Context Navigation

Changes between Version 3 and Version 4 of ALL__security_acis

Timestamp:: 11/24/14 16:57:36 (10 years ago)
Author:: lttoth@…
Comment:: --

Legend:

: Unmodified
: Added
: Removed
: Modified

ALL__security_acis

-                      v3
+                      v4
                       and link both roles to the ACI in this step.
 ===7.  Invoke the macro which constructs the entire set of ACI creation commands ===
  from the ACI Attribs and ACI Logic tabbed pages:
+=== 7.  Invoke the macro which constructs the entire set of ACI creation commands ===
+This macro is invoked from the ACI Attribs and ACI Logic tabbed pages:
       SHIFT+CONTROL+L
+      * SHIFT+CONTROL+L
+    In the resulting dialog box, accept the default of ALL OUs and click OK.  This will build the ACI creation commands
+    in LDIF on the LDIF tabbed page.  When the macro completes, save the workbook with all your changes.
+In the resulting dialog box, accept the default of ALL OUs and click OK.  This will build the ACI creation commands in LDIF on the LDIF tabbed page.  When the macro completes, save the workbook with all your changes.
 === 8.  Transfer the ACI creation commands from the LDIF tabbed page ===
  of the spreadsheet to a text file on a directory host.
+Transfer from the LDIF tabbed pageof the spreadsheet to a text file on a directory host.
+    On any "e" box, as UNIX user iplanet
+      cd /export/home/iplanet/local/ldap/schema/ACI
+      ls -ltr
+    Note the most recent ACI creation file in the directory.  The name will be of the form
+. On any "e" box, as UNIX user iplanet
+      * cd /export/home/iplanet/local/ldap/schema/ACI
+      * ls -ltr
+. Note the most recent ACI creation file in the directory.  The name will be of the form
       user_update.<yyyymmdd><initials>_<description of changes to ACI>
+    If you introduce some problem into the directory with your new ACI, you will use this older ACI file to restore the
+    directory to its previous state.
+    Open a new ACI file with your favorite text editor. Copy-and-paste the entire content of the LDIF tabbed page of the
+    spreadsheet into the file.
+. If you introduce some problem into the directory with your new ACI, you will use this older ACI file to restore the directory to its previous state.
+. Open a new ACI file with your favorite text editor. Copy-and-paste the entire content of the LDIF tabbed page of the spreadsheet into the file.
 === 9.  Add the new ACI to the Test directory ===
 by dropping and recreating all ACIs in that instance.
+Accomplish this by dropping and recreating all ACIs in that instance.
+      apply_acisTest.ksh  <your ACI file name>
+. apply_acisTest.ksh  <your ACI file name>
+. apply_acisTest.ksh is in /export/home/iplanet/local/ldap/scripts, and writes standard output and standard error, respectively, to the files apply_acisTest.out and apply_acisTest.err in that directory.
+. After apply_acisTest.ksh completes, review its standard error in apply_acisTest.err.  A single line like this is an
+    expected, ignorable error:
+      *  ldap_modify: No such attribute
+    apply_acisTest.ksh is in /export/home/iplanet/local/ldap/scripts, and writes standard output and standard error,
+    respectively, to the files apply_acisTest.out and apply_acisTest.err in that directory.
+Any other errors represent problems with the ACI file which must be corrected.  If they cannot be resolved, roll back the changes you made by dropping and recreating all ACIs with the previous ACI file you identified in Step 4 above.
+    After apply_acisTest.ksh completes, review its standard error in apply_acisTest.err.  A single line like this is an
+    expected, ignorable error:
+      ldap_modify: No such attribute
+    Any other errors represent problems with the ACI file which must be corrected.  If they cannot be resolved, roll back
+    the changes you made by dropping and recreating all ACIs with the previous ACI file you identified in Step 4 above.
+    N.B. The ignorable error is caused by the first command in the ACI file, which attempts to drop all ACIs in the root
+    of the directory tree (dn: dc=Alaska,dc=edu).  Normally there are no ACIs there.
+N.B. The ignorable error is caused by the first command in the ACI file, which attempts to drop all ACIs in the root of the directory tree (dn: dc=Alaska,dc=edu).  Normally there are no ACIs there.
 === 10. Make the ACI change visible to the EDIR and AUTHSERV gateways ===
+ by running the following two scripts on all of the "e"
+    boxes (or at least on those "e" boxes serving EDIR/AUTHSERV, which are currently egegik and eklutna).  The gateways
+    cannot see the ACIs inside the LDAP server and so depend on the files updated by these scripts to find out what
+    updateable fields they should show to users.  These scripts will be run every morning via Appworx if you miss this step:
+Running the following two scripts on the "E" boxes (or at least on those "E" boxes serving EDIR/AUTHSERV, which are currently egegik and eklutna).  make ACI changes visible to the gateways.  The gateways cannot see the ACIs inside the LDAP server and so depend on the files updated by these scripts to find out what updateable fields they should show to users.  These scripts will be run every morning via Appworx if you miss this step:
       (as iplanet) ~iplanet/local/ldap/scripts/static_list_maint.ksh Test
       (as ldapgw)  ~ldapgw/local/scripts/static_list_maint.ksh Test
