Handling Proxy User Accounts in OES2 SP1
What are the Services that need a proxy user account?
In OES2 SP1, multiple services use a proxy user account. The most common need is the ability to log in to eDirectory and retrieve information from it on behalf of the service.
Services that use (and hence may create) a proxy user include AFP, CIFS, DNS, DHCP, iFolder, NetStorage, Archive Versioning, and Novell Cluster Services.
There are several aspects of the various proxy user accounts that need to be understood. The following sections cover, in two parts, what to consider during planning and how to avoid common issues with proxy user accounts.
Why should you be aware of this?
By default, each service creates its own proxy user account. This gives a high level of security and fine-grained access control, since each proxy user account has access only to the specific information its service needs. On larger deployments, however, it can become a manageability issue, and if you are managing the file protocols (AFP and CIFS) with similar permissions, maintaining two separate accounts is unnecessary overhead.
This part addresses DNS, DHCP, AFP and CIFS. Before deciding on a proxy user layout, consider the following:
1. What are the services that you intend to deploy?
2. Are they going to be installed on the same server or in the same container?
3. Would the permissions and access control restrictions differ between these services?
4. Do the same users access all of these services?
5. Do you plan to deploy multiple servers hosting the same service in the same container or partition?
6. Would the services be hosted on the same server?
As the list shows, several factors must be weighed before deciding what suits your deployment best.
What is the default behavior?
By default, every service creates a proxy user account for itself. Hence, as noted above, if you deploy DNS, DHCP, CIFS and AFP on the same server, there will be four proxy user accounts.
The following sections discuss the criteria for deciding which proxy user account to use in various cases. As mentioned earlier, if you need fine-grained control, and if the services are disjoint in the users, volumes and containers they need access to, it is best to leave the default behaviour in place.
Single Proxy for the Server
This option suits a server where the same password policy is enforced for AFP and CIFS access to the machine (and hence its volumes) and for DNS and DHCP.
How to Configure in YAST?
During installation or post-installation configuration of each component, enter the proxy user name as "CN=OESProxy,O=novell". Note that "CN=OESProxy,O=novell" is only an example; it can be any name in any context. For all the services, edit the service configuration screens and supply the same proxy user DN and the same password. All other options can be left at their default values. Remember that with a shared account, a compromised proxy password exposes every service that uses it, and a password change has to be propagated to every service that stores the credential.
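Once the services are configured, it is worth checking how many distinct proxy accounts a server actually ends up with, whether AFP and CIFS really share one, and whether the credentials bind. The script below is an added example written for this page, not Novell code. It assumes you have copied each service's configured proxy DN (from the YaST screens) into simple "service = DN" lines; that line format and the sample DNs are constructed for the example and are not a real OES configuration file. The optional bind check shells out to the OpenLDAP ldapsearch client and needs a reachable eDirectory LDAP server, so the offline run does not call it.

```python
"""Inventory the proxy user accounts that OES services are configured with.

Added example for this page (not Novell code). The "service = DN" format and
the sample entries below are constructed for illustration only.
"""
import re
import subprocess
from collections import defaultdict

# Constructed sample: AFP and CIFS were pointed at one shared account (spelled
# differently in the two screens), while DNS and DHCP kept their own defaults.
SAMPLE_CONFIG = """
afp  = CN=OESProxy,O=novell
cifs = cn=oesproxy, o=novell
dns  = CN=DNS-Proxy,O=novell
dhcp = CN=DHCP-Proxy,O=novell
"""


def normalize_dn(dn):
    """Canonicalise an LDAP DN so two spellings of the same entry compare equal.

    eDirectory matches attribute types and these name values case-insensitively,
    and clients differ in whether they put a space after each comma, so
    'CN=OESProxy,O=novell' and 'cn=oesproxy, o=novell' must collapse together.
    A comma escaped inside a value ('\\,') is not treated as an RDN separator.
    """
    rdns = re.split(r'(?<!\\),', dn)
    parts = []
    for rdn in rdns:
        attr, _, value = rdn.partition('=')
        parts.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return ','.join(parts)


def parse_config(text):
    """Return {service: raw_dn} from constructed 'service = DN' lines."""
    result = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        service, _, dn = line.partition('=')   # split on the first '=' only
        result[service.strip().lower()] = dn.strip()
    return result


def group_by_proxy(services):
    """Map each distinct proxy account (normalised DN) to the services using it."""
    groups = defaultdict(list)
    for service, dn in services.items():
        groups[normalize_dn(dn)].append(service)
    return dict(groups)


def audit(text):
    """Return (number of distinct proxy accounts, list of warnings)."""
    groups = group_by_proxy(parse_config(text))
    account_of = {svc: dn for dn, svcs in groups.items() for svc in svcs}
    findings = []
    # AFP and CIFS normally run under the same password policy, so two accounts
    # there is the overhead the text describes.
    if 'afp' in account_of and 'cifs' in account_of \
            and account_of['afp'] != account_of['cifs']:
        findings.append('AFP and CIFS use different proxy accounts')
    return len(groups), findings


def bind_check(uri, dn, password):
    """Verify the proxy credentials with a simple bind via ldapsearch.

    Returns True when ldapsearch can bind as the DN and read its own entry
    ('1.1' requests no attributes). Use an ldaps:// URI so the password is
    not sent in clear text. Needs a reachable eDirectory LDAP server.
    """
    cmd = ['ldapsearch', '-x', '-H', uri, '-D', dn, '-w', password,
           '-s', 'base', '-b', dn, '1.1']
    return subprocess.run(cmd, capture_output=True).returncode == 0


if __name__ == '__main__':
    count, warnings = audit(SAMPLE_CONFIG)
    print(f"distinct proxy accounts on this server: {count}")
    for warning in warnings:
        print("warning:", warning)
    # Example of the online check (hostname and password are placeholders):
    # print(bind_check('ldaps://oes-server.example.com', 'CN=OESProxy,O=novell', 'secret'))
```

For the sample input the script reports three distinct accounts and no warning, because the two spellings of the AFP/CIFS account normalise to the same DN; running it against a server that still has all four defaults reports four.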
How to Reset the Password?
a. eDirectory
b. CASA
iFolder, NetStorage, Archive Versioning and Novell Cluster Services are discussed in the second part.
Possible caveats and some special cases to be aware of.