Page MenuHomePhabricator
Create Task
Maniphest T129788

Review list of LDAP groups and document exactly what kind of access they can be allowed to provide
Closed, ResolvedPublic
Actions

Description

I started this with https://wikitech.wikimedia.org/wiki/LDAP_Groups but there's many things missing. I think Jenkins has some LDAP group checks, and I think something in Analytics deals with LDAP - not sure where the documentation for that is - @Ottomata, can you help there?

krenair@bastion-01:~$ ldapsearch -x ou:dn:=groups | grep "dn: " | grep -v "ou=projects" | grep -v "cn=project-"
dn: ou=groups,dc=wikimedia,dc=org
dn: cn=Directory Managers,ou=groups,dc=wikimedia,dc=org
dn: cn=wikidev,ou=groups,dc=wikimedia,dc=org
dn: cn=svn,ou=groups,dc=wikimedia,dc=org
dn: cn=svnadm,ou=groups,dc=wikimedia,dc=org
dn: cn=wmf,ou=groups,dc=wikimedia,dc=org
dn: cn=ops,ou=groups,dc=wikimedia,dc=org
dn: cn=labsadminbots,ou=groups,dc=wikimedia,dc=org
dn: cn=wmde,ou=groups,dc=wikimedia,dc=org
dn: cn=sgeadmin,ou=groups,dc=wikimedia,dc=org
dn: cn=vagrant,ou=groups,dc=wikimedia,dc=org
dn: cn=l10nupdate,ou=groups,dc=wikimedia,dc=org
dn: cn=mwdeploy,ou=groups,dc=wikimedia,dc=org
dn: cn=trebuchet,ou=groups,dc=wikimedia,dc=org
dn: cn=parsoid,ou=groups,dc=wikimedia,dc=org
dn: cn=nda,ou=groups,dc=wikimedia,dc=org
dn: cn=shinken,ou=groups,dc=wikimedia,dc=org

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
Remove non-existing group from jupyterhub LDAP configoperations/puppetproduction+0 -1
Customize query in gerrit

Related Objects
Search...

Event Timeline

Krenair created this task.Mar 13 2016, 7:53 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMar 13 2016, 7:53 PM
Krenair added a comment.EditedMar 13 2016, 8:04 PM

Ugh, found this: https://integration.wikimedia.org/ci/configureSecurity/
wmf, wmde, and nda get some special rights there (but not all the same)

This stuff *needs* to be documented so that everyone knows exactly what is being granted when people ask to be added to groups

Peachey88 subscribed.Mar 14 2016, 8:34 AM
Ottomata added a comment.Mar 14 2016, 1:24 PM

There aren’t any special LDAP groups for Analytics, but hue.wikimedia.org
does authenticate logins via LDAP (shell username and LDAP password).

MoritzMuehlenhoff subscribed.Mar 14 2016, 1:28 PM
Krenair added a project: Documentation.Mar 14 2016, 2:49 PM
Dzahn subscribed.Mar 29 2016, 11:12 PM

"nda" has been created to be able to let non-wmf volunteers have access to tools like icinga and graphite without having to use the "wmf" group because that is used for too many other things and indicates an employee relation with WMF.

Krenair added a comment.EditedMar 29 2016, 11:22 PM

Yes (mostly - contractors are in wmf, for example), T129786: Add wmf LDAP group members into nda group, delete wmf group exists to get rid of the distinction and just have all of those users in an nda group.

fgiunchedi triaged this task as Medium priority.Apr 27 2016, 3:49 PM
AlexMonk-WMF added a parent task: T142815: Enhance account handling (meta bug).Aug 12 2016, 1:23 PM
MoritzMuehlenhoff claimed this task.Feb 6 2017, 1:00 PM
elukey subscribed.Feb 6 2017, 1:05 PM
Addshore subscribed.Feb 16 2017, 8:58 AM
gerritbot subscribed.Mar 6 2017, 3:38 PM

Change 341336 had a related patch set uploaded (by jmm):
[operations/puppet] Remove non-existing group from jupyterhub LDAP config

https://gerrit.wikimedia.org/r/341336

gerritbot added a project: Patch-For-Review.Mar 6 2017, 3:38 PM
Stashbot subscribed.Mar 9 2017, 1:46 PM

Mentioned in SAL (#wikimedia-operations) [2017-03-09T13:46:11Z] <moritzm> removed cn=trebuchet group from LDAP directory (Bug: T129788)

Stashbot added a comment.Mar 9 2017, 1:52 PM

Mentioned in SAL (#wikimedia-operations) [2017-03-09T13:52:46Z] <moritzm> removed cn=svnadm group from LDAP directory (Bug: T129788)

Stashbot added a comment.Mar 9 2017, 2:35 PM

Mentioned in SAL (#wikimedia-operations) [2017-03-09T14:35:44Z] <moritzm> removed cn=svn group from LDAP directory (Bug: T129788)

gerritbot added a comment.Mar 9 2017, 4:34 PM

Change 341336 merged by Madhuvishy:
[operations/puppet] Remove non-existing group from jupyterhub LDAP config

https://gerrit.wikimedia.org/r/341336

Dzahn added a comment.Mar 9 2017, 9:12 PM

also see: T160122

MoritzMuehlenhoff closed this task as Resolved.Mar 15 2017, 12:07 PM

https://wikitech.wikimedia.org/wiki/LDAP_Groups is now updated/complete, a few obsolete groups (like svn, svnadm) have been removed.

Legoktm mentioned this in rTLDAP0e19e028c189: Update group list.Apr 6 2018, 9:55 PM
bd808 mentioned this in T183508: Drop 'svn' and 'svnadm' groups from LDAP.Aug 29 2018, 8:28 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits