Applies to SUSE Linux Enterprise Point of Service 11 SP3 and SUSE Linux Enterprise Point of Service 12 Image Server

11 The LDAP Directory on SUSE Linux Enterprise Point of Service

LDAP directory is a vital part of SUSE Linux Enterprise Point of Service, containing almost all configuration data, system structure description, user access rules, and more. Unlike LDAP directories in versions prior to SUSE Linux Enterprise Point of Service 11, the LDAP architecture now consists of more partially redundant LDAP databases.

The SUSE Linux Enterprise Point of Service LDAP directory runs on OpenLDAP 2.4. LDAP entries are managed using the posAdmin tool. For more information on posAdmin, see Section 11.2, “Using posAdmin to Manage the LDAP Directory”.

Note: Using GQ to Browse LDAP Directory

The GQ LDAP browser may fail with a Cannot find last-resort schema server 'local host' alert message when used with the SUSE Linux Enterprise Point of Service LDAP database. If you want to use GQ, disable anonymous access to rootDSE in the /etc/openldap/slapd.conf configuration file. To disable it, comment out the line under the 'enabling anonymous access to rootDSE for speeding up LDAP server start' section with a # so that it reads:

#access to dn="" by * read

Alternatively, you can grant anonymous read access to the subschema subentry (cn=subschema). After the line access to dn="" by * read in the /etc/openldap/slapd.conf file, add the following two lines:

access to dn.base="cn=Subschema"
        by * read

11.1 LDAP Architecture and Synchronization

The central database is located on the Administration Server and acts as the main LDAP database and LDAP replication provider. Since SUSE Linux Enterprise Point of Service 11, each Branch Server has its own LDAP replica for independent use, thus saving network bandwidth and maintaining all functionality if the connection to the Administration Server is lost.

For security and management reasons, only a part of the central LDAP database is replicated on each Branch Server: the section common to all Branch Servers (read-only access) and the organizational unit branch in which the current Branch Server is configured (read-write access).

11.1.1 Administration Server LDAP

In the Administration Server LDAP the SUSE Linux Enterprise Point of Service 11 system is configured. The LDAP directory must be initialized before any Branch Server installation or deployment. The Administration Server LDAP is managed by the posAdmin tool.

11.1.1.1 Administration Server Access Control List

SUSE Linux Enterprise Point of Service 11 introduces an Access Control List (ACL) to:

  • protect the Administration Server LDAP directory against unauthorized access (credentials no longer distributed to Branch Servers),

  • grant write access for each Branch Server to its subtree and restrict other parts of the directory.

The ACL is automatically managed by posAdmin when a new scLocation object is created or deleted. Default ACRs (Access Control Rules) restricting anonymous users are activated when the Administration Server is initialized by the posInitAdminServer command.

ACL is stored in the LDAP dynamic cn=config database and in the /etc/openldap/acl.ldif file. The file is used to preserve ACL during the OpenLDAP server restart. This file should be kept secure.

Each Branch Server has only access to its respective LDAP subtree. For example, if the scLocation dn of the Branch Server is cn=mybranch,ou=myorgunit,o=myorg,c=us, the Branch Server only has read and write access to the cn=mybranch,ou=myorgunit,o=myorg,c=us subtree.

In previous versions, the Branch Server had read and write access to the whole organizational unit (ou). LDAP replication is directly affected by this change: now only the relevant subtree is replicated, while replication of the general read-only items (for example cn=global,o=myorg,c=us and cn=standards,o=myorg,c=us) is preserved. A Branch Server may still see other organizational units, but sees them as empty.

11.1.1.1.1 Manual Configuration of ACL

The Access Control List default is automatically generated during posInitAdminServer execution. The rule definition starts with:

#STARTACL-default

The following lines grant read access to the LDAP subtree cn=global,o=myorg,c=us for any authenticated user and block others:

access to dn.subtree="cn=global,o=myorg,c=us"
 by users read
 by anonymous none

This grants read access to any LDAP object of the scHardware object class for any authenticated user and blocks others:

access to filter="(objectClass=scHardware)"
 by users read
 by anonymous none

This grants read access to the LDAP root for authenticated users and blocks others:

access to dn.base="o=myorg,c=us"
 by users read
 by anonymous none

posAdmin ends the ACR named "default" with:

#ENDACL-default

When the Branch Server scLocation LDAP object is added by posAdmin, the following ACR is added, with the appropriate marker starting the ACR definition for Branch Server located in the organizational unit ou=myorgunit,o=myorg,c=us:

#STARTACL-ou=myorgunit,o=myorg,c=us

The following lines grant write access to the LDAP subtree ou=myorgunit,o=myorg,c=us for Branch Servers authenticated against the scLocation object cn=mybranch,ou=myorgunit,o=myorg,c=us and no access for other users (except the Administration Server root user). It allows anonymous users the LDAP auth access so they can authenticate themselves against this subtree.

access to dn.subtree="ou=myorgunit,o=myorg,c=us"
 by dn.base="cn=mybranch,ou=myorgunit,o=myorg,c=us" write
 by users none
 by anonymous auth

The ACR ends with the marker corresponding with the Branch Server:

#ENDACL-ou=myorgunit,o=myorg,c=us

A typical symptom of a wrong ACL is that the LDAP bind succeeds and the LDAP filter is valid, but the LDAP search returns an empty result.

To identify the problematic ACL, search for the access to keyword followed by your search base DN or the DN under which your base DN is located. Remove that entry.

Remember to restart the LDAP server after modifying the /etc/openldap/acl.ldif file.
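To see how these rules combine, the following is an added example, not part of the SUSE documentation or of posAdmin. It models slapd's first-match ACL evaluation in Python over the ACRs quoted above: the first "access to" whose target matches the entry wins, the first matching "by" clause within it decides, and a missing match yields none. It assumes a second Branch Server cn=otherbranch,ou=other,o=myorg,c=us and a few constructed directory entries, and it simplifies slapd to entry-level decisions (no per-attribute selectors, no rootdn bypass). Its explain() function reports which "access to" rule captured a given DN, which is the check the troubleshooting advice above asks you to perform by hand.

```python
import re

# Privilege levels in ascending order (slapd.access(5)); a granted level implies all lower ones.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

def norm_dn(dn):
    """Canonicalise a DN for comparison: lower-case, no blanks around commas."""
    return ",".join(p.strip() for p in dn.strip().split(",")).lower()

def parse_acl(text):
    """Parse 'access to <what> by <who> <level> ...' directives; comment lines are ignored.
    Supports the selectors used in this chapter: *, dn="", dn.base, dn.subtree,
    filter="(objectClass=X)" and the subjects *, users, anonymous, dn.base="..."."""
    body = "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("#"))
    rules = []
    for block in re.split(r"^\s*access\s+to\s+", body, flags=re.M)[1:]:
        parts = re.split(r"\s+by\s+", " ".join(block.split()))
        clauses = [tuple(c.rsplit(" ", 1)) for c in parts[1:]]   # (who, level)
        rules.append((parts[0], clauses))
    return rules

def what_matches(what, entry_dn, entry):
    if what == "*":
        return True
    sel, arg = re.fullmatch(r'(dn|dn\.base|dn\.subtree|filter)="(.*)"', what).groups()
    if sel == "filter":
        oc = re.fullmatch(r"\(objectClass=([^)]+)\)", arg, flags=re.I).group(1).lower()
        return oc in [c.lower() for c in entry.get("objectClass", [])]
    base = norm_dn(arg)
    if sel == "dn.subtree":
        return entry_dn == base or entry_dn.endswith("," + base)
    return entry_dn == base            # dn="" (the rootDSE) and dn.base are exact matches

def who_matches(who, bind_dn):
    if who == "*":
        return True
    if who == "users":                 # any authenticated (non-anonymous) bind
        return bind_dn != ""
    if who == "anonymous":
        return bind_dn == ""
    m = re.fullmatch(r'dn\.base="(.*)"', who)
    return m is not None and norm_dn(m.group(1)) == bind_dn

def explain(rules, bind_dn, entry_dn, entry):
    """Return (rule_index, what, granted_level). The first matching 'access to' wins and its
    first matching 'by' clause decides; no matching clause or rule yields 'none'."""
    bind_dn, entry_dn = norm_dn(bind_dn), norm_dn(entry_dn)
    for i, (what, clauses) in enumerate(rules):
        if what_matches(what, entry_dn, entry):
            for who, lvl in clauses:
                if who_matches(who, bind_dn):
                    return i, what, lvl
            return i, what, "none"
    return None, None, "none"

def allowed(rules, bind_dn, entry_dn, entry, required):
    return LEVELS.index(explain(rules, bind_dn, entry_dn, entry)[2]) >= LEVELS.index(required)

# Constructed ACL in the format of /etc/openldap/acl.ldif: the default ACR from the chapter,
# the ACR for ou=myorgunit, and an assumed second branch ou=other.
ACL = """
#STARTACL-default
access to dn.subtree="cn=global,o=myorg,c=us"
 by users read
 by anonymous none
access to filter="(objectClass=scHardware)"
 by users read
 by anonymous none
access to dn.base="o=myorg,c=us"
 by users read
 by anonymous none
#ENDACL-default
#STARTACL-ou=myorgunit,o=myorg,c=us
access to dn.subtree="ou=myorgunit,o=myorg,c=us"
 by dn.base="cn=mybranch,ou=myorgunit,o=myorg,c=us" write
 by users none
 by anonymous auth
#ENDACL-ou=myorgunit,o=myorg,c=us
access to dn.subtree="ou=other,o=myorg,c=us"
 by dn.base="cn=otherbranch,ou=other,o=myorg,c=us" write
 by users none
 by anonymous auth
"""
# Constructed entries (DN -> attributes); only objectClass matters to this model.
DIRECTORY = {
    "cn=global,o=myorg,c=us": {"objectClass": ["organizationalRole"]},
    "cn=hw1,cn=standards,o=myorg,c=us": {"objectClass": ["scHardware"]},
    "cn=mybranch,ou=myorgunit,o=myorg,c=us": {"objectClass": ["scLocation"]},
    "cn=CR01,cn=mybranch,ou=myorgunit,o=myorg,c=us": {"objectClass": ["scWorkstation"]},
    "cn=otherbranch,ou=other,o=myorg,c=us": {"objectClass": ["scLocation"]},
    "ou=unlisted,o=myorg,c=us": {"objectClass": ["organizationalUnit"]},
}
RULES = parse_acl(ACL)
MYBRANCH = "cn=mybranch,ou=myorgunit,o=myorg,c=us"

def check(bind_dn, entry_dn, required):
    return allowed(RULES, bind_dn, entry_dn, DIRECTORY[entry_dn], required)

if __name__ == "__main__":
    for dn in DIRECTORY:
        print(dn, "->", explain(RULES, MYBRANCH, dn, DIRECTORY[dn]))
```

Running it as the bound Branch Server shows read on cn=global and on scHardware entries, write below its own scLocation, auth only for anonymous binds, and none (hence the empty search result) for the other branch's subtree and for any DN that no rule covers.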

Warning: Non-Persistent Changes

If you are configuring the LDAP server via the cn=config configuration interface, remember that these changes are not persistent in the current configuration.

11.1.1.2 Synchronization Provider

The Administration Server LDAP performs a crucial role in the SUSE Linux Enterprise Point of Service central management. To support the Branch Server's independent operation when a network connection to the Administration Server LDAP is unavailable, the Administration Server provides LDAP synchronization. The Administration Server LDAP provides each Branch Server LDAP with its respective content, according to the defined ACL, via the LDAP SyncProv protocol.

The synchronization provider is activated by the following statements in the slapd.conf file:

# syncrepl provider configuration
overlay syncprov
syncprov-checkpoint 100 5
syncprov-sessionlog 100

Provider activation is done by the overlay syncprov statement.

syncprov-checkpoint 100 5 forces the LDAP server to store the current contextCSN (the value that records the current database state) in the database after 100 operations or 5 minutes, whichever occurs first. This reduces the time and processing power needed to restart the LDAP server after a crash.

The syncprov-sessionlog 100 statement tells the LDAP server to store up to 100 write operations in a dedicated log, which is then used to simplify determining the LDAP synchronization control values. It is used primarily in refreshOnly synchronization mode, which is used while switching the Branch Server from online to offline mode.

11.1.2 Branch Server LDAP

The Branch Server LDAP is an exact replica of cn=global and the Branch Server's organizational unit subtree. Its purpose is to lower the network bandwidth usage by LDAP search and read operations and to support the Branch Server's ability to work without a network connection to the Administration Server.

11.1.2.1 Branch Server Access Control List

The Branch Server ACL is simple. It restricts access to the database to the Branch Server root DN (as root DN can access everything anyway).

The Branch Server ACL is stored in OpenLDAP's slapd.conf (default path /etc/openldap/slapd.conf):

access to dn.subtree="o=myorg,c=us"
by dn.base="cn=mybranch,ou=myorgunit,o=myorg,c=us" write
by users none
by anonymous auth

This rule is applied to the main Branch Server database. There are two additional global rules to provide general compatibility with some LDAP browsers, mainly GQ, and speed up the start of the LDAP server:

access to dn="" by * read
access to dn.base="cn=Subschema" by * read

The Branch Server ACL should not require any maintenance and is only changed during Branch Server reinitialization.

Note: Modifying the Global LDAP Section on Branch Server

Using the SUSE Linux Enterprise Point of Service administrator user name and password on the Branch Server is unsupported because of the nature of LDAP subsystem organization. The only way to modify the cn=global LDAP subtree from the Branch Server is to use remote SSH to the Administration Server.

11.1.2.2 Branch Server Synchronization

Compared to the Administration Server synchronization controls, the Branch Server synchronization settings are much more complex. Every synchronization issue should be solvable on the Branch Server side.

The Branch Server synchronization consists of two steps:

  • SyncRepl consumer,

  • LDAP chaining.

11.1.2.2.1 SyncRepl consumer

SyncRepl (Synchronized Replication) is the main database update mechanism. It continually asks the Administration Server LDAP for changes and updates the Branch Server LDAP accordingly as the "RefreshAndPersist" LDAP synchronization mode is used.

SyncRepl is usually controlled by the posASWatch script, but with the pos command, manual control is also possible: pos status displays current synchronization status, pos start starts synchronization, and pos stop stops synchronization.

For debugging purposes, the following command prints the current SyncRepl state:

ldapsearch -x -LLL -h localhost -D cn=admin,cn=config -w password -b cn=config '(objectClass=*)' 'olcSyncrepl'

The typical setup with SSL looks like this:

{0}rid=000 provider="ldaps://adminserver.mycompany.us"
    bindmethod=simple
    timeout=0
    network-timeout=0
    binddn="cn=mybranch,ou=myorgunit,o=myorg,c=us"
    credentials="secret"
    starttls=no
    tls_cacert=/etc/SLEPOS/keys/certs/ca.crt
    searchbase="o=myorg,c=us"
    scope=sub
    type=refreshAndPersist
    retry="2 +"

If SSL is not used, the tls_cacert=/etc/SLEPOS/keys/certs/ca.crt line is not present.

11.1.2.2.2 Chaining

Chaining with the updateRef directive is the second part of the collaboration between the Administration Server LDAP and the Branch Server LDAP. It handles updates in the opposite direction to that of the SyncRepl consumer when the Branch Server is in online mode.

When a write request arrives at the Branch Server LDAP and the Branch Server is in online mode, the request is forwarded via the LDAP updateRef directive and the chain overlay to the Administration Server LDAP, where the actual request is executed. The updateRef directive is set up and maintained by the posASWatch daemon together with SyncRepl. The chaining settings are persistent and stored in the Branch Server's slapd.conf:

overlay                    chain
chain-uri                  "ldaps://adminserver.mycompany.us"
chain-idassert-bind        bindmethod="simple"
                           binddn="cn=mybranch,ou=myorgunit,o=myorg,c=us"
                           credentials="secret"
                           mode="self"
chain-return-error         TRUE

These settings reflect the typical SUSE Linux Enterprise Point of Service chain overlay setup.

When the Branch Server is in offline mode, updateRef and SyncRepl are deactivated by posASWatch.

11.2 Using posAdmin to Manage the LDAP Directory

In a SUSE® Linux Enterprise Point of Service system, posAdmin is a command line tool used to add, modify, remove, or query Branch Server and Point of Service terminal information in the LDAP directory. For an overview of the LDAP directory structure and a reference of all SUSE Linux Enterprise Point of Service elements represented in the LDAP directory, refer to Chapter 11, The LDAP Directory on SUSE Linux Enterprise Point of Service.

Starting with an overview of mandatory LDAP objects and general command line options for posAdmin, the following sections explain how to define objects for Branches and Point of Service terminals and how to manage image objects with posAdmin. Find out which posAdmin options to use for modifying, removing or querying LDAP entries and how to update hardware information for specific Point of Service terminals, if needed.

Note: Must and May Attributes for LDAP Objects

Each LDAP object has two types of attributes: must and may attributes. The must attributes are the minimum requirements for an object. The may attributes are optional. The tables in this section list only those may attributes that are relevant to SUSE Linux Enterprise Point of Service.

11.2.1 Mandatory LDAP Objects

When you run the posInitAdminserver command to configure the LDAP directory on the Administration Server, the following objects are automatically created:

With these objects in place, you must then use posAdmin to create the following mandatory objects in the LDAP tree:

Branch Objects:
scPosImage Objects:

Point of Service image objects for the system image files which the Branch Server should distribute to Point of Service terminals. See Section 4.6.2.6, “Adding an scPosImage Object” for more information.

Point of Service Terminal Objects

For example, scCashRegister objects (see Section 4.6.2.1, “Adding an scCashRegister Object”) and their associated configuration objects for each type of Point of Service terminal in your system:

Important: LDAP Objects and Branch Server/Point of Service Terminals

Some administrative tasks in your SUSE Linux Enterprise Point of Service system depend on the existence of certain LDAP objects:

  • Before you can run posInitBranchserver and deploy the Branch Server, you must have created the scBranchServer object and its supporting organizational structure.

  • Before you boot the Point of Service terminals, you must create the scPosImage objects in the LDAP database. The images must be activated before you boot the Point of Service terminals. The terminals require an activated scPosImage object before they can download the corresponding physical image from the Branch Server. Activate either by setting the scPosImageVersion attribute of the relevant scPosImage object to active or by creating a non-disabled scImageVersion object. For more information on activating images, see Section 4.6.2.8, “Activating Images”.

When you boot the Point of Service terminals, posleases2ldap automatically creates a Workstation object (scWorkstation) in the LDAP directory for every Point of Service terminal that registers on the Branch Server. For information on this process, see Section 6.3.3, “The hwtype.MAC.HASH File”.

As soon as the scWorkstation objects exist in the directory, you can define attributes specific to particular workstations. For example, you can assign a specific system image (scPosImage) object to a workstation. For instructions on this procedure, see Section 4.6.2.9, “Assigning an Image to a Point of Service Terminal”.

11.2.2 General Command Options

Find an overview of general posAdmin command line options in Table 11.1, “posAdmin: General Command Line Options”.

Table 11.1: posAdmin: General Command Line Options (option, description)

--user

Specifies a user name. Options --user and --password are not mandatory. If not used, user name and password are read from the configuration file.

--password

Specifies a password. Used primarily together with --user for user authentication. For example,

posAdmin --user cn=admin,o=myorg,c=us --password secret

If you use the --user option on the command line without a password, you are prompted for a password.

--base

Specifies a base context in the LDAP directory. When you add a new location (branch), you specify an organization or organizational unit as a base. For example,

--base o=myorg,c=us --base ou=myorgunit,o=myorg,c=us

In some cases, you can use an abbreviation or a common name for the base. This is only possible if the common name is a unique value in the directory. For example:

--base myorgunit

If posAdmin cannot determine the base (no base or more than one base is found), it exits with an error message.

--help

Displays the basic command options.

11.2.3 Modifying LDAP Entries

The modify option enables you to modify, add, or delete attributes of existing LDAP objects. Only may attributes can be added or deleted.

To add or to modify attributes, specify the element, an attribute value pair, and a DN. The main difference between command arguments in add, remove, and modify operations is that the add operation specifies the base DN of the directory element below which the new entry should be created with the --base option. The modify and remove operations identify the target element with the --DN option.

If an operation is not finished successfully, posAdmin returns an error message.

Table 11.2, “posAdmin Options for Modifying LDAP Objects” summarizes the posAdmin command options for modifying LDAP objects.

Table 11.2: posAdmin Options for Modifying LDAP Objects (attribute, type, explanation)

--DN (must)

Distinguished name of the element to modify.

--object (must)

Object with must or may attributes to be modified, where object is the object class, for example: --scWorkstation.

--attribute (must)

Attribute to be modified, where attribute is the attribute name, for example: --scPosImageVersion.

value (may)

Value following the attribute option. If a value is given, the attribute is modified; otherwise, the attribute entry is deleted.

The following command removes an image reference in terminal CR01 (scPosImageDn value under scWorkstation object):

posAdmin \
--modify --scWorkstation --scPosImageDn --DN cn=CR01,cn=mybranch,ou=myorgunit,o=myorg,c=us

The following command removes both image reference and image version in terminal CR01 (scPosImageDn and scPosImageVersion values under scWorkstation object):

posAdmin \
--modify --scWorkstation --scPosImageDn --scPosImageVersion \
--DN cn=CR01,cn=mybranch,ou=myorgunit,o=myorg,c=us

The following command adds a new or modifies an existing image reference:

posAdmin \
--modify --scWorkstation --scPosImageDn cn=myMinimal,cn=myTestImages,cn=global,o=myorg,c=us \
--DN cn=CR01,cn=mybranch,ou=myorgunit,o=myorg,c=us

The following command adds a new or modifies an existing image reference and image version:

posAdmin \
--modify --scWorkstation --scPosImageDn cn=myMinimal,cn=myTestImages,cn=global,o=myorg,c=us \
--scPosImageVersion '2.1.0;active' --DN cn=CR01,cn=mybranch,ou=myorgunit,o=myorg,c=us

The option --multival is used to add, remove, or modify values of attributes with multiple subvalues. Only one such subvalue can be modified by a single posAdmin command. Other subvalues are preserved.

The following command adds image version 2.1.1;active to the image myMinimal (scPosImageVersion value under scPosImage object):

posAdmin \
--modify --multival --scPosImage --scPosImageVersion '=>2.1.1;active' \
--DN cn=myMinimal,cn=myTestImages,cn=global,o=myorg,c=us

The following command removes image version 2.0.4;active (if it exists):

posAdmin \
--modify --multival --scPosImage --scPosImageVersion '2.0.4;active=>' \
--DN cn=myMinimal,cn=myTestImages,cn=global,o=myorg,c=us

The following command modifies image version 2.0.4;active to 2.0.4;passive (assuming it exists):

posAdmin \
--modify --multival --scPosImage --scPosImageVersion '2.0.4;active=>2.0.4;passive' \
--DN cn=myMinimal,cn=myTestImages,cn=global,o=myorg,c=us

The following commands manipulate scIdPool values. For example, to add priId0 to a new subvalue, use:

posAdmin --DN cn=mybranch,ou=myorgunit,o=myorg,c=us --modify --multival \
--scLocation --scIdPool '=>priId0'

To add secId1 and secId2 together to one new subvalue, use:

posAdmin --DN cn=mybranch,ou=myorgunit,o=myorg,c=us --modify --multival \
--scLocation --scIdPool '=>secId1;secId2'

The scIdPool should then be represented as:

priId0
secId1;secId2

To remove secId1 and secId2, use:

posAdmin --DN cn=mybranch,ou=myorgunit,o=myorg,c=us --modify --multival \
--scLocation --scIdPool 'secId1;secId2=>'

Because of the nature of multivalue attributes, it is not possible to manipulate IDs within the same subvalue separately. To only remove secId1, use:

posAdmin --DN cn=mybranch,ou=myorgunit,o=myorg,c=us --modify --multival \
--scLocation --scIdPool 'secId1;secId2=>secId2'

To see what IDs are present and how they are inserted, use posAdmin:

posAdmin --base ou=myorgunit,o=myorg,c=us \
--query --scLocation --scIdPool
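The 'old=>new' syntax of --multival and the rule that IDs sharing one subvalue cannot be edited separately are easy to get wrong in scripts. The following is an added example, not posAdmin code, that models the subvalue transformation in Python exactly as described above and builds the specification needed to drop a single ID out of a shared subvalue. The treatment of adding a value that already exists as a no-op is an assumption (an LDAP attribute holds each value at most once).

```python
def apply_multival(values, spec):
    """Apply one posAdmin --multival specification 'old=>new' to the list of subvalues of a
    multivalued attribute and return a new list: '=>new' adds new, 'old=>' removes old,
    'old=>new' replaces old. Only the named subvalue changes; all others are preserved.
    A missing old value makes removal or replacement a no-op ('if it exists' above)."""
    if spec.count("=>") != 1:
        raise ValueError(f"expected exactly one '=>' in {spec!r}")
    old, new = spec.split("=>")
    if not old and not new:
        raise ValueError("nothing to add, remove or replace")
    result = list(values)
    if not old:
        if new not in result:          # assumption: a duplicate value is not added twice
            result.append(new)
        return result
    if old not in result:
        return result
    i = result.index(old)
    if new:
        result[i] = new
    else:
        del result[i]
    return result

def spec_to_remove_id(values, wanted):
    """Build the --scIdPool specification that removes a single ID from an 'id1;id2;...'
    subvalue. IDs inside one subvalue cannot be edited separately, so the whole subvalue
    is rewritten without the unwanted ID. Returns None if the ID is not present."""
    for sub in values:
        ids = sub.split(";")
        if wanted in ids:
            rest = ";".join(i for i in ids if i != wanted)
            return f"{sub}=>{rest}"
    return None

if __name__ == "__main__":
    # Replays the scIdPool sequence from this section on an initially empty pool.
    pool = apply_multival([], "=>priId0")
    pool = apply_multival(pool, "=>secId1;secId2")
    print(pool)                                        # ['priId0', 'secId1;secId2']
    print(spec_to_remove_id(pool, "secId1"))           # secId1;secId2=>secId2
    print(apply_multival(pool, spec_to_remove_id(pool, "secId1")))
```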

11.2.4 Removing LDAP Entries

To remove an object from the LDAP directory, use the --remove option and the --DN attribute with the unique name of the object to delete. If the referred object has subentries, you must add the --recursive option.

Table 11.3, “posAdmin Options for Deleting LDAP Objects” summarizes the posAdmin command options for deleting LDAP objects.

Table 11.3: posAdmin Options for Deleting LDAP Objects (option, type, description)

--DN (must)

Distinguished name of the object to delete.

--recursive (may)

Option to delete an object with all sub-objects.

The following command removes all images in the distribution container (scDistributionContainer object) myTestImages including the container itself:

posAdmin \
--remove --recursive --DN cn=myTestImages,cn=global,o=myorg,c=us

The following command removes the image (scPosImage object) myMinimal in the distribution container myTestImages:

posAdmin \
--remove --DN cn=myMinimal,cn=myTestImages,cn=global,o=myorg,c=us

The following command removes registered terminal (scWorkstation object) CR01:

posAdmin \
--remove --DN cn=CR01,cn=mybranch,ou=myorgunit,o=myorg,c=us

Terminals can also be removed according to the time of their last boot, which is stored in the scLastBootTime attribute of the scWorkstation object. To delete workstations that were not booted in the last T seconds, use: pos ws-remove --no-boot-in-last T. To delete workstations that were not booted since a specified date, use: pos ws-remove --no-boot-since datetime, where datetime is a date/time string compatible with the Linux date command, for example 2013-08-13 15:21:14. If scLastBootTime is empty, the workstation will never be deleted.

Under normal conditions, workstations are additionally checked for whether they are online or not, and deleted only if they are offline and older than specified. To override this check, use the --force parameter. If you only want to test which workstations would be removed, use the --dry-run parameter.
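The following is an added example, not part of the pos tool, that models the selection rules just described in Python so they can be checked against sample registrations before running pos ws-remove. It assumes scLastBootTime is stored in the same "YYYY-MM-DD HH:MM:SS" form as the --no-boot-since example above, and uses a constructed online flag in place of the tool's own online check; the sample workstations are constructed data.

```python
from datetime import datetime, timedelta

# Assumed storage format for scLastBootTime (matches the --no-boot-since example above).
TIME_FMT = "%Y-%m-%d %H:%M:%S"

def select_for_removal(workstations, now, no_boot_in_last=None, no_boot_since=None, force=False):
    """Return the cn of every workstation that the described rules would delete.
    Exactly one of no_boot_in_last (seconds) or no_boot_since (date string) sets the cutoff.
    An empty scLastBootTime is never deleted; an online terminal is kept unless force is set."""
    if (no_boot_in_last is None) == (no_boot_since is None):
        raise ValueError("specify exactly one of no_boot_in_last or no_boot_since")
    if no_boot_in_last is not None:
        cutoff = now - timedelta(seconds=no_boot_in_last)
    else:
        cutoff = datetime.strptime(no_boot_since, TIME_FMT)
    selected = []
    for ws in workstations:
        last = (ws.get("scLastBootTime") or "").strip()
        if not last:
            continue                                  # never booted or unknown: keep
        if datetime.strptime(last, TIME_FMT) >= cutoff:
            continue                                  # booted recently enough: keep
        if ws.get("online") and not force:
            continue                                  # still online: keep unless --force
        selected.append(ws["cn"])
    return selected

# Constructed sample registrations; 'online' is an assumed field for the online check.
SAMPLE = [
    {"cn": "CR01", "scLastBootTime": "2013-08-19 11:00:00", "online": False},
    {"cn": "CR02", "scLastBootTime": "2013-08-01 08:30:00", "online": True},
    {"cn": "CR03", "scLastBootTime": "", "online": False},
    {"cn": "CR04", "scLastBootTime": "2013-08-05 09:15:00", "online": False},
]
NOW = datetime(2013, 8, 20, 12, 0, 0)

if __name__ == "__main__":
    # Equivalent of a dry run of 'pos ws-remove --no-boot-in-last 604800' (7 days).
    print("dry run:", select_for_removal(SAMPLE, NOW, no_boot_in_last=7 * 86400))
    print("with --force:", select_for_removal(SAMPLE, NOW, no_boot_in_last=7 * 86400, force=True))
```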

11.2.5 Querying LDAP Objects

To query LDAP, use the --query option, the --DN path option, an object option such as --scLocation or --scBranchServer, and, if desired, one or more attribute value pairs. The --list and --full switches control how and what data is displayed; by default, the result is a tree view showing only the queried attributes.

Table 11.4, “posAdmin Options for Querying the LDAP Database” summarizes the posAdmin command options for querying the LDAP database.

Table 11.4: posAdmin Options for Querying the LDAP Database (option, type, description)

--base base (may)

The base option sets the base in which to search for objects. The default base is the organization (o=myorg,c=us).

--DN regexp (may)

Regular expression for the distinguished name of the queried element.

--object (may)

Object to be queried, where object is the object class, e.g., --scLocation.

--attribute regexp (may)

Show only objects whose attribute value conforms to the regular expression.

The --attribute options can also be used without specified values. In such a case, all objects are shown, but only the specified attributes are printed in the output (other attributes are omitted).

--list (may)

Displays the result as a list, not as a tree (useful for script processing).

--full (may)

Displays all attributes and all their values (--attribute --value filtering still takes place). Also enables display of the DN for each object.

--showDN (may)

Displays all DNs of found objects also in the tree view.

For example, to list all locations in the ou=myorgunit,o=myorg,c=us organizational unit showing all data, use:

posAdmin --base ou=myorgunit,o=myorg,c=us \
--query --scLocation

To list all locations in the ou=myorgunit,o=myorg,c=us organizational unit showing only ipNetworkNumber, use:

posAdmin --base ou=myorgunit,o=myorg,c=us \
--query --scLocation --ipNetworkNumber

To list all locations in the ou=myorgunit,o=myorg,c=us organizational unit with the ipNetworkNumber 192.168.1.0, use:

posAdmin --base ou=myorgunit,o=myorg,c=us \
--query --scLocation --ipNetworkNumber 192.168.1.0

To list all IDs in all locations in the ou=myorgunit,o=myorg,c=us organizational unit, use:

posAdmin --base ou=myorgunit,o=myorg,c=us \
--query --scLocation --scIdPool

To find out if there is a workstation registered with ID equal to terminal1, use:

posAdmin --query --scWorkstation --cn terminal1

To find out if there is any workstation registered with an ID containing the terminal substring and ending with two or three digits, and with a MAC address composed of digits only, use:

posAdmin --query --scWorkstation --cn '.*terminal.*\D*\d{2,3}' --macAddress '(\d\d:){5}\d\d'

To find all roles under role containers roles1 or roles2 and show all their attributes, use:

posAdmin --query --DN '.*,cn=(roles1|roles2),.*' --scRole --full

To get a plain list consisting only of DNs of all cash registers using a raid scheme, use:

posAdmin --query --scCashRegister --scRaidScheme '.*'  --list | grep DN: | cut -d ' ' -f2

11.2.6 posAdmin XML Interface

Adding SUSE Linux Enterprise Point of Service LDAP objects via posAdmin can be a time-consuming and confusing process prone to errors. To address this inconvenience, SUSE Linux Enterprise Point of Service introduces an XML interface for posAdmin. With the XML interface, it is possible to export LDAP data to an XML file and import data from an XML file into the LDAP database.

The XML approach has the following advantages:

  • Ability to define more than one LDAP object at a time.

  • Improved readability of object definitions for human administrators and scripts.

  • Implementation of precise validation checks performed before actually writing to the LDAP database.

11.2.6.1 Exporting LDAP Database to XML

To export the complete LDAP database to an XML file, use:

posAdmin --export --type XML --file filename

You can also export a database subtree by using the --base option with the appropriate baseDN parameter:

posAdmin --export --type XML --file filename --base baseDN

11.2.6.2 Importing XML to LDAP Database

To import the SUSE Linux Enterprise Point of Service XML file into the LDAP database use:

posAdmin --import --type XML --file filename

The XML import is performed in three steps:

  1. Validation of the XML file (see Section 11.2.6.5, “SUSE Linux Enterprise Point of Service XML validation”).

  2. Validation of SUSE Linux Enterprise Point of Service data with imported data applied (see Section 11.3, “LDAP Validation and Checking”).

  3. If both checks are successful, the LDAP database is updated. In case of any error, the import is interrupted and an explanatory message is displayed.

11.2.6.3 Using XML to Modify LDAP Data

SUSE Linux Enterprise Point of Service XML supports four types of modification of LDAP data:

insert

Use to add new data if the existing LDAP data should not be modified.

If the data being added already exists in the LDAP database, it is skipped and the import continues. This is the default modification type.

replace

Use to add new data or to replace existing LDAP data.

If the data being added already exists in the LDAP database, the LDAP data is overwritten. The XML must specify all required attributes. If an element uses the replace modifyType, all its children must also use the replace modifyType.

update

Use update to modify existing LDAP data.

XML does not need to specify all required attributes. Attributes with nonempty tags are replaced in LDAP data. Attributes with empty tags are deleted from LDAP data. Unspecified attributes will not be changed.

delete

Use to delete LDAP data.

If the data does not exist in the LDAP database, the operation is skipped. If an element uses the delete modifyType, all its children must also use the delete modifyType.

The following example adds a new global role role2, deletes the description of role1, changes the global image name graphical to graphical-updated and deletes the global image testImage, all using one XML file:

<?xml version="1.0" encoding="utf-8" standalone="no"?>
<slepos xmlversion="0.2" xmlns="http://www.suse.com/SLEPOS" xmlns:xi="http://www.w3.org/2001/XInclude">
    <!-- add scRole role2 as global role. Not specified modifyType defaults to insert -->
    <scRole dn="cn=role2,cn=global,o=myorg,c=us">
        <attributes>
            <scRoleName>ramdisk role</scRoleName>
            <scRoleDescription>use ramdisk</scRoleDescription>
        </attributes>
    </scRole>

    <!-- delete description of role1 -->
    <scRole dn="cn=role1,cn=global,o=myorg,c=us" modifyType="update">
        <attributes>
            <scRoleDescription />
        </attributes>
    </scRole>

    <!-- update image name graphical to graphical-updated -->
    <scPosImage dn="cn=graphical,cn=default,cn=global,o=myorg,c=us" modifyType="update">
        <attributes>
            <scImageName>graphical-updated</scImageName>
        </attributes>
    </scPosImage>

    <!-- delete testImage -->
    <scPosImage dn="cn=testImage,cn=default,cn=global,o=myorg,c=us" modifyType="delete">
        <attributes />
    </scPosImage>
</slepos>

11.2.6.4 SUSE Linux Enterprise Point of Service XML Format

Example of scLocation object in SUSE Linux Enterprise Point of Service XML:

<?xml version="1.0" encoding="utf-8" standalone="no"?>
<slepos xmlversion="0.2" xmlns:slepos="http://www.suse.com/SLEPOS" xmlns:xi="http://www.w3.org/2001/XInclude">
  <organization dn="o=myorg,c=us">
    <attributes />
    <organizationalUnit dn="ou=myorgunit">
      <attributes>
        <description>My organizational unit</description>
      </attributes>
      <scLocation dn="cn=mybranch">
        <attributes>
          <ipNetworkNumber>192.168.125.0</ipNetworkNumber>
          <ipNetmaskNumber>255.255.255.0</ipNetmaskNumber>
          <scDhcpRange>192.168.125.10,192.168.125.50</scDhcpRange>
          <scDhcpFixedRange>192.168.125.51,192.168.125.151</scDhcpFixedRange>
          <scDefaultGw>192.168.125.253</scDefaultGw>
          <scDynamicIp>TRUE</scDynamicIp>
          <scWorkstationBaseName>CR</scWorkstationBaseName>
          <scEnumerationMask>00</scEnumerationMask>
          <scDhcpExtern>FALSE</scDhcpExtern>
          <userPassword>password</userPassword>
          <scDnsMapFunc>direct</scDnsMapFunc>
          <scIpMapFunc>transform:([0-9.]+)</scIpMapFunc>
        </attributes>
      </scLocation>
    </organizationalUnit>
  </organization>
</slepos>

SUSE Linux Enterprise Point of Service XML data is always encapsulated by the <slepos></slepos> tags specifying SUSE Linux Enterprise Point of Service and XInclude namespaces.

The <attributes> element must always be present even if it defines no attributes.

Each objectClass element (for example <scLocation>) has an optional parameter modifyType with the following possible values: insert, replace, update, and delete. If not specified, modifyType defaults to insert.

You can find an example of a SUSE Linux Enterprise Point of Service XML configuration for a combined server (Administration Server and Branch Server on a single machine) in /usr/share/doc/packages/POS_Contrib/SLEPOS-XML/.

11.2.6.4.1 Specifying LDAP Distinguished Names (DNs)

In SUSE Linux Enterprise Point of Service XML, each element representing an LDAP object class has a mandatory dn attribute. The content of the dn attribute depends on the position of the element:

  • If the element is directly under the <slepos:slepos> element, the dn attribute must contain the full DN of the entry the element represents. The only exception is when the <slepos:slepos> element specifies its baseDN attribute; in that case, the dn attribute is specified relative to the baseDN attribute.

  • In all other cases, the dn attribute must be specified relative to its parent element.

In the example above, the DN of the organization is o=myorg,c=us and, because it is a direct child of <slepos:slepos>, the complete DN is specified. In comparison, the complete DN of the scLocation is cn=mybranch,ou=myorgunit,o=myorg,c=us, but only its first component is specified, so its dn attribute is cn=mybranch.

11.2.6.4.2 Handling scConfigFileTemplate objects

The scConfigFileTemplate objects in LDAP contain the actual content of the configuration files they describe. SUSE Linux Enterprise Point of Service XML files do not include this content directly. Instead, during export the configuration files are written to the same directory as the SUSE Linux Enterprise Point of Service XML file, with file names of the form xml_file_name-entry_dn.conf, and the file name is written to the XML as the scConfigFileData attribute.

During import, each scConfigFileData attribute is checked for whether it refers to an existing file. If it does, the file is loaded and its content is inserted as the scConfigFileData value; otherwise the scConfigFileData attribute is left intact.

11.2.6.5 SUSE Linux Enterprise Point of Service XML validation

Validation of SUSE Linux Enterprise Point of Service XML is done via the command:

posAdmin --validateXML --file filename [--schema <filename>]

It performs XML validation against the SUSE Linux Enterprise Point of Service XML RelaxNG schema. If the --schema parameter is not specified, the validation schema is generated from the SUSE Linux Enterprise Point of Service LDAP schema.

11.2.6.6 Evaluation of Modifications and Limitations

Modifications are evaluated in the order of the elements in the XML file. This matters when the same data is modified several times in one XML file. The same rules apply as for adding to LDAP directly. For example, it is allowed to insert and delete the very same data in one XML file, which results in no change in LDAP. If two or more elements carry the same DN, the first element is written to LDAP and the others are skipped. Because of this evaluation order, it is not possible to change the delete or replace modification types in child elements.

SUSE Linux Enterprise Point of Service XML modification currently does not allow moving or renaming of entries (the moddn/modrdn LDAP operation).
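The DN rules of Section 11.2.6.4.1, the scConfigFileData linking of Section 11.2.6.4.2 and the in-order evaluation described above are exercised together in the following added Python example, which is not part of posAdmin or SUSE Linux Enterprise Point of Service. The sample XML, the export-file dictionary and the replace/update/delete semantics of the in-memory replay are assumptions of the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not from the page): SLEPOS XML 0.2 with a baseDN on the
# root element, a duplicate DN, and an insert/delete pair for the same entry.
SAMPLE_XML = """<slepos xmlversion="0.2" baseDN="o=myorg,c=us"
    xmlns:slepos="http://www.suse.com/SLEPOS" xmlns:xi="http://www.w3.org/2001/XInclude">
  <scRefObjectContainer dn="cn=global">
    <attributes />
    <scCashRegister dn="cn=mypos">
      <attributes><scCashRegisterName>mypos</scCashRegisterName></attributes>
      <scConfigFileTemplate dn="cn=xorg.conf">
        <attributes>
          <scConfigFile>xorg.conf</scConfigFile>
          <scConfigFileData>branch.xml-cn=xorg.conf,cn=mypos,cn=global,o=myorg,c=us.conf</scConfigFileData>
        </attributes>
      </scConfigFileTemplate>
      <scConfigFileTemplate dn="cn=xorg.conf">
        <attributes><scConfigFileData>branch.xml-missing.conf</scConfigFileData></attributes>
      </scConfigFileTemplate>
    </scCashRegister>
    <scCashRegister dn="cn=oldpos"><attributes /></scCashRegister>
    <scCashRegister dn="cn=oldpos" modifyType="delete"><attributes /></scCashRegister>
  </scRefObjectContainer>
</slepos>"""

# Constructed stand-in for the export directory: only the xorg.conf file exists.
EXPORTED_FILES = {
    "branch.xml-cn=xorg.conf,cn=mypos,cn=global,o=myorg,c=us.conf":
        'Section "Device"\n  Identifier "card0"\nEndSection\n',
}

def parse_slepos(xml_text):
    root = ET.fromstring(xml_text)
    if root.tag != "slepos":
        raise ValueError("SLEPOS XML must be wrapped in <slepos></slepos>")
    return root

def walk_entries(root):
    """Yield (element, full DN) in document order: direct children of <slepos> carry
    a full DN (or one relative to baseDN); deeper dn values are relative to the parent."""
    def visit(parent, parent_dn):
        for child in parent:
            if child.tag == "attributes":
                continue
            if not child.get("dn"):
                raise ValueError(f"<{child.tag}> lacks the mandatory dn attribute")
            dn = child.get("dn") + ("," + parent_dn if parent_dn else "")
            yield child, dn
            yield from visit(child, dn)
    yield from visit(root, root.get("baseDN"))

def attributes_of(element):
    """Return {name: [values]} from the <attributes> child, which must always exist."""
    attrs = element.find("attributes")
    if attrs is None:
        raise ValueError(f"<{element.tag} dn={element.get('dn')!r}> has no <attributes>")
    result = {}
    for value in attrs:
        result.setdefault(value.tag, []).append(value.text or "")
    return result

def modify_type(element):
    kind = element.get("modifyType", "insert")  # insert is the documented default
    if kind not in ("insert", "replace", "update", "delete"):
        raise ValueError(f"unknown modifyType {kind!r} on <{element.tag}>")
    return kind

def link_config_files(root, files):
    """scConfigFileData naming an existing exported file is replaced by that file's
    content; otherwise it is left intact. `files` maps file name to content (offline)."""
    linked = []
    for element, dn in walk_entries(root):
        node = element.find("attributes/scConfigFileData")
        if element.tag != "scConfigFileTemplate" or node is None or not node.text:
            continue
        content = files.get(node.text.strip())
        if content is not None:
            node.text = content
            linked.append(dn)
    return linked

def apply_modifications(root, directory=None):
    """Replay the file in document order against an in-memory directory {dn: attrs}:
    inserting an existing DN is skipped; insert then delete leaves no trace. replace
    (overwrite), update (merge) and delete (takes the subtree) are assumptions here."""
    directory = {} if directory is None else directory
    log = []
    for element, dn in walk_entries(root):
        kind, attrs = modify_type(element), attributes_of(element)
        if kind == "insert" and dn in directory:
            kind = "skipped"
        elif kind in ("insert", "replace"):
            directory[dn] = attrs
        elif kind == "update":
            directory.setdefault(dn, {}).update(attrs)
        elif kind == "delete":
            for key in [k for k in directory if k == dn or k.endswith("," + dn)]:
                del directory[key]
        log.append((kind, dn))
    return directory, log
```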

11.2.6.7 Compatibility and Converting of Different XML Versions

In SUSE Linux Enterprise Point of Service, both versions 0.1 and 0.2 of SUSE Linux Enterprise Point of Service XML are supported. Note that the posAdmin XML export produces SUSE Linux Enterprise Point of Service XML version 0.2. SUSE Linux Enterprise Point of Service ships with an XSL template for converting SUSE Linux Enterprise Point of Service XML 0.1 to 0.2, stored in /etc/SLEPOS/template/XML/SLEPOSxml0.1to0.2.xslt.

Use the following command to convert the XML file:

xsltproc -o newXMLFile /etc/SLEPOS/template/XML/SLEPOSxml0.1to0.2.xslt oldXMLFile

11.2.7 SUSE Linux Enterprise Point of Service posAdmin Graphical User Interface

The SUSE Linux Enterprise Point of Service posAdmin-GUI is a graphical tool that simplifies the configuration of Branch Servers, images and cash registers. It uses the YaST graphical library to provide a familiar look and feel and is shipped in the additional SUSE Linux Enterprise Point of Service package POS_Server-AdminGUI.

The posAdmin-GUI command can be started once the POS_Server-AdminGUI package and its requirements are installed; an initialized SUSE Linux Enterprise Point of Service environment is not required. The GUI is started by the posAdmin-GUI command (specifically /usr/sbin/posAdmin-GUI.pl). The command accepts one optional parameter: the file name of an XML file generated by posAdmin-GUI or exported from LDAP. However, posAdmin-GUI works with only one BranchServer (scLocation) object; if the exported XML file contains more than one scLocation, no BranchServer (scLocation) data is loaded and only the global images (scPosImage), cash registers (scCashRegister) and roles (scRole) are loaded.

The posAdmin GUI work flow is divided into 4 stages: BranchServer specific configuration, Images, Cash Registers and Final stage.

11.2.7.1 BranchServer configuration

The first stage covers the Branch Server (scLocation, scNetworkcard, scService, ...) and roles configuration. This stage is further divided into several parts:

Company details and its organizational structure

Organization, country, organizational units and location details together form the LDAP Distinguished Name (DN) of the Branch Server's scLocation object. To add organizational units, click Add nested OU. The DN is built by concatenating the entered data from the bottom up: the location first, then the organizational units, and finally the organization and the country.

Enablement of the external DHCP, local and global roles

The External DHCP check box sets the scDhcpExtern attribute to TRUE, which disables the SUSE Linux Enterprise Point of Service managed DHCP service.

To enable the role-based approach, Use roles must be activated. Activating only Use global roles does not enable roles. If Use global roles and Use roles are activated, the role-based mode and all roles (defined under global and location) are enabled. If Use roles is activated and Use global roles is not activated, the role-based mode is enabled, but only the roles defined under the location are used. If Use roles is not activated, roles are not enabled.

Roles configuration

Individual roles can be configured in the roles configuration window, which opens after clicking the Roles configuration button. The roles configuration window provides an option to configure the ID pool (the scIdPool attribute); individual IDs are separated by semicolons (';'). You can then add, edit or remove roles.

To add a role, ensure that <add new role> is selected in the list of roles, select local or global role, enter the role name and click Add role.

To modify a role, select the role in the role list, update any role attributes and click Update role.

To remove a role, select the role in the role list and click Remove role.

For each role, the file templates can be managed by clicking Manage file templates. When done editing, click Return to BS configuration to return.

File templates configuration

Static file templates (scConfigFileTemplate), dynamic file templates (scConfigFileSyncTemplate) and PXE file templates (scPxeFileTemplate) can be configured here.

To add a template, ensure that <add new template> is selected in the list of templates, then select the type of template and fill in the required information. The Source file points to the file on the server to load; the Target file is the path where the loaded file is placed on the deployed workstation.

To modify a template, select the template in the template list, update any attributes and click Update template.

To remove a template, select the template in the template list and click Remove template.

When you are done, click Return to return to the previous configuration window.

Configuration of the Branch Server services and network

The Branch Server services configuration usually needs little adjustment. It preloads default service configurations that should suit almost all use cases. Note that service-specific parameters cannot contain arbitrary settings: they refer to LDAP attributes, so only attributes present in the SUSE Linux Enterprise Point of Service LDAP schema can be entered. The usage model is similar to the Roles and File templates configuration.

The Branch Server network configuration covers the network to which the workstations are connected (the branch internal network). There is no need to define network cards facing WAN, VPN, etc. The Branch Server host name refers to the common name (cn) attribute of the scBranchServer object in LDAP, that is, the host name of the Branch Server in the branch internal network. The Branch Server network address refers to ipNetworkNumber, the network mask to ipNetmaskNumber, the default gateway to scDefaultGw, the DHCP fixed IP range to scDhcpFixedRange and the DHCP dynamic IP range to the scDhcpRange attribute of the scLocation object class.

Advanced options after enabling "Advanced mode"

The advanced mode is enabled by checking the Advanced mode check box. The following attributes are available in the advanced mode: the IP mapping function (scIpMapFunc), the DNS mapping function (scDnsMapFunc), the associated domain (associatedDomain), the enumeration mask (scEnumerationMask), the workstation base name (scWorkstationBaseName) and the server container (the common name of the scServerContainer object).

All values are either imported from the provided XML or filled with SUSE Linux Enterprise Point of Service defaults.

11.2.7.2 Images configuration

Images configuration lists all registered local and global images. To add a new image, make sure <add new image> is selected in the image list.

All fields correspond to LDAP attributes of the scPosImage LDAP object: the image name (scImageName), the image version (scImageVersion) and the image file (scImageFile). The password for encrypted images can be entered after enabling the advanced mode, which also reveals the DHCP options for remote boot (scDhcpOptionsRemote), the DHCP options for local boot (scDhcpOptionsLocal) and the block size (scBsize). The configuration of file templates is also available for every image.

11.2.7.3 Cash register configuration

Cash register configuration lists all registered local, global and role based (if enabled) cash registers. To add a new cash register, make sure that <add new image> is selected in the list of cash registers.

In the default mode, there is only one editable field, the CashRegister name, which corresponds to the scCashRegisterName attribute of the scCashRegister LDAP object. The associated image field is dynamically filled from the list of registered images.

An important part of the cash register configuration is disk management, which is done in the Manage disks window. The configuration differs for hard disks and RAM disks, and posAdmin-GUI adapts itself to the disk type. A RAM disk is configured simply by filling in the device ID (the scDevice attribute of the scRamDisk object). A hard disk needs its partitioning set up. The partitioning-related fields are the partition number (scPartNum), the partition type (scPartType), the partition mount point (scPartMount), the partition size (scPartSize) and the partition password (scPassword). After filling in this information (see Section 4.6.2.3, “Adding an scHarddisk Object”), click Add partition. After all partitions are added, click Add disk or Update disk.

11.2.7.4 Finalize

If posAdmin-GUI is running on a configured Administration Server, the Update LDAP database button is enabled together with the Create Offline Initialization File after LDAP is updated check box. Using this you can directly update the SUSE Linux Enterprise Point of Service LDAP with the new configured data and create the package for offline/automated Branch Server configuration. If posAdmin-GUI is not running on the Administration Server or you do not want to update LDAP immediately, you can export the configured data as a SUSE Linux Enterprise Point of Service XML file by using the Create XML configuration button. This XML file can be edited and imported to SUSE Linux Enterprise Point of Service LDAP using the posAdmin --import --type XML --file <filename> command and/or used as a base for another Branch Server and provided as a start argument to posAdmin-GUI.

11.2.8 Editing LDAP Database Using External Tools

SUSE Linux Enterprise Point of Service LDAP database entries are interconnected in various ways and sometimes contain automatically computed values. The posAdmin tool is aware of this and updates all related parts of the database when necessary. Other tools, for example LDAP editors like GQ or JXplorer, are not aware of such dependencies. posAdmin therefore provides an LDAP refresh feature that recomputes and updates all dependencies for every entry in the LDAP tree:

posAdmin --refresh

The posAdmin --refresh command should be called after each modification of the LDAP database with third-party tools. It can safely be run on a regular basis, for example from the cron daemon.

11.3 LDAP Validation and Checking

SUSE Linux Enterprise Point of Service contains LDAP validation and checking tools. Simple validation and checking is automatically performed during each posAdmin addition or modification call. Full validation is performed during SUSE Linux Enterprise Point of Service XML import or on demand via the following command:

posAdmin --validate

There is an important difference between LDAP validation during the XML import and validation invoked by the posAdmin --validate command. If important LDAP objects are found missing during the XML import, the missing objects are reported but the import continues without failing. In contrast, posAdmin --validate returns an error the first time something is found missing and stops validation.

Additionally, XML and LDIF files can be validated against the SUSE Linux Enterprise Point of Service database. LDIF files can be validated using the following command:

posAdmin --validateLDIF --file filename

XML can be validated using the following command:

posAdmin --validateXML --file filename

11.4 Logical Structure of the LDAP Directory

The LDAP directory is designed with multiple, hierarchical object classes so it can accommodate large corporate structures. The following list describes the standard object classes represented in the SUSE Linux Enterprise Point of Service LDAP directory tree. For a complete listing of SUSE Linux Enterprise Point of Service object classes and their attributes, see Section 11.5, “LDAP Objects Reference” or refer to the OpenLDAP schemata specific to SUSE Linux Enterprise Point of Service that are located under /etc/openldap/schema/sc-pos-attr.schema and /etc/openldap/schema/sc-pos-pos-obj.schema, respectively.

Root

The top level in the LDAP tree. The root represents the world. The next level is represented by Country.

Country

The country in which the organization is located. The next level is represented by Organization.

Organization (organization)

The name of the organization represented in the LDAP tree. The next level is represented by:

Locator Object (scHardware)

posInitAdminserver initially creates an object of the type scHardware, for example cn=standards,o=myorg,c=us. The purpose of this object is to contain the default PXE boot file name (in the scDhcpOptionsRemote, being /boot/pxelinux.0, by default).

Global (scRefObjectContainer)

This initial reference object container is created automatically.

All globally valid information for a chain or company—that is server hardware, Point of Service hardware, or client images—is stored in the global container in the form of reference objects. These reference objects are linked to the actual entries for the Point of Service terminals and servers in the branches using distinguished names.

The initial LDAP structure after installation includes only one scRefObjectContainer named global under the directory root. Other scRefObjectContainer objects can be added as needed. However, the scRefObjectContainer container objects should always have cn=global and appear only once per directory level. This provides great flexibility. For example, each server can be assigned its own reference objects and therefore its own hardware types. On the other hand, if all servers have the same hardware, a unified standard can be defined in the global container on the regional or organizational level. The next level is represented by:

Distribution Container (scDistributionContainer)

A container for the distribution of sets of images.

A distribution set is a collection of images designed for Point of Service terminals on a given version of the Linux kernel. The Default distribution container references the current kernel version included in SUSE Linux Enterprise Point of Service. The next level is represented by the Image Reference object.

Image Reference Object (scPosImage)

The Image Reference object stores information about an image stored on the Administration Server.

By default, an Image Reference object is created for the minimal client image. For information on adding this object class to the LDAP directory, see Section 4.6.2.6, “Adding an scPosImage Object”. The next level is represented by:

File-Based Configuration Template (scConfigFileSyncTemplate)

scConfigFileSyncTemplate objects are used when running services, such as an X Window System, which require hardware-dependent configuration files. The scConfigFileSyncTemplate object points to the configuration file that a Point of Service terminal needs to run a given service. This object differs from scConfigFileTemplate objects because the configuration data is not stored in the object; rather, the object points to a configuration file outside the LDAP directory.

This element can also exist under scCashRegister objects.

For information on adding this object class to the LDAP directory, see Section 4.6.2.5, “Adding an scConfigFileSyncTemplate Object”.

LDAP-Based Configuration Template (scConfigFileTemplate)

scConfigFileTemplate objects are used when running services, such as the X Window service, which require hardware-dependent configuration files. An scConfigFileTemplate object contains the configuration file data that a Point of Service terminal needs to run a given service.

This element can also exist under scCashRegister objects.

For information on adding this object class to the LDAP directory, see Section 4.6.2.4, “Adding an scConfigFileTemplate Object”.

Hardware Reference Object (scCashRegister)

The Hardware Reference object stores information about the Point of Service hardware.

Typically, you should define an scCashRegister object for each type of terminal used on the SUSE Linux Enterprise Point of Service system; however, if a Point of Service terminal does not have an scCashRegister object for its specific hardware type, it will use the configuration defined in the default scCashRegister object. For information on adding this object class to the LDAP directory, see Section 4.6.2.1, “Adding an scCashRegister Object”. The next level is represented by:

Hard Disk (scHarddisk)

The configuration for a Point of Service terminal hard disk.

For information on adding this object class to the LDAP directory, see Section 4.6.2.3, “Adding an scHarddisk Object”.

RAM Disk (scRamDisk)

The configuration for a Point of Service terminal RAM disk.

For information on adding this object class to the LDAP directory, see Section 4.6.2.2, “Adding an scRamDisk Object”.

Organizational Units (organizationalUnit)

Organizational units were introduced to improve organizational coherence. They typically represent organizational structures such as regions, branches or divisions.

For information on adding this object class to the LDAP directory, see Section 4.6.1.1, “Creating organizationalUnit Objects”. The next level is represented by Location.

Location (scLocation)

A branch office; this is a site where a Branch Server and Point of Service terminals are located. Location containers are used to store information about the deployed Point of Service terminals and the Branch Servers. This and all other information that can be modified at the Branch Server should be stored or referenced in the Location containers to limit the need to grant write privileges to subtrees.

For information on adding this object class to the LDAP directory, see Section 4.6.1.2, “Adding an scLocation Object”. The next level is represented by:

Workstation (scWorkstation)

The Workstation object stores information for a specific Point of Service terminal. Using information from the Hardware Reference object (scCashRegister) and Image Reference object (scPosImage), posleases2ldap automatically creates a Workstation object in the LDAP directory for every Point of Service terminal that registers on the Branch Server. For information on this process, see Section 6.3.3, “The hwtype.MAC.HASH File”.

Server Container (scServerContainer)

A container for all the Branch Server objects for a given site. The information pertaining to the Branch Servers is stored in the Server container.

To provide system redundancy and failover, there can be multiple Branch Servers for each site.

For information on adding this object class to the LDAP directory, see Section 4.6.1.3, “Adding an scServerContainer and scBranchServer Objects”. The next level is represented by Branch Server.

Branch Server (scBranchServer)

The Branch Server object stores configuration information that is specific to each Branch Server. There must be a Branch Server object for every Branch Server in the SUSE Linux Enterprise Point of Service system.

Important
Important: Defining the Branch Server Host Name

The location of the scBranchServer object in the LDAP directory must correspond to the host name defined for the Admin/Branch Server during installation. For example, if the host name is bs.mybranch.myorgunit.myorg.us, the DN of the scBranchServer object needs to be cn=bs,cn=server,cn=mybranch,ou=myorgunit,o=myorg,c=us. You must create the scBranchServer object and its supporting organizational structure before you can run posInitBranchserver and deploy the Branch Server. For information on creating the Branch Server objects, see Section 4.6.1, “Creating Branch Server Objects in LDAP”.

The Administration Server does not have an associated object in the LDAP tree structure.

For information on adding this object class to the LDAP directory, see Section 4.6.1.3, “Adding an scServerContainer and scBranchServer Objects”. The next level is represented by:

Service (scService)

The configuration for Branch Server services like DNS, TFTP, or DHCP.

For information on adding this object class to the LDAP directory, see Section 4.6.1.3, “Adding an scServerContainer and scBranchServer Objects”.

Network Card (scNetworkcard)

The configuration for a Branch Server network interface card.

For information on adding this object class to the LDAP directory, see Step 3.

Hard Disk (scHarddisk)

The configuration for the Branch Server's boot hard disk.

For information on adding this object class to the LDAP directory, see Section 4.6.2.3, “Adding an scHarddisk Object”.

Role (scRole)

The definition of a role.

For information on adding this object class to the LDAP directory, see Section 10.2, “Using Terminals with Roles”.

To illustrate how the directory structure is used, here is a sample query procedure using objects from the example LDAP structure described above.

  1. A search is performed for an object of object class scLocation with cn=eastbay.

    Note
    Note: Search Scope of the Core Scripts

    The core scripts only search for the names of the object classes. The common name for an entry is not used.

  2. Below scLocation a search for an object of object class scServerContainer (server) is carried out.

  3. Below this scServerContainer, we search for an object of object class scBranchServer with cn=bs.

  4. Data specific to this server is located below this scBranchServer object, such as objects of object class scNetworkcard, in which the IP addresses are indicated.

  5. All the data that generally applies to this hardware type, such as partitioning, is read from a reference object of object class scRefServer in which this hardware is described. These reference objects are always organized as containers of an object of object class scRefObjectContainer.

  6. Next, the reference objects that are valid for this Branch Server are located. First the attribute scRefServerDn in the scBranchServer object that represents this server is read. If a DN is included here, the target is used as the reference object for the Branch Server.

  7. If the entry is empty, the search for an object of the object class scHardware moves upward in the directory structure, one level at a time. If the attribute scRefServerDn is set for this type of object, this DN is taken as the target; if not, the search continues upward in the directory structure. If no appropriate object with this attribute is found all the way up to the root level, the process aborts with an error.

The procedure is similar for Point of Service terminal hardware. In this example, in addition to the referenced hardware type (through attribute scRefPcDn to a scCashRegister object), scPosImageDn points to the reference image scPosImage object.
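The query procedure above, replayed over a constructed in-memory copy of the LDAP tree as an added Python example (not SUSE Linux Enterprise Point of Service code): the entries, the reference object names cn=bs-model and cn=bs-big, and the simplified DN parsing (no escaped commas) are assumptions of the example.

```python
# Constructed in-memory stand-in for the SLEPOS LDAP tree ({dn: attributes}). The
# structure follows the page's example DNs; the scRefServer names are made up.
DIRECTORY = {
    "o=myorg,c=us": {"objectClass": "organization"},
    "cn=standards,o=myorg,c=us": {"objectClass": "scHardware",
                                  "scRefServerDn": "cn=bs-model,cn=global,o=myorg,c=us"},
    "cn=global,o=myorg,c=us": {"objectClass": "scRefObjectContainer"},
    "cn=bs-model,cn=global,o=myorg,c=us": {"objectClass": "scRefServer"},
    "cn=bs-big,cn=global,o=myorg,c=us": {"objectClass": "scRefServer"},
    "ou=myorgunit,o=myorg,c=us": {"objectClass": "organizationalUnit"},
    "cn=eastbay,ou=myorgunit,o=myorg,c=us": {"objectClass": "scLocation"},
    "cn=server,cn=eastbay,ou=myorgunit,o=myorg,c=us": {"objectClass": "scServerContainer"},
    "cn=bs,cn=server,cn=eastbay,ou=myorgunit,o=myorg,c=us": {"objectClass": "scBranchServer"},
    "cn=westbay,ou=myorgunit,o=myorg,c=us": {"objectClass": "scLocation"},
    "cn=server,cn=westbay,ou=myorgunit,o=myorg,c=us": {"objectClass": "scServerContainer"},
    "cn=bs,cn=server,cn=westbay,ou=myorgunit,o=myorg,c=us": {
        "objectClass": "scBranchServer",
        "scRefServerDn": "cn=bs-big,cn=global,o=myorg,c=us"},  # set directly (step 6)
}

def parent_dn(dn):
    """Parent of a DN; assumes no escaped commas inside RDN values."""
    return dn.split(",", 1)[1] if "," in dn else ""

def children(directory, dn, object_class, cn=None):
    """Entries one level below `dn` with the given objectClass (and cn, if given)."""
    found = []
    for entry_dn, attrs in directory.items():
        if parent_dn(entry_dn) != dn or attrs.get("objectClass") != object_class:
            continue
        if cn is None or entry_dn.split(",", 1)[0] == f"cn={cn}":
            found.append(entry_dn)
    return found

def find_branch_server(directory, location_cn, server_cn):
    """Steps 1-3: the scLocation with cn=<location_cn>, the scServerContainer
    below it, then the scBranchServer with cn=<server_cn> below that."""
    for location, attrs in directory.items():
        if attrs.get("objectClass") != "scLocation" or not location.startswith(f"cn={location_cn},"):
            continue
        for container in children(directory, location, "scServerContainer"):
            for server in children(directory, container, "scBranchServer", server_cn):
                return server
    raise LookupError(f"no scBranchServer cn={server_cn} below scLocation cn={location_cn}")

def resolve_ref_server(directory, server_dn):
    """Steps 6-7: use scRefServerDn from the scBranchServer itself; otherwise climb
    one level at a time looking for an scHardware entry that carries it, and
    abort with an error once the root is passed without a match."""
    ref = directory[server_dn].get("scRefServerDn")
    if ref:
        return ref
    level = parent_dn(server_dn)
    while level:
        for hardware in children(directory, level, "scHardware"):
            ref = directory[hardware].get("scRefServerDn")
            if ref:
                return ref
        level = parent_dn(level)
    raise LookupError(f"no scHardware with scRefServerDn found above {server_dn}")

def demo():
    """Resolve both sample branches, plus the failure case without a locator object."""
    east = find_branch_server(DIRECTORY, "eastbay", "bs")
    west = find_branch_server(DIRECTORY, "westbay", "bs")
    without_locator = {dn: a for dn, a in DIRECTORY.items() if a["objectClass"] != "scHardware"}
    try:
        resolve_ref_server(without_locator, east)
        failure = None
    except LookupError as exc:
        failure = str(exc)
    return {"east": resolve_ref_server(DIRECTORY, east),
            "west": resolve_ref_server(DIRECTORY, west),
            "failure": failure}
```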

11.5 LDAP Objects Reference

This section provides an alphabetical list of all SUSE Linux Enterprise Point of Service elements represented in the LDAP directory. The must attributes for each element must be defined when creating the element with posAdmin. The may attributes are optional. All elements are structural.

11.5.1 organizationalUnit

Organizational Unit (organizationalUnit) objects are containers that typically represent regions, divisions, or branches within a company. These objects can be nested to visually represent the structure and organization of your company. Branch location objects are created in organizationalUnit containers within the LDAP directory.

Table 11.5: organizationalUnit

  Name         Type  Description
  ou           must  name of organizational unit
  description  may   description of the organizational unit

11.5.2 scBranchServer

The Branch Server object stores configuration information that is specific to each Branch Server. There must be a Branch Server object for every Branch Server in the SUSE Linux Enterprise Point of Service system. Note that the Administration Server does not have an associated object in the LDAP tree structure.

Important
Important: Defining the Branch Server Host Name

The location of the scBranchServer object in the LDAP directory must correspond to the host name defined for the Branch Server during installation. For example, if the host name is bs.mybranch.myorgunit.myorg.us, the dn of the scBranchServer object is cn=bs,cn=server,cn=mybranch,ou=myorgunit,o=myorg,c=us. You must create the scBranchServer object and its supporting organizational structure before you can run posInitBranchserver and deploy the Branch Server. For information on creating the Branch Server objects, see Section 4.6.1, “Creating Branch Server Objects in LDAP”.

For information on adding this object class to the LDAP directory, see Section 4.6.1.3, “Adding an scServerContainer and scBranchServer Objects”.

Table 11.6: scBranchServer

  Name           Type             Description
  cn             must             host name of the server
  scPubKey       may,singlevalue  Public key stored at server for the SSH client
  scRefServerDn  may,singlevalue  DN of a scRefServer

11.5.3 scCashRegister

The scCashRegister objects (also called hardware reference objects) store information about specific Point of Service hardware.

Typically, you should define an scCashRegister object for each type of terminal used on the SUSE Linux Enterprise Point of Service system. However, if a Point of Service terminal does not have a specific scCashRegister object for its specific hardware type, it will use the configuration defined in the default scCashRegister object. For information on adding this object class to the LDAP directory, see Section 4.6.2.1, “Adding an scCashRegister Object”.

Table 11.7: scCashRegister

  Name                Type                       Description
  cn                  must                       Common name of this object, from first part of DN
  scCashRegisterName  must,multivalue            The model type of the Point of Service terminal. If this field is set to "default", the current scCashRegister object is used as the default Point of Service configuration. If a Point of Service terminal does not have an scCashRegister object for its specific hardware type, it will use the configuration defined in the default scCashRegister object
  scDiskJournal       may,singlevalue            Turn on disk journaling. This will only occur on diskfull systems. (TRUE or FALSE)
  scPosDeltaImageDn   may,multivalue,deprecated  DN of delta image for a Point Of Service terminal
  scPosImageDn        may,singlevalue            The DN of the default system image defined for this Point of Service terminal type
  scRaidScheme        may,singlevalue            Definition of RAID. Only RAID type 1 is supported. The format of the entry is: 1 disk1 disk2. The disks can be specified by name (/dev/sda) or by id (/dev/disk/by-id/ata-ST3160815AS_Z4A1ATWL). The values are separated by spaces

11.5.4 scConfigFileSyncTemplate

scConfigFileSyncTemplate objects are used when running services, such as an X Window System, which require hardware-dependent configuration files. The scConfigFileSyncTemplate object points to the configuration file that a Point of Service terminal needs to run a given service. This object differs from scConfigFileTemplate objects, because the configuration data is not stored in the object; rather, the object points to a configuration file outside the LDAP directory.

This element exists under Image Reference objects (class scPosImage), but it can also exist under scCashRegister objects.

For information on adding this object class to the LDAP directory, see Section 4.6.2.5, “Adding an scConfigFileSyncTemplate Object”.

Table 11.8: scConfigFileSyncTemplate

  Name                   Type              Description
  cn                     must              Name of configuration file
  scBsize                must,singlevalue  Block size for the TFTP download of the system image. Minimum 4096 for image size up to 128MB, maximum 65464 for image size up to 2GB
  scConfigFile           must,multivalue   File name of configuration file
  scConfigFileLocalPath  must,singlevalue  The local source path of the configuration file on the Administration Server. For example, /srv/SLEPOS/config/X11/xorg.conf.mydata. This path must be located in the rsync directory
  scMust                 must,singlevalue  Enable or disable the configuration file. (TRUE or FALSE)
  description            may
  scConfigMd5            may,singlevalue   The MD5 checksum value of the configuration file, automatically generated by posAdmin

11.5.5 scConfigFileTemplate

scConfigFileTemplate objects are used when running services, such as the X Window service, that require hardware-dependent configuration files. An scConfigFileTemplate object contains the configuration file data that a Point of Service terminal needs to run a given service. This element can also exist under scCashRegister objects.

For information on adding this object class to the LDAP directory, see Section 4.6.2.4, “Adding an scConfigFileTemplate Object”.

Table 11.9: scConfigFileTemplate

  Name                Type              Description
  cn                  must              Name of configuration file
  scBsize             must,singlevalue  Block size for the TFTP download of the system image. Minimum 4096 for image size up to 128MB, maximum 65464 for image size up to 2GB
  scConfigFile        must,multivalue   File name of configuration file
  scConfigFileData    must,singlevalue  Content of the configuration file, automatically filled by posAdmin
  scMust              must,singlevalue  Enable or disable the configuration file. (TRUE or FALSE)
  description         may
  scConfigFileParser  may,singlevalue   Name of parserFunction to apply
  scConfigMd5         may,singlevalue   The MD5 checksum value of the configuration file, automatically generated by posAdmin

11.5.6 scPxeFileTemplate

The scPxeFileTemplate object is used to specify command line options for selected terminals. This object can be placed in the same position as scConfigFileTemplate and scConfigFileSyncTemplate (typically under the scCashRegister object). It has the following attributes:

Table 11.10: scPxeFileTemplate

Name | Type | Description
cn | must | Name of the PXE template
scKernelParameters | must,singlevalue | Kernel parameters to append, for use in a custom PXE boot file
scMust | must,singlevalue | Enable or disable the configuration file (TRUE or FALSE)
description | may |

11.5.7 scDistributionContainer

An scDistributionContainer is a container for the distribution of sets of images. A distribution set is a collection of images designed for Point of Service terminals on a given version of the Linux kernel. The Default distribution container references the current version of the kernel included in SUSE Linux Enterprise Point of Service.

Table 11.11: scDistributionContainer

Name | Type | Description
cn | must | Common name of this object, from the first part of the DN
scInitrdName | must,singlevalue | File name of the initrd.gz placed in the /boot directory
scKernelName | must,singlevalue | File name of the kernel placed in the /boot directory
scKernelExpression | may,singlevalue | Expression used to match the scKernelVersion string against uname
scKernelMatch | may,singlevalue | Rule for matching scKernelVersion with the uname result. Valid values are MATCH_VERSION, MATCH_ALL and MATCH_EXPRESSION
scKernelVersion | may,singlevalue | Version string written to the configuration file to indicate the version of this kernel

The default scDistributionContainer has scKernelName=linux and scInitrdName=initrd.gz. If a distribution container is created with either one of those two names different, a specific PXE file is then created under /srv/tftpboot/boot/pxelinux.cfg when a terminal registers. (See also Section 10.6, “Specifying Kernel Command Line Options for Selected Terminals”.) This ensures that the specific kernel and initrd get properly loaded.

11.5.8 scHarddisk

An scHarddisk object describes the configuration of the hard disk of a Point of Service terminal. For information on adding this object class, refer to Section 4.6.2.3, “Adding an scHarddisk Object”.

Table 11.12: scHarddisk

Name | Type | Description
cn | must | Common Name
scDevice | must,multivalue | The name of the device, e.g. eth0, /dev/hda, /dev/hda1, ...
scHdSize | may,singlevalue | Size of the hard disk in MB
scPartitionsTable | may,singlevalue,deprecated in favor of scPartition | A semicolon-separated (;) list of partition entries. Each entry consists of three space-separated parameters: the size in megabytes, the partition type ID (82 or S for swap, 83 or L for a Linux partition), and the mount point. If the mount point equals /, the partition is assumed to be the root partition; x means no mount point (for example for swap). For the last partition, the size can be specified as x, which results in all remaining available space being used.

11.5.9 scHardware

An scHardware object references a standard PC hardware type and the server hardware.

Table 11.13: scHardware

Name | Type | Description
cn | must | Common name of this object, from the first part of the DN
scDhcpOptionsRemote | may,singlevalue | The boot option of the Point of Service terminal. The mandatory value is /boot/pxelinux.0
scPosDeltaImageDn | may,multivalue,deprecated | DN of the delta image for a Point Of Service terminal
scPosImageDn | may,singlevalue | The DN of the default system image defined for this Point of Service terminal type
scRefMonitorDn | may,singlevalue | DN of the monitor type
scRefPcDn | may,singlevalue | DN of the PC hardware type
scRefServerDn | may,singlevalue | DN of a scRefServer
scSUSEManager | may,singlevalue | SUSE Manager address (FQDN or IP address)

11.5.10 scLocation

An scLocation object represents a branch office, which is a site where a Branch Server and Point of Service terminals are located. Location containers are used to store information about the deployed Point of Service terminals and the Branch Servers. This and all other information that can be modified at the Branch Server should be stored or referenced in the Location containers to limit the need to grant write privileges to subtrees.

For information on adding this object class to the LDAP directory, see Section 4.6.1.2, “Adding an scLocation Object”.

Table 11.14: scLocation

Name | Type | Description
cn | must | Name of the Location or Branch
ipNetmaskNumber | must | Local network mask
ipNetworkNumber | must | Local network number
scDefaultGw | must,multivalue | IP address of the default gateway for the location. This is normally a router to the corporate wide area network.
scDhcpExtern | must,singlevalue | Allow an external DHCP server to be used instead of setting up one on the Branch Server (TRUE or FALSE, default FALSE)
scDhcpFixedRange | must,singlevalue | The fixed IP address range of the DHCP server reserved for the Point of Service terminals. Comma-separated value pair, e.g. 192.168.1.55, 192.168.1.88
scDhcpRange | must,singlevalue | The dynamic IP address range of the DHCP server. This is needed to register the Point of Service terminals. Comma-separated value pair, e.g. 192.168.1.10, 192.168.1.54
scDynamicIp | must,singlevalue | Enable or disable registration of new terminals on the Branch Server when scDhcpExtern is set to FALSE (TRUE or FALSE, default TRUE)
scEnumerationMask | must,singlevalue | Enumeration mask for Point Of Service terminals and printers, e.g. 000 or 00 (default 000)
scWorkstationBaseName | must,singlevalue | The base name of the Point of Service terminals, used to create a unique name for each terminal in combination with the scDhcpFixedRange attribute and scEnumerationMask (default CR)
userPassword | must | Branch access password to the central LDAP database and/or SUSE Manager
associatedDomain | may | DNS domain name
scAllowGlobalRoles | may,singlevalue | Allow roles outside of this branch (TRUE or FALSE, default FALSE)
scAllowRoles | may,singlevalue | If TRUE and scAllowGlobalRoles is TRUE, the role-based mode and all roles are enabled. If TRUE and scAllowGlobalRoles is FALSE, the role-based mode is enabled, but only roles under this branch are used. If FALSE, roles are not enabled. (TRUE or FALSE, default FALSE)
scDnsDn | may,multivalue | DN of a scRefServer
scDnsMapFunc | may,multivalue | DNS mapping function (NONE, DIRECT or TRANSFORM:regexp)
scIdPool | may,multivalue | Set of possible Point Of Service terminal IDs
scIpMapFunc | may,multivalue | IP mapping function (NONE, DIRECT or TRANSFORM:regexp)
scLdapDn | may,multivalue | DN of a scRefServer
scLocked | may,singlevalue,deprecated | 0 or the time when the DB was locked; set by the SUSE Linux Enterprise Point of Service tools, DO NOT set manually
scPrinterBaseName | may,singlevalue,deprecated | The base name of the Point of Service printers, used to create a unique name for each printer in combination with the scDhcpFixedRange attribute and scEnumerationMask
scSynchronizedImagesDn | may,multivalue | Images and CashRegister DNs to be automatically synchronized from the Administration Server

Table 11.15: Attributes for scLocation elements

--scDnsMapFunc (may)

If it contains NONE or is empty, the terminal DNS name is independent of the ID; the old scheme is used (CR01, CR02, ...).

If it contains DIRECT, the ID is used as the DNS name (unsupported characters are removed).

If it contains TRANSFORM:regexp, the regexp is applied to the ID and the $ result is used as the DNS name.

--scIpMapFunc (may)

If it contains NONE or is empty, the terminal IP is independent of the ID; a value from a fixed range is used.

If it contains DIRECT, the first numeric value contained in the ID is extracted and used to compute the terminal IP address. The value can be a 32-bit numeric value, which is then OR-ed with the network address to get the terminal IP. For example, if the network address is 192.168.0.0/16 and the value is 257, the result is 192.168.1.1. It is also possible to extract either the complete IP address (in the 192.168.0.1 format) or the IP without the network address (1.1).

If it contains TRANSFORM:perl_regexp, the regexp is used to extract a numeric value used to compute the terminal IP address. It does not have to be the first number contained in the ID. The value can be a 32-bit numeric value, which is then OR-ed with the network address to get the terminal IP. For example, if the network address is 192.168.0.0/16 and the value is 257, the result is 192.168.1.1. It is also possible to use the regexp to extract either a complete IP address (in the 192.168.0.1 format) or an IP without the network address (1.1).

For example, transform:IP([0-9.]+) extracts the IP part from ID workplace17-IP192.168.20.30. The resulting IP address is 192.168.20.30. It can be added to LDAP with this posAdmin argument:

--scIpMapFunc 'transform:IP([0-9.]+)'

The IDs in the pool must be selected so they don't conflict with Branch Server address, static (scDhcpFixedRange) and dynamic ranges (scDhcpRange), etc.
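As an added example (not posAdmin or SLEPOS code), the following Python models the scIpMapFunc rules above, NONE, DIRECT and TRANSFORM:regexp, and then checks the mapped address against the Branch Server address, scDhcpRange and scDhcpFixedRange as the paragraph above requires. It assumes Python's re in place of the Perl regexp and that a partial dotted value such as 1.1 is right-aligned into the host part; the network and the ranges are constructed samples.

```python
import ipaddress
import re

# Added example, not posAdmin or SLEPOS code. Models the scIpMapFunc rules
# (NONE, DIRECT, TRANSFORM:regexp) and the conflict check on the mapped address.

NETWORK = ipaddress.IPv4Network("192.168.0.0/16")   # constructed sample branch network


def value_to_int(token: str) -> int:
    """Turn the extracted token into a 32-bit number."""
    # A plain number is used as-is. A dotted value is right-aligned to four octets,
    # so "1.1" becomes 0.0.1.1 (assumption about the "IP without the network
    # address" case) and a full 192.168.0.1 is used unchanged.
    if "." not in token:
        value = int(token)
    else:
        octets = [int(o) for o in token.strip(".").split(".")]
        if len(octets) > 4 or any(o > 255 for o in octets):
            raise ValueError(f"not a dotted IPv4 value: {token}")
        value = int.from_bytes(bytes([0] * (4 - len(octets)) + octets), "big")
    if value > 0xFFFFFFFF:
        raise ValueError(f"value {token} does not fit in 32 bits")
    return value


def map_ip(func: str, terminal_id: str, network=NETWORK):
    """Apply an scIpMapFunc value to a terminal ID; None means use scDhcpFixedRange."""
    kind, _, regexp = func.partition(":")
    kind = kind.upper()
    if kind in ("", "NONE"):
        return None
    if kind == "DIRECT":                 # first numeric value in the ID, dotted or not
        match = re.search(r"[0-9]+(?:\.[0-9]+)*", terminal_id)
    elif kind == "TRANSFORM":            # Python re stands in for the Perl regexp
        match = re.search(regexp, terminal_id)
    else:
        raise ValueError(f"unknown scIpMapFunc {func!r}")
    if match is None:
        raise ValueError(f"no value found in terminal ID {terminal_id!r}")
    value = value_to_int(match.group(1) if match.groups() else match.group(0))
    addr = ipaddress.IPv4Address(int(network.network_address) | value)
    if addr not in network:              # the value set bits outside the host part
        raise ValueError(f"{addr} is outside {network}")
    return addr


def parse_range(pair: str):
    """Parse the 'first, last' value pair used by scDhcpRange and scDhcpFixedRange."""
    first, last = (ipaddress.IPv4Address(p.strip()) for p in pair.split(","))
    return first, last


def conflicts(addr, branch_server: str, dhcp_range: str, fixed_range: str, network=NETWORK):
    """Return the reasons a mapped address must not be given to a terminal."""
    reasons = []
    if addr in (network.network_address, network.broadcast_address):
        reasons.append("network or broadcast address")
    if addr == ipaddress.IPv4Address(branch_server):
        reasons.append("Branch Server address")
    for name, pair in (("scDhcpRange", dhcp_range), ("scDhcpFixedRange", fixed_range)):
        first, last = parse_range(pair)
        if first <= addr <= last:
            reasons.append(f"inside {name}")
    return reasons
```

With the page's own example, map_ip("transform:IP([0-9.]+)", "workplace17-IP192.168.20.30") yields 192.168.20.30, and conflicts() reports an empty list for it against the sample ranges.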

11.5.11 scNetworkcard

An scNetworkcard object stores the configuration for a Branch Server network interface card.

Table 11.16: scNetworkcard

Name | Type | Description
ipHostNumber | must | IP address
scDevice | must,multivalue | The name of the device, e.g. eth0, /dev/hda, /dev/hda1, ...
ipNetmaskNumber | may | Netmask
macAddress | may,multivalue | MAC address in full, colon-separated hex notation, e.g. 00:00:92:90:EE:F2
scModul | may,singlevalue,deprecated | The name of the Linux kernel module for the network interface card
scModulOption | may,singlevalue,deprecated | The module options for the network interface card, passed to the kernel

11.5.12 scPosImage

The Image Reference object stores information about an image stored on the Administration Server. By default, an Image Reference object is created for the Minimal client image. For information on adding this object class to the LDAP directory, see Section 4.6.2.6, “Adding an scPosImage Object”.

Table 11.17: scPosImage

Name | Type | Description
cn | must | Common name of this object, from the first part of the DN
scBsize | must,singlevalue | Block size for the TFTP download of the system image. Minimum 4096 for an image size up to 128 MB, maximum 65464 for an image size up to 2 GB
scDhcpOptionsLocal | must,singlevalue | Additional DHCP options for local boot
scDhcpOptionsRemote | must,singlevalue | The boot option of the Point of Service terminal. The mandatory value is /boot/pxelinux.0
scImageFile | must,singlevalue | File name of the image, e.g. mydesktop.arch
scImageName | must,singlevalue | The name of the system image, for example mydesktop
scConfigFile | may,multivalue | File name of the configuration file
scPosImageVersion | may,multivalue,deprecated in favor of scImageVersion | The version number of the system image, followed by the flag passive or active, for example 2.0.4; active. The version number and the flag are semicolon-separated (;)

11.5.13 scRamDisk

An scRamDisk object represents the configuration of a Point of Service terminal RAM disk.

For information on adding this object class to the LDAP directory, see Section 4.6.2.2, “Adding an scRamDisk Object”.

Table 11.18: scRamDisk

Name | Type | Description
cn | must | Common Name
scDevice | must,multivalue | The name of the device, e.g. eth0, /dev/hda, /dev/hda1, ...

11.5.14 scRefObjectContainer

Global (scRefObjectContainer, cn=global): All globally valid information for a chain or company—that is server hardware, Point of Service hardware, or client images—is stored in the Global container of the class scRefObjectContainer in the form of reference objects. These reference objects are linked to the actual entries for the Point of Service terminals and servers in the branches using unique names.

The initial LDAP structure after installation includes only one scRefObjectContainer named global under the directory root. Other scRefObjectContainer objects can be added as needed. However, scRefObjectContainer objects should always have cn=global and appear only once per directory level. This provides great flexibility. For example, each server can be assigned its own reference objects and therefore its own hardware types. On the other hand, if all the servers have the same hardware, a unified standard can be defined in the global container on the regional or organizational level.

Table 11.19: scRefObjectContainer

Name | Type | Description
cn | must | Name of the scRefObjectContainer
description | may | Container description

11.5.15 scServerContainer

Server Container (scServerContainer): A container for all the Branch Server objects for a given site. The information pertaining to the Branch Servers is stored in the Server container.

To provide system redundancy and failover, there can be multiple Branch Servers for each site.

For information on adding this object class to the LDAP directory, see Section 4.6.1.3, “Adding an scServerContainer and scBranchServer Objects”.

Table 11.20: scServerContainer

Name | Type | Description
cn | must | Name of the server container

11.5.16 scService

scService contains the configuration for Branch Server services like DNS, TFTP, or DHCP.

For information on adding this object class to the LDAP directory, see Section 4.6.1.3, “Adding an scServerContainer and scBranchServer Objects”.

Table 11.21: scService

Name | Type | Description
cn | must | Name of the service
scDnsName | must,multivalue | The name of the entry in the DNS table under which the service is available
scServiceName | must,multivalue | Name of the service. Supported services are DNS, DHCP, TFTP, FTP and posleases
scServiceStartScript | must,singlevalue | File name of the init script in /etc/init.d
scServiceStatus | must,singlevalue | Enable the service (TRUE or FALSE, default TRUE)
ipHostNumber | may | Listening IP address for the service
scDhcpDynLeaseTime | may,singlevalue | DHCP service specific. Lease time for dynamic leases (first boot) (default 300)
scDhcpFixedLeaseTime | may,singlevalue | DHCP service specific. Lease time for fixed leases (final registration) (default 14400)
scPosleasesChecktime | may,singlevalue | posleases service specific. How long posleases2ldap pauses before checking uploads (seconds)
scPosleasesMaxNotify | may,singlevalue | posleases service specific. Maximum number of booted image notifications (maximum number of scNotifiedImage entries)
scPosleasesTimeout | may,singlevalue | posleases service specific. How often posleases2ldap updates its internal cache (seconds)
scServiceEmail | may,multivalue | E-mail address the service should send mail to

Note
Note: IP address of TFTP service

During Branch Server initialization, the TFTP configuration file (/etc/sysconfig/atftpd) takes the IP address of the TFTP service from the ipHostNumber of the TFTP scService object, and not simply from the IP address of the Branch Server.

11.5.17 scWorkstation

The Workstation object stores information for a specific Point of Service terminal. Using information from the Hardware Reference object (scCashRegister) and Image Reference object (scPosImage), posleases2ldap automatically creates a Workstation object in the LDAP directory for every Point of Service terminal that registers on the Branch Server. For information on this process, see Section 6.3.3, “The hwtype.MAC.HASH File”.

Table 11.22: scWorkstation

Name | Type | Description
cn | must | Name of the workstation
ipHostNumber | may | Assigned IP address
macAddress | may,multivalue | MAC address in full, colon-separated hex notation, e.g. 00:00:92:90:EE:F2
scAllowedRolesDn | may,multivalue | DNs of allowed roles. If empty, all roles are permitted
scConfigFileDn | may,multivalue | Reference to a configuration type object (scConfigFileTemplate, scConfigFileSyncTemplate, scPxeFileTemplate)
scConfigUpdate | may,singlevalue | Indicates that configuration files should be updated on the next boot (TRUE or FALSE)
scDiskJournal | may,singlevalue | Turn on disk journaling. This only takes effect on diskful systems (TRUE or FALSE)
scId | may,multivalue | Contains the ID assigned to the Point Of Service terminal
scImageVersion | may,singlevalue | Image version in the format yyyymmddserial
scLastBootTime | may,singlevalue | Linux (epoch) time of the last terminal boot detected by the Branch Server
scNotifiedImage | may,multivalue | Contains the image and version, the time of notification, and the md5sum of the associated config.MAC file, separated by semicolons
scPosDeltaImageDn | may,multivalue,deprecated | DN of the delta image for a Point Of Service terminal
scPosGroupDn | may,multivalue,deprecated | DN of a CR group
scPosImageDn | may,singlevalue | The DN of the default system image defined for this Point Of Service terminal type
scPosImageVersion | may,multivalue,deprecated in favor of scImageVersion | The version number of the system image, followed by the flag passive or active, for example 2.0.4; active. The version number and the flag are semicolon-separated (;)
scPosRegisterBiosVersion | may,singlevalue | BIOS version of the Point Of Service terminal
scPosRegisterType | may,singlevalue | Cash Register type associated with the Point Of Service terminal
scRefPcDn | may,singlevalue | DN of the PC hardware type
scRoleBased | may,singlevalue | Whether the Point Of Service terminal uses roles (TRUE or FALSE)
scRoleDn | may,multivalue | DN of the role assigned to the Point Of Service terminal
scSerialNumber | may,singlevalue,deprecated | Serial number of the workstation
scStandardPrinter | may,multivalue,deprecated | Name of the standard printer
scStandardPrinterDn | may,singlevalue,deprecated | DN of the standard printer for a location or workstation
userPassword | may |

11.5.18 scRole

The scRole object stores information about specific roles.

Table 11.23: scRole

Name | Type | Description
cn | must | Common name of this object, from the first part of the DN
scRoleName | must,singlevalue | Name of the role, displayed in the list on the Point Of Service terminal
scAllowedHwTypes | may,multivalue | Allow the role to be used only with the given hardware types
scDiskJournal | may,singlevalue | Turn on disk journaling. This only takes effect on diskful systems (TRUE or FALSE)
scRoleDescription | may,multivalue | Description of the role, displayed in the list on the Point Of Service terminal

11.5.19 scImageVersion

The scImageVersion object replaces the scPosImageVersion attribute of the scPosImage object. The scImageVersion supports more features, such as encrypted images.

Table 11.24: scImageVersion

Name | Type | Description
scVersion | must,singlevalue | Image version number (x.y.z format)
scDisabled | may,singlevalue | Enables or disables this version for registration (TRUE or FALSE)
scPassword | may,singlevalue | Image or partition password. For a partition password, * means that a random password is generated at each boot, which is useful for swap partitions

11.5.20 scPartition

The scPartition replaces the scPartitionsTable attribute of the scHarddisk object. The scPartition supports more features, such as encrypted partitions.

Table 11.25: scPartition

Name | Type | Description
scPartNum | must,singlevalue | Defines the order of partitions (not the partition number shown by fdisk; the real partition number is determined by KIWI during terminal boot)
scPartType | must,singlevalue | The type of partition (82 or S for swap, 83 or L for a Linux partition)
description | may | Partition description
scPartMount | may,singlevalue | The mount point of the partition. Use / for the root partition and x for a partition without a mount point (for example a swap partition)
scPartSize | may,singlevalue | Size of the partition in (binary) megabytes. For the last partition, the size can be specified as x, which results in all remaining available space being used
scPassword | may,singlevalue | Image or partition password. For a partition password, * means that a random password is generated at each boot, which is useful for swap partitions
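As an added example (not posAdmin code), this Python parser reads a deprecated scPartitionsTable string as described under scHarddisk in Section 11.5.8, validates it against that format, and produces the per-partition scPartNum, scPartType, scPartMount and scPartSize values that the scPartition object above carries instead. The sample table, the fits_disk check against scHdSize and the single-root rule are assumptions of this example.

```python
# Added example, not posAdmin code. Parses the deprecated scPartitionsTable
# string ("size type mountpoint;...") into the values that the scPartition
# attributes scPartNum, scPartType, scPartMount and scPartSize carry instead.

TYPE_CODES = {"82": "82", "S": "82", "83": "83", "L": "83"}   # swap / Linux partition


def parse_partitions_table(table: str):
    """Return one dict per partition in scPartNum order; raise ValueError on bad input."""
    entries = [e.strip() for e in table.split(";") if e.strip()]
    if not entries:
        raise ValueError("empty scPartitionsTable")
    partitions, root_count = [], 0
    for num, entry in enumerate(entries, start=1):
        fields = entry.split()
        if len(fields) != 3:
            raise ValueError(f"entry {num}: expected 'size type mountpoint', got {entry!r}")
        size, ptype, mount = fields
        if ptype.upper() not in TYPE_CODES:
            raise ValueError(f"entry {num}: type must be 82/S (swap) or 83/L (Linux)")
        if size.lower() == "x":               # only the last partition may take the rest
            if num != len(entries):
                raise ValueError(f"entry {num}: only the last partition may use size x")
            part_size = "x"
        elif size.isdigit() and int(size) > 0:
            part_size = int(size)             # binary megabytes
        else:
            raise ValueError(f"entry {num}: size must be a positive number of MB or x")
        if mount == "/":
            root_count += 1
        elif mount != "x" and not mount.startswith("/"):
            raise ValueError(f"entry {num}: mount point must be absolute or x")
        partitions.append({"scPartNum": num, "scPartType": TYPE_CODES[ptype.upper()],
                           "scPartMount": mount, "scPartSize": part_size})
    if root_count != 1:                       # assumption beyond the page: one root partition
        raise ValueError("exactly one partition must be mounted at /")
    return partitions


def fits_disk(partitions, sc_hd_size_mb: int) -> bool:
    """Check the fixed-size partitions against the scHarddisk scHdSize value (MB)."""
    fixed = sum(p["scPartSize"] for p in partitions if p["scPartSize"] != "x")
    return fixed <= sc_hd_size_mb


if __name__ == "__main__":
    # Constructed sample: 1 GB swap, 4 GB root, remaining space for /data
    layout = parse_partitions_table("1024 S x;4096 L /;x 83 /data")
    for part in layout:
        print(part)
    print("fits an 8 GB disk:", fits_disk(layout, 8192))
```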
