Shared User

Overview

LeasePak by default implements a "dedicated user" architecture in which each LeasePak user is required to have three distinct though related user accounts: a LeasePak user account in the rsc Security table, a Unix user account on the application server, and a DBMS user account on the database server. Furthermore, the user name of each of the three accounts must be the same, and the passwords of the Unix user and DBMS user must be derived from the LeasePak user's client password.

LeasePak also supports a "shared user" architecture, which is available if the Shared User module is purchased. This architecture reduces the number of Unix users and DBMS users that need to be created and maintained. With shared user, each LeasePak user needs only one account: a LeasePak user account in the rsc Security table. There is one Proxy Unix user account and one Proxy DBMS user account, and all of the LeasePak users in the rsc Security table can share these "proxy" accounts. The user names of the Proxy Unix user and Proxy DBMS user do not have to be the same. The passwords of the Proxy Unix user and Proxy DBMS user are not derived from LeasePak user client passwords.

NOTE: The user who runs EOP Suite must be able to connect as a dedicated user.

LeasePak Users and Run Modes

Each LeasePak user has a unique LeasePak user name. The LeasePak user name is entered by the user when logging on to LeasePak. Since each LeasePak user name is a unique user of the LeasePak software, it will therefore be counted as one licensed user, whether the user name is used as a shared user, a dedicated user, or both.

Each LeasePak user:

Has a unique LeasePak user name.
Has a record in the rsc Security table.
Can run LeasePak in dedicated mode or shared mode.
Runs in dedicated mode by specifying the dedicated port on the LeasePak Setup screen or in the leasepak.ini file.
Runs in shared mode by specifying the shared port on the LeasePak Setup screen or in the leasepak.ini file.

For a LeasePak user to run in dedicated mode, the requirements are:

A LeasePak user record in the rsc Security table.
A Unix user account on the application server with the same user name as the LeasePak user, and a password that is derived from (and is the same length as) the LeasePak user's client password. The LeasePak user's client password can be from 6 to 18 characters in length.
A DBMS user account on the database server with the same user name as the LeasePak user, and a password that is derived from (and is the same length as) the LeasePak user's client password. The LeasePak user's client password can be from 6 to 18 characters in length.

For a LeasePak user to run in shared mode, the requirements are:

A LeasePak user record in the rsc Security table.
Column rsc.credent_user_pwd_s in the LeasePak user's rsc record must be set to the LeasePak user's shared password. The LeasePak user's shared password is derived from the LeasePak user's client password.
A Proxy Unix user account on the application server with a user name that is NOT in the rsc Security table. The Proxy Unix user is shared by all LeasePak users who are running in shared mode. The HOME directory of the Proxy Unix user must NOT contain any LeasePak login files (such as .lpprofile). The password of the Proxy Unix user account can be up to 30 characters in length.
A Proxy DBMS user account on the database server with a user name that is NOT in the rsc Security table. The Proxy DBMS user is shared by all LeasePak users who are running in shared mode. The name of the Proxy DBMS user does not have to be the same as the name of the Proxy Unix user, although it can be. The password of the Proxy DBMS user account can be up to 30 characters in length.
A hidden file named .netsol_proxy in the Proxy Unix user's HOME directory. This file contains the Proxy DBMS user's encrypted username and password.
In the Proxy Unix user's HOME directory: a sub-directory named lphome.
In the lphome sub-directory: a sub-directory with the same name as the LeasePak user name. This sub-directory will be used as the HOME directory when the LeasePak user is running in shared mode. It is not used as the HOME directory when the LeasePak user is running in dedicated mode.

Shared User Module Administrative Setup

To setup the Shared User module for operation, the following items need to be created by a system administrator.

Proxy Unix user account
Create a Unix user account on the LeasePak application server for the Proxy Unix user. The Proxy Unix user is shared by the LeasePak users who are running in shared mode, for all releases and environments. Do NOT put LeasePak login files (.lpprofile, etc.) in the Proxy Unix user's HOME directory.
Parent directory of shared user home directories
Create a Unix directory named lphome in the Proxy Unix user's HOME directory. The lphome directory is the parent directory of the shared user home directories, and can be either an actual directory or a symbolic link to another directory. The Proxy Unix user must have full permissions (rwx) on the lphome directory.
Shared user home directories
For each LeasePak user that will run in shared mode, create a directory within the lphome directory, and give the directory the same name as the LeasePak user name. These directories will be used as the HOME directories for LeasePak users running in shared mode. The owner of the directories should be the Proxy Unix user.

