= EDIR Gateway Scripts =

== POWER BROKER RULES: ==

 * transfer_token_file
   * used to transfer gateway related files (needs mods)
   * token files, lock files, etc - between servers
 * destroy_token_file
   * used to remove token files from all servers
 * pull_token_file
   * used to transfer files between servers (pulls rather than pushes to avoid ssh timeout issues)

**Note:** All of the Power Broker rules are defined to work with the iplanet owned directory /export/home/iplanet/local/ldap/web/log/. Until such time as the Power Broker rules are modified, all EDIR/AUTHSERV/UPDATE logging needs to share that directory. See the log_dir parameter in the runtime.cfg file.

== Configuration Files ==

Configuration files are located at: $HOME/EDIR/config

=== ldap_admin_actions.cfg ===

Contains the data from which the Admin Actions pick list is built. This file can be copied to all servers hosting the same EDIR instance.

=== ldap_left_links.cfg ===

Contains the data used to build the links under the EDIR banner. This file can be copied to all servers hosting the same EDIR instance.

=== runtime_common.cfg ===

Subset of the runtime configuration elements that are constant between servers hosting the gateway (see runtime.cfg). This file can be copied to all servers hosting the same EDIR instance.

=== runtime.cfg ===

Runtime configuration data used by the EDIR CGI scripts. This file is server/instance specific; do not copy it to other servers.

||= Parameter Names =||= Description =||
||all_servers ||List of all supported EDIR hosts (sxmpa 2/13/2010 - I cannot find anywhere in the EDIR gateway code where this is read out of runtime.cfg) ||
||authserv_gateway_link ||URL to AUTHSERV web gateway ||
||authserv_server_link ||URL to server specific AUTHSERV web gateway (Equalizer issue) ||
||debug ||0|1: debugging is ON when value is 1 ||
||directory_adminupdate_link ||URL to update interface for admin updates (record creation, not attribute updates) ||
||directory_agent ||RDN of credentials used by gateway for normal query access ||
||directory_bulkupdate_link ||URL to update interface for self service attribute updates ||
||directory_gateway_link ||URL to EDIR web gateway ||
||directory_gateway_name ||Name of EDIR web gateway ||
||directory_passwd_file ||Path reference to directory_agent password file ||
||directory_server_link ||URL to server specific EDIR web gateway (Equalizer issue) ||
||local_announcements_file ||Path reference to local announcements text file ||
||lock_file ||Path reference to file used to disable EDIR updates ||
||log_dir ||Path reference to EDIR log location ||
||mail_from_authserv ||Email address used in FROM of mail generated for AUTHSERV ||
||mail_from_edir ||Email address used in FROM of mail generated for EDIR ||
||mail_host ||Email domain expected in vanity addresses ||
||mail_to ||Address list for recipients of troubleshooting/batch reporting email ||
||max_updateable_attrib_values ||Max number of multiply occurring attribute values allowed by ldap_update ||
||nsactivate_port ||Port used when ns[in]activate invoked ||
||privileged_agent ||RDN of credentials utilized by EDIR web gateway to access privileged information ||
||privileged_agent_passwd_file ||Path reference to authserv_agent password file ||
||query_servers ||List of servers that may respond to query requests (sxmpa 2/13/2010 - This variable should be assigned a single value, which is the host housing the LDAP server queried by this EDIR gateway instance. The EDIR gateway instance is normally co-located with that LDAP server on the same host, but you have the option of choosing an LDAP server on some other host. Assigning this variable a list of hostnames rather than a single hostname appears to work correctly, but examination of the code suggests that behaviour in this case is undefined). ||
||registry_agent ||Oracle schema for EDIR registry ||
||registry_db ||Oracle instance for EDIR registry ||
||registry_passwd_file ||Path reference to registry_agent password file ||
||release ||Major release number for EDIR web gateway ||
||slapd_port ||Port for iPlanet directory access ||
||slapd_ssl_clause ||Additional clause required if slapd_port is an SSL configured port ||
||update_server ||Server(s) that may respond to update requests (local machine issue) (sxmpa 2/13/2010 - the EDIR gateway code reads this variable out of runtime.cfg but does not appear ever to use that value). ||
||version ||Gateway instance: TEST, PREP or PROD ||

Note: runtime.cfg files are machine specific. Do not copy between servers.
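As an added example (not code from the EDIR project), a Perl check that a runtime.cfg is safe to deploy: the required parameters are present, debug is off when version is PROD, query_servers names a single host as the note above recommends, and the three agent password files exist with 0600 permissions and are owned by the user running the gateway. It assumes a `name = value` line syntax, which the page does not document.

```perl
# Added example, not part of the EDIR code base: sanity-check a runtime.cfg
# before it goes live. ASSUMPTION: the file holds one "name = value" per line;
# the page does not document the real syntax, so adjust parse_cfg() if it differs.
use strict;
use warnings;
use Fcntl ':mode';
# Parameter names are those listed in the runtime.cfg table.
my @secret_files = qw(directory_passwd_file privileged_agent_passwd_file registry_passwd_file);
my @required = (qw(directory_agent privileged_agent log_dir lock_file version debug
                   query_servers slapd_port), @secret_files);
sub parse_cfg {
    my ($path) = @_;
    open my $fh, '<', $path or die "cannot open $path: $!";
    my %cfg;
    while (my $line = <$fh>) {
        next if $line =~ /^\s*(#|$)/;                 # skip comments and blank lines
        $cfg{$1} = $2 if $line =~ /^\s*(\w+)\s*=\s*(.*?)\s*$/;
    }
    close $fh;
    return \%cfg;
}

sub check_cfg {
    my ($cfg) = @_;
    my @problems = map { "missing parameter: $_" } grep { !defined $cfg->{$_} } @required;
    push @problems, "version must be TEST, PREP or PROD"
        if defined $cfg->{version} && $cfg->{version} !~ /^(TEST|PREP|PROD)$/;
    push @problems, "debug must be 0 when version is PROD"
        if ($cfg->{version} // '') eq 'PROD' && ($cfg->{debug} // '0') ne '0';
    # Per the sxmpa note in the table: a list of hosts here is undefined behaviour.
    push @problems, "query_servers should name a single host"
        if defined $cfg->{query_servers} && $cfg->{query_servers} =~ /[\s,]/;
    # The agent password files are secrets: they must exist, be private and be ours.
    for my $p (@secret_files) {
        my $f = $cfg->{$p} or next;
        my @st = stat $f;
        if (!@st) { push @problems, "$p: $f does not exist"; next }
        push @problems, sprintf('%s: %s is mode %04o, expected 0600', $p, $f, S_IMODE($st[2]))
            if S_IMODE($st[2]) != 0600;
        push @problems, "$p: $f is not owned by the uid running the gateway" if $st[4] != $>;
    }
    push @problems, "log_dir $cfg->{log_dir} is not a writable directory"
        if defined $cfg->{log_dir} && !(-d $cfg->{log_dir} && -w $cfg->{log_dir});
    return @problems;
}

my @problems = check_cfg(parse_cfg($ARGV[0] // "$ENV{HOME}/EDIR/config/runtime.cfg"));
print "$_\n" for @problems;
exit(@problems ? 1 : 0);
```

Run it as the gateway (iplanet) user so the ownership check compares against the account that actually reads the password files.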
== Libraries ==

Library sub procedures are located for every instance at: $HOME/EDIR/cgi-bin/

=== ldap_lib.pm ===

||= Library Sub Procedure =||= Description =||
||sub Authenticate ||accepts credentials (UID or mailAlternateAddress and password); returns whether authenticated [Y|N] and, if successful: null msg, UID, displayName and list of user's roles; if unsuccessful: error msg, UID, null, null ||
||sub !CampusPickList ||generates generic HTML form element for campus picklist using ldap_uakEmployeeCampus.txt as input ||
||sub Credentials ||generates HTML form elements for LDAP credentials (id and password) ||
||sub UAclose ||generates closing HTML elements for standard window look and feel ||
||sub UAopen ||generates opening HTML elements for standard window look and feel ||
||sub abort ||uses mailx to send $body with $subject to $MAILTO ||
||sub appendMsg ||formats $msg_in according to $msg_type and appends to $MSG ||
||sub bldgCampusPickList ||generates HTML form element for building pick list for MAU ||
||sub bldgExists ||checks static file to determine if building code exists (issue: building codes are stored in registry and in static file but not in directory) ||
||sub bldgPicklist ||generates HTML form element for building pick list ||
||sub crypt ||simple encryption of strings; used to encrypt password before storing in LDAP cookie ||
||sub debug ||utility used to record debugging information (utilizes debug runtime config parm) ||
||sub deptUnitPickList ||generates HTML form element for department picklist; elements of list taken from external file ldap_deptUnits.txt ||
||sub embeddedAttributes ||(may be obsolete; was a formatting solution for values that could represent an unlimited number of MAU specific phonebook "attributes") ||
||sub employeeCampusPickList ||generates HTML form element for an employee's ldapsearch to locate that employee's uakEmployeeCampus attribute values ||
||sub employeeDeptPickList ||generates generic HTML form element for campus picklist using ldap_uakEmployeeAffiliation.txt ||
||sub formatAttributes ||function returning hash of attribute characteristics used to control formatting of HTML form elements; elements with exceptional (non-standard) formatting requirements are recorded here ||
||sub formatLabel ||formats field descriptions with or without accompanying comments ||
||sub formatValue ||formats attribute values, generating href tags for specific attribute types ||
||sub genClearCookie ||generates Set-Cookie metadata that clears old cookie (where ldapstring is assumed to be the cookie being cleared) ||
||sub genClearSimpleCookie ||generates Set-Cookie metadata that clears new simple cookie (where name/value are passed to function) ||
||sub genSetCookie ||generates Set-Cookie metadata that establishes a specific cookie (new or old) ||
||sub getACL ||returns hash of permissions for requested list of ACL names ||
||sub getAttributes ||returns a hash of arrays for attributes meeting specified criteria; the hash keys are LDAP attribute names, each hash value is an array of attribute characteristics ||
||sub getEntityDisplayLabel ||function returning one of DISPLAY_NAME, TITLE_, UNITDISPLAYNAME, UNITNAME or UID from an array of attributes passed to the function ||
||sub getUserAttributes ||returns array of attribute=value pairs for $filter ||
||sub getSecureAttributes ||returns array of attribute=value pairs for $filter (utilizes privileged credentials) ||
||sub is_deptAdmin ||function that determines if credentialed user is admin for department record ||
||sub is_emplAdmin ||function that determines if credentialed user is admin for people record ||
||sub lookUpParentUnit ||function that returns parent unit for department record ||
||sub pad ||returns string padded with character to specified length ||
||sub parseCookie ||parses old, complex cookie; returning the UID, password, name and role elements ||
||sub parseDN ||parses $dn and returns UID and OU elements ||
||sub parseSimpleCookie ||parses new simple cookie; returning a single string value ||
||sub post_admin ||executes HTTPS request to call ldap_bulk_admin CGI script as though from the web (utilizes directory_server_link runtime config parm) ||
||sub post_updates ||executes HTTPS request to call ldap_bulk_update CGI script as though from the web (utilizes directory_server_link runtime config parm) ||
||sub returnIdentifierFilter ||used to return a generic filter that can be used to search for a people record by name or any identifier accepted during AUTHSERV authentication (see ldap_dlevelx CGI script) ||
||sub studentDeptPickList ||generates generic HTML form element for student department picklist using ldap_uakStudentAffiliation.txt ||
||sub uidLDAPlookup ||returns (last) $attribute value for matching $filter where query executed by credentialed user or default gateway user (weak - utilized currently only by ldap_lib.pm) ||
||sub connect ||establishes ORACLE_HOME and executes DBI->connect utilizing $eff_login to establish $dbh ||
||sub evaluate ||executes $dbh->prepare on $sql to establish $sth ||
||sub execute ||performs $sth->execute which executes the sql statement in the Oracle database ||
||sub getSecureAttributes ||returns array of attribute=value pairs for $filter (utilizes privileged credentials) ||
||sub log_error ||writes $msg to $ERRORLOG ||

== CGI Scripts ==

CGI scripts are located at: $HOME/EDIR/cgi-bin/

||= Script Name =||= Description =||
||edir_auth ||CGI script that validates authentication provided by AUTHSERV before putting up the EDIR "welcome" page. ||
||ldap_admin_assist ||Generates an HTML form allowing us to assign LDAP entities as SECRETARY to groups of LDAP records sharing a given department. Utilizes credentials stored in LDAP cookie by ldap_auth. When the form is submitted, ldap_admin_assist generates a file of update requests that is passed to ldap_bulk_update. Messages returned by bulk_update become a part of the next display of the HTML form. ||
||ldap_buildings ||Generates an HTML form used to manage building codes utilized by ldap_loc_update and stored in uakEmployeeLocator attribute values. ||
||ldap_dept_query ||(link to ldap_search; name provides context specific behavior) ||
||ldap_dlevelx ||Generates an HTML form used by individuals with emplAdmin access to add/delete DLEVELX values to people records. ||
||ldap_filter_help ||Generates HTML help page (topic: filters) ||
||ldap_history ||Generates an HTML form used to view EDIR gateway update logs (multiple server issue). ||
||ldap_loc_update ||Generates an HTML form for maintaining the uakEmployeeLocator attribute. Utilizes credentials stored in LDAP cookie by ldap_auth. The form parses uakEmployeeLocator, breaking it into component parts: MAU, office location, phone and fax. When the form is submitted, ldap_loc_update generates a file of update requests that is passed to ldap_bulk_update. Messages returned by bulk_update become a part of the next display of the HTML form. ||
||ldap_log_out ||Generates log out page that destroys EDIR cookie. ||
||ldap_passwd_help ||Generates HTML help page (topic: passwords) ||
||ldap_query ||(link to ldap_search; name provides context specific behavior) ||
||ldap_search ||Generates an HTML form used to get the criteria used to search the directory. Utilizes credentials stored in LDAP cookie by edir_auth. If no credentials are present, the resulting form contains a subset of the form variables otherwise displayed and queries utilize the gateway interface credentials. Depending on the name used to call ldap_search (ldap_dept_query and ldap_query are links to ldap_search), the search form is customized to support either "people" or "department" searches. ||
||ldap_sec_update ||Generates an HTML form used only by the account owner to update private question and response. ||
||ldap_seed_department ||Generates an HTML form allowing creation of "faux" department records ('04' UID extension). ||
||ldap_seed_resource ||Generates an HTML form allowing creation of ou=resource records. ||
||ldap_seed_routing ||Generates an HTML form allowing creation of ou=routing records (for @alaska.edu mail routing). ||
||ldap_update ||Generates an HTML form allowing users to update, add and delete LDAP attribute values for their own LDAP record and the records of those for which they have update ability. Utilizes the credentials stored in LDAP cookie by ldap_auth. When submitted, ldap_update generates a file of update requests that is passed to ldap_bulk_update. Messages returned by bulk_update become a part of the next display of the HTML form. ||
||ldap_update_help ||Generates HTML help page (topic: origins of EDIR data, etc.) ||

########################################################[[br]]
LEGACY CHANGE HISTORY - NOTE: All subsequent changes are recorded in TracWiki [[br]]
########################################################[[br]]
####################### 20081031 elm added reference to runtime_common.cfg
# eof