wiki:UPDT_gw_scripts

Version 1 (modified by lttoth@…, 10 years ago) (diff)

--

UPDATE GATEWAY SCRIPTS

The update interface underlying the EDIR/AUTHSERV web gateways is tightly linked to both the iPlanet directory and to the Oracle registry and implements business rules about who may perform what update actions.

The update interface originated with the EDIR web gateway but was separated from the EDIR interface in May of 2007. Because it started out as part of EDIR, the runtime.cfg file and Perl modules that are utilized by the update interface contain many references that are not pertinent to the update interface. Someday they may be dropped.

CONFIG FILES: ($HOME/EDIR<INST>/config)

ldap_admin_actions.cfg

Contains data from which Admin Actions pick list is built; this file can be copied to all servers hosting the same UPDT instance

ldap_left_links.cfg

Contains data used to build links under EDIR banner this file can be copied to all servers hosting the same UPDT instance

runtime_common.cfg

Contains a subset of runtime configuration elements that are constant between servers hosting gateway - see runtime.cfg; this file can be copied to all servers hosting the same UPDT instance

all_servers list of all supported EDIR hosts ( - this list must include all functioning EDIR/AUTHSERV hosts)
bypassRegistryAttributes list of attributes that bypass registry processing; see also corresponding *_validate.pm scripts
debug 0|1: debugging is ON when value is 1
directory_agent RDN of credentials used by gateway for normal query access
directory_gateway_name name of EDIR web gateway
directory_manager_passwd_file path reference for privileged credential password file (Directory Manager issue)
directory_passwd_file path reference to directory_agent password file
kerberos_conversion 0|1: conversion of accounts to kerberos authentication is ON when value is 1
kerberos_krb5_config path reference to krb5 file that configures kerberos access
kerberos_mail_to email address to which kerberos related error messages are sent
kerberos_passwd_file path reference to kerberos_agent password file
kerberos_reset_expiration_days offset number of days used to compute password expiration for reset passwords
kerberos_server_access id@host reference used in ssh to server supporting kerberos account creation
kerberos_server_account id of UNIX account on server supporting kerberos account creation
kerberos_servers list of supported kerberos servers for this instance of directory/kerberos
local_announcements_file path reference to local announcements text file
lock_file path reference to file used to disable EDIR updates
log_dir path reference to EDIR log location
mail_from_authserv email address used in FROM of mail generated for AUTHSERV
mail_from_edir email address used in FROM of mail generated for EDIR
mail_host email domain expected in vanity addresses
mail_to address list for recipients of troubleshooting/batch reporting email
max_updateable_attrib_values max number of multiply occuring attribute values allowed by ldap_update
nsactivate_port port used when ns[in]activate invoked
oitdest path reference to directory (on remote server) that is destination for datafiles used during kerberos account creation
oracle_home path reference to explicit ORACLE_HOME directory
registry_agent Oracle schema for EDIR registry
registry_db Oracle instance for EDIR registry
registry_passwd_file path reference to registry_agent password file
release major release number for EDIR web gateway
slapd_port port for iPlanet directory access
<mau>_passwdSync_URL URL of MAU web site called by AUTHSERV to sync password changes
<mau>_passwdSync_domain domain of MAU specific servers pushing password changes to us (insures we don't get in loop passing password back and forth)
<mau>_passwdSync_key password/phrase used in MAU web site called by AUTHSERV to sync password changes
<mau>_passwdSync_scope none|all|<list of UIDs>: determines accounts to which sync does[n't] apply
<mau>_passwdSync_success character string returned by MAU web site when password sync is successful
<mau>_passwdSync_<var> edirAttrib_<attrib>: where attrib is the name of the EDIR attribute holding the data that will be returned as <var> to the MAU web site
version gateway instance: TEST PREP or PROD

runtime.cfg

Contains runtime configuration data used by EDIR CGI scripts this file is server/instance specific; do not copy to other servers.

directory_gateway_link URL to EDIR web gateway
directory_instance iPlanet directory instance
directory_server_link URL to server specific EDIR web gateway (Equalizer issue)
kerberos_agent kerberos principle used during kerberos account management
query_servers list of servers that may respond to query requests (1).
slapd_ssl_clause additional clause required if slapd_port is SSL configured port
update_server server(s) that may respond to update requests (local machine issue) (2)

(1) sxmpa 2/13/2010 -

This variable should be assigned a single value, which is the host housing the LDAP server queried by this UPDATE gateway instance. This value should be the same as that of the update_server variable. The UPDATE gateway instance is normally co-located with that LDAP server on the same host, but you have the option of choosing an LDAP server on some other host. Assigning this variable a list of hostnames rather than a single hostname appears to work correctly, but examination of the code suggests that behaviour in this case is undefined

(2) sxmpa 2/13/2010 - This variable should be assigned a single value,

which is the host housing the LDAP server queried by this UPDATE gateway instance. This value should be the same as that of the query_servers variable.

