Context Navigation

Changes between Version 5 and Version 6 of ALL__security_account_admin

Timestamp:: 11/24/14 14:45:40 (10 years ago)
Author:: lttoth@…
Comment:: Revised based on preliminary discussions with Support Services. Account administration will probably need to be revisited once more details are provided by senior Support Center staff.

Legend:

: Unmodified
: Added
: Removed
: Modified

ALL__security_account_admin

-                      v5
+                      v6
+== Account Creation ==
+== Account Management ==
+Legacy AUTHSERV functions are in some cases still in place, but rarely, if ever used.  Account creation functions have been shifted to Banner and an automated feed to EDIR LDAP.  Account Claiming, activation, and password management has shifted to ELMO.  De-activation of accounts has been replaced by removing permissions and roles, effectively prohibiting users from accessing those functions and systems for which they should no longer have access.
+=== ou=people ===
+Each AUTHSERV function and its corresponding script or URL invocation is discussed below.
+=== Account Creation ===
+==== ou=people ====
 Accounts for people are created via one of two mechanisms; the EDIR Banner Extract
 process and the AUTHSERV sponsor_account CGI script/web page.  The vast majority
 …
 entitled to sponsor accounts.
 === ou=resource ===
+==== ou=resource ====
 Accounts utilized by applications are created only via the AUTHSERV seed_resource CGI
 script/web page.  Ultimately it is the update back-end which generates the resource
 account after first confirming that the requesting party is entitled to request
 resource account creation..
+resource account creation.
+=== Account Activation & Inactivation ===
+== Account Activation & Inactivation ==
+=== ou=people ===
+==== ou=people ====
 The presence of a password signifies that an account is active.  Prior to the advent
 of ELMO, a directory account could not be claimed, and user known password established,
 unless the account had first been activated (given a default password).  With the
+advent of ELMO, an account need no longer be activated prior to claiming.  However, it
+is still true that the old AUTHSERV form for account claiming - first_time - is
+dependent on prior account activation.
+advent of ELMO, an account need no longer be activated prior to claiming.  The act of claiming an account through ELMO activates the account.
 ==== Banner Generated Account Activation ====
 …
 creation (i.e. given a default password).  The reason is based on the historical need
 for an account to be activated before it could be claimed and the fact that accounts
 being sponsored were expected to be claimed for the purpose of accessing external
 applications.
+being sponsored are expected to be claimed for the purpose of accessing external
+applications.  Sponsored accounts are managed via the following link:
         https://authserv.alaska.edu/cgi-bin/sponsor_account
 …
 For the most part, these accounts too can be claimed via ELMO.
 If there is an issue with claiming the sponsored account for any reason using ELMO, a backup plan includes using the AUTHSERV first_time page as an alternate method of account claiming:
+If there is an issue with claiming the sponsored account for any reason using ELMO, a backup plan may still include using the AUTHSERV first_time page as an alternate method of account claiming via the following URL:
         https://authserv.alaska.edu/cgi-bin/first_time
 ==== Using AUTHSERV scripts for Activation ====
+Accounts can be activated/inactivated by authorized staff using the AUTHSERV activate
+CGI script/web page.
+===== ou=people =====
+In a review of the AUTH<instance> source code, it appears that accounts can still be activated/inactivated by authorized staff using the AUTHSERV activate
+CGI script/web page.  In practice, that procedure is not used by Help Desk Staff.  The corresponding URL is:
         https://authserv.alaska.edu/cgi-bin/activate
 In addition, a nightly batch process looks for an inactivates directory accounts
 previously activated but still unclaimed after 14 days.
+previously activated but still unclaimed after 14 days by executing the following script;
         ~iplanet/local/ldap/scripts/account_managementProd.ksh
 === ou=resource ===
+===== ou=resource =====
 Application accounts are created inactive via the AUTHSERV seed resource CGI script/
 web page.
+web page:
         https://authserv.alaska.edu/cgi-bin/seed_resource
 An individual with shell access to the "e" boxes must activate application accounts
+In the past, an individual with shell access to the "e" boxes activated application accounts
 by generating and running a script that establishes a known password (using Directory
+Manager credentials) and then changes that known password using the application account
+credentials.  The same scripts are used to reset an application account password
+Manager credentials) and then changed that known password using the application account
