Version 7 (modified by lttoth@…, 10 years ago)
Accounts, Roles, and Groups Utilized by UPDATE, EDIR, and AUTHSERV
Original Author: Beth Mercer - 20081114
The following accounts, roles, groups and ACIs are utilized in some manner by UPDATE, EDIR, or AUTHSERV batch processing or by the web gateway(s). They are grouped by where they live: the iPlanet directory, the UNIX hosts (directory servers and registry servers), and Oracle.
IPLANET ACCOUNTS/ROLES/ACIS
iPlanet Accounts
- uid=edirbatch03,ou=resource,dc=alaska,dc=edu
credentials utilized by the UPDATE interface for batch processing
- uid=edirgw03,ou=resource,dc=alaska,dc=edu
credentials utilized by EDIR web gateway for "anonymous" access
- uid=edirpriv03,ou=resource,dc=alaska,dc=edu
credentials utilized by the EDIR web gateway to access privileged information that is not expected to be visible to "anonymous" access but is needed for functions like the "This is me! Log In" link.
- uid=authserv03,ou=resource,dc=alaska,dc=edu
credentials utilized by the AUTHSERV web gateway
- uid=authpriv03,ou=resource,dc=alaska,dc=edu
credentials utilized by AUTHSERV web gateway to access privileged information
- uid=updategw03,ou=resource,dc=alaska,dc=edu
credentials utilized by UPDATE back end to access privileged information and perform privileged tasks
Note: Most likely, AUTHSERV needs only one set of credentials.
iPlanet Roles
- cn=directoryGatewayRole,ou=people,dc=alaska,dc=edu
- cn=directoryGatewayRole,ou=resource,dc=alaska,dc=edu
roles associated with ACIs allowing gateway access to non-privileged information
- cn=directoryPrivilegedRole,ou=people,dc=alaska,dc=edu
- cn=directoryPrivilegedRole,ou=resource,dc=alaska,dc=edu
roles associated with ACIs allowing gateway access to privileged information
- cn=authserviceRole,ou=people,dc=alaska,dc=edu
- cn=authserviceRole,ou=resource,dc=alaska,dc=edu
roles associated with ACIs allowing gateway access to non-privileged information
- cn=authservicePrivilegedRole,ou=people,dc=alaska,dc=edu
- cn=authservicePrivilegedRole,ou=resource,dc=alaska,dc=edu
roles associated with ACIs allowing gateway access to privileged information
- (future) cn=superUserRole,ou=resource,dc=alaska,dc=edu
role associated with ACIs allowing the update back end access to privileged information
iPlanet ACIs
- EDIRGWANYCOMPARE
- EDIRGWANYREAD
- EDIRGWEMPREAD
- EDIRGWSTUREAD
ACIs that provide the non-privileged gateway role with read access (and, via EDIRGWANYCOMPARE, compare access) to non-privileged information
- EDIRGWCOMPARE
- EDIRGWEMPCOMPARE
- EDIRGWSTUCOMPARE
ACIs that give the privileged gateway role compare (true/false) access to attributes it cannot otherwise read, so the gateway can confirm a value without the value being disclosed
- EDIRGWPRIVREAD
ACIs that provide the privileged gateway role with read access to privileged information
- AUTHSERVICEREAD
ACIs that provide the non-privileged authservice role with read access to non-privileged information
- AUTHSERVICEPRIVCOMPARE
ACIs that give the privileged authservice role compare (true/false) access to attributes it cannot otherwise read
- AUTHSERVICEPRIVREAD
ACIs that provide the privileged authservice role with read access to privileged information
- (future) SUADDDEL
- (future) SUDENYREADSEARCHCOMPARE
- (future) SUDENYWRITE
- (future) SUREADWRITE
ACIs that provide (or deny) the privileged superuser role with read/write access to privileged information
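The read-versus-compare split above is the part of this model worth re-checking after every ACI change: the non-privileged gateway credentials must not be able to read (or compare) privileged attributes, and the privileged credentials must be able to compare, but not read, the attributes covered only by the EDIRGW*COMPARE ACIs. The script below is an added example, not code from this page or from the EDIR/AUTHSERV gateways. It binds as edirgw03 and edirpriv03 and compares what the server actually allows with that matrix. Everything it needs beyond the DNs listed on this page is an assumption supplied through environment variables: OpenLDAP-style ldapsearch/ldapcompare on PATH, the server URI, a populated test entry, which attribute is privileged and which is compare-only (the page does not name them), a compare value, and the two bind passwords.

```shell
#!/bin/sh
# Added example; not part of this wiki page or the EDIR/AUTHSERV gateway code.
# Exercises the gateway bind DNs against one directory entry and checks the
# observed access against the ACI model: directoryGatewayRole (edirgw03) reads
# only non-privileged attributes; directoryPrivilegedRole (edirpriv03) also
# reads privileged attributes and may COMPARE, but not read, attributes that
# are covered only by the EDIRGW*COMPARE ACIs.
#
# Assumptions (none come from the page): OpenLDAP-style ldapsearch/ldapcompare
# on PATH; URI, test entry, attribute names, compare value and passwords are
# supplied through the environment variables below.

LDAP_URI="${LDAP_URI:-ldap://localhost:389}"
TARGET="${TARGET:-uid=testuser,ou=people,dc=alaska,dc=edu}"   # assumed test entry
GW_DN="uid=edirgw03,ou=resource,dc=alaska,dc=edu"
PRIV_DN="uid=edirpriv03,ou=resource,dc=alaska,dc=edu"
PUBLIC_ATTR="${PUBLIC_ATTR:-cn}"   # readable by the non-privileged role (assumed)
PRIV_ATTR="${PRIV_ATTR:-}"         # an attribute covered by EDIRGWPRIVREAD
CMP_ATTR="${CMP_ATTR:-}"           # an attribute covered only by an EDIRGW*COMPARE ACI
CMP_VALUE="${CMP_VALUE:-}"         # value to compare CMP_ATTR against

# Map an ldapcompare exit status to a verdict.  OpenLDAP ldapcompare exits 5
# for compareFalse and 6 for compareTrue; LDAP result 50 is
# insufficientAccessRights; anything else is reported as an error.
compare_verdict() {
    case "$1" in
        6)  echo TRUE ;;
        5)  echo FALSE ;;
        50) echo DENIED ;;
        *)  echo "ERROR:$1" ;;
    esac
}

# Classify the LDIF of a base-scope search that asked for one attribute.
# A read-denied attribute is silently omitted from the entry, so ENTRY_ONLY
# means "entry visible, attribute not" and NO_ENTRY means search permission
# itself was missing (or the entry does not exist).
read_verdict() {
    attr="$1"; ldif="$2"
    if ! printf '%s\n' "$ldif" | grep -q '^dn:'; then
        echo NO_ENTRY
    elif printf '%s\n' "$ldif" | grep -qi "^${attr}:"; then
        echo ATTR_VISIBLE
    else
        echo ENTRY_ONLY
    fi
}

# Live probes: bind as $1 with password $2, read / compare attribute $3.
probe_read() {
    out=$(ldapsearch -LLL -x -H "$LDAP_URI" -D "$1" -w "$2" \
              -b "$TARGET" -s base '(objectClass=*)' "$3" 2>/dev/null)
    read_verdict "$3" "$out"
}
probe_compare() {
    rc=0
    ldapcompare -x -z -H "$LDAP_URI" -D "$1" -w "$2" "$TARGET" "$3:$4" \
        >/dev/null 2>&1 || rc=$?
    compare_verdict "$rc"
}

# PASS/FAIL line for one expectation; returns 1 on mismatch.
check() {
    if [ "$2" = "$3" ]; then
        echo "PASS  $1: $3"; return 0
    fi
    echo "FAIL  $1: expected $2, got $3"; return 1
}

main() {
    if [ -z "$PRIV_ATTR" ] || [ -z "$CMP_ATTR" ] || [ -z "${GW_PW:-}" ] || [ -z "${PRIV_PW:-}" ]; then
        echo "set PRIV_ATTR, CMP_ATTR, CMP_VALUE, GW_PW and PRIV_PW first" >&2; return 2
    fi
    fails=0
    # directoryGatewayRole: EDIRGWANYREAD/EMPREAD/STUREAD plus EDIRGWANYCOMPARE only.
    check "edirgw03 read $PUBLIC_ATTR"  ATTR_VISIBLE "$(probe_read "$GW_DN" "$GW_PW" "$PUBLIC_ATTR")" || fails=$((fails+1))
    check "edirgw03 read $PRIV_ATTR"    ENTRY_ONLY   "$(probe_read "$GW_DN" "$GW_PW" "$PRIV_ATTR")"   || fails=$((fails+1))
    # Assumes the server answers a compare it does not permit with result 50.
    check "edirgw03 compare $CMP_ATTR"  DENIED "$(probe_compare "$GW_DN" "$GW_PW" "$CMP_ATTR" "$CMP_VALUE")" || fails=$((fails+1))
    # directoryPrivilegedRole: EDIRGWPRIVREAD plus EDIRGWCOMPARE/EMPCOMPARE/STUCOMPARE.
    check "edirpriv03 read $PRIV_ATTR"  ATTR_VISIBLE "$(probe_read "$PRIV_DN" "$PRIV_PW" "$PRIV_ATTR")" || fails=$((fails+1))
    check "edirpriv03 read $CMP_ATTR"   ENTRY_ONLY   "$(probe_read "$PRIV_DN" "$PRIV_PW" "$CMP_ATTR")"  || fails=$((fails+1))
    v=$(probe_compare "$PRIV_DN" "$PRIV_PW" "$CMP_ATTR" "$CMP_VALUE")
    case "$v" in
        TRUE|FALSE) check "edirpriv03 compare $CMP_ATTR" "$v" "$v" ;;
        *)          check "edirpriv03 compare $CMP_ATTR" "TRUE or FALSE" "$v"; fails=$((fails+1)) ;;
    esac
    echo "$fails failure(s)"
    return "$fails"
}

# Live checks only run with --run; otherwise the file just defines functions.
if [ "${1:-}" = "--run" ]; then
    main
fi
```

Export the variables and invoke the file with --run. Two caveats: the verdict functions cannot distinguish an attribute that is read-denied from one that is simply absent, so the test entry must have every probed attribute populated; and if the server reports a disallowed compare as compareFalse rather than insufficientAccessRights, the edirgw03 compare check will show FALSE instead of DENIED and the expectation should be adjusted rather than read as a leak.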
UNIX GROUPS AND MEMBER ACCOUNTS
Directory Server Groups
group: iplanet
Default group of iplanet account
group: ldapgw
Default group of ldapgw account
group: updategw
- Group used by iplanet to expose files that must be visible to 'nobody'
- Group used by sxldap to expose files that must be visible to 'nobody'
- Owner of Apache processes when executing update process CGI scripts
group: edirgw
- Group used by ldapgw to expose files that must be visible to 'nobody'
- Owner of Apache processes when executing gateway CGI scripts
Directory Server Accounts
account: ldapgw
UNIX account owning CGI scripts representing the EDIR/AUTHSERV web gateways.
- Group Membership
- ldapgw - primary group
- edirgw
- exposes password files to nobody during CGI script execution via group membership
- any files opened during execution of CGI scripts
- <GW>/logs directory where output is written
- other
- UA_Korn (on toklat only)
- .shosts file must allow access by
- <<directory servers>> iplanet
- ldapgw must be listed in the ~ua?synch/.shosts file to permit transfer of the UA?-specific "style" elements utilized by EDIR/AUTHSERV
account: sxldap
UNIX account owning CGI script representing the UPDATE back end gateway.
- Group Membership
- updategw - primary group
- edirgw
- exposes password files to nobody during CGI script execution via group membership
- affects any files opened during execution of CGI scripts
- affects <GW>/logs directory where output is written
- other
- UA_Korn (on toklat and summit only)
- .shosts file must allow access by
- <<directory servers>> iplanet
account: iplanet
UNIX account owning iPlanet directory and web update processes.
- Directory Locations
- ~iplanet/EDIR[TEST|PREP|PROD]/
- ~iplanet/AUTH[TEST|PREP|PROD]/
- All directory maintenance related source code is stored under this account
- ~iplanet/local/ldap/
- .shosts file must allow access by
- <<registry servers>> sxldap
- Group membership
- iplanet - primary group
- other
- edirgw
- associated with files visible to all parties supporting gateways
- updategw
- associated with password files read by CGI scripts
- any files opened during execution of CGI scripts
- <GW>/ldap/web/log directory where output is written
account: nobody
UNIX account under which Apache httpd processes are started and under which EDIR CGI scripts are executed via the web.
- Group membership
- nobody - primary group
- edirgw
- allows CGI scripts running as nobody to read the password files used by the EDIR/AUTHSERV gateway scripts
- updategw
- allows CGI scripts running as nobody to read the password files used by the UPDATE back end scripts
account: ua?synch
UNIX accounts (one per UA? entity) under which UA?-specific "style" elements are maintained for test and preproduction EDIR or AUTHSERV.
- ~ua?synch/[TEST|PREP]/
- .shosts file must allow access by
- <<directory servers>> iplanet # may become obsolete with gw ownership change
- <<directory servers>> ldapgw
- <<ua? entities>>
- Group Membership
- other - primary group
- edirsynch
- facilitate transfer of LDIF to uaasynch account
Note: Production "style" elements are copied from preproduction to the gateway directories; no reliance on links.
Registry Servers - Groups and Accounts
group: SWLDAP
Group used to share output of registry database batch processes where output is owned by oracle and written to /tmp
account: oracle
UNIX account owning oracle processes on registry servers where DBMS_FILE is used in LDIF generation. oracle owns the resulting files and must change their permissions before the registry account (sxldap) can copy them.
- Group Membership
- group SWLDAP
- facilitate change owner on EDIR LDIF
- many other groups not applicable to EDIR processing
account: sxldap
UNIX account under which EDIR Banner Extract processing occurs and from which registry generated LDIF originates. All EDIR registry related source code is stored under this account.
- Master - eklutna:~sxldap/local/ldap/
- sxldap must be listed in ~iplanet/.shosts file to facilitate transfer and application of registry generated LDIF
- Group Membership
- group SWLDAP (primary group)
- group UA_Korn
ORACLE ACCOUNTS AND ROLES
account: OPS$SXLDAP
Oracle schema owning EDIR registry and performing EDIR Banner Extract processing.
- Roles
- Granted role CONNECT
- Granted role LDAP_ROLE (role to which oracle SYS privs are granted)
Note: Table grants are made directly to the OPS$SXLDAP account, which in turn creates objects referencing those tables. See the following files on toklat:
/ODS/product/PROD/bin/grant_*_to_sxldap.sql
account: EDIR_GATEWAY
Oracle schema granted execute and select privilege on OPS$SXLDAP owned registry procedures and views.
- Granted role EDIR_ROLE
role: EDIR_ROLE
Oracle role to which ops$sxldap can grant privileges so that EDIR_GATEWAY has access.
Note: Historically, all grants on OPS$SXLDAP objects are made to the EDIR_GATEWAY via the SQL source scripts for creating the objects. We haven't been utilizing the role. See eklutnat:~sxldap/local/ldap/registry/*.sql
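Moving the direct grants onto EDIR_ROLE is mostly mechanical once the current grants are listed. The following is an added example, not a script from this page or the EDIR registry code: it lists the OPS$SXLDAP object privileges held directly by EDIR_GATEWAY from DBA_TAB_PRIVS and generates a migration script that grants each one to EDIR_ROLE before revoking it from the user. It assumes sqlplus on PATH and a DBA connect string in ORA_CONN; the object names in the sample input are made up.

```shell
#!/bin/sh
# Added example; not part of this page or the EDIR registry scripts.  Moves the
# direct grants described above (OPS$SXLDAP objects granted straight to
# EDIR_GATEWAY) onto EDIR_ROLE, which EDIR_GATEWAY already holds.
# Assumptions (not from the page): sqlplus on PATH and a DBA connect string in
# ORA_CONN (for example "/ as sysdba").

# Current direct grants on OPS$SXLDAP objects, one "OWNER|TABLE_NAME|PRIVILEGE"
# line each, from the DBA_TAB_PRIVS view.
list_direct_grants() {
    sqlplus -S "$ORA_CONN" <<'EOF'
SET PAGESIZE 0 FEEDBACK OFF HEADING OFF
SELECT owner || '|' || table_name || '|' || privilege
  FROM dba_tab_privs
 WHERE grantee = 'EDIR_GATEWAY' AND owner = 'OPS$SXLDAP'
 ORDER BY table_name, privilege;
EOF
}

# Emit GRANT-to-role followed by REVOKE-from-user for one "OWNER|TABLE|PRIV"
# line.  Granting to the role first keeps EDIR_GATEWAY's access uninterrupted;
# identifiers are double-quoted because of the $ in OPS$SXLDAP.
grant_via_role() {
    case "$1" in
        *\|*\|*) ;;
        *) echo "grant_via_role: malformed line: $1" >&2; return 1 ;;
    esac
    owner=${1%%|*}; rest=${1#*|}; table=${rest%%|*}; priv=${rest#*|}
    printf 'GRANT %s ON "%s"."%s" TO EDIR_ROLE;\n' "$priv" "$owner" "$table"
    printf 'REVOKE %s ON "%s"."%s" FROM EDIR_GATEWAY;\n' "$priv" "$owner" "$table"
}

# Read grant lines on stdin and write a complete migration script on stdout.
build_migration() {
    n=0
    echo '-- generated: move OPS$SXLDAP direct grants from EDIR_GATEWAY to EDIR_ROLE'
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        grant_via_role "$line"
        n=$((n+1))
    done
    echo "-- $n grant(s) migrated"
}

# Stand-alone use: sh this_script --run > migrate_grants.sql, review the
# output, then run it as a DBA.  Without --run only the functions are defined.
if [ "${1:-}" = "--run" ]; then
    list_direct_grants | build_migration
fi
```

Review the generated script before running it. Privileges received through a role are not visible inside definer's-rights PL/SQL or views owned by the grantee, so if EDIR_GATEWAY owns any stored object that references an OPS$SXLDAP table, procedure or view, the direct grant for that object must stay; the REVOKE lines for those objects should be deleted from the generated script.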
########################################################
LEGACY CHANGE HISTORY - NOTE: All subsequent changes are recorded in TracWiki
########################################################
20071031 elm added section about oracle_[en|dis]able_updates.ksh scripts
20081114 elm added reference to credentials, roles, ACIs soon to be associated with update back end under sxldap ownership rather than iplanet ownership