The subject of OES proxy users is somewhat complex. Therefore, it’s a good idea to understand the basics before planning your implementation strategy.
IMPORTANT: The information in the following sections only answers security questions and provides general information. It is not intended to be used for the manual configuration of proxy users.
As the name implies, proxy users are user objects that perform functions on behalf of OES services.
Proxy user accounts do not represent people; rather, they are eDirectory objects that provide very specific and limited functionality to OES services. Generally, this is limited to retrieving service-related information, such as user passwords and service attributes, but some proxy users also write service information to eDirectory. Because a proxy user can read credentials on behalf of a service, anyone who can change the proxy user's own attributes can act as that service, so the rights granted on the proxy user object matter as much as the rights granted to it.
Many but not all OES services rely on proxy users to run on Linux (see Which Services Require Proxy Users and Why?). Proxy user creation and/or configuration is therefore an integral part of configuring OES.
None of the OES services require that you specify proxy user information during the OES installation, but some, such as DNS/DHCP, AFP, CIFS, and iFolder, give you the option to do so. Others, such as NCS and NSS, create proxy users without user input, while Archive and Versioning Services always uses the install admin as its proxy user.
OES Linux provides the Novell services that were previously only available on NetWare.
To make its services available on Linux, Novell had to accommodate a fundamental difference between the way services run on NetWare and the way they run on Linux.
NetWare Services: The NetWare operating system and eDirectory are tightly integrated. This allows the services (NLMs) on NetWare to assume the identity of a server object in eDirectory, thus gaining access to the other objects and information in eDirectory that are needed for the services to run.
OES Linux Services: eDirectory also runs very well on OES Linux, and it provides the infrastructure on which OES services rely, but it is not integrated with the Linux operating system.
On Linux servers there is no concept of a service, such as Apache or iFolder running as a server object. Instead, each service runs using a User ID (uid) and a Group ID (gid) that the Linux server recognizes as being valid.
The following services utilize a proxy user.
Table I-3 Proxy Users Functions Listed by Service
Each OES service’s YaST installation automatically adds the required rights to the proxy user specified for the service.
Unless otherwise specified, each of the following users has the standard set of user rights in eDirectory. These are the default trustee assignments on the user object itself (the trustee is listed first, then the attribute it has rights to):
Self:
    Login Script: Read Write, Not inheritable
    Print Job Configuration: Read Write, Not inheritable
    [All Attribute Rights]: Read, Inheritable
[Public]:
    Message Server: Read, Not inheritable
[Root]:
    Group Membership: Read, Not inheritable
    Network Address: Read, Not inheritable
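The following script is an added example, not Novell/OES code, showing how an administrator can check the baseline above against a real tree. It parses ACL values in the syntax eDirectory returns over LDAP for its ACL attribute ("privileges#scope#subjectName#protectedAttrName", as printed by ldapsearch), reports any trustee assignment on the proxy user object beyond the standard set, and lists every other object on which the proxy user is itself a trustee so those grants can be reconciled with the service-specific rights. The privilege bit values, the spelling of the bracketed pseudo-attributes, the DNs, and the LDIF sample are assumptions constructed for the example; verify them against your own ldapsearch output before relying on the result.

```python
"""Audit eDirectory ACL entries that concern an OES proxy user.

Added example for this page, not Novell/OES code. It parses ACL values in the
LDAP syntax eDirectory uses for its ACL attribute,
"privileges#scope#subjectName#protectedAttrName", as ldapsearch prints them,
and (1) checks the proxy user object against the standard user rights listed
above, and (2) lists every other object on which the proxy user is a trustee,
so the result can be reconciled with the service-specific rights in Table I-4.
"""

# Privilege bit values in the LDAP ACL encoding (assumed from the eDirectory
# LDAP ACL syntax). Bits not listed here are reported numerically.
ATTR_BITS = {1: "Compare", 2: "Read", 4: "Write", 8: "Self", 16: "Supervisor"}
ENTRY_BITS = {1: "Browse", 2: "Add", 4: "Delete", 8: "Rename", 16: "Supervisor"}

# Constructed sample: what "ldapsearch ... ACL" might return for a hypothetical
# proxy user cn=svcproxy,o=example and a container it serves. The helpdesk
# grant is deliberately suspicious: Write on all attributes of the proxy user
# lets that group change the proxy user's credentials and act as the service.
SAMPLE_LDIF = """\
dn: cn=svcproxy,o=example
ACL: 2#entry#[Root]#groupMembership
ACL: 2#entry#[Root]#networkAddress
ACL: 2#entry#[Public]#messageServer
ACL: 6#entry#cn=svcproxy,o=example#loginScript
ACL: 6#entry#cn=svcproxy,o=example#printJobConfiguration
ACL: 2#subtree#cn=svcproxy,o=example#[All Attributes Rights]
ACL: 4#subtree#cn=helpdesk,ou=groups,o=example#[All Attributes Rights]

dn: ou=svc,o=example
ACL: 2#subtree#cn=svcproxy,o=example#[All Attributes Rights]
ACL: 1#subtree#cn=svcproxy,o=example#[Entry Rights]
"""


def parse_ldif(text):
    """Group ACL values by object DN, in the order ldapsearch printed them."""
    objects, dn = {}, None
    for line in text.splitlines():
        if line.startswith("dn: "):
            dn = line[4:].strip()
            objects.setdefault(dn, [])
        elif line.startswith("ACL: ") and dn is not None:
            objects[dn].append(line[5:].strip())
    return objects


def parse_acl(value):
    """Split one ACL value into (privileges, scope, subject, attribute)."""
    priv, scope, subject, attr = value.split("#", 3)
    return int(priv), scope, subject, attr


def describe(privileges, attribute):
    """Render a privilege bitmask as names, e.g. 6 on loginScript -> 'Read+Write'."""
    table = ENTRY_BITS if attribute == "[Entry Rights]" else ATTR_BITS
    names = [name for bit, name in sorted(table.items()) if privileges & bit]
    unknown = privileges & ~sum(table.keys())
    if unknown:
        names.append("bit%d" % unknown)
    return "+".join(names) or "None"


def standard_user_acls(dn):
    """The default trustee assignments on a user object, as listed above."""
    return {
        (2, "entry", "[Root]", "groupMembership"),
        (2, "entry", "[Root]", "networkAddress"),
        (2, "entry", "[Public]", "messageServer"),
        (6, "entry", dn, "loginScript"),                # Read + Write, not inheritable
        (6, "entry", dn, "printJobConfiguration"),      # Read + Write, not inheritable
        (2, "subtree", dn, "[All Attributes Rights]"),  # Read, inheritable
    }


def audit_proxy_object(dn, acl_values):
    """Return (missing, extra): baseline entries absent, and entries beyond it.

    Extras are not automatically wrong, but each one is a trustee with rights
    over the proxy user object and should be justified.
    """
    have = {parse_acl(v) for v in acl_values}
    want = standard_user_acls(dn)
    return sorted(want - have), sorted(have - want)


def grants_for(trustee, objects):
    """List rights the trustee holds on objects other than its own entry."""
    found = []
    for obj_dn, values in objects.items():
        if obj_dn == trustee:
            continue  # rights on its own object are covered by audit_proxy_object
        for value in values:
            privileges, scope, subject, attribute = parse_acl(value)
            if subject == trustee:
                found.append((obj_dn, attribute, scope, describe(privileges, attribute)))
    return found


if __name__ == "__main__":
    proxy = "cn=svcproxy,o=example"
    objects = parse_ldif(SAMPLE_LDIF)
    missing, extra = audit_proxy_object(proxy, objects[proxy])
    for acl in missing:
        print("MISSING baseline right:", acl)
    for privileges, scope, subject, attribute in extra:
        print("REVIEW: %s has %s on %s (%s)" % (subject, describe(privileges, attribute), attribute, scope))
    for obj_dn, attribute, scope, rights in grants_for(proxy, objects):
        print("%s holds %s on %s of %s (%s)" % (proxy, rights, attribute, obj_dn, scope))
```

To run it against a live tree, replace SAMPLE_LDIF with the output of an ldapsearch for the ACL attribute over the relevant subtree, bound as an account that can read ACLs. Anything reported under REVIEW is a trustee that can modify the proxy user; anything listed by grants_for is a right the proxy user holds elsewhere and should match what the service's YaST installation is expected to grant.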
In addition, each proxy user is granted additional rights as summarized in Table I-4.
Table I-4 Proxy Users Rights