OES users are all stored as objects within eDirectory. In addition to replicating these objects across servers and providing basic account authentication services, eDirectory provides a solid security model that includes such things as trustee assignments, administrative roles, inherited rights, and rights filters. Understanding user-related objects, as well as the security model provided by eDirectory, is critical to implementing a secure user environment. There are three main eDirectory objects that are used to organize your network users. You can use iManager to create and manage each of these types of objects (for more information on iManager, see Chapter 5, "OES Management Tools"):
These objects form the foundation from which eDirectory-based network services and privileges are ultimately delivered. After all, user-related objects define the human elements of your network. Immediately after a new OES Linux and eDirectory installation, the only eDirectory User object that exists is Admin (the root user does exist, but it is stored as a local Linux user rather than within eDirectory). Although it might be comforting to think of a network of one, you are going to have to create user accounts for every one of your users. After user accounts have been created, your users can begin working on the network. In most cases, users on a network will notice very little difference from working on a standalone computer. They still use the applications they were using before. They still open, save, and delete files the same way. They can still play the same games, but only if you let them! And that's the goal of network security: to prevent users from taking some action, either unintentionally or intentionally, that might compromise the integrity of the network or expose network resources in a way that could harm the network or the organization. There are several levels of network security in today's networks, and OES Linux gives you a great deal of control over each.
The User Object
To create an eDirectory User object, complete the following steps:
NOTE More information on Samba and LUM is available in the "Provisioning Linux Users" section later in this chapter. If you plan to assign certain identical properties to many of your users, you can use a User Template object. The Template object will automatically apply default properties to any new user you create using the template. However, it does not apply those properties to any users who existed before you created the user template. Network administrators often use a template to automatically grant default eDirectory and file-system rights to users. To create a User Template object, complete these steps:
After you have created the User Template object, you configure any of the common characteristics you want assigned to all users you create. To do this in iManager, browse to and select the object in the left frame. Modify the template by selecting the appropriate task and providing the desired information. You will specify most of the template information in the Modify Object and the Rights to Other Objects tasks.
NOTE Template objects cannot be used to automatically create LUM and Samba accounts for new users.
The Group Object
Group objects are used to apply a common set of trustee rights to different User objects. User objects assigned to a group are made security equivalent to that group, meaning that any rights given to the Group object will also be applied to each of its member users. When using LUM, groups are also used to provide a user's primary group for file ownership on the Linux filesystem. A primary group is required for all users within the LUM system. Creating a group is very similar to creating a user. Complete the following steps to create a group and assign group membership to a user.
NOTE More information on the Linux Config object, Linux Workstations, and other LUM objects and attributes is available later in this chapter.
The Organizational Role
Organizational roles function like groups of one. (They can have multiple occupants for process redundancy.) They use explicit security equivalence to provide specific rights to a user who needs to be able to perform a specific task. Organizational roles are generally used to grant some degree of administrative capability for a tree or branch of the tree. Although similar in some respects, an organizational role should not be confused with the role-based services of iManager. The iManager roles are much more flexible in their application than organizational roles. For more information on iManager roles, see Chapter 5. Complete the following steps to create an organizational role and assign occupancy to a user:
After you have created the organizational role, you can assign any User object to an organizational role to grant specific rights related to specific responsibilities within your organization.
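The security model sketched at the start of this section (trustee assignments, inherited rights, rights filters) and the security equivalence that Group objects and organizational roles rely on can be hard to reason about from the iManager screens alone. The following Python model is an added illustration written for this page; it is not eDirectory code and not taken from the book. It simulates how a user's effective object rights on a target are derived: for each object the user is security equivalent to (itself, the containers above it, and every Group or Organizational Role that lists it), rights are walked from the top of the tree down to the target, an Inherited Rights Filter (IRF) at each level masks what is inherited, an explicit trustee assignment at a level replaces what was inherited, and the results for all equivalences are combined. The tree, the DNs (acme, eng, hr, alice, bob, carol, helpdesk, engAdmin) and the assignments are constructed for the example. Simplifications assumed here: only object (entry) rights are modelled, not property rights or the Inheritable flag; [Root] and [Public] are omitted; every assignment is treated as inheritable; and the IRF filters any inherited right, including Supervisor.

```python
"""Simplified model of how eDirectory derives a user's effective object rights
from trustee assignments, inheritance, Inherited Rights Filters (IRFs) and
security equivalence to groups, organizational roles and containers.
Added illustration, not eDirectory code; all DNs below are constructed."""
from dataclasses import dataclass, field

# eDirectory object (entry) rights, abbreviated the way iManager shows them.
SUPERVISOR, BROWSE, CREATE, DELETE, RENAME = "S", "B", "C", "D", "R"
ALL_RIGHTS = frozenset({SUPERVISOR, BROWSE, CREATE, DELETE, RENAME})


def expand(rights):
    """Supervisor implies every other object right."""
    rights = frozenset(rights)
    return ALL_RIGHTS if SUPERVISOR in rights else rights


@dataclass
class Entry:
    dn: str
    kind: str                                     # "container", "user", "group" or "role"
    trustees: dict = field(default_factory=dict)  # trustee DN -> explicit object rights
    irf: frozenset = ALL_RIGHTS                   # IRF: rights allowed to be inherited from above
    members: set = field(default_factory=set)     # group members or role occupants (user DNs)


class Tree:
    def __init__(self):
        self.entries = {}

    def add(self, entry):
        self.entries[entry.dn] = entry
        return entry

    @staticmethod
    def parent_dn(dn):
        # Typed, comma-separated DNs: "CN=alice,OU=eng,O=acme" -> "OU=eng,O=acme"
        _, sep, rest = dn.partition(",")
        return rest if sep else None

    def path(self, dn):
        """Entries from the top of the tree down to dn ([Root] is omitted in this model)."""
        chain = []
        while dn is not None:
            chain.append(self.entries[dn])
            dn = self.parent_dn(dn)
        return chain[::-1]

    def security_equivalences(self, user_dn):
        """The user itself, every container above it, and every Group or
        Organizational Role that lists it (explicit security equivalence)."""
        equivalents = [e.dn for e in self.path(user_dn)]
        equivalents += [e.dn for e in self.entries.values()
                        if e.kind in ("group", "role") and user_dn in e.members]
        return equivalents

    def rights_via(self, trustee_dn, target_dn):
        """Walk top-down to the target: inherited rights pass through each level's
        IRF, and an explicit assignment at a level replaces what was inherited."""
        rights = frozenset()
        for entry in self.path(target_dn):
            rights &= entry.irf
            if trustee_dn in entry.trustees:
                rights = expand(entry.trustees[trustee_dn])
        return rights

    def effective_rights(self, user_dn, target_dn):
        """Union of the rights that each security equivalence carries to the target."""
        result = frozenset()
        for equivalent in self.security_equivalences(user_dn):
            result |= self.rights_via(equivalent, target_dn)
        return result


def build_sample_tree():
    """Constructed sample: the helpdesk Group is a trustee of O=acme with Browse
    and Rename; the engAdmin Organizational Role has Supervisor over OU=eng;
    OU=hr carries an IRF that lets only Browse inherit."""
    t = Tree()
    t.add(Entry("O=acme", "container"))
    t.add(Entry("OU=eng,O=acme", "container"))
    t.add(Entry("OU=hr,O=acme", "container", irf=frozenset({BROWSE})))
    alice = t.add(Entry("CN=alice,OU=eng,O=acme", "user"))
    bob = t.add(Entry("CN=bob,OU=eng,O=acme", "user"))
    t.add(Entry("CN=carol,OU=hr,O=acme", "user"))
    helpdesk = t.add(Entry("CN=helpdesk,OU=eng,O=acme", "group",
                           members={alice.dn, bob.dn}))
    engadmin = t.add(Entry("CN=engAdmin,OU=eng,O=acme", "role", members={alice.dn}))
    t.entries["O=acme"].trustees[helpdesk.dn] = {BROWSE, RENAME}
    t.entries["OU=eng,O=acme"].trustees[engadmin.dn] = {SUPERVISOR}
    return t


if __name__ == "__main__":
    tree = build_sample_tree()
    for user in ("CN=alice,OU=eng,O=acme", "CN=bob,OU=eng,O=acme"):
        for target in ("OU=eng,O=acme", "OU=hr,O=acme", "CN=carol,OU=hr,O=acme"):
            print(f"{user:26} -> {target:24} {sorted(tree.effective_rights(user, target))}")
```

Running the model shows the points the section makes: bob, who is only a helpdesk member, gets Browse and Rename over OU=eng purely through group membership; alice gets Supervisor over OU=eng and everything beneath it because occupancy of the engAdmin role makes her security equivalent to it; and under OU=hr both users drop to Browse alone because the IRF strips the inherited Rename. Removing alice from the role's occupant list takes the Supervisor right away again, which is the practical reason roles rather than direct per-user assignments are the preferred way to hand out administrative capability over a branch.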