3.13 Configuring Open Enterprise Server

You can configure OES in two methods: Typical Configuration and Custom Configuration. The Typical Configuration is also called as Express Install. It helps to install OES with minimal user intervention and the Custom Configuration is the detailed usual method to configure OES.

3.13.1 Typical Configuration

In the OES Configuration screen, if you have chosen to configure OES using Typical Configuration, you only need to provide the following minimum configuration details:

  • SLP Server and SLP Scopes: In these fields, specify the host name or the IP address of the server where the SLP agent is running and the SLP scopes. If you don't enter any SLP details, multicast SLP mode is chosen by default.

    NOTE:If you would like to use the current server as the DA server, click Back and choose the custom configuration instead of typical configuration.

  • NTP Time Server: Specify the IP address or the host name of the Network Time Protocol (NTP) server.

  • New or Existing Tree: If you would like to configure OES using an existing eDirectory tree, choose Existing Tree else New Tree.

  • eDirectory Tree Name: Provide the eDirectory tree name.

  • IP Address of an existing eDirectory Server with a replica: If you have chosen to configure OES using an existing tree, this field is enabled to provide the IP address of an existing eDirectory server.

    IMPORTANT:Ensure that you verify the status of the eDirectory tree using the Validate button. If the validation is unsuccessful, do not proceed further with the OES configuration until the eDirectory server is up and running.

  • FDN of the tree administrator: Specify the fully distinguished name of the administrative user.

  • Admin Password and Verify Admin Password: In these two fields, specify the eDirectory administrative passwords.

  • Enter Server Context: Specify the location of the server context in the eDirectory tree.

  • Directory Information Base (DIB) Location: Specify the location of the eDirectory DIB.

  • After providing all these details, click Next. OES will be installed and configured without any user intervention.

3.13.2 Custom Configuration

This is the normal method of installing and configuring OES by providing every configuration detail that OES requires instead of using the default configuration details. Custom configuration is explained in detailed in Section 3.13.3, Specifying eDirectory Configuration Settings, Section 3.13.4, Specifying LDAP Configuration Settings, Section 3.13.5, Configuring OES Services, and Section 3.13.6, Configuration Guidelines for OES Services.

3.13.3 Specifying eDirectory Configuration Settings

When you specify the eDirectory configuration settings, you can specify information to create a new tree and install the server in that new tree, or you can install the server into an existing tree by specifying the information for it. Use the following instructions as applicable:

Specifying SLP Configuration Options

  1. On the eDirectory Configuration - SLP page, specify the SLP options as desired.

    You have the following options for configuring SLP:

    • Use Multicast to Access SLP: This option allows the server to request SLP information by using multicast packets. Use this in environments that have not established SLP DAs (Directory Agents).

      IMPORTANT:If you select this option, you must disable the firewall for SLP to work correctly. Multicast creates a significant amount of network traffic and can reduce network throughput.

    • Configure SLP to use an existing Directory Agent: This option configures SLP to use an existing Directory Agent (DA) in your network. Use this in environments that have established SLP DAs. When you select this option, you configure the servers to use by adding or removing them from the SLP Directory Agent list.

    • Configure as Directory Agent: This option configures this server as a Directory Agent (DA). This is useful if you plan to have more than three servers in the tree and want to set up SLP during the installation.

      • Synchronize Service Registrations with other Directory Agents: This option causes SLP, when it starts, to query the Directory Agents listed under Configured SLP Directory Agents for their current lists of registered services. It also causes the DA to share service registrations that it receives with the other DAs in the SLP Directory Agent list.

      • Backup SLP Registrations: This option causes SLP to back up the list of services that are registered with this Directory Agent on the local disk.

      • Backup Interval in Seconds: This specifies how often the list of registered services is backed up.

    • Service Location Protocols and Scopes: This option configures the scopes that a user agent (UA) or service agent (SA) is allowed when making requests or when registering services, or specifies the scopes a directory agent (DA) must support. The default value is DEFAULT. Use commas to separate each scope. For example, net.slp.useScopes = myScope1,myScope2,myScope3.

    • Configured SLP Directory Agents: This option lets you manage the list of hostname or IP addresses of one or more external servers on which an SLP Directory Agent is running.

  2. Click Next and confirm your selection if necessary.

Specifying Synchronizing Server Time Options

eDirectory requires that all OES servers are time-synchronized.

  1. On the eDirectory Configuration - NTP page, click Add.

  2. In the Time Servers text box, specify the IP address or DNS hostname of an NTP server, then click Add.

    For the first server in a tree, we recommend specifying a reliable external time source.

    When you install multiple servers into the same eDirectory tree, ensure that all servers point to the same time source and not to the server holding the master replica.

    For servers joining a tree, specify the same external NTP time source that the tree is using, or specify the IP address of a configured time source in the tree. A time source in the tree should be running time services for 15 minutes or more before connecting to it; otherwise, the time synchronization request for the installation fails.

  3. If you want to use the server’s hardware clock, select Use Local Clock.

    For servers joining a tree, the installation does not let you proceed if you select this option. You must specify the same external NTP time source that the tree is using, or specify the IP address of a configured time source in the tree that has been running time services for 15 minutes or more.

For more information on time synchronization, see Implementing Time Synchronization in the Planning and Implementation Guide.

Creating a New eDirectory Tree and Installing the Server in It

  1. On the eDirectory Configuration - New or Existing Tree page, select New Tree.

  2. In the eDirectory Tree Name field, specify a name for the eDirectory tree that you want to create.

    On OES servers, services that provide HTTPS connectivity are configured to use one of the following certificates:

    • An eDirectory certificate issued by the Novell International Cryptographic Infrastructure (NICI)

    • A third-party server certificate

    By default, the Use eDirectory Certificates for HTTPS Services check box is selected. This means that the server certificate and key files will be created.

    The eDirectory server certificate and key files are:

    • Key file: /etc/ssl/servercerts/serverkey.pem

    • Certificate file: /etc/ssl/servercerts/servercert.pem

    For more information, see Certificate Management in the Planning and Implementation Guide.

  3. On the eDirectory Configuration - New Tree Information page, specify the required information:

    • The fully distinguished name and context for the user Admin

    • The password for user Admin

  4. Click Next.

  5. On the eDirectory Configuration - Local Server Configuration page, specify the following information:

    • The context for the server object in the eDirectory tree

    • A location for the eDirectory database

      The default path is /var/opt/novell/eDirectory/data/dib, but you can use this option to change the location if you expect to have a large number of objects in your tree and if the current file system does not have sufficient space.

    • The ports to use for servicing LDAP requests

      The default ports are 389 (non-secure) and 636 (secure).

      IMPORTANT:The scripts that manage the common proxy user require port 636 for secure LDAP communications.

