= Accounts, Roles, and Groups Utilized by UPDATE, EDIR, and AUTHSERV =

Original Author: Beth Mercer - 20081114

The following accounts are utilized in some manner by UPDATE, EDIR, or AUTHSERV batch processing or the web gateway(s). They are grouped by category: directory or registry.

== IPLANET ACCOUNTS/ROLES/ACIS ==

=== iPlanet Accounts ===

 * uid=edirbatch03,ou=resource,dc=alaska,dc=edu - credentials utilized by the UPDATE interface for batch processing
 * uid=edirgw03,ou=resource,dc=alaska,dc=edu - credentials utilized by the EDIR web gateway for "anonymous" access
 * uid=edirpriv03,ou=resource,dc=alaska,dc=edu - credentials utilized by the EDIR web gateway to access privileged information that is not expected to be visible to "anonymous" access but is needed for functions like the "This is me! Log In" link
 * uid=authserv03,ou=resource,dc=alaska,dc=edu - credentials utilized by the AUTHSERV web gateway
 * uid=authpriv03,ou=resource,dc=alaska,dc=edu - credentials utilized by the AUTHSERV web gateway to access privileged information
 * uid=updategw03,ou=resource,dc=alaska,dc=edu - credentials utilized by the UPDATE back end to access privileged information and perform privileged tasks

'''Note:''' Most likely, AUTHSERV needs only one set of credentials.
=== iPlanet Roles ===

Each role is defined once under ou=people and once under ou=resource because a directory server role only applies to entries in the subtree beneath the role's parent; the gateway accounts that bind live under ou=resource, while the entries the ACIs protect live under ou=people.

 * cn=directoryGatewayRole,ou=people,dc=alaska,dc=edu
 * cn=directoryGatewayRole,ou=resource,dc=alaska,dc=edu
   * roles associated with ACIs allowing gateway access to non-privileged information
 * cn=directoryPrivilegedRole,ou=people,dc=alaska,dc=edu
 * cn=directoryPrivilegedRole,ou=resource,dc=alaska,dc=edu
   * roles associated with ACIs allowing gateway access to privileged information
 * cn=authserviceRole,ou=people,dc=alaska,dc=edu
 * cn=authserviceRole,ou=resource,dc=alaska,dc=edu
   * roles associated with ACIs allowing gateway access to non-privileged information
 * cn=authservicePrivilegedRole,ou=resource,dc=alaska,dc=edu
 * cn=authservicePrivilegedRole,ou=people,dc=alaska,dc=edu
   * roles associated with ACIs allowing gateway access to privileged information (future)
 * cn=superUserRole,ou=resource,dc=alaska,dc=edu
   * role associated with ACIs allowing the update back end access to privileged information

=== iPlanet ACIs ===

 * EDIRGWANYCOMPARE
 * EDIRGWANYREAD
 * EDIRGWEMPREAD
 * EDIRGWSTUREAD
   * ACIs that provide the non-privileged gateway role with read access to non-privileged information
 * EDIRGWCOMPARE
 * EDIRGWEMPCOMPARE
 * EDIRGWSTUCOMPARE
   * ACIs that provide the privileged gateway role the ability to ask true/false questions (LDAP compare) about attributes that are not otherwise visible to it
 * EDIRGWPRIVREAD
   * ACI that provides the privileged gateway role with read access to privileged information
 * AUTHSERVICEREAD
   * ACI that provides the non-privileged authservice role with read access to non-privileged information
 * AUTHSERVICEPRIVCOMPARE
   * ACI that provides the privileged authservice role the ability to ask true/false questions (LDAP compare) about attributes that are not otherwise visible to it
 * AUTHSERVICEPRIVREAD
   * ACI that provides the privileged authservice role with read access to privileged information
 * SUADDDEL (future)
 * SUDENYREADSEARCHCOMPARE (future)
 * SUDENYWRITE (future)
 * SUREADWRITE (future)
   * ACIs that provide (or deny) the privileged superuser role read/write access to privileged information

Compare rights are narrower than read rights, but they are not harmless: a caller that can compare an attribute can confirm a guessed value, so a low-entropy attribute exposed only by compare is still enumerable by a caller holding the privileged credentials.

== UNIX GROUPS AND MEMBER ACCOUNTS ==

=== Directory Server Groups ===

Accounts associated with these groups are italicized.

==== group: iplanet ====

Default group of the //iplanet// account.

==== group: ldapgw ====

Default group of the //ldapgw// account.

==== group: updategw ====

 * Group used by //iplanet// to expose files that must be visible to //nobody//
 * Group used by //sxldap// to expose files that must be visible to //nobody//
 * Group under which the Apache processes run when executing update process CGI scripts

==== group: edirgw ====

 * Group used by //ldapgw// to expose files that must be visible to //nobody//
 * Group under which the Apache processes run when executing gateway CGI scripts

=== Directory Server Accounts ===

==== account: //ldapgw// ====

UNIX account owning the CGI scripts representing the EDIR/AUTHSERV web gateways.

 * Group Membership
   * ldapgw - primary group
   * edirgw
     * exposes password files to //nobody// during CGI script execution via group membership
     * any files opened during execution of CGI scripts
     * /logs directory where output is written
   * other
   * UA_Korn (on toklat only)
 * .shosts file must allow access by
   * <> iplanet
 * ldapgw must be listed in the ~ua?synch/.shosts file to facilitate transfer of the UA? specific "style" elements utilized by EDIR/AUTHSERV

==== account: //sxldap// ====

UNIX account owning the CGI script representing the UPDATE back end gateway.

 * Group Membership
   * updategw - primary group
   * edirgw
     * exposes password files to //nobody// during CGI script execution via group membership
     * affects any files opened during execution of CGI scripts
     * affects the /logs directory where output is written
   * other
   * UA_Korn (on toklat and summit only)
 * .shosts file must allow access by
   * <> iplanet

==== account: //iplanet// ====

UNIX account owning the iPlanet directory and web update processes.
 * Directory Locations
   * ~iplanet/EDIR[TEST|PREP|PROD]/
   * ~iplanet/AUTH[TEST|PREP|PROD]/
   * All directory maintenance related source code is stored under this account: ~iplanet/local/ldap/
 * .shosts file must allow access by
   * <> sxldap
 * Group membership
   * iplanet - primary group
   * other
   * edirgw
     * associated with files visible to all parties supporting the gateways
   * updategw
     * associated with password files read by CGI scripts
     * any files opened during execution of CGI scripts
     * /ldap/web/log directory where output is written

==== account: //nobody// ====

UNIX account under which the Apache httpd processes are started and under which the EDIR CGI scripts are executed via the web.

 * Group membership
   * nobody - primary group
   * edirgw
     * facilitates reading of password files read by CGI scripts
   * updategw
     * facilitates reading of password files read by CGI scripts

==== account: //ua?synch// ====

UNIX accounts under which UAA specific "style" elements are maintained for test and preproduction EDIR or AUTHSERV.

 * ~ua?synch/[TEST|PREP]/
 * .shosts file must allow access by
   * <> iplanet # may become obsolete with gw ownership change
   * <> ldapgw
   * <>
 * Group Membership
   * other - primary group
   * edirsynch
     * facilitates transfer of LDIF to the uaasynch account

'''Note:''' Production "style" elements are copied from preproduction to the gateway directories; there is no reliance on links.

=== Registry Servers - Groups and Accounts ===

==== group: SWLDAP ====

Group used to share the output of registry database batch processes where the output is owned by oracle and written to /tmp.

==== account: //oracle// ====

UNIX account owning the oracle processes on the registry servers where DBMS_FILE is used in LDIF generation. oracle owns the resulting files and must change the file permissions before the files can be copied by the registry account.
 * Group Membership
   * group SWLDAP
     * facilitates change of owner on the EDIR LDIF
   * many other groups not applicable to EDIR processing

==== account: //sxldap// ====

UNIX account under which EDIR Banner Extract processing occurs and from which the registry generated LDIF originates. All EDIR registry related source code is stored under this account.

 * Master - eklutna:~sxldap/local/ldap/
 * sxldap must be listed in the ~iplanet/.shosts file to facilitate transfer and application of the registry generated LDIF
 * Group Membership
   * group SWLDAP (primary group)
   * group UA_Korn

== ORACLE ACCOUNTS AND ROLES ==

=== account: //OPS$SXLDAP// ===

Oracle schema owning the EDIR registry and performing EDIR Banner Extract processing.

 * Roles
   * Granted role CONNECT
   * Granted role LDAP_ROLE (role to which oracle SYS privs are granted)

'''Note:''' Table grants are made directly to the OPS$SXLDAP account, which in turn creates objects referencing the granting accounts' tables. See the following files on toklat: /ODS/product/PROD/bin/grant_*_to_sxldap.sql

=== account: //EDIR_GATEWAY// ===

Oracle schema granted execute and select privilege on the OPS$SXLDAP owned registry procedures and views. Granted role EDIR_ROLE.

=== role: EDIR_ROLE ===

Oracle role to which ops$sxldap can grant privileges so that EDIR_GATEWAY has access.

'''Note:''' Historically, all grants on OPS$SXLDAP objects have been made directly to EDIR_GATEWAY via the SQL source scripts that create the objects. We haven't been utilizing the role. See eklutnat:~sxldap/local/ldap/registry/*.sql

########################################################[[br]]
LEGACY CHANGE HISTORY - '''NOTE:''' All subsequent changes are recorded in TracWiki[[br]]
########################################################[[br]]
20071031 elm added section about oracle_[en|dis]able_updates.ksh scripts[[br]]
20081114 elm added reference to credentials, roles, ACIs soon to be associated with update back end under sxldap ownership rather than iplanet ownership
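The iPlanet ACIs section above distinguishes "read" ACIs (EDIRGWANYREAD, EDIRGWPRIVREAD) from "compare" ACIs (EDIRGWCOMPARE) without showing what that looks like in the directory. The following LDIF is an illustration added for this page, not the ACIs actually deployed: the ACI names and role DNs are taken from the page, but the target subtree, the attribute names (cn, mail, telephoneNumber, uaStudentID, homePhone) and the choice of the ou=resource role in each bind rule are assumptions. It uses the iPlanet/Sun Directory Server ACI syntax, where `roledn` matches a bind DN that holds the named role.

```ldif
# Added illustration; attribute names and target subtree are assumed, not from the page.
dn: ou=people,dc=alaska,dc=edu
changetype: modify
add: aci
aci: (targetattr="cn || mail || telephoneNumber")
  (version 3.0; acl "EDIRGWANYREAD";
  allow (read,search,compare)
  roledn="ldap:///cn=directoryGatewayRole,ou=resource,dc=alaska,dc=edu";)
-
add: aci
aci: (targetattr="uaStudentID")
  (version 3.0; acl "EDIRGWCOMPARE";
  allow (compare)
  roledn="ldap:///cn=directoryPrivilegedRole,ou=resource,dc=alaska,dc=edu";)
-
add: aci
aci: (targetattr="homePhone")
  (version 3.0; acl "EDIRGWPRIVREAD";
  allow (read,search,compare)
  roledn="ldap:///cn=directoryPrivilegedRole,ou=resource,dc=alaska,dc=edu";)
```

With this in place, a bind as uid=edirpriv03 can run `ldapcompare "uid=jdoe,ou=people,dc=alaska,dc=edu" uaStudentID:12345678` and get TRUE or FALSE, which is all the "This is me! Log In" flow needs, but an `ldapsearch` by that same bind returns the entry without uaStudentID, and a filter such as `(uaStudentID=1234*)` matches nothing because `search` was not granted on the attribute. Two checks worth running after any ACI change: search for the compare-only attribute as the privileged bind and confirm it does not come back, and note that granting `search` on a privileged attribute gives the same confirm-a-guess capability as `compare`, so it belongs in the COMPARE group, not the READ group, for threat modeling purposes.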
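The UNIX groups section describes one mechanism repeated for every gateway: a password file owned by the gateway account (ldapgw or sxldap), group edirgw or updategw, which the web server user //nobody// can read only because it is a member of that group. That invariant silently breaks if a file is left mode 644 after an edit, is created with the owner's primary group instead of the gateway group, or if //nobody// is dropped from the group. The script below is example code written for this page, not a tool from the UPDATE/EDIR/AUTHSERV project; the group file, GIDs, file paths and modes in it are constructed for the demonstration, and `entry_from_path` is provided so the same check can be pointed at real files on a server.

```python
"""Audit gateway credential files against the group-sharing model used by the
EDIR/AUTHSERV/UPDATE CGI scripts: owner = gateway account, group = a gateway
group that 'nobody' belongs to, group-readable, never world-readable.
Example code written for this page; the inventory below is constructed."""
import grp
import os
import pwd
import stat
from dataclasses import dataclass

# Constructed /etc/group-style content: group and account names are from the
# page, the GIDs are invented.
GROUP_FILE = """\
nobody:x:60001:
iplanet:x:1001:
ldapgw:x:1002:
updategw:x:1003:nobody,iplanet,sxldap
edirgw:x:1004:nobody,ldapgw,iplanet
"""

GATEWAY_GROUPS = ("edirgw", "updategw")   # groups the CGI scripts rely on
WEB_USER = "nobody"                      # user Apache runs the CGI scripts as


@dataclass(frozen=True)
class FileEntry:
    path: str
    owner: str
    group: str
    mode: int   # permission bits only, i.e. stat.S_IMODE(st_mode)


def parse_groups(text):
    """Parse /etc/group-format text into {group_name: set(member_names)}."""
    groups = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, _gid, members = line.split(":", 3)
        groups[name] = {m for m in members.split(",") if m}
    return groups


def entry_from_path(path):
    """Build a FileEntry from a real file (for use on an actual server)."""
    st = os.stat(path)
    return FileEntry(path,
                     pwd.getpwuid(st.st_uid).pw_name,
                     grp.getgrgid(st.st_gid).gr_name,
                     stat.S_IMODE(st.st_mode))


def check_credential_file(entry, groups, reader=WEB_USER,
                          allowed_groups=GATEWAY_GROUPS):
    """Return a list of findings; empty means `reader` can read the file only
    through an allowed group and nobody else gains access."""
    findings = []
    m = entry.mode
    if m & (stat.S_IROTH | stat.S_IWOTH | stat.S_IXOTH):
        findings.append(f"{entry.path}: world-accessible (mode {m:04o})")
    if m & stat.S_IWGRP:
        findings.append(f"{entry.path}: group-writable (mode {m:04o})")
    if entry.group not in allowed_groups:
        findings.append(f"{entry.path}: group {entry.group} is not a gateway "
                        f"group {allowed_groups}")
    elif reader not in groups.get(entry.group, set()):
        findings.append(f"{entry.path}: {reader} is not in group "
                        f"{entry.group}; CGI scripts cannot read this file")
    elif not m & stat.S_IRGRP:
        findings.append(f"{entry.path}: no group read bit; {reader} cannot "
                        "read this file")
    return findings


def audit(entries, groups):
    """Map each path to its findings, keeping only files with problems."""
    result = {}
    for e in entries:
        problems = check_credential_file(e, groups)
        if problems:
            result[e.path] = problems
    return result


# Constructed inventory (hypothetical paths): one correct file, three broken.
SAMPLE_INVENTORY = [
    FileEntry("/ldap/web/edir.passwd",   "ldapgw", "edirgw",   0o640),  # ok
    FileEntry("/ldap/web/update.passwd", "sxldap", "updategw", 0o644),  # world-readable
    FileEntry("/ldap/web/auth.passwd",   "ldapgw", "ldapgw",   0o640),  # wrong group
    FileEntry("/ldap/web/priv.passwd",   "ldapgw", "edirgw",   0o660),  # group-writable
]

if __name__ == "__main__":
    for path, problems in audit(SAMPLE_INVENTORY, parse_groups(GROUP_FILE)).items():
        for p in problems:
            print(p)
```

On a real server, replace `GROUP_FILE` with the contents of /etc/group and build the inventory with `entry_from_path` over the password files named in the sections above; the "wrong group" case is the one most easily introduced by hand, since a file recreated by ldapgw defaults to its primary group ldapgw, of which //nobody// is not a member.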