Environment
Products:
Novell eDirectory 8.8 for All Platforms
Novell Open Enterprise Server 2 (OES 2)
Configuration:
eDirectory services installed on OES2 server.
Situation
Several user accounts are created in eDirectory during the installation of eDirectory on an OES2 server. Based on security policies within the organization, all user accounts must have a password expiration date set.
Resolution
Because password expiration on these accounts has a detrimental impact on the system services, it is recommended that these accounts be excluded from password expiration policies.
Additional Information
1) The OES2 server installation creates the following system accounts in eDirectory:
Name (Service)
iFolderProxy (iFolder)
novlxregd (XTier Registry Daemon)
novlxsrvd (XTier service)
wwwrun (Apache)
server_nameadmin (Novell Storage Services)
server-name-SambaProxy (Samba)
If the passwords on these system accounts expire then the services that require them will fail to operate properly. The passwords for these accounts are set at account creation and there is no mechanism for an administrator to change the password. There is also no mechanism for alerting an administrator that the password has expired.
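An added example, not part of the original TID or Novell's tooling: a Python check over an LDIF export that flags any of the system accounts listed above that carry password expiration attributes. It assumes the export uses the eDirectory LDAP attribute names passwordExpirationTime and passwordExpirationInterval; the server name oes1, the tree o=acme and the sample entries are constructed.

```python
import base64

EXPIRY_ATTRS = ("passwordexpirationtime", "passwordexpirationinterval")  # assumed LDAP names

def system_account_names(server):
    """CNs of the system accounts listed in this TID for one server name."""
    names = ["iFolderProxy", "novlxregd", "novlxsrvd", "wwwrun",
             f"{server}admin", f"{server}-SambaProxy"]
    return {n.lower() for n in names}

def parse_ldif(text):
    """Minimal LDIF reader: unfolds continuation lines, decodes 'attr:: base64'."""
    unfolded = text.replace("\r\n", "\n").replace("\n ", "")
    for block in unfolded.split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            attr, _, value = line.partition(":")
            if value.startswith(":"):
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
        if "dn" in entry:
            yield entry

def audit(ldif_text, server):
    """Return {dn: [expiry attributes present]} for the listed system accounts."""
    wanted, findings = system_account_names(server), {}
    for entry in parse_ldif(ldif_text):
        cns = {v.lower() for v in entry.get("cn", [])}
        present = [a for a in EXPIRY_ATTRS if a in entry]
        if cns & wanted and present:
            findings[entry["dn"][0]] = present
    return findings

# Constructed sample export; server name "oes1" and tree "o=acme" are made up.
SAMPLE = """\
dn: cn=wwwrun,o=acme
cn: wwwrun
passwordExpirationInterval: 7776000

dn: cn=jsmith,ou=users,o=acme
cn: jsmith
passwordExpirationInterval: 7776000

dn: cn=oes1-SambaProxy,o=acme
cn: oes1-SambaProxy
passwordExpirationTime: 20250101000000Z
"""
```

Calling `audit(SAMPLE, "oes1")` returns the two system accounts that would expire and leaves the ordinary user jsmith out of the result.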
2) OES2 SP3 introduces a new feature, the "Common Proxy User". This is a system-generated account. The user object's password and password-related attributes are maintained by the system and should not be manually manipulated. By default, the password is changed to a random password every 30 days. If a password policy is assigned, take care with complex password policies. The default name for the user is OESCommonProxy_<server hostname>. One common proxy user is created for every eDirectory Server object. The common proxy user can be associated with multiple services, which minimizes the administrative errors that come from manually maintaining user objects for other services. Some of the services that can use the common proxy user are:
Novell CIFS
Novell Cluster Services
Novell DNS
Novell DHCP
Novell iFolder
Novell NetStorage
For further information about the common proxy user, see the online documentation at www.novell.com/documentation.