wiki:ALL__security_edirrole

Version 3 (modified by lttoth@…, 10 years ago) (diff)

Revised to reflect current status.

EDIRrole and Associated iPlanet Roles

Original author: Beth Mercer - 20081103

Note: Though out this document are references to ldap_*<Inst> commands. Those are simply scripted invocations of the associated ldap* utilities that make it possible to search the directory, and to add, modify and delete directory data using the Directory Manager credentials. The ldap_*<Inst> scripts can be found on the "e" boxes under ~iplanet/local/ldap/scripts.

EDIRrole Overview

EDIRrole is a locally defined attribute used to make attribute based authorization decisions within EDIR, AUTHSERV, their UPDATE back end and at the directory level itself. Within the web gateways, the presence or absense of an EDIRrole value determines whether or not a user is allowed to interact with an administrative form. At the UPDATE back end, the presence or absense of an EDIRrole value determines whether or not a restricted function relying on agent credentials rather than user credentials will be performed at the request of a particular user. At the directory level, EDIRrole values are referenced by iPlanet roles which are associated with ACIs that provide update access to groups of directory records.

EDIRroles are given meaning by the web gateways, backend and directory roles that reference them.

EDIRrole General Groupings

There are currently 2900+ distinct EDIRrole values but most fall under the following general categories:

EDIRrole Identity Permissions Granted
ADadmin Administration of AD related attributes
EDIRadmin Administration of any self service attribute
abideByFERPA View FERPA protected student records
deptAdmin<unitUIDpattern> Update unit records
emailAdmin Administration of email related attributes
emplAdmin<unitUIDpattern> Update people records associated with unit
helpDesk Perform restricted account management tasks
phoneBook Administration of phoneBook related attributes
secretaryAdmin Administration of the secretary attribute
sponsorAccount Sponsor directory records (includes guest account creation )
tklAdmin<TKLpattern> Update people records associated with TKL

The greatest variety exists in the deptAdmin* emplAdmin* and tklAdmin* EDIRrole values. Those roles are scoped to allow access to a single unit/TKL or a group of units/TKLs which roll up to a common record.

EDIRrole Provisioning

EDIRrole values are provisioned on ou=people records by the ZUAUSR application when it processes super classes that contain EDIR related grants. Since ZUAUSR is an application that supports provisioning of administrative access only to employee accounts (and a handful of exceptions), EDIRrole values must be manually provisioned by OIT Technical Services Account Administration staff on ou=resource records and on any ou=people records not handled by ZUAUSR.

iPlanet Roles

The iPlanet roles based on EDIRrole values are divided into two categories:

  • those that apply to people accessing other records
  • those that apply to resource accounts accessing other records.

The iPlanet roles that govern people's access require that the person requesting access have a current job assignment. That helps insure that users who leave the university do not retain viable directory access even if account administration practices do not result in the timely revocation of administrative accesses. The following example shows the controls for permission to administer EDIR.

$ iplanet@egegik> cat role.EDIRadminRole.ldif         
dn: cn=EDIRadminRole,ou=people,dc=alaska,dc=edu
objectclass: top
objectclass: LDAPsubentry
objectclass: nsRoleDefinition
objectclass: nsComplexRoleDefinition
objectclass: nsFilteredRoleDefinition
cn: EDIRadminRole
nsRoleFilter: (&(EDIRROLE=*)(EDIRrole=EDIRadmin)(eduPersonAffiliation=Employee)(assignmentCount=*)(!(assignmentCount=0)))
Description: filtered role for entities administering EDIR

Resource credentials on the other hand are granted to applications not people and applications do not have current job assignments so the assignment criteria is omitted:

$ iplanet@egegik> cat role.EDIRadminRole.resource.ldif
dn: cn=EDIRadminRole,ou=resource,dc=alaska,dc=edu
objectclass: top
objectclass: LDAPsubentry
objectclass: nsRoleDefinition
objectclass: nsComplexRoleDefinition
objectclass: nsFilteredRoleDefinition
cn: EDIRadminRole
nsRoleFilter: (&(EDIRROLE=*)(EDIRrole=EDIRadmin))Description: filtered role for resource entities administering EDIR

Managing iPlanet Roles

The legacy method for managing iPlanet roles was to access a role.<role name>.ldif file and modify the LDAP EDIR listing accordingly. I find no evidence of the following on the production iPlanet directories for the IDMP cluster. If these are used, they are used solely via EDIR, despite the LDAP scripts and management details residing on idml-3.alaska.edu.

