While I was an agent I wrote scripts for the admins to turn half of that process into a simple form. What happened with that?

I also don't understand why you're proposing setting up a new server (external? what?) when we have an existing LDAP setup where you could be using groups - like how labs projects/roles work.

I quit a year ago but my understanding of the access policy at the time was that they were moving away from everyone having wiki access.

In T133476#2232876, @Krenair wrote:

While I was an agent I wrote scripts for the admins to turn half of that process into a simple form. What happened with that?

Erm... which part? The wiki account creation? I use your admin log script frequently.

I also don't understand why you're proposing setting up a new server (external? what?) when we have an existing LDAP setup where you could be using groups - like how labs projects/roles work.

Either that or do use the existing infrastructure with groups. This task is open-ended in that regard. Wisest might be to choose either OTRS or otrs-wiki as a provider and create accounts at this provider, with the other as a slave.

I quit a year ago but my understanding of the access policy at the time was that they were moving away from everyone having wiki access.

That was not my understanding, as the documentation and new agent training are stored on the wiki.

In T133476#2232878, @Matthewrbowker wrote:

In T133476#2232876, @Krenair wrote:

While I was an agent I wrote scripts for the admins to turn half of that process into a simple form. What happened with that?

Erm... which part? The wiki account creation? I use your admin log script frequently.

Oh, so it's just not solved the problem entirely? okay :)

In T133476#2232878, @Matthewrbowker wrote:

I also don't understand why you're proposing setting up a new server (external? what?) when we have an existing LDAP setup where you could be using groups - like how labs projects/roles work.

Either that or do use the existing infrastructure with groups. This task is open-ended in that regard. Wisest might be to choose either OTRS or otrs-wiki as a provider and create accounts at this provider, with the other as a slave.

Okay. If you did go with the existing LDAP route, the current account creation system for LDAP is wikitech. This might change in the future however.
https://otrs.github.io/doc/manual/admin/5.0/en/html/external-backends.html#agent-auth-backend-ldap

• Login to both OTRS and OTRS wiki would be via the same credentials.
• But they would require the user to be in a particular group.
• We'd have to find some way to let admins control who is in the group.
• I was going to say "OTRS' internal permissions would still have to be controlled inside OTRS", but if you scroll down it does say "you can use LDAP groups to determine group memberships or roles in OTRS" - if we got that working it'd ideally be administered in the same manner as the OTRS generic access group.

In T133476#2232878, @Matthewrbowker wrote:

I quit a year ago but my understanding of the access policy at the time was that they were moving away from everyone having wiki access.

That was not my understanding, as the documentation and new agent training are stored on the wiki.

Indeed.

So I guess the tricky part would be finding a sane way for OTRS admins to control the LDAP groups. We'd presumably want it integrated with either OTRS (sounds from "This module has only read access to the LDAP tree, which means that you cannot edit your user data via the agent management interface." like that's not possible with the existing code, and few around here know enough perl to make it happen) or OTRS wiki (would have to build a custom extension and put it through deployment review...)

And I suppose an argument in favour of a new separate LDAP system would be the existing OTRS/OTRS wiki users conflicting with the existing LDAP users - although maybe we could put OTRS accounts elsewhere in the existing LDAP tree (in which case OTRS account creation would be somewhere separate from wikitech/its successor and it wouldn't be integrated with the labs/technical systems, which most agents probably don't care much about) instead of having to perform some SUL-migration-like-thing.

In T133476#2232879, @Krenair wrote:

In T133476#2232878, @Matthewrbowker wrote:

In T133476#2232876, @Krenair wrote:

While I was an agent I wrote scripts for the admins to turn half of that process into a simple form. What happened with that?

Erm... which part? The wiki account creation? I use your admin log script frequently.

Oh, so it's just not solved the problem entirely? okay :)

Pardon my confusion, are you referring to https://otrs-wiki.wikimedia.org/wiki/ACC or the simple logging script that's at the top of every subpage of https://otrs-wiki.wikimedia.org/wiki/Admin_log ?

In T133476#2232878, @Matthewrbowker wrote:

I also don't understand why you're proposing setting up a new server (external? what?) when we have an existing LDAP setup where you could be using groups - like how labs projects/roles work.

