| | 1 | = Ad Hoc Changes to EDIR accounts = |
| | 2 | Original author: Mark Anderson - 20091029 |
| | 3 | |
| | 4 | == Limitations in the UI Interface Necessitating Alternate Editing Methods == |
| | 5 | We cannot make all necessary additions, deletions and updates to |
| | 6 | EDIR/AUTHSERV data through the existing web interfaces. This document |
| | 7 | describes one way to make the small-scale changes which are the most common |
| | 8 | case. Although simple to carry out, these changes must be performed |
| | 9 | with care to ensure that the updated data is accurate. Since the changes |
| | 10 | are easy to make, it is also easy to make them carelessly. |
| | 11 | |
| | 12 | It is also important to ensure that the updated data is organized |
| | 13 | consistently with the other data in EDIR/AUTHSERV. Otherwise, as |
| | 14 | inconsistent "edge cases" proliferate in the data it becomes increasingly |
| | 15 | difficult to carry out large-scale changes to, or queries of, the data. |
| | 16 | |
| | 17 | Changes must (almost always) be made to both the LDAP server Directory and |
| | 18 | the Oracle server Registry. If changes are made only to the Directory, then |
| | 19 | they may be erased by the next Banner refresh which pushes the contents of |
| | 20 | the Registry out to the Directory. If changes are made only to the Registry, |
| | 21 | they will not be visible in EDIR/AUTHSERV. The only exceptions to this rule |
| | 22 | are the attributes which are not stored in the Registry but only in the |
| | 23 | Directory: userPassword, uakSecQuestion and uakSecResponse |
| | 24 | |
| | 25 | The following procedure is just one way to make these updates. The |
| | 26 | artifacts of this procedure -- the .ldif and .sql files -- are not of |
| | 27 | permanent value but are useful to keep around for a short time so that |
| | 28 | if you made an error (for example, updated the Directory but not the |
| | 29 | Registry) you can consult the files to isolate that error. They can also |
| | 30 | serve as templates for similar updates later. |
| | 31 | |
| | 32 | == EDIR LDAP Updates == |
| | 33 | To update the Directory, log in to any of the LDAP directory hosts |
| | 34 | as iplanet and submit an LDIF script to the appropriate Directory instance. |
| | 35 | How to do this is described in detail in this section. |
| | 36 | |
| | 37 | === Create an LDIF === |
| | 38 | First, create an LDIF file consisting of four basic lines (described in detail |
| | 39 | below) and optional comment lines preceded by #: |
| | 40 | {{{ |
| | 41 | % cat phmccarthy_addEduPersonAffiliation.ldif |
| | 42 | # Paul McCarthy - emeritus |
| | 43 | |
| | 44 | dn: uid=FR464UKX01,ou=people,dc=alaska,dc=edu |
| | 45 | changetype: modify |
| | 46 | add: eduPersonAffiliation |
| | 47 | eduPersonAffiliation: Member |
| | 48 | % |
| | 49 | }}} |
| | 50 | By convention the file is named after the directory entry followed by |
| | 51 | the change, e.g. |
| | 52 | |
| | 53 | * phmccarthy_addEduPersonAffiliation.ldif |
| | 54 | * elaineVroman_changeDefaultPassword.ldif |
| | 55 | * syfnd_addVanityAddress.ldif |
| | 56 | |
| | 57 | ==== Line 1: Distinguished Name (dn) ==== |
| | 58 | The first line of the LDIF will contain the unique Distinguished Name (dn) |