    • The ports to use for providing access to the iMonitor application

      The default ports are 8028 (non-secure) and 8030 (secure).

      NOTE:If there are non-default ports that are not added to the firewall, you can open the ports using the yast2 firewall after the installation is complete.

  6. Click Next.

Installing the Server into an Existing eDirectory Tree

  1. On the eDirectory Configuration - New or Existing Tree page, select Existing Tree.

  2. In the eDirectory Tree Name field, specify a name for the eDirectory tree you want to join.

    On OES servers, services that provide HTTPS connectivity are configured to use either of the following:

    • An eDirectory certificate issued by the Novell International Cryptographic Infrastructure (NICI)

    By default, the Use eDirectory Certificates for HTTPS Services check box is selected. This means that the existing YaST server certificate and key files will be replaced with eDirectory server certificate and key files.

    The eDirectory server certificate and key files are:

    • Key file: /etc/ssl/servercerts/serverkey.pem

    • Certificate file: /etc/ssl/servercerts/servercert.pem

    For more information on certificate management, see Certificate Management in the Planning and Implementation Guide.

    • By default, Enable NMAS-based login for LDAP authentication is selected to enforce the use of a single-secure password for all partner products. The Secure Password Manager of the NMAS module manages this universal password implementation.

  3. On the eDirectory Configuration - Existing Tree Information page, specify the required information:

    • The IP address or the host name of an existing eDirectory server with a replica.

      IMPORTANT:Ensure that you verify the status of the eDirectory tree using the Validate button. If the validation is unsuccessful, do not proceed further with the OES configuration until the eDirectory server is up and running.

    • The NCP port on the existing server

    • The LDAP and secure LDAP port on the existing server

    • The fully distinguished name and context for the user Admin on the existing server

    • The password for user Admin on the existing server

  4. Click Next.

  5. On the eDirectory Configuration - Local Server Configuration page, specify the following information:

    • The context for the server object in the eDirectory tree

    • A location for the eDirectory database

      The default path is /var/opt/novell/eDirectory/data/dib, but you can use this option to change the location if you expect to have a large number of objects in your tree and if the current file system does not have sufficient space.

    • The ports to use for servicing LDAP requests

      The default ports are 389 (non-secure) and 636 (secure).

      IMPORTANT:The scripts that manage the common proxy user require port 636 for secure LDAP communications.

    • The ports to use for providing access to the iMonitor application

      The default ports are 8028 (non-secure) and 8030 (secure).

      NOTE:If there are non-default ports that are not added to the firewall, you can open the ports using the yast2 firewall after the installation is complete.

  6. Click Next.

Selecting the NetIQ Modular Authentication Services (NMAS) Login Method

  1. On the NetIQ Modular Authentication Services page, select all of the login methods you want to install.

    IMPORTANT:The NMAS client software must be installed on each client workstation where you want to use the NMAS login methods. The NMAS client software is included with the Client for Open Enterprise Server software.

    The following methods are available:

    • CertMutual: The Certificate Mutual login method implements the Simple Authentication and Security Layer (SASL) EXTERNAL mechanism, which uses SSL certificates to provide client authentication to eDirectory through LDAP.

    • Challenge Response: The Challenge Response login method works with the Identity Manager password self-service process. This method allows either an administrator or a user to define a password challenge question and a response, which are saved in the password policy. Then, when users forget their passwords, they can reset their own passwords by providing the correct response to the challenge question.

    • DIGEST-MD5: The Digest-MD5 login method implements the Simple Authentication and Security Layer (SASL) DIGEST-MD5 mechanism as a means of authenticating the user to eDirectory through LDAP.

    • NDS: The NDS login method provides secure password challenge-response user authentication to eDirectory. This method is installed by default and supports the traditional NDS password when the NMAS client is in use. Reinstallation is necessary only if the NDS login method object has been removed from the directory.

    • Simple Password: The Simple Password NMAS login method provides password authentication to eDirectory. The Simple Password is a more flexible but less secure alternative to the NDS password. Simple Passwords are stored in a secret store on the user object.

    • SASL GSSAPI: The SASL GSSAPI login method implements the Generic Security Services Application Program Interface (GSSAPI) authentication. It uses the Simple Authentication and Security Layer (SASL), which enables users to authenticate to eDirectory through LDAP by using a Kerberos ticket.

    For more information about installing and configuring eDirectory, see “Installing or Upgrading NetIQ eDirectory on Linux in the NetIQ eDirectory Installation Guide.

    For more information on these login methods, see the online help and Managing Login and Post-Login Methods and Sequences in the Novell Modular Authentication Services 3.3.4 Administration Guide.

  2. Click Next.

Specifying OES Common Proxy User Information

For an OES service to run successfully, you need to use a separate proxy account to configure and manage each service. However, using multiple proxy user accounts means more overhead for the administrator. To avoid this overhead, the common proxy user has been introduced. Each node in a tree can have a common proxy user for all of its services. This enables administrators to configure and manage multiple services with just one proxy user.

NOTE:Two nodes in a tree cannot have the same common proxy user.

For information about this option, see Common Proxy User in the Planning and Implementation Guide.

  1. On the OES Common Proxy User Information page, specify the configuration settings for this user.

    • Use Common Proxy User as Default for OES Products: This option is disabled for the user and configures the common proxy user for the following services: CIFS, DNS, DHCP, and NCS. Optionally, you can specify that LUM uses it.

    • OES Common Proxy User Name: For a host, the common proxy user's name is OESCommonProxy_hostname. You cannot specify any other name than what is given by the system. This restriction prevents possible use of the same common proxy user name across two or more nodes in a tree. For more information, see Can I Change the Common Proxy User Name and Context? in the Planning and Implementation Guide.

    • OES Common Proxy User Context: Provide the FDN name of the container where the common proxy needs to be created. By default, this field is populated with the NCP server context. For example, ou=acap,o=mf. Where ou is the organization unit, acap is the organization unit name, o is the organization, and mf is the new organization name. For an existing tree, click Browse and select the container where the Common Proxy User must be created.

    • OES Common Proxy User Password: You can accept the default system-generated password or specify a new password for the common proxy user.

      NOTE:If you choose to provide your own password, it should conform to the policy that is in effect for the common proxy user. If the password contains single (') or double (") quotes, OES Configuration will fail. These characters have to be escaped by prefixing \. For example, to add a single quote, escape it as nove\'ll. The system-generated password will always be in conformance with the policy rules.

    • Verify OES Common Proxy User Password: If you specified a different password, type the same password in this field. Otherwise, the system-generated password is automatically included.