Either that or do use the existing infrastructure with groups. This task is open-ended in that regard. Wisest might be to choose either OTRS or otrs-wiki as a provider and create accounts at this provider, with the other as a slave.

Okay. If you did go with the existing LDAP route, the current account creation system for LDAP is wikitech. This might change in the future however.
https://otrs.github.io/doc/manual/admin/5.0/en/html/external-backends.html#agent-auth-backend-ldap

• Login to both OTRS and OTRS wiki would be via the same credentials.
• But they would require the user to be in a particular group.
• We'd have to find some way to let admins control who is in the group.
• I was going to say "OTRS' internal permissions would still have to be controlled inside OTRS", but if you scroll down it does say "you can use LDAP groups to determine group memberships or roles in OTRS" - if we got that working it'd ideally be administered in the same manner as the OTRS generic access group.

I agree, I'm going to let operations make the call though. I'm not sure how they would want to centralize the account information, if at all.

In T133476#2232883, @Krenair wrote:

And I suppose an argument in favour of a new separate LDAP system would be the existing OTRS/OTRS wiki users conflicting with the existing LDAP users - although maybe we could put OTRS accounts elsewhere in the existing LDAP tree (in which case OTRS account creation would be somewhere separate from wikitech/its successor and it wouldn't be integrated with the labs/technical systems, which most agents probably don't care much about) instead of having to perform some SUL-migration-like-thing.

Agreed.

In T133476#2232886, @Matthewrbowker wrote:

In T133476#2232879, @Krenair wrote:

In T133476#2232878, @Matthewrbowker wrote:

In T133476#2232876, @Krenair wrote:

While I was an agent I wrote scripts for the admins to turn half of that process into a simple form. What happened with that?

Erm... which part? The wiki account creation? I use your admin log script frequently.

Oh, so it's just not solved the problem entirely? okay :)

Pardon my confusion, are you referring to https://otrs-wiki.wikimedia.org/wiki/ACC or the simple logging script that's at the top of every subpage of https://otrs-wiki.wikimedia.org/wiki/Admin_log ?

It's a private wiki and I believe that my wiki account was closed again a few months ago after I refused to sign an extra NDA (I already have one in my own name for volunteer activities with the foundation and this had different terms, etc.). What I wrote was not just the logging thing but a couple of forms - one for opening accounts (e.g. create wiki account, add to LOA, admin log, and I think there was something in there about welcoming the user on their talk page?) and one for closing accounts (block wiki account, move to LOA/C, admin log, etc.)

In T133476#2232888, @Krenair wrote:

In T133476#2232886, @Matthewrbowker wrote:

In T133476#2232879, @Krenair wrote:

In T133476#2232878, @Matthewrbowker wrote:

In T133476#2232876, @Krenair wrote:

While I was an agent I wrote scripts for the admins to turn half of that process into a simple form. What happened with that?

Erm... which part? The wiki account creation? I use your admin log script frequently.

Oh, so it's just not solved the problem entirely? okay :)

Pardon my confusion, are you referring to https://otrs-wiki.wikimedia.org/wiki/ACC or the simple logging script that's at the top of every subpage of https://otrs-wiki.wikimedia.org/wiki/Admin_log ?

It's a private wiki and I believe that my wiki account was closed again a few months ago after I refused to sign an extra NDA (I already have one in my own name for volunteer activities with the foundation and this had different terms, etc.). What I wrote was not just the logging thing but a couple of forms - one for opening accounts (e.g. create wiki account, add to LOA, admin log, and I think there was something in there about welcoming the user on their talk page?) and one for closing accounts (block wiki account, move to LOA/C, admin log, etc.)

[[ACC]] looks like the one, I should include that in the training. Thanks for the information.

Strong oppose. No need, more problems created than resolved, if any resolved at at.
Additionally, no prior discussion has taken place at the appropriate venue, which would have been the OTRS admin mailing list.

In T133476#2232933, @Krd wrote:

No need, more problems created than resolved, if any resolved at at.

I don't think you could say no problems resolved until details were confirmed. Also @Matthewrbowker is not the first OTRS admin to complain about the length of the process for opening/closing OTRS accounts, so I think you need to back up the "No need"

In T133476#2232933, @Krd wrote:

Additionally, no prior discussion has taken place at the appropriate venue, which would have been the OTRS admin mailing list.

These sorts of things often come to Phabricator before being discussed locally.