
Drop ldapsupportlib.py
Open, Normal, Public

Description

ldapsupportlib.py is quite terrible and at the wrong level of abstraction on so many things (enforces people use OptParse...) and also not Python 3 compatible. We should entirely drop it.

Related Objects

Mentioned In
T122595: Restore ldaplist -l passwd
rOPUP842c300c8be7: ldap: Add warning to ldaplist
rOPUP84d9a6478bb1: ldap: Vastly simplify modify-ldap-group
rOPUP5132b8db6e5a: ldap: Replace change-ldap-password with reset-ldap-password
rOPUPf7759caf2d6a: ldap: Remove unused homedirectorymanager
rOPUP6f47ff295bba: ldap: Drastically simplify modify-ldap-user
rOPUP5f8a0599d3f1: ldap: Add warning to ldaplist
rOPUP2629d7faa769: ldap: Vastly simplify modify-ldap-group
rOPUPf42bad4fca7b: ldap: Add warning to ldaplist
rOPUPc369845a0348: ldap: Vastly simplify modify-ldap-group
rOPUP9f73981e4a67: ldap: Remove unused homedirectorymanager
rOPUP0d569b522b48: ldap: Drastically simplify modify-ldap-user
rOPUPd108a2480a48: ldap: Replace change-ldap-password with reset-ldap-password
rOPUP5e33e298bd2e: ldap: Add warning to ldaplist
rOPUPaba10d1b0e3d: ldap: Vastly simplify modify-ldap-group
rOPUP1b6bee3dd310: ldap: Remove unused homedirectorymanager
rOPUPa4da00008f96: ldap: Drastically simplify modify-ldap-user
rOPUP41ccec858b76: ldap: Replace change-ldap-password with reset-ldap-password
rOPUPc3457c9d6b69: ldap: Kill a bunch of unused scripts
rOPUPa19c13d67dce: Get rid of the LDAP+YAML ENC
rOPUP697a5e3ddff9: Get rid of the LDAP+YAML ENC
rOPUP47c68aff42fb: ldap: Kill a bunch of unused scripts
rOPUP3f3b23e914d3: ldap: Kill a bunch of unused scripts
rOPUP395ead9b436d: ldap: Kill a bunch of unused scripts
rOPUP783523de5ee3: ldap: Kill a bunch of unused scripts
rOPUP2a838eb9ff76: ldap: Kill a bunch of unused scripts
rOPUPbcef76edcc90: ldap: Rewrite ssh lookup script
rOPUP7706639b63ce: ldap: Provide ldap credentials and servernames in YAML format
rOPUP0cdcc79576d0: ldap: Remove add-labs-user & scriptconfig.py

Event Timeline

yuvipanda raised the priority of this task from to Needs Triage.
yuvipanda updated the task description.
yuvipanda added a project: Cloud-Services.
yuvipanda added a subscriber: yuvipanda.
Restricted Application added a subscriber: Aklapper. Sep 28 2015, 11:43 PM

Change 242017 had a related patch set uploaded (by Yuvipanda):
ldap: Provide ldap credentials and servernames in YAML format

https://gerrit.wikimedia.org/r/242017

Change 242017 merged by Yuvipanda:
ldap: Provide ldap credentials and servernames in YAML format

https://gerrit.wikimedia.org/r/242017

scfc added a subscriber: scfc. Sep 29 2015, 12:45 AM

What is the problem with it? It is used by some scripts and works for them. It doesn't stop anyone from writing scripts in Python 3 or using their own support library or …

The code is terrible, and at least for me that's reason enough. I'm cleaning up the ldap module and most of the infrastructure level scripts there depend on it, so this is a tracking ticket for cleaning those up.

It also makes the scripts that use it not be standalone nor packaged into a library but dependent on this one file that is placed into place by puppet...

scfc added a comment. Sep 29 2015, 1:23 AM

The dependence on Puppet to install local Python modules is a not-uncommon theme in the repository, so I don't know why that would be unbearable for ldapsupportlib.py. (But that's more JFTR.)

Where else are individual python files installed by puppet for use as libraries by other scripts?

Change 242039 had a related patch set uploaded (by Yuvipanda):
ldap: Rewrite ssh lookup script

https://gerrit.wikimedia.org/r/242039

Change 242044 had a related patch set uploaded (by Yuvipanda):
tools: Remove ldapspportlib use from toolschecker

https://gerrit.wikimedia.org/r/242044

scfc added a comment. Sep 29 2015, 1:46 AM

Besides Toolforge, it's used by swift and varnish (grepped for /usr/local/lib/python).

Change 242039 merged by Yuvipanda:
ldap: Rewrite ssh lookup script

https://gerrit.wikimedia.org/r/242039

chasemp triaged this task as Normal priority. Nov 30 2015, 4:53 PM
chasemp added a subscriber: chasemp.

Change 242044 merged by Yuvipanda:
tools: Remove ldapspportlib use from toolschecker

https://gerrit.wikimedia.org/r/242044

Change 301040 had a related patch set uploaded (by Yuvipanda):
ldap: Kill a bunch of unused scripts

https://gerrit.wikimedia.org/r/301040

Change 301036 had a related patch set uploaded (by Yuvipanda):
Get rid of the LDAP YAML ENC

https://gerrit.wikimedia.org/r/301036

Change 301036 merged by Yuvipanda:
Get rid of the LDAP YAML ENC

https://gerrit.wikimedia.org/r/301036

Change 301040 merged by Yuvipanda:
ldap: Kill a bunch of unused scripts

https://gerrit.wikimedia.org/r/301040

Change 301052 had a related patch set uploaded (by Yuvipanda):
ldap: Drastically simplify modify-ldap-user

https://gerrit.wikimedia.org/r/301052

Change 301048 had a related patch set uploaded (by Yuvipanda):
ldap: Replace change-ldap-password with reset-ldap-password

https://gerrit.wikimedia.org/r/301048

Change 301053 had a related patch set uploaded (by Yuvipanda):
ldap: Remove unused homedirectorymanager

https://gerrit.wikimedia.org/r/301053

Change 301059 had a related patch set uploaded (by Yuvipanda):
ldap: Vastly simplify modify-ldap-group

https://gerrit.wikimedia.org/r/301059

Change 301061 had a related patch set uploaded (by Yuvipanda):
ldap: Add warning to ldaplist

https://gerrit.wikimedia.org/r/301061

Change 301048 merged by Yuvipanda:
ldap: Replace change-ldap-password with reset-ldap-password

https://gerrit.wikimedia.org/r/301048

Change 301061 merged by Yuvipanda:
ldap: Add warning to ldaplist

https://gerrit.wikimedia.org/r/301061

Change 301059 merged by Yuvipanda:
ldap: Vastly simplify modify-ldap-group

https://gerrit.wikimedia.org/r/301059

Change 301053 merged by Yuvipanda:
ldap: Remove unused homedirectorymanager

https://gerrit.wikimedia.org/r/301053

Change 301052 merged by Yuvipanda:
ldap: Drastically simplify modify-ldap-user

https://gerrit.wikimedia.org/r/301052

Dzahn added a subscriber: Dzahn. Jul 28 2016, 10:57 PM

I just used ldaplist on terbium and saw the warning:

If you are still relying on ldaplist and not using ldapsearch,
please comment on https://phabricator.wikimedia.org/T114063
before 30 August 2016. If nobody comments, ldaplist will be removed!

Maybe that message could contain an example of how to use ldapsearch for the most common search, the equivalent of: ldaplist -l passwd someuser

Currently I am getting:

SASL/DIGEST-MD5 authentication started
Please enter your password:

@Dzahn ah, can you tell me what you were trying to do with ldaplist?

ah, I see you included it, nvm.

@Krenair do you think you can help?

Yes, you need ldapsearch -x followed by your LDAP query. The -x is important, it specifies basic authentication instead of SASL.

Could you paste the entire command that replaces "ldaplist -l passwd"?

ldapsearch -x objectClass=posixaccount should give you the same thing as ldaplist -l passwd
ldapsearch -x uid=krenair should give you the same thing as ldaplist -l passwd krenair

Dzahn added a comment. Jul 29 2016, 7:54 PM

Thank you very much. That works. No concerns removing ldaplist then.

ldapsearch -x objectClass=posixaccount should give you the same thing as ldaplist -l passwd
ldapsearch -x uid=krenair should give you the same thing as ldaplist -l passwd krenair

Can we replace ldaplist with a simple script that echoes those? It might take a while before my muscles unlearn ldaplist -l passwd ;-)
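
Added example, not part of the thread or of the Wikimedia puppet repository: one way to write the hint script asked for above, using only the two `ldapsearch -x` mappings quoted in this discussion. The function names are hypothetical, and the RFC 4515 escaping of the user argument is an addition that the thread itself does not discuss.

```shell
#!/bin/sh
# Added example: hint generator for the two mappings quoted in this thread.
# All function names are hypothetical.

# Escape a value for use inside an LDAP search filter (RFC 4515):
# backslash first, then the filter metacharacters * ( ).
ldap_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' \
                           -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Translate "ldaplist -l passwd [user]" arguments into an LDAP filter.
ldaplist_filter() {
    if [ "$#" -lt 2 ] || [ "$#" -gt 3 ] || [ "$1" != "-l" ] || [ "$2" != "passwd" ]; then
        echo "only 'ldaplist -l passwd [user]' is covered by this thread" >&2
        return 2
    fi
    if [ "$#" -eq 3 ]; then
        # The user name is data, never filter syntax.
        printf 'uid=%s\n' "$(ldap_escape "$3")"
    else
        printf 'objectClass=posixaccount\n'
    fi
}

# Print the replacement command with the filter single-quoted for the shell.
ldaplist_hint() {
    filter=$(ldaplist_filter "$@") || return
    quoted=$(printf '%s' "$filter" | sed "s/'/'\\\\''/g")
    printf "ldapsearch -x '%s'\n" "$quoted"
}

# Example: ldaplist_hint -l passwd krenair
```

Other `ldaplist` databases (for instance the `servicegroups` one mentioned later in the thread) are rejected because no `ldapsearch` equivalent for them appears on this page.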

hashar added a subscriber: hashar. Edited Aug 29 2016, 1:48 PM

Just found that ldaplist is scheduled for deletion. I am still relying on it because its syntax is quite trivial. If I want to look up my LDAP information I just:

ldaplist -l passwd hashar

Way easier than the very cumbersome ldapsearch command that requires you to remember the -x and the LDAP properties.

jcrespo added a subscriber: jcrespo. Edited Sep 1 2016, 9:04 AM

I arrived here by looking at outdated documentation found on wikitech. I found the new one, too. But please before killing it, make sure you redirect on all places to the right command (for casual users like me that do not want to think).

E.g: https://wikitech.wikimedia.org/wiki/Ops_Clinic_Duty#LDAP_group_changes

hashar renamed this task from Kill ldapsupportlib.py to Drop ldapsupportlib.py. Sep 1 2016, 10:50 AM
hashar updated the task description.
hashar set Security to None.
bd808 added a subscriber: bd808. Aug 3 2017, 11:24 PM

Apparently the admin tool in Toolforge uses ldaplist -l servicegroups to maintain a local to Toolforge(?!) git repo containing servicegroups.ldif which is a dump of the servicegroup tree.

I believe this was added at some point as a backup in case someone accidentally removes themselves from the service group. @coren may remember the background story :-)

jcrespo added a comment. Edited Nov 26 2018, 3:14 PM

I am back here because of a comment on ldaplist on mwmaint1002:

If you are still relying on ldaplist and not using ldapsearch,
please comment on https://phabricator.wikimedia.org/T114063
before 30 August 2016. If nobody comments, ldaplist will be removed!

https://wikitech.wikimedia.org/wiki/SRE_Clinic_Duty#LDAP_group_changes still needs to be updated with the alternative commands, do not close before that.

I am here because of the same comment – https://wikitech.wikimedia.org/wiki/LDAP#Common_LDAP_administrative_actions also still recommends ldaplist (and mwmaint1001, which no longer exists).

@Lucas_Werkmeister_WMDE ldaplist still exists and works. Just the maintenance server has changed to mwmaint1002.

[mwmaint1002:~] $ which ldaplist
/usr/local/bin/ldaplist

[mwmaint1002:~] $ ldaplist -l passwd dzahn | grep cn:
	cn: Dzahn

@Dzahn I’m aware, the command told me to leave a comment here so I did :)

Fixed section to use ldapsearch and new admin hostname

Dzahn added a comment. Edited Mar 29 2019, 1:33 PM

Ok, let's just fix the docs regarding the host name. I can as soon as I got my phone to charge again so I can use 2fa, heh.

About this task in general: I don't think anyone is working on this since Yuvi started it but isn't with WMF anymore.

Edit: Thanks Krenair!