    • Assign Common Proxy Password Policy to Proxy User: The initial common proxy password policy is a simple password policy created with default rules. If desired, you can modify this policy after the installation to enforce stricter rules regarding password length, characters supported, expiration intervals, and so forth.

    IMPORTANT:We recommended against deselecting the Assign Common Proxy Password Policy to Proxy Useroption. If deselected, the common proxy user inherits the password policies of the container, which could lead to service failures.

  2. Click Next.

3.13.4 Specifying LDAP Configuration Settings

Many of the OES services require eDirectory. If eDirectory was not selected as a product to install on this server but other OES services that do require LDAP services were installed, the LDAP Configuration service displays, so that you can complete the required information.

To specify the required information on the Configured LDAP Server page:

  1. In the eDirectory Tree Name field, specify the name for the existing eDirectory tree that you are installing this server into.

  2. In the Admin Name and Context field, specify the name and context for user Admin in the existing tree.

  3. In the Admin Password field, specify a password for the Admin user in the existing tree.

  4. Add the LDAP servers that you want the services on this server to use. The servers that you add should hold the master or a read/write replica of eDirectory. Do the following for each server you want to add:

    1. Click Add.

    2. On the next page, specify the following information for the server to add, then click Add.

      • IP address

      • LDAP port and secure LDAP port

  5. When all of the LDAP servers that you want to specify are listed, click Next.

  6. Verify that the Open Enterprise Server Configuration page displays the settings that you expected, then click Next.

3.13.5 Configuring OES Services

After you complete the LDAP configuration or the eDirectory configuration, the Open Enterprise Server Configuration summary page is displayed, showing all of the OES components that you installed and their configuration settings.

  1. Review the setting for each component. Click the component heading to change any settings.

    For help with specifying the configuration information for OES services, see the information in Configuration Guidelines for OES Services.

  2. When you are finished reviewing the settings for each component, click Next.

  3. When you confirm the OES component configurations, you might receive the following error:

    The proposal contains an error that must be resolved before continuing.

    If this error is displayed, check the summary list of configured products for any messages immediately below each product heading. These messages indicate products or services that need to be configured. If you are running the YaST graphical interface, the messages are red text. If you are using the YaST text-based interface, they are not red.

    For example, if you selected Linux User Management in connection with other OES products or services, you might see a message similar to the following:

    Linux User Management needs to be configured before you can continue or disable the configuration.

    If you see a message like this, do the following:

    1. On the summary page, click the heading for the component.

    2. Supply the missing information in each configuration page.

      When you specify the configuration information for OES services, see the information in Configuration Guidelines for OES Services, or if you are reading online, click a link below:

      When you have finished the configuration of a component, you are returned to the Open Enterprise Server Configuration summary page.

    3. If you want to skip the configuration of a specific component and configure it later, click Enabled in the Configure is enabled status to change the status to Reconfigure is disabled.

      If you change the status to Reconfigure is disabled, you need to configure the OES components after the installation is complete. See Installing or Configuring OES Services on an Existing OES Server.

  4. After resolving all product configuration issues, click Next to proceed with the configuration of all components.

  5. When the configuration is complete, continue with Section 3.15, Finishing the Installation.

3.13.6 Configuration Guidelines for OES Services

Service Configuration Caveats

Keep the following items in mind as you configure OES:

Table 3-3 Caveats for Configuring OES Services

Issue

Guideline

Software Selections When Using Text-Based YaST

Some older machines, such as a Dell 1300, use the text mode install by default when the video card does not meet SLES specifications. When you go to the Software Selection, and then to the details of the OES software selections, YaST doesn’t bring up the OES selections like it does when you use the graphical YaST (YaST2).

To view the Software Selection and System Task screen, select Filter > Pattern (or press Alt+F > Alt+I).

Specifying a State identifier for a Locality Class object

If you to specify a state identifier, such as California, Utah, or Karnataka, as a Locality Class object in your eDirectory tree hierarchy, ensure to use the correct abbreviation in your LDAP (comma-delimited) or NDAP (period-delimited) syntax.

When using LDAP syntax, use st to specify a state. For example:

ou=example_organization,o=example_company,st=utah,c=us

When using NDAP syntax, use s to specify a state. For example:

ou=example_organization.o=example_company.s=utah.c=us

Specifying Typeful Admin Names

When you install OES, you must specify a fully distinguished admin name by using the typeful, LDAP syntax that includes object type abbreviations (cn=, ou=, o=, etc.). For example, you might specify the following:

cn=admin,ou=example_organization,o=example_company

Using Dot-Delimited or Comma-Delimited Input for All Products

For all parameters requiring full contexts, you can separate the names by using comma-delimited syntax. Ensure that you are consistent in your usage within the field.

The OES installation routine displays all input in the comma-delimited (LDAP) format. However, it converts the name separators to dots when this is required by individual product components.

IMPORTANT:After the OES components are installed, be sure to follow the conventions specified in the documentation for each product. Some contexts must be specified using periods (.) and others using commas (,). However, eDirectory supports names like cn=juan\.garcia.ou=users.o=novell. The period (.) inside a name component must be escaped.

When using NDAP format (dot), you must escape all embedded dots. For example: cn=admin.o=mf\.provo

When using LDAP format (commas), you must escape all embedded commas. For example: cn=admin,o=mf\,provo

The installation disallows a backslash and period (\.) in the CN portion of the admin name.

For example, these names are supported:

cn=admin.o=mf
cn=admin.o=mf\.provo
cn=admin.ou=deployment\.linux.o=mf\.provo

These names are not supported:

cn=admin\.first.o=mf
cn=admin\.root.o=mf

Before LUM-enabling users whose cn contains a period (.), you must remove the backslash (\) from the unique_id field of the User object container.

For example, cn=juan.garcia has a unique_id attribute = juan\.garcia. Before such a user can be LUM-enabled, the backslash (\) must be removed from the unique_id attribute.

LDAP Configuration for Open Enterprise Services

Table 3-4 LDAP Configuration for Open Enterprise Services Values

Page and Parameters

Configured LDAP Servers

 

  • eDirectory Tree Name: The eDirectory tree name that you specified when configuring eDirectory. The tree that you are installing this server into.

 

  • Admin Name and Context: The eDirectory Admin name you specified when configuring eDirectory.

 

  • Admin Password: The password of the eDirectory Admin user.

 

  • Configured LDAP Servers: You can specify a list of servers that can be used to configure other OES services on this server.

    Each added server must have either the master or a read/write replica of the eDirectory tree. The first server added to the list becomes the default server for the installed and configured OES services to use.

    For each server you must specify an IP Address, LDAP Port, Secure LDAP Port, and Server Type.

    For information about specifying multiple LDAP servers for Linux User Management (LUM), see Configuring a Failover Mechanism in the Linux User Management Administration Guide.

    Default: The eDirectory server you specified when configuring eDirectory.

OES Backup/Storage Management Services (SMS)

Table 3-5 OES Backup/Storage Management Services Parameters and Values

Page and Parameters

SMS Configuration

 

  • Directory Server Address: If you do not want to use the default shown, select a different LDAP server in the list.

    If you are installing into an existing tree, ensure that the server you select has a master replica or read/write replica of eDirectory. If you need to add another LDAP server to the list, add it by using the LDAP Configuration for Open Enterprise Services dialog box.

    Default: The first server selected in the LDAP Configuration list of servers.

For additional configuration instructions, see Installing and Configuring SMS in the Installing and Configuring SMS guide.

OES Business Continuity Cluster (BCC)

For BCC configuration instructions, see Configuring BCC for Peer Clusters, Configuring BCC for Cluster Resources in the BCC Administration Guide for OES 2018 SP2.

OES CIFS Services

Table 3-6 OES CIFS Parameters and Values

Page and Parameters

OES CIFS Service Configuration

 

  • eDirectory server address or host name: Leave the default or select from the drop-down list to change to a different server.

 

  • LDAP port for CIFS Server: Displays the port value.

 

  • Local NCP Server context: Displays the NCP Server context.

 

  • CIFS Proxy User

    • Proxy User for CIFS Management: Proxy user is used for CIFS. This is disabled for the user and a common proxy user is assigned by the system.

      NOTE:This user is granted rights to read the passwords of any users, including non-CIFS users, that are governed by any of the password policies you select in the Novell CIFS Service Configuration page.

    • For more information on proxy user, see Planning Your Proxy Users in the Planning and Implementation Guide.

 

  • Credential Storage Location: Accept OCS or specify the Local File option.

    The CIFS proxy user password is encrypted and encoded in the credential storage location.

    Default: OCS

Novell CIFS Service Configuration (2)

 

  • eDirectory Contexts: Provide a list of contexts that are searched when the CIFS User enters a user name. The server searches each context in the list until it finds the correct user object.

For additional configuration instructions, see Installing and Setting Up CIFS in the OES CIFS for Linux Administration Guide.

Cloud Integrated Storage (CIS)

Table 3-7 Cloud Integrated Storage Services Parameters and Values

Page and Parameters

Cloud Integrated Storage Configuration

 

  • ZooKeeper URI: Specify ZooKeeper URI in the format IP:port or Hostname:Port.

    Default: Port 2181

Cloud Integrated Storage Configuration (2)

 

  • Directory Server URI: Specify LDAP URI of an eDirectory server that communicates with the CIS server in the format IP:port or Hostname:Port.

    Default: Port 636

  • CIS admin name with context: Specify the LDAP distinguished name (DN) of the user who can administer the CIS server.

  • Admin Password: Specify the password for the CIS administrator.

  • Server Certificate file path: Specify the server certificate file path issued by the eDirectory CA.

    Default: /etc/ssl/servercerts/servercert.pem

  • Server Key file path: Specify the server key file path associated with the server certificate.

    Default: /etc/ssl/servercerts/serverkey.pem

  • CA Certificate file path: Specify the eDirectory CA file path in the format .pem..

    Default: /etc/opt/novell/certs/SSCert.pem

  • Server Context: Specify the LDAP distinguished name (DN) of the container object under which the NCP server objects of the OES server reside that can connect to the CIS server.

  • Gateway Server Address: Specify the local host IP address where CIS server is configured.

  • Cluster Enable: Allows the CIS server to be part of a cluster resource.

    Default: disabled

Cloud Integrated Storage Configuration (3)

 

  • Database URI: Specify the MariaDB URI in the format IP:port or Hostname:Port.

    Default: Port 3306

  • Database User Name and Database Password: Specify the MariaDB user name and password.

  • Elasticsearch URI: Specify the Elasticsearch URI in the format IP:port or Hostname:Port.

    Default: Port 9400

  • Use Secure Mode: Enables or disables secure communication.

    Default: enabled

  • Server Key file path: Specify the server key file path associated with the server certificate.

    Default: /etc/ssl/servercerts/serverkey.pem

  • Kafka URI: Specify the Kafka URI in the format.IP:port or Hostname:Port.

    Default: Port 9092

For additional configuration instructions, see Installing and Configuring Cloud Integrated Storage (CIS) in the Cloud Integrated Storage Administration Guide.

OES Cluster Services

Table 3-8 OES Cluster Services Parameters and Values

Page and Parameters

Before you configure a node for a OES Cluster Services cluster, ensure that you have satisfied the prerequisites and have the necessary Administration rights described in Planning for OES Cluster Services in the OES Cluster Services for Linux Administration Guide.

OES Cluster Services (NCS) Configuration

 

  • New or Existing Cluster: Specify whether the server is part of a new cluster or is joining an existing cluster.

    Default: Existing Cluster

 

 

  • Cluster FDN: Browse to select an existing eDirectory context where the Cluster objects will be created. The fully distinguished name (FDN) of the cluster is automatically added to the field with a suggested cluster name. You can specify a different cluster name.

    You can also specify the typeful FDN for the cluster. Use the comma format illustrated in the example. Do not use dots.You must specify an existing context. Specifying a new context does not create a new context.

    Cluster names must be unique. You cannot create two clusters with the same name in the same eDirectory tree. Cluster names are case-sensitive on Linux.

 

  • Cluster IP Address: If you are creating a new cluster, specify a unique IP address for the cluster.

    The cluster IP address is separate from the server IP address and is required to be on the same IP subnet as the other servers in the cluster.

 

  • Select the Storage Device With Shared Media: If you are creating a new cluster, select the device where the Split Brain Detector (SBD) partition will be created.

    An SBD is required if you plan to use shared disks in the cluster. The drop-down menu shows only devices that have been initialized and shared. If a device is not available, accept the default (none). You must create the SBD manually before adding a second server to the cluster.

    Default: none

 

  • Select the Device where the Mirror Partition will be Created (Optional)": If you want to mirror the SBD partition for greater fault tolerance, select the device where you want the mirror to be. You can also mirror SBD partitions after installing OES Cluster Services.

    Default: none

 

  • Desired Partition Size of Shared Media (MB): Specify the size in MB (megabytes) of the SBD partition, or select Use Maximum Size to use the entire shared device. We recommend at least 20 MB for the SBD partition. If you specified a device to mirror the partition, the setting is also applied to the mirror.

    Default: 8

OES Cluster Services (NCS) Proxy User Configuration (2)

 

Specify the following user as the NCS Proxy user.

  • Proxy User for NCS Management: This is disabled for the user, and the system will choose a common proxy for the NCS service.

