You can configure OES in one of two ways: Typical Configuration or Custom Configuration. Typical Configuration, also called Express Install, installs OES with minimal user intervention. Custom Configuration is the usual, detailed method in which you provide every configuration setting yourself.
In the OES Configuration screen, if you have chosen to configure OES using Typical Configuration, you only need to provide the following minimum configuration details:
SLP Server and SLP Scopes: In these fields, specify the host name or the IP address of the server where the SLP agent is running and the SLP scopes. If you don't enter any SLP details, multicast SLP mode is chosen by default.
NOTE: If you would like to use the current server as the DA server, click Back and choose the custom configuration instead of typical configuration.
NTP Time Server: Specify the IP address or the host name of the Network Time Protocol (NTP) server.
New or Existing Tree: If you would like to configure OES using an existing eDirectory tree, choose Existing Tree; otherwise, choose New Tree.
eDirectory Tree Name: Provide the eDirectory tree name.
IP Address of an existing eDirectory Server with a replica: If you have chosen to configure OES using an existing tree, this field is enabled to provide the IP address of an existing eDirectory server.
IMPORTANT: Ensure that you verify the status of the eDirectory tree using the Validate button. If the validation is unsuccessful, do not proceed further with the OES configuration until the eDirectory server is up and running.
FDN of the tree administrator: Specify the fully distinguished name of the administrative user.
Admin Password and Verify Admin Password: In these two fields, specify the eDirectory administrative passwords.
Enter Server Context: Specify the location of the server context in the eDirectory tree.
Directory Information Base (DIB) Location: Specify the location of the eDirectory DIB.
After providing all these details, click Next. OES will be installed and configured without any user intervention.
This is the normal method of installing and configuring OES: you provide every configuration detail that OES requires instead of relying on the default configuration details. Custom configuration is explained in detail in Section 3.13.3, Specifying eDirectory Configuration Settings, Section 3.13.4, Specifying LDAP Configuration Settings, Section 3.13.5, Configuring OES Services, and Section 3.13.6, Configuration Guidelines for OES Services.
When you specify the eDirectory configuration settings, you can specify information to create a new tree and install the server in that new tree, or you can install the server into an existing tree by specifying the information for it. Use the following instructions as applicable:
On the eDirectory Configuration - SLP page, specify the SLP options as desired.
You have the following options for configuring SLP:
Use Multicast to Access SLP: This option allows the server to request SLP information by using multicast packets. Use this in environments that have not established SLP DAs (Directory Agents).
IMPORTANT: If you select this option, you must disable the firewall for SLP to work correctly. Multicast creates a significant amount of network traffic and can reduce network throughput.
Configure SLP to use an existing Directory Agent: This option configures SLP to use an existing Directory Agent (DA) in your network. Use this in environments that have established SLP DAs. When you select this option, you configure the servers to use by adding or removing them from the SLP Directory Agent list.
Configure as Directory Agent: This option configures this server as a Directory Agent (DA). This is useful if you plan to have more than three servers in the tree and want to set up SLP during the installation.
Synchronize Service Registrations with other Directory Agents: This option causes SLP, when it starts, to query the Directory Agents listed under Configured SLP Directory Agents for their current lists of registered services. It also causes the DA to share service registrations that it receives with the other DAs in the SLP Directory Agent list.
Backup SLP Registrations: This option causes SLP to back up the list of services that are registered with this Directory Agent on the local disk.
Backup Interval in Seconds: This specifies how often the list of registered services is backed up.
Service Location Protocols and Scopes: This option configures the scopes that a user agent (UA) or service agent (SA) is allowed to use when making requests or registering services, or specifies the scopes a directory agent (DA) must support. The default value is DEFAULT. Use commas to separate each scope. For example, net.slp.useScopes = myScope1,myScope2,myScope3.
Configured SLP Directory Agents: This option lets you manage the list of hostname or IP addresses of one or more external servers on which an SLP Directory Agent is running.
Click Next and confirm your selection if necessary.
eDirectory requires that all OES servers are time-synchronized.
On the eDirectory Configuration - NTP page, click Add.
In the Time Servers text box, specify the IP address or DNS hostname of an NTP server, then click Add.
For the first server in a tree, we recommend specifying a reliable external time source.
When you install multiple servers into the same eDirectory tree, ensure that all servers point to the same time source and not to the server holding the master replica.
For servers joining a tree, specify the same external NTP time source that the tree is using, or specify the IP address of a configured time source in the tree. A time source in the tree should be running time services for 15 minutes or more before connecting to it; otherwise, the time synchronization request for the installation fails.
If you want to use the server’s hardware clock, select Use Local Clock.
For servers joining a tree, the installation does not let you proceed if you select this option. You must specify the same external NTP time source that the tree is using, or specify the IP address of a configured time source in the tree that has been running time services for 15 minutes or more.
For more information on time synchronization, see Implementing Time Synchronization in the OES 23.4: Planning and Implementation Guide.
On the eDirectory Configuration - New or Existing Tree page, select New Tree.
In the eDirectory Tree Name field, specify a name for the eDirectory tree that you want to create.
On OES servers, services that provide HTTPS connectivity are configured to use one of the following certificates:
An eDirectory certificate issued by the Novell International Cryptographic Infrastructure (NICI)
A third-party server certificate
By default, the Use eDirectory Certificates for HTTPS Services check box is selected. This means that the server certificate and key files will be created.
The eDirectory server certificate and key files are:
Key file: /etc/ssl/servercerts/serverkey.pem
Certificate file: /etc/ssl/servercerts/servercert.pem
For more information, see Certificate Management in the OES 23.4: Planning and Implementation Guide.
On the eDirectory Configuration - New Tree Information page, specify the required information:
The fully distinguished name and context for the user Admin
The password for user Admin
Click Next.
On the eDirectory Configuration - Local Server Configuration page, specify the following information:
The context for the server object in the eDirectory tree
A location for the eDirectory database
The default path is /var/opt/novell/eDirectory/data/dib, but you can use this option to change the location if you expect to have a large number of objects in your tree and if the current file system does not have sufficient space.
The ports to use for servicing LDAP requests
The default ports are 389 (non-secure) and 636 (secure).
IMPORTANT: The scripts that manage the common proxy user require port 636 for secure LDAP communications.
The ports to use for providing access to the iMonitor application
The default ports are 8028 (non-secure) and 8030 (secure).
NOTE: If you chose non-default ports that have not been added to the firewall, you can open them with yast2 firewall after the installation is complete.
Click Next.
On the eDirectory Configuration - New or Existing Tree page, select Existing Tree.
In the eDirectory Tree Name field, specify a name for the eDirectory tree you want to join.
On OES servers, services that provide HTTPS connectivity are configured to use either of the following:
An eDirectory certificate issued by the Novell International Cryptographic Infrastructure (NICI)
By default, the Use eDirectory Certificates for HTTPS Services check box is selected. This means that the existing YaST server certificate and key files will be replaced with eDirectory server certificate and key files.
The eDirectory server certificate and key files are:
Key file: /etc/ssl/servercerts/serverkey.pem
Certificate file: /etc/ssl/servercerts/servercert.pem
For more information on certificate management, see Certificate Management in the OES 23.4: Planning and Implementation Guide.
By default, Enable NMAS-based login for LDAP authentication is selected to enforce the use of a single secure password for all partner products. The Secure Password Manager of the NMAS module manages this universal password implementation.
On the eDirectory Configuration - Existing Tree Information page, specify the required information:
The IP address or the host name of an existing eDirectory server with a replica.
IMPORTANT: Ensure that you verify the status of the eDirectory tree using the Validate button. If the validation is unsuccessful, do not proceed further with the OES configuration until the eDirectory server is up and running.
The NCP port on the existing server
The LDAP and secure LDAP port on the existing server
The fully distinguished name and context for the user Admin on the existing server
The password for user Admin on the existing server
Click Next.
On the eDirectory Configuration - Local Server Configuration page, specify the following information:
The context for the server object in the eDirectory tree
A location for the eDirectory database
The default path is /var/opt/novell/eDirectory/data/dib, but you can use this option to change the location if you expect to have a large number of objects in your tree and if the current file system does not have sufficient space.
The ports to use for servicing LDAP requests
The default ports are 389 (non-secure) and 636 (secure).
IMPORTANT: The scripts that manage the common proxy user require port 636 for secure LDAP communications.
The ports to use for providing access to the iMonitor application
The default ports are 8028 (non-secure) and 8030 (secure).
NOTE: If you chose non-default ports that have not been added to the firewall, you can open them with yast2 firewall after the installation is complete.
Click Next.
On the NetIQ Modular Authentication Services page, select all of the login methods you want to install.
IMPORTANT: The NMAS client software must be installed on each client workstation where you want to use the NMAS login methods. The NMAS client software is included with the Client for Open Enterprise Server software.
The following methods are available:
CertMutual: The Certificate Mutual login method implements the Simple Authentication and Security Layer (SASL) EXTERNAL mechanism, which uses SSL certificates to provide client authentication to eDirectory through LDAP.
Challenge Response: The Challenge Response login method works with the Identity Manager password self-service process. This method allows either an administrator or a user to define a password challenge question and a response, which are saved in the password policy. Then, when users forget their passwords, they can reset their own passwords by providing the correct response to the challenge question.
DIGEST-MD5: The Digest-MD5 login method implements the Simple Authentication and Security Layer (SASL) DIGEST-MD5 mechanism as a means of authenticating the user to eDirectory through LDAP.
NDS: The NDS login method provides secure password challenge-response user authentication to eDirectory. This method is installed by default and supports the traditional NDS password when the NMAS client is in use. Reinstallation is necessary only if the NDS login method object has been removed from the directory.
Simple Password: The Simple Password NMAS login method provides password authentication to eDirectory. The Simple Password is a more flexible but less secure alternative to the NDS password. Simple Passwords are stored in a secret store on the user object.
SASL GSSAPI: The SASL GSSAPI login method implements the Generic Security Services Application Program Interface (GSSAPI) authentication. It uses the Simple Authentication and Security Layer (SASL), which enables users to authenticate to eDirectory through LDAP by using a Kerberos ticket.
For more information about installing and configuring eDirectory, see Installing or Upgrading NetIQ eDirectory on Linux in the NetIQ eDirectory Installation Guide.
For more information on these login methods, see the online help and Managing Login and Post-Login Methods and Sequences in the Novell Modular Authentication Services 3.3.4 Administration Guide.
Click Next.
For an OES service to run successfully, you need to use a separate proxy account to configure and manage each service. However, using multiple proxy user accounts means more overhead for the administrator. To avoid this overhead, the common proxy user has been introduced. Each node in a tree can have a common proxy user for all of its services. This enables administrators to configure and manage multiple services with just one proxy user.
NOTE: Two nodes in a tree cannot have the same common proxy user.
For information about this option, see Common Proxy User in the OES 23.4: Planning and Implementation Guide.
On the OES Common Proxy User Information page, specify the configuration settings for this user.
Use Common Proxy User as Default for OES Products: This option is disabled for the user and configures the common proxy user for the following services: CIFS, DNS, DHCP, and NCS. Optionally, you can specify that LUM uses it.
OES Common Proxy User Name: For a host, the common proxy user's name is OESCommonProxy_hostname. You cannot specify any other name than what is given by the system. This restriction prevents possible use of the same common proxy user name across two or more nodes in a tree. For more information, see Can I Change the Common Proxy User Name and Context? in the OES 23.4: Planning and Implementation Guide.
OES Common Proxy User Context: Provide the FDN of the container in which the common proxy user is to be created. By default, this field is populated with the NCP server context, for example ou=acap,o=mf, where ou=acap is the organizational unit named acap and o=mf is the organization named mf. For an existing tree, click Browse and select the container where the Common Proxy User must be created.
OES Common Proxy User Password: You can accept the default system-generated password or specify a new password for the common proxy user.
NOTE: If you choose to provide your own password, it must conform to the policy that is in effect for the common proxy user. If the password contains single (') or double (") quotes, OES Configuration will fail. These characters must be escaped with a backslash (\). For example, to add a single quote, escape it as nove\'ll. The system-generated password always conforms to the policy rules.
Verify OES Common Proxy User Password: If you specified a different password, type the same password in this field. Otherwise, the system-generated password is automatically included.
Assign Common Proxy Password Policy to Proxy User: The initial common proxy password policy is a simple password policy created with default rules. If desired, you can modify this policy after the installation to enforce stricter rules regarding password length, characters supported, expiration intervals, and so forth.
IMPORTANT: We recommend against deselecting the Assign Common Proxy Password Policy to Proxy User option. If it is deselected, the common proxy user inherits the password policies of the container, which could lead to service failures.
Click Next.
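The following pre-flight script is an added example and is not part of the OES installer or its documentation. It applies the rules stated on the Local Server Configuration page (valid, distinct LDAP and iMonitor ports; port 636 for the common proxy scripts; non-default ports are not opened in the firewall), the NTP page (a server joining a tree cannot use the local clock), the SLP page (no Directory Agent means multicast, with its firewall caveat) and the Common Proxy User page (quotes in a self-chosen password must be backslash-escaped) to a set of answers before they are typed into YaST. The answers dictionary and its keys, the function names, and the use of firewalld's firewall-cmd (the guide itself points at yast2 firewall) are assumptions of this example.

```python
"""Pre-flight checks for OES eDirectory and common proxy answers.

Added example; not part of the OES installer. The answer keys, function
names and the firewalld commands are assumptions made for this example.
"""
import re

# Installer defaults for the ports asked for on the Local Server Configuration page.
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636, "imonitor": 8028, "imonitor_secure": 8030}


def check_ports(ports):
    """Return findings for invalid, duplicate or policy-breaking ports (empty list means OK)."""
    findings, used = [], {}
    for name, default in DEFAULT_PORTS.items():
        port = ports.get(name, default)
        if not isinstance(port, int) or not 1 <= port <= 65535:
            findings.append(f"{name}: {port!r} is not a valid TCP port")
            continue
        if port in used:
            findings.append(f"{name}: port {port} is already assigned to {used[port]}")
        used[port] = name
    if ports.get("ldaps", 636) != 636:
        # The scripts that manage the common proxy user need secure LDAP on 636.
        findings.append("ldaps: common proxy user scripts require port 636")
    return findings


def firewall_commands(ports):
    """Non-default ports are not opened by the installer; return the commands to open them.

    firewalld (firewall-cmd) is assumed here; the guide points at yast2 firewall.
    """
    cmds = []
    for name, default in DEFAULT_PORTS.items():
        port = ports.get(name, default)
        if port != default:
            cmds.append(f"firewall-cmd --permanent --add-port={port}/tcp")
    return cmds + ["firewall-cmd --reload"] if cmds else []


def escape_proxy_password(password):
    """Prefix unescaped single and double quotes with a backslash (nove'll becomes nove\\'ll)."""
    return re.sub(r"(?<!\\)(['\"])", r"\\\1", password)


def slp_plan(directory_agents, scopes_value=""):
    """Pick the SLP mode the answers imply: no Directory Agent means multicast."""
    value = scopes_value.split("=", 1)[-1]  # accept "net.slp.useScopes = a,b" or just "a,b"
    scopes = [s.strip() for s in value.split(",") if s.strip()] or ["DEFAULT"]
    if not directory_agents:
        return {"mode": "multicast", "scopes": scopes,
                "warning": "multicast SLP requires the firewall to be disabled and adds network traffic"}
    return {"mode": "directory-agent", "scopes": scopes, "directory_agents": list(directory_agents)}


def preflight(answers):
    """Run all checks over an answers dict and return findings plus derived values."""
    ports = answers.get("ports", {})
    findings = check_ports(ports)
    if answers.get("use_local_clock"):
        if answers.get("join_existing_tree"):
            findings.append("ntp: a server joining a tree cannot use the local clock")
    elif not answers.get("ntp_servers"):
        findings.append("ntp: eDirectory requires time synchronization; specify an NTP server")
    return {
        "findings": findings,
        "firewall": firewall_commands(ports),
        "slp": slp_plan(answers.get("slp_directory_agents", []), answers.get("slp_scopes", "")),
        "proxy_password": escape_proxy_password(answers.get("proxy_password", "")),
    }


# Constructed sample answers for a server joining an existing tree (not a real deployment).
SAMPLE_ANSWERS = {
    "join_existing_tree": True,
    "ntp_servers": ["ntp.example.com"],
    "use_local_clock": False,
    "slp_directory_agents": [],
    "slp_scopes": "net.slp.useScopes = myScope1,myScope2",
    "ports": {"ldap": 389, "ldaps": 1636, "imonitor": 8028, "imonitor_secure": 8030},
    "proxy_password": "nove'll",
}

if __name__ == "__main__":
    result = preflight(SAMPLE_ANSWERS)
    for line in result["findings"]:
        print("FINDING:", line)
    for cmd in result["firewall"]:
        print("RUN:", cmd)
    print("SLP:", result["slp"])
    print("Escaped proxy password:", result["proxy_password"])
```

Running the script on the constructed answers reports the non-standard secure LDAP port as a finding (the common proxy scripts expect 636), lists the firewall commands for that port, notes that no Directory Agent was given so multicast SLP would be used, and shows the escaped form of the proxy password.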
Many of the OES services require eDirectory. If eDirectory was not selected as a product to install on this server but other OES services that do require LDAP services were installed, the LDAP Configuration service displays, so that you can complete the required information.
To specify the required information on the Configured LDAP Server page:
In the eDirectory Tree Name field, specify the name for the existing eDirectory tree that you are installing this server into.
In the Admin Name and Context field, specify the name and context for user Admin in the existing tree.
In the Admin Password field, specify a password for the Admin user in the existing tree.
Add the LDAP servers that you want the services on this server to use. The servers that you add should hold the master or a read/write replica of eDirectory. Do the following for each server you want to add:
Click Add.
On the next page, specify the following information for the server to add, then click Add.
IP address
LDAP port and secure LDAP port
When all of the LDAP servers that you want to specify are listed, click Next.
Verify that the Open Enterprise Server Configuration page displays the settings that you expected, then click Next.
After you complete the LDAP configuration or the eDirectory configuration, the Open Enterprise Server Configuration summary page is displayed, showing all of the OES components that you installed and their configuration settings.
Review the setting for each component. Click the component heading to change any settings.
For help with specifying the configuration information for OES services, see the information in Configuration Guidelines for OES Services.
When you are finished reviewing the settings for each component, click Next.
When you confirm the OES component configurations, you might receive the following error:
The proposal contains an error that must be resolved before continuing.
If this error is displayed, check the summary list of configured products for any messages immediately below each product heading. These messages indicate products or services that need to be configured. If you are running the YaST graphical interface, the messages are red text. If you are using the YaST text-based interface, they are not red.
For example, if you selected Linux User Management in connection with other OES products or services, you might see a message similar to the following:
Linux User Management needs to be configured before you can continue or disable the configuration.
If you see a message like this, do the following:
On the summary page, click the heading for the component.
Supply the missing information in each configuration page.
When you specify the configuration information for OES services, see the information in Configuration Guidelines for OES Services.
When you have finished the configuration of a component, you are returned to the Open Enterprise Server Configuration summary page.
If you want to skip the configuration of a specific component and configure it later, click Enabled in the Configure is enabled status to change the status to Reconfigure is disabled.
If you change the status to Reconfigure is disabled, you need to configure the OES components after the installation is complete. See Installing or Configuring OES Services on an Existing OES Server.
After resolving all product configuration issues, click Next to proceed with the configuration of all components.
When the configuration is complete, continue with Section 3.15, Finishing the Installation.
Keep the following items in mind as you configure OES:
Table 3-3 Caveats for Configuring OES Services
Issue | Guideline |
---|---|
Software Selections When Using Text-Based YaST | Some older machines, such as a Dell 1300, use the text mode install by default when the video card does not meet SLES specifications. When you go to the Software Selection, and then to the details of the OES software selections, YaST doesn’t bring up the OES selections like it does when you use the graphical YaST (YaST2). To view the Software Selection and System Task screen, select Filter > Pattern (or press Alt+F > Alt+I). |
Specifying a State identifier for a Locality Class object | If you specify a state identifier, such as California, Utah, or Karnataka, as a Locality Class object in your eDirectory tree hierarchy, ensure that you use the correct abbreviation in your LDAP (comma-delimited) or NDAP (period-delimited) syntax. When using LDAP syntax, use ou=example_organization,o=example_company,st=utah,c=us. When using NDAP syntax, use ou=example_organization.o=example_company.s=utah.c=us. |
Specifying Typeful Admin Names | When you install OES, you must specify a fully distinguished admin name by using the typeful LDAP syntax that includes object type abbreviations (cn=, ou=, o=, etc.). For example, you might specify the following: cn=admin,ou=example_organization,o=example_company |
Using Dot-Delimited or Comma-Delimited Input for All Products | For all parameters requiring full contexts, you can separate the names by using comma-delimited syntax. Ensure that you are consistent in your usage within the field. The OES installation routine displays all input in the comma-delimited (LDAP) format, but it converts the name separators to dots when individual product components require this. IMPORTANT: After the OES components are installed, be sure to follow the conventions specified in the documentation for each product. Some contexts must be specified using periods (.) and others using commas (,). eDirectory supports names like cn=juan\.garcia.ou=users.o=novell; a period (.) inside a name component must be escaped. When using NDAP format (dot), you must escape all embedded dots, for example cn=admin.o=mf\.provo. When using LDAP format (commas), you must escape all embedded commas, for example cn=admin,o=mf\,provo. The installation disallows a backslash and period (\.) in the CN portion of the admin name. For example, these names are supported: cn=admin.o=mf, cn=admin.o=mf\.provo, cn=admin.ou=deployment\.linux.o=mf\.provo. These names are not supported: cn=admin\.first.o=mf, cn=admin\.root.o=mf. Before LUM-enabling users whose cn contains a period (.), you must remove the backslash (\) from the unique_id attribute of the User object. For example, cn=juan.garcia has a unique_id attribute of juan\.garcia; before such a user can be LUM-enabled, the backslash (\) must be removed from the unique_id attribute. |
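The helpers below are an added example, not OES code, and implement the name-syntax rules from the table above: typeful RDNs, the st= (LDAP) versus s= (NDAP) state abbreviation, escaping of embedded commas in LDAP syntax and embedded dots in NDAP syntax, the installer's rejection of an escaped period in the CN portion of the admin name, and the unique_id fix-up needed before LUM-enabling a user whose cn contains a period. The function names are this example's own; the names used in the tests are the table's examples.

```python
"""eDirectory name-syntax helpers for the Table 3-3 caveats.

Added example; not part of OES. Function names are this example's own.
"""
import re

RDN_RE = re.compile(r"\s*([A-Za-z]+)=(.*)")
# The state abbreviation differs: st= in LDAP (comma) syntax, s= in NDAP (dot) syntax.
TYPE_MAP = {"ldap": {"s": "st"}, "ndap": {"st": "s"}}
SEP = {"ldap": ",", "ndap": "."}


def split_unescaped(name, sep):
    """Split on sep, keeping backslash-escaped characters (including an escaped sep) inside the parts."""
    parts, cur, i = [], [], 0
    while i < len(name):
        if name[i] == "\\" and i + 1 < len(name):
            cur.append(name[i:i + 2])  # keep the escape pair intact
            i += 2
        elif name[i] == sep:
            parts.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(name[i])
            i += 1
    parts.append("".join(cur))
    return parts


def detect_syntax(name):
    """Any unescaped comma means LDAP syntax; otherwise unescaped dots mean NDAP."""
    if len(split_unescaped(name, ",")) > 1:
        return "ldap"
    if len(split_unescaped(name, ".")) > 1:
        return "ndap"
    return "ldap"  # a single RDN such as o=mf reads the same in both syntaxes


def parse_typeful(name):
    """Return (syntax, [(type, value), ...]) with escape backslashes removed from the values.

    Raises ValueError for a typeless RDN, which the installer does not accept.
    """
    syntax = detect_syntax(name)
    rdns = []
    for rdn in split_unescaped(name, SEP[syntax]):
        m = RDN_RE.fullmatch(rdn)
        if not m or not m.group(2):
            raise ValueError(f"{rdn!r} is not typeful; use abbreviations such as cn=, ou=, o=")
        # Both \, and \. stand for a literal separator character inside a name component.
        value = m.group(2).replace("\\,", ",").replace("\\.", ".")
        rdns.append((m.group(1).lower(), value))
    return syntax, rdns


def to_syntax(name, target):
    """Render a typeful name in 'ldap' (comma) or 'ndap' (dot) syntax, escaping embedded separators."""
    sep = SEP[target]
    esc = "\\" + sep
    _, rdns = parse_typeful(name)
    return sep.join(f"{TYPE_MAP[target].get(t, t)}={v.replace(sep, esc)}" for t, v in rdns)


def check_admin_name(name):
    """Apply the installer's rules to an admin FDN and return it in LDAP syntax, or raise ValueError."""
    _, rdns = parse_typeful(name)
    if rdns[0][0] != "cn":
        raise ValueError("the admin name must begin with cn=")
    if "." in rdns[0][1]:
        # The installation disallows a backslash and period (\.) in the CN portion.
        raise ValueError("the CN portion of the admin name must not contain an escaped period")
    return to_syntax(name, "ldap")


def lum_unique_id(stored_value):
    """Before LUM-enabling a user whose cn contains a period, the backslash is removed from unique_id."""
    return stored_value.replace("\\.", ".")


if __name__ == "__main__":
    print(to_syntax("ou=example_organization,o=example_company,st=utah,c=us", "ndap"))
    print(check_admin_name("cn=admin.ou=deployment\\.linux.o=mf\\.provo"))
    print(lum_unique_id("juan\\.garcia"))
```

Because the parser removes escape backslashes first and the renderer re-escapes only the target separator, a name round-trips between the two syntaxes without doubling backslashes, and a dot in the CN is caught regardless of which syntax the admin name was typed in.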
Table 3-4 LDAP Configuration for Open Enterprise Services Values
Page and Parameters:
Configured LDAP Servers
Table 3-5 OES Backup/Storage Management Services Parameters and Values
Page and Parameters:
SMS Configuration
For additional configuration instructions, see Installing and Configuring SMS in the Installing and Configuring SMS guide.
For BCC configuration instructions, see Configuring BCC for Peer Clusters and Configuring BCC for Cluster Resources in the BCC Administration Guide for OES 2018 SP2.
Table 3-6 OES CIFS Parameters and Values
Page and Parameters:
OES CIFS Service Configuration
Novell CIFS Service Configuration (2)
For additional configuration instructions, see Installing and Setting Up CIFS in the OES 23.4: OES CIFS for Linux Administration Guide.
Table 3-7 Cloud Integrated Storage Services Parameters and Values
Page and Parameters:
Cloud Integrated Storage Configuration
Cloud Integrated Storage Configuration (2)
Cloud Integrated Storage Configuration (3)
For additional configuration instructions, see Installing and Configuring Cloud Integrated Storage (CIS) in the OES 23.4: CIS Administration Guide.
Table 3-8 OES Cluster Services Parameters and Values
Before you configure a node for an OES Cluster Services cluster, ensure that you have satisfied the prerequisites and have the necessary Administration rights described in
Page and Parameters:
OES Cluster Services (NCS) Configuration
OES Cluster Services (NCS) Proxy User Configuration (2)
Specify the following user as the NCS Proxy user.
OES Cluster Services (NCS) Configuration (3)
For additional instructions, see the OES 23.4: OES Cluster Services for Linux Administration Guide.
Table 3-9 OES DHCP Services Parameters and Values
Page and Parameters:
Novell DHCP Services Configuration
OES DHCP LDAP and Secure Channel Configuration
OES DHCP Services Interface Selection
For additional configuration instructions, see Installing and Configuring DHCP in the OES 23.4: DNS/DHCP Services for Linux Administration Guide.
Table 3-10 OES DNS Services Parameters and Values
Page and Parameters:
OES DNS Configuration
For additional configuration instructions, see Installing and Configuring DNS in the OES 23.4: DNS/DHCP Services for Linux Administration Guide.
There are multiple configuration scenarios, depending on your deployment. For information, see Installing Domain Services for Windows in the OES 23.4: Domain Services for Windows Administration Guide.
IMPORTANT: You specified the eDirectory configuration for this server in either Specifying LDAP Configuration Settings or Specifying eDirectory Configuration Settings, and the settings you specified were extended to your OES service configurations by the OES install.
If you change the eDirectory configuration at this point in the install, your modifications might or might not extend to the other OES services. For example, if you change the server context from o=example to ou=servers.o=example, the other service configurations might or might not reflect the change.
Be sure to carefully check all of the service configuration summaries on the Open Enterprise Server Configuration summary screen. If any of the services don’t show the eDirectory change you made, click the service link and modify the configuration manually. Otherwise, your installation will fail.
Table 3-11 OES eDirectory Parameters and Values
Page and Parameters:
eDirectory Configuration - New or Existing Tree
eDirectory Configuration - New/Existing Tree Information
eDirectory Configuration - Local Server Configuration
eDirectory Configuration - NTP and SLP
NetIQ Modular Authentication Services
IMPORTANT: NMAS client software (included with Client for Open Enterprise Server software) must be installed on each client workstation where you want to use the NMAS login methods.
If you want to install all of the login methods into eDirectory, click Select All. If you want to clear all selections, click Deselect All. For more information on these login methods, see Defaults: Challenge Response and NDS
OES Common Proxy User Information
For additional configuration instructions, see Installing or Upgrading NetIQ eDirectory on Linux in the NetIQ eDirectory Installation Guide.
No additional configuration is required.
Table 3-12 NetIQ iManager Parameters and Values
Page and Parameters:
iManager Configuration
For additional configuration instructions, see Installing iManager Server and Workstation in the NetIQ iManager Installation Guide.
Table 3-13 OES iPrint Parameters and Values
Page and Parameters:
iPrint Configuration
For additional configuration instructions, see Installing and Setting Up OES iPrint on Your Server in the OES 23.4: OES iPrint Administration Guide.
If you have selected the iPrint Advanced pattern, refer to the OES 23.4: iPrint Advanced Administration Guide for more information.
Table 3-14 OES Linux User Management Parameters and Values
Page and Parameters:
Linux User Management Configuration
Linux User Management Configuration (2)
IMPORTANT: Before you change the PAM-enabled service settings, ensure that you understand the security implications explained in
For additional configuration instructions, see Setting Up Linux User Management in the OES 23.4: Linux User Management Administration Guide.
Table 3-15 OES NCP Server Parameters and Values
Page and Parameters:
NCP Server Configuration
For additional configuration instructions, see Installing and Configuring NCP Server for Linux in the OES 23.4: NCP Server for Linux Administration Guide.
No additional configuration is required. For information, see Preparing the Source Server for Migration in the OES 23.4: Migration Tool Administration Guide.
No additional configuration for the installation is required. To change the configuration after the installation, see Changing the HTTPSTKD Configuration in the OES 23.4: OES Remote Manager Administration Guide.
Table 3-16 OES Storage Services Parameters and Values
Page and Parameters:
NSS Unique Admin Object
For additional configuration instructions, see Installing and Configuring OES Storage Services in the OES 23.4: NSS File System Administration Guide for Linux.
Table 3-17 NSS Active Directory Support Parameters and Values
Page and Parameters:
For additional configuration instructions, see Section 7.0, Installing and Configuring NSS Active Directory Support.
Table 3-18 Unified Management Console Parameters and Values
Page and Parameters: