Page MenuHomePhabricator
Create Task
Maniphest T320794

Extend LDAP to allow storing all necessary attributes
Closed, ResolvedPublic
Actions

Description

Currently an LDAP record for a user looks like this:

dn: uid=foo,ou=people,dc=wikimedia,dc=org
sshPublicKey:: [base64-encoded SSH key]
uid: foo
cn: Foo
sn: Foo
loginShell: /bin/bash
userPassword:: [base64-encoded password hash]
homeDirectory: /home/foo
uidNumber: 12345
gidNumber: 500
structuralObjectClass: inetOrgPerson
pwdChangedTime: 20150401152756.248Z
memberOf: [list of group DNs]
objectClass: person
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: ldapPublicKey
objectClass: shadowAccount
objectClass: posixAccount
objectClass: top
objectClass: wikimediaPerson
description: something
mail: foo@bar.org

(And in addition a ton of internal attributes like createTimestamp, EntryUUID, creatorsName, modifiersName, modifyTimestamp, entryCSN).

Since we want to manage several attributes more, we need to

  • Figure out which are best served by currently unused attributes from core scheme
  • For the rest deploy LDAP schema extensions to our LDAP servers

Related Objects
Search...

StatusSubtypeAssignedTask
 OpenNoneT189531 All Wikimedia developer services should use single sign-on
 OpenNoneT363125 sustainability of wikitech.wikimedia.org
 OpenNoneT161859 Make Wikitech an SUL wiki
 OpenSLyngshede-WMFT163478 Allow viewing/searching LDAP account creations including date
 ResolvedNoneT153821 wikitech.wikimedia.org missing from pageviews API
 OpenNoneT237773 Move Wikitech onto the production MW cluster
 ResolvedMarosteguiT167973 Move database for wikitech (labswiki) to a main cluster section
 ResolvedAndrewT188029 Move labswiki database to m5
ResolvedMarosteguiT282074 Audit labswiki grants
 ResolvedAndrewT282209 Enable connection from labweb1001/labweb1002 to s6
 DeclinedAndrewT282573 Move labweb/cloudweb hosts to private IPs
 ResolvedAndrewT284106 Replicate & sanitize wikitech data
 ResolvedAndrewT284108 Bring labswiki database tables up to date
 ResolvedLadsgroupT269348 wikitech database has almost all of its varbinary fields wrong
 DuplicateNoneT284736 Create views on labswiki on clouddb* hosts
 Resolved BstormT287442 Create views for labswiki (wikitech)
 DeclinedNoneT237889 Install php-ldap on all MW appservers
 ResolvedtaaviT237890 Remove and empty useless user groups
 ResolvedJdforrester-WMFT196466 Remove 'shell user' right on wikitech
 DeclinedNoneT246405 On wikitech, make sysops unable to edit site JS, and then retire contentadmin
 OpenjijikiT292707 Migrate Wikitech to Kubernetes
 OpenNoneT359551 Replace wikitech as source of two-factor auth protection for developer accounts
 OpenFeatureNoneT359554 Use IDP for authentication in Striker
 StalledFeatureNoneT359590 Use IDP for authentication in Horizon
 OpenFeatureSLyngshede-WMFT359552 Enable self-service IDP two-factor authentication management
 OpenNoneT359820 Add developer account (un)blocking support to Bitu
 OpenAndrewT360795 Set up a bitu instance for codfw1dev
 OpenSLyngshede-WMFT362128 Site: 1 VM for codfw1dev bitu deployment
 ResolvedABran-WMFT362619 Database request for Bitu Cloud DEV installation
 ResolvedtaaviT360883 Disable email address changes in Wikitech
 OpenNoneT364605 Move Striker to Bitu username validation API
 OpenSLyngshede-WMFT362318 Add Bitu container to Striker development environment
 ResolvedPRODUCTION ERRORTgrT195253 Special:Notifications gives a consistent PHP exception on load ("The trash icon is not registered") for users with OpenStackManager notifications
 OpenNoneT106123 Extensions needing to be removed from Wikimedia wikis
 Resolvedbd808T53642 Get rid of SemanticMediaWiki/SRF/SF from wikitech.wikimedia.org
 ResolvedyuvipandaT103995 Build a simple tool to query which instances have which roles / puppet variables
 Resolvedbd808T161662 Replace SMW data on project instances with a tool using the OpenStack APIs
 Resolvedbd808T162508 Implement Tool Labs membership application and processing in Striker
 Resolvedbd808T164787 Keystone permissions exception when trying to approve Tool Labs membership request via Striker
 OpentaaviT161553 Remove OpenStackManager from Wikitech
 ResolvedtaaviT196171 Developer account creation without OpenStackManager
 DeclinedNoneT179463 Create a single application to provision and manage developer (LDAP) accounts
 OpenNoneT319405 Create an IDM for Wikimedia developer accounts
 ResolvedSLyngshede-WMFT320603 IDM milestone 2 "Initial limited deployment"
 ResolvedSLyngshede-WMFT320794 Extend LDAP to allow storing all necessary attributes
 OpenNoneT148048 Store Wikimedia unified account name (SUL) in LDAP directory
 OpentaaviT359428 Striker should use ID instead of username to identify SUL accounts

