| | 1 | 20081103 elm Directory Account Administration |
| | 2 | |
| | 3 | See also: |
| | 4 | |
| | 5 | https://donnelly.alaska.edu/docs/LDAP/ALL__security |
| | 6 | https://donnelly.alaska.edu/docs/LDAP/ALL__security_access_control |
| | 7 | |
| | 8 | The Enterprise Directory is utilized not just as an electronic white pages, it |
| | 9 | is also utilized to authentication and in some cases authorize user access to |
| | 10 | external applications. The EDIR and AUTHSERV web gateways, MyUA and OnBase are |
| | 11 | examples of external applications relying on directory authentication and |
| | 12 | authorization. |
| | 13 | |
| | 14 | Directory records that can be used for authentication/authorization are those |
| | 15 | associated with people or applications. Records for people and applications |
| | 16 | differ from other directory records in that they have passwords used in binding |
| | 17 | to the directory (the ability to bind successfully to the directory results in |
| | 18 | successful authentication). People and application records reside in branches |
| | 19 | of the directory clearly identifiable ou= in the RDN: |
| | 20 | |
| | 21 | uid=*,ou=people,dc=alaska,dc=edu |
| | 22 | uid=*,ou=resource,dc=alaska,dc=edu |
| | 23 | |
| | 24 | Because ou=people and ou=resource directory records can be used for directory |
| | 25 | authentication, they are often referred to as "accounts". |
| | 26 | |
| | 27 | Additional branches of the directory exist to store other directory records |
| | 28 | but those records are not associated with passwords and can not be used to |
| | 29 | bind to the directory: |
| | 30 | |
| | 31 | uid=*,ou=routing,dc=alaska,dc=edu |
| | 32 | uid=*,ou=departments,dc=alaska,dc=edu |
| | 33 | uid=*,ou=group,dc=alaska,dc=edu |
| | 34 | |
| | 35 | |
| | 36 | ###################### |
| | 37 | ## Account Creation ## |
| | 38 | ###################### |
| | 39 | |
| | 40 | # ou=people |
| | 41 | |
| | 42 | Accounts for people are created via one of two mechanisms; the EDIR Banner Extract |
| | 43 | process and the AUTHSERV sponsor_account CGI script/web page. The vast majority |
| | 44 | of people accounts originate from the Banner Extract and/or are tied to Banner |
| | 45 | entities. However, the web page for sponsoring accounts allows for the creation of |
| | 46 | "guest" accounts; accounts that do not correspond to any Banner entity. |
| | 47 | |
| | 48 | Account sponsorship (including guest account creation) is ultimately performed at |
| | 49 | the update back-end and only after first confirming that the requesting party is |
| | 50 | entitled to sponsor accounts. |
| | 51 | |
| | 52 | # ou=resource |
| | 53 | |
| | 54 | Accounts utilized by applications are created only via the AUTHSERV seed_resource CGI |
| | 55 | script/web page. Ultimately it is the update back-end which generates the resource |
| | 56 | account after first confirming that the requesting party is entitled to request |
| | 57 | resource account creation.. |
| | 58 | |
| | 59 | |
| | 60 | ##################################### |
| | 61 | ## Account Activation/Inactivation ## |
| | 62 | ##################################### |
| | 63 | |
| | 64 | # ou=people |
| | 65 | |
| | 66 | The presence of a password signifies that an account is active. Prior to the advent |
| | 67 | of ELMO, a directory account could not be claimed, and user known password established, |
| | 68 | unless the account had first been activated (given a default password). With the |
| | 69 | advent of ELMO, an account need no longer be activated prior to claiming. However, it |
| | 70 | is still true that the old AUTHSERV form for account claiming - first_time - is |
| | 71 | dependent on prior account activation. |
| | 72 | |
| | 73 | Accounts for people generated via the EDIR Banner Extract are created inactive. |
| | 74 | Those accounts are claimed and given a user known password via the UAS written and |
| | 75 | maintained ELMO interface: |
| | 76 | |
| | 77 | https://elmo.alaska.edu |
| | 78 | |
| | 79 | Accounts for people generated via the AUTHSERV sponsor_account page are activated on |
| | 80 | creation (i.e. given a default password). The reason is based on the historical need |
| | 81 | for an account to be activated before it could be claimed and the fact that accounts |
| | 82 | being sponsored were expected to be claimed for the purpose of accessing external |
| | 83 | applications. |
| | 84 | |
| | 85 | https://authserv.alaska.edu/cgi-bin/sponsor_account |
| | 86 | |
| | 87 | For the most part, these accounts too can be claimed via ELMO. However, there are known |
| | 88 | issues with claiming guest accounts via ELMO and those users are directed to use the old |
| | 89 | AUTHSERV first_time page as an alternate method of account claiming: |
| | 90 | |
| | 91 | https://authserv.alaska.edu/cgi-bin/first_time |
| | 92 | |
| | 93 | Accounts can be activated/inactivated by authorized staff using the AUTHSERV activate |
| | 94 | CGI script/web page. |
| | 95 | |
| | 96 | https://authserv.alaska.edu/cgi-bin/activate |
