| | 1 | = EDIR Account Management Processes and Associated Utilities = |
| | 2 | |
| | 3 | == Account Creation == |
| | 4 | Creating an account generates a new EDIR LDAP record. |
| | 5 | |
| | 6 | REGISTRY: EDIR Banner Extract (includes restore of previously purged entities) |
| | 7 | |
| | 8 | employees with active assigments |
| | 9 | |
| | 10 | students with current or preenrolled credit hours |
| | 11 | |
| | 12 | AUTHSERV: Sponsor Account Page |
| | 13 | |
| | 14 | Banner entities with recorded SSN not qualifying for EDIR Banner Extract |
| | 15 | (seed information must tie to Banner on SSN and birth date; |
| | 16 | identical input ties to only one or no Banner entities, |
| | 17 | if multiples matches found, no EDIR record is created) |
| | 18 | |
| | 19 | guest accounts |
| | 20 | (seed information never tied to Banner; |
| | 21 | identical input generates multiple unique guest accounts) |
| | 22 | |
| | 23 | Note: Birth date being added to matching criteria. Currently matching to Banner only on SSN. |
| | 24 | |
| | 25 | |
| | 26 | == Account Activation == |
| | 27 | Account activation establishes a default password, i.e., the presence of password signifies an "active" account. |
| | 28 | |
| | 29 | Note: EDIR accounts are created **with out** passwords because we have not had the opportunity |
| | 30 | to create a robust account claiming page based on highly privileged information only the user |
| | 31 | is likely to know. Our "First Time" login page (sometimes refered to as account claiming) |
| | 32 | requires only that you know the users identifier (UID, UAUsername or UAUserID), last 4 of ssn |
| | 33 | and birth date. Those pieces of information are readily available to many people. |
| | 34 | |
| | 35 | AUTHSERV/EDIR: Bulk Update Page |
| | 36 | |
| | 37 | activate and silent activate functions |
| | 38 | (activate establishes default password only if password *not* already present) |
| | 39 | |
| | 40 | reset and silent reset functions (including "trusted" form of function) |
| | 41 | (reset establishes default password whether or not password already present) |
| | 42 | (trusted reset clears password history first) |
| | 43 | |
| | 44 | Notes: |
| | 45 | 1) The "silent" functionality was for UAA which did not want it's users receiving AUTHSERV/EDIR |
| | 46 | notifications. The non-silent versions will, under the appropriate circumstances, notify the |
| | 47 | user of the account activation or password reset. |
| | 48 | |
| | 49 | 2) The "trusted" functionality was implemented in support of support of (MAU)->AUTHSERV |
| | 50 | password synchronization (see Password Synchronization below). |
| | 51 | |
| | 52 | AUTHSERV: Account Activation Page |
| | 53 | |
| | 54 | calls bulk update page for noisy activate function |
| | 55 | |
| | 56 | AUTHSERV: Password Reset Page |
| | 57 | |
| | 58 | calls bulk update for noisy reset function |
| | 59 | |
| | 60 | |
| | 61 | == Account Inactivation == |
| | 62 | IInactivating an account removed passwords, so the absence of passwords signifies an "inactive" account). |
| | 63 | |
| | 64 | AUTHSERV/EDIR: Bulk Update Page |
| | 65 | |
| | 66 | purge attribute function for userPassword |
| | 67 | (removes userPassword, making account "inactive") |
| | 68 | |
| | 69 | AUTHSERV: Account Activation Page |
| | 70 | |
| | 71 | calls bulk update to purge userPassword |
| | 72 | |
| | 73 | |
| | 74 | == Account Claiming == |
| | 75 | EDIR, unlike ELMO, has the notion of claiming an account by changing the password from default to a user chosen password.. |
| | 76 | |
| | 77 | AUTHSERV: First Time Login Page |
| | 78 | |
| | 79 | calls bulk update update function with default and new userPassword values |
| | 80 | (must successfully answer weak challenge questions) |
| | 81 | |
| | 82 | Note: See note concerning Account Activation. |
| | 83 | |
| | 84 | AUTHSERV: Log In with Password Change Page |
| | 85 | |
| | 86 | calls bulk update update function with old (default) and new userPassword values |
| | 87 | |
| | 88 | |
| | 89 | == Account Locking/Unlocking == |
| | 90 | |
| | 91 | AUTHSERV: Account Lock Page |
| | 92 | AUTHSERV: Administrative Lock Page |
| | 93 | |
| | 94 | both call bulk update lock/unlock function |
| | 95 | (executes iPlanet ns-[in]activate script which enables/prevents directory BINDs; |
| | 96 | writes/removes accountStatusFlag attribute value indicating type of lock) |
| | 97 | |
| | 98 | accountStatusFlag=L (regular lock) |
| | 99 | accountStatusFlag=AL (admin lock) |
| | 100 | |
| | 101 | Note: Only individuals with EDIRadmin role can add/remove administrative locks. The |
| | 102 | reason for the 2 types of locks originates from ZUAUSR in which a user might request his |
| | 103 | account be locked (as during sabatical - regular lock) or an administrative security |
| | 104 | action might be taken (prevent the user from having Oracle/UNIX access - admin lock). |
| | 105 | |
| | 106 | |
| | 107 | == Password Resets == |
| | 108 | |
| | 109 | AUTHSERV: Password Reset Page |
| | 110 | |
| | 111 | calls bulk update for noisy reset function |
| | 112 | |
| | 113 | AUTHSERV: Self Reset Page |
| | 114 | |
| | 115 | calls bulk update for noisy reset function |
| | 116 | (must successfully complete private challenge/response dialog) |
| | 117 | |
| | 118 | |
| | 119 | == Password Changes == |
| | 120 | |
