Warning: Livedoc is no longer being updated and will be deprecated shortly. Please refer to https://documentation.tjhsst.edu.

Account provisioning

From Livedoc - The Documentation Repository

Revision as of 16:33, 26 February 2016

Even though authentication is integrated across our systems, provisioning is not: a user account still has to be created in every system independently, and each of the procedures below has to be run.

Windows/Active Directory

The Windows IT staff takes care of this. At the time of writing, all user accounts are deleted and recreated at the beginning of every school year. Sysadmins (starting with the graduating class of 2006) are moved into a separate OU (organizational unit) before this occurs and have their accounts preserved, but their passwords are still subject to annual expiry.

UNIX accounts

The update_nssldap.sh script (authored by William Yang; see NSS LDAP) handles user provisioning in AFS and NSS LDAP. It depends on Identity Synchronization for Windows (ISW) working properly. Because AD accounts are recreated every year, follow the procedure below when accounts are created every fall. The idsync command used below is part of ISW and is located in /opt/SUNWisw/bin on the ISW server (usually the primary NSS LDAP server). Every idsync command requires the -D, -w and -q options: -D is the bind DN, -w the bind (Directory Manager) password and -q the ISW configuration password. Giving "-" as the value of -w and -q makes idsync prompt for each password instead of taking it on the command line, where it would be visible in the process list and saved in shell history. For our purposes, we use -D 'cn=Directory Manager' -w - -q -

Requirements

  • Have a /admin credential
  • Be added as a user on the AFS servers (bos adduser <server> <username>.admin)
  • Know/have ready the NSS Manager password

Account Creation

  • Stop ISW synchronization (idsync stopsync -D 'cn=Directory Manager' -w - -q -)
  • Reassociate accounts (idsync resync -D 'cn=Directory Manager' -w - -q -)
  • Restart ISW synchronization (idsync startsync -D 'cn=Directory Manager' -w - -q -)
  • Run the update_nssldap.sh script (make sure you have read the section on this script in NSS LDAP first). Make a backup (backup.sh) before and after running this script, so that the NSS LDAP data can be rolled back if something goes wrong.

If accounts are no longer deleted and recreated in AD, or only a handful of new accounts need to be provisioned in NSS LDAP and AFS (for example, staff or late-registering students), the ISW steps are unnecessary: just run the update_nssldap.sh script (you should still read the relevant section of NSS LDAP first).
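The two paths described above, the full fall procedure and the lighter "just run update_nssldap.sh" case, as one wrapper script. This is an added example, not the original page's or TJHSST's code. It assumes idsync is at the path the page gives, that update_nssldap.sh and backup.sh are on PATH (both locations can be overridden through environment variables so the script can be dry-run with stubs), and it adds two things the page only implies: every step fails fast, and if resync fails, synchronization is restarted before the script gives up so ISW is not left stopped. The -w - and -q - prompts mean the Directory Manager and configuration passwords are typed interactively and never appear in a process listing.

```shell
#!/bin/sh
# Added example (not the original page's or TJHSST's code): wrapper for the
# fall account-creation procedure, plus the incremental path used when only a
# few new accounts need provisioning in NSS LDAP and AFS.
# Locations are overridable so the script can be exercised with stub commands.
set -u

IDSYNC="${IDSYNC:-/opt/SUNWisw/bin/idsync}"            # path given on the page
UPDATE_NSSLDAP="${UPDATE_NSSLDAP:-update_nssldap.sh}"  # assumed to be on PATH
BACKUP="${BACKUP:-backup.sh}"                          # assumed to be on PATH
BIND_DN="${BIND_DN:-cn=Directory Manager}"

# Every idsync subcommand gets -D/-w/-q. "-w -" and "-q -" make idsync prompt
# for the Directory Manager and ISW configuration passwords, so neither one is
# ever on the command line, in `ps` output or in shell history.
idsync_cmd() {
    "$IDSYNC" "$1" -D "$BIND_DN" -w - -q -
}

# Incremental path (no mass recreation of AD accounts): only update_nssldap.sh
# is needed. Backing up before and after is the page's advice for the full run;
# applying it here as well is this example's choice, not the page's instruction.
provision_accounts_incremental() {
    "$BACKUP" || { echo "backup before update failed" >&2; return 1; }
    "$UPDATE_NSSLDAP" || { echo "update_nssldap.sh failed" >&2; return 1; }
    "$BACKUP" || { echo "backup after update failed" >&2; return 1; }
}

# Full fall procedure: stop sync, resync (reassociate the recreated AD
# accounts), start sync, then update NSS LDAP/AFS with a backup on each side.
# If resync fails, synchronization is restarted before giving up so that ISW
# is not left stopped with AD and NSS LDAP drifting apart.
provision_accounts_full() {
    idsync_cmd stopsync || { echo "stopsync failed" >&2; return 1; }
    if ! idsync_cmd resync; then
        echo "resync failed; restarting synchronization before aborting" >&2
        idsync_cmd startsync
        return 1
    fi
    idsync_cmd startsync || { echo "startsync failed" >&2; return 1; }
    provision_accounts_incremental
}

# Usage: provision.sh full | incremental  (run on the ISW server, with the
# /admin credential and AFS admin access listed under Requirements)
case "${1:-}" in
    full)        provision_accounts_full ;;
    incremental) provision_accounts_incremental ;;
esac
```

Run it as `provision.sh full` in the fall and `provision.sh incremental` for late registrations; the functions can also be sourced and called individually. The exit status is non-zero as soon as any step fails, so do not chain further commands after it without checking.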

Intranet

This is handled by a data import module, currently "newimport." For students, a SASI dump is imported. Because the dump contains private student data, the student import must currently be run by a member of the IT staff or the sysadmin sponsor. New staff are added individually by Mr. Washer using an interface in the newimport module.

Mail

/mnt/mail/mail.py updates mail accounts and their attributes, including quotas, from the data in AD. It must be run as root on every mail server (currently casey and smith); running it on only one leaves the servers inconsistent. Currently, accounts that are disabled or deleted in AD are disabled (not deleted) on the mail servers. See Email for more information on how this works.