Changes between Version 1 and Version 2 of ALL__security_account_admin


Timestamp:
11/20/14 15:58:10 (9 years ago)
Author:
lttoth@…
Comment:

--

  • ALL__security_account_admin

    v1 v2  
    1 20081103 elm          Directory Account Administration 
     1= Directory Account Administration = 
     2    Original Author:  Beth Mercer - 20081103  
    23 
    34See also: 
    45 
    5         https://donnelly.alaska.edu/docs/LDAP/ALL__security 
    6         https://donnelly.alaska.edu/docs/LDAP/ALL__security_access_control 
     6        [[ALL__security| Directory Related Security]] 
     7        [[ALL__security_access_control| EDIR/AUTHSERV Access Control]] 
    78 
    89The Enterprise Directory is utilized not just as an electronic white pages, it  
    910is also utilized to authentication and in some cases authorize user access to  
    10 external applications.  The EDIR and AUTHSERV web gateways, MyUA and OnBase are  
    11 examples of external applications relying on directory authentication and  
    12 authorization. 
     11external applications.  The EDIR and AUTHSERV web gateways are examples of applications relying on directory authentication while OnBase and Shibboleth exemplify relying on directory attributes. 
    1312 
    1413Directory records that can be used for authentication/authorization are those  
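Review bot: the unmodified v2 line 10 still reads "utilized to authentication", which should be "used for authentication and, in some cases, authorization of user access to", and the new v2 line 11 ends with "OnBase and Shibboleth exemplify relying on directory attributes", which is awkward; suggest "while OnBase and Shibboleth rely on directory attributes for authorization" so the authentication/authorization distinction the paragraph opens with is carried through to the examples. Replacing the absolute docs URLs with `[[ALL__security| ...]]` wiki links at v2 lines 6-7 is fine.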
     
    1615differ from other directory records in that they have passwords used in binding  
    1716to the directory (the ability to bind successfully to the directory results in  
    18 successful authentication).  People and application records reside in branches  
     17successful authentication).   
     18 
     19People and application records reside in branches  
    1920of the directory clearly identifiable ou= in the RDN: 
    2021 
    21         uid=*,ou=people,dc=alaska,dc=edu 
    22         uid=*,ou=resource,dc=alaska,dc=edu 
     22        * uid=*,ou=people,dc=alaska,dc=edu 
     23        * uid=*,ou=resource,dc=alaska,dc=edu 
    2324 
    2425Because ou=people and ou=resource directory records can be used for directory  
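Review bot: v2 line 20, "of the directory clearly identifiable ou= in the RDN", is missing a preposition and is slightly off on terminology: for `uid=*,ou=people,dc=alaska,dc=edu` the entry's RDN is the `uid=` component, and `ou=people` belongs to the parent DN; suggest "branches of the directory identifiable by the ou= component of the DN". Splitting the long sentence at v2 lines 17-19 and converting the DN list to `*` bullets at 22-23 are both improvements and match the wiki syntax adopted elsewhere in v2.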
     
    2930bind to the directory: 
    3031 
    31         uid=*,ou=routing,dc=alaska,dc=edu 
    32         uid=*,ou=departments,dc=alaska,dc=edu 
    33         uid=*,ou=group,dc=alaska,dc=edu 
     32        * uid=*,ou=routing,dc=alaska,dc=edu 
     33        * uid=*,ou=departments,dc=alaska,dc=edu 
     34        * uid=*,ou=group,dc=alaska,dc=edu 
    3435 
    3536 
    36 ###################### 
    37 ## Account Creation ## 
    38 ###################### 
     37== Account Creation == 
    3938 
    40 # ou=people 
    41  
     39=== ou=people === 
    4240Accounts for people are created via one of two mechanisms; the EDIR Banner Extract  
    4341process and the AUTHSERV sponsor_account CGI script/web page.  The vast majority  
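Review bot: at v2 line 40 the semicolon after "one of two mechanisms" should be a colon, since what follows names the two mechanisms. The `== Account Creation ==` / `=== ou=people ===` headings replacing the `#` banner lines are the right choice for a Trac wiki page.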
     
    5048entitled to sponsor accounts. 
    5149 
    52 # ou=resource 
    53  
     50=== ou=resource === 
    5451Accounts utilized by applications are created only via the AUTHSERV seed_resource CGI 
    5552script/web page.  Ultimately it is the update back-end which generates the resource  
     
    5855 
    5956 
    60 ##################################### 
    61 ## Account Activation/Inactivation ## 
    62 ##################################### 
    6357 
    64 # ou=people 
     58== Account Activation/Inactivation == 
    6559 
     60=== ou=people === 
    6661The presence of a password signifies that an account is active.  Prior to the advent 
    6762of ELMO, a directory account could not be claimed, and user known password established, 
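Review bot: "user known password" at v2 line 62 should be hyphenated ("user-known password"). More substantively, v2 line 61 says the presence of a password signifies an active account but does not say which attribute is meant or how "active" relates to the `accountStatusFlag` lock values documented later on this page; a locked account presumably still holds a password, so as written "active" and "unlocked" can be read as the same thing. Suggest naming the attribute and adding one sentence distinguishing activation from locking.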
     
    7166dependent on prior account activation. 
    7267 
     68==== Banner Generated Account Activation ==== 
    7369Accounts for people generated via the EDIR Banner Extract are created inactive.   
    7470Those accounts are claimed and given a user known password via the UAS written and  
     
    7773        https://elmo.alaska.edu 
    7874 
     75==== Sponsored Account Activation ==== 
    7976Accounts for people generated via the AUTHSERV sponsor_account page are activated on  
    8077creation (i.e. given a default password).  The reason is based on the historical need  
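Review bot: v2 line 77 states that sponsored accounts are "activated on creation (i.e. given a default password)" but not how that default password reaches the sponsor or the user, nor whether claiming through ELMO replaces it; since the preceding section defines an active account as one that has a password, this subsection should state both, so that the lifetime of the default password is clear to whoever administers these accounts.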
     
    8582        https://authserv.alaska.edu/cgi-bin/sponsor_account 
    8683 
    87 For the most part, these accounts too can be claimed via ELMO.  However, there are known  
    88 issues with claiming guest accounts via ELMO and those users are directed to use the old  
    89 AUTHSERV first_time page as an alternate method of account claiming: 
     84For the most part, these accounts too can be claimed via ELMO. 
     85 
     86If there is an issue with claiming the sponsored account for any reason using ELMO, a backup plan includes using the AUTHSERV first_time page as an alternate method of account claiming: 
    9087 
    9188        https://authserv.alaska.edu/cgi-bin/first_time 
    9289 
     90==== Using AUTHSERV scripts for Activation ==== 
    9391Accounts can be activated/inactivated by authorized staff using the AUTHSERV activate  
    9492CGI script/web page. 
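Review bot: v2 lines 84-86 drop v1's specific statement (lines 87-89) that guest accounts have known issues being claimed via ELMO; if that issue still exists, the new wording "for any reason" hides the one case support staff most need to recognise, so either keep the guest-account case or say it has been resolved. Also, "a backup plan includes using the AUTHSERV first_time page" reads better as "the AUTHSERV first_time page can be used as an alternate method of account claiming".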
     
    10199        ~iplanet/local/ldap/scripts/account_managementProd.ksh 
    102100 
    103 # ou=resource 
     101=== ou=resource === 
    104102 
    105103Application accounts are created inactive via the AUTHSERV seed resource CGI script/ 
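Review bot: v2 line 103 writes "seed resource" where v2 line 51 uses "seed_resource" for the same AUTHSERV CGI script; use the actual script name consistently so readers can match the prose to the script and page they are expected to use.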
     
    117115See ~iplanet/local/ldap/schema/RESET/ for examples of those scripts. 
    118116 
    119 NOTE: Application account passwords are set initially to expire in 2020.   
     117''NOTE:'' Application account passwords are set initially to expire in 2020.   
    120118 
     119== Password Changes & Resets == 
    121120 
    122 ############################# 
    123 ## Password Changes/Resets ## 
    124 ############################# 
    125  
    126 # ou=people 
     121=== ou=people === 
    127122 
    128123Account passwords for most people can be changed via the ELMO interface.  This is  
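Review bot: the NOTE at v2 line 117 (now italicised with `''...''`) still gives only a hard-coded year, 2020, for the initial expiry of application account passwords, without saying which password-policy attribute carries the expiry or what the procedure is when it is reached; as a 2014 revision this will go stale. Suggest documenting the attribute and pointing at the reset path (the page already references the scripts under `~iplanet/local/ldap/schema/RESET/` at v2 line 115) rather than the year alone.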
     
    142137new password. 
    143138 
    144 # ou=resource 
     139=== ou=resource === 
    145140 
    146141Application account passwords can be changed by the account holder only by using the old  
     
    155150scripts are maintained. 
    156151 
     152== Account Locking ==  
    157153 
    158 ##################### 
    159 ## Account Locking ##  
    160 ##################### 
    161  
    162 # ou=people  
     154=== ou=people === 
    163155 
    164156Accounts for either people or applications can be locked via the AUTHSERV lock and  
     
    174166attribute: 
    175167 
    176         accountStatusFlag=L     (regular lock, writable by HelpDesk or EDIRadmin EDIRrole) 
    177         accountStatusFlag=AL    (administrative lock, writable by EDIRadmin EDIRrole) 
     168        accountStatusFlag=L      : regular lock, writable by HelpDesk or EDIRadmin EDIRrole 
     169        accountStatusFlag=AL : administrative lock, writable by EDIRadmin EDIRrole 
    178170 
    179171Administrative locks are most likely placed on an account in the advent of a security action  
    180172which results in the immediate suspension of account access. 
    181173 
    182 # ou=resource 
     174=== ou=resource === 
    183175 
    184176Existing forms for locking accounts were designed to support locking of people accounts  
    185177and do not currently support the locking of application accounts. 
    186178 
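Review bot: "in the advent of a security action" at v2 line 171 should be "in the event of a security action". Separately, v2 line 156 says accounts for "either people or applications" can be locked, while v2 lines 176-177 say the existing forms do not support locking application accounts; these need reconciling, for example "people accounts can be locked via the forms; application accounts cannot currently be locked by this means". On the flag list at v2 lines 168-169 the `flag : description` layout is fine, but the page does not say whether the HelpDesk role can clear an `L` lock or only set it, nor whether an `AL` supersedes an `L`; that is the access-control property the two roles exist to enforce, so it is worth stating explicitly.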
    187 ####################### 
    188 DOCUMENT CHANGE HISTORY 
     179########################################################[[br]] 
     180LEGACY CHANGE HISTORY - NOTE: All subsequent changes are recorded in TracWiki 
     181########################################################[[br]] 
    189182 
    19018320081031 elm    corrected typos 
    19118420081103 elm    added "See also:" section with links to other security related docs 
    192185 
    193 # eof
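Review bot: the two legacy history entries at v2 lines 183-184 are consecutive plain lines, which Trac's wiki formatting will join into a single paragraph; add a `[[br]]` after each entry (as already done for the banner lines at 179 and 181) or make them list items so the dated entries stay on separate lines. Dropping the v1 `# eof` marker and renaming the section to LEGACY CHANGE HISTORY with the pointer to the TracWiki history is fine.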