manualshive.com logo in svg

Novell OPEN ENTERPRISE SERVER 2 SP2 - ADMINISTRATION, Implementation Manual, Page: 225 / 288

Share
Download
Novell OPEN ENTERPRISE SERVER 2 SP2 - ADMINISTRATION Implementation Manual Download Page 225

Certificate Management

22

225

n

ov

do

cx (e

n)

  22
 Ju

n

e 20
09

22

Certificate Management

By default, all SUSE

®

 Linux Enterprise Server (SLES) 10 servers include self-generated server 

certificates to secure data communications with the servers. These certificates are self-signed and do 
not comply with the X.509 RFCs. They are provided only as a stop-gap and should be replaced as 
soon as possible by a certificate from a trusted Certificate Authority. 

Unfortunately, many organizations ignore the vulnerabilities to mischievous or even malicious 
attacks that are created by not replacing these temporary certificates. Some of the reasons for this are

Š

Many administrators lack the knowledge required.

Š

Certificate maintenance can require a significant investment of time and effort.

Š

Obtaining third-party certificates for each server is expensive. 

The problems are compounded by the fact that X.509 certificates are designed to expire regularly 
and should be replaced shortly before they do.

Open Enterprise Server 2 includes solutions that address each of these issues at no additional 
expense.

This section discusses the certificate management enhancements available in OES 2 and how simple 
and straightforward it is to take advantage of these.

Š

Section 22.1, “Overview,” on page 225

Š

Section 22.2, “Setting Up Certificate Management,” on page 228

Š

Section 22.3, “If You Don’t Want to Use eDirectory Certificates,” on page 230

22.1  Overview

The following sections outline how OES 2 lets you automate certificate management for OES 2 and 
all HTTPS services:

Š

Section 22.1.1, “SLES Default Certificates,” on page 225

Š

Section 22.1.2, “OES 2 Certificate Management,” on page 226

Š

Section 22.1.3, “Multiple Trees Sharing a Common Root,” on page 228

22.1.1  SLES Default Certificates

By default, HTTPS services on SLES 10 SP1 are configured to use two files that are located in 

/

etc/ssl/servercerts

 and are protected so that only 

root

 and some specific groups can read 

them:

Š

serverkey.pem: 

This contains the server’s raw private key.

Š

servercert.pem: 

This contains the server’s certificates.

OES 2 services, such as Apache, OpenWBEM, and Novell Remote Manager, are also configured to 
use these certificates.

Summary of Contents for OPEN ENTERPRISE SERVER 2 SP2 - ADMINISTRATION

Page 1: ...Novell www novell com novdocx en 22 June 2009 AUTHORIZED DOCUMENTATION OES 2 SP2 Planning and Implementation Guide Open Enterprise Server 2 SP2 November 10 2009 Planning and Implementation Guide...

Page 2: ...t or re export to entities on the current U S export exclusion lists or to any embargoed or terrorist countries as specified in the U S export laws You agree to not use deliverables for prohibited nuc...

Page 3: ...Trademarks For Novell trademarks see the Novell Trademark and Service Mark list http www novell com company legal trademarks tmlist html Third Party Materials All third party trademarks are the prope...

Page 4: ...4 OES 2 SP2 Planning and Implementation Guide novdocx en 22 June 2009...

Page 5: ...23 1 5 2 OES 2 Migration Tools 23 1 5 3 Xen Virtualization Technology 23 2 Welcome to Open Enterprise Server 2 25 3 Planning Your OES 2 Implementation 27 3 1 What Services Are Included in OES 2 27 3 2...

Page 6: ...Getting and Preparing OES 2 Software 53 4 1 Do You Have Upgrade Protection 53 4 2 Do You Want 32 Bit or 64 Bit OES 53 4 3 Do You Want to Purchase OES 2 or Evaluate It 54 4 4 Evaluating OES 2 Software...

Page 7: ...te Support 69 6 12 Novell tomcat Is for OES Use Only 70 6 13 NSS OES 2 70 6 13 1 Understanding Name Space Support 70 6 13 2 The Role of EVMS 70 6 14 OpenLDAP on OES 2 71 6 15 Samba 71 6 16 Virtualizat...

Page 8: ...nd Migration of Time Synchronization Services 108 12 3 4 Implementing Time Synchronization 110 12 3 5 Configuring and Administering Time Synchronization 111 12 3 6 Daylight Saving Time 112 12 4 Discov...

Page 9: ...4 3 Implementing DSfW on Your Network 146 15 Users and Groups 149 15 1 Creating Users and Groups 149 15 2 Linux User Management Access to Linux for eDirectory Users 149 15 2 1 Overview 150 15 2 2 Plan...

Page 10: ...uring FTP 199 17 5 2 Path Formats 199 17 5 3 SITE Command 200 17 6 NCP Implementation and Maintenance 200 17 6 1 The Default NCP Volume 201 17 6 2 Creating NCP Home and Data Volume Pointers 201 17 6 3...

Page 11: ...Auditing 217 21 1 3 Encryption NICI 218 21 1 4 General Security Issues 219 21 2 Planning for Security 219 21 2 1 Comparing the Linux and the Novell Trustee File Security Models 219 21 2 2 User Restric...

Page 12: ...pport 249 G Client Workstation OS Support 251 H OES 2 Service Scripts 253 I System User and Group Management in OES 2 SP2 257 I 1 About System Users and Groups 257 I 1 1 Types of OES System Users and...

Page 13: ...Tree with a Mix of File Access Services and Users from across the Tree 281 K 3 2 Example 2 Mutually Exclusive Users 282 K 4 Deployment Guidelines for Different Servers and Deployment Scenarios 283 K 4...

Page 14: ...14 OES 2 SP2 Planning and Implementation Guide novdocx en 22 June 2009...

Page 15: ...ion or go to www novell com documentation feedback html and enter your comments there Documentation Updates Changes to this guide are summarized in a Documentation Updates appendix at the end of this...

Page 16: ...less otherwise indicated In this documentation a greater than symbol is used to separate actions within a step and items within a cross reference path A trademark symbol TM etc denotes a Novell tradem...

Page 17: ...es in This Guide and Elsewhere Because many organizations are transitioning their network services from NetWare to OES information to assist with upgrading from NetWare to OES 2 is included in this gu...

Page 18: ...sta Administration Guide Novell Cluster ServicesTM High Availability Administration Guide Novell iFolder 3 8 Administration Guide User Guide Novell Remote Manager Administration Guide Novell Storage S...

Page 19: ...20 1 3 1 Auditing OES 2 SP2 includes support for third party developers to create auditing products For more information see Section 21 1 2 Auditing on page 217 1 3 2 Base Platform Is SLES 10 SP3 With...

Page 20: ...ith an unmodified OES 2 SP2 node their CPL settings will conflict and one of the nodes must be modified For more information about cross protocol locking see Configuring Cross Protocol File Locks for...

Page 21: ...users no LUM required Cross protocol file locking with NCPTM Novell AFP also offers the following features not available for NetWare DHX authentication mechanism Provides a secure way to transport pa...

