eDirectory User-Related Objects


OES users are all stored as objects within eDirectory. In addition to replicating these objects across servers and providing basic account authentication services, eDirectory provides a solid security model that includes such things as trustee assignments, administrative roles, inherited rights, and rights filters. Understanding user-related objects, as well as the security model provided by eDirectory, is critical to implementing a secure user environment.

There are three main eDirectory objects that are used to organize your network users. You can use iManager to create and manage each of these types of objects (for more information on iManager, see Chapter 5, "OES Management Tools"):

  • User object

  • Group object

  • Organizational role

These objects form the foundation from which eDirectory-based network services and privileges are ultimately delivered. After all, user-related objects define the human elements of your network. Immediately after a new OES Linux and eDirectory installation, the only eDirectory User object that exists is Admin (root exists too, but as a local Linux account in /etc/passwd rather than as an object in eDirectory). Although it might be comforting to think of a network of one, you are going to have to create user accounts for every one of your users. After user accounts have been created, your users can begin working on the network. In most cases, users on a network will notice very little difference from working on a standalone computer. They still use the applications they were using before. They still open, save, and delete files the same way. They can still play the same games, but only if you let them!

And that's the goal of network security: to prevent users from taking some action, either unintentionally or intentionally, that might compromise the integrity of the network or expose network resources in such a way that can cause harm to the network or the organization. There are several levels of network security in today's networks, and OES Linux gives you a great deal of control over each.

The User Object

To create an eDirectory User object, complete the following steps:

1. Launch iManager. In the Navigation frame, open the Users group and select Create User (see Figure 8.1).

Figure 8.1. Creating a new user in iManager.


2. Specify the desired information and click OK. Pay particular attention to the following fields:

  • Username (Required) Enter the desired login name for this user. This is the name the user will enter when he or she authenticates to eDirectory.

  • Last Name (Required) Specify the last name of this user. Surname is a mandatory attribute of the eDirectory User class, and name-based searches of eDirectory rely on it.

  • Context Specify the container in which the User object should be created.

  • Password Specify a password for the user.

    WARNING

    It is possible to create an eDirectory User object without a password, but it is highly discouraged: an account with no password authenticates anyone who knows the username, so every right granted to that object is available without a credential check. Always set an initial password when you create the account.

  • Create Home Directory If desired, specify a directory on an NSS volume to use as a home directory for the new user.

NOTE

The Create Home Directory option does not create a directory used as a home directory for LUM users. Home directories for LUM users will always be located beneath the /home directory.

3. After creating the eDirectory user account, you are prompted to enable the newly created user as a LUM user. If you plan to use Linux User Management (LUM) or Samba, fill out this screen. The following fields are available, as shown in Figure 8.2:

  • Primary Group (Required) Enter the primary LUM group for the user. All Linux users must be associated with a Linux group. By default, a Linux group called lumgroup is created for this purpose.

  • Desired Shell Type (Required) Enter the default Linux shell for the LUM user. This field defaults to /bin/bash, which is a good choice for most general purposes.

  • Enable This User for LDAP (eDirectory) Authentication to Samba If this user will also be accessing server resources via Samba, select this check box to enable Samba Authentication.

Figure 8.2. Adding LUM and Samba attributes to new users.


NOTE

More information on Samba and LUM is available in the "Provisioning Linux Users" section later in this chapter.
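The User object and its LUM attributes can also be created from the OES Linux command line, which is the natural route when provisioning many users at once. The following is an added example and is not code from the book or from Novell: a POSIX shell function that emits the LDIF for a user in the inetOrgPerson/posixAccount form that eDirectory's LDAP server accepts, and a wrapper that loads it with ldapadd over StartTLS. The tree layout (ou=users,o=acme), the server name oes1.acme.example, the LUM gidNumber and the uidNumber values are assumptions; the object classes and attribute names are the ones eDirectory exposes through LDAP. In keeping with the warning above, the function refuses to emit a record with an empty password.

```shell
#!/bin/sh
# Added example, not from the book: create an eDirectory User object with LUM
# attributes from the command line instead of iManager.
# Assumed tree layout: users live in ou=users,o=acme; server oes1.acme.example.

LUM_GID=${LUM_GID:-1000}   # gidNumber of the LUM primary group (assumed value)

# user_ldif LOGIN SURNAME GIVENNAME UIDNUMBER PASSWORD
# Prints one LDIF record on stdout.  eDirectory maps the User class to
# inetOrgPerson over LDAP (sn is mandatory, which is why iManager requires
# Last Name); posixAccount carries the attributes set on the "enable for LUM"
# screen.  An empty password is rejected rather than producing a passwordless
# account.
user_ldif() {
  login=$1; sn=$2; gn=$3; uidn=$4; pw=$5
  if [ -z "$login" ] || [ -z "$sn" ] || [ -z "$uidn" ]; then
    echo "user_ldif: login, surname and uidNumber are required" >&2
    return 1
  fi
  if [ -z "$pw" ]; then
    echo "user_ldif: refusing to create $login without a password" >&2
    return 1
  fi
  cat <<EOF
dn: cn=$login,ou=users,o=acme
objectClass: inetOrgPerson
objectClass: posixAccount
cn: $login
sn: $sn
givenName: $gn
uid: $login
uidNumber: $uidn
gidNumber: $LUM_GID
homeDirectory: /home/$login
loginShell: /bin/bash
userPassword: $pw
EOF
}

# load_ldif: read LDIF on stdin and add it to the tree.  -ZZ makes ldapadd
# fail unless StartTLS succeeds, so the userPassword value never crosses the
# network in clear; -W prompts for the Admin password instead of taking it
# on the command line.
load_ldif() {
  ldapadd -x -H ldap://oes1.acme.example -ZZ -D "cn=admin,o=acme" -W
}

# Usage:
#   user_ldif jdoe Doe Jane 1001 "$(cat /root/jdoe.initial-pw)" | load_ldif
```

Two practical notes. First, read the initial password from a file or a prompt rather than typing it as a literal argument in an interactive shell, where it would be recorded in the shell history and be visible in the process list. Second, adding posixAccount attributes over LDAP does not associate the account with a Linux Config or Linux Workstation object the way the iManager LUM screen does through the primary group; that association is covered later in this chapter, and OES also ships LUM command-line utilities (namuseradd, namgroupadd) for it.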


If you plan to assign certain identical properties to many of your users, you can use a User Template object. The Template object will automatically apply default properties to any new user you create using the template. However, it does not apply those properties to any users who existed before you created the user template. Network administrators often use a template to automatically grant default eDirectory and file-system rights to users.

To create a User Template object, complete these steps:

1. From iManager, select the View Objects icon in the Header frame.

2. In the Navigation frame, click any container object and choose Create Object from the task list.

3. Select Template from the list of available objects and click OK.

4. Specify the name of the Template object and the context in which it should be created, and click OK.

After you have created the User Template object, you configure any of the common characteristics you want assigned to all users you create. To do this in iManager, browse to and select the object in the left frame. Modify the template by selecting the appropriate task and providing the desired information. You will specify most of the template information in the Modify Object and the Rights to Other Objects tasks.

NOTE

Template objects cannot be used to automatically create LUM and Samba accounts for new users.


The Group Object

Group objects are used to apply a common set of trustee rights to different User objects. User objects assigned to a group are made security equivalent to that group, meaning that any rights given to the Group object will also be applied to each of its member users.

When using LUM, groups are also used to provide a user's primary group for file ownership on the Linux filesystem. A primary group is required for all users within the LUM system.

Creating a group is very similar to creating a user. Complete the following steps to create a group and assign group membership to a user.

1. Launch iManager and select the View Objects icon in the Header frame.

2. In the Navigation frame, browse to and select a container object and choose Create Group from the task list.

3. Specify the name of the Group object and the context in which it should be created, and click OK.

4. Click Modify to access the Group object properties pages. From there you can provide any object-specific information and add members to the group by selecting the Members link. Click OK when finished to save the Group properties.

5. After creating the eDirectory group, you are prompted to enable the newly created group as a LUM group. If you plan to use LUM, fill out this screen. To create a LUM group, one of the following fields must be filled out:

  • Linux Config Object To associate the group with all defined Linux Workstations, select this radio button and enter the Linux Config object in the corresponding field.

  • Linux Workstation Object(s) To associate the group with one or more specific Linux Workstations, select this radio button and enter the Linux Workstation object or objects in the corresponding field.

NOTE

More information on the Linux Config object, Linux Workstations, and other LUM objects and attributes is available later in this chapter.


The Organizational Role

Organizational roles function like groups of one. (They can have multiple occupants for process redundancy.) They use explicit security equivalence to provide specific rights to a user who needs to be able to perform a specific task. Organizational roles are generally used to grant some degree of administrative capability for a tree or branch of the tree. Although similar in some respects, an organizational role should not be confused with the role-based services of iManager. The iManager roles are much more flexible in their application than organizational roles. For more information on iManager roles, see Chapter 5.

Complete the following steps to create an organizational role and assign occupancy to a user:

1. Launch iManager and select the View Objects icon in the Header frame.

2. In the Navigation frame, browse to and select a container object and choose Create Object from the task list.

3. Select Organizational Role from the list of available objects and click OK.

4. Specify the name of the Organizational Role object and the context in which it should be created, and click OK.

5. Click Modify to access the Organizational Role object properties pages. From there you can provide any object-specific information and specify the occupant of the Organizational Role. Click OK when finished to save the Organizational Role properties.

After you have created the organizational role, you can assign any User object to an organizational role to grant specific rights related to specific responsibilities within your organization.
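The Group and Organizational Role procedures above also have a command-line equivalent, and the security equivalence that both rely on can be audited over LDAP. This is an added example and not code from the book or from Novell: shell functions that emit LDIF for a Group (groupOfNames plus the posixGroup attributes LUM needs) and for an Organizational Role (organizationalRole with roleOccupant values), and an awk-based check that reads ldapsearch output and lists what each user is security equivalent to, flagging anyone directly equivalent to Admin. The tree layout (o=acme with ou=users and ou=groups), the object names and the sample ldapsearch output are constructed assumptions; the attribute names (member, roleOccupant, securityEquals) are the ones eDirectory exposes through LDAP.

```shell
#!/bin/sh
# Added example, not from the book: Group and Organizational Role objects as
# LDIF, plus an audit of security equivalence from ldapsearch output.
# Assumed tree layout: o=acme with ou=users and ou=groups.

# group_ldif NAME GIDNUMBER MEMBER_DN...
# groupOfNames is the LDAP form of the eDirectory Group class; posixGroup adds
# the gidNumber that the "enable as LUM group" screen sets.  Each member gets a
# member: value; eDirectory records the reciprocal groupMembership and
# securityEquals values on the user, which is what "security equivalent" means.
group_ldif() {
  name=$1; gidn=$2
  [ -n "$name" ] && [ -n "$gidn" ] || { echo "group_ldif: name and gidNumber required" >&2; return 1; }
  shift 2
  printf 'dn: cn=%s,ou=groups,o=acme\n' "$name"
  printf 'objectClass: groupOfNames\nobjectClass: posixGroup\n'
  printf 'cn: %s\ngidNumber: %s\n' "$name" "$gidn"
  for m in "$@"; do printf 'member: %s\n' "$m"; done
}

# role_ldif NAME OCCUPANT_DN...
# Organizational Role maps to organizationalRole; occupants are roleOccupant
# values and become security equivalent to the role.
role_ldif() {
  name=$1
  [ -n "$name" ] || { echo "role_ldif: name required" >&2; return 1; }
  shift
  printf 'dn: cn=%s,o=acme\nobjectClass: organizationalRole\ncn: %s\n' "$name" "$name"
  for o in "$@"; do printf 'roleOccupant: %s\n' "$o"; done
}

# equivalences USER_CN   (ldapsearch LDIF on stdin)
# Prints every DN the named user is security equivalent to.  Produce the input with
#   ldapsearch -x -ZZ -H ldap://oes1.acme.example -D cn=admin,o=acme -W \
#       -o ldif-wrap=no -b ou=users,o=acme '(objectClass=inetOrgPerson)' securityEquals
# (-o ldif-wrap=no keeps long DNs on one line, which the awk below assumes).
equivalences() {
  awk -v want="dn: cn=$1," '
    /^dn: /                       { inuser = (index($0, want) == 1) }
    inuser && /^securityEquals: / { print substr($0, 17) }
  '
}

# admin_equivalents   (same input on stdin)
# Lists users that are directly security equivalent to Admin: each of them holds
# every right Admin holds, so this list should be short and deliberate.
admin_equivalents() {
  awk '
    /^dn: /                             { dn = substr($0, 5) }
    /^securityEquals: cn=admin,o=acme$/ { print dn }
  '
}

# Constructed sample of ldapsearch output (not captured from a real tree).
SAMPLE='dn: cn=jdoe,ou=users,o=acme
cn: jdoe
securityEquals: cn=finance,ou=groups,o=acme
securityEquals: cn=Backup Operator,o=acme

dn: cn=bsmith,ou=users,o=acme
cn: bsmith
securityEquals: cn=finance,ou=groups,o=acme
securityEquals: cn=admin,o=acme'

# Usage:
#   group_ldif finance 2001 cn=jdoe,ou=users,o=acme cn=bsmith,ou=users,o=acme | ldapadd -x -ZZ ...
#   role_ldif 'Backup Operator' cn=jdoe,ou=users,o=acme | ldapadd -x -ZZ ...
#   printf '%s\n' "$SAMPLE" | equivalences jdoe       # the two DNs jdoe inherits from
#   printf '%s\n' "$SAMPLE" | admin_equivalents       # cn=bsmith,ou=users,o=acme
```

The audit only covers explicit securityEquals values; every object is also implicitly equivalent to its parent containers and to [Public], so a user with an empty securityEquals list is not rightless, only free of group and role grants. Run the ldapsearch with an account that can read securityEquals (Admin or a role granted Read on that attribute), and treat any unexpected entry in the admin_equivalents output as an incident to investigate, since it is the eDirectory equivalent of an extra root account.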



    Novell® Open Enterprise Server Administrator's Handbook, SUSE LINUX Edition
    ISBN: 067232749X
    Year: 2005
    Pages: 178
