| | 1 | = EDIRrole and Associated iPlanet Roles = |
| | 2 | Original author: Beth Mercer - 20081103 |
| | 3 | |
| | 4 | ''Note:'' Though out this document are references to ldap_*<Inst> commands. Those are |
| | 5 | simply scripted invocations of the associated ldap* utilities that make it possible |
| | 6 | to search the directory, and to add, modify and delete directory data using the |
| | 7 | Directory Manager credentials. The ldap_*<Inst> scripts can be found on the "e" |
| | 8 | boxes under ~iplanet/local/ldap/scripts. |
| | 9 | |
| | 10 | EDIRrole is a locally defined attribute used to make attribute based authorization |
| | 11 | decisions within EDIR, AUTHSERV, their UPDATE back end and at the directory |
| | 12 | level itself. Within the web gateways, the presence or absense of an EDIRrole |
| | 13 | value determines whether or not a user is allowed to interact with an administrative |
| | 14 | form. At the UPDATE back end, the presence or absense of an EDIRrole value |
| | 15 | determines whether or not a restricted function relying on agent credentials rather |
| | 16 | than user credentials will be performed at the request of a particular user. At the |
| | 17 | directory level, EDIRrole values are referenced by iPlanet roles which are associated |
| | 18 | with ACIs that provide update access to groups of directory records. |
| | 19 | |
| | 20 | EDIRroles are given meaning by the web gateways, backend and directory roles |
| | 21 | that reference them. |
| | 22 | |
| | 23 | There are currently 2900+ distinct EDIRrole values but most are flavors of the |
| | 24 | following: |
| | 25 | |
| | 26 | ADadmin # the ability to administer AD related attributes |
| | 27 | EDIRadmin # the ability to administer any self service attribute |
| | 28 | abideByFERPA # the ability to see FERPA protected student records |
| | 29 | deptAdmin<unitUIDpattern> # the ability to update unit records |
| | 30 | emailAdmin # the ability to administer email related attributes |
| | 31 | emplAdmin<unitUIDpattern> # the ability to update people records associated with unit |
| | 32 | helpDesk # the ability to perform restricted account management tasks |
| | 33 | phoneBook # the ability to administer phoneBook related attributes |
| | 34 | secretaryAdmin # the ability to administer the secretary attribute |
| | 35 | sponsorAccount # the ability to sponsor directory records (includes guest account creation) |
| | 36 | tklAdmin<TKLpattern> # the ability to update people records associated with TKL |
| | 37 | |
| | 38 | The greatest variety exists in the deptAdmin* emplAdmin* and tklAdmin* EDIRrole |
| | 39 | values. Those roles are scoped to allow access to a single unit/TKL or a group of |
| | 40 | units/TKLs which roll up to a common record. |
| | 41 | |
| | 42 | EDIRrole values are provisioned on ou=people records by the ZUAUSR application when |
| | 43 | it processes super classes that contain EDIR related grants. Since ZUAUSR is an |
| | 44 | application that supports provisioning of administrative access only to employee |
| | 45 | accounts (and a handful of exceptions), EDIRrole values must be manually provisioned |
| | 46 | by TSAA staff on ou=resource records and on any ou=people records not handled by |
| | 47 | ZUAUSR. |
| | 48 | |
| | 49 | The iPlanet roles based on EDIRrole values come in two flavors: those that apply to |
| | 50 | people accessing other records and those that apply to resource accounts accessing |
| | 51 | other records. The iPlanet roles that govern people's access require that the person |
| | 52 | doing the accessing have a current job assignment. That helps insure that users |
