This chapter provides information specific to Solaris and Linux operating systems.
To access the configuration data from the Configuration Manager, a desktop client requires the JavaTM Desktop System Configuration Agent. The Configuration Agent communicates with the remote configuration data repository and the adapters as well as integrates data into specific configuration systems. The configuration systems that are currently supported are GConf, Java Preferences, Mozilla Preferences, and StarOffice Registry.
The Configuration Agent is part of a number of different packages, which are listed in the following table:
Solaris Package Name |
Linux RPM Name |
Description |
---|---|---|
SUNWapbas |
apoc-base |
Configuration Shared libraries |
SUNWapmsc |
apoc-misc |
Configuration Agent miscellaneous files |
SUNWapoc |
apoc |
Configuration Agent |
SUNWapdc |
apoc-config |
Configuration Agent wizard |
When you install these packages, the files that are required for this API are installed. You can install the packages manually or through the Java Desktop System installation. After installation, you must configure and enable the Configuration Agent on your system.
To access the remote configuration data, the Configuration Agent requires some minimal bootstrap information, such as the host name and port of the LDAP server. This information is maintained in a set of properties files, such as policymgr.properties, apocd.properties, os.properties. These files are stored locally in the /etc/apoc directory. You can manually edit these properties files, or you can use the configuration wizard for the Configuration Agent.
The configuration wizard offers a graphical user interface that guides you through
the necessary settings of the Configuration Agent. For each page of the wizard,
a corresponding help screen is available. You can start the wizard as super user (root)
by means of the /usr/bin/apoc-config script. A corresponding
desktop menu entry is also available under Preferences/System Tools/Network Settings, or under system-settings:///Network Settings in the Nautilus
file manager.
The wizard can also be started without launching the graphical interface. For example, execute /usr/bin/apoc-config -nodisplay to start the wizard in console mode.
Associated property file keys are indicated in parentheses, where appropriate.
Server Identifier (Server): host name of the LDAP server.
Server Port (Port): port number of the LDAP server.
Suffix (BaseDn): base DN of the LDAP repository.
State: The status of the Configuration Agent. The check box can be used to either activate or deactivate the Configuration Agent. To make use of the configuration repository, the Configuration Agent must be active. The activation automatically includes the necessary registration with inetd.
To manually enable or disable the Configuration Agent, log in as root and type the command /usr/lib/apocd enable or /usr/lib/apocd disable, respectively.
Host Identifier (HostIdentifier): can be "HostName" or "IPAddress". The identifier must be set to match the contents of the LDAP attribute that is used to identify hosts. This attribute is defined in the mapping files as Host/UniqueIdAttribute.
Authentication Type for the Configuration Agent: can be "Anonymous" or "Simple". If "Anonymous" is selected, the Qualified User Name and Password fields are automatically disabled.
Qualified User Name (AuthDn): full DN of a user with read and search access rights on the repository.
Password (Password): password of a registered LDAP user
If anonymous access is enabled in the directory, the Qualified User Name and the Password settings can be left blank.
Authentication Type for applications (AuthType): can be “Anonymous” or “GSSAPI”, depending on how the LDAP server authenticates users.
For more information, see Data Access/User Authentication.
The Configuration Agent uses two ports:
Agent Port (DaemonPort): used by the agent to communicate with client applications (default is 38900).
Administration Port (DaemonAdminPort): used by the agent controller program, apocd, when communicating with the agent (default is 38901).
The Configuration Agent periodically checks for any changes in the configuration data using the following two intervals:
General Detection Interval (ChangeDetectionInterval): interval in minutes between the change detection cycles for the desktop application's (client's) configuration data.
Specifying -1 turns off change detection.
Interval for Agent Settings (DaemonChangeDetectionInterval): interval in minutes between the change detection cycles for the agent-specific configuration settings.
Specifying -1 turns off change detection.
You can use the general detection interval to tune the propagation of remote configuration data changes to client side applications. The value provided for this setting is the maximum length of time in minutes that elapses before remotely made changes are reflected in the client applications.
Smaller values result in increased Configuration Agent and LDAP server activity. As a result, use caution when you adjust the value of the settings. For example, in an initial deployment phase, you can set the value to one minute so that you can test the impact of remote configuration on client applications. After you complete the testing, return this setting to the initial value.