LIBRARIES: ($HOME/EDIR<INST>/cgi-bin/)

ldap_lib.pm

sub Authenticate accepts credentials (UID or mailAlternateAddress and password)

returns whether authenticated [Y|N] and if successful: null msg, UID, displayName and list of user's roles if unsuccessful: error msg, UID, null, null

sub CampusPickList? generates generic HTML form element for campus picklist using

ldap_uakEmployeeCampus.txt as input

sub Credentials generates HTML form elements for LDAP credentials (id and password)

sub UAclose generates closing HTML elements for standard window look and feel

sub UAopen generates opening HTML elements for standard window look and feel

sub abort uses mailx to send $body with $subject to $MAILTO

sub appendMsg formats $msg_in according to $msg_type and appends to $MSG

sub bldgCampusPickList generates HTML form element for building pick list for MAU

sub bldgExists checks static file to determine if building code exists (issue: building

codes are stored in registry and in static file but not in directory)

sub bldgPicklist generates HTML form element for building pick list

sub crypt simple encryption of strings; used to encrypt password before storing

in LDAP cookie

sub debug utility used to record debugging information (utilizes debug runtime config parm)

sub deptUnitPickList generates HTML form element for department picklist; elements of list

taken from external file ldap_deptUnits.txt

sub embeddedAttributes (may be obsolete; was formatting solution for uakPhonebookFlag attribute,

the values of which could represent an unlimited number of MAU specific phonebook "attributes")

sub employeeCampusPickList generates HTML form element for an employee's campus picklist using

ldapsearch to locate that employee's uakEmployeeCampus attribute values

sub employeeDeptPickList generates generic HTML form element for campus picklist using

ldap_uakEmployeeAffiliation.txt

sub formatAttributes function returning hash of attribute characteristics used to control

formatting of HTML form elements; elements with exceptional (non-standard) formatting requirements are recorded here

sub formatLabel formats field descriptions with or without accompanying comments

sub formatValue formats attribute values, generating href tags for specific attribute types

sub genClearCookie Generates Set-Cookie metadata that clears old cookie (where ldapstring

is assumed to be the cookie being cleared)

sub genClearSimpleCookie Generates Set-Cookie metadata that clears new simple cookie (where

name/value are passed to funtion).

sub genSetCookie Generates Set-Cookie metadata that establishes a specific cookie (new or old)

sub getACL Returns hash of permissions for requested list of ACL names.

sub getAttributes returns a hash of arrays for attributes meeting specified criteria

the hash keys are LDAP attribute names each hash value is an array of attribute characteristics

sub getEntityDisplayLabel function returning one of DISPLAY_NAME, TITLE_<something>, UNITDISPLAYNAME,

UNITNAME or UID from an array of attributes passed to the function

sub getUserAttributes returns array of attribute=value pairs for $filter

sub getSecureAttributes returns array of attribute=value pairs for $filter (utilizes privileged

credentials)

sub is_deptAdmin function that determines if credentialed user is admin for department record

sub is_emplAdmin function that determines if credentialed user is admin for people record

sub lookUpParentUnit function that returns parent unit for department record

sub pad returns string padded with character to specified length

sub parseCookie parses old, complex cookie; returning the UID, password, name and role elements

sub parseDN parses $dn and returns UID and OU elements

sub parseSimpleCookie parses new simple cookie; returning a single string value

sub post_admin executes HTTPS request to call ldap_bulk_admin CGI script as though

from the web (utilizes directory_server_link runtime config parm)

sub post_updates executes HTTPS request to call ldap_bulk_update CGI script as though

from the web (utilizes directory_server_link runtime config parm)

sub returnIdentifierFilter used to return a generic filter that can be used to search for

a people record by name or any identifier accepted during AUTHSERV authentication (see ldap_dlevelx CGI script)

sub studentDeptPickList generates generic HTML form element for student department picklist using

ldap_uakStudentAffiliation.txt

sub uidLDAPlookup returns (last) $attribute value for matching $filter where query

executed by credentialed user or default gateway user (weak - utilized currently only by ldap_lib.pm)

ldap_mod.pm

sub bypassRegistryUpdates both determines if attribute is supposed to bypass registry