| | 53 | who leave the university do not retain viable directory access even if account |
| | 54 | administration practices do not result in the timely revocation of administrative |
| | 55 | accesses. |
| | 56 | |
| | 57 | iplanet@egegik> cat role.EDIRadminRole.ldif |
| | 58 | dn: cn=EDIRadminRole,ou=people,dc=alaska,dc=edu |
| | 59 | objectclass: top |
| | 60 | objectclass: LDAPsubentry |
| | 61 | objectclass: nsRoleDefinition |
| | 62 | objectclass: nsComplexRoleDefinition |
| | 63 | objectclass: nsFilteredRoleDefinition |
| | 64 | cn: EDIRadminRole |
| | 65 | nsRoleFilter: (&(EDIRROLE=*)(EDIRrole=EDIRadmin)(eduPersonAffiliation=Employee)(assignmentCount=*)(!(assignmentCount=0))) |
| | 66 | Description: filtered role for entities administering EDIR |
| | 67 | |
| | 68 | Resource credentials on the other hand are granted to applications not people and |
| | 69 | applications do not have current job assignments so the assignment criteria is omitted: |
| | 70 | |
| | 71 | iplanet@egegik> cat role.EDIRadminRole.resource.ldif |
| | 72 | dn: cn=EDIRadminRole,ou=resource,dc=alaska,dc=edu |
| | 73 | objectclass: top |
| | 74 | objectclass: LDAPsubentry |
| | 75 | objectclass: nsRoleDefinition |
| | 76 | objectclass: nsComplexRoleDefinition |
| | 77 | objectclass: nsFilteredRoleDefinition |
| | 78 | cn: EDIRadminRole |
| | 79 | nsRoleFilter: (&(EDIRROLE=*)(EDIRrole=EDIRadmin)) |
| | 80 | Description: filtered role for resource entities administering EDIR |
| | 81 | |
| | 82 | iPlanet roles are created and deleted as follows: |
| | 83 | |
| | 84 | iplanet@egegik> ldap_deleteTest |
| | 85 | inst: test |
| | 86 | port: 13338 |
| | 87 | |
| | 88 | |
| | 89 | ldapdelete: started Mon Nov 3 16:35:08 2008 |
| | 90 | |
| | 91 | ldap_init( egegik, 13338 ) |
| | 92 | ldaptool_getcertpath -- /e01/iplanet/servers/alias/slapd-egegiktest-cert8.db |
| | 93 | ldaptool_getkeypath -- /e01/iplanet/servers/alias/slapd-egegiktest-cert8.db |
| | 94 | ldaptool_getdonglefilename -- (null) |
| | 95 | cn=EDIRadminRole,ou=resource,dc=alaska,dc=edu |
| | 96 | deleting entry cn=EDIRadminRole,ou=resource,dc=alaska,dc=edu |
| | 97 | entry removed |
| | 98 | <ctrl+d> |
| | 99 | |
| | 100 | iplanet@egegik> ldap_addTest -f role.EDIRadminRole.resource.ldif |
| | 101 | inst: test |
| | 102 | port: 13338 |
| | 103 | |
| | 104 | |
| | 105 | ldapmodify: started Mon Nov 3 16:35:25 2008 |
| | 106 | |
| | 107 | ldap_init( egegik, 13338 ) |
| | 108 | ldaptool_getcertpath -- /e01/iplanet/servers/alias/slapd-egegiktest-cert8.db |
| | 109 | ldaptool_getkeypath -- /e01/iplanet/servers/alias/slapd-egegiktest-cert8.db |
| | 110 | ldaptool_getdonglefilename -- (null) |
| | 111 | add objectclass: |
| | 112 | top |
| | 113 | LDAPsubentry |
| | 114 | nsRoleDefinition |
| | 115 | nsComplexRoleDefinition |
| | 116 | nsFilteredRoleDefinition |
| | 117 | add cn: |
| | 118 | EDIRadminRole |
| | 119 | add nsRoleFilter: |
| | 120 | (&(EDIRROLE=*)(EDIRrole=EDIRadmin)) |
| | 121 | add Description: |
| | 122 | filtered role for resource entities administering EDIR |
| | 123 | adding new entry cn=EDIRadminRole,ou=resource,dc=alaska,dc=edu |
| | 124 | modify complete |
| | 125 | |
| | 126 | iPlanet roles created for ou=people,dc=alaska,dc=edu and ou=resource,dc=alaska,dc=edu |
| | 127 | in a directory instance on one server are automatically replicated to the same directory |
| | 128 | instance on all other servers. That is because roles are simply another form of |
| | 129 | directory data and those branches of the directory are configured for automatic |
| | 130 | replication of directory data changes. |
| | 131 | |
| | 132 | # eof |
