| | 1 | = AUTHSERV GATEWAY SCRIPTS = |
| | 2 | Original author: Beth Mercer - 20081031 |
| | 3 | |
| | 4 | == Overview == |
| | 5 | The AUTHSERV interface originated with the EDIR web gateway but was separated from the |
| | 6 | EDIR interface in July of 2005. Because it started out as part of EDIR, the Perl |
| | 7 | modules that are utilized by the AUTHSERV interface contain many functions that are |
| | 8 | simply not pertinent to the AUTHSERV interface. Someday they may be dropped. |
| | 9 | |
| | 10 | == Configuration Files == |
| | 11 | |
| | 12 | Configuration files are located for every instance under $HOME/AUTHSERV<''INST''>/config |
| | 13 | |
| | 14 | === admin_actions.cfg === |
| | 15 | This file contains data from which Admin Actions pick list is built. The |
| | 16 | file can be copied to all servers hosting the same AUTHSERV instance. |
| | 17 | |
| | 18 | === registered_clients.cfg === |
| | 19 | This file contains data used by authentication service to determine if authentication is performed and. If authentication was performed it then determines what information is provided as a result of authentication and confirmation of authentication. The file can be copied to all servers hosting the same AUTHSERV instance |
| | 20 | === runtime_common.cfg === |
| | 21 | This file contains a subset of runtime configuration elements that are constant between servers hosting gateway - see runtime.cfg. The file can be copied to all servers hosting the same AUTHSERV instance. |
| | 22 | === runtime.cfg === |
| | 23 | This file contains runtime configuration data used by AUTHSERV CGI scripts |
| | 24 | |
| | 25 | ||= Script Name =||= Description =|| |
| | 26 | ||all_servers || list of all supported AUTHSERV hosts (sxmpa 2/13/2010 - I cannot find anywhere in the AUTHSERV gateway code where this configuration variable is read out of runtime.cfg) || |
| | 27 | ||authserv_agent || RDN of credentials utilized by AUTHSERV web gateway for unauthenticated directory access || |
| | 28 | ||authserv_gateway_link || URL to AUTHSERV web gateway || |
| | 29 | ||authserv_server_link || URL to server specific AUTHSERV web gateway (Equalizer issue) || |
| | 30 | ||authserv_gateway_name || name of AUTHSERV web gateway || |
| | 31 | ||authserv_passwd_file || path reference to authserv_agent password file || |
| | 32 | ||authserv_server_link || URL to server specific AUTHSERV web gateway (Equalizer issue) || |
| | 33 | ||debug || 0|1: debugging is ON when value is 1 || |
| | 34 | ||directory_adminupdate_link || URL to update interface for admin updates (record creation, not attribute updates) || |
| | 35 | ||directory_bulkupdate_link || URL to update interface for self service attribute updates || |
| | 36 | ||directory_gateway_link || URL to EDIR web gateway || |
| | 37 | ||directory_instance || iPlanet directory instance || |
| | 38 | ||directory_server_link || URL to EDIR web gateway utilized by server to server POST processes || |
| | 39 | ||local_announcements_file || path reference to local announcements text file || |
| | 40 | ||lock_file || path reference to file used to disable AUTHSERV updates || |
| | 41 | ||log_dir || path reference to AUTHSERV log location || |
| | 42 | ||mail_from || email address used in FROM of mail generated for AUTHSERV || |
| | 43 | ||mail_host || email domain expected in vanity addresses || |
| | 44 | ||mail_to || address list for recipients of troubleshooting/batch reporting email || |
| | 45 | ||privileged_agent || RDN of credentilas utilized by by AUTHSERV web gateway to access privileged information || |
| | 46 | ||privileged_agent_passwd_file || path reference to authserv_agent password file |
| | 47 | ||query_servers || list of servers that may respond to query requests. ''Note: (sxmpa 2/13/2010): This variable should be assigned a single value, which is the host housing the LDAP server queried by this AUTHSERV gateway instance. The AUTHSERV gateway instance is normally co-located with that LDAP server on the same host, but you have the option of choosing an LDAP server on some other host. Assigning this variable a list of hostnames rather than a single hostname appears to work correctly, but examination of the code suggests that behaviour in this case is undefined.'' || |
| | 48 | ||registry_agent || Oracle schema for AUTHSERV registry || |
| | 49 | ||registry_db || Oracle instance for AUTHSERV registry || |
| | 50 | ||registry_passwd_file || path reference to registry_agent password file || |
| | 51 | ||release || major release number for AUTHSERV web gateway || |
| | 52 | ||slapd_port || port for iPlanet directory access || |
| | 53 | ||slapd_ssl_clause || additional clause required if slapd_port is SSL configured port || |
| | 54 | ||update_server || server(s) that may respond to update requests (local machine issue. ''Note: (sxmpa 2/13/2010) I cannot find anywhere in the AUTHSERV gateway code where this variable is read out of runtime.cfg).'' || |
| | 55 | ||version || gateway instance: TEST PREP or PROD || |
| | 56 | |
| | 57 | ''Note:'' runtime.cfg files are machine specific. Do not copy between servers. |
| | 58 | |
| | 59 | == Libraries == |
| | 60 | |
| | 61 | Libraries are located at $HOME/AUTHSERV<''INST''>/cgi-bin/) for every instance. |
| | 62 | |
| | 63 | === authserv_lib.pm === |
| | 64 | |
| | 65 | Perl Sub procedures are identified by the demarcation of "sub Authenticate", e.g. In the listing below for lib.pm, the "sub" portion of the procedure is dropped. |
| | 66 | |
| | 67 | ||= Library Sub Procedure =||= Description =|| |
| | 68 | || Authenticate || accepts credentials (UID or mailAlternateAddress and password) returns whether authenticated [Y|N] and if successful: null msg, UID, displayName and list of user's roles if unsuccessful: error msg, UID, null, null || |
| | 69 | || !CampusPickList || generates generic HTML form element for campus picklist using ldap_uakEmployeeCampus.txt as input || |
| | 70 | || Credentials || generates HTML form elements for LDAP credentials (id and password) || |
| | 71 | || UAclose || generates closing HTML elements for standard window look and feel || |
| | 72 | || UAopen || generates opening HTML elements for standard window look and feel || |
| | 73 | || abort || uses mailx to send $body with $subject to $MAILTO || |
| | 74 | || appendMsg || formats $msg_in according to $msg_type and appends to $MSG || |
| | 75 | || bldgCampusPickList || generates HTML form element for building pick list for MAU || |
| | 76 | || bldgExists || checks static file to determine if building code exists (issue: building codes are stored in registry and in static file but not in directory) || |
| | 77 | || bldgPicklist || generates HTML form element for building pick list || |
| | 78 | || crypt || simple encryption of strings; used to encrypt password before storing in LDAP cookie || |
| | 79 | || debug || utility used to record debugging information (utilizes debug runtime config parm) || |
| | 80 | || deptUnitPickList || generates HTML form element for department picklist; elements of list taken from external file ldap_deptUnits.txt || |
| | 81 | || embeddedAttributes || (may be obsolete; was formatting solution for uakPhonebookFlag attribute, the values of which could represent an unlimited number of MAU specific phonebook "attributes") || |
| | 82 | || employeeCampusPickList || generates HTML form element for an employee's campus picklist using ldapsearch to locate that employee's uakEmployeeCampus attribute values || |
| | 83 | || employeeDeptPickList || generates generic HTML form element for campus picklist using ldap_uakEmployeeAffiliation.txt || |
| | 84 | || formatAttributes || function returning hash of attribute characteristics used to control formatting of HTML form elements; elements with exceptional (non-standard) formatting requirements are recorded here || |
| | 85 | || formatLabel || formats field descriptions with or without accompanying comments || |
| | 86 | || formatValue || formats attribute values, generating href tags for specific attribute types || |
| | 87 | || genClearCookie || Generates Set-Cookie metadata that clears old cookie (where ldapstring is assumed to be the cookie being cleared) || |
| | 88 | || genClearSimpleCookie || Generates Set-Cookie metadata that clears new simple cookie (where name/value are passed to funtion). || |
| | 89 | || genSetCookie || Generates Set-Cookie metadata that establishes a specific cookie (new or old) || |
| | 90 | || getACL || Returns hash of permissions for requested list of ACL names. || |
| | 91 | || getAttributes || returns a hash of arrays for attributes meeting specified criteria the hash keys are LDAP attribute names each hash value is an array of attribute characteristics || |
| | 92 | || getEntityDisplayLabel || function returning one of DISPLAY_NAME, TITLE_<something>, UNITDISPLAYNAME, UNITNAME or UID from an array of attributes passed to the function || |
| | 93 | || getUserAttributes || returns array of attribute=value pairs for $filter || |
| | 94 | || getSecureAttributes || returns array of attribute=value pairs for $filter (utilizes privilege credentials) || |
| | 95 | || log_registry_error || appends text to a SID specific registry error log || |
| | 96 | || pad || returns string padded with character to specified length || |
| | 97 | || parseCookie || parses old, complex cookie; returning the UID, password, name and role elements || |
| | 98 | || parseDN || parses $dn and returns UID and OU elements || |
| | 99 | || parseSimpleCookie || parses new simple cookie; returning a single string value || |
| | 100 | || prefixMsg || like appendMsg but adds text to start of message string || |
| | 101 | || post_admin || executes HTTPS request to call ldap_bulk_admin CGI script as though from the web (utilizes directory_server_link runtime config parm) || |