| | 59 | of the entry you intend to update. Usually the entry will be for a People |
| | 60 | or Resource account, although occasionally the DN may be in the Departments or Routing OU of the directory. |
| | 61 | |
| | 62 | ===== Distinguished Name - ou=people ===== |
| | 63 | {{{ |
| | 64 | dn: uid=FL0Z2N9R01,ou=people,dc=alaska,dc=edu |
| | 65 | dn: uid=GOOGLEAPPS03,ou=resource,dc=alaska,dc=edu |
| | 66 | }}} |
| | 67 | In any case, you can get the dn by querying the Directory for the entry. |
| | 68 | The DN will always be the first non-comment line returned: |
| | 69 | {{{ |
| | 70 | % ldap_queryProd "(cn=lawrence duffy)" dn |
| | 71 | # SSL connection to port 17630 |
| | 72 | dn: uid=FL0Z2N9R01,ou=people,dc=alaska,dc=edu |
| | 73 | }}} |
| | 74 | |
| | 75 | ===== Distinguished Name - ou=resource ===== |
| | 76 | {{{ |
| | 77 | % ldap_queryProd "(uid=GOOGLEAPPS03)" dn |
| | 78 | # SSL connection to port 17630 |
| | 79 | dn: uid=GOOGLEAPPS03,ou=resource,dc=alaska,dc=edu |
| | 80 | }}} |
| | 81 | ===== Distinguished Name - ou=routing ===== |
| | 82 | {{{ |
| | 83 | % ldap_queryProd "(mailRoutingAddress=syfnd@email.alaska.edu)" dn |
| | 84 | # SSL connection to port 17630 |
| | 85 | dn: uid=46506,ou=routing,dc=alaska,dc=edu |
| | 86 | }}} |
| | 87 | The examples above query the Prod Directory; you would use ldap_queryPrep |
| | 88 | or ldap_queryTest for the Prep or Test Directories. The arguments to |
| | 89 | the scripts are the search filter and a space-delimited list of attributes |
| | 90 | you wish the query to return. If you omit the list, all attributes will be |
| | 91 | returned. |
| | 92 | |
| | 93 | ==== Line 2: LDIF Modification Entry ==== |
| | 94 | The second line of the LDIF will, for purposes of this document, always be |
| | 95 | |
| | 96 | * changetype: modify |
| | 97 | |
| | 98 | === Line 3: LDIF Change Type === |
| | 99 | The third line of the LDIF may be an "add:", "change:" or "delete:" of an attribute. |
| | 100 | However, best practice for changing an attribute's value is to delete it and then add it (details |
| | 101 | on this later). For example: |
| | 102 | {{{ |
| | 103 | add: edupersonAffiliation |
| | 104 | or |
| | 105 | delete: defaultPassword |
| | 106 | }}} |
| | 107 | |
| | 108 | ==== Line 4: Change Value ==== |
| | 109 | The fourth line of the LDIF will be the value of the attribute named in |
| | 110 | the third line, for example: |
| | 111 | {{{ |
| | 112 | edupersonAffiliation: sponsored |
| | 113 | or |
| | 114 | defaultPassword: 3562041167 |
| | 115 | }}} |
| | 116 | |
| | 117 | === Creating LDIF Files for Multiple Changes === |
| | 118 | If you want to make several changes to the same entry in the same LDIF, |
| | 119 | you can repeat the third and fourth lines separated by "-" on a line by |
| | 120 | itself. For example, to modify an attribute: |
| | 121 | |
| | 122 | {{{ |
| | 123 | delete: edupersonAffiliation |
| | 124 | edupersonAffiliation: sponsored |
| | 125 | - |
| | 126 | add: edupersonAffiliation |
| | 127 | edupersonAffiliation: member |
| | 128 | }}} |
| | 129 | |
| | 130 | === Apply LDIF to EDIR LDAP === |
| | 131 | To apply the LDIF to the directory, use the ldap_modifyProd (or |
| | 132 | ldap_modifyTest or ldap_modifyPrep, as appropriate) script as iplanet: |
