[LTER-im] LTER LDAP to EDI LDAP transition plan...
Mark Servilla
mark.servilla at gmail.com
Mon Sep 28 20:19:46 PDT 2020
Dear IM,
On 31 August, I sent an email (below) outlining a plan to transition user
accounts from the LTER LDAP to the EDI LDAP in preparation for the
decommissioning of the LTER LDAP. This transition was scheduled for the end
of September, which is now upon us. As of today we have identified and
migrated LTER LDAP user accounts for all recorded interactions within
PASTA+ to the EDI LDAP. On Wednesday evening 30 September during our weekly
maintenance window, we will complete this transition by performing the
following tasks:
1. We will remove all options to select LTER as an affiliation from the EDI
Data Portal login web page and the ezEML login web page. This will make all
LDAP-based logins that are performed through the EDI Data Portal or ezEML
authenticate strictly to the EDI LDAP. You will only need to provide your
user id and password as you did before; no further action on your part will
be necessary.
2. We will remove the LTER LDAP from the set of accepted LDAP servers in
all PASTA+ and authentication service (auth.edirepository.org) API calls.
If you or your site utilizes the PASTA+ or authentication service API
directly and rely on authenticated sessions, you will need to replace your
LTER LDAP distinguished name with your EDI LDAP distinguished name (for
example, “uid=mservilla,o=LTER,dc=ecoinformatics,dc=org” will change to
“uid=mservilla,o=EDI,dc=edirepository,dc=org”) - your password will remain
the same.
3. We will modify all PASTA+ database entries that contain the LTER LDAP
distinguished name substring "o=LTER,dc=ecoinformatics,dc=org" by replacing
them with the EDI LDAP distinguished name substring
"o=EDI,dc=edirepository,dc=org". This will allow you to update data
packages with your new EDI LDAP credentials that were previously uploaded
with your LTER LDAP credentials or contain an access rule with an LTER
LDAP distinguished name in the "principal" element.
We ask of you the following:
1. When creating access rules in your EML (after our Wednesday evening
maintenance window) for both new data packages and revisions, do not use
LTER LDAP distinguished names in the "principal" element; rather, use your
new EDI LDAP distinguished name (see #2 above). This change also applies to
site accounts that use the canonical three letter acronyms (e.g., CAP). We
recognize that muscle memory will likely result in some mishaps when
generating your EML access rules - not to worry, we can (and will) perform
the database modification (see #3 above) multiple times if necessary.
To recap, after our Wednesday evening maintenance window, the transition
from using the LTER LDAP to the EDI LDAP for authentication and
authorization purposes on all EDI services will be complete and LTER LDAP
credentials will no longer be accepted.
Please contact us immediately if you have any questions or concerns. Thank
you!
Sincerely,
Mark
---
Mark Servilla
mark.servilla at gmail.com
On Mon, Aug 31, 2020 at 1:17 PM Mark Servilla <mark.servilla at gmail.com>
wrote:
> Dear IM,
>
> EDI has recently been notified by the LTER Network Office that the LTER
> LDAP server will be decommissioned early this Fall. The EDI data repository
> relies, in part, on the user id component of the LTER LDAP to authenticate
> LTER users in the course of uploading and working within the EDI Data
> Portal and PASTA+ environment. The authentication and access control system
> built into our repository is directly dependent on the LDAP distinguished
> name (e.g., uid=mservilla,o=LTER,dc=ecoinformatics,dc=org) used to uniquely
> identify you in the LTER LDAP. This distinguished name is used in two
> components of our system: 1) as the submitter of a data package, the
> distinguished name is recorded as the authoritative owner of the data
> package version you submit and 2) the distinguished name of one or more
> users (including the LTER site user - e.g., HFR) are often recorded in the
> “access” element of the EML metadata you submit for upload. This latter use
> of the distinguished name is recorded in a separate access control table
> within our repository.
>
> With this upcoming change to the LTER LDAP in mind, I am proposing a plan
> that will allow you to continue your interactions with the EDI Data Portal
> and PASTA+ with the least amount of disruption possible. In short, we
> will migrate any LTER LDAP user account that we identify within our system
> to that of the EDI LDAP. The end result will be that you will have a new
> EDI LDAP account using the same username found in the LTER LDAP; the full
> distinguished name will change from the LTER sub-components to those of the
> EDI LDAP (for example, “uid=mservilla,o=LTER,dc=ecoinformatics,dc=org” will
> change to “uid=mservilla,o=EDI,dc=edirepository,dc=org”). Encrypted
> passwords for these accounts would also be migrated. At present, we have
> identified less than one hundred users that this transition would affect.
> The second part of this plan will be to update all user distinguished names
> found within the two components of our system so that they reflect the new
> EDI LDAP accounts: this will preserve current access to all existing data
> packages and services that rely on authentication and access control and
> WILL NOT require updates or modifications to any existing EML document
> (your new or revised EML documents associated with uploads, however, should
> reflect the new EDI LDAP distinguished name in any “access” element
> “principal” field). LTER LDAP usernames that are in conflict with an
> existing EDI LDAP username will be addressed on a case-by-case basis (we
> believe this will be a rare, if non-existing, case). Of course anyone not
> currently identified in our system is very welcome to also be registered in
> the EDI LDAP as a new user.
>
> We ask that you consider this plan and provide any feedback or ask
> questions at your earliest convenience since this change is just around the
> corner. Our goal is to make this transition simple and effective. If there
> are no concerns or better alternatives suggested, I would like to implement
> this plan by late September. Thank you.
>
> Sincerely,
> Mark
>
> ---
> Mark Servilla
> mark.servilla at gmail.com
>
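Steps 2 and 3 of the 28 September message above, and the request that new EML access rules carry EDI rather than LTER distinguished names, all reduce to one rewrite: a DN whose trailing components are exactly `o=LTER,dc=ecoinformatics,dc=org` becomes the same leading components followed by `o=EDI,dc=edirepository,dc=org`. The script below is an added example, not EDI's or PASTA+'s own migration code. It parses a DN into its RDN components and rewrites only a DN whose tail matches the LTER suffix (so an EDI DN, the special principal `public`, or a DN that merely contains the substring elsewhere is left alone), then applies that rewrite to every `principal` element of an EML document and reports what it changed. The EML snippet, its package identifier and its `authSystem` value are constructed sample input; the code assumes DNs contain no RFC 4514 escaped commas.

```python
"""Rewrite LTER LDAP distinguished names to their EDI LDAP equivalents.

Added example, not EDI's or PASTA+'s own code.  Assumes the DN suffixes
named in the announcement and that DNs carry no escaped commas.
"""
import xml.etree.ElementTree as ET

OLD_SUFFIX = "o=LTER,dc=ecoinformatics,dc=org"
NEW_SUFFIX = "o=EDI,dc=edirepository,dc=org"
EML_NS = "https://eml.ecoinformatics.org/eml-2.2.0"  # assumed EML 2.2 namespace

# Constructed sample EML: one LTER site principal, one EDI user, one public rule.
SAMPLE_EML = """<eml:eml xmlns:eml="https://eml.ecoinformatics.org/eml-2.2.0"
    packageId="example.1.1" system="example-system">
  <access authSystem="example-auth-system" order="allowFirst">
    <allow>
      <principal>uid=CAP,o=LTER,dc=ecoinformatics,dc=org</principal>
      <permission>all</permission>
    </allow>
    <allow>
      <principal>uid=mservilla,o=EDI,dc=edirepository,dc=org</principal>
      <permission>all</permission>
    </allow>
    <allow>
      <principal>public</principal>
      <permission>read</permission>
    </allow>
  </access>
</eml:eml>
"""


def split_rdns(dn):
    """Split a DN into (attribute, value) pairs; attributes are lower-cased."""
    rdns = []
    for part in dn.split(","):
        attr, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed RDN {part!r} in DN {dn!r}")
        rdns.append((attr.strip().lower(), value.strip()))
    return rdns


def _fold(rdns):
    """Case-fold RDN values so o=LTER and o=lter compare equal."""
    return [(attr, value.lower()) for attr, value in rdns]


def rewrite_dn(dn):
    """Return the EDI form of an LTER DN, or the DN unchanged if it is not one.

    Only a DN whose trailing RDNs are exactly the LTER suffix is rewritten;
    leading RDNs such as uid=mservilla are kept.  Values that are not DNs at
    all (e.g. the EML principal "public") are returned untouched.
    """
    try:
        rdns = split_rdns(dn)
    except ValueError:
        return dn
    old = split_rdns(OLD_SUFFIX)
    n = len(old)
    if len(rdns) <= n or _fold(rdns[-n:]) != _fold(old):
        return dn
    head = ",".join(f"{attr}={value}" for attr, value in rdns[:-n])
    return f"{head},{NEW_SUFFIX}"


def migrate_eml_principals(eml_xml):
    """Rewrite every LTER DN found in a <principal> element of an EML document.

    Returns (new_xml, changes); changes is a list of (old, new) pairs, so an
    empty list means the document already uses EDI DNs only.
    """
    ET.register_namespace("eml", EML_NS)
    root = ET.fromstring(eml_xml)
    changes = []
    for principal in root.iter("principal"):
        old = (principal.text or "").strip()
        new = rewrite_dn(old)
        if new != old:
            principal.text = new
            changes.append((old, new))
    return ET.tostring(root, encoding="unicode"), changes


if __name__ == "__main__":
    migrated, changed = migrate_eml_principals(SAMPLE_EML)
    for old, new in changed:
        print(f"{old}  ->  {new}")
    print(migrated)
```

Run against an EML file before upload, a non-empty `changes` list is exactly the "muscle memory" case the message anticipates: a principal still pointing at the decommissioned LTER LDAP. Anchoring the match to the DN's tail, rather than doing a plain substring replace, is what keeps the rewrite from touching values that only happen to contain `o=LTER` somewhere in the middle.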