| | 97 | |
| | 98 | In addition, a nightly batch process looks for an inactivates directory accounts |
| | 99 | previously activated but still unclaimed after 14 days. |
| | 100 | |
| | 101 | ~iplanet/local/ldap/scripts/account_managementProd.ksh |
| | 102 | |
| | 103 | # ou=resource |
| | 104 | |
| | 105 | Application accounts are created inactive via the AUTHSERV seed resource CGI script/ |
| | 106 | web page. |
| | 107 | |
| | 108 | https://authserv.alaska.edu/cgi-bin/seed_resource |
| | 109 | |
| | 110 | An individual with shell access to the "e" boxes must activate application accounts |
| | 111 | by generating and running a script that establishes a known password (using Directory |
| | 112 | Manager credentials) and then changes that known password using the application account |
| | 113 | credentials. The same scripts are used to reset an application account password |
| | 114 | should the password expire or be forgotten. For that reason, the scripts are named |
| | 115 | with a reset_ prefix. |
| | 116 | |
| | 117 | See ~iplanet/local/ldap/schema/RESET/ for examples of those scripts. |
| | 118 | |
| | 119 | NOTE: Application account passwords are set initially to expire in 2020. |
| | 120 | |
| | 121 | |
| | 122 | ############################# |
| | 123 | ## Password Changes/Resets ## |
| | 124 | ############################# |
| | 125 | |
| | 126 | # ou=people |
| | 127 | |
| | 128 | Account passwords for most people can be changed via the ELMO interface. This is |
| | 129 | true whether the password is active or has expired, is known or is unknown. As |
| | 130 | stated earlier about account claiming, some guest accounts will be unsuccessful |
| | 131 | utilizing ELMO and will be directed to the old AUTHSERV password change or self |
| | 132 | reset CGI scripts/web pages: |
| | 133 | |
| | 134 | https://authservtest.alaska.edu/cgi-bin/passwd_chg |
| | 135 | https://authservtest.alaska.edu/cgi-bin/self_reset |
| | 136 | https://authservtest.alaska.edu/cgi-bin/post_reset |
| | 137 | |
| | 138 | When using the old AUTHSERV pages, the user either changes a known password or resets an |
| | 139 | unknown/expired password. When reset, passwords are set to a default value based on a |
| | 140 | number and date (generally SSN and birthdate) supplied to the account creation process. |
| | 141 | The post reset page prompts for that number and date and allows the user to establish a |
| | 142 | new password. |
| | 143 | |
| | 144 | # ou=resource |
| | 145 | |
| | 146 | Application account passwords can be changed by the account holder only by using the old |
| | 147 | EDIR change_passwd CGI script/web page. Application account password changes result in a |
| | 148 | standard 400 day expiration, not the 2020 expiration established when the account is first |
| | 149 | activated. It is the application account holder's responsibility to insure the password |
| | 150 | is changed before expiration. |
| | 151 | |
| | 152 | There is currently no mechanism by which an application accounts can perform a self reset |
| | 153 | should a password expire or become forgotten. Expired application account passwords must |
| | 154 | be reset/changed by an individual with shell access to the "e" boxes where the "reset_" |
| | 155 | scripts are maintained. |
| | 156 | |
| | 157 | |
| | 158 | ##################### |
| | 159 | ## Account Locking ## |
| | 160 | ##################### |
| | 161 | |
| | 162 | # ou=people |
| | 163 | |
| | 164 | Accounts for either people or applications can be locked via the AUTHSERV lock and |
| | 165 | administrative lock CGI scripts/web pages: |
| | 166 | |
| | 167 | https://authservtest.alaska.edu/cgi-bin/lock |
| | 168 | https://authservtest.alaska.edu/cgi-bin/admin_lock |
| | 169 | |
| | 170 | The difference between the two lock types is in the privilege necessary to add or remove |
| | 171 | the lock. Any one with the HelpDesk or EDIRadmin EDIRrole grants may establish or remove |
| | 172 | a normal lock. Only people with the EDIRadmin EDIRrole grant may establish or remove |
| | 173 | an administrative lock. The type of lock can be identified by the accountStatusFlag |
| | 174 | attribute: |
| | 175 | |
| | 176 | accountStatusFlag=L (regular lock, writable by HelpDesk or EDIRadmin EDIRrole) |
| | 177 | accountStatusFlag=AL (administrative lock, writable by EDIRadmin EDIRrole) |
| | 178 | |
| | 179 | Administrative locks are most likely placed on an account in the advent of a security action |
| | 180 | which results in the immediate suspension of account access. |
| | 181 | |
| | 182 | # ou=resource |
| | 183 | |
| | 184 | Existing forms for locking accounts were designed to support locking of people accounts |
| | 185 | and do not currently support the locking of application accounts. |
| | 186 | |
| | 187 | ####################### |
| | 188 | DOCUMENT CHANGE HISTORY |
| | 189 | |
| | 190 | 20081031 elm corrected typos |
| | 191 | 20081103 elm added "See also:" section with links to other security related docs |
| | 192 | |
| | 193 | # eof |
