You are viewing an old version of this page. View the current version.
Compare with Current
View Page History
« Previous
Version 21
Next »
The Delegation request type enables a department administrator to modify permissions on an organizational unit in a department OU. A department administrator can submit a delegation request to grant or revoke one of the defined permissions sets called delegations. The supported delegations are defined on the following page:
How-To - Request a Delegation via PowerShell script
Click here to expand...
The Active Directory team maintains a set of PowerShell scripts at https://github.austin.utexas.edu/eis1-aad/RequestsByAttribute to assist department administrators with this process. These scripts must be run on a Windows system joined to the Austin Active Directory and the system must have the Active Directory PowerShell module installed.
- Get-ADRequests.ps1 - displays the pending requests for a department
- Get-ADResults.ps1 - displays the results of any requests for a department
- Add-ADDelegationRequest.ps1 - submits a new delegation request for a department
- Remove-ADDelegationRequst.ps1 - remove a pending delegation request for a department
Request a delegation
- Download the scripts in the RequestByAttribute repo to a local directory.
Start a PowerShell session as a department administrator.
- Navigate to the directory where the RequestByAttribute scripts are located.
Run the following commands to request a delegation:
.\Add-ADDelegationRequest.ps1 -Department 'EXAMPLE' -Action 'Grant' -Delegation 'Computer' -Principal 'EXAMPLE-ComputerAdmins' -Path 'OU=Computers,OU=EXAMPLE,OU=Departments,DC=austin,DC=utexas,DC=edu'
Run the following commands to review the pending request:
.\Get-ADRequests.ps1 -Department 'EXAMPLE'
Wait until a few minutes after the next hour.
Run the following commands to review the results of the request:
.\Get-ADResults.ps1 -Department 'EXAMPLE'
How-To - Request a Delegation via ldapmodify
Click here to expand...
The OpenLDAP ldapmodify and Kerberos kinit tools can be leveraged together to submit delegation requests to the Austin Active Directory by directly adding the delegation request JSON string to the requests attribute. Please see the Requests By Attribute - Technical Details page for more information about the components of the process.
Request a delegation
Ensure that your system is connect to the UT VPN
- Start a command-line terminal if using a graphical UI
Ensure that the required packages are installed:
Operating System | OpenLDAP | Kerberos |
---|
macOS | included | included |
RHEL | openldap-clients | krb5-workstation |
Ubuntu | ldap-util | krb5-user |
Modify then save the contents of the following code block to define the delegation request:
dn: ou=example,ou=departments,ou=administrative,dc=austin,dc=utexas,dc=edu
changetype: modify
add: utexasEduAustinMulti1
utexasEduAustinMulti1: {"Timestamp":"2024-03-01T12:00:00.000Z","Type":"Delegation","Action":"Grant","Delegation":"Group","Principal":"EXAMPLE-ComputerAdmins","Path":"OU=Computers,OU=EXAMPLE,OU=Departments,DC=austin,DC=utexas,DC=edu","RequestedBy":"EXAMPLE-abc123"}
Modify then run the following commands to retrieve a Kerberos ticket:
kinit <dept-admin>@AUSTIN.UTEXAS.EDU
Modify then run the following commands to submit the delegation request:
ldapmodify -Q -H "ldap://austin.utexas.edu" -f example.ldif
Modify then run the following commands to review the pending request:
ldapsearch -Q -H "ldap://austin.utexas.edu" -b "ou=example,ou=departments,ou=administrative,dc=austin,dc=utexas,dc=edu" -s base "(ou=example)" utexasEduAustinMulti1
Wait until a few minutes after the next hour.
Modify then run the following commands to review the results of the request:
ldapsearch -Q -H "ldap://austin.utexas.edu" -b "ou=example,ou=departments,ou=administrative,dc=austin,dc=utexas,dc=edu" -s base "(ou=example)" utexasEduAustinMulti2
Delegation Request String
The request string for a delegation request is a JSON string that contains the following properties:
Delegation Result String
The result string for a delegation request is a JSON string that contains the following properties: