Changes between Initial Version and Version 1 of ALL__accounts_roles

Timestamp:

11/13/14 13:36:59 (10 years ago)

Author:

lttoth@…

Comment:

--

ALL__accounts_roles

@@ +1 @@
+= All Account Roles =
+
+20081114 sxelm          Accounts/Roles/Groups Utilized by UPDATE/EDIR/AUTHSERV
+
+The following accounts are utilized in some manner by UPDATE, EDIR, or AUTHSERV batch processing 
+or the web gateway(s).  They are grouped by category: directory or registry.
+
+== IPLANET ACCOUNTS/ROLES/ACIS ==
+
+=== iPlanet Accounts ===
+
+        * uid=edirbatch03,ou=resource,dc=alaska,dc=edu
+                credentials utilized by UPDATE interface for batch processing
+
+        * uid=edirgw03,ou=resource,dc=alaska,dc=edu
+                credentials utilized by EDIR web gateway for "anonymous" access
+
+        * uid=edirpriv03,ou=resource,dc=alaska,dc=edu
+                credentials utilized by EDIR web gateway to access privileged information 
+                not expected to be visible to "anonymous" access but need for functions 
+                like the "This is me! Log In" link.
+
+        * uid=authserv03,ou=resource,dc=alaska,dc=edu
+                credentials utilized by the AUTHSERV web gateway 
+
+        * uid=authpriv03,ou=resource,dc=alaska,dc=edu
+                credentials utilized by AUTHSERV web gateway to access privileged information 
+
+        * uid=updategw03,ou=resource,dc=alaska,dc=edu
+                credentials utilized by UPDATE back end to access privileged information 
+                and perform privileged tasks
+
+Note: Most likely, AUTHSERV needs only one set of credentials.
+
+=== iPlanet Roles ===
+        
+        cn=directoryGatewayRole,ou=people,dc=alaska,dc=edu
+        cn=directoryGatewayRole,ou=resource,dc=alaska,dc=edu
+                roles associated with ACIs allowing gateway access to non-privileged information
+
+        cn=directoryPrivilegedRole,ou=people,dc=alaska,dc=edu
+        cn=directoryPrivilegedRole,ou=resource,dc=alaska,dc=edu
+                roles associated with ACIs allowing gateway access to privileged information
+
+        cn=authserviceRole,ou=people,dc=alaska,dc=edu
+        cn=authserviceRole,ou=resource,dc=alaska,dc=edu
+                roles associated with ACIs allowing gateway access to non-privileged information
+
+        cn=authservicePrivilegedRole,ou=resource,dc=alaska,dc=edu
+        cn=authservicePrivilegedRole,ou=people,dc=alaska,dc=edu
+                roles associated with ACIs allowing gateway access to privileged information
+
+        (future) cn=superUserRole,ou=resource,dc=alaska,dc=edu
+                role associated with ACIs allowing the update back end access to privileged information
+
+=== iPlanet ACIs ===
+
+        * EDIRGWANYCOMPARE
+        * EDIRGWANYREAD
+        * EDIRGWEMPREAD
+        * EDIRGWSTUREAD
+                ACIs that provide the non-privileged gateway role with read access to non-privileged
+                information 
+
+        * EDIRGWCOMPARE
+        * EDIRGWEMPCOMPARE
+        * EDIRGWSTUCOMPARE
+                ACIs that provide the privileged gateway role the ability to ask true/false
+                questions about attributes that are not otherwise visible
+
+        * EDIRGWPRIVREAD
+                ACIs that provide the privileged gateway role with read access to privileged 
+                information
+
+        * AUTHSERVICEREAD
+                ACIs that provide the non-privileged authservice role with read access to non-privileged 
+                information
+
+        * AUTHSERVICEPRIVCOMPARE
+                ACIs that provide the privileged gateway role the ability to ask true/false
+                questions about attributes that are not otherwise visible
+
+        * AUTHSERVICEPRIVREAD
+                ACIs that provide the privileged authservice role with read access to privileged information
+
+        (future) SUADDDEL
+        (future) SUDENYREADSEARCHCOMPARE
+        (future) SUDENYWRITE
+        (future) SUREADWRITE
+                ACIs that provide (or deny) the privileged superuser role with read/write access
+                to privileged information
+
+
+
+== UNIX ACCOUNT/GROUPS ==
+
+=== Directory Servers ===
+        ==== account: ldapgw ====       
+        UNIX account owning CGI scripts representing the EDIR/AUTHSERV web gateways.
+                * member of group ldapgw (primary group)
+                * member of group edirgw (used to expose password files to nobody during CGI script execution)
+                        * any files opened during execution of CGI scripts
+                        * <GW>/logs directory where output is written
+                * member of group other  
+                * member of group UA_Korn (on toklat only)
+                * .shosts file must allow access by 
+                        * <<directory servers>> iplanet
+                * ldapgw must be listed in ~ua?synch/.shosts file to facilitate transfer of UA? specific "style" elements utilized by EDIR/AUTHSERV
+
+        ==== account: sxldap ====
+        UNIX account owning CGI scripts representing the UPDATE back end gateway.
+
+                * Group Membership
+                member of group updategw (primary group)
+                member of group edirgw (used to expose password files to nobody during CGI script execution)
+                        any files opened during execution of CGI scripts
+                        <GW>/logs directory where output is written
+                member of group other  
+                member of group UA_Korn (on toklat and summit only)
+        
+                .shosts file must allow access by 