| | 133 | |
| | 134 | {{{ |
| | 135 | % ldap_modifyProd < phmccarthy_addEduPersonAffiliation.ldif |
| | 136 | |
| | 137 | (blah blah blah) |
| | 138 | modify complete |
| | 139 | |
| | 140 | % |
| | 141 | }}} |
| | 142 | The change you make will be automatically replicated to all the other |
| | 143 | LDAP servers in the Test, Prep or Prod EDIR instance. |
| | 144 | |
| | 145 | == People Registry Updates == |
| | 146 | To update the Registry, connect to the appropriate Registry database |
| | 147 | (RPTS or RPTP for Prod, RPTQ for Prep, RPTT for Test) as ops$sxldap and |
| | 148 | submit an SQL script. |
| | 149 | |
| | 150 | The steps to perform an update are |
| | 151 | 1. Log in to target database, RPTP (Prod), RPTT (Test), or RPTQ (Prep) |
| | 152 | 1. Shell to user 'sxldap' |
| | 153 | 1. Create SQL update file |
| | 154 | 1. Log in to People Registry Schema |
| | 155 | 1. Run query from SQLPLUS command line |
| | 156 | |
| | 157 | === Login to RPTP and Shell to 'sxldap' === |
| | 158 | From your desktop login to RPTP. |
| | 159 | {{{ |
| | 160 | [Your desktop]: /Users/<desktop user name> > ssh <sx ID>@rptp.alaska.edu |
| | 161 | Password: |
| | 162 | Last login: Tue Dec 23 13:22:05 2014 from <desktop user name>.swits.alaska.edu |
| | 163 | <sx ID>@tazlina> ssh sxldap@tazlina.alaska.edu |
| | 164 | Last login: Tue Dec 23 13:41:05 2014 from tazlina.alaska.edu |
| | 165 | sxldap@tazlina> |
| | 166 | }}} |
| | 167 | |
| | 168 | === Create a SQL File to Add an Attribute === |
| | 169 | Create an SQL script like the one below, by convention |
| | 170 | named exactly like the corresponding LDIF file but with a ".sql" extension. |
| | 171 | The following example '''adds''' an attribute. |
| | 172 | {{{ |
| | 173 | % cat phmccarthy_addEduPersonAffiliation.sql |
| | 174 | -- add eduPersonAffiliation: Member |
| | 175 | insert into LDAP_ATTR_SS ( |
| | 176 | LUID, |
| | 177 | OU, |
| | 178 | PIDM, |
| | 179 | ATTRIB_NAME, |
| | 180 | ATTRIB_VALUE, |
| | 181 | ATTRIB_CHANGE_DATE, |
| | 182 | ATTRIB_EXTRACT_DATE, |
| | 183 | CHANGED_BY |
| | 184 | ) |
| | 185 | values ( |
| | 186 | 'FR464UKX01', |
| | 187 | 'people', |
| | 188 | -1, |
| | 189 | 'eduPersonAffiliation', |
| | 190 | 'Member', |
| | 191 | sysdate, |
| | 192 | NULL, |
| | 193 | 'uid=XKK63NT8Z01,ou=people,dc=alaska,dc=edu' |
| | 194 | ); |
| | 195 | % |
| | 196 | }}} |
| | 197 | The "insert into" clause of the SQL enumerates the columns of the |
| | 198 | OPS$SXLDAP.LDAP_ATTR_SS table and the "values" clause lists the row of values |
| | 199 | that will be inserted into those columns. |
| | 200 | |
| | 201 | It is worth noting here that the Registry, unlike the Directory, separates |
| | 202 | data that flows into EDIR/AUTHSERV from Banner from data that flows into |
| | 203 | EDIR/AUTHSERV from other sources. Ad hoc updates should only be made to |
| | 204 | tables with the latter kind of data (like LDAP_ATTR_SS); if you update |
| | 205 | tables of Banner data, your updates will be overwritten by the daily |
| | 206 | Banner refresh. |
| | 207 | |
| | 208 | The values for a row of the LDAP_ATTR_SS table are: |
| | 209 | |
| | 210 | LUID - "uid" attribute from the dn: line on your LDIF file |
| | 211 | OU - "ou" attribute from the dn: line on your LDIF file |
