The Delegation request type enables a department administrator to modify permissions on an organizational unit in a department OU. A department administrator can submit a delegation request to grant or revoke one of the defined permission sets, called delegations. The supported delegations are defined on the following page:

How-To - Request a Delegation via PowerShell script


The Active Directory team maintains a set of PowerShell scripts at https://github.austin.utexas.edu/eis1-aad/RequestsByAttribute to assist department administrators with this process. These scripts must be run on a Windows system joined to the Austin Active Directory and the system must have the Active Directory PowerShell module installed.

  • Get-ADRequests.ps1 - displays the pending requests for a department
  • Get-ADResults.ps1 - displays the results of any requests for a department
  • Add-ADDelegationRequest.ps1 - submits a new delegation request for a department
  • Remove-ADDelegationRequest.ps1 - removes a pending delegation request for a department

Request a delegation

  1. Download the scripts in the RequestsByAttribute repo to a local directory.
  2. Start a PowerShell session as a department administrator.

    Info

    Complete the following steps in this PowerShell session unless instructed otherwise.


  3. Navigate to the directory where the RequestsByAttribute scripts are located.
  4. Run the following commands to request a delegation: 

    Info

    The following example would submit a request to grant the Computer delegation to the EXAMPLE-ComputerAdmins principal on the OU=Computers,OU=EXAMPLE,OU=Departments,DC=austin,DC=utexas,DC=edu organizational unit. The example must be run by a department administrator in the EXAMPLE department.


    Code Block
    .\Add-ADDelegationRequest.ps1 -Department 'EXAMPLE' -Action 'Grant' -Delegation 'Computer' -Principal 'EXAMPLE-ComputerAdmins' -Path 'OU=Computers,OU=EXAMPLE,OU=Departments,DC=austin,DC=utexas,DC=edu'


  5. Run the following commands to review the pending request: 

    Code Block
    .\Get-ADRequests.ps1 -Department 'EXAMPLE'


  6. Wait until a few minutes after the next hour. 

    Info

    Requests are processed every hour within the first few minutes.


  7. Run the following commands to review the results of the request: 

    Code Block
    .\Get-ADResults.ps1 -Department 'EXAMPLE'


How-To - Request a Delegation via ldapmodify


The OpenLDAP ldapmodify and Kerberos kinit tools can be leveraged together to submit delegation requests to the Austin Active Directory by directly adding the delegation request JSON string to the requests attribute. Please see the Requests By Attribute - Technical Details page for more information about the components of the process.

Request a delegation

  1. Ensure that your system is connected to the UT VPN.

    Note

    VPN access is required to retrieve a Kerberos ticket.


  2. Start a command-line terminal if using a graphical UI.
  3. Ensure that the required packages are installed:

    Operating System | OpenLDAP         | Kerberos
    macOS            | included         | included
    RHEL             | openldap-clients | krb5-workstation
    Ubuntu           | ldap-utils       | krb5-user


  4. Modify then save the contents of the following code block to define the delegation request:

    Code Block
    dn: ou=example,ou=departments,ou=administrative,dc=austin,dc=utexas,dc=edu
    changetype: modify
    add: utexasEduAustinMulti1
    utexasEduAustinMulti1: {"Timestamp":"2024-03-01T12:00:00.000Z","Type":"Delegation","Action":"Grant","Delegation":"Group","Principal":"EXAMPLE-ComputerAdmins","Path":"OU=Computers,OU=EXAMPLE,OU=Departments,DC=austin,DC=utexas,DC=edu","RequestedBy":"EXAMPLE-abc123"}


  5. Modify then run the following commands to retrieve a Kerberos ticket:

    Info

    Replace <dept-admin> in the following command with your department administrator username. The domain name must be capitalized. For example, the example-abc123 department administrator would use the principal example-abc123@AUSTIN.UTEXAS.EDU.


    Code Block
    kinit <dept-admin>@AUSTIN.UTEXAS.EDU


  6. Modify then run the following commands to submit the delegation request: 

    Info

    Replace example in the LDIF file name with the actual file name.


    Code Block
    ldapmodify -Q -H "ldap://austin.utexas.edu" -f example.ldif


  7. Modify then run the following commands to review the pending request: 

    Info

    Replace example in both the DN and the filter with the actual department name.


    Code Block
    ldapsearch -Q -H "ldap://austin.utexas.edu" -b "ou=example,ou=departments,ou=administrative,dc=austin,dc=utexas,dc=edu" -s base "(ou=example)" utexasEduAustinMulti1


  8. Wait until a few minutes after the next hour. 

    Info

    Requests are processed every hour within the first few minutes.


  9. Modify then run the following commands to review the results of the request: 

    Info

    Replace example in both the DN and the filter with the actual department name.


    Code Block
    ldapsearch -Q -H "ldap://austin.utexas.edu" -b "ou=example,ou=departments,ou=administrative,dc=austin,dc=utexas,dc=edu" -s base "(ou=example)" utexasEduAustinMulti2

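As an added example (not part of the RequestsByAttribute scripts or of this page), the following Python builds the same JSON request string and LDIF that steps 4 and 6 above submit, refuses a Path that lies outside the requesting department's OU, and reads a request line back out of the ldapsearch output from step 7. The helper names, the department-OU check, and the sample timestamp are assumptions; the attribute names and property names come from the LDIF above.

```python
import base64
import json
from datetime import datetime, timezone

# Hypothetical helpers for this page; not the RequestsByAttribute scripts.
BASE_DN = "dc=austin,dc=utexas,dc=edu"
REQUEST_ATTR = "utexasEduAustinMulti1"   # requests are added to this attribute
REQUIRED_KEYS = {"Timestamp", "Type", "Action", "Delegation", "Principal", "Path", "RequestedBy"}
EXAMPLE_TIME = datetime(2024, 3, 1, 12, 0, tzinfo=timezone.utc)   # constructed sample

def is_valid_path(dept, path):
    """Assumed check: a department admin may only target OUs inside that department's OU."""
    suffix = f"OU={dept},OU=Departments,DC=austin,DC=utexas,DC=edu".lower()
    return path.lower().endswith(suffix)

def build_request(dept, action, delegation, principal, path, requested_by, when=None):
    """Return the delegation request as a dict with the properties shown in the LDIF above."""
    if action not in ("Grant", "Revoke"):
        raise ValueError("Action must be Grant or Revoke")
    if not is_valid_path(dept, path):
        raise ValueError(f"Path is outside the {dept} department OU")
    when = when or datetime.now(timezone.utc)
    return {
        "Timestamp": when.strftime("%Y-%m-%dT%H:%M:%S.000Z"),
        "Type": "Delegation",
        "Action": action,
        "Delegation": delegation,
        "Principal": principal,
        "Path": path,
        "RequestedBy": requested_by,
    }

def to_ldif(dept, request):
    """Render the LDIF that adds the compact JSON string to the department's requests attribute."""
    return "\n".join([f"dn: ou={dept.lower()},ou=departments,ou=administrative,{BASE_DN}",
                      "changetype: modify", f"add: {REQUEST_ATTR}",
                      f"{REQUEST_ATTR}: {json.dumps(request, separators=(',', ':'))}", ""])

def parse_request(ldif_line):
    """Parse one request attribute line from ldapsearch output ('attr:: b64' if not safe text)."""
    attr, sep, raw = ldif_line.partition(":")
    if not sep or attr.strip() != REQUEST_ATTR:
        raise ValueError("not a request attribute line")
    raw = raw.strip()
    if raw.startswith(":"):                       # ldapsearch base64-encoded the value
        raw = base64.b64decode(raw[1:].strip()).decode()
    request = json.loads(raw)
    if REQUIRED_KEYS - set(request):
        raise ValueError("request is missing required properties")
    return request
```

Write the output of to_ldif to a file and pass it to ldapmodify as in step 6; the same string is what the Add-ADDelegationRequest.ps1 script submits on your behalf.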

Delegation Request String

The request string for a delegation request is a JSON string that contains the following properties: 

Delegation Result String

The result string for a delegation request is a JSON string that contains the following properties: 

...