Page 22: ...sing Samba shares NTFS files on Windows servers that use CIFS shares Shares in trusted Active Directory forests For more information see the OES 2 SP2 Domain Services for Windows Administration Guide...

Page 23: ...Storage and File Systems on page 123 and the OES 2 SP2 Dynamic Storage Technology Administration Guide 1 5 2 OES 2 Migration Tools In addition to the legacy Server Consolidation and Migration Toolkit...

Page 24: ...24 OES 2 SP2 Planning and Implementation Guide novdocx en 22 June 2009...

Page 25: ...1 OES 2 Overview NOTE For a list of OES 2 services see Table 3 1 Service Comparison Between NetWare 6 5 SP8 and OES 2 SP2 Linux on page 27 is running on OES 2 AFP Backup SMS Clustering High Availabili...

Page 26: ...26 OES 2 SP2 Planning and Implementation Guide novdocx en 22 June 2009...

Page 27: ...Caveats to Consider Before You Install on page 36 Section 3 10 Consider Coexistence and Migration Issues on page 48 Section 3 11 Understand Your Installation Options on page 49 3 1 What Services Are...

Page 28: ...dows File Services Yes NFAP Yes Novell CIFS and Novell Samba Both NFAP and Novell CIFS are Novell proprietary and tightly integrated with eDirectory and Novell Storage Services NSS Samba is an open so...

Page 29: ...Yes DST runs on OES 2 An NSS volume on NetWare is supported only as the secondary volume in a shadow pair When using DST in a cluster each of the NSS volumes in a shadow pair must reside on OES 2 DST...

Page 30: ...does not support eDirectory access controls like the NetWare target does Nor is the iSCSI initiator or target in OES 2 integrated with NetWare Remote Manager management You use YaST management tools...

Page 31: ...NetWare Traditional File System to Linux NetWare Traditional Volumes Yes N A NFS Yes NFAP Yes native to Linux For NetWare see Working with UNIX Machines in the NW 6 5 SP8 AFP CIFS and NFS NFAP Adminis...

Page 32: ...ource product Linux includes the open source product itself See Functions Unique to the NetWare Platform in the NW 6 5 SP8 OpenSSH Administration Guide PAM Pluggable Authentication Modules No Yes PAM...

Page 33: ...ation edir87 edir87 data a2iiimc html NetWare uses Novell SLP which provides caching of Directory Agent scope information in eDirectory This provides for sharing of scope information among DAs Novell...

Page 34: ...nto the tree The first server is important for two reasons You create the basic eDirectory tree structure during the first installation The first server permanently hosts the Certificate Authority for...

Page 35: ...l as Group and User objects in eDirectory 3 5 Prepare Your Existing eDirectory Tree for OES 2 If you are installing OES 2 into an existing tree you must use Deployment Manager located on the NetWare 6...

Page 36: ...ection 3 9 2 AFP File Locking Requires Samba on page 37 Section 3 9 3 Always Double Check Service Configurations Before Installing on page 37 Section 3 9 4 Back Button Doesn t Reset Configuration Sett...

Page 37: ...e explained in Section 3 9 4 Back Button Doesn t Reset Configuration Settings on page 37 and 3 9 4 Back Button Doesn t Reset Configuration Settings During an installation after you configure eDirector...

Page 38: ...nly NSS pool cluster resources that are created on a NetWare cluster node can be failed over between Linux and NetWare nodes NetWare NSS to Linux NSS failover requires that the Linux node be configure...

Page 39: ...ystem User and Group Management in OES 2 SP2 on page 257 However as OES has evolved some initially defined conventions regarding system Users have needed adjustment Be sure to read the information and...

Page 40: ...ier UIDs and GID on subsequently installed servers didn t match the XTier UIDs and GID in eDirectory NetStorage couldn t access the NSS volumes on the server The OES 1 Solution The nssid sh Script To...

Page 41: ...ipt reads server myserver context This is the context of the XTier user and group objects Replace this variable with the fully distinguished name of the context where the objects reside For example if...

Page 42: ...ing iFolder Server This is especially critical if you plan to use NSS for your iFolder 3 8 data volume 3 9 11 Incompatible TLS Configurations Give No Warning When you install a new eDirectory tree the...

Page 43: ...already running eDirectory eDirectory must be installed in conjunction with the installation of OES services Be Sure That eDirectory Is Healthy Review and follow the guidelines in Keeping eDirectory...

Page 44: ...OES servers If you have configured Role Based Services you need to make sure the licensing plug in is installed and added to the RBS collection For more information see Upgrading iManager in the Novel...

Page 45: ...For example by default the tree Admin user and the server are installed in the same context Some administrators when they discover that the tree structure doesn t meet their needs assume they can rect...

Page 46: ...providing file services to CIFS or SMB clients Xen Virtual Machine Host Server Novell Archive and Version Services Novell Domain Services for Windows DSfW Xen Virtual Machine Host Server Novell Backup...

Page 47: ...ces for Windows Xen Virtual Machine Host Server Novell iManager Xen Virtual Machine Host Server Novell iPrint Print Server CUPS CUPS components are actually installed but CUPS printing is disabled For...

Page 48: ...ur approach to implementing OES 2 In some cases there are specific paths to follow so that the OES 2 integration process is as smooth as possible Novell Samba File Server Samba Novell CIFS Novell Doma...

Page 49: ...Installation Options Before installing OES you should be aware of the information in the following sections Section 3 11 1 OES 2 Installation Overview on page 49 Section 3 11 2 About Your Installatio...

Page 50: ...he ISO files or physical media from a Novell Authorized Reseller Decide whether to install from files on the network or directly from physical media Network install path Physical media install path Cr...

Page 51: ...options For more information see Installing Upgrading or Updating OES on a Xen based VM in the OES 2 SP2 Installation Guide Installing and Managing NetWare on a Xen based VM in the OES 2 SP2 Installa...

Page 52: ...NSS on a Single Drive Linux Server Many are interested in Novell Storage Services NSS running on Linux If you plan to experiment with NSS on a single drive server be sure to follow the instructions in...

Page 53: ...de protection expires After your protection expires the OES 2 upgrade link disappears from your account page For more information and to start the upgrade process do the following 1 Using your Novell...

Page 54: ...u haven t already done so be sure to review the information in Section 3 11 Understand Your Installation Options on page 49 and then skip to Chapter 5 Installing OES 2 on page 59 4 4 Evaluating OES 2...

Page 55: ...ave OES 2 SP2 product media CDs and DVDs skip to Section 4 4 4 Installing OES 2 for Evaluation Purposes on page 56 To download ISO image files from the Web 1 If you don t already have a Novell account...

Page 56: ...s against the list you printed in Step 15 For example on a Linux system you can enter the following command md5sum filename where filename is the name of the iso file you are verifying For a Windows s...

Page 57: ...ou will follow to fully leverage its network services 4 4 6 Installing Purchased Activation Codes after the Evaluation Period Expires After purchasing Open Enterprise Server use the instructions in Re...