The following settings can be configured:
Data Directory (DataDir): the directory used to store runtime data. The default is /var/opt/apoc.
Cached Data Storage Life (TimeToLive): interval in minutes that non-offline configuration data remains in the local database.
Garbage Collection Cycle (GarbageCollectionInterval): interval in minutes between the garbage collection cycles in the local configuration database.
Maximum Client Threads (MaxClientThreads): maximum number of client requests that can be processed simultaneously.
Maximum Client Connections (MaxClientConnections): maximum number of client connections.
Maximum Request Size (MaxRequestSize): maximum size of client requests.
Connection Timeout (ConnectTimeout): denotes the allowed interval of the LDAP server to answer a connection request. The default is one second.
Log Level (LogLevel): level of detail in the agent log files. The logging level is consistent with the Java Logger levels. In order of decreasing severity, these levels are as follows:
SEVERE
WARNING
INFO
CONFIG
FINE
FINER
FINEST
Most of the operational settings, with the exception of the Data Directory and Connection Timeout settings, can also be maintained centrally through corresponding policies stored in the LDAP server. If you want to use this feature, do not adapt the corresponding settings by means of the wizard. Instead, use the Configuration Agent policies within the Configuration Manager to centrally specify operational settings.
With the exception of "Data Directory" and "Connection Timeout", operational settings that have been stored on the LDAP server by means of the Configuration Manager take effect automatically at the next change detection cycle for the agent configuration (see DaemonChangeDetectionInterval).
All other settings changed locally require a reload or restart of the Configuration Agent. The reload or restart is performed automatically if you use the configuration wizard.
To manually restart the Configuration Agent, ensure that no related client applications are running, log in as root, and type the command /usr/lib/apoc/apocd restart.
The Configuration Agent retrieves information from the LDAP server based on the login ID of a desktop user. The User/UniqueIdAttribute setting of the organizational mapping file maps the login ID to a user entity in the LDAP server. The Configuration Agent also retrieves information about the host, such as the name or the IP address of the host. This information is mapped to a host entity in the LDAP server through the Host/UniqueIdAttribute setting of the organizational mapping file.
There are two methods to access the LDAP server, namely anonymously or with GSSAPI. For anonymous access, no action is required on the desktop. For the GSSAPI method, Kerberos credentials must be acquired on the desktop. To integrate Kerberos credential acquisition with the user login, the pam_krb5 module must be installed and configured on the Java Desktop System host.
You can use gdm to integrate Kerberos with the user login, for example, by using the following /etc/pam.d/gdm file:
#%PAM-1.0 auth required pam_unix2.so nullok #set_secrpc auth optional pam_krb5.so use_first_pass missing_keytab_ok ccache=SAFE putenv_direct account required pam_unix2.so password required pam_unix2.so #strict=false session required pam_unix2.so # trace or none session required pam_devperm.so session optional pam_console.so |
If you integrate Kerberos with user login in this way, you should enable the screensaver's Kerberos support. For example, by using the following /etc/pam.d/xscreensaver file:
auth required pamkrb5.so use_first_pass missing_keytab_ok ccache=SAFE putenv_direct |
The GConf adapter is part of the SUNWapoc-adapter-gconf package for Solaris and the apoc-adapter-gconf RPM for Linux. When you install the adapter from the corresponding package or RPM, the GConf data sources path in /etc/gconf/2/path is updated to include the Configuration Manager sources. The two data sources that are provided by the adapter are:
"apoc:readonly:": provides access to non-protected settings from the policies. Insert this data source after the user settings and before the local defaults.
"apoc:readonly:mandatory@": provides access to protected settings from the policies. Insert this data source after the local mandatory settings and before the user settings.
The Java Preferences adapter is part of the SUNWapcj package for Solaris and the apoc-adapter-java RPM for Linux. When you install the adapter from the corresponding package or RPM, the required files are added in the /opt/SUNWapcj directory on Solaris, or /opt/apocjava on Linux.
The Mozilla adapter is part of the SUNWmozapoc-adapter package for Solaris and the mozilla-apoc-integration RPM for Linux. When you install the adapter from the corresponding package or RPM, the required files are added to an existing installation of Mozilla. The files are automatically registered.
The StarOffice adapter is included in a standard StarOffice installation and allows you to access the policy configuration data without any special modifications.