Version 2 (modified by lttoth@…, 10 years ago) (diff) |
---|
Accounts, Roles, and Groups Utilized by UPDATE, EDIR, and AUTHSERV
Original Author: Beth Mercer - 20081114
The following accounts are utilized in some manner by UPDATE, EDIR, or AUTHSERV batch processing or the web gateway(s). They are grouped by category: directory or registry.
IPLANET ACCOUNTS/ROLES/ACIS
iPlanet Accounts
- uid=edirbatch03,ou=resource,dc=alaska,dc=edu
credentials utilized by UPDATE interface for batch processing
- uid=edirgw03,ou=resource,dc=alaska,dc=edu
credentials utilized by EDIR web gateway for "anonymous" access
- uid=edirpriv03,ou=resource,dc=alaska,dc=edu
credentials utilized by EDIR web gateway to access privileged information not expected to be visible to "anonymous" access but need for functions like the "This is me! Log In" link.
- uid=authserv03,ou=resource,dc=alaska,dc=edu
credentials utilized by the AUTHSERV web gateway
- uid=authpriv03,ou=resource,dc=alaska,dc=edu
credentials utilized by AUTHSERV web gateway to access privileged information
- uid=updategw03,ou=resource,dc=alaska,dc=edu
credentials utilized by UPDATE back end to access privileged information and perform privileged tasks
Note: Most likely, AUTHSERV needs only one set of credentials.
iPlanet Roles
cn=directoryGatewayRole,ou=people,dc=alaska,dc=edu cn=directoryGatewayRole,ou=resource,dc=alaska,dc=edu
roles associated with ACIs allowing gateway access to non-privileged information
cn=directoryPrivilegedRole,ou=people,dc=alaska,dc=edu cn=directoryPrivilegedRole,ou=resource,dc=alaska,dc=edu
roles associated with ACIs allowing gateway access to privileged information
cn=authserviceRole,ou=people,dc=alaska,dc=edu cn=authserviceRole,ou=resource,dc=alaska,dc=edu
roles associated with ACIs allowing gateway access to non-privileged information
cn=authservicePrivilegedRole,ou=resource,dc=alaska,dc=edu cn=authservicePrivilegedRole,ou=people,dc=alaska,dc=edu
roles associated with ACIs allowing gateway access to privileged information
(future) cn=superUserRole,ou=resource,dc=alaska,dc=edu
role associated with ACIs allowing the update back end access to privileged information
iPlanet ACIs
- EDIRGWANYCOMPARE
- EDIRGWANYREAD
- EDIRGWEMPREAD
- EDIRGWSTUREAD
ACIs that provide the non-privileged gateway role with read access to non-privileged information
- EDIRGWCOMPARE
- EDIRGWEMPCOMPARE
- EDIRGWSTUCOMPARE
ACIs that provide the privileged gateway role the ability to ask true/false questions about attributes that are not otherwise visible
- EDIRGWPRIVREAD
ACIs that provide the privileged gateway role with read access to privileged information
- AUTHSERVICEREAD
ACIs that provide the non-privileged authservice role with read access to non-privileged information
- AUTHSERVICEPRIVCOMPARE
ACIs that provide the privileged gateway role the ability to ask true/false questions about attributes that are not otherwise visible
- AUTHSERVICEPRIVREAD
ACIs that provide the privileged authservice role with read access to privileged information
(future) SUADDDEL (future) SUDENYREADSEARCHCOMPARE (future) SUDENYWRITE (future) SUREADWRITE
ACIs that provide (or deny) the privileged superuser role with read/write access to privileged information
UNIX ACCOUNT/GROUPS
Directory Servers
account: ldapgw
UNIX account owning CGI scripts representing the EDIR/AUTHSERV web gateways.
- member of group ldapgw (primary group)
- member of group edirgw (used to expose password files to nobody during CGI script execution)
- any files opened during execution of CGI scripts
- <GW>/logs directory where output is written
- member of group other
- member of group UA_Korn (on toklat only)
- .shosts file must allow access by
- <<directory servers>> iplanet
- ldapgw must be listed in ~ua?synch/.shosts file to facilitate transfer of UA? specific "style" elements utilized by EDIR/AUTHSERV
account: sxldap
UNIX account owning CGI scripts representing the UPDATE back end gateway.