| | 121 | AUTHSERV: First Time Login Page |
| | 122 | AUTHSERV: Post Reset Login Page |
| | 123 | |
| | 124 | calls bulk update update function with default and new userPassword values |
| | 125 | (must successfully answer weak challenge questions) |
| | 126 | |
| | 127 | Note: See note concerning Account Activation. |
| | 128 | |
| | 129 | AUTHSERV: Log In with Password Change Page |
| | 130 | |
| | 131 | calls bulk update update function with old (default) and new userPassword values |
| | 132 | |
| | 133 | |
| | 134 | == Password Expiration Warning == |
| | 135 | |
| | 136 | AUTHSERV: (following successful authentication - MAU "style" specific behavior) |
| | 137 | |
| | 138 | REGISTRY: Account Management Process |
| | 139 | |
| | 140 | looks for passwords about to expire and unclaimed accounts |
| | 141 | (unclaimed: default password present 14 days after default password established) |
| | 142 | sends email warning, if mailRoutingAddress present, 14, 7, 3 and 1 days prior to password expiration |
| | 143 | calls bulk update purge function to inactivate (delete userPassword for) unclaimed accounts |
| | 144 | |
| | 145 | == Directory Purges == |
| | 146 | |
| | 147 | REGISTRY: Directory Purge Process |
| | 148 | |
| | 149 | generates ldapdelete statements to drop the directory records for registry records with |
| | 150 | a record state of "BAD" or "INACTIVE" |
| | 151 | |
| | 152 | |
| | 153 | Note: EDIR registry "record state" and EDIR directory account state are two different things. |
| | 154 | Registry record state is used to regulate account lifecyle. EDIR account state indicates |
| | 155 | whether or not a password is present and if the user is allowed to BIND to the directory. |
| | 156 | |
| | 157 | |
| | 158 | == Password Syncronization == |
| | 159 | Formerly, password synchronization occurred when via a password push received clear text value for new password. ELMO now handles all Banner active accounts. The AUTHSERV interface manages guest passwords, only. |
| | 160 | |
| | 161 | UAA->AUTHSERV |
| | 162 | UAS(ELMO)->AUTHSERV |
| | 163 | |
| | 164 | UAA and UAS have been granted resource credentials with helpDesk, passwordSync and twoStepBind |
| | 165 | EDIR roles. These credentials and their administrative access are used to push their MAU specific |
| | 166 | password down to our directory. |
| | 167 | |
| | 168 | The password push is a three step process: |
| | 169 | |
| | 170 | 1) Resource credentials are used to reset userPassword to it's default value. This is done |
| | 171 | by calling the bulk update trusted reset function. During a trusted reset, passwordHistory |
| | 172 | is cleared to insure differences in recorded historys do not prevent the directory from |
| | 173 | accepting an otherwise good password. |
| | 174 | |
| | 175 | 2) Resource credentials are used to look up defaultPassword which is used in step 3. |
| | 176 | |
| | 177 | 3) The account holder's credentials (UID and defaultPassword) are used during call to the |
| | 178 | bulk update update function with old (default) and new userPassword values. |
| | 179 | |
| | 180 | |
| | 181 | AUTHSERV->UAS(ELMO) |
| | 182 | |
| | 183 | UAS has created a restricted access web page that can be called to push a new directory |
| | 184 | password to UAS. AUTHSERV calls this web page only on completion of a successful password |
| | 185 | *change* and only if the change request does not originate from the UAS->AUTHSERV password |
| | 186 | process. The call to the UAS web page is "blind"; we don't care if it fails and no status |
| | 187 | is returned to the end user. |
| | 188 | |
| | 189 | Since all password changes (not resets) must be made as the account owner, we could not use |
| | 190 | the UAS resource credentials to identify when the UAS push process had originated the request. |
| | 191 | Instead, UAS has provided us with an IP/domain list to exclude from AUTHSERV->UAS password |
| | 192 | synchronization. Requests originating from those IPs/domains are assumed to have originated |
| | 193 | from the UAS(ELMO)->AUTHSERV synchronization. This prevents us from getting into a password |
| | 194 | change loop. |
| | 195 | |
| | 196 | The AUTHSERV->(MAU) push process is designed to be extensible and so is parameter driven. |
| | 197 | The password push to UAS can be modified by editing UAS specific configuration parameters in |
| | 198 | "e":~ldapgw/AUTHPROD/config/runtime.cfg. Likewise, a push to UAA could be implemented by |
| | 199 | adding UAA specific configuration parameters to the same config file. |
| | 200 | |
| | 201 | Note: The runtime.cfg file resides on each "e" box. AUTHSERV->(MAU) password push parameters |
| | 202 | must be added to runtime.cfg on every "e" box. |
| | 203 | |
| | 204 | ########################################################[[br]] |
| | 205 | LEGACY CHANGE HISTORY - NOTE: All subsequent changes are recorded in TracWiki[[br]] |
| | 206 | ########################################################[[br]] |
| | 207 | |
| | 208 | 20081028 elm Expanded on processes for disabling updates particularly since change that allows userPassword, uakSecQuestion and uakSecResponse updates to bypass the registry.[[br]] |
| | 209 | 20081031 elm corrected typos |
| | 210 | 20070815 sxelm updated to include password synchronization |
| | 211 | 20070814 sxelm original doc |