Current IAM documentation refers users to the Sun iPlanet documents to complete these tasks.

Legacy iPlanet Roles

The following is a listing of LDIF files remaining on the "E" boxes that correspond to iPlanet roles that were defined in the legacy method:

iplanet@edgar.alaska.edu> find . -name role.*
./local/ldap/schema/ROLE/role.HelpDeskRole.ldif.20050511elm
./local/ldap/schema/ROLE/role.EDIRadminRole.resource.ldif
./local/ldap/schema/ROLE/role.emailAdminRole.ldif.20050511elm
./local/ldap/schema/ROLE/role.passwordSynchRole.resource.ldif
./local/ldap/schema/ROLE/role.authserviceRole.resource.ldif
./local/ldap/schema/ROLE/role.twoStepBindrole.resource.ldif
./local/ldap/schema/ROLE/role.EDIRadminRole.ldif
./local/ldap/schema/ROLE/role.authservicePrivilegedRole.resource.ldif
./local/ldap/schema/ROLE/role.acceptedFERPArole.ldif.20060407elm
./local/ldap/schema/ROLE/role.HelpDeskRole.ldif
./local/ldap/schema/ROLE/role.EDIRadminRole.departments.ldif
./local/ldap/schema/ROLE/role.deptAdminRole.ldif.20050511elm
./local/ldap/schema/ROLE/role.ADadminRole.ldif
./local/ldap/schema/ROLE/role.abideByFERPArole.resource.ldif
./local/ldap/schema/ROLE/role.ADadminRole.people.ldif
./local/ldap/schema/ROLE/role.HelpDeskStudentRole.ldif.20050422elm.not_used
./local/ldap/schema/ROLE/role.deptAdminRole.ldif.20030908eml
./local/ldap/schema/ROLE/role.directoryGatewayRole.ldif
./local/ldap/schema/ROLE/role.phoneBookRole.ldif.20050511elm
./local/ldap/schema/ROLE/role.superUserRole.resource.ldif
./local/ldap/schema/ROLE/role.secretaryAdminRole.ldif.20050511elm
./local/ldap/schema/ROLE/role.EDIRadminRole.routing.ldif
./local/ldap/schema/ROLE/role.directoryPrivilegedRole.resource.ldif
./local/ldap/schema/ROLE/role.authserviceRole.ldif
./local/ldap/schema/ROLE/role.phoneBookRole.ldif.20050303
./local/ldap/schema/ROLE/role.emailAdminRole.resource.ldif.20050603elm
./local/ldap/schema/ROLE/role.directoryGatewayRole.resource.ldif
./local/ldap/schema/ROLE/role.EDIRadminRole.resource.ldif.20070607
./local/ldap/schema/ROLE/role.passwordSynchRole.ldif
./local/ldap/schema/ROLE/role.EDIRadminRole.resource.ldif.20060710
./local/ldap/schema/ROLE/role.administratorsRole.ldif
./local/ldap/schema/ROLE/role.acceptedFERPArole.ldif
./local/ldap/schema/ROLE/role.passwordSynchRole.ldif.20060511
./local/ldap/schema/ROLE/role.passwordSynchRole.ldif.20070307
./local/ldap/schema/ROLE/role.GAE-EDIRgadgetRole.resource.ldif
./local/ldap/schema/ROLE/role.directoryPrivilegedRole.ldif
./local/ldap/schema/ROLE/role.acceptedFERPArole.ldif.20050511elm
./local/ldap/schema/ROLE/role.EDIRadminRole.group.ldif
./local/ldap/schema/ROLE/role.HelpDeskRole.resource.ldif.20050603elm
./local/ldap/schema/ROLE/role.ADadminRole.resource.ldif
./local/ldap/schema/ROLE/role.authservicePrivilegedRole.ldif
./local/ldap/schema/ROLE/role.emplAdminRole.ldif.20050203
./local/ldap/schema/ROLE/role.tklAdminRole.ldif
./local/ldap/schema/ROLE/role.abideByFERPArole.resource.ldif.20070607
./local/ldap/schema/ROLE/role.emailAdminRole.ldif
./local/ldap/schema/ROLE/role.phoneBookRole.ldif
./local/ldap/schema/ROLE/role.emplAdminRole.resource.ldif
./local/ldap/schema/ROLE/role.UaSystemIdRole.resource.ldif
./local/ldap/schema/ROLE/role.secretaryAdminRole.ldif
./local/ldap/schema/ROLE/role.emplAdminRole.ldif.20050511elm
./local/ldap/schema/ROLE/role.EDIRadminRole.ldif.20050511elm
./local/ldap/schema/ROLE/role.deptAdminRole.ldif
./local/ldap/schema/ROLE/role.emplAdminRole.ldif
./local/ldap/schema/ROLE/role.CurrentMailRole.resource.ldif
./local/ldap/schema/ROLE/role.tklAdminRole.ldif.20050511elm
./local/ldap/schema/ROLE/role.administratorsRole.ldif.20050511elm
./local/ldap/schema/ROLE/role.authserviceRole.ldif.tmp
./local/ldap/schema/ROLE/role.abideByFERPArole.ldif
./local/ldap/schema/ROLE/role.HelpDeskRole.ldif.20030716elm

