The implementation of a common proxy user in OES addresses the following administrative needs:
Limit the Number of Proxy Users: By default, the number of proxy users in an eDirectory tree can quickly become quite large. And even though proxy users don’t consume user license connections, many administrators are disconcerted by the sheer number of objects to manage and track.
Common proxy users reduce the default number of proxy users from one per service to basically one per OES server.
Accommodate Password Security Policies: Many organizations have security policies that require periodic password changes. Some administrators are overwhelmed by having to manually track all proxy users, change their passwords, and restart the affected services after every change.
Common proxy users have their passwords automatically generated by default and changed at whatever interval is required. Services are restarted as needed with no manual intervention required.
Prevent Password Expiration: When proxy user passwords expire, OES services are interrupted, leading to network user frustration and administrator headaches.
Automatic password management for common proxy users ensures that services are never disrupted because of an expired password.
In OES 2 SP3 and later, the eDirectory communication functionality that was previously performed by the designated NCS administrator has been separated out so that it can be performed by a system user if so desired.
This aligns NCS functionality with other OES services that use proxy (system) users for similar functions. For more information, see OES Common Proxy User in the OES 23.4: OES Cluster Services for Linux Administration Guide.
The following OES services are automatically configured at install time by default to use your Common Proxy User (if specified):
CIFS
Cluster Services
DNS
DHCP
The following OES service can be configured at install time to use your Common Proxy User (if specified):
Linux User Management (having a proxy user is optional)
The following service that uses a proxy user does not leverage the Common Proxy User, for the reason listed:
Service | Reason
---|---
Storage Services | This requires full rights to administer NSS and continues to require a system-named user with a system-generated password.
No.
The common proxy user is designed and configured to be the common proxy for the OES services on a single server. Each subsequent new server needs a separate and distinct common proxy created for its services.
The Common Proxy User Name cannot be changed at install time and should not be manually changed later. Best practices dictate that each proxy user name reflect the name of the server it is associated with.
The context can be changed at install time. However, eDirectory best practices suggest that object locations within the tree reflect the object purpose and scope of influence or function. For this reason, the OES install proposes the same context that you specify for the server, for its associated common proxy as well.
You can change the services running on an upgraded OES server to leverage a Common Proxy user. See Assigning the Common Proxy to Existing Services.
Common proxy users are eDirectory objects and can therefore be managed via iManager. However, after the initial setup is complete, there should generally be no reason for OES administrators to directly manage Common Proxy users.
Use the information in the following sections to understand and implement common proxy user management.
The Common Proxy user management scripts communicate with eDirectory using port 636 only. See the instructions in Installing OES as a New Installation in the OES 23.4: Installation Guide.
You can assign the common proxy user to any of the services listed in Services That Can Leverage the Common Proxy User using the move_to_common_proxy.sh script on your OES server. In fact, if you have upgraded from OES 11 SP2 and the server does not have a common proxy user associated with it, simply running the script will create and configure the proxy user and assign the services you specify.
In the /opt/novell/proxymgmt/bin folder, run the following command:
./move_to_common_proxy.sh service1,service2
where the service entries are OES service names: novell-cifs, novell-dns, novell-dhcp, novell-lum, and/or novell-nc.
Example scenario:
You have upgraded server myserver, which is located in o=novell and uses IP address 10.10.10.1, from OES 2 SP3 to the latest OES release.
The secure LDAP port for the server is 636.
Your eDirectory Admin user FQDN is cn=admin,o=novell.
Your Admin password is 123abc.
You want to create a common proxy user and assign it as the common proxy for the Novell DNS and DHCP services running on the server.
Therefore, you enter the following commands:
cd /opt/novell/proxymgmt/bin
./move_to_common_proxy.sh -d cn=admin,o=novell -w 123abc -i 10.10.10.1 -p 636 -s novell-dhcp,novell-dns
User cn=OESCommonProxy_myserver,o=novell is created with a system-generated password and assigned the Common Proxy Policy password policy. The DNS and DHCP services are configured to be serviced by the Common Proxy user.
You can configure your server so that your proxy users are regularly assigned new system-generated passwords by doing the following:
Open the file /etc/opt/novell/proxymgmt/proxy_users.conf in a text editor.
List the FQDN of each proxy user on the server for which you want automatic password management set up.
For example you might insert the following entries:
IMPORTANT: Users listed here must not be listed in the proxy_users.conf file on any other server in the tree.
Save the file.
Enter the following commands:
cd /opt/novell/proxymgmt/bin
change_proxy_pwd.sh -A Yes
By default, the crontab job will run every 30 days.
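Before enabling the cron job, a consistency check on proxy_users.conf catches the mistakes the IMPORTANT note warns about: a malformed entry, the same user listed twice, or another server's common proxy (which its own server already manages). This is an added example, not part of the OES documentation or the proxymgmt scripts; it assumes one FQDN per line with # comments, and that the name of the server whose file is being checked is passed as the second argument.

```shell
#!/bin/sh
# Added example, not part of the OES documentation or the proxymgmt scripts.
# Checks a proxy_users.conf before change_proxy_pwd.sh -A Yes is run: every
# entry must be a DN, no DN may be listed twice, and a common proxy user
# (cn=OESCommonProxy_<server>) may only be listed on its own server.
# Assumptions: one FQDN per line, '#' starts a comment, SERVER is this server.

# validate_proxy_users_conf FILE SERVER  -> exit status 0 if the file is clean
validate_proxy_users_conf() {
    awk -v server="$2" '
        { sub(/#.*/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }   # drop comments, trim
        $0 == "" { next }                                   # skip blank lines
        $0 !~ /^cn=[^,]+,.+/ {                              # must be a full DN
            printf "line %d: not a user FQDN: %s\n", NR, $0; bad++; next
        }
        seen[$0]++ >= 1 {                                   # same DN twice
            printf "line %d: listed twice: %s\n", NR, $0; bad++; next
        }
        index($0, "cn=OESCommonProxy_") == 1 && $0 !~ ("^cn=OESCommonProxy_" server ",") {
            printf "line %d: common proxy of another server: %s\n", NR, $0; bad++; next
        }
        { entries++ }
        END {
            if (entries == 0) { print "no proxy users listed"; exit 1 }
            if (bad > 0) { printf "%d problem(s) found\n", bad; exit 1 }
            printf "%d proxy user(s) OK\n", entries
        }' "$1"
}

# Demo on constructed sample files (not real eDirectory data).
demo_dir=$(mktemp -d)
cat >"$demo_dir/good.conf" <<'EOF'
# proxy users whose passwords this server manages
cn=OESCommonProxy_myserver,o=novell
cn=ldapproxy,ou=services,o=novell
EOF
cat >"$demo_dir/bad.conf" <<'EOF'
cn=OESCommonProxy_myserver,o=novell
cn=OESCommonProxy_otherserver,o=novell
cn=ldapproxy,ou=services,o=novell
cn=ldapproxy,ou=services,o=novell
notadn
EOF
validate_proxy_users_conf "$demo_dir/good.conf" myserver
validate_proxy_users_conf "$demo_dir/bad.conf" myserver || echo "bad.conf rejected as expected"
```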