Versions Compared

Old Version 16

changes.mady.by.user Alex Barth

Saved on

compared with

New Version Current

changes.mady.by.user Alex Barth

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

The Delegation request type enables a department administrator to modify  modify permissions on an organizational unit in a department OU. A department administrator can submit a delegation request to grant or revoke one of the defined permissions sets called delegations to an existing group in Active Directory. The supported delegationsare defined on the following page:

How-To - Request a Delegation via PowerShell script

...

The Active Directory team maintains a set of PowerShell scripts at https://github.austin.utexas.edu/eis1-aad/RequestsByAttribute to assist department administrators with this process. These scripts must be run on a Windows system joined to the Austin Active Directory and the system must have the Active Directory PowerShell module installed.

  • Add-ADDelegationRequest.ps1 - submits a new delegation request for a department
  • Remove-ADDelegationRequst.ps1 - remove a pending delegation request for a department

Request a delegation

...

Start a PowerShell session as a department administrator. 

Info

Complete the following steps in this PowerShell session unless instructed otherwise

...

Run the following commands to request a delegation: 

Info

The following example would be run by EXAMPLE-abc123 who is a department administrator in the EXAMPLE department and to submit a request that would grant the Computer delegation to the EXAMPLE-ComputerAdmins on the OU=Computers,OU=EXAMPLE,OU=Departments,DC=austin,DC=utexas,DC=edu organizational unit. The RequestedFor parameter notes that the department administrator is requesting the delegation on behalf of the xyz789 user.

Code Block
.\Add-ADDelegationRequest.ps1 -Department EXAMPLE -Action Grant -Path 'OU=Computers,OU=EXAMPLE,OU=Departments,DC=austin,DC=utexas,DC=edu' -Principal 'EXAMPLE-ComputerAdmins' -Delegation Computer -RequestedFor xyz789

How-To - Request a Delegation via ldapmodify

...

Warning

INCOMPLETE

The OpenLDAP ldapmodify client can be leveraged to submit delegation requests to the Austin Active Directory by directly adding the delegation request JSON string to the requests attribute. Please see the Request By Attribute - Technical Details page for more information about the components of the process.

Request a delegation

...

  • VPN access is required to retrieve a Kerberos ticket

...

  • MacOS - included with all modern versions of the 
  • Ubuntu - install the ldap-utils package
  • RHEL - install the openldap-clients package

...

Modify then run the following commands to retrieve a Kerberos ticket: 

Info

Replace the <dept-admin> in the following command with your department administrator username. The domain name must be capitalized. The example-abc123 department administrator would run the following: example-abc123@AUSTIN.UTEXAS.EDU

Code Block
kinit <dept-admin>@AUSTIN.UTEXAS.EDU

Run the following commands to request a delegation: 

Info

ldapmodify -LLL -Q -H "ldap://austin.utexas.edu" -

...

Delegation Request String

The request string for a delegation request is a JSON string that contains the following properties: 

Delegation Result String

The result string for a delegation request is a JSON string that contains the following properties: