Chapter 8
User Nobody
This chapter describes how to configure user nobody on an iPlanet Portal Server 3.0 server. In the following examples, the server and gateway are installed on the same system; if the gateway is installed on a separate system, perform the same steps on that system.
Specifying nobody as the owner of the iPlanet Portal Server files is a special case: the nobody account carries an impossible (encrypted) password, so no one can log in as nobody. You must be root to manipulate and execute the files that nobody owns.
When the iPlanet Portal Server server is to run as nobody, the server can still be configured to listen on port 8080, the default web server port. The LDAP server can also run on the default port 389, and the gateway on the default SSL port 443.
Note
The Netfile and Netfile Lite applications cannot use the NFS protocol when running as nobody.
Note
Authentication helpers must be run as root.
When the server component is started or restarted, it must be done as root.
If user nobody was installed in a previous version, and is being upgraded to Service Pack 4, see the "Upgrading User Nobody to Service Pack 4" section.
The following information is included in this chapter:
- Installation Examples
- Configuring User Nobody on the Server
- Configuring User Nobody on the Gateway
- Special Case Configurations
- Upgrading User Nobody to Service Pack 4
Installation Examples
When installing the iPlanet Portal Server 3.0 server, select a non-default install. The following procedures are install examples for both the server and the gateway components.
Installing iPlanet Portal Server 3.0 Server
See the original iPlanet Portal Server 3.0 Installation Guide for more information on installing the iPlanet Portal Server server component.
Tip
Non-default entries are shown in bold text.
# ./ipsinstall
****************************************************************
iPlanet(TM) Portal Server (iPS) (3.0sp4 release)
****************************************************************

Installation log at
/var/sadm/install/logs/ipsinstall.18655/install.log

This product will run without a license. However, you must either
purchase a Binary Code License from, or accept the terms of a
Binary Software Evaluation license with, Sun Microsystems, to
legally use this product.

Do you accept? yes/[no] yes

Inspecting system.

Inspecting network.

What is the iPS hostname of this machine? [server1]
What is the subdomain ("." for none)? []
What is the domain? [sesta.com]
What is the ip address of server1.sesta.com? [192.168.01.01]

Inspecting iPS components.

Preparing to install.

Select which component to install:
1) iPlanet(TM) Portal Server
2) iPlanet(TM) Portal Server: Secure Remote Access Pack (Gateway)
3) Exit
Choice? [3] 1

What directory to install in? [/opt]

Will this be an open portal install? y/[n]

Are the servers using SSL protocol? y/[n]

Is this a multiple server install? y/[n]

The primary server will run on server1.sesta.com
On what port will the primary server run? [8080]

What is the root of the profile role tree? [sesta.com]
What is the user for the profile role tree? [root]
On what port will the directory server run? [389]

On what port will the gateways run? [443]

Is this a multiple gateway install? y/[n]
On what hostname will the gateway run? [MyGateway] server1
What is the sub-domain name for server1 ("." for none)? []
What is the domain name for server1? [sesta.com]

Should the gateway(s) use a web proxy? y/[n]

What is the administrator port for the web server? [8088]

A passphrase is needed to manage and install certificates on the gateway
and the server, in the configuration of the web and LDAP servers and to
allow secure communication between the gateways and servers. The passphrase
must match between gateway and server installations.
What is the passphrase (8 chars minimum) :
Re-enter passphrase :

Start after installation completes? [y]/n

Server settings
Installation Directory : /opt
Server List : http://server1.sesta.com:8080
Gateway List : server1.sesta.com:443
Profile Server : http://server1.sesta.com:8080
Profile Role Tree Root : sesta.com
Profile Role Tree User : root
LDAP Port : 389
LDAP Admin Port : 8900
Web Server Admin Port : 8088
Start Server : y
Are these settings correct? [y]/n

Installing server.
Installing SUNWwtsdd...
Installing SUNWwtws...
Installing SUNWwtsvd...
Installing SUNWwtdt...
Installing SUNWwtnm...
Installing SUNWwtnf...
Installing SUNWwtrw...
Installing SUNWwtdoc...
Installing SUNWwtsam...
Installing SUNWwtds...

Starting server.

Installing iPlanet Portal Server 3.0 Gateway
See the original iPlanet Portal Server 3.0 Installation Guide for more information on installing the iPlanet Portal Server gateway.
Tip
Non-default entries are shown in bold text.
Select which component to install:
1) iPlanet(TM) Portal Server
2) iPlanet(TM) Portal Server: Secure Remote Access Pack (Gateway)
3) Exit
Choice? [3] 2

Is the primary server using SSL protocol? y/[n]

Should the local machine be the primary server? [y]/n
The primary server will run on server1.sesta.com
What is the port for the primary server? [8080]

What is the root of the profile role tree? [sesta.com]
What is the user for the root of the profile role tree? [root]

On what hostname will the gateway run? [server1]
What is the sub-domain name for server1 ("." for none)? []
What is the domain name for server1? [sesta.com]
On what port will the gateway run? [443]

Does this gateway have multiple network interfaces? y/[n]

Install firewall? y/[n]

A passphrase is needed to manage and install certificates on the gateway
and the server, in the configuration of the web and LDAP servers and to
allow secure communication between the gateways and servers. The passphrase
must match between gateway and server installations.
What is the passphrase (8 chars minimum) :
Re-enter passphrase :

Start after installation completes? [y]/n

Gateway settings
Installation Directory : /opt
Role Tree Root : sesta.com
Gateway : server1.sesta.com:443
Gateway IP Address : 192.168.01.03
Profile Server : http://server1.sesta.com:8080
Profile Role Tree Root : sesta.com
Profile Role Tree User : root
Install Firewall : n
Start Gateway : y
Are these settings correct? [y]/n

Self-signed certificate for a SSL connection.
What is the name of your organization? [MyCompany] sesta
What is the name of your organizational unit? [MyDivision] florizel
What is the name of your city or locality? [MyCity] santa clara
What is the name of your state or province? [MyState] california
What is the two-letter country code? [us]

Installing gateway.
Installing SUNWwtgwd...

Starting gateway.

|
Configuring User Nobody on the Server
Perform all steps as root, except as noted.
Note
Install the Service Pack 4 server, gateway, and the third-party products before starting the procedure described below. Failure to do this will result in having to redo some of the install steps.
See the "Clean Installation" chapter for more information on installing Service Pack 4.
After installing the iPlanet Portal Server software, do the following as root in a terminal window.
Change the owner of the Portal Server directories:

# chown -R nobody:nobody /opt/netscape
# chown -R nobody:nobody /opt/SUNWips
# chown -R nobody:nobody /etc/opt/SUNWips
# chown -R nobody:nobody /var/opt/SUNWips

Stop all services for the iPlanet Portal Server 3.0 server and gateway.
Edit the following file to change localuser to nobody, as shown in bold text:
- /opt/netscape/directory4/slapd-servername/config/slapd.conf

########################################################################
# /opt/netscape/directory4/slapd-server1/config/slapd.conf
# Netscape Directory Server global configuration file
# Do not modify this file while ns-slapd is running
########################################################################
instancedir "/opt/netscape/directory4/slapd-server1"
errorlog "/opt/netscape/directory4/slapd-server1/logs/errors"
errorlog-logging-enabled on

plugin syntax on "Telephone Syntax" "/opt/netscape/directory4/lib/syntax-plugin.so" tel_init
plugin matchingRule on "Internationalization Plugin" "/opt/netscape/directory4/lib/liblcoll.so" orderingRule_init "/opt/netscape/directory4/slapd-server1/config/slapd-collations.conf"
plugin syntax on "Integer Syntax" "/opt/netscape/directory4/lib/syntax-plugin.so" int_init
plugin syntax on "Distinguished Name Syntax" "/opt/netscape/directory4/lib/syntax-plugin.so" dn_init
plugin syntax on "Case Ignore String Syntax" "/opt/netscape/directory4/lib/syntax-plugin.so" cis_init
plugin syntax on "Case Exact String Syntax" "/opt/netscape/directory4/lib/syntax-plugin.so" ces_init
plugin syntax on "Binary Syntax" "/opt/netscape/directory4/lib/syntax-plugin.so" bin_init
return_exact_case on
include "/opt/netscape/directory4/slapd-server1/config/slapd.at.conf"
include "/opt/netscape/directory4/slapd-server1/config/slapd.oc.conf"
include "/opt/netscape/directory4/slapd-server1/config/ns-schema.conf"
readonly off
timelimit 3600
sizelimit 2000
lastmod on
idletimeout 0
ntsynch off
ntsynch-port 5009
ntsynchusessl on
port 389
secure-port 636
maxdescriptors 1024
schemacheck off
enquote_sup_oc on
security off
localuser nobody
userat "/opt/netscape/directory4/slapd-server1/config/slapd.user_at.conf"
useroc "/opt/netscape/directory4/slapd-server1/config/slapd.user_oc.conf"
accesslog "/opt/netscape/directory4/slapd-server1/logs/access"

Edit the following files to change User to nobody, as shown in bold text:
- /opt/netscape/server4/https-servername/config/magnus.conf
- /opt/netscape/server4/https-admserv/config/magnus.conf

ServerID https-server1.sesta.com
ServerName server1.sesta.com
Port 8080
LoadObjects obj.conf
RootObject default
ErrorLog /opt/netscape/server4/https-server1.sesta.com/logs/errors
PidLog /opt/netscape/server4/https-server1.sesta.com/logs/pid
User nobody
MtaHost localhost
DNS off
Security on
Ciphers +rc4,+rc4export,+rc2,+rc2export,+des,+desede3
SSL3Ciphers +rsa_rc4_128_md5,+rsa_3des_sha,+rsa_des_sha,+rsa_rc4_40_md5,+rsa_rc2_40_md5,-rsa_null_md5,+rsa_des_56_sha,+rsa_rc4_56_sha
ACLFile /opt/netscape/server4/httpacl/generated.https-server1.sesta.com.acl
ClientLanguage en
AdminLanguage en
DefaultLanguage en
AcceptLanguage off
RqThrottle 1024
StackSize 131072
CGIWaitPid on

If the LDAP Server process is also to run as a user other than root, edit the following file to change configuration.nsSuiteSpotUser to nobody, as shown in bold text:
- /opt/netscape/directory4/admin-serv/config/local.conf

userPassword: {SHA}/mZi7HWjvvYwFqgGkIRTOg79/Cc=
serverRoot: /opt/netscape/directory4
serverProductName: Administration Server
serverHostName: server1.sesta.com
uniqueMember: cn=admin-serv-server1, cn=Netscape Administration Server, cn=Server Group, cn=server1.sesta.com, ou=sesta.com, o=NetscapeRoot
installationTimeStamp: 20000914220659Z
configuration.nsServerPort: 8900
configuration.nsSuiteSpotUser: nobody
configuration.nsServerAddress: 192.168.178.52
configuration.nsAdminEnableEnduser: on
configuration.nsAdminEnableDSGW: on
configuration.nsDirectoryInfoRef: cn=Server Group, cn=server1.sesta.com, ou=sesta.com, o=NetscapeRoot
configuration.nsAdminUsers: admin-serv/config/admpw
configuration.nsErrorLog: admin-serv/logs/error
configuration.nsPidLog: admin-serv/logs/pid
configuration.nsAccessLog: admin-serv/logs/access
configuration.nsAdminCacheLifetime: 600
configuration.nsAdminAccessHosts: *.sesta.com
configuration.nsAdminAccessAddresses: 192.168.178.52
configuration.nsAdminOneACLDir: adminacl
configuration.nsDefaultAcceptLanguage: en
configuration.nsClassname: com.netscape.management.admserv.AdminServer@admserv42.jar@cn=admin-serv-server1, cn=Netscape Administration Server, cn=Server Group, cn=server1.sesta.com, ou=sesta.com, o=NetscapeRoot

To set the HTTP and Netlet proxies on the server to run as nobody, edit the /etc/opt/SUNWips/platform.conf file, as shown in bold text:
ips.httpproxy.user=nobody
ips.netletproxy.user=nobody
Note
Instructions for configuring the Netlet Proxy are found in the Release Notes for the iPlanet Portal Server.
Instructions for "Configuring Restart of the HTTP Proxy" are found in this document.

# Copyright 03/22/00 Sun Microsystems, Inc. All Rights Reserved.
# "@(#)platform.conf 1.29 00/03/22 Sun Microsystems"
#

ips.defaultDomain=sesta.com
ips.server.protocol=http
ips.server.host=server1.sesta.com
ips.server.port=8080
ips.profile.host=server1.sesta.com
ips.gateway.protocol=https
ips.gateway.host=server1.sesta.com
ips.gateway.port=443
ips.virtualhost=server1.sesta.com 192.168.01.01
ips.naming.url=http://server1.sesta.com:8080/namingservice
ips.notification.url=http://server1.sesta.com:8080/notificationservice
ips.daemons=securid radius safeword unix skey
securidHelper.port=8943
radiusHelper.port=8944
safewordHelper.port=8945
unixHelper.port=8946
skeyHelper.port=8947

ips.httpproxy.user=nobody
ips.netletproxy.user=nobody

ips.cookie.name=iPlanetPortalServer
ips.locale=en_US
ips.debug=error
ips.version=3.0
ips.basedir=/opt
ips.logdelimiter=&&

Restart the iPlanet Portal Server HTTP proxy and Netlet proxy. From a terminal window, as root, do the following:

# /opt/SUNWips/bin/ipshttpd stop
# /opt/SUNWips/bin/ipsnetletd stop
# /opt/SUNWips/bin/ipshttpd start
# /opt/SUNWips/bin/ipsnetletd start

Configuring User Nobody on the Gateway
The following steps are for configuring user nobody on the gateway, when the gateway is not installed on the same system as the server.
Note
Install the Service Pack 4 server, gateway, and the third-party products before starting the procedure described below. Failure to do this will result in having to redo some of the install steps.
Note
When the gateway component is started or restarted, it must be done as root.
See the "Clean Installation" chapter for more information on installing Service Pack 4.
After installing the iPlanet Portal Server software, do the following on the gateway.
As root, in a terminal window, do the following:

# chmod 666 /dev/random
# chown -R nobody:nobody /etc/opt/SUNWips
# chown -R nobody:nobody /var/opt/SUNWips
# chown -R nobody:nobody /opt/SUNWips

Edit the /etc/opt/SUNWips/platform.conf file, as shown in bold text:
- ips.gateway.user=nobody

# Copyright 03/22/00 Sun Microsystems, Inc. All Rights Reserved.
# "@(#)platform.conf 1.29 00/03/22 Sun Microsystems"
#

ips.defaultDomain=sesta.com
ips.server.protocol=http
ips.server.host=server1.sesta.com
ips.server.port=8080
ips.profile.host=server1.sesta.com
ips.gateway.protocol=https
ips.gateway.host=server1.sesta.com
ips.gateway.port=443
ips.virtualhost=server1.sesta.com 192.168.01.01
ips.naming.url=http://server1.sesta.com:8080/namingservice
ips.notification.url=http://server1.sesta.com:8080/notificationservice
ips.daemons=securid radius safeword unix skey
securidHelper.port=8943
radiusHelper.port=8944
safewordHelper.port=8945
unixHelper.port=8946
skeyHelper.port=8947

ips.gateway.user=nobody

ips.cookie.name=iPlanetPortalServer
ips.locale=en_US
ips.debug=error
ips.version=3.0
ips.basedir=/opt
ips.logdelimiter=&&

When the gateway is configured as user nobody, do the following to work around an invalid session condition when the gateway restarts:

# chmod 4555 /etc/init.d/ipsgateway

Special Case Configurations
When the iPlanet Portal Server server and gateway are installed on the same system, both the server and gateway must be configured to run as user nobody.
Caution
If you have configured a system to run as user nobody, and later add other packages with the installer, check the ownership of the Portal Server directories to make sure it is still user nobody.
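The Caution above asks for the ownership of the Portal Server directories to be re-checked after any later package installation, and the server procedure in this chapter edits four configuration files by hand. The following shell script is an added example, not part of the iPlanet Portal Server product or of this guide, that performs both checks: it counts and lists entries under the Portal Server directories that are not owned by the expected user, and it verifies that localuser (slapd.conf), User (magnus.conf), configuration.nsSuiteSpotUser (local.conf) and the ips.*.user keys (platform.conf) still name that user. The directory list and keys come from the procedure; the file paths assume the chapter's example install (instance server1, install root /opt), and the function and script names are the example's own. Passing root instead of nobody verifies the reset step described under "Upgrading User Nobody to Service Pack 4".

```shell
#!/bin/sh
# Audit helper for an iPlanet Portal Server "user nobody" configuration.
# Added example, not part of the product. Two checks:
#   1. every entry under the Portal Server directories is owned by the
#      service user (what the Caution asks for after later package installs);
#   2. each configuration file edited in the procedure still names that
#      user (localuser, User, configuration.nsSuiteSpotUser, ips.*.user).
# Paths and keys are taken from the procedure; instance name server1 and
# install root /opt are the chapter's example values.

# Directories the server procedure chowns to nobody:nobody.
IPS_DIRS="/opt/netscape /opt/SUNWips /etc/opt/SUNWips /var/opt/SUNWips"

# count_wrong_owner OWNER DIR...
# Prints the number of entries under DIR... not owned by OWNER (a user name
# or numeric uid). Directories that do not exist are skipped.
count_wrong_owner() {
    owner=$1; shift
    total=0
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        count=$(find "$dir" ! -user "$owner" -print | wc -l)
        total=$((total + count))
    done
    echo "$total"
}

# list_wrong_owner OWNER DIR...
# Shows each offending entry with its actual owner so it can be corrected.
list_wrong_owner() {
    owner=$1; shift
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        find "$dir" ! -user "$owner" -exec ls -ld {} +
    done
}

# config_value FILE KEY
# Prints the value of KEY in FILE, accepting the three syntaxes used by the
# files in this chapter: "localuser nobody" (slapd.conf), "User nobody"
# (magnus.conf), "configuration.nsSuiteSpotUser: nobody" (local.conf) and
# "ips.httpproxy.user=nobody" (platform.conf). Comment lines are ignored,
# the key must match as a whole word, and the last occurrence wins.
config_value() {
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        {
            line = $0
            sub(/^[[:space:]]+/, "", line)
            if (index(line, key) != 1) next
            rest = substr(line, length(key) + 1)
            # the key must be followed by whitespace or a : / = separator
            if (rest !~ /^([[:space:]]+|[[:space:]]*[:=])/) next
            sub(/^[[:space:]]*[:=]?[[:space:]]*/, "", rest)
            split(rest, f, /[[:space:]]+/)
            if (f[1] != "") value = f[1]
        }
        END { if (value != "") print value }
    ' "$1"
}

# check_config_users WANT < PAIRS
# Reads "FILE KEY" pairs from stdin and reports every file whose KEY is not
# set to WANT, or that is missing. Returns the number of problems found.
check_config_users() {
    want=$1
    bad=0
    while read -r file key; do
        [ -n "$file" ] || continue
        if [ ! -r "$file" ]; then
            echo "MISSING  $file"
            bad=$((bad + 1))
            continue
        fi
        got=$(config_value "$file" "$key")
        if [ "$got" != "$want" ]; then
            echo "MISMATCH $file: $key is '${got:-unset}', expected '$want'"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Stand-alone use: sh ips_nobody_audit.sh audit [USER]
# USER defaults to nobody; pass root to verify the reset before an upgrade.
if [ "${1:-}" = "audit" ]; then
    user=${2:-nobody}
    echo "Entries not owned by $user: $(count_wrong_owner "$user" $IPS_DIRS)"
    list_wrong_owner "$user" $IPS_DIRS
    check_config_users "$user" <<EOF
/opt/netscape/directory4/slapd-server1/config/slapd.conf localuser
/opt/netscape/server4/https-server1.sesta.com/config/magnus.conf User
/opt/netscape/server4/https-admserv/config/magnus.conf User
/opt/netscape/directory4/admin-serv/config/local.conf configuration.nsSuiteSpotUser
/etc/opt/SUNWips/platform.conf ips.httpproxy.user
/etc/opt/SUNWips/platform.conf ips.netletproxy.user
EOF
fi
```

Run it as root after the procedure (sh ips_nobody_audit.sh audit) and again after any later package installation; a non-zero count or any MISMATCH line means a chown -R or a config edit from this chapter has to be repeated. The awk parser deliberately requires a separator after the key so that a directive such as Username is never mistaken for User.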
Upgrading User Nobody to Service Pack 4
Upgrading an installation that uses user nobody from a previous version of the iPlanet Portal Server product to Service Pack 4 requires that all the user names be reset to root for the upgrade to work. Once Service Pack 4 has been installed, you must reconfigure the server and gateway to run as nobody. Failure to complete all of these steps may result in loss of data.
The following list is a brief summary of the steps required to upgrade to Service Pack 4:
Stop all services for the iPlanet Portal Server 3.0 server and gateway.
If the gateway is installed and running as nobody, do the following:
- Edit the gateway /etc/opt/SUNWips/platform.conf file, as shown in bold text:
- Remove ips.gateway.user=nobody

# Copyright 03/22/00 Sun Microsystems, Inc. All Rights Reserved.
# "@(#)platform.conf 1.29 00/03/22 Sun Microsystems"
#

ips.defaultDomain=sesta.com
ips.server.protocol=http
ips.server.host=server1.sesta.com
ips.server.port=8080
ips.profile.host=server1.sesta.com
ips.gateway.protocol=https
ips.gateway.host=server1.sesta.com
ips.gateway.port=443
ips.virtualhost=server1.sesta.com 192.168.01.01
ips.naming.url=http://server1.sesta.com:8080/namingservice
ips.notification.url=http://server1.sesta.com:8080/notificationservice
ips.daemons=securid radius safeword unix skey
securidHelper.port=8943
radiusHelper.port=8944
safewordHelper.port=8945
unixHelper.port=8946
skeyHelper.port=8947

ips.gateway.user=nobody

ips.cookie.name=iPlanetPortalServer
ips.locale=en_US
ips.debug=error
ips.version=3.0
ips.basedir=/opt
ips.logdelimiter=&&

Edit the following file to change configuration.nsSuiteSpotUser to root, as shown in bold text:
- /opt/netscape/directory4/admin-serv/config/local.conf

nsServerID: admin-serv
userPassword: {SHA}/mZi7HWjvvYwFqgGkIRTOg79/Cc=
serverRoot: /opt/netscape/directory4
serverProductName: Administration Server
serverHostName: server1.sesta.com
uniqueMember: cn=admin-serv-server1, cn=Netscape Administration Server, cn=Server Group, cn=server1.sesta.com, ou=sesta.com, o=NetscapeRoot
installationTimeStamp: 20000914220659Z
configuration.nsServerPort: 8900
configuration.nsSuiteSpotUser: root
configuration.nsServerAddress: 192.168.178.52
configuration.nsAdminEnableEnduser: on
configuration.nsAdminEnableDSGW: on

In a terminal window:

# chown -R root:root /etc/opt/SUNWips
# chown -R root:root /var/opt/SUNWips
# chown -R root:root /opt/netscape
# chown -R root:root /opt/SUNWips

Edit the following files:
- /opt/netscape/server4/https-servername/config/magnus.conf
- /opt/netscape/server4/https-admserv/config/magnus.conf
Change the user nobody to root, as shown in bold text.

ServerID https-server1.sesta.com
ServerName server1.sesta.com
Port 8080
LoadObjects obj.conf
RootObject default
ErrorLog /opt/netscape/server4/https-server1.sesta.com/logs/errors
PidLog /opt/netscape/server4/https-server1.sesta.com/logs/pid
User root
MtaHost localhost
DNS off
Security off

Edit the following file to change localuser to root, as shown in bold text:
- /opt/netscape/directory4/slapd-servername/config/slapd.conf

return_exact_case on
include "/opt/netscape/directory4/slapd-server1/config/slapd.at.conf"
include "/opt/netscape/directory4/slapd-server1/config/slapd.oc.conf"
include "/opt/netscape/directory4/slapd-server1/config/ns-schema.conf"
readonly off
timelimit 3600
sizelimit 2000
lastmod on
idletimeout 0
ntsynch off
ntsynch-port 5009
ntsynchusessl on
port 389
secure-port 636
maxdescriptors 1024
schemacheck off
enquote_sup_oc on
security off
localuser root
userat "/opt/netscape/directory4/slapd-server1/config/slapd.user_at.conf"
useroc "/opt/netscape/directory4/slapd-server1/config/slapd.user_oc.conf"
accesslog "/opt/netscape/directory4/slapd-server1/logs/access"

Install the Service Pack 4 upgrade. See "Upgrading to Service Pack 4" for the iPlanet Portal Server 3.0.
Reconfigure both the server and gateway to run as nobody. See the "Configuring User Nobody on the Server" and "Configuring User Nobody on the Gateway" sections.
Restore all backed up data, create all server instances, and all special configurations.