Page 58: ...ensing eula oes oes_2_english pdf on the Web After installing OES 2 you can use Novell iManager to install and manage license certificates in your eDirectory tree and to monitor NetWare usage You can...

Page 59: ...aring to Install OES 2 SP2 Installing OES 2 SP2 3 Make sure you always download the latest patches as part of the Customer Center configuration during the install This ensures the most stable configur...

Page 60: ...ver SLES 10 SP3 VM host server creating a VM and then installing an OES 2 server NetWare or Linux in the VM To get started with Xen virtualization in OES 2 see the following Introduction to Xen Virtua...

Page 61: ...ge 64 Section 6 6 eDirectory on page 64 Section 6 7 iFolder 3 8 on page 66 Section 6 8 iPrint on page 66 Section 6 9 LDAP Preventing Bad XML Errors on page 67 Section 6 10 Management on page 68 Sectio...

Page 62: ...as well Unless you are aware of the users and groups in both systems especially those that are system created you might easily create an invalid configuration on an OES 2 server 6 2 2 Three Examples...

Page 63: ...other creates a LUM enabled group in eDirectory with the same name Again the LUM enabled users who are members of the eDirectory group won t have access through POSIX This is why we recommend that as...

Page 64: ...ause JClient Errors ConsoleOne support is now limited to management of GroupWise and ZENworks for Desktops 7 If you need to use ConsoleOne to manage either of these supported products on OES 2 make su...

Page 65: ...f your OES services will break If you need to rename a container or tree make sure that you 1 Identify all of the configuration files for your OES services 2 Assess whether the changes that you are pl...

Page 66: ...e you can either escape the character or place single quotes around the value For example cn admin name o container or cn admin name o container 6 7 iFolder 3 8 Implementation caveats for iFolder 3 8...

Page 67: ...ins are different for each server platform Therefore if you have both OES 2 and NetWare 6 5 SP8 servers running iPrint services you need two instances of iManager to manage iPrint one on each platfor...

Page 68: ...nefits from having an index present The subtree search performance issue is resolved in the eDirectory 8 8 x release with the addition of the AncestorID feature 6 10 Management Section 6 10 1 iManager...

Page 69: ...inal Prompt Use the actual filenames instead of names such as filena 1 txt during file operations from the command prompt 6 11 NCP Doesn t Equal NSS File Attribute Support NSS file attributes and NCPT...

Page 70: ...ding Name Space Support on page 70 Section 6 13 2 The Role of EVMS on page 70 6 13 1 Understanding Name Space Support NSS stores LONG UNIX DOS and AFP name spaces for all files The default name space...

Page 71: ...nes are not affected Leaving VMM open can affect the system resources available to the VMs 6 16 2 Always Use Timesync Rather Than NTP Time synchronization problems have been observed when virtualized...

Page 72: ...ines for using NSS volumes in connection with OES 2 servers running in Xen VMs Both Linux and NetWare Platforms NSS pools and volumes must be created on only SCSI or Fibre Channel devices You cannot u...

Page 73: ...ve installed are treated differently by default when you upgrade an OES server depending on the version of the server you are upgrading OES 1 Applications are deleted by default during an upgrade OES...

Page 74: ...and virtual to virtual upgrades are supported For complete upgrade instructions see Upgrading to OES 2 SP2 in the OES 2 SP2 Installation Guide In addition to upgrading the server itself data and serv...

Page 75: ...SP2 Migration Tool The OES 2 SP2 Migration Tool lets you migrate and or consolidate data and services from one or more NetWare OES 1 or OES 2 source servers to an OES 2 SP2 target server The source s...

Page 76: ...76 OES 2 SP2 Planning and Implementation Guide novdocx en 22 June 2009...

Page 77: ...ailable only to OES 2 registered customers 9 1 Graphical Overview of Virtualization in OES 2 Figure 9 1 illustrates how a single VM host server can support multiple VM guest servers that in turn provi...

Page 78: ...nning on the VM host NetWare Response File Utility Lets you pre answer the same questions as you would during a physical NetWare installation When the time comes to run the NetWare Install program the...

Page 79: ...prior to adding the services See the instructions in the Important note in Installing or Configuring OES Services on an Existing Server in the OES 2 SP2 Installation Guide NCP Server Dynamic Storage T...

Page 80: ...80 OES 2 SP2 Planning and Implementation Guide novdocx en 22 June 2009...

Page 81: ...eparate purchase is a multinode clustering product that Can include up to 32 servers Is supported for both NetWare and Linux Is eDirectoryTM enabled for single point ease of management Supports failov...

Page 82: ...82 OES 2 SP2 Planning and Implementation Guide novdocx en 22 June 2009...

Page 83: ...d interfaces that help you implement and maintain your network Access to most of these management interfaces is controlled through eDirectoryTM However a few interfaces such as YaST on SUSE Linux Ente...

Page 84: ...te Requires JavaScript Apache and Tomcat Browsers accessing the Welcome site must have JavaScript enabled to function correctly Additionally it is possible to install OES 2 on either supported platfor...

Page 85: ...For additional information see Verifying That the Installation Was Successful in the OES 2 SP2 Installation Guide 11 2 3 The Welcome Web Site Is Available to All Users Although the Welcome Web site i...

Page 86: ...d prompt on the Linux server For more information or help understanding and using bash search the Web for any of the numerous articles and tutorials on using the shell Health Monitoring Services Monit...

Page 87: ...ager Workstation iManager Workstation formerly Mobile iManager Manage eDirectory Create and manage users groups and other objects Manage OES 2 services Access various other management tools and plug i...

Page 88: ...4 in the Novell eDirectory 8 8 Administration Guide iPrint Map Designer Create a printer map to aid in printer selection installation Edit an existing printer map 1 In a supported Web browser enter th...

Page 89: ...volumes And you can salvage and purge deleted files For more information see Managing File Security and Passwords in the Novell Client 4 91 SP5 for Windows XP 2003 Installation and Administration Gui...

Page 90: ...e and password or a Linux POSIX username and password Functionality is limited for non Admin or non root users on both platforms NRM on Linux doesn t include all the functionality of NRM on NetWare Fo...

Page 91: ...firewall must allow for SSH access eDirectory users must be enabled for SSH access For more information see Section 11 4 SSH Services on OES 2 on page 93 OpenWBEM Perform tasks instrumented by specif...

Page 92: ...ion Guide Remote Manager See Novell Remote Manager SNMP for eDirectory Lets you use standard SNMP tools to Monitor an eDirectory server Track the status of eDirectory to verify normal operations Spot...

Page 93: ...ng Utilities Manage the Linux server and standard Linux services from the command prompt Enter the desired command at the command prompt For more information see System Monitoring Utilities http www n...

Page 94: ...r provides Web access to directories and files on other servers or on itself Typically either an NCP or a CIFS connection is used for connecting the NetStorage server with storage targets However an S...