Event Timeline

MoritzMuehlenhoff created this task.Oct 14 2022, 12:07 PM
bd808 subscribed.Dec 14 2022, 10:15 PM

Related: T148048: Store Wikimedia unified account name (SUL) in LDAP directory

SLyngshede-WMF changed the task status from Open to In Progress.Mar 8 2023, 10:44 AM
SLyngshede-WMF triaged this task as Low priority.
SLyngshede-WMF added a comment.EditedMar 14 2023, 10:30 AM

Attributes we will be needing:

  • wikimediaGlobalAccountId (MediaWiki SUL account) (optional)
  • wikimediaGlobalAccountName (MediaWiki SUL account name) (optional)
  • First name (sn) (optional)
  • Given name (givenName) (optional)
  • password (userPassword) (required)
  • shell name (loginShell) (optional)
  • email address (required)
  • wikimedia developer account username, stored as uid (required)
  • phabricatorAccountID (optional)
  • phabricatorAccountName (optiona)

The following fields are NOT user editable, but requires interaction with authentication flows. SRE involvement or other automation to up:

  • wikimediaGlobalAccountId
  • wikimediaGlobalAccountName
  • phabricatorAccountID
  • phabricatorAccountName
  • email
  • WDA username

Users should be free to edit the following attributes in their profile page:

  • First name
  • Given name
  • Password
  • Shell
  • SSH keys
bd808 added a comment.Mar 14 2023, 4:06 PM
In T320794#8690975, @SLyngshede-WMF wrote:

Attributes we will be needing:

  • wikimediaGlobalAccountName (MediaWiki SUL account name) (optional)

Be aware that this value can change over time via https://meta.wikimedia.org/wiki/Special:GlobalRenameRequest

  • First name (sn) (optional)
  • Given name (givenName) (optional)

What are these values expected to be used for in practical terms? First name and given name are synonyms in most contexts. Sometimes first name is treated as a self-selected moniker and given name is required to be a legally identified first name, but both terms always apply to the same Western naming concept.

Human names are very complex, especially when dealing with individuals who are part of an international movement with strong commitments to privacy. If this is an attempt to apply "western" naming semantics to Developer accounts that could be seen as both anti-privacy (real names vs pseudonyms) and noninclusive (cultures and individuals who do not fit the name template) if not messaged well.

Today both the sn and cn attributes are both used to store the "Wikitech username" of a given developer account. I think this is the attribute you are calling "WDA username" later in the list.

  • WDA username (required)

I think this is the current cn and sn data.

  • Phabricator username (optional)

Be aware that this value can change over time. Phabricator account renaming is semi-discouraged as it does not rewrite historical uses of the prior name in tasks, but it can be and is done at least a few times per year.

SLyngshede-WMF added a comment.Mar 14 2023, 5:45 PM

We actually have uid, cn and sn which are all by default set to the developer account username.

