97 | | sub Authenticate accepts credentials (UID or mailAlternateAddress and password) |
98 | | returns whether authenticated [Y|N] and |
99 | | if successful: null msg, UID, displayName and list of user's roles |
100 | | if unsuccessful: error msg, UID, null, null |
101 | | |
102 | | sub CampusPickList generates generic HTML form element for campus picklist using |
103 | | ldap_uakEmployeeCampus.txt as input |
104 | | |
105 | | sub Credentials generates HTML form elements for LDAP credentials (id and password) |
106 | | |
107 | | sub UAclose generates closing HTML elements for standard window look and feel |
108 | | |
109 | | sub UAopen generates opening HTML elements for standard window look and feel |
110 | | |
111 | | sub abort uses mailx to send $body with $subject to $MAILTO |
112 | | |
113 | | sub appendMsg formats $msg_in according to $msg_type and appends to $MSG |
114 | | |
115 | | sub bldgCampusPickList generates HTML form element for building pick list for MAU |
116 | | |
117 | | sub bldgExists checks static file to determine if building code exists (issue: building |
118 | | codes are stored in registry and in static file but not in directory) |
119 | | |
120 | | sub bldgPicklist generates HTML form element for building pick list |
121 | | |
122 | | sub crypt simple encryption of strings; used to encrypt password before storing |
123 | | in LDAP cookie |
124 | | |
125 | | sub debug utility used to record debugging information (utilizes debug runtime config parm) |
126 | | |
127 | | sub deptUnitPickList generates HTML form element for department picklist; elements of list |
128 | | taken from external file ldap_deptUnits.txt |
129 | | |
130 | | sub embeddedAttributes (may be obsolete; was formatting solution for uakPhonebookFlag attribute, |
131 | | the values of which could represent an unlimited number of MAU specific |
132 | | phonebook "attributes") |
| 97 | '''sub Authenticate :''' accepts credentials (UID or mailAlternateAddress and password) returns whether authenticated [Y|N] and if successful: null msg, UID, displayName and list of user's roles if unsuccessful: error msg, UID, null, null |
| 98 | |
| 99 | '''sub !CampusPickList : ''' generates generic HTML form element for campus picklist using ldap_uakEmployeeCampus.txt as input |
| 100 | |
| 101 | '''sub Credentials : ''' generates HTML form elements for LDAP credentials (id and password) |
| 102 | |
| 103 | '''sub UAclose : ''' generates closing HTML elements for standard window look and feel |
| 104 | |
| 105 | '''sub UAopen : ''' generates opening HTML elements for standard window look and feel |
| 106 | |
| 107 | '''sub abort : ''' uses mailx to send $body with $subject to $MAILTO |
| 108 | |
| 109 | '''sub appendMsg : ''' formats $msg_in according to $msg_type and appends to $MSG |
| 110 | |
| 111 | '''sub bldgCampusPickList : ''' generates HTML form element for building pick list for MAU |
| 112 | |
| 113 | '''sub bldgExists : ''' checks static file to determine if building code exists (issue: building codes are stored in registry and in static file but not in directory) |
| 114 | |
| 115 | '''sub bldgPicklist : ''' generates HTML form element for building pick list |
| 116 | |
| 117 | '''sub crypt : ''' simple encryption of strings; used to encrypt password before storing in LDAP cookie |
| 118 | |
| 119 | '''sub debug :''' utility used to record debugging information (utilizes debug runtime config parm) |
| 120 | |
| 121 | '''sub deptUnitPickList : ''' generates HTML form element for department picklist; elements of list taken from external file ldap_deptUnits.txt |
| 122 | |
| 123 | '''sub embeddedAttributes : ''' (may be obsolete; was formatting solution for uakPhonebookFlag attribute, the values of which could represent an unlimited number of MAU specific phonebook "attributes") |
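Review bot: the entry for sub crypt (line 117 of the new revision) still says only "simple encryption of strings" for a value that is the user's password stored in the LDAP cookie; the description should name the scheme and where its key comes from so a reader can judge whether the cookie contents are adequately protected, and the same goes for which attributes of the cookie parseCookie later hands back. The collapse of sub Authenticate onto one line (line 97) also runs three distinct return cases together ("returns whether authenticated [Y|N] and if successful: null msg, UID, displayName ... if unsuccessful: error msg, UID, null, null"); a [[br]] before each "if ..." clause, or a bullet list as used for the CGI scripts below, would keep the return contract readable.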
137 | | sub employeeDeptPickList generates generic HTML form element for campus picklist using |
138 | | ldap_uakEmployeeAffiliation.txt |
139 | | |
140 | | sub formatAttributes function returning hash of attribute characteristics used to control |
141 | | formatting of HTML form elements; elements with exceptional (non-standard) |
142 | | formatting requirements are recorded here |
143 | | |
144 | | sub formatLabel formats field descriptions with or without accompanying comments |
145 | | |
146 | | sub formatValue formats attribute values, generating href tags for specific attribute types |
147 | | |
148 | | sub genClearCookie Generates Set-Cookie metadata that clears old cookie (where ldapstring |
149 | | is assumed to be the cookie being cleared) |
150 | | |
151 | | sub genClearSimpleCookie Generates Set-Cookie metadata that clears new simple cookie (where |
152 | | name/value are passed to funtion). |
153 | | |
154 | | sub genSetCookie Generates Set-Cookie metadata that establishes a specific cookie (new or old) |
155 | | |
156 | | sub getACL Returns hash of permissions for requested list of ACL names. |
157 | | |
158 | | sub getAttributes returns a hash of arrays for attributes meeting specified criteria |
159 | | the hash keys are LDAP attribute names |
160 | | each hash value is an array of attribute characteristics |
161 | | |
162 | | sub getEntityDisplayLabel function returning one of DISPLAY_NAME, TITLE_<something>, UNITDISPLAYNAME, |
163 | | UNITNAME or UID from an array of attributes passed to the function |
164 | | |
165 | | sub getUserAttributes returns array of attribute=value pairs for $filter |
166 | | |
167 | | sub getSecureAttributes returns array of attribute=value pairs for $filter (utilizes privileged |
168 | | credentials) |
169 | | |
170 | | sub is_deptAdmin function that determines if credentialed user is admin for department record |
171 | | |
172 | | sub is_emplAdmin function that determines if credentialed user is admin for people record |
173 | | |
174 | | sub lookUpParentUnit function that returns parent unit for department record |
175 | | |
176 | | sub pad returns string padded with character to specified length |
177 | | |
178 | | sub parseCookie parses old, complex cookie; returning the UID, password, name and role elements |
179 | | |
180 | | sub parseDN parses $dn and returns UID and OU elements |
181 | | |
182 | | sub parseSimpleCookie parses new simple cookie; returning a single string value |
183 | | |
184 | | sub post_admin executes HTTPS request to call ldap_bulk_admin CGI script as though |
185 | | from the web (utilizes directory_server_link runtime config parm) |
186 | | |
187 | | sub post_updates executes HTTPS request to call ldap_bulk_update CGI script as though |
188 | | from the web (utilizes directory_server_link runtime config parm) |
189 | | |
190 | | sub returnIdentifierFilter used to return a generic filter that can be used to search for |
191 | | a people record by name or any identifier accepted during AUTHSERV |
192 | | authentication (see ldap_dlevelx CGI script) |
193 | | |
194 | | sub studentDeptPickList generates generic HTML form element for student department picklist using |
195 | | ldap_uakStudentAffiliation.txt |
196 | | |
197 | | sub uidLDAPlookup returns (last) $attribute value for matching $filter where query |
198 | | executed by credentialed user or default gateway user |
199 | | (weak - utilized currently only by ldap_lib.pm) |
| 128 | |
| 129 | '''sub employeeDeptPickList : ''' generates generic HTML form element for campus picklist using ldap_uakEmployeeAffiliation.txt |
| 130 | |
| 131 | '''sub formatAttributes : ''' function returning hash of attribute characteristics used to control formatting of HTML form elements; elements with exceptional (non-standard) formatting requirements are recorded here |
| 132 | |
| 133 | '''sub formatLabel : ''' formats field descriptions with or without accompanying comments |
| 134 | |
| 135 | '''sub formatValue : ''' formats attribute values, generating href tags for specific attribute types |
| 136 | |
| 137 | '''sub genClearCookie : ''' Generates Set-Cookie metadata that clears old cookie (where ldapstring is assumed to be the cookie being cleared) |
| 138 | |
| 139 | '''sub genClearSimpleCookie : ''' Generates Set-Cookie metadata that clears new simple cookie (where name/value are passed to funtion). |
| 140 | |
| 141 | '''sub genSetCookie : ''' Generates Set-Cookie metadata that establishes a specific cookie (new or old) |
| 142 | |
| 143 | '''sub getACL : ''' Returns hash of permissions for requested list of ACL names. |
| 144 | |
| 145 | '''sub getAttributes : ''' returns a hash of arrays for attributes meeting specified criteria the hash keys are LDAP attribute names each hash value is an array of attribute characteristics |
| 146 | |
| 147 | '''sub getEntityDisplayLabel : ''' function returning one of DISPLAY_NAME, TITLE_<something>, UNITDISPLAYNAME, UNITNAME or UID from an array of attributes passed to the function |
| 148 | |
| 149 | '''sub getUserAttributes : ''' returns array of attribute=value pairs for $filter |
| 150 | |
| 151 | '''sub getSecureAttributes : ''' returns array of attribute=value pairs for $filter (utilizes privileged credentials) |
| 152 | |
| 153 | '''sub is_deptAdmin : ''' function that determines if credentialed user is admin for department record |
| 154 | |
| 155 | '''sub is_emplAdmin : ''' function that determines if credentialed user is admin for people record |
| 156 | |
| 157 | '''sub lookUpParentUnit : ''' function that returns parent unit for department record |
| 158 | |
| 159 | '''sub pad : ''' returns string padded with character to specified length |
| 160 | |
| 161 | '''sub parseCookie : ''' parses old, complex cookie; returning the UID, password, name and role elements |
| 162 | |
| 163 | '''sub parseDN : ''' parses $dn and returns UID and OU elements |
| 164 | |
| 165 | '''sub parseSimpleCookie : ''' parses new simple cookie; returning a single string value |
| 166 | |
| 167 | '''sub post_admin : ''' executes HTTPS request to call ldap_bulk_admin CGI script as though from the web (utilizes directory_server_link runtime config parm) |
| 168 | |
| 169 | '''sub post_updates : ''' executes HTTPS request to call ldap_bulk_update CGI script as though from the web (utilizes directory_server_link runtime config parm) |
| 170 | |
| 171 | '''sub returnIdentifierFilter : ''' used to return a generic filter that can be used to search for a people record by name or any identifier accepted during AUTHSERV authentication (see ldap_dlevelx CGI script) |
| 172 | |
| 173 | '''sub studentDeptPickList : ''' generates generic HTML form element for student department picklist using ldap_uakStudentAffiliation.txt |
| 174 | |
| 175 | '''sub uidLDAPlookup : ''' returns (last) $attribute value for matching $filter where query executed by credentialed user or default gateway user (weak - utilized currently only by ldap_lib.pm) |
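Review bot: joining the old three-line description of sub getAttributes into one line (line 145 of the new revision) produced a run-on with no separators: "for attributes meeting specified criteria the hash keys are LDAP attribute names each hash value is an array of attribute characteristics"; insert semicolons or [[br]] between the three clauses. Two carried-over wording defects are worth fixing in the same pass: sub employeeDeptPickList (line 129) is described as generating a "campus picklist" while reading ldap_uakEmployeeAffiliation.txt, which reads like a copy of the CampusPickList text and should say "employee department picklist"; and "funtion" in sub genClearSimpleCookie (line 139) is a typo. The "(weak ...)" remark on sub uidLDAPlookup (line 175) should say what is weak about it (the fallback to the default gateway user's credentials, presumably) so the caveat is actionable.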
213 | | sub connect establishes ORACLE_HOME and executes DBI->connect utilizing $eff_login |
214 | | to establish $dbh |
215 | | |
216 | | sub copy_to_oitdest copies LDIF processed by process_admin_request to location identified |
217 | | in runtime parameter oitdest, if runtime parameter defined |
218 | | |
219 | | sub directory_update executes ldapmodify statements to update LDAP directory |
220 | | |
221 | | sub evaluate executes $dbh->prepare on $sql to establishes $sth |
222 | | |
223 | | sub execute performs $sth->execute which executes sql statement in Oracle database |
224 | | |
225 | | sub getSecureAttributes returns array of attribute=value pairs for $filter (utilizes privileged |
226 | | credentials) |
227 | | |
228 | | sub getSecureAttributes process that utilizes privileged application credentials to obtain |
229 | | secure attribute values when needed for processing (don't rely on |
230 | | credentials of requester which might not have needed access) |
231 | | |
232 | | sub kerberos_change process by which a kerberos principal *changes* his known kerberos |
233 | | password to a new value |
234 | | |
235 | | sub kerberos_create process by which a kerberos principal is created |
236 | | |
237 | | sub kerberos_date_to_time process by which a kerberos date/time stamp is converted Perl date/time |
238 | | |
239 | | sub kerberos_directoryPrincipal process which returns kerberos principal associated with given UID |
240 | | |
241 | | sub kerberos_getprinc process which executes kadmin getprinc command |
242 | | |
243 | | sub kerberos_inactivate process which inactivates a kerberos principal (creates random |
244 | | preexpired password) |
245 | | |
246 | | sub kerberos_initialize process which activates a kerberos principal (establishes the |
247 | | default password with 14 day password expiration) |
248 | | |
249 | | sub kerberos_lock process which locks a kerberos account (establishes a known |
250 | | expiration date/time on account) |
251 | | |
252 | | sub kerberos_reset process which resets a kerberos password to its default value |
253 | | |
254 | | sub kerberos_unlock process which removes the expiration date/time from an account |
255 | | |
256 | | sub kerberos_update process which determines if a password update request is a non-owner |
257 | | reset or an owner change; also directs conversion processing steps |
258 | | (which entails a reset followed by a change) |
259 | | |
260 | | |
261 | | sub lock_account executes iPlanet ns[in]activate command to disable/enable account |
262 | | |
263 | | sub log_admin_update logs admin updates for historical reference |
264 | | |
265 | | sub log_error writes $msg to $ERRORLOG |
266 | | |
267 | | sub log_history logs normal gatewway updates |
268 | | |
269 | | sub log_update writes $msg to $UPDATELOG using flock in coordination with |
270 | | gateway_move_logs.pl to get a file lock before performing an action |
271 | | calls report_fatal if fails to write update to $UPDATELOG |
| 184 | '''sub connect :''' establishes ORACLE_HOME and executes DBI->connect utilizing $eff_login to establish $dbh |
| 185 | |
| 186 | '''sub copy_to_oitdest :''' copies LDIF processed by process_admin_request to location identified in runtime parameter oitdest, if runtime parameter defined |
| 187 | |
| 188 | '''sub directory_update :''' executes ldapmodify statements to update LDAP directory |
| 189 | |
| 190 | '''sub evaluate :''' executes $dbh->prepare on $sql to establishes $sth |
| 191 | |
| 192 | '''sub execute :''' performs $sth->execute which executes sql statement in Oracle database |
| 193 | |
| 194 | '''sub getSecureAttributes :''' returns array of attribute=value pairs for $filter (utilizes privileged credentials) |
| 195 | |
| 196 | '''sub getSecureAttributes :''' process that utilizes privileged application credentials to obtain secure attribute values when needed for processing (don't rely on credentials of requester which might not have needed access) |
| 197 | |
| 198 | '''sub kerberos_change :''' process by which a kerberos principal *changes* his known kerberos password to a new value |
| 199 | |
| 200 | '''sub kerberos_create :''' process by which a kerberos principal is created |
| 201 | |
| 202 | '''sub kerberos_date_to_time :''' process by which a kerberos date/time stamp is converted Perl date/time |
| 203 | |
| 204 | '''sub kerberos_directory :''' Principal process which returns kerberos principal associated with given UID |
| 205 | |
| 206 | '''sub kerberos_getprinc :''' process which executes kadmin getprinc command |
| 207 | |
| 208 | '''sub kerberos_inactivate :''' process which inactivates a kerberos principal (creates random preexpired password) |
| 209 | |
| 210 | '''sub kerberos_initialize :''' process which activates a kerberos principal (establishes the default password with 14 day password expiration) |
| 211 | |
| 212 | '''sub kerberos_lock :''' process which locks a kerberos account (establishes a known expiration date/time on account) |
| 213 | |
| 214 | '''sub kerberos_reset :''' process which resets a kerberos password to its default value |
| 215 | |
| 216 | '''sub kerberos_unlock :''' process which removes the expiration date/time from an account |
| 217 | |
| 218 | '''sub kerberos_update :''' process which determines if a password update request is a non-owner reset or an owner change; also directs conversion processing steps (which entails a reset followed by a change) |
| 219 | |
| 220 | |
| 221 | '''sub lock_account :''' executes iPlanet ns[in]activate command to disable/enable account |
| 222 | |
| 223 | '''sub log_admin_update :''' logs admin updates for historical reference |
| 224 | |
| 225 | '''sub log_error :''' writes $msg to $ERRORLOG |
| 226 | |
| 227 | '''sub log_history :''' logs normal gatewway updates |
| 228 | |
| 229 | '''sub log_update :''' writes $msg to $UPDATELOG using flock in coordination with gateway_move_logs.pl to get a file lock before performing an action calls report_fatal if fails to write update to $UPDATELOG |
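Review bot: the new revision splits the sub name in '''sub kerberos_directory :''' Principal process which returns ... (line 204); the old text reads "sub kerberos_directoryPrincipal", so the bold span should be '''sub kerberos_directoryPrincipal :''' with "process which returns ..." as the description. Lines 194 and 196 both document sub getSecureAttributes with different text (one a return-value description, one a rationale); these should be merged into a single entry. Minor carry-overs: "converted Perl date/time" (line 202) is missing "to", "establishes" should be "establish" in sub evaluate (line 190), "gatewway" (line 227) is a typo, and sub log_update (line 229) needs a break before "calls report_fatal if fails ...", which now reads as a continuation of "before performing an action".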
275 | | sub process_admin_request main routine for processing admin updates; like process_request only |
276 | | restricted to EDIR administrator use to add/delete entities (results |
277 | | in creation or removal of a DN). Gets EDIRrole values from directory |
278 | | and looks for acceptable role before proceeding. First line of file |
279 | | input *must* reference a supported action (add or delete). Returns |
280 | | output from ldif processing which the calling program is expected to |
281 | | parse to determine result. |
282 | | |
283 | | sub process_request main routine for processing updates; checks process type ($action) |
284 | | and performs rudimentary error checking, then attempts to update |
285 | | the Oracle registry. if successful, calls directory_update to |
286 | | update directory. returns success (1) or failure (0) and $return_msg |
287 | | generated by either the registry update or the directory update |
288 | | |
289 | | sub registry_update executes $sql in registry, capturing success (1) or failure (0), |
290 | | $sql_msg and $sql_row_count resulting from sql execution; returns |
291 | | success or failure and $sql_msg |
292 | | |
293 | | Note: $sql_row_count use is deprecated (not capturing row counts |
294 | | in EDIR package to return); will be removed from sub routine. |
295 | | |
296 | | sub report_error utilizes mailx to send $body with $subject to $MAILTO without |
297 | | disabling updates |
298 | | |
299 | | sub report_fatal utilizes mailx to send $body with $subject to $MAILTO |
300 | | generates $ldap_lib::LOCKFILE (gateway_updates_disabled) to |
301 | | disable updates until problem resovled |
302 | | |
303 | | sub special_logging (obsoleted; discarded method of providing UAA with record of |
304 | | EDIR updates) |
305 | | |
306 | | sub uakEmployeeLocatorSubProcessing |
307 | | process by which individual attributes underlying uakEmployeeLocator |
308 | | (office, telephonenumber, facsimiletelephonenumber) are maintained |
309 | | as a byproduct of uakEmployeeLocator maintenance |
310 | | |
311 | | sub user_notification routine for notifying account holders of events (assuming they are |
312 | | not a UAA student or staff member) |
| 233 | '''sub process_admin_request :''' main routine for processing admin updates; like process_request only restricted to EDIR administrator use to add/delete entities (results in creation or removal of a DN). Gets EDIRrole values from directory and looks for acceptable role before proceeding. First line of file input *must* reference a supported action (add or delete). Returns output from ldif processing which the calling program is expected to parse to determine result. |
| 234 | |
| 235 | '''sub process_request :''' main routine for processing updates; checks process type ($action) and performs rudimentary error checking, then attempts to update the Oracle registry. if successful, calls directory_update to update directory. returns success (1) or failure (0) and $return_msg generated by either the registry update or the directory update |
| 236 | |
| 237 | '''sub registry_update :''' executes $sql in registry, capturing success (1) or failure (0), $sql_msg and $sql_row_count resulting from sql execution; returns success or failure and $sql_msg. [[br]][[br]] |
| 238 | |
| 239 | Note: $sql_row_count use is deprecated (not capturing row counts in EDIR package to return); will be removed from sub routine. |
| 240 | |
| 241 | '''sub report_error :''' utilizes mailx to send $body with $subject to $MAILTO without disabling updates |
| 242 | |
| 243 | '''sub report_fatal :''' utilizes mailx to send $body with $subject to $MAILTO generates $ldap_lib::LOCKFILE (gateway_updates_disabled) to disable updates until problem resovled |
| 244 | |
| 245 | '''sub special_logging :''' (obsoleted; discarded method of providing UAA with record of EDIR updates) |
| 246 | |
| 247 | '''sub uakEmployeeLocatorSubProcessing :''' process by which individual attributes underlying uakEmployeeLocator (office, telephonenumber, facsimiletelephonenumber) are maintained as a byproduct of uakEmployeeLocator maintenance |
| 248 | |
| 249 | '''sub user_notification :''' routine for notifying account holders of events (assuming they are not a UAA student or staff member) |
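Review bot: sub report_fatal (line 243 of the new revision) now runs two sentences together ("to $MAILTO generates $ldap_lib::LOCKFILE ..."); a [[br]] before "generates", matching the one added to sub registry_update at line 237, separates the mail step from the lock-file step, which matters because the lock file is what disables further updates. "resovled" on the same line is a typo. The trailing [[br]][[br]] on line 237 followed by an empty line 238 yields two blank lines plus a paragraph break before the Note; one of the two mechanisms is enough.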
317 | | sub validate apply business rules to requested update of <attrib> and return |
318 | | success or failure (these *.pm created for attributes which bypass |
319 | | registry processing; attrib must be listed in runtime parameter |
320 | | bypassRegistryAttributes for the *pm to be executed |
321 | | |
322 | | |
323 | | |
324 | | ++++++++++++ |
325 | | CGI SCRIPTS: ($HOME/EDIR<INST>/cgi-bin/) |
326 | | ++++++++++++ |
327 | | |
328 | | ldap_bulk_admin Script performing all special administration of EDIR records not supported in other |
329 | | EDIR forms. When called via web browser, generates HTML form with file form variable |
330 | | for specifying file containing administative requests. When called via web browser, |
331 | | utilizes credentials stored in LDAP cookie by ldap_auth. When called via UNIX shell |
332 | | and HTTP request, generates *no* HTML form and credentials must be passed with the |
333 | | request along with name of file contaiing update requests. ldap_bulk_admin calls |
334 | | ldap_mod::process_admin_request which performs the actual Directory update. |
335 | | |
336 | | ldap_bulk_update Script performing all EDIR gateway updates. When called via web browser, generates |
337 | | HTML form with file form variable for specifying file containing update requests. |
338 | | When called via web browser, utilizes credentials stored in LDAP cookie by ldap_auth. |
339 | | When called via UNIX shell and HTTP request, generates *no* HTML form and credentials |
340 | | must be passed with the request along with name of file contaiing update requests. |
341 | | ldap_bulk_update calls ldap_mod::process_request which performs the actual Directory |
342 | | update. |
343 | | |
344 | | |
345 | | ####################### |
| 254 | '''sub validate :''' apply business rules to requested update of <attrib> and return success or failure (these *.pm created for attributes which bypass registry processing; attrib must be listed in runtime parameter bypassRegistryAttributes for the *pm to be executed |
| 255 | |
| 256 | |
| 257 | |
| 258 | == CGI SCRIPTS: ($HOME/EDIR<INST>/cgi-bin/) == |
| 259 | |
| 260 | '''ldap_bulk_admin :''' Script performing all special administration of EDIR records not supported in other EDIR forms. |
| 261 | * When called via web browser, generates HTML form with file form variable for specifying file containing administative requests. |
| 262 | * When called via web browser, utilizes credentials stored in LDAP cookie by ldap_auth. |
| 263 | * When called via UNIX shell and HTTP request, generates *no* HTML form and credentials must be passed with the request along with name of file contaiing update requests. [[br]][[br]]ldap_bulk_admin calls ldap_mod::process_admin_request which performs the actual Directory update. |
| 264 | |
| 265 | '''ldap_bulk_update :''' Script performing all EDIR gateway updates. |
| 266 | * When called via web browser, generates HTML form with file form variable for specifying file containing update requests. |
| 267 | * When called via web browser, utilizes credentials stored in LDAP cookie by ldap_auth. |
| 268 | * When called via UNIX shell and HTTP request, generates *no* HTML form and credentials must be passed with the request along with name of file contaiing update requests.[[br]][[br]] ldap_bulk_update calls ldap_mod::process_request which performs the actual Directory update. |
| 269 | |
| 270 | |
| 271 | #######################[[br]] |
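Review bot: the third bullet under both ldap_bulk_admin (line 263 of the new revision) and ldap_bulk_update (line 268) says that for shell/HTTP callers "credentials must be passed with the request" without stating which form field carries them or that the call is HTTPS-only, as the post_admin and post_updates entries in ldap_lib do; name the parameter and the transport here so callers do not improvise. sub validate (line 254) has an unclosed parenthesis starting at "(these *.pm created ..."; close it after "to be executed". "administative" (line 261) and "contaiing" (lines 263 and 268) are typos, the first two bullets in each list could be merged since both begin "When called via web browser", and the closing "#######################[[br]]" separator (line 271) could become the wiki's own "----" horizontal rule.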