The shared user home directories can be created manually by a Unix system administrator. Alternatively, if you wish to allow the creation of shared user home directories by the LeasePak Security update [U0706], create a zero-byte hidden file named .netsol_allow_create_home in the Proxy Unix user's HOME directory. Assign ownership of the file to the Proxy Unix user, and make the group of the file the same as the Proxy Unix user's primary group. Set the file's Unix access permissions to 644 (which is rw access for the owner, and r access for the group and world). Then, a LeasePak administrative user who is logged into LeasePak in shared mode will have the ability to create shared user home directories by selecting the "Create Users Home Directory" check box on the Limits/Password tab of the Security update [U0706].
Proxy DBMS user account
Create a DBMS user account on the database server for the Proxy DBMS user by running the db_add_login Unix script. Refer to the LeasePak System Administration Guide for more information on running the db_add_login script. The Proxy DBMS user name does not have to be the same as the Proxy Unix user name, although it can be. The Proxy DBMS user is shared by the LeasePak users who are running in shared mode, for all releases and environments.

For each LeasePak database that users will be connecting to in shared mode, run the db_add_user Unix script to add the Proxy DBMS user as a user of that database. The Proxy DBMS user may be added as a user to multiple LeasePak databases. Refer to the LeasePak System Administration Guide for more information on running the db_add_user script.
File containing Proxy DBMS user's encrypted username and password
Run lease/util 110 to create a hidden file named .netsol_proxy in the current working directory. This file contains the Proxy DBMS user's encrypted username and password. Move the file from the current working directory to the Proxy Unix user's HOME directory. Assign ownership of the file to the Proxy Unix user, and make the group of the file the same as the Proxy Unix user's primary group. Set the file's Unix access permissions to 600 (which is rw access for the owner, and no access of any kind for the group and world).
Utility Unix user account
If you wish to allow the lease/util command line program to be runnable in shared mode, create at least one Utility Unix user account on the LeasePak application server. LeasePak users can then log on to Unix as the Utility Unix user when they want to run lease/util in shared mode. Do NOT put LeasePak login files (.lpprofile, etc.) in the Utility Unix user's HOME directory.
Sudoers entry for the Utility Unix user
If you wish to allow the lease/util command line program to be runnable in shared mode, use "visudo -f" to create or edit (if it already exists) file /etc/sudoers.d/nstsudoers, with ownership root:root and permissions 440. Add an entry to nstsudoers which grants to the Utility Unix user the ability to run the lputil_shared Unix script as the Proxy Unix user. The entry format is:
```
utility-unix-user ALL = (proxy-unix-user) NOPASSWD: path-to-lputil_shared
```
There are various ways to specify the sudoers entry. For example, if the Utility Unix user name were 'lputil' and the Proxy Unix user name were 'lpshared', then this entry would grant to lputil the ability to run the lputil_shared script in non-ADFS mode for all environments in all versions of LeasePak:
```
lputil ALL = (lpshared) NOPASSWD: /opt/nst/v*/env/*/bin/lputil_shared
```
This entry would grant to lputil the ability to run the lputil_shared script in non-ADFS mode for only the 'prod' environment in version 7.4a of LeasePak:
```
lputil ALL = (lpshared) NOPASSWD: /opt/nst/v74a/env/prod/bin/lputil_shared
```
This entry would grant to lputil the ability to run the lputil_shared script in non-ADFS mode for all versions of LeasePak, but only for environments named 'test':
```
lputil ALL = (lpshared) NOPASSWD: /opt/nst/v*/env/test/bin/lputil_shared
```
These entries would grant to lputil the ability to run the lputil_shared script in ADFS mode (or non-ADFS mode) for all environments in all versions of LeasePak:
```
Defaults!/opt/nst/v*/env/*/bin/lputil_shared env_keep=LEASEPAK_ADFS_TOKEN
lputil ALL = (lpshared) NOPASSWD: /opt/nst/v*/env/*/bin/lputil_shared
```
These entries would grant to lputil the ability to run the lputil_shared script in ADFS mode (or non-ADFS mode) for only the 'prod' environment in version 7.4a of LeasePak:
```
Defaults!/opt/nst/v74a/env/prod/bin/lputil_shared env_keep=LEASEPAK_ADFS_TOKEN
lputil ALL = (lpshared) NOPASSWD: /opt/nst/v74a/env/prod/bin/lputil_shared
```
These entries would grant to lputil the ability to run the lputil_shared script in ADFS mode (or non-ADFS mode) for all versions of LeasePak, but only for environments named 'test':
```
Defaults!/opt/nst/v*/env/test/bin/lputil_shared env_keep=LEASEPAK_ADFS_TOKEN
lputil ALL = (lpshared) NOPASSWD: /opt/nst/v*/env/test/bin/lputil_shared
```
Shared Port
LeasePak uses a service port to listen for and accept connection requests to the host computer on which the LeasePak server software is installed. For users running LeasePak in dedicated mode, there is a port configured to run as the root Unix user. This port is referred to as the "dedicated port". For users running LeasePak in shared mode, there is a different port configured to run as the Proxy Unix user. This port is referred to as the "shared port".

To setup the shared port, do the following:
1. Add a service entry for the shared port to the /etc/services file.
  
  For example: (if the current version of LeasePak were 7.4a)
```
nst_lp74ashrd_7420  7420/tcp  # LeasePak v74a leasepakd shared /opt/nst/v74a
```
2. Define an xinetd service for the shared port by creating a configuration file for the service in directory /etc/xinted.d/. The configuration file should be given the same name as the name of the service added to /etc/services for the shared port.
  
