The OpenLDAP ldapmodify and Kerberos kinit tools can be leveraged together to submit delegation requests to the Austin Active Directory by directly adding the delegation request JSON string to the requests attribute. Please see the Request Requests By Attribute - Technical Details page for more information about the components of the process.

Request a delegation

  1. Ensure that your system is connected to the UT VPN

    Note

    VPN access is required to retrieve a Kerberos ticket


  2. Start a command-line terminal if using a graphical UI
  3. Ensure that the required packages are installed: 

    Operating System    OpenLDAP            Kerberos
    macOS               included            included
    RHEL                openldap-clients    krb5-workstation
    Ubuntu              ldap-utils          krb5-user


  4. Modify then save the contents of the following code block to define the delegation request:

    Code Block
    dn: ou=example,ou=departments,ou=administrative,dc=austin,dc=utexas,dc=edu
    changetype: modify
    add: utexasEduAustinMulti1
    utexasEduAustinMulti1: {"Timestamp":"2024-03-01T12:00:00.000Z","Type":"Delegation","Action":"Grant","Delegation":"Group","Principal":"EXAMPLE-ComputerAdmins","Path":"OU=Computers,OU=EXAMPLE,OU=Departments,DC=austin,DC=utexas,DC=edu","RequestedBy":"EXAMPLE-abc123"}


  5. Modify then run the following command to retrieve a Kerberos ticket:

    Info

    Replace the <dept-admin> in the following command with your department administrator username. The domain name must be capitalized. For example, the example-abc123 department administrator would use example-abc123@AUSTIN.UTEXAS.EDU.


    Code Block
    kinit <dept-admin>@AUSTIN.UTEXAS.EDU


  6. Modify then run the following command to submit the delegation request:

    Info

    Replace example in the LDIF file name with the actual file name


    Code Block
    ldapmodify -Q -H "ldap://austin.utexas.edu" -f example.ldif


  7. Modify then run the following command to review the pending request:

    Info

    Replace example in both the DN and filter with the actual department name


    Code Block
    ldapsearch -Q -H "ldap://austin.utexas.edu" -b "ou=example,ou=departments,ou=administrative,dc=austin,dc=utexas,dc=edu" -s base "(ou=example)" utexasEduAustinMulti1


  8. Wait until a few minutes after the next hour. 

    Info

    Requests are processed every hour within the first few minutes.


  9. Modify then run the following command to review the results of the request:

    Info

    Replace example in both the DN and filter with the actual department name


    Code Block
    ldapsearch -Q -H "ldap://austin.utexas.edu" -b "ou=example,ou=departments,ou=administrative,dc=austin,dc=utexas,dc=edu" -s base "(ou=example)" utexasEduAustinMulti2
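
Hand-editing the JSON string in step 4 makes it easy to leave a stray quote or line break in the attribute value. The script below is an added example, not part of the original page: it generates the LDIF from arguments and refuses any value outside a conservative character allow-list. The function names, the allow-list, and the use of the current UTC time for Timestamp are assumptions.

```shell
#!/bin/sh
# Added example: build the delegation-request LDIF from arguments.
LC_ALL=C; export LC_ALL   # make the A-Z / a-z ranges below ASCII-only

# Allow-list checks. Quotes, backslashes, whitespace and control characters
# could break the JSON string or add extra LDIF lines, so they are refused.
is_name() {   # letters, digits, "-" and "_" (department, principal, requester)
    case $1 in ''|*[!A-Za-z0-9_-]*) return 1 ;; esac
}
is_dn() {     # the same set plus "=" and "," (assumption: no spaces in the DN)
    case $1 in ''|*[!A-Za-z0-9_=,-]*) return 1 ;; esac
}

# make_delegation_ldif DEPT PRINCIPAL PATH REQUESTED_BY [TIMESTAMP]
# Prints the LDIF on stdout; returns 1 without printing LDIF on bad input.
# Assumption: Timestamp is the current UTC time in the format the page shows.
make_delegation_ldif() {
    dept=$1 principal=$2 path=$3 requester=$4
    stamp=${5:-$(date -u +%Y-%m-%dT%H:%M:%S.000Z)}
    if ! { is_name "$dept" && is_name "$principal" &&
           is_name "$requester" && is_dn "$path"; }; then
        echo "refusing: empty value or disallowed character" >&2
        return 1
    fi
    case $stamp in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]T[0-9][0-9]:[0-9][0-9]:[0-9][0-9].[0-9][0-9][0-9]Z) ;;
        *) echo "refusing: timestamp must look like 2024-03-01T12:00:00.000Z" >&2
           return 1 ;;
    esac
    printf 'dn: ou=%s,ou=departments,ou=administrative,dc=austin,dc=utexas,dc=edu\n' "$dept"
    printf 'changetype: modify\nadd: utexasEduAustinMulti1\n'
    printf 'utexasEduAustinMulti1: {"Timestamp":"%s","Type":"Delegation","Action":"Grant","Delegation":"Group","Principal":"%s","Path":"%s","RequestedBy":"%s"}\n' \
        "$stamp" "$principal" "$path" "$requester"
}

# Demo with the page's own example values (timestamp defaults to now).
make_delegation_ldif example EXAMPLE-ComputerAdmins \
    "OU=Computers,OU=EXAMPLE,OU=Departments,DC=austin,DC=utexas,DC=edu" EXAMPLE-abc123
```

Redirect the output to the .ldif file that is passed to ldapmodify -f in step 6.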

