= Accounts, Roles, and Groups Utilized by UPDATE, EDIR, and AUTHSERV =

Original Author: Beth Mercer - 20081114

The following accounts are utilized in some manner by UPDATE, EDIR, or AUTHSERV batch processing or the web gateway(s). They are grouped by category: directory or registry.

== IPLANET ACCOUNTS/ROLES/ACIS ==

=== iPlanet Accounts ===

* uid=edirbatch03,ou=resource,dc=alaska,dc=edu
: credentials utilized by the UPDATE interface for batch processing
* uid=edirgw03,ou=resource,dc=alaska,dc=edu
: credentials utilized by the EDIR web gateway for "anonymous" access
* uid=edirpriv03,ou=resource,dc=alaska,dc=edu
: credentials utilized by the EDIR web gateway to access privileged information that is not expected to be visible to "anonymous" access but is needed for functions like the "This is me! Log In" link
* uid=authserv03,ou=resource,dc=alaska,dc=edu
: credentials utilized by the AUTHSERV web gateway
* uid=authpriv03,ou=resource,dc=alaska,dc=edu
: credentials utilized by the AUTHSERV web gateway to access privileged information
* uid=updategw03,ou=resource,dc=alaska,dc=edu
: credentials utilized by the UPDATE back end to access privileged information and perform privileged tasks

Note: Most likely, AUTHSERV needs only one set of credentials.

=== iPlanet Roles ===

* cn=directoryGatewayRole,ou=people,dc=alaska,dc=edu
* cn=directoryGatewayRole,ou=resource,dc=alaska,dc=edu
: roles associated with ACIs allowing gateway access to non-privileged information
* cn=directoryPrivilegedRole,ou=people,dc=alaska,dc=edu
* cn=directoryPrivilegedRole,ou=resource,dc=alaska,dc=edu
: roles associated with ACIs allowing gateway access to privileged information
* cn=authserviceRole,ou=people,dc=alaska,dc=edu
* cn=authserviceRole,ou=resource,dc=alaska,dc=edu
: roles associated with ACIs allowing gateway access to non-privileged information
* cn=authservicePrivilegedRole,ou=resource,dc=alaska,dc=edu
* cn=authservicePrivilegedRole,ou=people,dc=alaska,dc=edu
: roles associated with ACIs allowing gateway access to privileged information (future)
* cn=superUserRole,ou=resource,dc=alaska,dc=edu
: role associated with ACIs allowing the update back end access to privileged information

=== iPlanet ACIs ===

* EDIRGWANYCOMPARE
* EDIRGWANYREAD
* EDIRGWEMPREAD
* EDIRGWSTUREAD
: ACIs that provide the non-privileged gateway role with read access to non-privileged information
* EDIRGWCOMPARE
* EDIRGWEMPCOMPARE
* EDIRGWSTUCOMPARE
: ACIs that provide the privileged gateway role the ability to ask true/false questions about attributes that are not otherwise visible
* EDIRGWPRIVREAD
: ACIs that provide the privileged gateway role with read access to privileged information
* AUTHSERVICEREAD
: ACIs that provide the non-privileged authservice role with read access to non-privileged information
* AUTHSERVICEPRIVCOMPARE
: ACIs that provide the privileged gateway role the ability to ask true/false questions about attributes that are not otherwise visible
* AUTHSERVICEPRIVREAD
: ACIs that provide the privileged authservice role with read access to privileged information (future)
* SUADDDEL (future)
* SUDENYREADSEARCHCOMPARE (future)
* SUDENYWRITE (future)
* SUREADWRITE
: ACIs that provide (or deny) the privileged superuser role with read/write access to privileged information
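The read-versus-compare distinction above, written out in iPlanet/Sun Directory Server ACI syntax as an added illustration; this is not the directory's actual ACI text, the target attributes (cn, mail, telephoneNumber, userPassword) are assumed placeholders, and the ACI names and role DNs are the ones listed on this page.

```ldif
# Added illustration, not the production ACIs. Target attributes are assumed.
dn: ou=people,dc=alaska,dc=edu
changetype: modify
add: aci
# Non-privileged gateway role: may read and search ordinary attributes.
aci: (targetattr = "cn || mail || telephoneNumber")
 (version 3.0; acl "EDIRGWANYREAD"; allow (read,search)
 roledn = "ldap:///cn=directoryGatewayRole,ou=people,dc=alaska,dc=edu";)
-
add: aci
# Privileged gateway role: compare only. The server answers true/false for an
# asserted value; the attribute itself is never returned in a search result.
aci: (targetattr = "userPassword")
 (version 3.0; acl "EDIRGWCOMPARE"; allow (compare)
 roledn = "ldap:///cn=directoryPrivilegedRole,ou=people,dc=alaska,dc=edu";)
```

Compare-only access still discloses one bit per request, so a high rate of compare operations from the privileged gateway bind DN is worth logging and reviewing.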
== UNIX ACCOUNTS/GROUPS ==

=== Directory Servers ===

==== account: ldapgw ====

UNIX account owning CGI scripts representing the EDIR/AUTHSERV web gateways.

* member of group ldapgw (primary group)
* member of group edirgw (used to expose password files to nobody during CGI script execution)
** any files opened during execution of CGI scripts
** /logs directory where output is written
* member of group other
* member of group UA_Korn (on toklat only)
* .shosts file must allow access by
** iplanet
* ldapgw must be listed in the ~ua?synch/.shosts file to facilitate transfer of UA? specific "style" elements utilized by EDIR/AUTHSERV

==== account: sxldap ====

UNIX account owning CGI scripts representing the UPDATE back end gateway.

* Group Membership
** member of group updategw (primary group)
** member of group edirgw (used to expose password files to nobody during CGI script execution)
*** any files opened during execution of CGI scripts
*** /logs directory where output is written
** member of group other
** member of group UA_Korn (on toklat and summit only)
* .shosts file must allow access by
** iplanet

==== account: iplanet ====

UNIX account owning iPlanet directory and web update processes.

* Directory Locations
** ~iplanet/EDIR[TEST|PREP|PROD]/
** ~iplanet/AUTH[TEST|PREP|PROD]/
* All directory maintenance related source code is stored under this account
** ~iplanet/local/ldap/
* .shosts file must allow access by
** sxldap
* Group membership
** iplanet (primary group)
** other
** edirgw (associated with files visible to all parties supporting gateways)
** updategw (associated with password files read by CGI scripts)
*** any files opened during execution of CGI scripts
*** /ldap/web/log directory where output is written

==== account: nobody ====

UNIX account under which Apache httpd processes are started and under which EDIR CGI scripts are executed via the web.

* member of group nobody (primary group)
* member of group edirgw (facilitate reading of password files read by CGI scripts)
* member of group updategw (facilitate reading of password files read by CGI scripts)

==== account: ua?synch ====

UNIX accounts under which UAA specific "style" elements are maintained for test and preproduction EDIR/AUTHSERV.

* ~ua?synch/[TEST|PREP]/
* Note: Production "style" elements are copied from preproduction to the gateway directories; no reliance on links.
* .shosts file must allow access by
** iplanet (may become obsolete with gw ownership change)
** ldapgw
* member of group other (primary group)
* member of group edirsynch (facilitate transfer of LDIF to the uaasynch account)

==== group: iplanet ====

default group of the iplanet account

==== group: ldapgw ====

default group of the ldapgw account

==== group: updategw ====

group used by iplanet to expose files that must be visible to 'nobody'
: (future) group used by sxldap to expose files that must be visible to 'nobody' (owner of Apache processes) when executing update process CGI scripts

==== group: edirgw ====

group used by ldapgw to expose files that must be visible to 'nobody' (owner of Apache processes) when executing gateway CGI scripts

=== Registry Servers ===

==== account: oracle ====

UNIX account owning oracle processes on registry servers where DBMS_FILE is used in LDIF generation. oracle owns the resulting files and must change the file permissions before the files can be copied by the registry account.

* member of group SWLDAP (facilitate change of owner on EDIR LDIF)

==== account: sxldap ====

UNIX account under which EDIR Banner Extract processing occurs and from which registry generated LDIF originates.

* All EDIR registry related source code is stored under this account
** summit:~sxldap/local/ldap/
* sxldap must be listed in the ~iplanet/.shosts file to facilitate transfer and application of registry generated LDIF
* member of group SWLDAP (primary group)
* member of group UA_Korn

==== group: SWLDAP ====

group used to share output of registry database batch processes where output is owned by oracle and written to /tmp

== ORACLE ACCOUNTS/ROLES ==

=== account: OPS$SXLDAP ===

Oracle schema owning the EDIR registry and performing EDIR Banner Extract processing.

* granted role CONNECT
* granted role LDAP_ROLE (role to which oracle SYS privs are granted)

Note: Table grants are made directly to the OPS$SXLDAP account, which in turn creates objects referencing those accounts. See the following files on toklat: /ODS/product/PROD/bin/grant_*_to_sxldap.sql

=== account: EDIR_GATEWAY ===

Oracle schema granted execute and select privilege on OPS$SXLDAP owned registry procedures and views.

* granted role EDIR_ROLE

=== role: EDIR_ROLE ===

Oracle role to which ops$sxldap can grant privileges so that EDIR_GATEWAY has access.

Note: Historically, all grants on OPS$SXLDAP objects are made to EDIR_GATEWAY via the SQL source scripts for creating the objects. We haven't been utilizing the role. See summit:~sxldap/local/ldap/registry/*.sql

== CHANGE HISTORY ==

* 20071031 elm added section about oracle_[en|dis]able_updates.ksh scripts
* 20081114 elm added reference to credentials, roles, ACIs soon to be associated with update back end under sxldap ownership rather than iplanet ownership