The WiscNIC LDAP Audit and What to Do About It

This document describes procedures for handling action items reported by the WiscNIC LDAP Audit.

Introduction

There is a script on Peleus called ldap_audit.pl which lives in the AANTS cgi-bin directory.  It runs in cron.  Essentially it gets a list of everyone in WiscNIC and compares that list against the official UW directory.  If someone is no longer in the official UW Directory, it usually means they have left the employment of the University and they should have their AANTS access removed.

The report arrives once a day and looks something like this:

No entry for Srinivas Govindan <govindan@wisc.edu>!
No entry for Nathan Panike <nwp@cs.wisc.edu>!
No entry for Theo Streibel <streibel@wisc.edu>!
513 contacts found in LDAP.

3 contacts not found in LDAP.

23 known mismatches skipped.
0 people with multiple entries.
So this particular report says that it checked 513 contacts in WiscNIC.
3 people who used to be in the UW Directory are no longer there.
23 people were skipped.  (We'll get to this in a second.)
0 people had multiple entries.

There are three categories of things that might need to happen as a result of the report.  They are covered below.

An admin is no longer in the UW Directory

This will be reported with a line like this:
No entry for Srinivas Govindan <govindan@wisc.edu>!

Steps to take:

1) Send an email directly to the person involved letting them know what they are no longer in the UW Directory and ask them if they know a reason why this might be and also if they are still an admin for a UW Lan.

2) If the email from 1 bounces, remove the person from WiscNIC.  See directions for doing that below.

3) If the person responds that they ARE still a UW Admin have them get in touch with their HR dept. about the Directory issue and put a note on their WiscNIC entry in the remarks field that says "Not in LDAP."  It's important that LDAP is all in capital letters.  This is a clue to the auditing script to skip this person for the time being.

4) If the person responds that they have left the UW, follow directions for removing the person from WiscNIC.

5) If you don't hear from the person in a week or so, delete them from WiscNIC.  You can always add them back later.

An admin was discovered in the UW Directory who was not there previously


This will be reported with a line like this:

Srinivas Govindan now in LDAP as SRINIVAS GOVIDAN!

Steps to take:

1) Remove the comment from their WiscNIC entry (in the remarks field) that says something like "Not in LDAP".  This will allow the audit to start monitoring them.

An admin has multiple entries


This will be reported with a line like this:

2 entries for Srinivas Govindan!  Try SRINIVAS A GOVIDAN?

Steps to take:

1) Go to the UW directory (http://www.wisc.edu/directories/) and see if you can find an entry for the right person.  If there's a middle initial, etc, add it to the WiscNIC entry so the script will be able to choose between them.

Deleting someone from WiscNIC:

1) Use WiscnicSearch.cgi to look up their current list of records.  You can get this using the "Vlan and Subnet Info From =>" option and giving a user name, NIC handle, or NetID, depending on what you have.

2) Note any records on which they are the ONLY tech-c or admin-c.  You'll have to do more work for these.

3) If they are not the only tech-c or admin-c on any of the records, just use WiscnicUpdate.cgi to delete them.  There's an option for "Delete a Contact From WiscNIC".

4) If they are the only tech-c or admin-c on a given record, you have to update that record first using WiscnicUpdate.cgi.  Put "HM1" (Hostmaster) as the tech-c or admin-c instead of the person you want to remove.

5) Once all records are changed, use the WiscnicUpdate.cgi tool to remove them from WiscNIC.




Keywords:WiscNIC, LDAP, audit   Doc ID:33555
Owner:Charles T.Group:Network Services
Created:2013-09-18 15:28 CDTUpdated:2013-09-23 11:10 CDT
Sites:Network Services
Feedback:  0   0