Running the Scripts to Add and Delete Defined Roles

To delete a role enter ldap_delete<instance> at the command line prompt. The output will resemble the following:

	iplanet@egegik> ldap_deleteTest 
	inst: test
	port: 13338
	
	
	ldapdelete: started Mon Nov  3 16:35:08 2008
	
	ldap_init( egegik, 13338 )
	ldaptool_getcertpath -- /e01/iplanet/servers/alias/slapd-egegiktest-cert8.db
	ldaptool_getkeypath -- /e01/iplanet/servers/alias/slapd-egegiktest-cert8.db
	ldaptool_getdonglefilename -- (null)
	cn=EDIRadminRole,ou=resource,dc=alaska,dc=edu
	deleting entry cn=EDIRadminRole,ou=resource,dc=alaska,dc=edu
	entry removed
	<ctrl+d>

To add a role, enter ldap_add<instance> at the command line prompt. The output will resemble the following:

	iplanet@egegik> ldap_addTest -f role.EDIRadminRole.resource.ldif             
	inst: test
	port: 13338
	
	
	ldapmodify: started Mon Nov  3 16:35:25 2008
	
	ldap_init( egegik, 13338 )
	ldaptool_getcertpath -- /e01/iplanet/servers/alias/slapd-egegiktest-cert8.db
	ldaptool_getkeypath -- /e01/iplanet/servers/alias/slapd-egegiktest-cert8.db
	ldaptool_getdonglefilename -- (null)
	add objectclass:
	        top
	        LDAPsubentry
	        nsRoleDefinition
	        nsComplexRoleDefinition
	        nsFilteredRoleDefinition
	add cn:
	        EDIRadminRole
	add nsRoleFilter:
	        (&(EDIRROLE=*)(EDIRrole=EDIRadmin))
	add Description:
	        filtered role for resource entities administering EDIR
	adding new entry cn=EDIRadminRole,ou=resource,dc=alaska,dc=edu
	modify complete

iPlanet roles created for ou=people,dc=alaska,dc=edu and ou=resource,dc=alaska,dc=edu in a directory instance on one server are automatically replicated to the same directory instance on all other servers. That is because roles are simply another form of directory data and those branches of the directory are configured for automatic replication of directory data changes.