Context Navigation

Changes between Version 2 and Version 3 of ALL__accounts_roles

Timestamp:: 11/13/14 14:37:12 (10 years ago)
Author:: lttoth@…
Comment:: --

Legend:

: Unmodified
: Added
: Removed
: Modified

ALL__accounts_roles

-                      v2
+                      v3
+== UNIX ACCOUNT/GROUPS ==
+=== Directory Servers ===
+        ==== account: ldapgw ====
+        UNIX account owning CGI scripts representing the EDIR/AUTHSERV web gateways.
+                * member of group ldapgw (primary group)
+                * member of group edirgw (used to expose password files to nobody during CGI script execution)
+== UNIX GROUPS AND MEMBER ACCOUNTS ==
+       === Directory Server Groups ===
+        ==== group: iplanet     ====
+                default group of iplanet account
+        ==== group: ldapgw ====
+                default group of ldapgw account
+        ==== group: updategw ====
+                group used by iplanet to expose files that must be visible to 'nobody'
+                (future) group used by sxldap to expose files that must be visible to 'nobody'
+                (owner of Apache processes) when executing update process CGI scripts
+        ==== group: edirgw ====
+                group used by ldapgw to expose files that must be visible to 'nobody'
+                (owner of Apache processes) when executing gateway CGI scripts
+=== Directory Server Accounts  ===
+        ==== account: //ldapgw// ====
+UNIX account owning CGI scripts representing the EDIR/AUTHSERV web gateways.
+                * Group Membership
+                  * ldapgw - primary group
+                  * edirgw
+                        * exposes password files to //nobody// during CGI script execution via group membership
                         * any files opened during execution of CGI scripts
                         * <GW>/logs directory where output is written
                 * member of group other
                 * member of group UA_Korn (on toklat only)
+                  * other
+                  * UA_Korn (on toklat only)
                 * .shosts file must allow access by
                         * <<directory servers>> iplanet
                 * ldapgw must be listed in ~ua?synch/.shosts file to facilitate transfer of UA? specific "style" elements utilized by EDIR/AUTHSERV
         ==== account: sxldap ====
         UNIX account owning CGI scripts representing the UPDATE back end gateway.
+        ==== account: //sxldap// ====
+UNIX account owning CGI script representing the UPDATE back end gateway.
                 * Group Membership
                 member of group updategw (primary group)
                 member of group edirgw (used to expose password files to nobody during CGI script execution)
+                        any files opened during execution of CGI scripts
                         <GW>/logs directory where output is written
                 member of group other
                 member of group UA_Korn (on toklat and summit only)
                 .shosts file must allow access by
                         <<directory servers>>   iplanet
         account: iplanet
+                 * updategw  - primary group
+                 * edirgw
+                        * exposes password files to //nobody// during CGI script execution via group membership
+                        * affects any files opened during execution of CGI scripts
+                        * affects <GW>/logs directory where output is written
+                 * other
+                 * UA_Korn (on toklat and summit only)
+                 * .shosts file must allow access by
+                        * <<directory servers>> iplanet
+        ==== account: //iplanet// ====
         UNIX account owning iPlanet directory and web update processes.
                 * Directory Locations
                         ~iplanet/EDIR[TEST|PREP|PROD]/
                         ~iplanet/AUTH[TEST|PREP|PROD]/
                 *All directory maintenance related source code is stored under this account
+                * All directory maintenance related source code is stored under this account
                         ~iplanet/local/ldap/
                 *.shosts file must allow access by
+                * .shosts file must allow access by
                         <<registry servers>>    sxldap
                 * Group membership
                   * iplanet (primary group)
+                  * iplanet - primary group
                   * other
+                  * edirgw (associated with files visible to all parties supporting gateways)
+                  * updategw (associated with password files read by CGI scripts) any files opened during execution of CGI scripts <GW>/ldap/web/log directory where output is written
+        account: nobody
+        UNIX account under which Apache httpd processes are started and under which EDIR CGI scripts are executed via the web.
+                * member of group nobody (primary group)
+                * member of group edirgw (facilitate reading of password files read by CGI scripts)
+                * member of group updategw (facilitate reading of password files read by CGI scripts)
+        account: ua?synch
+                UNIX accounts under which UAA specific "style" elements are maintained
+                for test and preproduction EDIR/AUTHSERV.
+                        ~ua?synch/[TEST|PREP]/
+                  * edirgw
+                   * associated with files visible to all parties supporting gateways
+                  * updategw
+                   * associated with password files read by CGI scripts
+                   * any files opened during execution of CGI scripts
+                   * <GW>/ldap/web/log directory where output is written
+        ==== account: //nobody// ====
+UNIX account under which Apache httpd processes are started and under which EDIR CGI scripts are executed via the web.
+                * Group membership
+                * nobody - primary group
+                * edirgw
+                 * facilitate reading of password files read by CGI scripts
+                * updategw
+                 * facilitate reading of password files read by CGI scripts
+        ==== account: //ua?synch// ====
+UNIX accounts under which UAA specific "style" elements are maintained for test and preproduction EDIR or AUTHSERV.
+                * for test and preproduction EDIR/AUTHSERV.
+                        * ~ua?synch/[TEST|PREP]/
                 Note: Production "style" elements are copied from preproduction to the gateway
 …
                         <<ua? entities>>
+                member of group other (primary group)
+                member of group edirsynch (facilitate transfer of LDIF to uaasynch account)
+        group: iplanet
+                default group of iplanet account
+        group: ldapgw
+                default group of ldapgw account
+        group: updategw
+                group used by iplanet to expose files that must be visible to 'nobody'
+                (future) group used by sxldap to expose files that must be visible to 'nobody'
+                (owner of Apache processes) when executing update process CGI scripts
+        group: edirgw
+                group used by ldapgw to expose files that must be visible to 'nobody'
+                (owner of Apache processes) when executing gateway CGI scripts
+Registry Servers:
+        account: oracle
+                UNIX account owning oracle processes on registry servers where DBMS_FILE
+                is used in LDIF generation.  oracle owns resulting files and must change the
+                file permissions before files can be copied by the registry account.
+                member of group SWLDAP (facilitate change owner on EDIR LDIF)
+                <<and member of many other groups not applicable to EDIR processing>>
+        account: sxldap
+                UNIX account under which EDIR Banner Extract processing occurs and from
+                which registry generated LDIF originates.  All EDIR registry related source
+                code is stored under this account
+                        summit:~sxldap/local/ldap/
+                * Group Membership
+                 * other - primary group
+                 * edirsynch
+                   * facilitate transfer of LDIF to uaasynch account
+=== Registry Servers - Groups and Accounts ===
+        ==== group: SWLDAP ====
+                group used to share output of registry database batch processes where output is
+                owned by oracle and written to /tmp
+        ==== account: //oracle// ====
+UNIX account owning oracle processes on registry servers where DBMS_FILE is used in LDIF generation.  oracle owns resulting files and must change the file permissions before files can be copied by the registry account.
+               * Group Membership
+                  * group SWLDAP
+                    * facilitate change owner on EDIR LDIF
+                  * many other groups not applicable to EDIR processing
+        ==== account: //sxldap// ====
+UNIX account under which EDIR Banner Extract processing occurs and from which registry generated LDIF originates.  All EDIR registry related source code is stored under this account.
+                Master - eklutna:~sxldap/local/ldap/
                 sxldap must be listed in ~iplanet/.shosts file to facilitate transfer
 …
                 member of group UA_Korn
-        group: SWLDAP
-                group used to share output of registry database batch processes where output is
-                owned by oracle and written to /tmp