(see runtime configurartion parameter bypassRegistryAttributes) and then - if attrib will bypass registry - look for and execute attribute specific validation script (see *_validate.pm)

sub closing executes $dbh->rollback followed by $dbh->finish

(dhb->commit executed explicitly elsewhere)

sub connect establishes ORACLE_HOME and executes DBI->connect utilizing $eff_login

to establish $dbh

sub copy_to_oitdest copies LDIF processed by process_admin_request to location identified

in runtime parameter oitdest, if runtime parameter defined

sub directory_update executes ldapmodify statements to update LDAP directory

sub evaluate executes $dbh->prepare on $sql to establishes $sth

sub execute performs $sth->execute which executes sql statement in Oracle database

sub getSecureAttributes returns array of attribute=value pairs for $filter (utilizes privileged

credentials)

sub getSecureAttributes process that utilizes privileged application credentials to obtain

secure attribute values when needed for processing (don't rely on credentials of requester which might not have needed access)

sub kerberos_change process by which a kerberos principal *changes* his known kerberos

password to a new value

sub kerberos_create process by which a kerberos principal is created

sub kerberos_date_to_time process by which a kerberos date/time stamp is converted Perl date/time

sub kerberos_directoryPrincipal process which returns kerberos principal associated with given UID

sub kerberos_getprinc process which executes kadmin getprinc command

sub kerberos_inactivate process which inactivates a kerberos principal (creates random

preexpired password)

sub kerberos_initialize process which activates a kerberos principal (establishes the

default password with 14 day password expiration)

sub kerberos_lock process which locks a kerberos account (establishes a known

expiration date/time on account)

sub kerberos_reset process which resets a kerberos password to its default value

sub kerberos_unlock process which removes the expiration date/time from an account

sub kerberos_update process which determines if a password update request is a non-owner

reset or an owner change; also directs conversion processing steps (which entails a reset followed by a change)

sub lock_account executes iPlanet ns[in]activate command to disable/enable account

sub log_admin_update logs admin updates for historical reference

sub log_error writes $msg to $ERRORLOG

sub log_history logs normal gatewway updates

sub log_update writes $msg to $UPDATELOG using flock in coordination with

gateway_move_logs.pl to get a file lock before performing an action calls report_fatal if fails to write update to $UPDATELOG

sub mauPasswdSync

sub process_admin_request main routine for processing admin updates; like process_request only

restricted to EDIR administrator use to add/delete entities (results in creation or removal of a DN). Gets EDIRrole values from directory and looks for acceptable role before proceeding. First line of file input *must* reference a supported action (add or delete). Returns output from ldif processing which the calling program is expected to parse to determine result.

sub process_request main routine for processing updates; checks process type ($action)

and performs rudimentary error checking, then attempts to update the Oracle registry. if successful, calls directory_update to update directory. returns success (1) or failure (0) and $return_msg generated by either the registry update or the directory update

sub registry_update executes $sql in registry, capturing success (1) or failure (0),

$sql_msg and $sql_row_count resulting from sql execution; returns success or failure and $sql_msg

Note: $sql_row_count use is deprecated (not capturing row counts in EDIR package to return); will be removed from sub routine.

sub report_error utilizes mailx to send $body with $subject to $MAILTO without

disabling updates

sub report_fatal utilizes mailx to send $body with $subject to $MAILTO

generates $ldap_lib::LOCKFILE (gateway_updates_disabled) to disable updates until problem resovled

sub special_logging (obsoleted; discarded method of providing UAA with record of

EDIR updates)

sub uakEmployeeLocatorSubProcessing

process by which individual attributes underlying uakEmployeeLocator (office, telephonenumber, facsimiletelephonenumber) are maintained as a byproduct of uakEmployeeLocator maintenance

sub user_notification routine for notifying account holders of events (assuming they are

not a UAA student or staff member)

<attrib>_validation.pm

sub validate apply business rules to requested update of <attrib> and return

success or failure (these *.pm created for attributes which bypass registry processing; attrib must be listed in runtime parameter bypassRegistryAttributes for the *pm to be executed

++++++++++++ CGI SCRIPTS: ($HOME/EDIR<INST>/cgi-bin/) ++++++++++++

ldap_bulk_admin Script performing all special administration of EDIR records not supported in other

EDIR forms. When called via web browser, generates HTML form with file form variable for specifying file containing administative requests. When called via web browser, utilizes credentials stored in LDAP cookie by ldap_auth. When called via UNIX shell and HTTP request, generates *no* HTML form and credentials must be passed with the request along with name of file contaiing update requests. ldap_bulk_admin calls ldap_mod::process_admin_request which performs the actual Directory update.

ldap_bulk_update Script performing all EDIR gateway updates. When called via web browser, generates

HTML form with file form variable for specifying file containing update requests. When called via web browser, utilizes credentials stored in LDAP cookie by ldap_auth. When called via UNIX shell and HTTP request, generates *no* HTML form and credentials must be passed with the request along with name of file contaiing update requests. ldap_bulk_update calls ldap_mod::process_request which performs the actual Directory update.

####################### DOCUMENT CHANGE HISTORY

20081031 elm added reference to runtime_common.cfg and updated lists of runtime parameters 20081114 elm updated document to include *.pm functions not already documented sxmpa 2/13/2010 - noted list requirements for all_servers

# eof