...

How-To - Request a Delegation via ldapmodify

Warning

INCOMPLETE

The OpenLDAP ldapmodify client and Kerberos kinit tools can be leveraged together to submit delegation requests to the Austin Active Directory by directly adding the delegation request JSON string to the requests attribute. Please see the Request By Attribute - Technical Details page for more information about the components of the process.

Request a delegation

  1. Ensure that your system is connected to the UT VPN

    Note

    VPN access is required to retrieve a Kerberos ticket


  2. Start a command-line terminal if using a graphical UI
  3. Ensure that the required packages are installed:

    Operating System    OpenLDAP            Kerberos
    macOS               included            included
    RHEL                openldap-clients    krb5-workstation
    Ubuntu              ldap-utils          krb5-user


  4. Modify then save the contents of the following code block to define the delegation request:

    Code Block
    dn: ou=example,ou=departments,ou=administrative,dc=austin,dc=utexas,dc=edu
    changetype: modify
    add: utexasEduAustinMulti1
    utexasEduAustinMulti1: {"Timestamp":"2024-03-01T12:00:00.000Z","Type":"Delegation","Action":"Grant","Delegation":"Group","Principal":"EXAMPLE-ComputerAdmins","Path":"OU=Computers,OU=EXAMPLE,OU=Departments,DC=austin,DC=utexas,DC=edu","RequestedBy":"EXAMPLE-abc123"}


  5. Modify then run the following command to retrieve a Kerberos ticket:

    Info

    Replace the <dept-admin> in the following command with your department administrator username. The domain name must be capitalized. The example-abc123 department administrator would run the following: example-abc123@AUSTIN.UTEXAS.EDU


    Code Block
    kinit <dept-admin>@AUSTIN.UTEXAS.EDU


  6. Run the following command to submit the delegation request:

    Info

    Replace example in the LDIF file name with the actual file name


    Code Block
    ldapmodify -Q -H "ldap://austin.utexas.edu" -f example.ldif


  7. Run the following command to review the pending request:

    Info

    Replace example in both the DN and filter with the actual department name


    Code Block
    ldapsearch -Q -H "ldap://austin.utexas.edu" -b "ou=example,ou=departments,ou=administrative,dc=austin,dc=utexas,dc=edu" -s base "(ou=example)" utexasEduAustinMulti1


  8. Wait until a few minutes after the next hour. 

    Info

    Requests are processed every hour within the first few minutes.


  9. Run the following command to review the results of the request:

    Info

    Replace example in both the DN and filter with the actual department name


    Code Block
    ldapsearch -Q -H "ldap://austin.utexas.edu" -b "ou=example,ou=departments,ou=administrative,dc=austin,dc=utexas,dc=edu" -s base "(ou=example)" utexasEduAustinMulti2
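
Added here as a worked example (not code from this page or from the UT service): a small Python helper that builds the delegation request string and its LDIF in the format shown in step 4, runs a few local sanity checks before anything is submitted, and decodes the utexasEduAustinMulti1 / utexasEduAustinMulti2 values that ldapsearch returns in steps 7 and 9. The department OU layout and the name-prefix rule it checks are assumptions taken from the example values above, not the service's documented validation.

```python
import json
import re
from datetime import datetime, timezone
REQUEST_ATTR = "utexasEduAustinMulti1"   # attribute the request string is added to

def check_request(dept, req):
    """Local sanity checks before submission (an assumption of this example, not the
    service's own rules): Path must be inside the department OU, and group and requester
    must carry the department prefix, so a typo cannot target another department."""
    problems = []
    dept_ou = f"OU={dept},OU=Departments,DC=austin,DC=utexas,DC=edu".upper()  # assumed layout
    path = req["Path"].upper()
    if path != dept_ou and not path.endswith("," + dept_ou):
        problems.append(f"Path is outside {dept_ou}")
    prefix = f"{dept}-".upper()
    for field in ("Principal", "RequestedBy"):
        if not req[field].upper().startswith(prefix):
            problems.append(f"{field} lacks the {prefix} prefix")
    if not re.fullmatch(r"\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d\.\d{3}Z", req["Timestamp"]):
        problems.append("Timestamp is not ISO 8601 UTC with milliseconds")
    return problems

def build_request(dept, principal, path, requested_by, action="Grant", timestamp=None):
    """Return the request JSON string, keys in the order the page's example uses."""
    timestamp = timestamp or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    req = {"Timestamp": timestamp, "Type": "Delegation", "Action": action, "Delegation": "Group",
           "Principal": principal, "Path": path, "RequestedBy": requested_by}
    problems = check_request(dept, req)
    if problems:
        raise ValueError("; ".join(problems))
    return json.dumps(req, separators=(",", ":"))

def build_ldif(dept, request_json):
    """Wrap the request string in the modify LDIF that `ldapmodify -f` reads."""
    dn = f"ou={dept.lower()},ou=departments,ou=administrative,dc=austin,dc=utexas,dc=edu"
    return f"dn: {dn}\nchangetype: modify\nadd: {REQUEST_ATTR}\n{REQUEST_ATTR}: {request_json}\n"

def parse_requests(ldif_text, attr=REQUEST_ATTR):
    """Decode each value of attr in ldapsearch output; LDIF continuation lines (leading space) are joined first."""
    unfolded = re.sub(r"\n ", "", ldif_text)
    return [json.loads(line[len(attr) + 2:])
            for line in unfolded.splitlines() if line.startswith(attr + ": ")]

# Constructed sample of ldapsearch output (not real data) with the value folded across lines.
SAMPLE_SEARCH_OUTPUT = (
    "dn: ou=example,ou=departments,ou=administrative,dc=austin,dc=utexas,dc=edu\n"
    'utexasEduAustinMulti1: {"Timestamp":"2024-03-01T12:00:00.000Z","Type":"Delegati\n'
    ' on","Action":"Grant","Delegation":"Group","Principal":"EXAMPLE-ComputerAdmins",\n'
    ' "Path":"OU=Computers,OU=EXAMPLE,OU=Departments,DC=austin,DC=utexas,DC=edu","RequestedBy":"EXAMPLE-abc123"}\n'
)
```

Pass `REQUEST_ATTR.replace("1", "2")` as `attr` to `parse_requests` to decode the step 9 results the same way.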


Delegation Request String

...