Page 95: ...95 Enabling Users for LUM on page 96 Restricting SSH Access to Only Certain LUM Enabled Users on page 96 Providing SSH Access for Samba Users on page 97 Allowing SSH Access Through the Firewall 1 On...

Page 96: ...ss to the server On the other hand if you have installed Samba on the server or if you install Samba in the future the users who are configured for Samba access will have SSH access disabled To restor...

Page 97: ...ns for providing SSH access to users who have been enabled for Samba access You can remove the user from the server_name W SambaUserGroup IMPORTANT This presupposes that the user is a member of a diff...

Page 98: ...98 OES 2 SP2 Planning and Implementation Guide novdocx en 22 June 2009...

Page 99: ...establish point to point connections so that nodes can send messages to each other and have the packets arrive intact and in the correct order The transport protocol also specifies how nodes are iden...

Page 100: ...DNSMaint Yes No Fault Tolerance Yes Yes Filenames and paths Server binary sys system named nlm opt novell named bin novell named db jnl file sys etc dns etc opt novell named named conf Stat file info...

Page 101: ...Section 12 3 4 Implementing Time Synchronization on page 110 Feature or Command NetWare 6 5 SP8 OES 2 Auditing Yes No Filenames and paths Conf file N A etc dhcpd conf Leases Stored in eDirectory var l...

Page 102: ...ization modules that each operating system uses and how these modules can interact with each other OES 2 vs NetWare 6 5 on page 102 OES 2 Servers Use the Network Time Protocol NTP to Communicate on pa...

Page 103: ...me Synchronization Modules Compatibility with Earlier Versions of NetWare Earlier versions of NetWare version 4 2 through version 6 0 do not include an NTP time module Their time synchronization optio...

Page 104: ...a NetWare 6 5 server IMPORTANT As shown in Figure 12 4 we recommend that NetWare 4 2 servers not be used as a time source OES 2 Servers as Time Providers Figure 12 5 shows how OES 2 servers can funct...

Page 105: ...ore detailed planning information refer to the following resources How Timesync Works in the NW 6 5 SP8 Network Time Synchronization Administration Guide Network Time Protocol in the NW 6 5 SP8 NTP Ad...

Page 106: ...ommunicate with other servers in peer to peer relationships to ensure that they are synchronized Basic planning steps are summarized in Planning a Time Synchronization Hierarchy before Installing OES...

Page 107: ...t should ultimately obtain time from a public NTP server If your network doesn t currently employ time synchronization refer to the list of public NTP servers published on the ntp org Web site http nt...

Page 108: ...OES 2 servers can be introduced into an existing network environment without disrupting any of the products and services that are in place This section discusses the issues involved in the coexistence...

Page 109: ...tWare on page 103 Upgrading from NetWare to OES 2 The OES 2 SP21 Migration Tool can migrate time synchronization services from NetWare to Linux For more information see Migrating Timesync NTP from Net...

Page 110: ...2 install prompts you for the IP address or DNS name of an NTP v3 compatible time server If you are installing the first server in a new eDirectory tree you have two choices You can enter the IP addre...

Page 111: ...al time sources to ensure fault tolerance For more information see Changing Time Synchronization Settings on a SLES 10 Server on page 112 NetWare 6 5 SP8 If you are installing into an existing tree th...

Page 112: ...rmation about daylight saving time DST see the DST Master TID on the Novell Support site http www novell com support php search do cmd displayKC docType kc externalId 3094409 12 4 Discovery Services V...

Page 113: ...as open source software and is available for download on the Novell Forge Web site http forge novell com modules xfmod project showfiles php group_id 1025 12 4 4 CIMOM and Discovery The current OpenW...

Page 114: ...ncluding RFC 2614 SLP version 2 0 It is the default SLP service installed on SLES 10 In OES 2 OpenSLP is available for those applications that require it The default discovery mechanism is actually DN...

Page 115: ...That way you can point to the SLP service during the installation Setting up SLP services on every OES 2 server is recommended Setting Up an OpenSLP DA Server If you need OpenSLP and you don t already...

Page 116: ...lp conf Scopes group and organize the services on your network into logical categories For example the services that the Accounting group needs might be grouped into an Accounting scope More informati...

Page 117: ...rver you defined in Setting Up an OpenSLP DA Server on page 115 You can also list additional DA addresses separated by commas 4 Return to the Novell eDirectory Services instructions in the OES 2 SP2 I...

Page 118: ...DA Access During the NetWare Server Installation 1 In the dialog box where you set up IP addresses for network boards click Advanced 2 Click the SLP tab 3 Specify the IP address of the OES 2 DA serve...

Page 119: ...hould complete one of the following procedures as it applies to your situation Configuring for DA Access During the OES 2 Installation on page 119 Configuring for DA Access Before or After Installing...

Page 120: ...This is a problem especially if one of the later names becomes the first name in a subsequent SLP configuration and the leading space is ignored If you use the scope names given in the example remove...

Page 121: ...the DA IP addresses are listed If you know the scope names check for the proper scope name configuration by using the SET SLP SCOPE LIST command Use the DISPLAY SLP SERVICES command to list all of the...

Page 122: ...122 OES 2 SP2 Planning and Implementation Guide novdocx en 22 June 2009...

Page 123: ...plementing storage services in OES Section 13 1 Overview of OES 2 Storage on page 123 Section 13 2 Planning OES File Storage on page 128 Section 13 3 Coexistence and Migration of Storage Services on p...

Page 124: ...mary Link for More Information Linux POSIX File Systems SLES 10 includes a number of different file systems the most common of which are Ext3 and ReiserFS OES 2 services are supported on Ext3 ReiserFS...

Page 125: ...uide NSS Linux vs NSS NetWare Comparison of NSS on NetWare and NSS on Linux NSS Linux vs Linux POSIX Comparison of NSS on Linux and NCP Volumes on Linux POSIX File Systems NSS Netware vs NetWare Tradi...

Page 126: ...folders to organize data NetWare file systems support directory paths fake root directories Directory Map objects and drive mappings For more information see Understanding Directory Structures for the...

Page 127: ...As shown in Figure 13 1 on page 124 you can install traditional volumes and Novell Storage System NSS volumes on both OES platforms These devices can be installed within the server or attached directl...

Page 128: ...OES 2 SP2 Novell Cluster Services 1 8 7 for Linux Administration Guide 13 1 6 NetWare Core Protocol Support Novell Client Support on Linux Many organizations rely on Novell ClientTM software and the N...

Page 129: ...ild efficient scalable and cost effective solutions This section discusses issues to consider when planning your file systems on OES 2 servers and includes the following topics The Workgroup Environme...

Page 130: ...ing new models of protecting and storing employee generated data that is in LAN systems It is important to apply correct regulatory requirements only on those users to which they must be applied and t...

Page 131: ...lability with one important exception If the server is running as a Xen VM guest you should format the boot partition with Ext2 as explained in Paravitual Mode and Journaling File Systems http www nov...