+                        <<directory servers>>   iplanet
+        
+        account: iplanet        
+        UNIX account owning iPlanet directory and web update processes.  
+                * Directory Locations
+                        ~iplanet/EDIR[TEST|PREP|PROD]/
+                        ~iplanet/AUTH[TEST|PREP|PROD]/
+                *All directory maintenance related source code is stored under this account 
+                        ~iplanet/local/ldap/
+                *.shosts file must allow access by
+                        <<registry servers>>    sxldap
+                * Group membership
+                  * iplanet (primary group)
+                  * other  
+                  * edirgw (associated with files visible to all parties supporting gateways)
+                  * updategw (associated with password files read by CGI scripts) any files opened during execution of CGI scripts <GW>/ldap/web/log directory where output is written
+        
+        account: nobody 
+        UNIX account under which Apache httpd processes are started and under which EDIR CGI scripts are executed via the web.
+                * member of group nobody (primary group)
+                * member of group edirgw (facilitate reading of password files read by CGI scripts)
+                * member of group updategw (facilitate reading of password files read by CGI scripts)
+        
+        account: ua?synch
+                UNIX accounts under which UAA specific "style" elements are maintained 
+                for test and preproduction EDIR/AUTHSERV.
+                        ~ua?synch/[TEST|PREP]/
+
+                Note: Production "style" elements are copied from preproduction to the gateway 
+                directories; no reliance on links.
+        
+                .shosts file must allow access by 
+                        <<directory servers>>   iplanet         # may become obsolete with gw ownership change
+                        <<directory servers>>   ldapgw
+                        <<ua? entities>>
+        
+                member of group other (primary group)
+                member of group edirsynch (facilitate transfer of LDIF to uaasynch account)
+
+        group: iplanet  
+                default group of iplanet account
+
+        group: ldapgw   
+                default group of ldapgw account
+
+        group: updategw
+                group used by iplanet to expose files that must be visible to 'nobody' 
+                (future) group used by sxldap to expose files that must be visible to 'nobody'
+                (owner of Apache processes) when executing update process CGI scripts
+
+
+        group: edirgw
+                group used by ldapgw to expose files that must be visible to 'nobody' 
+                (owner of Apache processes) when executing gateway CGI scripts
+
+
+Registry Servers:
+
+        account: oracle
+                UNIX account owning oracle processes on registry servers where DBMS_FILE 
+                is used in LDIF generation.  oracle owns resulting files and must change the 
+                file permissions before files can be copied by the registry account.
+        
+                member of group SWLDAP (facilitate change owner on EDIR LDIF)
+                <<and member of many other groups not applicable to EDIR processing>>
+        
+        account: sxldap
+                UNIX account under which EDIR Banner Extract processing occurs and from 
+                which registry generated LDIF originates.  All EDIR registry related source 
+                code is stored under this account
+                        summit:~sxldap/local/ldap/
+        
+                sxldap must be listed in ~iplanet/.shosts file to facilitate transfer 
+                and application of registry generated LDIF
+        
+                member of group SWLDAP (primary group)
+                member of group UA_Korn
+
+        group: SWLDAP
+                group used to share output of registry database batch processes where output is 
+                owned by oracle and written to /tmp
+        
+
+ORACLE ACCOUNTS/ROLES
+=====================
+
+        account: OPS$SXLDAP
+                Oracle schema owning EDIR registry and performing EDIR Banner Extract
+                processing.
+        
+                granted role CONNECT 
+                granted role LDAP_ROLE (role to which oracle SYS privs are granted)
+        
+                Note: Table grants are made directly to the OPS$SXLDAP account which 
+                in turn creates objects referencing those accounts.  See the following
+                files on toklat: 
+        
+                        /ODS/product/PROD/bin/grant_*_to_sxldap.sql
+
+        account: EDIR_GATEWAY
+                Oracle schema granted execute and select privilege on OPS$SXLDAP owned 
+                registry procedures and views.
+
+                granted role EDIR_ROLE
+
+        role: EDIR_ROLE
+                Oracle role to which ops$sxldap can grant privileges so that EDIR_GATEWAY
+                has access.
+
+                Note: Historically, all grants on OPS$SXLDAP objects are made to the 
+                EDIR_GATEWAY via the SQL source scripts for creating the objects.  We haven't
+                been utilizing the role.  See summit:~sxldap/local/ldap/registry/*.sql
+
+        
+##############
+CHANGE HISTORY
+##############
+20071031 elm    added section about oracle_[en|dis]able_updates.ksh scripts
+20081114 elm    added reference to credentials, roles, ACIs soon to be associated 
+                with update back end under sxldap ownership rather than iplanet ownership
+
+(eof)