Version 8 (modified by lttoth@…, 10 years ago)

Accounts, Roles, and Groups Utilized by UPDATE, EDIR, and AUTHSERV

Original Author: Beth Mercer - 20081114

The following accounts are utilized in some manner by UPDATE, EDIR, or AUTHSERV batch processing or the web gateway(s). They are grouped by category: directory or registry.

IPLANET ACCOUNTS/ROLES/ACIS

iPlanet Accounts

  • uid=edirbatch03,ou=resource,dc=alaska,dc=edu

credentials utilized by UPDATE interface for batch processing

  • uid=edirgw03,ou=resource,dc=alaska,dc=edu

credentials utilized by EDIR web gateway for "anonymous" access

  • uid=edirpriv03,ou=resource,dc=alaska,dc=edu

credentials utilized by EDIR web gateway to access privileged information not expected to be visible to "anonymous" access but needed for functions like the "This is me! Log In" link.

  • uid=authserv03,ou=resource,dc=alaska,dc=edu

credentials utilized by the AUTHSERV web gateway

  • uid=authpriv03,ou=resource,dc=alaska,dc=edu

credentials utilized by AUTHSERV web gateway to access privileged information

  • uid=updategw03,ou=resource,dc=alaska,dc=edu

credentials utilized by UPDATE back end to access privileged information and perform privileged tasks

Note: Most likely, AUTHSERV needs only one set of credentials.

iPlanet Roles

  • cn=directoryGatewayRole,ou=people,dc=alaska,dc=edu
  • cn=directoryGatewayRole,ou=resource,dc=alaska,dc=edu

roles associated with ACIs allowing gateway access to non-privileged information

  • cn=directoryPrivilegedRole,ou=people,dc=alaska,dc=edu
  • cn=directoryPrivilegedRole,ou=resource,dc=alaska,dc=edu

roles associated with ACIs allowing gateway access to privileged information

  • cn=authserviceRole,ou=people,dc=alaska,dc=edu
  • cn=authserviceRole,ou=resource,dc=alaska,dc=edu

roles associated with ACIs allowing gateway access to non-privileged information

  • cn=authservicePrivilegedRole,ou=resource,dc=alaska,dc=edu
  • cn=authservicePrivilegedRole,ou=people,dc=alaska,dc=edu

roles associated with ACIs allowing gateway access to privileged information

  • (future) cn=superUserRole,ou=resource,dc=alaska,dc=edu

role associated with ACIs allowing the update back end access to privileged information

iPlanet ACIs

  • EDIRGWANYCOMPARE
  • EDIRGWANYREAD
  • EDIRGWEMPREAD
  • EDIRGWSTUREAD

ACIs that provide the non-privileged gateway role with read access to non-privileged information

  • EDIRGWCOMPARE
  • EDIRGWEMPCOMPARE
  • EDIRGWSTUCOMPARE

ACIs that provide the privileged gateway role the ability to ask true/false questions about attributes that are not otherwise visible

  • EDIRGWPRIVREAD

ACIs that provide the privileged gateway role with read access to privileged information

  • AUTHSERVICEREAD

ACIs that provide the non-privileged authservice role with read access to non-privileged information

  • AUTHSERVICEPRIVCOMPARE

ACIs that provide the privileged gateway role the ability to ask true/false questions about attributes that are not otherwise visible

  • AUTHSERVICEPRIVREAD

ACIs that provide the privileged authservice role with read access to privileged information

  • (future) SUADDDEL
  • (future) SUDENYREADSEARCHCOMPARE
  • (future) SUDENYWRITE
  • (future) SUREADWRITE

ACIs that provide (or deny) the privileged superuser role with read/write access to privileged information
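To make the read-versus-compare split concrete, here is an added illustration in iPlanet/Sun Directory Server ACI syntax; it is not the page's own configuration and not taken from the EDIR deployment. The ACI names and role DNs are the ones listed above; the attribute names (cn, sn, mail, telephoneNumber, uaEmployeeID, uaPrivateFlag) are assumed placeholders.

```ldif
# Added example, not the page's own configuration. Attribute names are
# assumed placeholders; ACI names and role DNs come from the lists above.
# Applied to the people subtree; the gateway binds as a resource account
# holding the matching role under ou=resource.
dn: ou=people,dc=alaska,dc=edu
changetype: modify
add: aci
# Non-privileged gateway role: plain read/search on attributes meant to be
# visible to "anonymous" gateway users.
aci: (targetattr="cn || sn || mail || telephoneNumber")
 (version 3.0; acl "EDIRGWANYREAD";
 allow (read,search) roledn="ldap:///cn=directoryGatewayRole,ou=resource,dc=alaska,dc=edu";)
-
add: aci
# Privileged gateway role: compare only. The gateway may ask "does this entry
# carry employee ID X?" (LDAP compare) but can never read or search the value.
aci: (targetattr="uaEmployeeID")
 (version 3.0; acl "EDIRGWEMPCOMPARE";
 allow (compare) roledn="ldap:///cn=directoryPrivilegedRole,ou=resource,dc=alaska,dc=edu";)
-
add: aci
# Privileged gateway role: full read on the attributes the "This is me!
# Log In" flow needs, which the non-privileged role is never granted.
aci: (targetattr="uaPrivateFlag")
 (version 3.0; acl "EDIRGWPRIVREAD";
 allow (read,search) roledn="ldap:///cn=directoryPrivilegedRole,ou=resource,dc=alaska,dc=edu";)
```

Because a compare right still answers one yes/no question per request, the directory access log for the privileged bind DN (uid=edirpriv03) is where unusual volumes of compare operations would show up; the non-privileged bind DN cannot reach the attribute at all.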

UNIX GROUPS AND MEMBER ACCOUNTS

Directory Server Groups

Accounts associated with these groups are italicized.

group: iplanet

Default group of iplanet account

group: ldapgw

Default group of ldapgw account

group: updategw

  • Group used by iplanet to expose files that must be visible to 'nobody'
  • Group used by sxldap to expose files that must be visible to 'nobody'
  • Owner of Apache processes when executing update process CGI scripts

group: edirgw

  • Group used by ldapgw to expose files that must be visible to 'nobody'
  • Owner of Apache processes when executing gateway CGI scripts

Directory Server Accounts

account: ldapgw

UNIX account owning CGI scripts representing the EDIR/AUTHSERV web gateways.

  • Group Membership
    • ldapgw - primary group
    • edirgw
      • exposes password files to nobody during CGI script execution via group membership
      • any files opened during execution of CGI scripts
      • <GW>/logs directory where output is written
    • other
    • UA_Korn (on toklat only)
  • .shosts file must allow access by
    • <<directory servers>> iplanet
  • ldapgw must be listed in ~ua?synch/.shosts file to facilitate transfer of UA? specific "style" elements utilized by EDIR/AUTHSERV

account: sxldap

UNIX account owning CGI script representing the UPDATE back end gateway.

  • Group Membership
    • updategw - primary group
    • edirgw
      • exposes password files to nobody during CGI script execution via group membership
      • affects any files opened during execution of CGI scripts
      • affects <GW>/logs directory where output is written
    • other
    • UA_Korn (on toklat and summit only)
  • .shosts file must allow access by
    • <<directory servers>> iplanet

account: iplanet

UNIX account owning iPlanet directory and web update processes.

  • Directory Locations
    • ~iplanet/EDIR[TEST|PREP|PROD]/
    • ~iplanet/AUTH[TEST|PREP|PROD]/
  • All directory maintenance related source code is stored under this account
    • ~iplanet/local/ldap/
  • .shosts file must allow access by
    • <<registry servers>> sxldap
  • Group membership
    • iplanet - primary group
    • other
    • edirgw
      • associated with files visible to all parties supporting gateways
    • updategw
      • associated with password files read by CGI scripts
      • any files opened during execution of CGI scripts
      • <GW>/ldap/web/log directory where output is written

account: nobody

UNIX account under which Apache httpd processes are started and under which EDIR CGI scripts are executed via the web.

  • Group membership
    • nobody - primary group
    • edirgw
      • facilitate reading of password files read by CGI scripts
    • updategw
      • facilitate reading of password files read by CGI scripts

account: ua?synch

UNIX accounts under which UAA specific "style" elements are maintained for test and preproduction EDIR or AUTHSERV.

  • Directory locations for test and preproduction EDIR or AUTHSERV
    • ~ua?synch/[TEST|PREP]/
  • .shosts file must allow access by
    • <<directory servers>> iplanet # may become obsolete with gw ownership change
    • <<directory servers>> ldapgw
    • <<ua? entities>>
  • Group Membership
    • other - primary group
    • edirsynch
      • facilitate transfer of LDIF to uaasynch account

Note: Production "style" elements are copied from preproduction to the gateway directories; no reliance on links.

Registry Servers - Groups and Accounts

group: SWLDAP

Group used to share output of registry database batch processes where output is owned by oracle and written to /tmp

account: oracle

UNIX account owning oracle processes on registry servers where DBMS_FILE is used in LDIF generation. oracle owns resulting files and must change the file permissions before files can be copied by the registry account.

  • Group Membership
    • group SWLDAP
      • facilitate change owner on EDIR LDIF
    • many other groups not applicable to EDIR processing

account: sxldap

UNIX account under which EDIR Banner Extract processing occurs and from which registry generated LDIF originates. All EDIR registry related source code is stored under this account.

  • Master - eklutna:~sxldap/local/ldap/
  • sxldap must be listed in ~iplanet/.shosts file to facilitate transfer and application of registry generated LDIF
  • Group Membership
    • group SWLDAP (primary group)
    • group UA_Korn

ORACLE ACCOUNTS AND ROLES

account: OPS$SXLDAP

Oracle schema owning EDIR registry and performing EDIR Banner Extract processing.

  • Roles
    • Granted role CONNECT
    • Granted role LDAP_ROLE (role to which oracle SYS privs are granted)

Note: Table grants are made directly to the OPS$SXLDAP account which in turn creates objects referencing those accounts. See the following files on toklat:

/ODS/product/PROD/bin/grant_*_to_sxldap.sql

account: EDIR_GATEWAY

Oracle schema granted execute and select privilege on OPS$SXLDAP owned registry procedures and views.

granted role EDIR_ROLE

role: EDIR_ROLE

Oracle role to which ops$sxldap can grant privileges so that EDIR_GATEWAY has access.

Note: Historically, all grants on OPS$SXLDAP objects are made to the EDIR_GATEWAY via the SQL source scripts for creating the objects. We haven't been utilizing the role. See eklutnat:~sxldap/local/ldap/registry/*.sql

########################################################
LEGACY CHANGE HISTORY - NOTE: All subsequent changes are recorded in TracWiki
########################################################
20071031 elm added section about oracle_[en|dis]able_updates.ksh scripts
20081114 elm added reference to credentials, roles, ACIs soon to be associated with update back end under sxldap ownership rather than iplanet ownership