Review list of LDAP groups and document exactly what kind of access they can be allowed to provide
Closed, ResolvedPublic


I started this with but there are many things missing. I think Jenkins has some LDAP group checks, and I think something in Analytics deals with LDAP - not sure where the documentation for that is - @Ottomata, can you help there?

krenair@bastion-01:~$ ldapsearch -x ou:dn:=groups | grep "dn: " | grep -v "ou=projects" | grep -v "cn=project-"
dn: ou=groups,dc=wikimedia,dc=org
dn: cn=Directory Managers,ou=groups,dc=wikimedia,dc=org
dn: cn=wikidev,ou=groups,dc=wikimedia,dc=org
dn: cn=svn,ou=groups,dc=wikimedia,dc=org
dn: cn=svnadm,ou=groups,dc=wikimedia,dc=org
dn: cn=wmf,ou=groups,dc=wikimedia,dc=org
dn: cn=ops,ou=groups,dc=wikimedia,dc=org
dn: cn=labsadminbots,ou=groups,dc=wikimedia,dc=org
dn: cn=wmde,ou=groups,dc=wikimedia,dc=org
dn: cn=sgeadmin,ou=groups,dc=wikimedia,dc=org
dn: cn=vagrant,ou=groups,dc=wikimedia,dc=org
dn: cn=l10nupdate,ou=groups,dc=wikimedia,dc=org
dn: cn=mwdeploy,ou=groups,dc=wikimedia,dc=org
dn: cn=trebuchet,ou=groups,dc=wikimedia,dc=org
dn: cn=parsoid,ou=groups,dc=wikimedia,dc=org
dn: cn=nda,ou=groups,dc=wikimedia,dc=org
dn: cn=shinken,ou=groups,dc=wikimedia,dc=org
Krenair created this task. Mar 13 2016, 7:53 PM
Restricted Application added a subscriber: Aklapper. Mar 13 2016, 7:53 PM
Krenair added a comment (edited). Mar 13 2016, 8:04 PM
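The task description enumerates non-project groups with ldapsearch and asks that each group's grants be written down. As an added example (not code from this task or from Wikimedia's puppet repo), the script below parses LDIF of the shape ldapsearch prints, applies the same two exclusions (ou=projects and cn=project-*), and reports which remaining groups have no documented purpose; the LDIF and the purpose table are constructed samples, not real directory data.

```python
"""Audit LDAP groups against a documented-purpose inventory (added example)."""

# Constructed LDIF resembling `ldapsearch -x ou:dn:=groups` output; not real data.
SAMPLE_LDIF = """\
# extended LDIF
dn: ou=groups,dc=wikimedia,dc=org
objectClass: organizationalUnit
ou: groups

dn: cn=wikidev,ou=groups,dc=wikimedia,dc=org
cn: wikidev
member: uid=alice,ou=people,dc=wikimedia,dc=org
member: uid=bob,ou=people,dc=wikimedia,dc=org

dn: cn=svnadm,ou=groups,dc=wikimedia,dc=org
cn: svnadm

dn: cn=project-tools,ou=projects,dc=wikimedia,dc=org
cn: project-tools
member: uid=alice,ou=people,dc=wikimedia,dc=org
"""

# Hypothetical purpose table; in practice this is the documentation the task asks for.
DOCUMENTED = {
    "wikidev": "shell access on bastions (assumed purpose for the example)",
    "nda": "icinga/graphite access for non-staff volunteers under NDA",
}

def parse_ldif(text):
    """Split LDIF into entries: attribute -> list of values (handles folded lines)."""
    entries, current, last_key = [], {}, None
    for line in text.splitlines():
        if line.startswith("#"):
            continue                      # ldapsearch prints comments/summary
        if not line.strip():              # blank line ends an entry
            if current:
                entries.append(current)
            current, last_key = {}, None
            continue
        if line.startswith(" ") and last_key:   # RFC 2849 continuation line
            current[last_key][-1] += line[1:]
            continue
        key, _, value = line.partition(": ")
        current.setdefault(key, []).append(value)
        last_key = key
    if current:
        entries.append(current)
    return entries

def audit(text, documented):
    """Return {cn: (member_count, purpose_or_None)} for non-project group entries."""
    report = {}
    for e in parse_ldif(text):
        dn = e.get("dn", [""])[0]
        if "cn=" not in dn or "ou=projects" in dn or dn.startswith("cn=project-"):
            continue                      # same exclusions as the task's grep chain
        report[e["cn"][0]] = (len(e.get("member", [])), documented.get(e["cn"][0]))
    return report

def undocumented(report):
    """Groups present in the directory but absent from the purpose table."""
    return sorted(cn for cn, (_, purpose) in report.items() if purpose is None)
```

Running `undocumented(audit(SAMPLE_LDIF, DOCUMENTED))` on the sample flags only `svnadm`, which is exactly the kind of leftover the task later removed.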

Ugh, found this:
wmf, wmde, and nda get some special rights there (but not all the same)

This stuff *needs* to be documented so that everyone knows exactly what is being granted when people ask to be added to groups.

There aren’t any special LDAP groups for Analytics, but
does authenticate logins via LDAP (shell username and LDAP password).

Dzahn added a subscriber: Dzahn. Mar 29 2016, 11:12 PM

"nda" has been created to be able to let non-wmf volunteers have access to tools like icinga and graphite without having to use the "wmf" group because that is used for too many other things and indicates an employee relation with WMF.

Krenair added a comment (edited). Mar 29 2016, 11:22 PM

Yes (mostly; contractors are in wmf, for example). T129786: Add wmf LDAP group members into nda group, delete wmf group exists to get rid of the distinction and just have all of those users in an nda group.

fgiunchedi triaged this task as Normal priority. Apr 27 2016, 3:49 PM
elukey added a subscriber: elukey. Feb 6 2017, 1:05 PM

Change 341336 had a related patch set uploaded (by jmm):
[operations/puppet] Remove non-existing group from jupyterhub LDAP config

Mentioned in SAL (#wikimedia-operations) [2017-03-09T13:46:11Z] <moritzm> removed cn=trebuchet group from LDAP directory (Bug: T129788)

Mentioned in SAL (#wikimedia-operations) [2017-03-09T13:52:46Z] <moritzm> removed cn=svnadm group from LDAP directory (Bug: T129788)

Mentioned in SAL (#wikimedia-operations) [2017-03-09T14:35:44Z] <moritzm> removed cn=svn group from LDAP directory (Bug: T129788)

Change 341336 merged by Madhuvishy:
[operations/puppet] Remove non-existing group from jupyterhub LDAP config

MoritzMuehlenhoff closed this task as Resolved. Mar 15 2017, 12:07 PM

is now updated/complete, a few obsolete groups (like svn, svnadm) have been removed.