ADTF 2016 02 03
wderman, sandoval, dattilo, buss, kimn, fredrick, rwallis, chartier, estradar, tarrant, truss, mark, jlampe, jdister
We will be looking over the user creation scripts today and will discuss the next steps of the IAM/IDM project (and there will be donuts :-).
Garth reviews the script developed to populate AD from LDAP. Only change the minimal set of data so as not to accidentally overwrite fields set by labs/programs. In future, run script on regular basis; need to define schedule. Issues of non-UCAR staff -- CISL will cover licensing for active supercomputer users, disabled users don’t count for licensing.
What if there’s an error? Script errors out and doesn’t change things. Disaster recovery? Garth will talk to Ramsey about some sort of snapshot/rollback mechanism. Wendy suggests turning a domain controller off before updating, then turning back on once we’re confident in the update -- leaves a known good copy.
Current effort is focused on immediate needs, there’s always the option of adding additional or different scripting in the future.
Are people comfortable with the process? General assent. Most folks are already in good shape.
How about staff from “forbidden” countries? No problem having them in AD; labs/programs need to ensure they don’t end up in AD groups that give them access to stuff they shouldn’t. Could be useful to have group of individuals from embargoed nations.
Anne-Marie wants declaration of what is SPI so we know what needs to be protected in AD. Employee ID is a grey area -- could be used for charging.
Another desired outcome of this process is eliminating possibility of duplicate entries that need to be reconciled.
Will still be edge cases, e.g. joint appointments. AD will be populated from LDAP but would be good to cross-check. Don’t want to rely on user to report whether they should be paid. Employee payroll information is already held separately, not in LDAP or AD; can double-check that all the people who need to log into Time Card system are present in AD.
Labs and programs will be responsible for setting passwords where necessary. Will need to test! Need new “your password is expiring” warning mechanism. (Mark warns that Time Card will no longer be able to warn -- we don’t have the cycles to continue to patch the JDK.)
Garth describes ACOM’s password-setting script -- willing to share (without warranty!). Side discussion on implications of Garth and Tim knowing people’s passwords. Token future would also be good!
Where are ADTF meeting notes? Wiki. Ramsey will send link.
Ramsey has alternated future meetings between FL and ML.
Wrapped at 11:15.