Page 132: ...ba The Common Internet File Services CIFS protocol is the protocol for Windows networking and file services Novell CIFS is a ported version of the CIFS file service traditionally available only on Net...

Page 133: ...ood choices in this environment For file serving to end user workstations the access control and security management capabilities of the NSS file systems with CIFS and NCP file access protocols are im...

Page 134: ...file systems from node to node For example if you are using NSS on one node you need to use NSS on the failover node as well Dynamic Storage Technology Dynamic Storage Technology does not depend on a...

Page 135: ...on such as boot for Grub and system partition such as for the swap and system volumes are managed by Logical Volume Manager 2 LVM2 Any disk managed by LVM2 cannot be managed by EVMS which makes the di...

Page 136: ...ditional volumes with NetWare 6 5 SP8 you will want to consider upgrading them to NSS to support a data migration to OES 2 NSS Volumes NSS volumes are cross compatible between NetWare and Linux server...

Page 137: ...stration Guide Distributed File Services DFS Use DFS junctions to transparently redirect data requests split volumes while maintaining transparent access and quickly move volume data to another volume...

Page 138: ...g and Purging Deleted Volumes Directories and Files in the OES 2 SP2 NSS File System Administration Guide Tools Learn about the various tools available to manage NSS volumes the tool capabilities and...

Page 139: ...ies in directory services is a fundamental expectation for networking In the simplest terms Novell eDirectoryTM is a tree structure containing a list of objects or identities that represent network re...

Page 140: ...4 2 3 eDirectory Coexistence and Migration on page 141 14 2 1 Installing and Managing eDirectory on OES The tools you can use to install and manage eDirectory on OES are outlined in the following sect...

Page 141: ...Directory see Designing Your Novell eDirectory Network in the Novell eDirectory 8 8 Installation Guide To learn what s new in eDirectory 8 8 see the Novell eDirectory 8 8 Whats New Guide 14 2 3 eDirec...

Page 142: ...vell eDirectory Management Utilities in the Novell eDirectory 8 8 Administration Guide 14 3 4 eDirectory LDAP Implementation Suggestions For help with setting up and using LDAP for eDirectory refer to...

Page 143: ...ment on page 145 File Access Figure 14 2 DSfW File Access Overview Could be on a seperate OES 2 server in or out of the domain Could be on a separate Windows server eDirectory DSfW server eDirectory U...

Page 144: ...users can also access files through a normal NCPTM connection For eDirectory users file service access is controlled by authentication through the eDirectory server using common Windows authentication...

Page 145: ...nages DSfW users like other eDirectory users MMC manages both AD users and DSfW users as though they were AD users DSfW users must have the Default Domain Password policy assigned and a valid Universa...

Page 146: ...Password policy assigned they won t be able to log in without the Novell Client until the Universal Password has been set Therefore you should consider implementing Universal Password and giving users...

Page 147: ...ng the First DSfW Server in a New eDirectory Tree in the OES 2 SP2 Domain Services for Windows Administration Guide Install DSfW on a New OES 2 Server When Possible Because of the service limitations...

Page 148: ...148 OES 2 SP2 Planning and Implementation Guide novdocx en 22 June 2009...

Page 149: ...ganization resources you can manage through eDirectory The Lab Guide for OES 2 provides basic instructions for creating container objects as well as Group and User objects in eDirectory For more infor...

Page 150: ...OES 2 That Require LUM Enabled Access on page 152 Services That Do Not Require LUM Enabled Access But Have Some LUM Requirements on page 154 Services That Do Not Require LUM enabled Access on page 154...

Page 151: ...directory services Remote user access is enabled through the Pluggable Authentication Module PAM architecture on Linux The Linux POSIX compliant interfaces can authenticate both kinds of users indepen...

Page 152: ...tory users who are configured to access the server This is because Samba requires POSIX identification for access By extension NetStorage users who need access to Samba CIFS Storage Location objects t...

Page 153: ...can access SMS utilities as The root user with rights to see everything on the Linux server A local Linux user with access governed by POSIX access rights Having local users in addition to root is no...

Page 154: ...tory access is always controlled by POSIX The Novell Trustee Model doesn t apply to Samba Both Novell trustee assignments and POSIX file ownership are tracked correctly after users are LUM enabled Alt...

Page 155: ...s eDirectory Admin User Is Automatically Enabled for Linux Access on page 155 Planning Which Users to Enable for Access on page 155 Be Aware of System Created Users and Groups on page 155 eDirectory A...

Page 156: ...iple OES 2 Servers on page 156 Samba users are also enabled for Linux access as part of the Samba enabling process nambulkadd If you have eDirectory users and groups that need to be enabled for Linux...

Page 157: ...User Management includes utilities for creating new LUM enabled groups and for enabling existing eDirectory groups for Linux access The nambulkadd utility lets you use a text editor to create a list o...

Page 158: ...Management Services Providing network users with a network identity is a fundamental expectation for networking but it can also become confusing when users need to track multiple identities to use net...

Page 159: ...ty Manager Driver for Active Directory Other Identity Manager Integration Modules drivers are included in the software distribution You can install and use these additional Integration Modules for 90...

Page 160: ...w novell com documentation idm35 idm_log data bookinfo html For information about customizing your implementation Policy Builder and Driver Customization Guide http www novell com documentation idm35...

Page 161: ...et on that server I installed the Bundle Edition on Linux or NetWare but it s not activated Why is this You must install the Bundle Edition on the server where OES exists If you install it on a non OE...

Page 162: ...r OES purchase you are entitled to use the Bundle Edition products If you want to add new Integration Modules you also need to purchase Novell Identity Manager The Integration Module cannot activate u...

Page 163: ...services you offer and the ways your configure those services This section can help you understand access control at a high level so that you can plan implement and control access to services More det...

Page 164: ...pport for the HTTP protocol Each workstation type has file access protocols associated with it Linux uses NFS as its native protocol for file services access Macintosh workstations communicate using A...

Page 165: ...ttp www novell com documentation sles10 sles_admin data sles_admin html Aligning NCP and POSIX access rights How to approximate the NCP or NetWare access control model on POSIX file systems Section 17...

Page 166: ...roup can do with a directory or file provided that the directory or file attributes allow the action This is illustrated in Figure 16 2 Figure 16 2 Directory and File Access under the NetWare Access C...

Page 167: ...Attributes can be set by any trustee that has the Modify trustee right to the directory or file The possible actions by the eDirectory users and group shown in this example are as follows Nancy has t...

Page 168: ...l Client Right for Your Network Although Novell offers services that don t require Novell Client such as NetStorage Novell iFolder 3 8 and iPrint many network administrators continue to prefer the Nov...

Page 169: ...gy The impact of this on you as the network administrator is that these users and groups must be enabled for eDirectory LDAP authentication to the local server For more information see Linux User Mana...

Page 170: ...to your printing resources You can also use iPrint to set up print services that don t require authentication NOTE Access control for printers is supported only on the Windows iPrint Client For more...

Page 171: ...protocols each interface supports 3 In the right column view the services available to the interfaces via the protocols Figure 16 3 Access Interfaces and Services and the Protocols That Connect Them...

Page 172: ...e clear access instructions to your network users For a summary of access methods see Appendix E Quick Reference to OES 2 User Services on page 247 16 1 5 Configuring and Administering Access to Servi...

Page 173: ...tees for directories and files on NSS volumes but you can t change them by using a WebDAV connection to NetStorage Using the Novell Client to Change File and Directory Attributes and Trustee Rights Yo...

Page 174: ...and is also documented in Trustee Rights Utility for Linux in the OES 2 SP2 File Systems Management Guide 16 2 Authentication Services This section briefly discusses the following topics Section 16 2...

Page 175: ...log in through a password a fingerprint scan a token a smart card a certificate a proximity card etc You can have users log in through a combination of methods to provide a higher level of security S...

Page 176: ...by default The same policy can be used for both services as shown in Creating a UP Policy to Support Both AFP and CIFS in the OES 2 SP2 Lab Guide for Linux and Virtualized NetWare More information abo...

Page 177: ...n iManager by the Secure Password Manager SPM a component of the NMAS module installed on OES 2 servers All password restrictions and policies expiration minimum length etc are supported All the exist...

Page 178: ...178 OES 2 SP2 Planning and Implementation Guide novdocx en 22 June 2009...

Page 179: ...transfer files to and from OES 2 servers NetWare Core Protocol page 180 Provides NetWare Core ProtocolTM NCPTM access to NCP volumes including NSS volumes that you define on OES 2 server partitions Ne...

Page 180: ...use You can also migrate an existing FTP server configuration from a NetWare server to OES 2 For migration instructions and a brief FAQ see Migrating FTP from NetWare to OES 2 Linux in the OES 2 SP2 M...

Page 181: ...ms Network file access is often confusing and frustrating to users as illustrated in Figure 17 2 Access Methods Authentication NCP Services Access is through an NCP client specifically the Novell Clie...

Page 182: ...cess is critical to those who must travel However access method support varies widely among file service providers Authentication helps protect information assets but having diverse authentication met...

Page 183: ...on illustrated in Figure 17 3 Windows Explorer Browser PDA Access Methods Authentication NetStorage Server eDirectory LDAP OES 2 NetStorage on OES 2 NSS volume NCP volume NetWare Traditional volume CI...

Page 184: ...anted through login script drive mapping NCP server required or through Storage Location Objects File service access is controlled by LDAP based authentication through the eDirectory LDAP server Altho...

Page 185: ...cess to the OES 2 server All file service access is controlled by LDAP based authentication through the eDirectory LDAP server Although shown separately eDirectory could be installed on the OES 2 serv...

Page 186: ...options CIFS Client Access Windows Explorer users can access and modify files on the OES 2 server just as they would on any workgroup server share Web Folder Users can create Web Folders in Windows E...

Page 187: ...led by LDAP based authentication through the eDirectory LDAP server Although shown separately eDirectory could be installed on the OES 2 server Files can be encrypted for transport using SSL connectio...

Page 188: ...e Figure 17 7 Figure 17 7 How Samba on OES Works The following table explains the information illustrated in Figure 17 7 eDirectory LDAP server Samba users are enabled for Linux User Management LUM An...

Page 189: ...kdown Access Methods Authentication File Storage Services eDirectory users on Windows workstations have two native Windows file access options if their eDirectory accounts have been enabled for LUM an...

Page 190: ...sh Chooser NSS volumes Secure LDAP Authentication Novell CIFS Any CIFS client Remote access Web Folders in the Internet Explorer browser Windows Explorer NSS volumes Secure LDAP Authentication Novell...

Page 191: ...r iManager or the nssmu utility to create an NSS volume on an OES 2 server For instructions on how to set up an NSS volume see Managing NSS Volumes in the OES 2 SP2 File Systems Management Guide LUM a...

Page 192: ...nly to other file storage services Novell AFP Allocate enough disk space for the partition containing the home directories to meet your users file storage needs Novell CIFS Allocate enough disk space...

Page 193: ...ss the full range of Novell services such as authentication to eDirectory network browsing and service resolution and secure file system access It supports traditional Novell protocols such as NCP RSA...

Page 194: ...the same basic CIFS connectivity that was previously available only on NetWare No Novell Client softward is required For information on migrating CIFS services from NetWare to OES 2 see Migrating CIF...

Page 195: ...atically navigate to the assigned area and exercise whatever access privileges you have assigned at that level and below You can assign as many trustees with different access privileges as you need On...

Page 196: ...rivate work area on a Linux POSIX volume 1 Make the user is the directory owner For example you could use the chown command to change the owner user chown R user path user_dir where user is the eDirec...

Page 197: ...you could enter chmod R 770 path group_dir where path is the file path to the work area and group_dir is the group work directory The second 7 grants rwx to the group The example assumes that the owne...

Page 198: ...se areas inherit the same permissions as their parent directory For instructions see Configuring Inherit POSIX Permissions for an NCP Volume in the OES 2 SP2 NCP Server for Linux Administration Guide...

Page 199: ...erver navigation for the Pure FTPd server disallow_list_oes_server yes Disables SITE SLIST command for listing OES machines edir_ldap_port 389 eDirectory LDAP port Entry Value Reason Why ChrootEveryon...

Page 200: ...e description Table 17 11 Linux FTP SITE command NOTE All the FTP users needs to be LUM enabled on the FTP server 17 6 NCP Implementation and Maintenance If you have installed the NCP server for OES e...

Page 201: ...hen a Novell Client attaches to the OES 2 server the HOME volume appears along with the SYS volume created by the installation For new eDirectory users If you create an NCP or NSS volume on the server...

Page 202: ...and file systems Some connections are created automatically depending on the OES platform where NetStorage is installed Other connections must be created by the network administrator In summary NetSt...

Page 203: ...le systems is often controlled by other authentication domains For example you might create a storage location on the OES 2 server that points to a legacy NetWare server that resides in a different eD...

Page 204: ...SP2 Lab Guide for Linux and Virtualized NetWare for an introduction to creating and working with eDirectory objects and OES 2 file services including Novell AFP All eDirectory users can access the AFP...

Page 205: ...205 Section 17 10 4 Novell iFolder 3 8 Maintenance on page 206 17 10 1 Managing Novell iFolder 3 8 You manage Novell iFolder through the iFolder Management Console which you can access directly or thr...

Page 206: ...ice by using the instructions in the OES 2 SP2 Installation Guide for a new installation or install it after the initial OES installation as explained in Installing Samba for OES 2 in the OES2 SP2 Sam...

Page 207: ...was available in NetWare 6 5 SP3 and earlier When you upgrade a NetWare server running NetWare Web Search Server to NetWare 6 5 Web Search Server is automatically upgraded to QuickFinder The upgrade...

Page 208: ...208 OES 2 SP2 Planning and Implementation Guide novdocx en 22 June 2009...