+credentials.  Today, the resource account is created without setting a password when seeded.
+However, the legacy script remain and the same scripts are used to reset an application account password
 should the password expire or be forgotten.  For that reason, the scripts are named
 with a reset_ prefix.
 …
 ''NOTE:'' Application account passwords are set initially to expire in 2020.
 == Password Changes & Resets ==
+=== Account Locking == =
+=== ou=people ===
+Account passwords for most people can be changed via the ELMO interface.  This is
+true whether the password is active or has expired, is known or is unknown.  As
+stated earlier about account claiming, some guest accounts will be unsuccessful
+utilizing ELMO and will be directed to the old AUTHSERV password change or self
+reset CGI scripts/web pages:
+        * https://authservtest.alaska.edu/cgi-bin/passwd_chg
+        * https://authservtest.alaska.edu/cgi-bin/self_reset
+        * https://authservtest.alaska.edu/cgi-bin/post_reset
+When using the old AUTHSERV pages, the user either changes a known password or resets an
+unknown/expired password.  When reset, passwords are set to a default value based on a
+number and date (generally SSN and birthdate) supplied to the account creation process.
+The post reset page prompts for that number and date and allows the user to establish a
+new password.
+=== ou=resource ===
+Application account passwords can be changed by the account holder only by using the old
+EDIR change_passwd CGI script/web page.  Application account password changes result in a
+standard 400 day expiration, not the 2020 expiration established when the account is first
+activated.  It is the application account holder's responsibility to insure the password
+is changed before expiration.
+There is currently no mechanism by which an application accounts can perform a self reset
+should a password expire or become forgotten.  Expired application account passwords must
+be reset/changed by an individual with shell access to the "e" boxes where the "reset_"
+scripts are maintained.
+== Account Locking ==
+=== ou=people ===
+==== ou=people ====
 Accounts for either people or applications can be locked via the AUTHSERV lock and
 …
 which results in the immediate suspension of account access.
 === ou=resource ===
+==== ou=resource ====
 Existing forms for locking accounts were designed to support locking of people accounts
 and do not currently support the locking of application accounts.
+== Password Management ==
+Although the password management scripts are still present on "E" boxes, they only change the EDIR LDAP password.  All authentication to University of Alaska applications and services is managed through ELMO and validated by both AD and EDIR.  Their is one case where passwords are reset local to EDIR only.  There are times when inexplicably the Active Directory password and the EDIR password become out of sync (even if they ar ethe same password) and users can not access servers to set up EDUROAM, e.g.  At that time, the reset capability is used so that synchronization is flagged as needed.  This triggers the synchronization.
+Otherwise, these scripts and URLs are not used.
+==== ou=people ====
+Account passwords for most people can be changed via the ELMO interface.  This is
+true whether the password is active or has expired, is known or is unknown.  As
+stated earlier about account claiming, some guest accounts will be unsuccessful
+utilizing ELMO and may be directed to the old AUTHSERV password change or self
+reset CGI scripts/web pages:
+        * https://authservtest.alaska.edu/cgi-bin/passwd_chg
+        * https://authservtest.alaska.edu/cgi-bin/self_reset
+        * https://authservtest.alaska.edu/cgi-bin/post_reset
+However, these will only trigger the need for password synchronization  Generally, these functions are exercised now by the Help Desk to assist users.
+In the past, when using the old AUTHSERV pages, the user either changed a known password or reset an unknown/expired password.  When reset, passwords were set to a default value based on a number and date (generally SSN and birthdate) supplied to the account creation process.  The post reset page prompted for that number and date and allowed the user to establish a
+new password.
+==== ou=resource ====
+Application account passwords can be changed by the account holder only by using the old
+EDIR change_passwd CGI script/web page.  Application account password changes result in a
+standard 400 day expiration, not the 2020 expiration established when the account is first
+activated.  It is the application account holder's responsibility to insure the password
+is changed before expiration.
+There is currently no mechanism by which an application accounts can perform a self reset
+should a password expire or become forgotten.  Expired application account passwords must
+be reset/changed by an individual with shell access to the "e" boxes where the "reset_"
+scripts are maintained.
 ########################################################[[br]]