table 3-19 NSS Active Directory Support Parameters and Values

Page and Parameters

  • AD Domain Name: Specify the appropriate AD domain name.

  • AD Supervisor Group: Specify the AD supervisor group name. The AD users belonging to this group will have supervisory rights for all the volumes associated with that OES server.

  • AD User Name: Specify the user name that can be used for the domain join operation. This user must have the following privileges: rights to reset passwords, create computer objects, delete computer objects, and read and write the msDs-supportedEncryptionTypes attribute.

  • Password: Specify the appropriate password of the user who is used for the domain join operation.

  • Container to Create Computer Object: You can specify the container under which the OES computer object will be created. The default container is CN=Computers. If you have already created an OES computer object in Active Directory, select Use pre-created computer object, then specify the container name where the pre-created OES computer object exists.

  • Novell Identity Translator (NIT) Configuration: NIT is used to manage the eDirectory and Active Directory user identities such as UID, GUID, SID, and user name. It maps those user identities and translates from one identity to another. For more information on NIT, see Section 7.5, About Novell Identity Translator (NIT).

    If you want NIT to generate UIDs for AD users, select Generate UID for AD users, then specify the UID range. The default range is from 100000 to 200000. If you want NIT to fetch UIDs, do not select the Generate UID for AD users option.

For additional configuration instructions, see Section 7.0, Installing and Configuring NSS Active Directory Support.

Deprecated Services:

New installations of OES 2018 SP1 or later will not include patterns to install the deprecated services.

Table 3-20 Deprecated Services in OES

Deprecated Service       From OES Release
Novell Samba             OES 2018 SP1
iFolder                  OES 2018
Archive and Version      OES 2015
QuickFinder              OES 2015

If you are upgrading to OES 2018 SP1 or later from an earlier OES server (one that includes these packages), the deprecated services and the associated data will not be accessible on the OES 2018 SP1 or later server. However, the iManager plug-ins for these services are still available in the OES package but not installed by default. You can install these plug-ins from iManager to manage servers prior to OES 2018 SP1.

  1. In iManager, select Configure > Plug-in Installation > Available Novell Plug-in Modules.

  2. Select the plug-ins.

  3. Click Install to install the selected plug-ins.

  4. Restart tomcat for the changes to take effect.

    rcnovell-tomcat restart

    Or

    systemctl restart novell-tomcat.service