The subject of OES proxy users is somewhat complex. Therefore, it’s a good idea to understand the basics before planning your implementation strategy.
IMPORTANT:The information in the following sections only answers security questions and provides general information. It is not intended to be used for the manual configuration of proxy users.
As the name implies, proxy users are user objects that perform functions on behalf of OES services.
Proxy user accounts do not represent people, rather they are eDirectory objects that provide very specific and limited functionality to OES services. Generally, this includes only retrieving service-related information, such as user passwords and service attributes, but sometimes proxy users also write service information in eDirectory.
Many but not all OES services rely on proxy users to run on Linux (see Which Services Require Proxy Users and Why?). Proxy user creation and/or configuration is therefore an integral part of configuring OES.
None of the OES services require that you specify proxy user information during the OES installation, but some, such as DNS/DHCP, CIFS, and iFolder, give you the option to do so. Others, such as NCS and NSS create proxy users without user input, while Archive and Versioning Services always uses the install admin as its proxy user.
OES provides the Novell services that were previously only available on NetWare.
To make its services available on Linux, Novell had to accommodate a fundamental difference between the way services run on NetWare and the way they run on Linux.
NetWare Services: The NetWare operating system and eDirectory are tightly integrated. This allows the services (NLMs) on NetWare to assume the identity of a server object in eDirectory, thus gaining access to the other objects and information in eDirectory that are needed for the services to run.
OES Services: eDirectory also runs very well on OES, and it provides the infrastructure on which OES services rely, but it is not integrated with the Linux operating system.
On Linux servers there is no concept of a service, such as Apache or iFolder running as a server object. Instead, each service runs using a User ID (uid) and a Group ID (gid) that the Linux server recognizes as being valid.
The following services utilize a proxy user.
Table I-3 Proxy Users Functions Listed by Service
Associated Service |
Example Proxy User Name |
Services That the User Provides |
---|---|---|
AFP |
n/a |
Starting with SP3, AFP no longer requires a proxy user. |
Archive Versioning |
admin The install admin is always specified. |
The service runs as this user. |
CIFS |
OESCommonProxy_hostname Or CifsProxyUser-servername |
Retrieves CIFS user information. |
Clustering (NCS) |
OESCommonProxy_hostname Or installing admin user |
For SP3, NCS has separated out the proxy user (eDirectory communication) functionality so that the clustering administrator and the proxy user can be two separate users. For more information, see |
DHCP |
OESCommonProxy_hostname Or DHCP_LDAP_Proxy |
Lets the service access DHCP objects in eDirectory. |
DNS |
OESCommonProxy_hostname Or DNS_Proxy |
Lets the service access DNS objects in eDirectory. |
iFolder 3 |
OESCommonProxy_hostname Or iFolderProxy IMPORTANT:The Common Proxy user cannot be used if iFolder is running on a cluster node. |
Connects to the eDirectory server and retrieves the following information:
|
Linux User Management |
OESCommonProxy_hostname Or LUM_proxy |
Searches the tree for LUM users. |
NetStorage |
OESCommonProxy_hostname Or NetStorage_Proxy The LDAP Admin user is specified by default, but another user can be created prior to installing and then specified. |
Performs LDAP searches for users logging into NetStorage. |
NSS |
server_nameadmin |
Reads user objects and maintains the volume, pool, and other storage system objects. This user performs some of the same functions as proxy users do for other services. However, unlike other OES services that can share proxy users, NSS requires a unique proxy user for each server. |
Samba (Novell) |
server_name-SambaProxy |
Searches the LDAP tree (eDirectory) for Samba users. |
Each OES service’s YaST installation automatically adds the required rights to the proxy user specified for the service.
Unless otherwise specified, each of the following users has the standard set of user rights in eDirectory:
Self:
Login Script:
Read Write, Not inheritable
Print Job Configuration:
Read Write, Not inheritable
[All Attribute Rights]:
Read, Inheritable
[Public]
Message Server:
Read, Not inheritable
[Root]
Group Membership
Read, Not inheritable
Network Address
Read, Not inheritable
In addition, each proxy user is granted additional rights as summarized in Table I-4.
Table I-4 Proxy Users Rights
Associated Service |
Example Proxy User Name |
Default Rights Granted |
---|---|---|
AFP |
n/a |
Starting with SP3, AFP no longer requires a proxy user. |
Archive Versioning |
Archive Versioning Proxy |
|
CIFS |
CifsProxyUser-servername |
|
Clustering (NCS) |
OESCommonProxy_hostname Or installing admin user |
|
DHCP |
DHCP_LDAP_Proxy |
|
DNS |
DNS_Proxy |
|
iFolder 3 |
iFolderProxy |
|
Linux User Management |
LUM_proxy |
|
NetStorage |
NetStorage_Proxy |
|
NSS |
server_nameadmin |
|
Samba (Novell) |
server_name-SambaProxy |
|