+      * AS iPLANET:  ~iplanet/local/ldap/scripts/static_list_maint.ksh Test
+      * AS LDAPGW:   ~ldapgw/local/scripts/static_list_maint.ksh Test
 === 11. Special Cases ===
+=== 11. Special Case ===
+If you defined the ACI on the ACI Logic tabbed page using a roledn in the ACI bind rule, e.g.
+      ldap:///cn=fooRole,ou=resource,dc=alaska,dc=edu
+    Then you will need to create an iPlanet role with that DN.  This role that you create will include an EDIRrole name,
+    chosen by you, which you can grant to a resource or people account.   This is the mechanism that links the ACI you created
+    to an account which will benefit from or be restricted by the ACI: the ACI names an iPlanet role, the iPlanet role names a
+    EDIRrole, and the EDIRrole is an attribute of the account.
+    Create the entry for the role.  The name you choose for the EDIRrole does not need to be the same name as the cn you already
+    chose for the iPlanet role, but if the EDIRrole will only comprise one iPlanet role then it may be the simplest naming
+    convention to follow.
+        dn: cn=<name of iPlanet role, e.g. fooRole>,ou=resource,dc=alaska,dc=edu
+        objectclass: top
+        objectclass: LDAPsubentry
+        objectclass: nsRoleDefinition
+        objectclass: nsComplexRoleDefinition
+        objectclass: nsFilteredRoleDefinition
+        cn: <name of iPlanet role, e.g. fooRole>
+        nsRoleFilter: (&(EDIRROLE=*)(EDIRrole=<name of EDIRrole, e.g. fooRole))
+        Description: filtered role for <purpose of iPlanet role, i.e. what does underlying ACI allow or forbid>
+    Feed the LDIF above to the directory with ldap_add<Instance>, e.g. ldap_addTest < myFile.ldif.
+    The role will replicate to all the other LDAP servers.  Place the LDIF in ~iplanet/local/ldap/schema/ROLE/ on all the
+    "e" hosts for possible future reference.
+    Now grant the EDIRrole to the people or resource account which you want to benefit from (or be restricted by) the ACI you
+    created:
+        dn: uid=<uid of people or resource account>,ou=<resource or people, as appropriate>,dc=alaska,dc=edu
+        changetype: modify
+        add: EDIRrole
+        EDIRrole: <name of edirRole, e.g. fooRole>
+    Feed the LDIF above to the directory with ldap_modify<Instance>, e.g. ldap_modifyTest.
+You defined the ACI on the ACI Logic tabbed page using a roledn in the ACI bind rule as follows:
+    *  ldap:///cn=fooRole,ou=resource,dc=alaska,dc=edu
+==== Actions ====
+. You will need to create an iPlanet role with that DN.  This role that you create will include an EDIRrole name, chosen by you, which you can grant to a resource or people account.   This is the mechanism that links the ACI you created to an account which will benefit from or be restricted by the ACI: the ACI names an iPlanet role, the iPlanet role names a EDIRrole, and the EDIRrole is an attribute of the account.
+. Create the entry for the role.  The name you choose for the EDIRrole does not need to be the same name as the cn you already chose for the iPlanet role, but if the EDIRrole will only comprise one iPlanet role then it may be the simplest naming convention to follow.
+        * dn: cn=<name of iPlanet role, e.g. fooRole>,ou=resource,dc=alaska,dc=edu
+        * objectclass: top
+        * objectclass: LDAPsubentry
+        * objectclass: nsRoleDefinition
+        * objectclass: nsComplexRoleDefinition
+        * objectclass: nsFilteredRoleDefinition
+        * cn: <name of iPlanet role, e.g. fooRole>
+        * nsRoleFilter: (&(EDIRROLE=*)(EDIRrole=<name of EDIRrole, e.g. fooRole))
+        * Description: filtered role for <purpose of iPlanet role, i.e. what does underlying ACI allow or forbid>
+. Feed the LDIF above to the directory with ldap_add<Instance>, e.g. ldap_addTest < myFile.ldif.
+        * The role will replicate to all the other LDAP servers.  Place the LDIF in ~iplanet/local/ldap/schema/ROLE/ on all the "E" hosts for possible future reference.
+. Now grant the EDIRrole to the people or resource account which you want to benefit from (or be restricted by) the ACI you created:
+        * dn: uid=<uid of people or resource account>,ou=<resource or people, as appropriate>,dc=alaska,dc=edu
+        * changetype: modify
+        * add: EDIRrole
+        * EDIRrole: <name of edirRole, e.g. fooRole>
+. Feed the LDIF above to the directory with ldap_modify<Instance>, e.g. ldap_modifyTest.
 === 12. Test the new ACI. ===
  If it works correctly, promote the new ACI to Prep and Production in turn by repeating Step 5 with
+    the apply_acisPrep.ksh and apply_acisProd.ksh scripts.  If the ACI does not and cannot be made to work correctly, roll
+    back the changes you made by dropping and recreating all ACIs with the previous ACI file you identified in Step 4 above.
+    Note that defined the ACI on the ACI Logic tabbed page using a roledn in the ACI bind rule, you will need to create an
+    EDIRrole and assign it to the
+the apply_acisPrep.ksh and apply_acisProd.ksh scripts.  If the ACI does not and cannot be made to work correctly, roll back the changes you made by dropping and recreating all ACIs with the previous ACI file you identified in Step 4 above.
+Note that defined the ACI on the ACI Logic tabbed page using a roledn in the ACI bind rule, you will need to create an EDIRrole and assign it to the
 === 13. Copy the ACI file you created to the other directory hosts ===