Novell iFolder 3.7 Security Administration Guide: Ensuring Privilege Separation for the iFolder Proxy User; Using Synchronize Now to Remove Users; Controlling Access to the iFolder Data Store; Controlling Access to the iFolder Server Configuration Files

2.10 Ensuring Privilege Separation for the iFolder Proxy User

The iFolder Proxy user is a proxy identity that the iFolder server uses to bind to the LDAP server and retrieve the list of authorized users. The proxy user is created automatically when you configure the iFolder enterprise server in YaST. Its username is predetermined (hard-coded) on the system; for most deployments it should never change.

Make sure that the account assigned as the iFolder Proxy user is different from the account used for the iFolder Admin user and from other system users. Keeping the proxy user separate from the administrator provides privilege separation: the proxy identity needs only enough LDAP access to read the user list, so a compromise of that account should not also grant administrative rights over iFolder.

The proxy user password is auto-generated and stored briefly in the /<data path>/simias/.simias.ppf file on the iFolder server. This file is created during configuration of the iFolder enterprise server and is removed when the server starts for the first time: a restart of Apache is forced at the end of the configuration process, which in turn starts the iFolder service. During that initial startup, the iFolder process reads the file, encrypts the password with the iFolder server's public key, stores the result in the server's Simias database, and then removes the password from the file.

2.11 Using Synchronize Now to Remove Users

The iFolder user and group list is refreshed periodically, at the LDAP synchronization interval. Until the next scheduled synchronization, a removal made in LDAP is not yet reflected in iFolder. Whenever you remove users or groups from an LDAP Search DN, or remove contexts from the Search DN list, synchronize the list immediately with the Synchronize Now option on the server details page of the iFolder Web Admin console so that your changes take effect at once.

2.12 Controlling Access to the iFolder Data Store

By default, the iFolder server stores the database and user files under the /<data path>/simias directory. By default those files are owned by the Apache server user, wwwrun. Take every precaution to avoid inadvertently assigning rights on them to unauthorized users.
2.13 Controlling Access to the iFolder Server Configuration Files

The iFolder server stores its configuration files in the /<data path>/simias directory. The Apache server user wwwrun owns the configuration files. Take every precaution to avoid inadvertently assigning rights on them to unauthorized users.
2.14 Controlling Access to and Backing Up the iFolder Audit Logs

By default, the iFolder server stores the audit logs in the /<data path>/simias/logs directory. The iFolder server administrator should ensure that rights on the logs are not inadvertently assigned to unauthorized users. Administrators should also periodically back up the rolled-over logs in case they are ever needed for forensic purposes, and should monitor the audit logs periodically.

For information, see "Managing the Simias Log and Simias Access Log" in the OES 2 SP1: Novell iFolder 3.7 Administration Guide.
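The access checks that sections 2.12 to 2.14 ask for, plus the check that the .simias.ppf password file from section 2.10 is gone after first start, as an added POSIX shell example. This is not code from the Novell guide or from the iFolder product. The Simias directory is passed as an argument because the guide only writes it as /<data path>/simias and no real path is assumed here; wwwrun is the Apache user the guide names; the function names are my own. Run it as root on the iFolder server.

```shell
#!/bin/sh
# Added example, not part of the Novell guide: audit the Simias directory for
# rights inadvertently assigned to unauthorized users, and confirm that the
# proxy-user password file has been removed after first start.
# Assumptions: the Simias directory is given as $1 (the guide writes it as
# /<data path>/simias; the real path is not guessed here) and the Apache
# user as $2 (wwwrun on OES, per the guide).

# List every path under $1 that is not owned by $2, or that "other" can read,
# write or traverse. Returns 0 when the tree is clean, 1 when it is not,
# 2 when $1 is not a directory.
check_simias_access() {
    dir=$1
    owner=$2
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    findings=$(
        # owned by someone other than the Apache user
        find "$dir" ! -user "$owner" -exec printf 'wrong-owner %s\n' {} \;
        # any "other" bit set (octal masks: 004 read, 002 write, 001 exec)
        find "$dir" \( -perm -004 -o -perm -002 -o -perm -001 \) \
             -exec printf 'world-accessible %s\n' {} \;
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# The auto-generated proxy password lives in .simias.ppf only until the first
# start of the iFolder service. If the file is still present, the service has
# not started (or failed to remove it) and the password is still on disk.
# Returns 0 when the file is gone, 1 when it still exists.
check_ppf_removed() {
    dir=$1
    if [ -e "$dir/.simias.ppf" ]; then
        echo "proxy password file still present: $dir/.simias.ppf" >&2
        return 1
    fi
    return 0
}

# Strip every "other" bit from the tree and, when running as root, return
# ownership to the Apache user. chown is skipped for non-root callers so the
# function can be dry-run on a copy of the tree.
harden_simias_access() {
    dir=$1
    owner=$2
    chmod -R o-rwx "$dir"
    if [ "$(id -u)" -eq 0 ]; then
        chown -R "$owner" "$dir"
    fi
}

# Stand-alone use:  sh audit_simias.sh "/<data path>/simias" wwwrun
if [ $# -eq 2 ]; then
    check_ppf_removed "$1"
    check_simias_access "$1" "$2" || harden_simias_access "$1" "$2"
fi
```

The audit deliberately reports rather than repairs: an unexpected owner on part of the tree usually means someone restored a backup or copied files as root, and that is worth looking at before chown rewrites the evidence. Run harden_simias_access only once you are satisfied the findings are accidental.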
OES 2 SP1 Linux: Novell iFolder 3.7 Security Administration Guide