OES Cluster Services (NCS) Configuration (3)

 

  • Name of This Node: This is the hostname of the server.

 

  • IP Address of this Node: This field contains the IP address of this node. If this server has multiple IP addresses, you can change the default address to another value if desired.

 

  • Start Cluster Services Now: Select this box if you want clustering to start now. If you want clustering to start after rebooting, or if you want to manually start it later, deselect this box.

    This option applies only to installing Novell Cluster Services after the OES installation because it starts automatically when the server initializes during the installation.

    If you choose to not start Novell Cluster Services software, you need to either manually start it after the installation, or reboot the cluster server to automatically start it.You can manually start Novell Cluster Services by entering systemctl start novell-ncs.service at the server console of the cluster server.

    Default: Selected

For additional instructions, see the OES Cluster Services for Linux Administration Guide.

OES DHCP Services

Table 3-9 OES DHCP Services Parameters and Values

Page and Parameters

Novell DHCP Services Configuration

 

  • DHCP Server Context: Specify a context for the DHCP Server object.

    Default: o=example

 

  • DHCP Server Object Name: Specify the name of the Server object that these DHCP services will be running on.

    This is the DHCP server object that contains a list of DHCP Services (configuration) served by the DHCP Server.

    Default: DHCP_example_server

 

  • Common DHCP Configuration Object Contexts

    • Locator Object: Specify the context for the DHCP Locator object.

      The DHCP Locator object has references to dhcpServer and dhcpService objects.

    • Group Context: Specify the context for the DHCP Group object.

      This object is used to grant the necessary rights to the eDirectory user used by the DHCP server to access the DHCP objects.

    Default: o=example

 

  • Log File Location: Specify the path and file name for the DHCP server to dump the configurations it reads from eDirectory. Specify the path manually or click Browse to locate the log.

    Default: Usually /var/log/dhcp-ldap-startup.log

 

  • LDAP Method

    • Static: Select this option if you do not want the DHCP server to query the LDAP server for host details.

    • Dynamic: Select this option if you want the DHCP server to query for host details from the LDAP server for every request.

      Selecting the dynamic LDAP method ensures that the responses you receive to queries are accurate, but the server takes a longer time to respond.

    Default: Static

 

  • Referrals

    A referral is a message that the LDAP server sends to the LDAP client informing it that the server cannot provide complete results and that more data might be on another LDAP server.

    • Chase Referral: Select this option if you want the DHCP server to follow referrals.

    • Do Not Chase Referral: Select this option to ignore LDAP referrals.

      Default: Chase referral

OES DHCP LDAP and Secure Channel Configuration

 

  • eDirectory Server Address or Host Name: The IP address shown is the default LDAP server for this service. If you do not want to use the default, select a different LDAP server in the list.

    If you are installing into an existing tree, ensure that the server you select has a master replica or read/write replica of eDirectory. If you need to add another LDAP server to the list, add it by using the LDAP Configuration for Open Enterprise Services dialog box.

    Default: The first server is selected in the LDAP Configuration list of servers.

 

  • Use Secure Channel for Configuration: This option is selected by default. When you are configuring DHCP services, it ensures that all configuration is transferred over a secure channel.

    Deselecting the option lets a user with fewer privileges configure LDAP services and allows configuration information to be transferred over a non-secure channel.

    Default: Selected

 

  • Proxy User for DHCP Management: Common proxy user is assigned by the system and can access the DHCP server.

 

  • LDAP Port for DHCP Server: Select a port for the LDAP operations to use.

    IMPORTANT:The scripts that manage the common proxy user require port 636 for secure LDAP communications.

    Default: 636

 

  • Use Secure channel for DHCP Server: Selecting this option ensures that the data transferred between the DHCP server and the LDAP server is secure and private.

    If you deselect this option, the data transferred is in clear text format.

    Default: Selected

 

  • Certificates (optional)

    • Request Certificate: Specifies what checks to perform on a server certificate in a SSL/TLS session. Select one of the following options:

      • Never: The server does not ask the client for a certificate. This is the default

      • Allow: The server requests a client certificate, but if a certificate is not provided or a wrong certificate is provided, the session still proceeds normally.

      • Try: The server requests the certificate. If none is provided, the session proceeds normally. If a certificate is provided and it cannot be verified, the session is immediately terminated

      • Hard: The server requests a certificate. A valid certificate must be provided, or the session is immediately terminated.

    • Paths to Certificate Files: Specify or browse the path for the certificate files.

      • The LDAP CA file contains CA certificates.

      • The LDAP client certificate contains the client certificate.

      • The LDAP client key file contains the key file for the client certificate.

OES DHCP Services Interface Selection

 

  • Network Boards for the OES DHCP Server: From the available interfaces, select the network interfaces that the Novell DHCP server should listen to.

For additional configuration instructions, see Installing and Configuring DHCP in the DNS/DHCP Services for Linux Administration Guide.

OES DNS Services

Table 3-10 OES DNS Services Parameters and Values

Page and Parameters

OES DNS Configuration

 

  • Directory server address: If you have specified multiple LDAP servers by using the LDAP Configuration for Open Enterprise Services dialog box, you can select a different LDAP server than the first one in the list.

    If you are installing into an existing tree, ensure that the selected server has a master or read/write replica of eDirectory.

    Default: The first LDAP server in the LDAP Server Configuration dialog box.

  • Local NCP Server Context: Specify a context for the local NCP Server object.

    Default: The eDirectory context specified for this OES server.

  • Use Secure LDAP Port: Selecting this option ensures that the data transferred by this service is secure and private.

    If you deselect this option, the transferred data is in clear text format.

    Default: Selected

  • Proxy User for DNS Management: By default, the common proxy user is assigned by the system and cannot be changed.

    An existing user must have eDirectory read, write, and browse rights under the specified context. If the user doesn’t exist, it is created in the context specified.

  • Credential Storage Location: Specify where the DNS proxy user’s credentials are to be stored.

    Default: For security reasons, the default and recommended method of credential storage is OCS.

 

  • Common DNS Configuration Object and User Contexts:

    • Get Context and Proxy User Information from Existing DNS Server: Select this option if you are configuring DNS in an existing tree where DNS is already configured, and you want to use the existing Locator, Root Server Info, Group and Proxy User contexts.

    • Existing OES DNS Server Address: If you have enabled the previous option, you can type the IP address of an NCP server (must be up and running) that is hosting the existing DNS server.

      To automatically retrieve the contexts of the objects that follow, click Retrieve.

      If you do not want to use the retrieved contexts, you can change them manually.

    • OES DNS Services Locator Object Context: Specify the context for the DNS Locator object.

      The Locator object contains global defaults, DHCP options, and a list of all DNS and DHCP servers, subnets, and zones in the tree.