Page 209: ...nt Services Novell iPrint lets Linux Macintosh and Windows users Quickly locate network printers through a Web browser Easily install and configure a located printer through a native printer installat...

Page 210: ...the Driver Store and Broker and are not represented by objects in eDirectory Printer Objects These are eDirectory objects you create that store information about the printers available through iPrint...

Page 211: ...thentication for Windows users if needed The option to require authentication is not available for Linux and Macintosh users Although shown separately eDirectory could be installed on the OES 2 server...

Page 212: ...alling and Setting Up iPrint on Your Server in the OES 2 SP2 iPrint for Linux Administration Guide In OES SP2 migrating iPrint services from a NetWare server to an OES 2 server is supported by the OES...

Page 213: ...Creating a Printer in the OES 2 SP2 iPrint for Linux Administration Guide 5 Optional Create location based customized printing Web pages By default each iPrint installation includes the creation of a...

Page 214: ...pdate your iPrint installation to reflect these changes After your installation is completed and users are printing you can monitor print performance by using the information located in Using the Prin...

Page 215: ...so run any of the hundreds of free Web applications that can be downloaded from the Internet Web and application services make it easy to build your own dynamic Web content and create customized Web d...

Page 216: ...216 OES 2 SP2 Planning and Implementation Guide novdocx en 22 June 2009...

Page 217: ...ine documentation 21 1 1 Application Security AppArmor Novell AppArmor provides easy to use application security for both servers and workstations You specify which files a program can read write and...

Page 218: ...vell partners are currently developing applications for use with the NSS Auditing Engine Blue Lance NetVision Symantec Nsure Audit Starter Pack The Novell Audit 2 0 Starter Pack is supported on OES 2...

Page 219: ...ever delete the NICI configuration files unless they are directly told to do so by a member of the NICI development team And in that rare case they should be sure to back up the files before doing so...

Page 220: ...s and files for which they are trustees or members of a group that is a trustee Home directories an example of default accessibility By default all users can see the names of directories and files in...

Page 221: ...h other access protocols for example HTTP or CIFS have no concurrent connection or address restrictions imposed For this reason you probably want to consider not enabling services such as SSH and FTP...

Page 222: ...x Administration Guide Domain Services for Windows Novell DSfW Security Guide Dynamic Storage Technology Security Considerations in the OES 2 SP2 Dynamic Storage Technology Administration Guide eDirec...

Page 223: ...and Security Considerations in the OES 2 SP2 NSS File System Administration Guide Novell iFolder 3 8 Novell iFolder 3 8 Administration Guide OES 2 Installation Security Considerations in the OES 2 SP...

Page 224: ...224 OES 2 SP2 Planning and Implementation Guide novdocx en 22 June 2009...

Page 225: ...o Open Enterprise Server 2 includes solutions that address each of these issues at no additional expense This section discusses the certificate management enhancements available in OES 2 and how simpl...

Page 226: ...What Is Installed Where Key and certificate files are installed in the following locations Table 22 1 File Locations Location Details etc ssl certs This is the default location of trusted root certif...

Page 227: ...rtificate Self Provisioning in the Novell Certificate Server 3 3 2 Administration Guide PKI Health Check The PKI health check runs whenever the certificate server starts If you have enabled Server Sel...

Page 228: ...er Self Provisioning be enabled as follows 1 On the server you are configuring in iManager Roles and Tasks click the Novell Certificate Access Configure Certificate Authority option 2 Click Enable ser...

Page 229: ...7 Click Next 8 Click Save the Exported Certificate and save the file to the local disk noting the filename and location if they are indicated 9 Click Close OK 10 Find the file you just saved By defau...

Page 230: ...rusts certificates from the servers in the tree 22 3 If You Don t Want to Use eDirectory Certificates For most organizations the eDirectory certificate solution in OES 2 is an ideal way to eliminate t...

Page 231: ...l HTTPS services are configured to use eDirectory certificates The current service certificates and configurations are retained Upgrade from OES 2 or OES 2 SP1 The same option is used as when OES 2 wa...

Page 232: ...232 OES 2 SP2 Planning and Implementation Guide novdocx en 22 June 2009...

Page 233: ...ed OES 2 is a set of services that can be either added to an existing server or installed at the same time as SUSE Linux Enterprise Server 10 SP1 After OES 2 services are added we refer to the server...

Page 234: ...234 OES 2 SP2 Planning and Implementation Guide novdocx en 22 June 2009...

Page 235: ...sume that only the IP address of the server is changing They do not cover changing the DNS hostname of the server B 2 Prerequisites Section B 2 1 General on page 235 Section B 2 2 iPrint on page 236 S...

Page 236: ...he root partition of the server you are reconfiguring 3 Open the YaST Control Center 4 In Network Devices select Network Card 5 Confirm that the Old IP address you listed in Section B 2 1 General on p...

Page 237: ...ll OES services 3 Type the Admin password when prompted You might need to wait a few minutes for the LDAP server to restart 4 When the script finishes restart the server by entering the following comm...

Page 238: ...de 2 Regenerate the QuickFinderTM index by completing the instructions in see Creating Indexes in the OES 2 Novell QuickFinder Server 5 0 Administration Guide B 6 2 DHCP 1 Make sure the DHCP configura...

Page 239: ...rch This is the domain name whose IP address is to be changed In this example it is the A record 2a Specify the Host Name using the search feature 2b Select the record and click Modify to change the I...

Page 240: ...136 the new name of the Reverse Lookup object will be 136_103_92_100_in addr_arpa OESSystemObjects nmfrd 3c Click iManager Directory Administration Modify Object Search and select the Reverse Lookup...

Page 241: ...torage 1 At a terminal prompt enter the following commands opt novell xtier bin xsrvcfg D opt novell xtier bin xsrvcfg d newip c AuthenticationContext where newip is the new IP address used throughout...

Page 242: ...242 OES 2 SP2 Planning and Implementation Guide novdocx en 22 June 2009...

Page 243: ...software up to date on all servers and workstations You can install product updates as they are made available through the ZENworks Linux Management update channel For instructions on setting up the Z...

Page 244: ...244 OES 2 SP2 Planning and Implementation Guide novdocx en 22 June 2009...

Page 245: ...t group of users Users control who can participate in an iFolder and their access rights to the files in it Users can also participate in iFolders that others share with them Salvage and Purge By defa...

Page 246: ...ew functionality for OES Most of the SMS coexistence and migration issues are of concern only to backup application developers However administrators should be aware that SMS based applications must b...

Page 247: ...ge The WebDAV URL is case sensitive Novell ClientTM 1 Install the Novell Client on a supported Windows workstation 2 Log in to eDirectoryTM 3 Access NCPTM volumes on NetWare or Linux that you have the...

Page 248: ...248 OES 2 SP2 Planning and Implementation Guide novdocx en 22 June 2009...

Page 249: ...rop down lists in Firefox Also iManager plug ins might not work properly if the highest priority Language setting for your Web browser is set to a language other than one of iManager s support languag...

