This page outlines how to take new membership applications, create the member's account in ACM's Active Directory domain, and manage existing membership accounts.
DO NOT accept applications with bad handwriting.
ACM Active Directory accounts are needed to log into any of the software systems provided for chapter member usage. The group membership of these accounts is used to track membership status as well as control access to specific systems and services.
Any change to the ACM membership procedure needs to address how account statuses and the information stored in the accounts are managed. Additional membership features should not interfere with or otherwise unnecessarily encumber the management of Active Directory account data. Several pieces of code are tied directly to Active Directory: the membership list on the website pulls AD data directly, and most of our software systems use Active Directory for authentication and authorization.
Todos from the spring 2016 officers' accounts meeting:
Decide how scripts/mechanisms will be accessed and controlled.
Document how accounts and membership are tied together, and document this clearly on the user-facing page.
Document misc operations commands. See SambaADWrapper on GitHub.
Data retention policy.
Make sure official contact points are correct (partially related to email contents): the reply email officers@acm.cs.uic.edu lives under SambaADWrapper/acm_ad_mod.conf (https://acm.cs.uic.edu/git/sig-sysadmin/sambaadwrapper/blob/master/acm_ad_mod.conf).
Todo: Document considerations needed for future dev work. How would a fuller web flow work? AD-specific considerations?
Ideas: Maintain an FAQ for future ideas/answers. See the Development Kanboard.
Todo: Document a public-facing membership page that directs people to a contact point when problems arise.
Those wanting an account need to pay the ACM membership fee; do not process applications that have not been signed off on.
Document information about account requirements, validity period, renewal notices, expiration information, and deletion policy.
Account statuses: Alumni, Defunct, NotPaid, Paid, Temp
Note: If someone comes back to contribute and needs an account, the flow is <New>,NotPaid,Defunct → Paid → Alumni.
Note: Temp status is used for people who want temporary access. Cases include allocating accounts to professors so their students can use the CUDA machine for a class. The goal of the Temp status is to remember that these accounts must be removed.
Note: A defunct member is someone who has not paid for two years; the account has been deactivated and the member cannot access services.
<New>,NotPaid,Defunct → Paid (new membership or renewal)
Paid → NotPaid (person has not renewed membership at the end of the constitution specified grace period)
NotPaid → Defunct (1 term NotPaid accounts will decay at the end of the constitution specified grace period)
Defunct → <Deleted> (2 terms Defunct accounts will be deleted)
Paid,NotPaid,Defunct → Alumni (opt in renewal case for graduated members, Alumni status ignored after creation)
Temp → <Deleted> (cleared at the end of the term unless requested otherwise)
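The transition rules above form a small state machine, and the decay steps are the part a cleanup script gets wrong most easily. The following is an added example (not the ACM scripts) that encodes the transitions exactly as listed; the (status, terms_in_status) bookkeeping it uses to count terms is an assumption about how such a script would track decay.

```python
"""Membership status lifecycle from the transition rules on this page.

Added example, not the ACM scripts: statuses and transitions are the ones
listed above; tracking (status, terms_in_status) is an assumption.
"""

NEW = "<New>"          # account does not exist yet
DELETED = "<Deleted>"  # account has been removed from AD
STATUSES = ("Alumni", "Defunct", "NotPaid", "Paid", "Temp")

# Full terms an account may sit in a status before the next decay step.
# Paid decays to NotPaid as soon as a grace period passes without renewal.
MAX_TERMS = {"NotPaid": 1, "Defunct": 2}


def renew(status):
    """New membership or renewal: <New>, NotPaid, Defunct -> Paid.

    Renewing an account that is already Paid simply keeps it Paid.
    """
    if status in (NEW, "NotPaid", "Defunct", "Paid"):
        return "Paid"
    raise ValueError(f"cannot renew an account in status {status}")


def to_alumni(status):
    """Opt-in conversion for graduated members: Paid, NotPaid, Defunct -> Alumni."""
    if status in ("Paid", "NotPaid", "Defunct"):
        return "Alumni"
    raise ValueError(f"cannot convert an account in status {status} to Alumni")


def end_of_term(status, terms_in_status, renewed=False, keep_temp=False):
    """Apply one term's decay at the end of the grace period.

    terms_in_status counts the full terms already spent in the current
    status.  Returns the new (status, terms_in_status) pair.
    """
    if renewed:
        return renew(status), 0
    if status == "Alumni":
        # Alumni status is ignored after creation: no decay, just keep counting.
        return status, terms_in_status + 1
    if status == "Temp":
        # Cleared at the end of the term unless requested otherwise.
        return (status, terms_in_status + 1) if keep_temp else (DELETED, 0)
    if status == "Paid":
        return "NotPaid", 0
    terms = terms_in_status + 1
    if status == "NotPaid":
        return ("Defunct", 0) if terms >= MAX_TERMS["NotPaid"] else (status, terms)
    if status == "Defunct":
        return (DELETED, 0) if terms >= MAX_TERMS["Defunct"] else (status, terms)
    raise ValueError(f"unknown status {status}")


def forecast(status, terms_in_status=0):
    """Statuses an account passes through if it is never renewed, until deletion."""
    path = [status]
    while status not in (DELETED, "Alumni"):
        status, terms_in_status = end_of_term(status, terms_in_status)
        path.append(status)
    return path


if __name__ == "__main__":
    # A Paid member who never renews: Paid -> NotPaid -> Defunct (two terms) -> deleted.
    print(forecast("Paid"))
```

Running `forecast("Paid")` shows that an account which is never renewed survives four term boundaries before deletion, which is the number a deletion script should be checked against before it is run for real.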
Log in to chopin. cd to /opt/acm-officers/membership. Execute the account creation command generated by the ACM Membership sheet located in the ACM Google Drive.
Notice email body:
Your ACM account has been created with the user name '%s' and the TEMPORARY password '%s'\nYou must change your password when logging into the ACM server for the first time. You need to log into the server using an SSH client to connect to acm.cs.uic.edu, once connected you will be asked to change your password to a permanent one. You CANNOT set your INITIAL password on our website.\n\nYour permanent password MUST conform to the password requirements listed here,\n\t http://acm.cs.uic.edu/password-policy\n\nTo connect on Windows download and run Putty\n\t http://www.chiark.greenend.org.uk/~sgtatham/putty/\n\nOn OSX and Linux, enter the following in a terminal window\n\t'ssh %s@acm.cs.uic.edu'\nAnd hit enter, you will be prompted for your password and it is normal if no additional text appears on screen when you type.\n\nBest Regards,\n\tThe UIC ACM
Note for System Administrators/President/Treasurer/Vice President: if the officers can solve a problem themselves, they should NOT call in the system administrators.
`samba-tool user setpassword <username you are changing> -H ldaps://sambaad1.acm.cs -U<your username>@acm.cs`
Password Reset for Non-present Members: log in via SSH as <your username>@acm.cs.uic.edu. Navigate to the officer scripts in /opt/acm-officers. Under membership/ run `passwdReset.sh <username> <email>`. This emails a temporary password for the target username to the given address.
Reset password email notice:
Your ACM account password has been reset, user name '%s' and the TEMPORARY password '%s'\nYou must change your password by logging into the ACM server. You need to log into the server using an SSH client to connect to acm.cs.uic.edu, once connected you will be asked to change your password to a permanent one. You CANNOT reset your TEMP password on our website.\n\nYour permanent password MUST conform to the password requirements listed here,\n\t http://acm.cs.uic.edu/password-policy\n\nTo connect on Windows download and run Putty\n\t http://www.chiark.greenend.org.uk/~sgtatham/putty/\n\nOn OSX and Linux, enter the following in a terminal window\n\t'ssh %s@acm.cs.uic.edu'\nAnd hit enter, you will be prompted for your password and it is normal if no additional text appears on screen when you type.\n\nBest Regards,\n\tThe UIC ACM
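The reset flow for a non-present member has three pieces: a temporary password that satisfies the password policy, a samba-tool call that sets it and forces a change at first login, and the notice above with the `%s` fields filled in. The following is an added example of that flow, not the ACM `passwdReset.sh` script. It assumes the samba-tool options `--newpassword` and `--must-change-at-next-login` of `samba-tool user setpassword`, a password policy requiring lower, upper, digit and symbol characters (the policy page itself is not quoted here), and the ldaps URL and realm from the setpassword command earlier on this page; `/usr/sbin/sendmail` as the mail path is also an assumption.

```python
"""Temporary-password reset behind passwdReset.sh <username> <email>.

Added example, not the ACM script.  Assumptions: samba-tool's
--newpassword and --must-change-at-next-login options, the character
classes the password policy requires, and the sendmail path.
"""
import secrets
import string
import subprocess

LDAP_URL = "ldaps://sambaad1.acm.cs"   # from the setpassword command on this page
REALM = "acm.cs"
MAIL_FROM = "officers@acm.cs.uic.edu"

# Notice template as quoted on this page: user name, temporary password, user name.
NOTICE = (
    "Your ACM account password has been reset, user name '%s' and the TEMPORARY "
    "password '%s'\nYou must change your password by logging into the ACM server. "
    "You need to log into the server using an SSH client to connect to "
    "acm.cs.uic.edu, once connected you will be asked to change your password to "
    "a permanent one. You CANNOT reset your TEMP password on our website.\n\n"
    "Your permanent password MUST conform to the password requirements listed "
    "here,\n\t http://acm.cs.uic.edu/password-policy\n\nTo connect on Windows "
    "download and run Putty\n\t http://www.chiark.greenend.org.uk/~sgtatham/putty/"
    "\n\nOn OSX and Linux, enter the following in a terminal window\n\t"
    "'ssh %s@acm.cs.uic.edu'\nAnd hit enter, you will be prompted for your "
    "password and it is normal if no additional text appears on screen when you "
    "type.\n\nBest Regards,\n\tThe UIC ACM"
)

# Assumed policy: 16 characters with at least one of each class below.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, "!#%+-=?@_")


def make_temp_password(length=16):
    """Random temporary password containing every required character class."""
    alphabet = "".join(CLASSES)
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(c in cls for c in pw) for cls in CLASSES):
            return pw


def render_notice(username, password):
    """Fill the three %s fields of the notice template."""
    return NOTICE % (username, password, username)


def setpassword_argv(username, password, officer):
    """samba-tool call that sets the temporary password and forces a change.

    The password is passed on argv, so it is visible in the process list
    while the command runs; keep the script on the officers' host only.
    """
    return [
        "samba-tool", "user", "setpassword", username,
        f"--newpassword={password}",
        "--must-change-at-next-login",
        "-H", LDAP_URL,
        f"-U{officer}@{REALM}",
    ]


def reset_password(username, email, officer, run=False):
    """Plan (and with run=True execute) a reset for a member who is not present."""
    password = make_temp_password()
    argv = setpassword_argv(username, password, officer)
    body = render_notice(username, password)
    message = (
        f"From: {MAIL_FROM}\nTo: {email}\nSubject: ACM account password reset\n\n{body}"
    )
    if run:
        subprocess.run(argv, check=True)
        subprocess.run(["/usr/sbin/sendmail", "-t"], input=message.encode(), check=True)
    return {"argv": argv, "message": message}


if __name__ == "__main__":
    # Dry run: shows the command and the email without touching AD.
    plan = reset_password("jdoe", "jdoe@example.com", "officer")
    print(" ".join(plan["argv"]))
    print(plan["message"])
```

Calling `reset_password(..., run=False)` first and reading the printed command is a cheap way to confirm the officer account, LDAP URL and target username before anything is changed in AD.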
To allow access to the Windows Server but not sudo, add only Domain Admins. For full access, add ACMLanAdmins.
A basic list of the current members and alumni members can be found on the ACM website.
If you need the list of current paid members for official purposes, the CSV generation script is currently located at: https://acm.cs.uic.edu/~walter/paidmembers-to-csv.php You must log in with your ACM user/pass combo, and your account must be a member of ACMOfficers.
The Apache Directory Studio LDAP Browser should be installed on every ACM workstation. It can also be used on any machine connected to the ACM network, provided it is configured correctly to connect to one of the LDAP servers.
The ACM custom attribute OIDs are `1.2.840.113556.1.8000.2554.55282.20636.13169.16663.37926.11767076.67635.X` (where X is the attribute number). Custom schema changes were requested by acting ACM Officer & Head of DevOps Team, Jeff Kaleshi, and were made on September 11, 2017. Custom ACM attributes are now allowed on the ACM Users object within AD. They were configured with RSAT. More information can be found in the additional docs section.
| OID | Attribute Name |
|---|---|
| 2.5.4.20 | telephoneNumber |
| 1.2.840.113556.1.8000.2554.55282.20636.13169.16663.37926.11767076.67635.1 | UICnetid |
| 1.2.840.113556.1.8000.2554.55282.20636.13169.16663.37926.11767076.67635.2 | UICUIN |
| 1.2.840.113556.1.8000.2554.55282.20636.13169.16663.37926.11767076.67635.3 | UICClassLevel |
| 1.2.840.113556.1.8000.2554.55282.20636.13169.16663.37926.11767076.67635.4 | UICMajor |
| 1.2.840.113556.1.8000.2554.55282.20636.13169.16663.37926.11767076.67635.5 | UICCollege |
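Once these attributes exist in the schema, the usual way to populate them without a GUI is an LDIF `changetype: modify` record fed to ldapmodify or `samba-tool`'s LDIF import. The following is an added example (not the ACM tooling) that maps the table above both ways, refuses attributes the schema does not define, and handles the LDIF rule that values which are not safe ASCII strings (non-ASCII text, leading space or colon, line breaks) must be base64 encoded behind `::`. The user DN layout `CN=<user>,CN=Users,DC=acm,DC=cs` is an assumption based on the acm.cs realm used elsewhere on this page.

```python
"""Writing the custom ACM attributes to a user with an LDIF modify record.

Added example, not the ACM tooling.  The OID arc and attribute names come
from the schema table on this page; the user DN layout is an assumption.
"""
import base64

ACM_ARC = "1.2.840.113556.1.8000.2554.55282.20636.13169.16663.37926.11767076.67635"

# Custom attributes: name -> attribute number X under the ACM arc.
ACM_ATTRIBUTES = {
    "UICnetid": 1, "UICUIN": 2, "UICClassLevel": 3, "UICMajor": 4, "UICCollege": 5,
}
STANDARD_ATTRIBUTES = {"telephoneNumber": "2.5.4.20"}


def oid_for(attr):
    """OID for an attribute name from the table; KeyError for anything else."""
    if attr in ACM_ATTRIBUTES:
        return f"{ACM_ARC}.{ACM_ATTRIBUTES[attr]}"
    if attr in STANDARD_ATTRIBUTES:
        return STANDARD_ATTRIBUTES[attr]
    raise KeyError(f"{attr} is not an attribute this page defines")


def attribute_for(oid):
    """Reverse lookup that distinguishes unassigned ACM OIDs from foreign ones."""
    for name, number in ACM_ATTRIBUTES.items():
        if oid == f"{ACM_ARC}.{number}":
            return name
    for name, std in STANDARD_ATTRIBUTES.items():
        if oid == std:
            return name
    if oid.startswith(ACM_ARC + "."):
        raise KeyError(f"{oid} is under the ACM arc but has no attribute assigned")
    raise KeyError(f"{oid} is not an ACM attribute OID")


def ldif_line(attr, value):
    """One attribute line; non-SAFE-STRING values (RFC 2849) go base64 after '::'."""
    unsafe = (
        not value.isascii()
        or any(c in value for c in "\0\r\n")
        or value[:1] in (" ", ":", "<")
        or value.endswith(" ")
    )
    if unsafe:
        encoded = base64.b64encode(value.encode("utf-8")).decode("ascii")
        return f"{attr}:: {encoded}"
    return f"{attr}: {value}"


def user_dn(username):
    # Assumed container for member accounts.
    return f"CN={username},CN=Users,DC=acm,DC=cs"


def modify_ldif(username, changes):
    """LDIF 'changetype: modify' record replacing each given attribute."""
    lines = [f"dn: {user_dn(username)}", "changetype: modify"]
    for attr, value in changes.items():
        oid_for(attr)  # raises KeyError for attributes the schema does not define
        lines += [f"replace: {attr}", ldif_line(attr, value), "-"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample values; "Ingeniería" exercises the base64 path.
    print(modify_ldif("jdoe", {"UICnetid": "jdoe", "UICMajor": "Ingeniería"}))
```

Checking the OID arc on the way in matters because a typo in one of the long custom OIDs silently creates a different attribute rather than failing; `attribute_for` reports an unassigned number under the ACM arc separately from an OID that is not ACM's at all.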