====== Accounts ======

====== Membership Process ======

This page outlines how to take on new members and create their accounts in ACM's Active Directory domain, as well as how to manage existing membership accounts.

===== How to Take Forms and Membership Dues =====

{{:membership-application-09-18-15.pdf|}} \\
{{:membership-application-09-18-15.odt|}} \\

==== Membership Application, President/Treasurer/Vice President ====

  - Have the applicant fill out a Membership Application form. If the form is not legible, have the applicant fill out a new Membership Application.
  - Verify the form has been completed. In particular, verify the contact information and the requested account name. **DO NOT accept applications with bad handwriting.**

==== Dues Collection/Processing ====

  - If the applicant is a member of the National ACM, the membership dues are waived. The President/Treasurer/Vice President collects the applicant's National ACM Membership number and signs off on the treasurer line. **Todo: Determine a process to verify National ACM Membership.**
  - If the applicant is not a member of the National ACM, membership dues must be collected by the President/Treasurer. The applicant must receive a receipt from the President/Treasurer. Once a receipt is issued, the President/Treasurer signs off on the treasurer line. Collected membership dues must be recorded in the ledger/register. **Don't forget to update the ledger.**

==== Membership Application Processing, President/Treasurer/Vice President ====

  - Record the information from the physical membership application in the ACM Membership sheet located in the ACM Google Drive.
  - From the ACM Membership sheet, process the application as either a [[accounts#creation|new membership]] or a [[accounts#renewal|renewal]]. In either case, follow the procedures listed below under [[accounts#procedures|Procedures]].
  - Once the application has been processed, sign off on the systems line to indicate that it has been processed. Move the completed and signed membership application form to storage.

====== Accounts ======

===== About =====

ACM Active Directory accounts are needed to log into any of the software systems provided for chapter member use. The group membership of these accounts is used to track membership status as well as to control access to specific systems and services. Any change to the ACM membership procedure needs to address the concerns involved in managing account statuses and the information held in the accounts. Additional membership features should not interfere with, or otherwise unnecessarily encumber, the management of Active Directory account data. Several pieces of code are tied directly to Active Directory: the membership list on the website pulls AD data directly, and most of our software systems use Active Directory for authentication and authorization.

Todos from the spring 2016 officers accounts meeting:

  * Decide on how scripts/mechanisms will be accessed and controlled.
  * Document how accounts and membership are tied together.
  * Document clearly how this works on the user facing page.
  * Document misc. operations commands. See SambaADWrapper on GitHub.
  * Data retention policy.
  * Make sure official contact points are correct (partially related to email contents). The reply email officers@acm.cs.uic.edu lives under SambaADWrapper/acm_ad_mod.conf ([[https://acm.cs.uic.edu/git/sig-sysadmin/sambaadwrapper/blob/master/acm_ad_mod.conf]]).
  * Todo: Document considerations needed for future dev work. How would a fuller web flow work? AD specific considerations?
  * Ideas: maintain an FAQ for future ideas/answers. See the Development Kanboard.
  * Todo: Document a public facing membership page, directing people to a contact point for when problems arise.
==== Policies ====

**Those wanting an account need to pay the ACM membership fee; do not process applications that have not been signed off on.**

Todo: Document information about account requirements, validity period, renewal notices, expiration information, and deletion policy.

=== Statuses ===

Alumni, Defunct, NotPaid, Paid, Temp

Note: If someone comes back to contribute and needs an account, the flow is (none, i.e. a new account), NotPaid or Defunct -> Paid -> Alumni.

Note: The Temp status is used for people who want temporary access. Cases include allocating accounts to professors so the students of a class can use the cuda machine. The point of the Temp status is to remember that these accounts must be removed.

Note: A defunct member is someone who has not paid for two years; the account has been deactivated and the member cannot access services.

=== Valid Status Transitions ===

  * (none), NotPaid, Defunct -> Paid (new membership or renewal)
  * Paid -> NotPaid (the member has not renewed by the end of the grace period specified in the constitution)
  * NotPaid -> Defunct (after 1 term NotPaid, the account decays at the end of the grace period specified in the constitution)
  * Defunct -> deleted (after 2 terms Defunct, the account is deleted)
  * Paid, NotPaid, Defunct -> Alumni (opt-in renewal case for graduated members; the Alumni status is ignored after creation)
  * Temp -> cleared (cleared at the end of the term unless requested otherwise)

===== Procedures =====

==== Creation ====

  - Log in to chopin.
  - cd to /opt/acm-officers/membership.
  - Execute the target account creation command generated by the ACM Membership sheet located in the ACM Google Drive.

==== Activation ====

Notice email body as sent by the creation script (the %s placeholders are filled with the user name, the temporary password, and the user name again):

> Your ACM account has been created with the user name '%s' and the TEMPORARY password '%s'
> You must change your password when logging into the ACM server for the first time. You need to log into the server using an SSH client to connect to acm.cs.uic.edu, once connected you will be asked to change your password to a permanent one.
> You CANNOT set your INITIAL password on our website.
>
> Your permanent password MUST conform to the password requirements listed here,
>     http://acm.cs.uic.edu/password-policy
>
> To connect on Windows download and run Putty
>     http://www.chiark.greenend.org.uk/~sgtatham/putty/
>
> On OSX and Linux, enter the following in a terminal window
>     'ssh %s@acm.cs.uic.edu'
> And hit enter, you will be prompted for your password and it is normal if no additional text appears on screen when you type.
>
> Best Regards,
>     The UIC ACM

==== Renewal ====

  - Log in to chopin.
  - cd to /opt/acm-officers/membership.
  - Execute the target command for the renewal generated by the ACM Membership sheet located in the ACM Google Drive.

==== Changing a Password ====

System Administrators/President/Treasurer/Vice President

**Note: If the officers can solve a problem themselves, they should NOT call in the system administrators.**

  - This must be done with the member present. If the member is not present, see below.
  - Log in to chopin (or any other system with samba-tool from Samba 4 or later).
  - Assuming you have administrative rights (group membership in the main admins group or ACMOfficers), execute the following command, where <username> is the member's account name and <you> is your own account (these are placeholders, not literal values). Keep the ldaps:// scheme so the new password is not sent to the domain controller in the clear.<code>
samba-tool user setpassword <username> -H ldaps://sambaad1.acm.cs -U <you>@acm.cs
</code>
  - The member enters their new password. The new password must meet the password requirements for ACM accounts.
  - You will have to input your own password to confirm the member's password reset.

=== Password Reset for non-present Members ===

  - Log in to acm.cs.uic.edu over SSH.
  - Navigate to the officers scripts in /opt/acm-officers.
  - Under membership/, run passwdReset.sh with the target user name. This emails a temporary password to the target user.
  - Because the temporary password is delivered by email, confirm that the request really came from the account holder before running the reset.

Reset password email notice (the %s placeholders are the user name, the temporary password, and the user name again):

> Your ACM account password has been reset, user name '%s' and the TEMPORARY password '%s'
> You must change your password by logging into the ACM server.
> You need to log into the server using an SSH client to connect to acm.cs.uic.edu, once connected you will be asked to change your password to a permanent one. You CANNOT reset your TEMP password on our website.
>
> Your permanent password MUST conform to the password requirements listed here,
>     http://acm.cs.uic.edu/password-policy
>
> To connect on Windows download and run Putty
>     http://www.chiark.greenend.org.uk/~sgtatham/putty/
>
> On OSX and Linux, enter the following in a terminal window
>     'ssh %s@acm.cs.uic.edu'
> And hit enter, you will be prompted for your password and it is normal if no additional text appears on screen when you type.
>
> Best Regards,
>     The UIC ACM

==== Updating Statuses for New School Year ====

  - Log in to chopin.
  - cd to /opt/acm-officers/membership.
  - Start a tmux or screen session in case you get disconnected while the command is running.
  - Run ./update_account_groups.sh and enter your password when prompted.
  - The script writes its output to ~/acm_accounts.log while running; you can use another session to watch its progress.
  - Wait for the script to finish; this takes a couple of minutes.

==== Group Membership in AD ====

To allow access to the Windows Server but not sudo, add only Domain Admins. For full access, add ACMLanAdmins.

[[admin:adgroups|AD Groups List]]

====== Other LDAP Domain Operations ======

==== Viewing the List of Current Members (Web) ====

A basic list of the current members and alumni members can be found on the [[https://acm.cs.uic.edu/members|ACM Website]].

If you need the list of current paid members for official purposes, the CSV generation script is currently located at [[https://acm.cs.uic.edu/~walter/paidmembers-to-csv.php]].

//**You must log in with your ACM user/pass combo and your account must be a member of ACMOfficers.**//

==== View and Edit LDAP Data with Apache Directory Studio ====

The Apache Directory Studio LDAP Browser should be installed on every ACM workstation.
It can also be used on any machine connected to the ACM network, provided it is configured correctly to connect to one of the LDAP servers.

=== LDAP Configuration ===

=== Directory Structure ===

==== Custom Active Directory Schema ====

The OID prefix for ACM's custom attributes is 1.2.840.113556.1.8000.2554.55282.20636.13169.16663.37926.11767076.67635.X (where X is the attribute number). The 1.2.840.113556.1.8000.2554 root is the range Microsoft hands out for OIDs generated with its oidgen script, so the prefix is unique to us and does not collide with built-in AD attributes.

The custom schema changes were requested by acting ACM Officer & Head of DevOps Team, Jeff Kaleshi, and were made on September 11, 2017. Custom ACM attributes are now allowed on the ACM user object within AD. They were configured with RSAT. More information can be found in the Additional Docs section.

Note that telephoneNumber (2.5.4.20) is a standard X.520 attribute, not an ACM-defined one; it is listed here because the membership data uses it alongside the custom attributes. UICnetid and UICUIN are personal identifiers: keep the data retention policy todo above in mind and restrict who can read them.

^ OID ^ Attribute Name ^
| 2.5.4.20 | telephoneNumber |
| 1.2.840.113556.1.8000.2554.55282.20636.13169.16663.37926.11767076.67635.1 | UICnetid |
| 1.2.840.113556.1.8000.2554.55282.20636.13169.16663.37926.11767076.67635.2 | UICUIN |
| 1.2.840.113556.1.8000.2554.55282.20636.13169.16663.37926.11767076.67635.3 | UICClassLevel |
| 1.2.840.113556.1.8000.2554.55282.20636.13169.16663.37926.11767076.67635.4 | UICMajor |
| 1.2.840.113556.1.8000.2554.55282.20636.13169.16663.37926.11767076.67635.5 | UICCollege |

==== Additional Docs ====

  * [[https://wiki.samba.org/index.php/Installing_RSAT_on_Windows_for_AD_Management]]
  * [[https://social.technet.microsoft.com/wiki/contents/articles/20319.how-to-create-a-custom-attribute-in-active-directory.aspx]]
  * [[https://gallery.technet.microsoft.com/scriptcenter/56b78004-40d0-41cf-b95e-6e795b2e8a06]]
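==== Added Example: Year-End Status Decay ====

The following is an added example, not the chapter's update_account_groups.sh or any code from SambaADWrapper. It models the rules stated under "Valid Status Transitions" and "Updating Statuses for New School Year" as a small state machine and emits the samba-tool commands a year-end run would need, as a dry run that can be reviewed before anything touches AD. Assumptions not stated on this page: each status is an AD group with the same name as the status, the officers' renewal processing marks an account as paid for the current term before the year-end run, and Temp accounts are created directly with the Temp status. The sample accounts are constructed, not real members.

```python
"""Year-end decay of ACM account statuses (added example, not the chapter's script).

Assumptions not on the wiki page: one AD group per status, named after the
status; renewal processing sets paid_this_term before the year-end run; Temp
accounts start out as Temp.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

STATUSES = ("Alumni", "Defunct", "NotPaid", "Paid", "Temp")
NEW = None  # the account does not exist yet

# Transitions an officer may perform by hand ("Valid Status Transitions").
# (NEW, "Temp") is an assumption: the page does not say how Temp accounts start.
MANUAL = {
    (NEW, "Paid"), ("NotPaid", "Paid"), ("Defunct", "Paid"),
    ("Paid", "Alumni"), ("NotPaid", "Alumni"), ("Defunct", "Alumni"),
    (NEW, "Temp"),
}


def is_valid_transition(current: Optional[str], target: str) -> bool:
    """True if the policy lists current -> target as a manual transition."""
    return target in STATUSES and (current, target) in MANUAL


def check_manual(current: Optional[str], target: str) -> str:
    """Reject a requested transition before touching AD, so that a typo in the
    membership sheet cannot produce e.g. Alumni -> Paid or Temp -> Paid."""
    if not is_valid_transition(current, target):
        raise ValueError(f"{current!r} -> {target!r} is not a valid transition")
    return target


@dataclass
class Account:
    name: str
    status: str
    paid_this_term: bool = False  # set by the officers' renewal processing
    terms_in_status: int = 0      # full terms already spent in the current status
    keep_temp: bool = False       # Temp account explicitly requested to survive


def end_of_term(acct: Account) -> Tuple[str, Optional[str]]:
    """Decide one account's fate at the end of the constitution's grace period.

    Returns ("keep", status), ("move", new_status) or ("delete", None).
    """
    s = acct.status
    if s == "Alumni":                      # ignored after creation
        return ("keep", s)
    if s == "Temp":                        # cleared unless requested otherwise
        return ("keep", s) if acct.keep_temp else ("delete", None)
    if s == "Paid":                        # not renewed -> NotPaid
        return ("keep", s) if acct.paid_this_term else ("move", "NotPaid")
    if s == "NotPaid":                     # one full term NotPaid -> Defunct
        return ("move", "Defunct") if acct.terms_in_status >= 1 else ("keep", s)
    if s == "Defunct":                     # two full terms Defunct -> deleted
        return ("delete", None) if acct.terms_in_status >= 2 else ("keep", s)
    raise ValueError(f"unknown status {s!r} on {acct.name}")


def run_year_end(accounts: List[Account]) -> List[str]:
    """Apply end_of_term to every account, update the in-memory state, and
    return the samba-tool commands that would perform the changes.

    Commands are returned rather than executed so the plan can be reviewed
    and logged (the real script logs to ~/acm_accounts.log).
    """
    cmds: List[str] = []
    for a in accounts:
        action, new = end_of_term(a)
        if action == "keep":
            a.terms_in_status += 1
        elif action == "move":
            cmds.append(f"samba-tool group removemembers {a.status} {a.name}")
            cmds.append(f"samba-tool group addmembers {new} {a.name}")
            a.status, a.terms_in_status = new, 0
        else:  # delete: the two-terms-Defunct or end-of-term Temp case
            cmds.append(f"samba-tool user delete {a.name}")
    return cmds


if __name__ == "__main__":
    # Constructed sample accounts, not real members.
    sample = [
        Account("alice", "Paid", paid_this_term=True),
        Account("bob", "Paid"),
        Account("carol", "NotPaid", terms_in_status=1),
        Account("dave", "Defunct", terms_in_status=2),
        Account("erin", "Temp"),
    ]
    print("\n".join(run_year_end(sample)))
```

Run it with the dry-run output redirected to a file and read through the plan before pasting any of it into a shell with AD credentials; the validation in check_manual is the part worth keeping next to whatever generates the sheet's commands.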
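==== Added Example: Paid Members CSV from an LDAP Export ====

This is an added example for the "Viewing the List of Current Members (Web)" and "Custom Active Directory Schema" sections; it is not the chapter's paidmembers-to-csv.php and not code from the page. It parses an LDIF export (the format ldapsearch and ldbsearch print), keeps only enabled accounts in the Paid group, and writes a CSV including the custom UIC attributes from the schema table. Assumptions not stated on the page: the Paid status is the group CN=Paid,CN=Users,DC=acm,DC=cs and the users live under that base DN (placeholders for this example). The LDIF sample is constructed, not real member data.

```python
"""Paid-members CSV from an LDIF export (added example, not paidmembers-to-csv.php).

Assumptions not on the wiki page: the Paid status is the AD group named below
and the export is LDIF as printed by ldapsearch/ldbsearch.
"""
import base64
import csv
import io
from typing import Dict, List

PAID_GROUP = "CN=Paid,CN=Users,DC=acm,DC=cs"  # assumption: status group for Paid
ACCOUNTDISABLE = 0x2                           # userAccountControl bit for a disabled account

# Standard identifiers plus the custom attributes from the schema table.
# UICUIN is deliberately left out: a university ID number does not belong in
# a CSV that gets passed around for "official purposes".
COLUMNS = ["sAMAccountName", "displayName", "mail",
           "UICnetid", "UICClassLevel", "UICMajor", "UICCollege"]


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Parse LDIF into a list of entries {attr_lowercase: [values]}.

    Handles folded continuation lines (leading space), base64 values ("::")
    and the '# ...' / 'result:' trailer ldapsearch appends.
    """
    unfolded: List[str] = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]          # continuation of previous line
        else:
            unfolded.append(line)

    entries, cur = [], {}
    for line in unfolded:
        if line.startswith("#"):
            continue
        if not line.strip():                  # blank line ends an entry
            if cur:
                entries.append(cur)
            cur = {}
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):             # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        cur.setdefault(name.lower(), []).append(value)
    if cur:
        entries.append(cur)
    # the ldapsearch trailer ("search: 2", "result: 0 Success") has no dn
    return [e for e in entries if "dn" in e]


def is_paid(entry: Dict[str, List[str]]) -> bool:
    """Enabled account that is a member of the Paid group (DN compare is case-insensitive)."""
    groups = {g.lower() for g in entry.get("memberof", [])}
    uac = int(entry.get("useraccountcontrol", ["0"])[0])
    return PAID_GROUP.lower() in groups and not uac & ACCOUNTDISABLE


def paid_members_csv(ldif_text: str) -> str:
    """Return CSV text with one row per paid, enabled member, sorted by account name."""
    out = io.StringIO()
    writer = csv.writer(out)
    writer.writerow(COLUMNS)
    entries = sorted(parse_ldif(ldif_text), key=lambda e: e.get("samaccountname", [""])[0])
    for e in entries:
        if is_paid(e):
            writer.writerow([e.get(c.lower(), [""])[0] for c in COLUMNS])
    return out.getvalue()


# Constructed sample export: four users, only alice and dave should be listed.
SAMPLE_LDIF = """\
# constructed sample, not real member data
dn: CN=alice,CN=Users,DC=acm,DC=cs
sAMAccountName: alice
displayName: Alice Example
mail: alice@example.edu
UICnetid: aexamp2
UICUIN: 000000001
UICClassLevel: Junior
UICMajor: Computer Science
UICCollege: Engineering
userAccountControl: 512
memberOf: CN=Paid,CN=Users,DC=acm,DC=cs
memberOf: CN=ACMOfficers,CN=Users,DC=acm,DC=cs

dn: CN=bob,CN=Users,DC=acm,DC=cs
sAMAccountName: bob
displayName:: Qm9iIEV4YW1wbGU=
userAccountControl: 512
memberOf: CN=NotPaid,CN=Users,DC=acm,DC=cs

dn: CN=carol,CN=Users,DC=acm,DC=cs
sAMAccountName: carol
displayName: Carol Example
userAccountControl: 514
memberOf: CN=Paid,CN=Users,DC=acm,DC=cs

dn: CN=dave,CN=Users,DC=acm,DC=cs
sAMAccountName: dave
displayName: Dave Example
mail: dave@example.edu
UICnetid: dexamp3
UICClassLevel: Senior
UICCollege: Engineering
userAccountControl: 512
memberOf: CN=Paid,CN=Users,
 DC=acm,DC=cs

# search result
search: 2
result: 0 Success
"""

if __name__ == "__main__":
    print(paid_members_csv(SAMPLE_LDIF), end="")
```

Feeding it a real export means running ldapsearch as an ACMOfficers member over ldaps://, the same requirement the web CSV script enforces with its login; the disabled-account check mirrors the Defunct rule that a deactivated member must not appear as current.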