      Default: The context you specified for the OES server you are installing.

    • OES DNS Services Root Server Info Context: Specify the context for the DNS Services root server.

      The RootSrvrInfo Zone is an eDirectory container object that contains resource records for the DNS root servers.

      Default: The context you specified for the OES server you are installing.

    • OES DNS Services Group Object Context: Specify the context for the DNS Group object.

      This object is used to grant DNS servers the necessary rights to other data within the eDirectory tree.

      Default: The context you specified for the OES server you are installing.

 

  • Create DNS Server Object: Select this check box if you want to create the DNS server object in the eDirectory tree associated with the NCP server.

  • Host Name: Type the unique host name for the DNS server object.

  • Domain Name for the DNS Server: Type the domain name for the server object.

For additional configuration instructions, see Installing and Configuring DNS in the DNS/DHCP Services for Linux Administration Guide.

OES Domain Services for Windows

There are multiple configuration scenarios, depending on your deployment. For information, see Installing Domain Services for Windows in the Domain Services for Windows Administration Guide.

OES eDirectory Services

IMPORTANT:You specified the eDirectory configuration for this server in either Specifying LDAP Configuration Settings or Specifying eDirectory Configuration Settings, and the settings you specified were extended to your OES service configurations by the OES install.

If you change the eDirectory configuration at this point in the install, your modifications might or might not extend to the other OES services. For example, if you change the server context from o=example to ou=servers.o=example, the other service configurations might or might not reflect the change.

Be sure to carefully check all of the service configuration summaries on the Open Enterprise Server Configuration summary screen. If any of the services don’t show the eDirectory change you made, click the service link and modify the configuration manually. Otherwise, your installation will fail.

Table 3-11 OES eDirectory Parameters and Values

Page and Parameters

eDirectory Configuration - New or Existing Tree

 

  • New or Existing Tree

    • New Tree: Creates a new tree.

      Use this option if this is the first server to go into the tree or if this server requires a separate tree. Keep in mind that this server will have the master replica for the new tree, and that users must log in to this new tree to access its resources.

    Default: New Tree

 

  • eDirectory Tree Name: Specify a unique name for the eDirectory tree you want to create or the name of the tree you want to install this server into.

    • Use eDirectory Certificates for HTTPS Services: Selecting this option causes eDirectory to automatically back up the currently installed certificate and key files and replace them with files created by the eDirectory Organizational CA (or Tree CA).

      Most OES services that provide HTTPS connectivity are configured by default to use the self-signed common server certificate created by YaST. Self-signed certificates provide minimal security and limited trust, so you should consider using eDirectory certificates instead.

      For all server installations, this option is enabled by default and is recommended for the increased security it provides.

      To prevent third-party CA certificates from being accidentally backed up and overwritten, deselect this option.

      For more information on certificate management and this option, see Security in the Planning and Implementation Guide.

    • Require TLS for Simple Binds with Password: Select this option to make connections encrypted in the Session layer.

    • Install SecretStore: Select this option to install Novell SecretStore (SS), an eDirectory-based security product.

eDirectory Configuration - New/Existing Tree Information

 

  • IP Address / Host Name of an Existing eDirectory Server with a Replica: Specify the IP address of a server with an eDirectory replica.

    This option appears only if you are joining an existing tree.

 

  • NCP Port on the Existing Server: Specify the NCP port used by the eDirectory server you specified.

    This option appears only if you are joining an existing tree.

    Default: 524

 

  • LDAP and Secure LDAP Ports on the Existing Server: Specify the LDAP ports used by the eDirectory server you specified.

    This option appears only if you are joining an existing tree.

    IMPORTANT:The scripts that manage the common proxy user require port 636 for secure LDAP communications.

    Default: 389 (LDAP), 636 (Secure LDAP)

 

  • FDN Admin Name with Context: Specify the name of the administrative user for the new tree.

    This is the fully distinguished name of a User object that will be created with full administrative rights in the new directory.

    Default: The eDirectory Admin name and context that you specified when initially configuring eDirectory.

 

  • Admin Password: Specify the eDirectory administrator's password.

    This is the password of the user specified in the prior field.

 

  • Verify Admin Password: Retype the password to verify it.

    This option only appears if you are creating a new tree.

eDirectory Configuration - Local Server Configuration

 

  • Enter Server Context: Specify the location of the new server object in the eDirectory tree.

 

  • Directory Information Base (DIB) Location: Specify a location for the eDirectory database.

    Default: The default path is /var/opt/novell/eDirectory/data/dib, but you can use this option to change the location if you expect the number of objects in your tree to be large and the current file system does not have sufficient space.

 

  • Enter LDAP Port: Specify the LDAP port number this server will use to service LDAP requests.

    Default: 389

 

  • Enter Secure LDAP Port: Specify secure LDAP port number this server will use to service LDAP requests.

    IMPORTANT:The scripts that manage the common proxy user require port 636 for secure LDAP communications.

    Default: 636

 

  • Enter iMonitor Port: Specify the port this server will use to provide access to the iMonitor application.

    iMonitor lets you monitor and diagnose all servers in your eDirectory tree from any location on your network where a web browser is available.

    Default: 8028

 

  • Enter Secure iMonitor Port: Specify the secure port this server will use to provide access to the iMonitor application.

    Default: 8030

eDirectory Configuration - NTP and SLP

 

  • Network Time Protocol (NTP) Server: Specify the IP address or DNS hostname of an NTP server.

    • For the first server in a tree, we recommend specifying a reliable external time source.

    • For servers joining a tree, specify the same external NTP time source that the tree is using, or specify the IP address of a configured time source in the tree. A time source in the tree should be running time services for 15 minutes or more before connecting to it; otherwise, the time synchronization request for the installation fails.

      If the time source server is NetWare 5.0 or earlier, you must specify an alternate NTP time source, or the time synchronization request fails. For more information, see Time Services in the Planning and Implementation Guide.

  • Use Local Clock: Alternatively, you can select Use Local Clock to designate the server’s hardware clock as the time source for your eDirectory tree.

    This is not recommended if there is a reliable external time source available.

 

  • (SLP Options)

    • Use Multicast to Access SLP: Allows the server to request SLP information by using multicast packets. Use this in environments that have not established SLP DAs (Directory Agents).

      IMPORTANT:If you select this option, you must disable the firewall for SLP to work correctly. Multicast creates a significant amount of network traffic and can reduce network throughput.

    • Configure as Directory Agent: Configures this server as a Directory Agent (DA). This is useful if you plan to have more than three servers in the tree and want to set up SLP during the installation.

