Environment
Novell Open Enterprise Server 11 (OES 11) Linux
Novell Cluster Services
CommonProxyUser
Situation
The CommonProxyUser account would get locked by intruder detection, preventing the Novell Cluster Services node from joining the cluster.
Resolution
When updating the common proxy credentials, cp_update_proxy_cred.sh prompts for the proxy DN and password, so exporting the password in an environment variable is not required when the script is run manually.
I. To handle the intruder lockout case, follow these steps.
Step 1: Have the administrator manually change the proxy user's password in eDirectory.
Step 2: Update the common proxy password in CASA using /opt/novell/proxymgmt/bin/cp_update_proxy_cred.sh.
Step 3: Run /opt/novell/proxymgmt/bin/change_proxy_pwd.sh -A yes. This automatically changes the common proxy password and also updates the credentials of all services on the system that use common proxy.
After these steps, all services will be in sync.
For analysis, ask the customer to provide /var/opt/novell/log/proxymgt/pxymgmt.log, which shows the automatic password changes that were triggered and whether any of them failed for any service.
II. To configure any service to use common proxy:
Follow the steps below to directly configure a service to use common proxy.
Step 1: Ensure that common proxy is already configured for the system. This can be verified with the commands '/opt/novell/proxymgmt/bin/cp_retrieve_proxy_cred username' and '/opt/novell/proxymgmt/bin/cp_retrieve_proxy_cred password', which retrieve the common proxy user name and password respectively.
Step 2: Export the common proxy password in the service-specific environment variable: OES_LUM_DATA (for LUM), OES_NCS_DATA (for NCS), OES_CIFS_DATA (for CIFS), etc. For example: export OES_LUM_DATA="novell" (assuming the common proxy password is novell).
Step 3: Run the service-specific script to store the common proxy credentials for the service.
For LUM it is /var/lib/novell-lum/lum_update_proxy_cred.sh "proxy DN". For NCS it is /opt/novell/ncs/bin/ncs_update_proxy_cred.sh "Proxy FDN".
Currently, move_to_common_proxy.sh moves services to common proxy only if they are already using some other proxy; there is no script that directly configures a service to use common proxy, hence the manual steps above.
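The section II procedure wrapped in a script, as an added example that is not Novell's code: the service-specific variable is set only in the update script's environment rather than exported into the interactive shell, and the password is read without echo instead of being typed on the command line. The service names, the DRY_RUN switch and the proxy DN in the usage comment are assumptions; CIFS is not mapped because the page gives no update script path for it.

```shell
#!/bin/sh
# Added example (not Novell's code) wrapping section II of this TID. The password
# is handed only to the update script's process, never to the calling shell.
# Set DRY_RUN=1 to print the commands instead of running them.
PXYMGMT_BIN=/opt/novell/proxymgmt/bin

# Map a service to the environment variable its update script reads (from the TID).
proxy_var_for() {
    case "$1" in
        lum)  echo OES_LUM_DATA ;;
        ncs)  echo OES_NCS_DATA ;;
        cifs) echo OES_CIFS_DATA ;;
        *)    return 1 ;;
    esac
}
# Map a service to its update script. The TID gives paths for LUM and NCS only,
# so CIFS is deliberately left unmapped rather than guessed.
proxy_script_for() {
    case "$1" in
        lum) echo /var/lib/novell-lum/lum_update_proxy_cred.sh ;;
        ncs) echo /opt/novell/ncs/bin/ncs_update_proxy_cred.sh ;;
        *)   return 1 ;;
    esac
}
# Run a command, or print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}
# Step 1: common proxy is configured if the stored user name can be read back.
common_proxy_user() {
    run "$PXYMGMT_BIN/cp_retrieve_proxy_cred" username
}
# Steps 2 and 3: pass the password via the service variable, then run the script.
configure_service() {
    svc=$1; proxy_dn=$2; pw=$3
    var=$(proxy_var_for "$svc") || { echo "unknown service: $svc" >&2; return 1; }
    script=$(proxy_script_for "$svc") || { echo "no update script for: $svc" >&2; return 1; }
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$var=**** $script \"$proxy_dn\""; return 0; fi
    env "$var=$pw" "$script" "$proxy_dn"
}
# Usage: ./common_proxy_service.sh ncs "cn=OESCommonProxy_host,o=novell" (placeholder DN)
if [ $# -eq 2 ]; then
    printf 'Common proxy password: ' >&2
    stty -echo 2>/dev/null; read -r pw; stty echo 2>/dev/null; echo >&2
    common_proxy_user >/dev/null || { echo "common proxy not configured" >&2; exit 1; }
    configure_service "$1" "$2" "$pw"
fi
```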
Cause
eDirectory was not synchronizing correctly.
In this case, we also had to change LDAP to authenticate to a server with a master replica.