| | 102 | || post_updates || executes HTTPS request to call ldap_bulk_update CGI script as though from the web (utilizes directory_server_link runtime config parm) || |
| | 103 | || returnIdentifierFilter || used to return a generic filter that can be used to search for a people record by name or any identifier accepted during AUTHSERV authentication (see ldap_dlevelx CGI script) || |
| | 104 | || simpleIdentity || generates HTML form elements prompting for UA Username and elements of default password (last for of SSN and birthdate) || |
| | 105 | || stockBoilerPlate || generates HTML, stock or "style" specific, displayed only in the various log in or password change related pages || |
| | 106 | || studentDeptPickList || generates generic HTML form element for student department picklist using ldap_uakStudentAffiliation.txt || |
| | 107 | || tokenCleanUP || deletes authentication tokens where age is greater than the expecte lifetime || |
| | 108 | || uidLDAPlookup || returns (last) $attribute value for matching $filter where query executed by credentialed user or default gateway user (weak - utilized currently only by ldap_lib.pm) || |
| | 109 | || connect || establishes ORACLE_HOME and executes DBI->connect utilizing $eff_login to establish $dbh || |
| | 110 | || evaluate || executes $dbh->prepare on $sql to establishes $sth || |
| | 111 | || execute || performs $sth->execute which executes sql statement in Oracle database || |
| | 112 | || getSecureAttributes || returns array of attribute=value pairs for $filter (utilizes privileged credentials) || |
| | 113 | |
| | 114 | |
| | 115 | == CGI Scripts == |
| | 116 | CGI scripts are located at $HOME/AUTHSERV<''INST''>/cgi-bin/) for every instance. |
| | 117 | |
| | 118 | ''Note:''All update processing is performed by the UPDATE gateway which reports success or failure |
| | 119 | to the calling CGI script. |
| | 120 | ||= CGI Script Name =||= Description =|| |
| | 121 | ||activate || generates form utilized to request account activation || |
| | 122 | ||admin_lock || generates form utilized to request administrative lock/unlock of account; administrative locks can be performed only by users with edirAdmin role || |
| | 123 | ||authenticate || generates form used to authenticate using directory credentials || |
| | 124 | ||bulk_update || generates form used to submit updates in bulk || |
| | 125 | ||change_history || generates form used to view UPDATE gateway logs || |
| | 126 | ||first_time || generates form used to authenticate using id and elements of default password || |
| | 127 | ||home || generates home page for AUTHSERV interface in which AUTHSERV cookie is set || |
| | 128 | ||lock || generates form used to request lock/unlock of account; normal locks can be set and removed by users with helpDesk role || |
| | 129 | ||logout || generates logout page which destroys AUTHSERV cookie || |
| | 130 | ||passwd_chg -> authenticate || link to authenticate; when called as passwd_chg, additional fields are displayed for new password || |
| | 131 | ||passwd_help || generates help text and positions display at section on passwords || |
| | 132 | ||post_reset -> first_time || link to first time; when called as post_reset, introductory text is modified || |
| | 133 | ||reset || generates form used to change password during authentication || |
| | 134 | ||seed_group || generates form used to create ou=group records || |
| | 135 | ||seed_resource || generates form used to create ou=resource records || |
| | 136 | ||self_reset || generates form used to perform self reset of directory password || |
| | 137 | ||self_reset_help || generates help text displayed to users if they click on corresponding link in page collecting the security question/response used by self reset process || |
| | 138 | ||self_reset_setup || generates form used to change self reset related attributes || |
| | 139 | ||simpleSearch || ???? (research) ???? || |
| | 140 | ||smallauth -> authenticate || link to authenticate; results in small footprint authentication form || |
| | 141 | ||sponsor_account || generates form used to create (if not already exists) and sponsor ou=people records for Banner entities and/or for guests || |
| | 142 | ||sponsor_account_help || generated help text specific to sponsoring accounts || |
| | 143 | ||token_cleanup || deletes token files where the age of the file exceeds expected life time || |
| | 144 | ||validate || page called by registered AUTHSERV clients to confirm authentication token supplied with redirect from AUTHSERV; results in confirmation of redirect and additional attributes (if so registered) || |
| | 145 | |
| | 146 | ######################################################## [[br]] |
| | 147 | LEGACY CHANGE HISTORY - NOTE: All subsequent changes are recorded in TracWiki [[br]] |
| | 148 | ######################################################## [[br]] |
| | 149 | |
| | 150 | 20081031 elm added reference to runtime_common.cfg |