      • Synchronize Service Registrations with other Directory Agents: Causes SLP, when it starts, to query the Directory Agents listed under Configured SLP Directory Agents for their current lists of registered services. It also causes the DA to share service registrations that it receives with the other DAs in the SLP Directory Agent list.

      • Backup SLP Registrations: Causes SLP to back up the list of services that are registered with this Directory Agent on the local disk.

      • Backup Interval in Seconds: Specifies how often the list of registered services is backed up.

    • Configure SLP to use an existing Directory Agent: Configures SLP to use an existing Directory Agent (DA) in your network. Use this in environments that have established SLP DAs. When you select this option, you configure the servers to use by adding or removing them from the SLP Directory Agent list.

 

  • Service Location Protocols and Scope: Configures the scopes that a user agent (UA) or service agent (SA) is allowed when making requests or when registering services, or specifies the scopes that a directory agent (DA) must support. The default value is DEFAULT. Use commas to separate each scope. For example, net.slp.useScopes = myScope1,myScope2,myScope3.

    This information is required when selecting the Use Multicast to Access SLP or Configure SLP to Use an Existing Directory Agent option.

    Default: Default

 

  • Configured SLP Directory Agents: Lets you manage the list of hostname or IP addresses of one or more external servers on which an SLP Directory Agent is running.

    It is enabled for input only when you configure SLP to use an existing Directory Agent.

NetIQ Modular Authentication Services

 

IMPORTANT:NMAS client software (included with Client for Open Enterprise Server software) must be installed on each client workstation where you want to use the NMAS login methods.

  • CertMutual: The Certificate Mutual login method implements the Simple Authentication and Security Layer (SASL) EXTERNAL mechanism, which uses SSL certificates to provide client authentication to eDirectory through LDAP.

  • Challenge Response: The Challenge-Response login method works with the Identity Manager password self-service process. This method allows either an administrator or a user to define a password challenge question and a response, which are saved in the password policy. Then, when users forget their passwords, they can reset their own passwords by providing the correct response to the challenge question.

  • DIGEST-MD5: The Digest MD5 login method implements the Simple Authentication and Security Layer (SASL) DIGEST-MD5 mechanism as a means of authenticating the user to eDirectory through LDAP.

  • NDS: The NDS login method provides secure password challenge-response user authentication to eDirectory. This method supports the traditional NDS password when the NMAS client is in use. Reinstallation is necessary only if the NDS login method object has been removed from the directory.

  • Simple Password: The Simple Password NMAS login method provides password authentication to eDirectory. The Simple Password is a more flexible but less secure alternative to the NDS password. Simple Passwords are stored in a secret store on the user object.

  • SASL GSSAPI: The SASL GSSAPI login method implements the Generic Security Services Application Program Interface (GSSAPI) authentication by using the Simple Authentication and Security Layer (SASL) that enables users to authenticate to eDirectory through LDAP by using a Kerberos ticket.

If you want to install all of the login methods into eDirectory, click Select All.

If you want to clear all selections, click Deselect All.

For more information on these login methods, see Managing Login and Post-Login Methods and Sequences in the Novell Modular Authentication Services 3.3.4 Administration Guide.

Defaults: Challenge Response and NDS

OES Common Proxy User Information

 

  • Use Common Proxy User as Default for OES Products: This option is disabled for the user and configures the common proxy user for the following services: CIFS, DNS, DHCP, and NCS. Optionally, you can specify that LUM use it.

  • OES Common Proxy User Name: By default, the common proxy user is created in the container that you specify for the server object.

    You can specify a different container, but it must meet one of the following qualifications:

    • New Tree Installation: The container must be included in either the path specified for the eDirectory Admin user or the path for Server object.

    • Existing Tree Installation: The container must already exist in eDirectory.

    IMPORTANT:You cannot create a new container by specifying a non-qualifying path. If you attempt this, the installation program will appear to proceed normally until the eDirectory Configuration (ndsconfig) runs. At that point the installation will fail with an Error creating Common Proxy User: 32 error, and you will need to install the server again.

  • OES Common Proxy User Password: This is disabled for the user, and password will be generated by system.

  • Verify OES Common Proxy User Password: This is disabled for the user.

  • Assign Common Proxy Password Policy to Proxy User: The initial common proxy password policy is a simple password policy created with default rules. You can modify this policy after the installation to enforce stricter rules regarding password length, characters supported, expiration intervals, and so forth.

For additional configuration instructions, see Installing or Upgrading NetIQ eDirectory on Linux in the NetIQ eDirectory Installation Guide.

OES FTP Services

No additional configuration is required.

OES iManager

Table 3-12 NetIQ iManager Parameters and Values

Page and Parameters

iManager Configuration

 

  • eDirectory Tree: Shows the name of a valid eDirectory tree that you specified when configuring eDirectory.

    To change this configuration, you must change the eDirectory configuration.

 

  • FDN Admin Name with Context Shows the eDirectory Admin name and context that you specified when configuring eDirectory. This is the user that has full administrative rights to perform operations in iManager.

    To change this configuration, you must change the eDirectory configuration.

NOTE:Beginning with OES 23.4, iManager is deprecated and will not be available from OES 25.4. Unified Management Console (UMC) provides customized access to network administration utilities and content from virtually anywhere using the Internet and a web browser similar to iManager. For more information about UMC, see Unified Management Console.

For additional configuration instructions, see Installing iManager Server and Workstation in the NetIQ iManager Installation Guide.

OES iPrint Advanced

Table 3-13 OES iPrint Advanced Parameters and Values

Page and Parameters

iPrint Advanced Configuration

 

  • Directory server address: The IP address shown is the default LDAP server for this service. If you do not want to use the default, select a different LDAP server in the list.

    If you are installing into an existing tree, ensure that the server you select has a master replica or read/write replica of eDirectory. If you need to add another LDAP server to the list, add it by using the LDAP Configuration for Open Enterprise Services dialog box.

 

  • eDirectory Search Context: iPrint Advanced uses LDAP to verify rights to perform various iPrint operations, including authenticating users for printing and performing management tasks such as uploading drivers.

    During the installation of the iPrint Advanced software attempts to identify the topmost container of the eDirectory tree and sets the base dn to this container for the AuthLDAPURL entry in /etc/opt/novell/iprint/httpd/conf/iprint_ssl.conf.

    For most installations, this is adequate because users are often distributed across containers.

    IMPORTANT:If you have multiple peer containers at the top of your eDirectory tree, leave this field blank so that the LDAP search begins at the root of the tree.

For more information, see OES iPrint Advanced Administration Guide.

OES Linux User Management

Table 3-14 OES Linux User Management Parameters and Values

Page and Parameters

Linux User Management Configuration

 

  • Directory Server Address: The IP address shown is the default LDAP server for this service. If you do not want to use the default, select a different LDAP server in the list.