- Group Membership member of group updategw (primary group) member of group edirgw (used to expose password files to nobody during CGI script execution)
any files opened during execution of CGI scripts <GW>/logs directory where output is written
member of group other member of group UA_Korn (on toklat and summit only)
.shosts file must allow access by
<<directory servers>> iplanet
account: iplanet UNIX account owning iPlanet directory and web update processes.
- Directory Locations
~iplanet/EDIR[TEST|PREP|PROD]/ ~iplanet/AUTH[TEST|PREP|PROD]/
*All directory maintenance related source code is stored under this account
~iplanet/local/ldap/
*.shosts file must allow access by
<<registry servers>> sxldap
- Group membership
- iplanet (primary group)
- other
- edirgw (associated with files visible to all parties supporting gateways)
- updategw (associated with password files read by CGI scripts) any files opened during execution of CGI scripts <GW>/ldap/web/log directory where output is written
account: nobody UNIX account under which Apache httpd processes are started and under which EDIR CGI scripts are executed via the web.
- member of group nobody (primary group)
- member of group edirgw (facilitate reading of password files read by CGI scripts)
- member of group updategw (facilitate reading of password files read by CGI scripts)
account: ua?synch
UNIX accounts under which UAA specific "style" elements are maintained for test and preproduction EDIR/AUTHSERV.
~ua?synch/[TEST|PREP]/
Note: Production "style" elements are copied from preproduction to the gateway directories; no reliance on links.
.shosts file must allow access by
<<directory servers>> iplanet # may become obsolete with gw ownership change <<directory servers>> ldapgw <<ua? entities>>
member of group other (primary group) member of group edirsynch (facilitate transfer of LDIF to uaasynch account)
group: iplanet
default group of iplanet account
group: ldapgw
default group of ldapgw account
group: updategw
group used by iplanet to expose files that must be visible to 'nobody' (future) group used by sxldap to expose files that must be visible to 'nobody' (owner of Apache processes) when executing update process CGI scripts
group: edirgw
group used by ldapgw to expose files that must be visible to 'nobody' (owner of Apache processes) when executing gateway CGI scripts
Registry Servers:
account: oracle
UNIX account owning oracle processes on registry servers where DBMS_FILE is used in LDIF generation. oracle owns resulting files and must change the file permissions before files can be copied by the registry account.
member of group SWLDAP (facilitate change owner on EDIR LDIF) <<and member of many other groups not applicable to EDIR processing>>
account: sxldap
UNIX account under which EDIR Banner Extract processing occurs and from which registry generated LDIF originates. All EDIR registry related source code is stored under this account
summit:~sxldap/local/ldap/
sxldap must be listed in ~iplanet/.shosts file to facilitate transfer and application of registry generated LDIF
member of group SWLDAP (primary group) member of group UA_Korn
group: SWLDAP
group used to share output of registry database batch processes where output is owned by oracle and written to /tmp
ORACLE ACCOUNTS/ROLES =====================
account: OPS$SXLDAP
Oracle schema owning EDIR registry and performing EDIR Banner Extract processing.
granted role CONNECT granted role LDAP_ROLE (role to which oracle SYS privs are granted)
Note: Table grants are made directly to the OPS$SXLDAP account which in turn creates objects referencing those accounts. See the following files on toklat:
/ODS/product/PROD/bin/grant_*_to_sxldap.sql
account: EDIR_GATEWAY
Oracle schema granted execute and select privilege on OPS$SXLDAP owned registry procedures and views.
granted role EDIR_ROLE
role: EDIR_ROLE
Oracle role to which ops$sxldap can grant privileges so that EDIR_GATEWAY has access.
Note: Historically, all grants on OPS$SXLDAP objects are made to the EDIR_GATEWAY via the SQL source scripts for creating the objects. We haven't been utilizing the role. See summit:~sxldap/local/ldap/registry/*.sql
############## CHANGE HISTORY ############## 20071031 elm added section about oracle_[en|dis]able_updates.ksh scripts 20081114 elm added reference to credentials, roles, ACIs soon to be associated
with update back end under sxldap ownership rather than iplanet ownership
(eof)