Page 250: ...SP2 Planning and Implementation Guide novdocx en 22 June 2009 Tomcat Manager Managing Tomcat with Tomcat Admin in the NW 6 5 SP8 Tomcat Administration Guide Management Tool Supported Browser Informat...

Page 251: ...iness SP1 Microsoft Windows Vista Business 64 bit SP1 Microsoft Windows Vista Ultimate SP1 Microsoft Windows Vista Ultimate 64 bit SP1 Microsoft Windows Vista Enterprise SP1 Microsoft Windows Vista En...

Page 252: ...252 OES 2 SP2 Planning and Implementation Guide novdocx en 22 June 2009...

Page 253: ...d restart the Apache Web Server rather than referencing the init script directly Archive and Version Services novell ark This lets you to start stop restart and display the status of the Archive and V...

Page 254: ...e runs inside the novell xsrvd XTier Web Services daemon and also utilizes Tomcat services for certain other functions novell xregd is the init script for starting and stopping XTier s registry daemon...

Page 255: ...ications as configured NTP ntp This is the SLES 10 Network Time Protocol daemon OpenWBEM CIMOM owcimomd This is used to start the OpenWBEM CIMOM daemon which is an integral part of the iManager plug i...

Page 256: ...256 OES 2 SP2 Planning and Implementation Guide novdocx en 22 June 2009...

Page 257: ...s on page 272 Section I 7 System Groups on page 274 Section I 8 Auditing System Users on page 275 I 1 About System Users and Groups Regular network users rely on network services System users and grou...

Page 258: ...servername LUM_Proxy_user System Group Facilitate the management of system users Provide access rights to service data on the server or in the eDirectory tree DHCP DNSDHCP System User The daemons ass...

Page 259: ...ection I 2 3 Which Services Require Proxy Users and Why on page 260 Section I 2 4 What Rights Do Proxy Users Have on page 261 Iprint POSIX iprintgrp eDirectory System Group iPrint LUM proxy optional P...

Page 260: ...l services that were previously only available on NetWare To make its services available on Linux Novell had to accommodate a fundamental difference between the way services run on NetWare and the way...

Page 261: ...nName member Linux User Management LUM_proxy Searches the tree for LUM users NetStorage NetStorage_Proxy The LDAP Admin user is specified by default but another user can be created prior to installing...

Page 262: ...d Service Example Proxy User Name Default Rights Granted AFP AfpProxyUser servername The Universal Password policy associated with the AFP users grants this proxy user the right to retrieve AFP user p...

Page 263: ...hts Browse LDAP ACL representation 1 subtree NetStorage_Proxy All Attributes Rights Read Compare LDAP ACL representation 3 subtree NetStorage_Proxy NSS server_nameadmin Additional eDirectory rights Su...

Page 264: ...Proxy User on page 266 Creation Options Table I 2 presents information about the creation options for each OES proxy user Table I 5 Proxy User Creation Options Associated Service Default Proxy User Na...

Page 265: ...ult the admin account that installs the server is assigned as the DNS proxy user If you want to assign an alternate user account it must already exist in the tree and have Read Write and Browse rights...

Page 266: ...s are assigned as proxy users Novell Support received a call from an administrator who was getting locked out due to intruder detection after changing the administrator password The lockout happened s...

Page 267: ...consumed by default installations would be substantial Therefore large organizations are especially interested in methods for limiting the number of proxy users on their network I 3 3 Limiting the Num...

Page 268: ...ers in a single partition and cross partition access of users to services is rare This is a good approach for organizations where eDirectory administration is done at a partition level This requires t...

Page 269: ...ve and Versioning DNS DHCP LUM and NetStorage this is the only available option and it applies to the other OES services in all but the default per service per server installation scenario It requires...

Page 270: ...se the script provided by Archive and Versioning Services to change the password on the server CIFS This password is stored in either CASA or in an encrypted file depending on the configuration option...

Page 271: ...nding on your needs IMPORTANT The brief instructions that follow assume that you are installing into an existing tree For new trees you will need to install and configure eDirectory on the first serve...

Page 272: ...r Wide Proxy User Do the following 1 Create one proxy user object per OES server preferably in the same container as the server and set the password 2 Use this proxy user and password as the proxy use...

Page 273: ...luster Heartbeat This user is created by Heartbeat but it not used by Heartbeat nor by Novell Cluster Services iprint iPrint The iPrint daemons run as this user If iPrint is moved to NSS this user is...

Page 274: ...SIX iprintgrp eDirectory iPrint The iPrint daemons use the group ID gid of this group to run If iPrint is moved to NSS the iprintgrp group is created in eDirectory ncsgroup NCS ncsclient is a member o...

Page 275: ...mentation sentinel6 for further instructions Privileged User Manager This product lets you monitor root user activities on the OES server by collecting data analyzing keystrokes and creating indelible...

Page 276: ...276 OES 2 SP2 Planning and Implementation Guide novdocx en 22 June 2009...

Page 277: ...the Tree The default is Admin Container Admin eDirectory Admin User These administrators are usually responsible for administering within a partition or subtree They might be assigned only enough righ...

Page 278: ...278 OES 2 SP2 Planning and Implementation Guide novdocx en 22 June 2009...

Page 279: ...ssword policies that govern the users to ensure that they can access the different file services K 2 Concepts and Prerequisites Prerequisites for AFP CIFS and Samba access are explained in the followi...

Page 280: ...These are the contexts under which the user objects will be searched for during an authentication In a name mapped existing tree install if the context resides in a DSfW domain the context can be spe...

Page 281: ...ers on page 281 File Services on page 282 User Access to Services on page 282 Rights Required for Installation and Administration on page 282 Figure K 1 Example 1 Tree Setup The WIDGETS_INC tree has t...

Page 282: ...ces Users from all over the tree can access services running on S1 S9 In order for users to be able to access AFP CIFS services the search contexts eDirectory contexts for these services should be con...

Page 283: ...o widget and is expected to access CIFS services on S8 and S9 K 4 Deployment Guidelines for Different Servers and Deployment Scenarios Section K 4 1 Deployment Scenario 1 Complex Mixed Scenario with a...

Page 284: ...kstation object that represents the domain controller Winbind translates user principles to UIDs for non NSS volumes LUM enabling is not required for non NSS volume access Non DSFW Server If the first...

Page 285: ...ct from the AFP Samba users S7 Use the same procedure as for S5 and S6 To avoid confusion do not use the AFP or CIFS default policy as the Password policy for your common AFP CIFS users If the users a...

Page 286: ...he default password policy provided by CIFS for all the users in this subtree You can create and use a single proxy user password under ou prv o widgets for all the services providing CIFS K 4 3 Deplo...

Page 287: ...enabled to access NSS file services through Samba For a user to access a DSfW server in a different domain the user needs to be a LUM enabled user on the other server DSfW provisioning establishes sh...

Page 288: ...288 OES 2 SP2 Planning and Implementation Guide novdocx en 22 June 2009...

Reviews:

No comments