    If you are installing into an existing tree, ensure that the server you select has a master replica or read/write replica of eDirectory. If you need to add another LDAP server to the list, add it by using the LDAP Configuration for Open Enterprise Services dialog box.

    For information about specifying multiple LDAP servers for Linux User Management (LUM), see Configuring a Failover Mechanism in the Linux User Management Administration Guide.

    Default: The first server selected in the LDAP Configuration list of servers

 

  • Unix Config Context: The UNIX Config object holds a list of the locations (contexts) of UNIX Workstation objects in eDirectory. It also controls the range of numbers to be assigned as UIDs and GIDs when User objects and Group objects are created.

    Specify the eDirectory context (existing or created here) where the UNIX Config object will be created. An LDAP search for a LUM User, a LUM Group, or a LUM Workstation object begins here, so the context must be at the same level or higher than the LUM objects searched for.

    If the UNIX Config Object is placed below the location of the User objects, the /etc/nam.conf file on the target computer must include the support-outside-base-context=yes parameter.

    Geographically dispersed networks might require multiple UNIX Config objects in a single tree, but most networks need only one UNIX Config object in eDirectory.

    Default: The server context specified in the eDirectory configuration

 

  • Unix Workstation Context: Computers running Linux User Management (LUM) are represented by UNIX Workstation objects in eDirectory. The object holds the set of properties and information associated with the target computer, such as the target workstation name or a list of eDirectory groups that have access to the target workstation.

    Specify the eDirectory context (existing or created here) for the UNIX Workstation object created by the install for this server. The context should be the same as or below the UNIX Config Context specified above.

    Default: The context you specified for this OES server in the eDirectory configuration

 

  • Proxy User for LUM Management (Optional): The system will assign a common proxy for the LUM service if the user selects the "User OES Common Proxy User" option. The user cannot modify this.

 

  • Use OES Common Proxy User: Check this option if you specified a common proxy user and want to use it as the proxy user for LUM.

 

  • Restrict Access to the Home Directories of Other Users: This option is selected by default to restrict read and write access for users other than the owner to home directories.

    Using the default selection changes the umask setting in /etc/login.defs from 022 to 077.

    Default: Selected

Linux User Management Configuration (2)

 

IMPORTANT:Before you change the PAM-enabled service settings, ensure that you understand the security implications explained in User Restrictions: Some OES Limitations in the Planning and Implementation Guide.

  • Click to LUM-Enable the Services: Select the services to LUM-enable on this server. The services marked yes are available to authenticated LUM users.

    • login: no

    • ftp: no

    • sshd: no

    • su: no

    • sfcbd: yes

      This is selected by default because it is used by many of the OES services such as NSS, SMS, and Novell Remote Manager. To access iManager and NRM, you must enable SFCB.

    • gdm: no

    • gnome-screensaver: no

    • gnomesu-pam: no

For additional configuration instructions, see Setting Up Linux User Management in the Linux User Management Administration Guide.

NetWare Core Protocol (NCP) Server

Table 3-15 OES NCP Server Parameters and Values

Page and Parameters

NCP Server Configuration

 

  • Admin Name with Context: The eDirectory Admin user you specified in the eDirectory configuration.

For additional configuration instructions, see Installing and Configuring NCP Server for Linux in the NCP Server for Linux Administration Guide.

OES Pre-Migration Server

No additional configuration is required. For information, see Preparing the Source Server for Migration the Migration Tool Administration Guide.

OES Remote Manager

No additional configuration for the installation is required. To change the configuration after the installation, see Changing the HTTPSTKD Configuration in the OES Remote Manager Administration Guide.

OES Storage Services (NSS)

Table 3-16 OES Storage Services Parameters and Values

Page and Parameters

NSS Unique Admin Object

 

  • Directory Server Address: The IP address shown is the default LDAP server for this service. If you do not want to use the default, select a different LDAP server in the list.

    If you are installing into an existing tree, ensure that the server you select has a master replica or read/write replica of eDirectory. If you need to add another LDAP server to the list, add it by using the LDAP Configuration for Open Enterprise Services dialog box.

    Default The first server selected in the LDAP Configuration list of servers.

 

  • Unique object Name for NSS Admin of This: Specify the NSS Admin name and context or accept the default.

    This is the fully distinguished name of a User object with administrative rights to NSS. You must have a unique NSS admin name for each server that uses NSS.

    For more information, see Planning Your Proxy Users in the Planning and Implementation Guide.

    Default: The server hostname concatenated with the LDAP Admin Name you entered for this server,. cn=myserveradmin,o=organization.

For additional configuration instructions, see Installing and Configuring OES Storage Services in the Storage Services File System (NSS) Administration Guide for Linux.

NSS Active Directory Support

Table 3-17 NSS Active Directory Support Parameters and Values

Page and Parameters

  • AD Domain Name: Specify the appropriate AD domain name.

  • AD Supervisor Group: Is the AD supervisor group name. The AD users belonging to thisgroup will have supervisory rights for all the volumes associated with that OES server.

  • AD User Name: Specify the user name that can be used for the domain join operation. Thisuser requires to have the following privileges: rights to reset password, create computerobjects, delete computer objects, and read and write the msDssupportedEncryptionTypes attribute.

  • Password: Specify the appropriate password of the user who is used for the domain joinoperation.

  • Container to Create Computer Object: You can specify the container under which the OEScomputer object will be created. The default container is CN=Computers. If you havealready created an OES computer object in Active Directory, select Use pre-createdcomputer object, then specify the container name where the pre-created OES computerobject exists.

  • Novell Identity Translator (NIT) Configuration: NIT is used to manage the eDirectory andActive Directory user identities such as UID, GUID, SID, and user name. It maps those useridentities and translates from one identity to another. For more information on NIT, see“About Novell Identity Translator (NIT)”.If you want NIT to generate UIDs for AD users, select Generate UID for AD users, thenspecify the UID range. The default range is from 100000 to 200000. If you want NIT to fetchUIDs, do not select the Generate UID for AD users option.

For additional configuration instructions, see Section 7.0, Installing and Configuring NSS Active Directory Support.

OES Database

Table 3-18 OES Database

Page and Parameters

  • Hostname: Specify the host name of the database server.

  • Port: Specify the port for the server. By default, the port number is 5432.

  • Username:Specify the user name of the database server.

  • Password and Verify Password: Specify the password for the database.

  • Name: Specify the name of the database.

  • Open port in the firewall: By default, it is selected to open the port for the database in firewall.

Unified Management Console (UMC)

Table 3-19 Unified Management Console Parameters and Values

Page and Parameters

  • eDirectory API Port: Specify the eDirectory API port for UMC. By default, the eDirectory API port is 9010.