There Are No Proxy User Impacts On User Connection Licenses; Limiting The Number Of Proxy Users In Your Tree - Novell OPEN ENTERPRISE SERVER - PLANNING AND IMPLEMENTATION GUIDE 12-2010 Implementation Manual


If manually created, proxy users should be configured for OES-rootservice use only by the
YaST-based install, not manually.

The information in these sections only answers security questions and provides general information.
It is not intended to be used for the manual configuration of proxy users.

Avoid Assigning an Admin User As a Proxy User

We recommend that you always use the special-purpose proxy user accounts described in this and
the accompanying sections rather than specifying admin users as proxy users. Best practice dictates
that proxy users have strictly limited functionality that supports only their specific system-level
responsibilities. Proxy users should not be used for any other purposes.
Although specifying an admin user as the proxy user appears to be an easy way of setting up OES
services (and is the install default in some cases if the Common Proxy user option isn't selected),
there are potential problems. Mixing actual users with system-level functionality always creates
some risk.
The following is a real-life example of risks that can occur when admin users are assigned as proxy
users:
Novell Support received a call from an administrator who was getting locked out due to intruder
detection after changing the administrator password. The lockout happened several times each day
and seemed to be coming from the OES 2 servers. The support technician checked LUM and all of
the services he could think of, and didn't see the admin credentials anywhere.
Further investigation revealed that the administrator credentials had been used to install OES 2 on
multiple servers, and the credentials were also used as the proxy user credentials for some of the
OES services. Consequently, the credentials were stored in CASA for use when the OES services
came up.
Because the Admin password had changed, the CASA credentials had expired and service
authentication requests were failing, resulting in the intruder detection lockout.
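
The lockout pattern in the example above can be triaged from authentication records. The following is an added example, not part of the Novell guide: it assumes a hypothetical CSV export of login events (the format, account name, host names and function name are all constructed for illustration) and lists the sources that logged in as the account before the password change and have only failed since.

```python
import csv
import io
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample data in a hypothetical CSV export format; this is not a
# real eDirectory, CASA or OES log format.
SAMPLE_LOG = """\
time,account,source,result
2010-12-01T08:00:00,cn=admin.o=example,oes2-a,success
2010-12-01T08:05:00,cn=admin.o=example,oes2-b,success
2010-12-01T09:00:00,cn=admin.o=example,adminws,success
2010-12-02T10:15:00,cn=admin.o=example,adminws,failure
2010-12-02T10:16:00,cn=admin.o=example,adminws,success
2010-12-02T11:00:00,cn=admin.o=example,oes2-a,failure
2010-12-02T11:00:05,cn=admin.o=example,oes2-a,failure
2010-12-02T11:00:10,cn=admin.o=example,oes2-a,failure
2010-12-02T11:30:00,cn=admin.o=example,oes2-b,failure
2010-12-02T11:30:05,cn=admin.o=example,oes2-b,failure
2010-12-02T11:30:10,cn=admin.o=example,oes2-b,failure
2010-12-02T12:00:00,cn=otheruser.o=example,oes2-a,failure
"""


def stale_credential_sources(log_text, account, changed_at, min_failures=3):
    """Return sources that authenticated as `account` before the password
    change and have only failed since: the signature of a stored credential
    that was never updated (a mistyped password is followed by a success)."""
    before_ok = set()
    after = defaultdict(Counter)  # source -> counts of each result value
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["account"].lower() != account.lower():
            continue
        when = datetime.fromisoformat(row["time"])
        if when < changed_at:
            if row["result"] == "success":
                before_ok.add(row["source"])
        else:
            after[row["source"]][row["result"]] += 1
    return sorted(
        src for src, n in after.items()
        if src in before_ok and n["success"] == 0 and n["failure"] >= min_failures
    )


if __name__ == "__main__":
    changed = datetime(2010, 12, 2, 10, 0, 0)  # constructed password-change time
    print(stale_credential_sources(SAMPLE_LOG, "cn=admin.o=example", changed))
```

On the constructed data the two server sources are reported, while the workstation that failed once and then succeeded is not.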

I.4.2 There Are No Proxy User Impacts on User Connection Licenses

Novell policy dictates that proxy users that function only as proxy users are simply system users.
Therefore, proxy users do not consume user connection licenses.

I.4.3 Limiting the Number of Proxy Users in Your Tree

Table I-6 outlines various options for limiting the number of proxy users in your tree and
summarizes the security and manageability considerations of each approach.

274 OES 2 SP3: Planning and Implementation Guide
