= EDIR Gateway Scripts =

== POWER BROKER RULES: ==

 * transfer_token_file
   * used to transfer gateway related files (needs mods)
   * token files, lock files, etc. - between servers

 * destroy_token_file
   * used to remove token files from all servers

 * pull_token_file
   * used to transfer files between servers (pulls rather than pushes to avoid ssh timeout issues)

**Note:** All of the Power Broker rules are defined to work with the iplanet owned directory
/export/home/iplanet/local/ldap/web/log/. Until such time as the Power Broker rules are
modified, all EDIR/AUTHSERV/UPDATE logging needs to share that directory. See the log_dir
parameter in the runtime.cfg file.

== CONFIG FILES: ($HOME/EDIR<INST>/config) ==

||= file =||= contents =||
||ldap_admin_actions.cfg ||data from which the Admin Actions pick list is built; this file can be copied to all servers hosting the same EDIR instance ||
||ldap_left_links.cfg ||data used to build links under the EDIR banner; this file can be copied to all servers hosting the same EDIR instance ||
||runtime_common.cfg ||subset of runtime configuration elements that are constant between servers hosting the gateway (see runtime.cfg); this file can be copied to all servers hosting the same EDIR instance ||
||runtime.cfg ||runtime configuration data used by EDIR CGI scripts; this file is server/instance specific, do not copy it to other servers ||

||= runtime.cfg parameter =||= description =||
||all_servers ||list of all supported EDIR hosts (sxmpa 2/13/2010 - I cannot find anywhere in the EDIR gateway code where this is read out of runtime.cfg) ||
||authserv_gateway_link ||URL to AUTHSERV web gateway ||
||authserv_server_link ||URL to server specific AUTHSERV web gateway (Equalizer issue) ||
||debug ||0 or 1: debugging is ON when the value is 1 ||
||directory_adminupdate_link ||URL to update interface for admin updates (record creation, not attribute updates) ||
||directory_agent ||RDN of credentials used by gateway for normal query access ||
||directory_bulkupdate_link ||URL to update interface for self service attribute updates ||
||directory_gateway_link ||URL to EDIR web gateway ||
||directory_gateway_name ||name of EDIR web gateway ||
||directory_instance ||iPlanet directory instance ||
||directory_passwd_file ||path reference to directory_agent password file ||
||directory_server_link ||URL to server specific EDIR web gateway (Equalizer issue) ||
||local_announcements_file ||path reference to local announcements text file ||
||lock_file ||path reference to file used to disable EDIR updates ||
||log_dir ||path reference to EDIR log location ||
||mail_from_authserv ||email address used in FROM of mail generated for AUTHSERV ||
||mail_from_edir ||email address used in FROM of mail generated for EDIR ||
||mail_host ||email domain expected in vanity addresses ||
||mail_to ||address list for recipients of troubleshooting/batch reporting email ||
||max_updateable_attrib_values ||maximum number of multiply occurring attribute values allowed by ldap_update ||
||nsactivate_port ||port used when ns[in]activate is invoked ||
||privileged_agent ||RDN of credentials utilized by the iEDIR web gateway to access privileged information ||
||privileged_agent_passwd_file ||path reference to authserv_agent password file ||
||query_servers ||list of servers that may respond to query requests (sxmpa 2/13/2010 - This variable should be assigned a single value, which is the host housing the LDAP server queried by this EDIR gateway instance. The EDIR gateway instance is normally co-located with that LDAP server on the same host, but you have the option of choosing an LDAP server on some other host. Assigning this variable a list of hostnames rather than a single hostname appears to work correctly, but examination of the code suggests that behaviour in this case is undefined.) ||
||registry_agent ||Oracle schema for EDIR registry ||
||registry_db ||Oracle instance for EDIR registry ||
||registry_passwd_file ||path reference to registry_agent password file ||
||release ||major release number for EDIR web gateway ||
||slapd_port ||port for iPlanet directory access ||
||slapd_ssl_clause ||additional clause required if slapd_port is the SSL configured port ||
||update_server ||server(s) that may respond to update requests (local machine issue) (sxmpa 2/13/2010 - the EDIR gateway code reads this variable out of runtime.cfg but does not appear ever to use that value.) ||
||version ||gateway instance: TEST, PREP or PROD ||

Note: runtime.cfg files are machine specific. Do not copy between servers.

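The following is an added example (Python, not EDIR gateway code) of a loader that merges runtime_common.cfg with the server-specific runtime.cfg and then checks the settings the notes above single out: debug left ON in PROD, query_servers given more than one host, an SSL slapd_port without its slapd_ssl_clause, a missing directory_server_link (which post_updates/post_admin depend on), agent password files readable by other users, and a lock_file that disables updates. The `key = value` file format, the example.edu hostnames, the password file paths, and 636 as the SSL port are assumptions; only log_dir uses the directory named on this page.

```python
"""Loader and sanity checker for the runtime_common.cfg / runtime.cfg pair.

Added example, not EDIR gateway code.  It assumes a 'key = value' line format
with '#' comments; the real file format is not documented on the page.  The
sample paths, hostnames and the 636 SSL port are constructed assumptions.
"""

PASSWORD_FILE_KEYS = ("directory_passwd_file", "privileged_agent_passwd_file",
                      "registry_passwd_file")
VALID_VERSIONS = {"TEST", "PREP", "PROD"}
LDAPS_PORT = "636"  # assumption: the "SSL configured port" is the LDAPS default

# Constructed runtime_common.cfg: values shared by every server of the instance.
COMMON_CFG = """\
directory_gateway_name = EDIR
directory_gateway_link = https://edir.example.edu/cgi-bin/ldap_search
directory_agent = uid=edirgateway,ou=agents
directory_passwd_file = /export/home/iplanet/edir/.agent_pw
privileged_agent = uid=edirpriv,ou=agents
privileged_agent_passwd_file = /export/home/iplanet/edir/.priv_pw
registry_passwd_file = /export/home/iplanet/edir/.registry_pw
lock_file = /export/home/iplanet/edir/UPDATES_LOCKED
log_dir = /export/home/iplanet/local/ldap/web/log
slapd_port = 636
version = PROD
"""

# Constructed runtime.cfg for one server: instance-specific values that
# override the common file and must never be copied to another host.
SERVER_CFG = """\
directory_server_link = https://edir1.example.edu/cgi-bin/ldap_search
query_servers = ldap1.example.edu ldap2.example.edu   # two hosts: see sxmpa note
debug = 1
"""


def parse_cfg(text):
    """Parse 'key = value' lines into a dict; blank lines and '#' comments are ignored."""
    cfg = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, sep, value = line.partition("=")
        if not sep or not key.strip():
            raise ValueError(f"line {lineno}: expected 'key = value', got {raw!r}")
        cfg[key.strip()] = value.strip()
    return cfg


def load_runtime(common_text, server_text):
    """Merge runtime_common.cfg with runtime.cfg; the server-specific file wins."""
    merged = parse_cfg(common_text)
    merged.update(parse_cfg(server_text))
    return merged


def check_runtime(cfg):
    """Return the settings problems an operator should fix before serving requests."""
    problems = []
    version = cfg.get("version")
    if version not in VALID_VERSIONS:
        problems.append(f"version must be TEST, PREP or PROD, got {version!r}")
    debug = cfg.get("debug", "0")
    if debug not in ("0", "1"):
        problems.append(f"debug must be 0 or 1, got {debug!r}")
    elif debug == "1" and version == "PROD":
        problems.append("debug is ON in PROD: debugging output will land in log_dir")
    # The sxmpa note: a list of query hosts works by accident, behaviour is undefined.
    if len(cfg.get("query_servers", "").split()) != 1:
        problems.append("query_servers must name exactly one LDAP host")
    if cfg.get("slapd_port") == LDAPS_PORT and not cfg.get("slapd_ssl_clause"):
        problems.append("slapd_port is the SSL port but slapd_ssl_clause is not set")
    if not cfg.get("directory_server_link"):
        problems.append("directory_server_link missing: post_updates/post_admin need it")
    return problems


def check_password_files(cfg, mode_of):
    """Check the agent password files.  mode_of(path) returns the permission bits
    or None when the file is missing; it is injected so this runs without the files."""
    problems = []
    for key in PASSWORD_FILE_KEYS:
        path = cfg.get(key)
        if not path:
            problems.append(f"{key} is not set")
            continue
        mode = mode_of(path)
        if mode is None:
            problems.append(f"{key}: {path} does not exist")
        elif mode & 0o077:
            problems.append(f"{key}: {path} is readable by group/other (mode {mode:04o})")
    return problems


def updates_locked(cfg, exists):
    """True when the lock_file is present, i.e. EDIR updates are disabled."""
    return bool(cfg.get("lock_file")) and exists(cfg["lock_file"])


if __name__ == "__main__":
    runtime = load_runtime(COMMON_CFG, SERVER_CFG)
    for problem in check_runtime(runtime):
        print("runtime.cfg:", problem)
```

Against the constructed pair above the checker reports three problems (debug ON in PROD, two query_servers hosts, SSL port without clause); with a real deployment, `mode_of` would be `lambda p: (os.stat(p).st_mode & 0o777) if os.path.exists(p) else None` and `exists` would be `os.path.exists`.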
== LIBRARIES: ($HOME/EDIR<INST>/cgi-bin/) ==

=== ldap_lib.pm ===

||= sub =||= description =||
||Authenticate ||accepts credentials (UID or mailAlternateAddress and password); returns whether authenticated [Y|N] and, if successful: null msg, UID, displayName and list of user's roles; if unsuccessful: error msg, UID, null, null ||
||CampusPickList ||generates generic HTML form element for campus picklist using ldap_uakEmployeeCampus.txt as input ||
||Credentials ||generates HTML form elements for LDAP credentials (id and password) ||
||UAclose ||generates closing HTML elements for standard window look and feel ||
||UAopen ||generates opening HTML elements for standard window look and feel ||
||abort ||uses mailx to send $body with $subject to $MAILTO ||
||appendMsg ||formats $msg_in according to $msg_type and appends to $MSG ||
||bldgCampusPickList ||generates HTML form element for building pick list for MAU ||
||bldgExists ||checks static file to determine if building code exists (issue: building codes are stored in registry and in static file but not in directory) ||
||bldgPicklist ||generates HTML form element for building pick list ||
||crypt ||simple encryption of strings; used to encrypt password before storing in LDAP cookie ||
||debug ||utility used to record debugging information (utilizes debug runtime config parm) ||
||deptUnitPickList ||generates HTML form element for department picklist; elements of list taken from external file ldap_deptUnits.txt ||
||embeddedAttributes ||(may be obsolete; was formatting solution for uakPhonebookFlag attribute, the values of which could represent an unlimited number of MAU specific phonebook "attributes") ||
||employeeCampusPickList ||generates HTML form element for an employee's campus picklist using ldapsearch to locate that employee's uakEmployeeCampus attribute values ||
||employeeDeptPickList ||generates generic HTML form element for campus picklist using ldap_uakEmployeeAffiliation.txt ||
||formatAttributes ||function returning hash of attribute characteristics used to control formatting of HTML form elements; elements with exceptional (non-standard) formatting requirements are recorded here ||
||formatLabel ||formats field descriptions with or without accompanying comments ||
||formatValue ||formats attribute values, generating href tags for specific attribute types ||
||genClearCookie ||generates Set-Cookie metadata that clears old cookie (where ldapstring is assumed to be the cookie being cleared) ||
||genClearSimpleCookie ||generates Set-Cookie metadata that clears new simple cookie (where name/value are passed to function) ||
||genSetCookie ||generates Set-Cookie metadata that establishes a specific cookie (new or old) ||
||getACL ||returns hash of permissions for requested list of ACL names ||
||getAttributes ||returns a hash of arrays for attributes meeting specified criteria; the hash keys are LDAP attribute names, each hash value is an array of attribute characteristics ||
||getEntityDisplayLabel ||function returning one of DISPLAY_NAME, TITLE_<something>, UNITDISPLAYNAME, UNITNAME or UID from an array of attributes passed to the function ||
||getUserAttributes ||returns array of attribute=value pairs for $filter ||
||getSecureAttributes ||returns array of attribute=value pairs for $filter (utilizes privileged credentials) ||
||is_deptAdmin ||function that determines if credentialed user is admin for department record ||
||is_emplAdmin ||function that determines if credentialed user is admin for people record ||
||lookUpParentUnit ||function that returns parent unit for department record ||
||pad ||returns string padded with character to specified length ||
||parseCookie ||parses old, complex cookie; returning the UID, password, name and role elements ||
||parseDN ||parses $dn and returns UID and OU elements ||
||parseSimpleCookie ||parses new simple cookie; returning a single string value ||
||post_admin ||executes HTTPS request to call ldap_bulk_admin CGI script as though from the web (utilizes directory_server_link runtime config parm) ||
||post_updates ||executes HTTPS request to call ldap_bulk_update CGI script as though from the web (utilizes directory_server_link runtime config parm) ||
||returnIdentifierFilter ||used to return a generic filter that can be used to search for a people record by name or any identifier accepted during AUTHSERV authentication (see ldap_dlevelx CGI script) ||
||studentDeptPickList ||generates generic HTML form element for student department picklist using ldap_uakStudentAffiliation.txt ||
||uidLDAPlookup ||returns (last) $attribute value for matching $filter where query executed by credentialed user or default gateway user (weak - utilized currently only by ldap_lib.pm) ||

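Because returnIdentifierFilter, getUserAttributes and uidLDAPlookup all build LDAP filters from values typed into a form (UID, mailAlternateAddress, a name), the part worth getting right is that the typed value can never change the filter's structure. The block below is an added example (Python, not ldap_lib.pm code) of a generic identifier filter and a parseDN-style DN splitter with RFC 4515 escaping of the assertion value. The attribute list searched and the `uid=...,ou=...` DN layout are assumptions.

```python
"""Safe LDAP filter construction and DN parsing, in the spirit of
returnIdentifierFilter and parseDN.  Added example, not ldap_lib.pm code.
The attribute names searched and the 'uid=...,ou=...' DN layout are assumptions."""
import re

# Identifiers Authenticate accepts (UID or mailAlternateAddress) plus exact-name
# attributes; this set is an assumption, not the gateway's real list.
IDENTIFIER_ATTRS = ("uid", "mailAlternateAddress")
NAME_ATTRS = ("cn", "displayName")

# RFC 4515 escapes: these characters would otherwise change the filter structure.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape a user-supplied assertion value so it is matched literally."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def identifier_filter(identifier):
    """Generic filter matching a people record by any accepted identifier or exact
    name.  The same escaped value is compared against every attribute; the OR-list
    is fixed by the code, never by the caller."""
    identifier = identifier.strip()
    if not identifier or len(identifier) > 256:
        raise ValueError("identifier must be 1..256 characters")
    safe = escape_filter_value(identifier)
    clauses = "".join(f"({attr}={safe})" for attr in IDENTIFIER_ATTRS + NAME_ATTRS)
    return f"(|{clauses})"


def name_prefix_filter(prefix, min_len=2):
    """Name search with a trailing wildcard the code adds itself; a user-typed '*'
    is escaped, and a minimum prefix length keeps one request from pulling the
    whole directory."""
    prefix = prefix.strip()
    if len(prefix) < min_len:
        raise ValueError(f"prefix must be at least {min_len} characters")
    return f"(cn={escape_filter_value(prefix)}*)"


def split_rdns(dn):
    """Split a DN on commas that are not backslash-escaped."""
    return [part.strip() for part in re.split(r"(?<!\\),", dn)]


def parse_dn(dn):
    """Return (uid, ou) for a DN such as uid=jdoe,ou=people,dc=example,dc=edu;
    a component that is absent comes back as None.  Layout assumed."""
    uid = ou = None
    for rdn in split_rdns(dn):
        attr, sep, value = rdn.partition("=")
        if not sep:
            continue
        attr = attr.strip().lower()
        if attr == "uid" and uid is None:
            uid = value.replace("\\,", ",")
        elif attr == "ou" and ou is None:
            ou = value.replace("\\,", ",")
    return uid, ou
```

The escaping table covers exactly the characters RFC 4515 reserves in assertion values; everything else (`@`, `.`, `-`, spaces) passes through unchanged, so mail-style identifiers work without special cases.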
||= sub =||= description =||
||connect ||establishes ORACLE_HOME and executes DBI->connect utilizing $eff_login to establish $dbh ||
||evaluate ||executes $dbh->prepare on $sql to establish $sth ||
||execute ||performs $sth->execute, which executes the sql statement in the Oracle database ||
||getSecureAttributes ||returns array of attribute=value pairs for $filter (utilizes privileged credentials) ||
||log_error ||writes $msg to $ERRORLOG ||

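The connect / evaluate (prepare) / execute split above is the right shape for registry access as long as the values from the form travel as bind variables rather than being pasted into $sql. The block below is an added example (Python, not the gateway's Oracle library) of that pattern together with a log_error hook; sqlite3 in memory stands in for the Oracle registry so it runs offline, the registry table and rows are constructed, and the `:name` placeholder syntax happens to be shared by Oracle and sqlite3.

```python
"""Registry access in the connect / evaluate (prepare) / execute pattern, with
bind variables.  Added example, not the gateway's Oracle library: sqlite3 stands
in for the Oracle registry and the table and rows below are constructed."""
import sqlite3

# Constructed stand-in for the EDIR registry; the real registry_agent schema is not on the page.
SCHEMA = "CREATE TABLE registry (uid TEXT PRIMARY KEY, displayname TEXT, dept TEXT)"
ROWS = [("jdoe", "Jane Doe", "UAF-CS"), ("rroe", "Rick Roe", "UAA-MATH")]

ERRORLOG = []  # stand-in for the $ERRORLOG file that log_error appends to


def log_error(msg):
    """Record an error message, as log_error writes $msg to $ERRORLOG."""
    ERRORLOG.append(msg)


def connect():
    """Open the registry handle ($dbh); here an in-memory copy seeded with ROWS."""
    dbh = sqlite3.connect(":memory:")
    dbh.execute(SCHEMA)
    dbh.executemany("INSERT INTO registry VALUES (?, ?, ?)", ROWS)
    return dbh


def query(dbh, sql, binds):
    """prepare + execute with bind variables: the SQL text is fixed by the code and
    the values travel separately, so a uid containing quotes or SQL keywords is
    compared as a plain string.  Failures are logged and reported as None."""
    try:
        return dbh.execute(sql, binds).fetchall()
    except sqlite3.Error as exc:
        log_error(f"query failed: {exc}")
        return None


def lookup_by_uid(dbh, uid):
    """Registry row for one UID, or [] when there is none."""
    return query(dbh, "SELECT uid, displayname, dept FROM registry WHERE uid = :uid",
                 {"uid": uid})


def lookup_by_dept(dbh, dept):
    """UIDs registered under a department, in a stable order."""
    return query(dbh, "SELECT uid FROM registry WHERE dept = :dept ORDER BY uid",
                 {"dept": dept})


if __name__ == "__main__":
    handle = connect()
    print(lookup_by_uid(handle, "jdoe"))
```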
== CGI SCRIPTS: ($HOME/EDIR<INST>/cgi-bin/) ==

||= script =||= description =||
||edir_auth ||CGI script that validates the authentication provided by AUTHSERV before putting up the EDIR "welcome" page. ||
||ldap_admin_assist ||Generates an HTML form allowing us to assign LDAP entities as SECRETARY to groups of LDAP records sharing a given department. Utilizes credentials stored in the LDAP cookie by ldap_auth. When the form is submitted, ldap_admin_assist generates a file of update requests that is passed to ldap_bulk_update. Messages returned by bulk_update become a part of the next display of the HTML form. ||
||ldap_buildings ||Generates an HTML form used to manage building codes utilized by ldap_loc_update and stored in uakEmployeeLocator attribute values. ||
||ldap_dept_query ||(link to ldap_search; the name provides context specific behavior) ||
||ldap_dlevelx ||Generates an HTML form used by individuals with emplAdmin access to add/delete DLEVELX values on people records. ||
||ldap_filter_help ||Generates HTML help page (topic: filters) ||
||ldap_history ||Generates an HTML form used to view EDIR gateway update logs (multiple server issue). ||
||ldap_loc_update ||Generates an HTML form for maintaining the uakEmployeeLocator attribute. Utilizes credentials stored in the LDAP cookie by ldap_auth. The form parses uakEmployeeLocator, breaking it into its component parts: MAU, office location, phone and fax. When the form is submitted, ldap_loc_update generates a file of update requests that is passed to ldap_bulk_update. Messages returned by bulk_update become a part of the next display of the HTML form. ||
||ldap_log_out ||Generates the log out page that destroys the EDIR cookie. ||
||ldap_passwd_help ||Generates HTML help page (topic: passwords) ||
||ldap_query ||(link to ldap_search; the name provides context specific behavior) ||
||ldap_search ||Generates an HTML form used to get the criteria used to search the directory. Utilizes credentials stored in the LDAP cookie by edir_auth. If no credentials are present, the resulting form contains a subset of the form variables otherwise displayed, and queries utilize the gateway interface credentials. Depending on the name used to call ldap_search (ldap_dept_query and ldap_query are links to ldap_search), the search form is customized to support either "people" or "department" searches. ||
||ldap_sec_update ||Generates an HTML form used only by the account owner to update the private question and response. ||
||ldap_seed_department ||Generates an HTML form allowing creation of "faux" department records ('04' UID extension). ||
||ldap_seed_resource ||Generates an HTML form allowing creation of ou=resource records. ||
||ldap_seed_routing ||Generates an HTML form allowing creation of ou=routing records (for @alaska.edu mail routing). ||
||ldap_update ||Generates an HTML form allowing users to update, add and delete LDAP attribute values for their own LDAP record and the records of those for which they have update ability. Utilizes the credentials stored in the LDAP cookie by ldap_auth. When submitted, ldap_update generates a file of update requests that is passed to ldap_bulk_update. Messages returned by bulk_update become a part of the next display of the HTML form. ||
||ldap_update_help ||Generates HTML help page (topic: origins of EDIR data, etc.) ||

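Nearly every script above reads its credentials back out of the LDAP cookie that edir_auth/ldap_auth sets and ldap_log_out destroys, and ldap_lib.pm notes that the password goes into that cookie through a simple crypt. The block below is an added example (Python, not gateway code) of the three cookie operations the library exposes, genSetCookie, genClearCookie and cookie parsing, plus an alternative design for the "new simple cookie": a token carrying only the UID, the roles and an expiry, protected by an HMAC so the CGI can detect tampering and never has to store the password client-side. The cookie names (`ldapstring` is the page's, `edirsession` is assumed), the secret and the timestamps are constructed.

```python
"""Set-Cookie generation, Cookie parsing and a signed session cookie.

Added example, not gateway code.  The gateway stores credentials (including a
password passed through a simple crypt) in its LDAP cookie; the signed token
here is an alternative design that carries only uid, roles and an expiry, with
an HMAC so the CGI can detect tampering.  Cookie names, the secret and the
timestamps are constructed assumptions."""
import base64
import binascii
import hashlib
import hmac

OLD_COOKIE = "ldapstring"       # cookie name the page uses for the old complex cookie
SESSION_COOKIE = "edirsession"  # assumed name for the signed replacement
EPOCH = "Thu, 01 Jan 1970 00:00:00 GMT"


def gen_set_cookie(name, value, path="/cgi-bin/", max_age=None):
    """Set-Cookie header line: Secure (HTTPS only), HttpOnly (no script access)."""
    attrs = [f"{name}={value}", f"Path={path}", "Secure", "HttpOnly", "SameSite=Strict"]
    if max_age is not None:
        attrs.append(f"Max-Age={int(max_age)}")
    return "Set-Cookie: " + "; ".join(attrs)


def gen_clear_cookie(name, path="/cgi-bin/"):
    """Set-Cookie header that removes a cookie, as a log-out page would send."""
    return f"Set-Cookie: {name}=; Path={path}; Expires={EPOCH}; Max-Age=0; Secure; HttpOnly"


def parse_cookie_header(header):
    """Parse an HTTP_COOKIE value ('a=1; b=2') into a dict; malformed pieces are skipped."""
    jar = {}
    for piece in header.split(";"):
        name, sep, value = piece.strip().partition("=")
        if sep and name:
            jar[name] = value
    return jar


def sign_session(uid, roles, secret, now, ttl=1800):
    """Build uid|roles|expiry|hmac, base64url-encoded for use as the cookie value."""
    payload = f"{uid}|{','.join(roles)}|{int(now) + ttl}"
    mac = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(f"{payload}|{mac}".encode()).decode()


def verify_session(token, secret, now):
    """Return (uid, roles) if the MAC is valid and the token is unexpired, else None."""
    try:
        decoded = base64.urlsafe_b64decode(token.encode()).decode()
        uid, roles, exp, mac = decoded.rsplit("|", 3)
    except (ValueError, UnicodeDecodeError, binascii.Error):
        return None
    expected = hmac.new(secret, f"{uid}|{roles}|{exp}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None  # forged or altered: the MAC no longer matches the payload
    if int(now) >= int(exp):
        return None  # authentic but expired: the client must authenticate again
    return uid, roles.split(",") if roles else []


if __name__ == "__main__":
    token = sign_session("jdoe", ["emplAdmin"], b"constructed-secret", now=1_000_000)
    print(gen_set_cookie(SESSION_COOKIE, token, max_age=1800))
    print(gen_clear_cookie(OLD_COOKIE))
```

The secret must be server-side only (a file with the same permissions as the agent password files is the natural home); anyone holding it can mint tokens, which is why the MAC is checked with `hmac.compare_digest` before the expiry is even parsed.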
########################################################[[br]]
LEGACY CHANGE HISTORY - NOTE: All subsequent changes are recorded in TracWiki [[br]]
########################################################[[br]]
#######################
20081031 elm added reference to runtime_common.cfg

# eof