Password Management And Proxy Users - Novell OPEN ENTERPRISE SERVER - PLANNING AND IMPLEMENTATION GUIDE 12-2010 Implementation Manual

Planning and implementation guide

| Approach | Security Considerations | Manageability Considerations |
|---|---|---|
| Per Service | This confines any security vulnerabilities to individual services. It also ensures that proxy user rights are not overloaded but are distributed so that there is a single proxy user for each type of service. | For example, you might have one proxy user for CIFS, one for DNS/DHCP, one for iFolder, one for iPrint, etc. This is useful in trees where the users and servers are not co-located, and different services are administered by different administrators. This requires that a proxy user for the service is created before the service is installed in the tree. The install admin must know the proxy user's password. |
| Per Tree | This exposes all OES services and servers in the tree to any security vulnerabilities. | A proxy user for the tree must be created before any OES services are installed in the tree. This is suitable for organizations that have centralized eDirectory administration and users that are not confined to the partition or subtree where the OES servers reside, but instead access different OES servers from all over the tree. The install admin must know the proxy user's password. |

I.4.4 Password Management and Proxy Users

Proxy user passwords must be stored on the individual OES servers where the services are installed because proxy users must be able to log in to eDirectory to perform their required functions.

"Auto-Generated vs. Specified Passwords" on page 276
"Passwords Are Stored on the Server" on page 276
"Avoid Password Expiration Problems" on page 277
"Changing Proxy Passwords Automatically" on page 278

Auto-Generated vs. Specified Passwords

Auto-Generated Passwords: Common Proxy User, CIFS, iFolder 3, NSS, and Samba use auto-generated passwords by default. This offers the highest security because the passwords are known only to the system, and with the improvements in SP3, this option allows multiple usage of proxy users.

Manually Specified Passwords: This can be done for Archive and Versioning, DNS, DHCP, LUM, and NetStorage. However, it is not recommended because it requires that someone keep track of the proxy user names and passwords for installation purposes and can easily lead to problems, such as service disruption. For a related example of the problems this can cause, see "Avoid Assigning an Admin User As a Proxy User" on page 274.

Passwords Are Stored on the Server

Of course all proxy user passwords are stored in eDirectory. Table I-7 explains where they are stored on the server and how they can be reset if needed.

276 OES 2 SP3: Planning and Implementation Guide
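The per-service versus per-tree comparison and the password guidance above can be checked against a deployment inventory. The following is an added example, not part of Novell's guide: it reports proxy users shared across service types, manually specified passwords, and admin users acting as proxy users. The CSV layout, the DN values and the names `load`, `exposure` and `findings` are assumptions made for this illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample inventory (not from the guide): one row per installed service.
INVENTORY = """server,service,proxy_dn,password_mode
oes1,CIFS,cn=cifsProxy.o=acme,auto
oes1,DNS,cn=dnsdhcpProxy.o=acme,manual
oes2,DHCP,cn=dnsdhcpProxy.o=acme,manual
oes2,iFolder 3,cn=sharedProxy.o=acme,auto
oes3,NSS,cn=sharedProxy.o=acme,auto
oes3,NetStorage,cn=admin.o=acme,manual
"""

# The guide's per-service example uses one proxy user for DNS/DHCP: count them as one type.
SERVICE_TYPE = {"DNS": "DNS/DHCP", "DHCP": "DNS/DHCP"}

def load(text):
    """Parse the CSV inventory (assumed layout) into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))

def exposure(rows):
    """Map each proxy user to the service types, servers and password modes tied to it."""
    exp = defaultdict(lambda: {"services": set(), "servers": set(), "modes": set()})
    for r in rows:
        e = exp[r["proxy_dn"].lower()]
        e["services"].add(SERVICE_TYPE.get(r["service"], r["service"]))
        e["servers"].add(r["server"])
        e["modes"].add(r["password_mode"])
    return dict(exp)

def findings(rows, admin_dns):
    """Return sorted (code, proxy_dn, detail) tuples for the risks the guide describes."""
    admins = {d.lower() for d in admin_dns}
    out = []
    for dn, e in exposure(rows).items():
        if len(e["services"]) > 1:  # shared: a compromise reaches every listed service
            out.append(("SHARED", dn, f"{sorted(e['services'])} on {sorted(e['servers'])}"))
        if "manual" in e["modes"]:  # someone has to track this password by hand
            out.append(("MANUAL_PASSWORD", dn, "password was specified at install"))
        if dn in admins:  # the guide advises against an admin user as proxy user
            out.append(("ADMIN_AS_PROXY", dn, "admin user assigned as proxy user"))
    return sorted(out)

if __name__ == "__main__":
    for code, dn, detail in findings(load(INVENTORY), ["cn=admin.o=acme"]):
        print(f"{code:16} {dn:26} {detail}")
```

In a tree that deliberately uses the per-tree approach, the `SHARED` rows are expected and serve as the list of services and servers exposed together.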