It might make sense to drop sn and givenName for displayName. The advantage of using the sn and givenName is that this is what is "expect" in many systems that consume LDAP data. Strictly speaking we don't need them.

I've update the Phabricator field to be two, as with the SUL account/global account id and one with the name. The name is simply intended to serve as a "cache", to avoid doing request to both MediaWiki and Phabricator everytime we need the username. The id is what must be used when doing any operations.

bd808 added a comment.Mar 14 2023, 6:22 PM
In T320794#8693751, @SLyngshede-WMF wrote:

We actually have uid, cn and sn which are all by default set to the developer account username.

Possibly pedantic, but uid is the Developer account's shell name. This name is subject to different restrictions than what most folks would consider the "account name" which is stored doubly in the cn and sn attributes.

It might make sense to drop sn and givenName for displayName. The advantage of using the sn and givenName is that this is what is "expect" in many systems that consume LDAP data. Strictly speaking we don't need them.

I haven't been here quite long enough to know the history behind the duplication of the Wikitech account name data in cn and sn. I think that most docs and config uses are for cn, but I would not rule out that some system is expecting sn to be the account name.

I've update the Phabricator field to be two, as with the SUL account/global account id and one with the name. The name is simply intended to serve as a "cache", to avoid doing request to both MediaWiki and Phabricator everytime we need the username. The id is what must be used when doing any operations.

nod. When interacting with Phabricator's API I think you always need to use the account's PHID value rather than the display name. For MediaWiki APIs generally you need the display name rather than the numeric id. I don't think anything I have built outside of MediaWiki actually handles MediaWiki account renames correctly, so I'm more trying to make sure you are aware of some of the traps than telling you what to do or how. :)

MoritzMuehlenhoff added a comment.Mar 15 2023, 9:57 AM
In T320794#8692786, @bd808 wrote:
  • First name (sn) (optional)
  • Given name (givenName) (optional)

What are these values expected to be used for in practical terms?

The name will be opt-in, people can continue to use the nickname and never disclose their "passport name". That said, there's a few practical uses around permission management which really benefit from the more expressive name. One practical use case is for things like permission management, if someone requests access to a given group it's useful to have the approver/manager show the full name instead of just the account name.

First name and given name are synonyms in most contexts. Sometimes first name is treated as a self-selected moniker and given name is required to be a legally identified first name, but both terms always apply to the same Western naming concept.
Human names are very complex, especially when dealing with individuals who are part of an international movement with strong commitments to privacy. If this is an attempt to apply "western" naming semantics to Developer accounts that could be seen as both anti-privacy (real names vs pseudonyms) and noninclusive (cultures and individuals who do not fit the name template) if not messaged well.

That's a good point. We should maybe simply create a custom attribute like wikimediaDisplayName which allows specifying the preferred name independent of any concepts of first/middle/last/family names.

Today both the sn and cn attributes are both used to store the "Wikitech username" of a given developer account. I think this is the attribute you are calling "WDA username" later in the list.

The use of "sn" always striked me as odd, and the reason seems to have been lost in history, my proposal would be to only use "cn" for newly created or modified accounts. If some interface breaks (which I doubt), the fix is a single character away :-)

SLyngshede-WMF added a comment.Jun 28 2023, 12:53 PM

Small note:
We store both cn, with username capitalized, to be in compliance with mediaWiki, otherwise users could not be authenticated on wikitech.
uid contains the actual username, for use by the servers during authentication.
sn is currently not require, and will only be implemented as an optional field in the future.

SLyngshede-WMF closed this task as Resolved.Jun 28 2023, 12:53 PM
SLyngshede-WMF claimed this task.
SLyngshede-WMF raised the priority of this task from Low to Medium.
MoritzMuehlenhoff added a comment.Jun 28 2023, 1:02 PM

That's not really resolved? There'll be plenty of additional attributes needed when we actually get to add the core attributes?

SLyngshede-WMF added a comment.EditedJun 28 2023, 1:27 PM

Isn't that going to be a new task for each set of additional attributes? I think that makes it easier to track.

MoritzMuehlenhoff added a comment.Jun 28 2023, 2:05 PM

Ok, that works for me

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL