DINO (DINO Is Non-ONID) Accounts Primer
What are DINO accounts?
DINO accounts are not ONID accounts. DINO accounts are created in the ONID LDAP directory but are only visible to the services that specifically allow DINO accounts. DINO accounts are not created in Active Directory, do not have file storage, do not have web sites, and do not have email addresses.
DINO accounts can be used by any service which uses the ONID LDAP directory for authentication. This includes ONID SSO websites, the OSU VPN service, and more.
How do I manage DINO accounts?
DINO accounts are managed at https://secure.onid.oregonstate.edu/dino/. This tool manages 3 different aspects of DINO accounts: Users, Services, and LDAP Groups. There are 2 levels of control: Managers and Gatekeepers. Managers and Gatekeepers are identical except Gatekeepers can add or remove Managers.
Once a User group has been created and you have been given Manager or Gatekeeper access to the User group, you will be able to create DINO accounts. The usernames of DINO accounts begin with a 3-letter prefix followed by an underscore followed by up to 4 more characters (for example, tst_fred). The 3-letter prefix provides an easy visual cue to the group/owner of the user, and the underscore prevents namespace clashes with regular ONID accounts. A password must be set on DINO accounts, and the password must satisfy the same requirements as regular ONID accounts. DINO accounts always have an expiration date, which can be up to 1 year in the future. The expiration date can be extended any number of times, but never to more than 1 year from the present date. The expiration date prevents orphaned or abandoned accounts from remaining in the system.
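The naming and expiration rules above can be checked mechanically when reviewing a user group. The following is an added example, not part of the DINO tools: the function names, the `group_prefix` parameter and the sample records are hypothetical, and it assumes an ASCII-letter prefix, 1 to 4 trailing letters or digits, and a 365-day year.

```python
import re
from datetime import date, timedelta

# Assumptions (not stated on the page): the prefix is ASCII letters, the
# trailing 1-4 characters are letters or digits, and "1 year" is 365 days.
DINO_NAME = re.compile(r"[A-Za-z]{3}_[A-Za-z0-9]{1,4}")
MAX_LIFETIME = timedelta(days=365)


def audit_account(username, expires, today, group_prefix):
    """Return a list of policy findings for one account (empty if clean)."""
    findings = []
    if not DINO_NAME.fullmatch(username):
        # Without the prefix and underscore the name could clash with ONID.
        findings.append("name does not match prefix_xxxx convention")
    elif username[:3].lower() != group_prefix.lower():
        findings.append("prefix does not match owning user group")
    if expires is None:
        findings.append("no expiration date set")
    elif expires < today:
        findings.append("expired")
    elif expires > today + MAX_LIFETIME:
        findings.append("expiration more than 1 year out")
    return findings


def clamp_extension(requested, today):
    """Extensions may be repeated, but never past 1 year from today."""
    return min(requested, today + MAX_LIFETIME)


if __name__ == "__main__":
    today = date(2024, 3, 1)  # constructed reference date
    # Constructed sample export: (username, expiration date)
    sample = [
        ("tst_fred", date(2024, 9, 1)),
        ("tst_bob", date(2023, 12, 31)),
        ("fred", date(2024, 9, 1)),
        ("abc_joe", date(2024, 6, 1)),
        ("tst_amy", date(2026, 1, 1)),
        ("tst_sam", None),
    ]
    for name, exp in sample:
        print(name, audit_account(name, exp, today, "tst") or "ok")
```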
DINO accounts by themselves do not have access to anything. They must be granted access to Services.
Services are used to grant DINO accounts access. A Service is linked to a specific LDAP authentication agent. As DINO users are granted access to the Service, the LDAP authentication agent will be able to "see" and authenticate those DINO users.
For example, SCF (Student Computing Facilities) uses ONID LDAP authentication for their Mac OS X computers. Those computers use a special LDAP authentication agent. A corresponding DINO Service was created and linked to SCF's LDAP authentication agent. SCF can create DINO users, grant them access to their Service, and those DINO accounts will be able to log in to SCF's Mac OS X computers.
DINO Services can also be created for the purpose of ONID SSO authentication. Once a DINO Service is linked to an SSO Service, DINO accounts can be created and given access to the SSO Service.
Some LDAP-enabled applications can also use LDAP Groups to control authorization. LDAP Groups can be managed using the DINO tools. Both ONID and DINO accounts can be added to LDAP Groups.
How do I create a DINO user group, service, or LDAP group?
A DINO User group, Service, or LDAP Group may be requested by sending email to support at onid.orst.edu. Please include:
- Department or organization name
- Email address which will receive all notifications (a generic email address, not personal, is recommended)
- List of ONID usernames which should be Managers or Gatekeepers
- For Service requests, the special LDAP authentication agent or SSO Service to which it should be linked