| | 212 | PIDM - always -1 in non-Banner-data tables |
| | 213 | ATTRIB_NAME - attribute name from the LDIF file "add:" line |
| | 214 | ATTRIB_VALUE - attribute value from the LDIF file |
| | 215 | ATTRIB_CHANGE_DATE - current date-time; the SYSDATE funtion will return this |
| | 216 | ATTRIB_EXTRACT_DATE - always null in non-Banner-data tables |
| | 217 | CHANGED_BY - your EDIR uid |
| | 218 | |
| | 219 | === Create a SQL File to Delete an Attribute === |
| | 220 | Create an SQL script like this one, by convention |
| | 221 | named exactly like the corresponding LDIF file but with a ".sql" extension. The following examples are for TEST. |
| | 222 | {{{ |
| | 223 | % cat codyJohnson_removeVanityAddress.sql |
| | 224 | -- Cody Johnson, Post Doctoral Researcher |
| | 225 | |
| | 226 | -- delete mailAlternateAddress: cody.johnson@alaska.edu |
| | 227 | delete from LDAP_ATTR_SS |
| | 228 | where LUID = '0IP53JMT02' |
| | 229 | and ATTRIB_NAME = 'mailAlternateAddress' |
| | 230 | and ATTRIB_VALUE = 'cody.johnson@alaska.edu'; |
| | 231 | % |
| | 232 | }}} |
| | 233 | In this example, LUID, ATTRIB_NAME and ATTRIB_VALUE have the same meanings |
| | 234 | that they did in the Add example. The LUID uniquely identifies the entry |
| | 235 | (i.e. the EDIR account) and the ATTRIB_NAME and ATTRIB_VALUE uniquely |
| | 236 | identify the attribute within the entry. |
| | 237 | |
| | 238 | === Log in to the People Registry and Submit the Script === |
| | 239 | The following example is for RPTP (Prod). Submit the SQL script to RPTP like this. The references to RPTP will be replaced by references to some other database as appropriate. |
| | 240 | {{{ |
| | 241 | % sqlplus / |
| | 242 | |
| | 243 | SQL*Plus: Release 11.2.0.2.0 Production on Tue Dec 23 16:39:40 2014 |
| | 244 | |
| | 245 | Copyright (c) 1982, 2010, Oracle. All rights reserved. |
| | 246 | |
| | 247 | |
| | 248 | Connected to: |
| | 249 | Oracle Database 11g Enterprise Edition Release 11.2.0.2.0 - 64bit Production |
| | 250 | With the Partitioning, OLAP, Data Mining and Real Application Testing options |
| | 251 | |
| | 252 | OPS$SXLDAP@RPTP> @phmccarthy_addEduPersonAffiliation.sql |
| | 253 | |
| | 254 | 1 row created. |
| | 255 | |
| | 256 | OPS$SXLDAP@RPTP> commit work; |
| | 257 | |
| | 258 | Commit complete. |
| | 259 | |
| | 260 | OPS$SXLDAP@RPTP> quit |
| | 261 | % |
| | 262 | }}} |
| | 263 | |
| | 264 | The following sequence sets the environment to one of the other environments. You must know the password for the environment to use this approach. |
| | 265 | {{{ |
| | 266 | % . ua_oracle rpts env |
| | 267 | % sqlplus |
| | 268 | Enter user-name: ops$sxldap |
| | 269 | Enter password: |
| | 270 | RPTS> |
| | 271 | }}} |
| | 272 | |
| | 273 | Double-check to ensure that you deleted exactly the number of rows that |
| | 274 | you expected to delete. If anything unexpected happened, then roll back |
| | 275 | your changes: |
| | 276 | {{{ |
| | 277 | RPTS> rollback work; |
| | 278 | |
| | 279 | Rollback complete. |
| | 280 | }}} |
| | 281 | If all seems well, then commit your delete: |
| | 282 | {{{ |
| | 283 | RPTS> commit work; |
| | 284 | |
| | 285 | Commit complete. |
| | 286 | |
| | 287 | RPTS> quit |
| | 288 | % |
| | 289 | }}} |