  For example: Create a configuration file named nst_lp74ashrd_7420 and enter the following service definition into the file:
```
service nst_lp74ashrd_7420 
{
    disable     = no
    id          = nst_lp74adev_7420
    socket_type = stream
    user        = lpshared
    server      = /opt/nst/v74a/live/bin/leasepakd
    wait        = no
    protocol    = tcp
    port        = 7420
    server_args = -d /opt/nst/v74a -l log-file-path -f init-file-path -u 0
}
```
  where log-file-path is: /opt/nst/v74a/log/leasepakd_shared.log
  and init-file-path is: /opt/nst/v74a/etc/machine-name_v74a_rt.lpkd
3. If users will be running mPower in shared mode, then add an additional shared port service entry in /etc/services and xinetd service definition in directory /etc/xinted.d/ for mPower.

Allowing an Existing Dedicated User to Run in Shared Mode

To allow an existing dedicated user to run in shared mode:

Create a shared user home directory for the user.
Change the user's LeasePak client password. The act of changing the client password will automatically set the shared password in the user's rsc Security record. The shared password must be set in order for the user to run LeasePak in shared mode. You can either change the user's client password yourself (if you have been granted the privilege in U0706 to change the passwords of other users), or you can force the user to change their own client password the next time they log in to LeasePak. To force the user to change their password, select the Force Password Change on next login check box on the Limits/Password tab of the Security update [U0706].
The user can then log in to LeasePak in shared mode by entering the shared port on the client LeasePak Setup screen or in the leasepak.ini file.
(Optional) To revoke the ability of the user to run LeasePak in dedicated mode, delete the user's Unix account from the application server and DBMS account from the database server. The user will still be able to run LeasePak, but only in shared mode.

Creating a New LeasePak User That Can Run Only In Shared Mode

Creating a new LeasePak user that can run only in shared mode is quite simple. Most of what needs to be done can be accomplished through the Security update [U0706].

Log on to the LeasePak client. You will need to log on in shared mode if you intend to create the shared user's home directory via U0706. If you log on in dedicated mode, a Unix system administartor will need to manually create the shared user's home directory.
Run the Security update [U0706] to Add a new user.
On the U0706 screens, configure the security of the user as you normally would.
Navigate to the Limits/Password tab.
Select the check box for "Force Password Change on next login" if you want the shared user to set their own LeasePak client password when they log in for the first time.
Select the check box for "Create Users Home Directory" if you want U0706 to create a home directory for the shared user. If you do not select this check box, a Unix system administartor will need to manually create a shared user home directory for the user. This check box is available in U0706 Add (and also Change) only if the .netsol_allow_create_home file exists in the Proxy Unix user's HOME directory and the user running U0706 is logged in as a shared user.
Save the new user in U0706.
After adding the new user with U0706, open Change Password on the Options menu and set an initial LeasePak client password for the shared user.
The user can then log in to LeasePak in shared mode by entering the shared port on the client LeasePak Setup screen or in the leasepak.ini file.

Running lease/util in Shared Mode

The LeasePak command line program lease/util can be run in shared mode, provided that an administrator has previously created a Utility Unix user account and added the required sudoers entry for that account. To run lease/util in shared mode, log on to Unix as the Utility Unix user and use sudo to run the lputil_shared script. In the sudo command, specify the Proxy Unix user name with the -u option, and specify the LeasePak user name as the final parameter to the lputil_shared script. (In order to run shared mode lease/util in ADFS mode, environment variable LEASEPAK_ADFS_TOKEN must contain a valid, encrypted, base64'd single sign-on token.)

The format of the sudo command is:

% sudo -u proxy-unix-user path-to-lputil_shared top-directory environment leasepak-user

In the following example, the Proxy Unix user name is 'lpshared', the version is 7.4a, the environment name is 'prod', and the LeasePak user name is 'user1':

% sudo -u lpshared /opt/nst/v74a/env/prod/bin/lputil_shared /opt/nst/v74a prod user1

The information contained in this document is the property of NetSol Technologies Inc. Use of the information contained herein is restricted. Conditions of use are subject to change without notice. NetSol Technologies Inc. assumes no liability for any inaccuracy that may appear in this document; the contents of this document do not constitute a promise or warranty. The software described in this document is furnished under license and may be used or copied only in accordance with the terms of said license. Unauthorized use, alteration, or reproduction of this document without the written consent of NetSol Technologies Inc. is prohibited.

Your document is loading...

This message should disappear within 5-15 seconds, depending on the size of the document and the speed of your connection to the Documentation Suite.

If you can still see this message after 20 seconds, try clicking the Refresh or Reload button on your Web browser.

If your document still does not load, refer to Document Load Troubleshooting for instructions on how to fix possible problems with either your Documentation Suite installation or Web browser setup.

If you do not have read access to the parent docsuite directory, you will not be able to load the Document Load Troubleshooting document. In this case, contact your network administrator for assistance.