
Assistance with LDAP Access for Transparency Report
Closed, ResolvedPublic

Description

Hello,

Jim Buatti (WMF legal fellow) and I are working on putting together the next WMF Transparency Report. It's being assembled on a site that we should be able to access using our LDAP credentials. However, we have been unable to log in, as the site rejects the credentials. We have double-checked that the credentials are working elsewhere, so it appears that it may be an issue with this site. The site has been accessible to the contractor updating the report, @siddharth11, so it's not a general problem. Can anyone help? Thank you!

Cheers,

Aeryn

Event Timeline

Restricted Application added subscribers: Zppix, Aklapper. Jul 14 2016, 5:21 PM
APalmer_WMF updated the task description. (Show Details)Jul 14 2016, 5:22 PM
Aklapper edited projects, added LDAP-Access-Requests; removed LDAP.Jul 14 2016, 8:18 PM

Sounds very similar to T138369

Dzahn added a subscriber: Dzahn.Jul 14 2016, 8:32 PM

Hi,

could you please add the exact user name that you are using, for the new user and the existing contractor that already has access? When you say that you checked it works elsewhere, where was that? wikitech wiki?

Dzahn added a comment.Jul 14 2016, 8:32 PM

also, where is the login please?

They're definitely related, in that access to the same website is the goal. But @siddharth11 had just joined, and I think wasn't certain if LDAP credentials were sufficient to access the site. I checked with @ori when we couldn't get access, and he confirmed that LDAP credentials should work, and said we should open a ticket here.

Dzahn added a comment.Jul 14 2016, 8:57 PM

@APalmer_WMF Can you give us the username that you guys are using to login (as opposed to phabricator users) and where exactly you are trying to login?

Hi @Dzahn, just sent you an email with this information. Since this task is public and we didn't know what other detail might be required, didn't fancy talking too much about credentials. Hope that is alright; really appreciate your help.

Dzahn added a comment.Jul 14 2016, 9:18 PM

There is no need to send private mail. The user names are public.

The user names are apalmer and jbuatti. We understand that they are public, but were leery of continuing to use Phabricator to talk about details of access because the site itself will contain sensitive information, which must be kept password protected. In my previous email, I sent you the URL in question. Apologies for the confusion on my end.

Dzahn added a comment.Jul 14 2016, 9:34 PM

@APalmer_WMF We are using Phabricator for access requests all the time. Even for root shell. It's better to keep access things on tickets. That way others can understand, chime in and look up later how things were done when it comes up again.

Back to the technical issue, though. These are LDAP users, they are not related to your Google login. For this you should use the same account you would use on "labs", the wikitech wiki and on Gerrit.

Do you have users on https://wikitech.wikimedia.org? If yes, please try to use these. If not yet, please create one and let us know the user name. Thank you!

Hey, @Dzahn my Wikitech account name is "Jbuatti".

@Dzahn, thanks for clarifying -- must have misunderstood previous info from someone else about Google app credentials. My wikitech username is "Apalmer".

@APalmer_WMF @JbuattiWMF

Alright, thank you. I found your users in LDAP and added you to the WMF group (based on the @Wikimedia email addresses and the private mail).

[terbium:~] $ sudo modify-ldap-group --addmembers apalmer wmf
[terbium:~] $ sudo modify-ldap-group --addmembers jbuatti wmf
[terbium:~] $ sudo ldaplist -l group wmf | grep palmer
member: uid=apalmer,ou=people,dc=wikimedia,dc=org
[terbium:~] $ sudo ldaplist -l group wmf | grep buatti
member: uid=jbuatti,ou=people,dc=wikimedia,dc=org

This means you should now be able to login. Let me know if any problems.

Dzahn closed this task as Resolved.Jul 14 2016, 11:59 PM
Dzahn claimed this task.
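The membership check above pipes `ldaplist` output through `grep palmer`, which matches any line containing that substring, so an unrelated uid such as `xpalmer2` would also show up. The following is an added example, not code from the task or from Wikimedia operations: it parses the `member:` lines of constructed `ldaplist -l group wmf` output and checks for an exact uid, alongside what a plain substring grep would return for comparison. The sample output and the uid `xpalmer2` are constructed for illustration.

```python
"""Exact LDAP group-membership check over `ldaplist -l group <name>` output.

Added example (not from the Phabricator task). The sample output below is
constructed to resemble what `sudo ldaplist -l group wmf` prints; the uid
`xpalmer2` is invented to show the substring-grep false positive.
"""
import re

# Constructed sample output; not captured from a real directory.
SAMPLE_LDAPLIST_OUTPUT = """\
dn: cn=wmf,ou=groups,dc=wikimedia,dc=org
objectClass: groupOfNames
cn: wmf
member: uid=siddharth11,ou=people,dc=wikimedia,dc=org
member: uid=apalmer,ou=people,dc=wikimedia,dc=org
member: uid=jbuatti,ou=people,dc=wikimedia,dc=org
member: uid=xpalmer2,ou=people,dc=wikimedia,dc=org
"""

# Accept only member DNs that live under ou=people in this directory;
# anything else (nested groups, foreign DNs) is deliberately ignored.
MEMBER_RE = re.compile(
    r"^member:\s*uid=([^,]+),ou=people,dc=wikimedia,dc=org\s*$",
    re.IGNORECASE,
)


def group_members(ldaplist_output):
    """Return the set of uids named in `member:` attributes.

    uids are lower-cased because the LDAP uid attribute is matched
    case-insensitively (Wikitech 'Apalmer' is LDAP uid 'apalmer').
    """
    members = set()
    for line in ldaplist_output.splitlines():
        m = MEMBER_RE.match(line)
        if m:
            members.add(m.group(1).lower())
    return members


def is_member(ldaplist_output, uid):
    """Exact membership test: True only if `uid` itself is a member."""
    return uid.lower() in group_members(ldaplist_output)


def grep_matches(ldaplist_output, needle):
    """What `| grep needle` would print: every line containing the substring."""
    return [line for line in ldaplist_output.splitlines() if needle in line]


if __name__ == "__main__":
    print("members:", sorted(group_members(SAMPLE_LDAPLIST_OUTPUT)))
    print("is_member(apalmer):", is_member(SAMPLE_LDAPLIST_OUTPUT, "apalmer"))
    print("is_member(palmer):", is_member(SAMPLE_LDAPLIST_OUTPUT, "palmer"))
    print("grep palmer ->", grep_matches(SAMPLE_LDAPLIST_OUTPUT, "palmer"))
```

Run against saved `ldaplist` output, `is_member` answers the question the ticket actually asks (is this exact uid in the group), while `grep_matches` shows why a substring search can report two hits for one requested user.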

Hi @Dzahn , could we add access for the following two Wikitech accounts?

skidd
rgopal

They need access to review the draft transparency report. Their Wikimedia email accounts are skidd@wikimedia.org and rgopal@wikimedia.org, in case these are needed. Thanks!

JbuattiWMF reopened this task as Open.Aug 4 2016, 10:16 PM
Dzahn added a comment.Aug 5 2016, 2:54 PM

Hi @JbuattiWMF,

done. "skidd" and "rgopal" have been added to the "wmf" group.

Dzahn closed this task as Resolved.Aug 5 2016, 2:54 PM

Hi @Dzahn (again),

Could we add three more accounts to this LDAP group? RStallman is our long-time paralegal, and the other two are legal fellows. All three need access to review the next iteration of the transparency report. Thanks again!

RStallman
Adavenport
lmixter

JbuattiWMF reopened this task as Open.Feb 7 2017, 12:39 AM
Dzahn added a comment.Feb 7 2017, 2:45 AM

Hi @JbuattiWMF

I could find "lmixter" and "Adavenport" and, based on your request and their wikimedia.org email address, I have added them to the "wmf" group.

So they should be able to login now.

What I could not find was "rstallman". Could you double-check that it is the right username (or get one created on the wikitech.wikimedia.org wiki)?

Cheers

Hi @Dzahn, looks like we had the wrong username. Are you able to find "raqstallman"? Thanks so much for taking care of this.

Dzahn added a comment.Feb 7 2017, 7:08 PM

Hi @APalmer_WMF Yes, I can find that. Added to "wmf". The login should work now.

Thanks so much, @Dzahn. Really appreciate it!

APalmer_WMF closed this task as Resolved.Feb 7 2017, 7:10 PM
JbuattiWMF reopened this task as Open.Aug 7 2017, 8:00 PM

Hey @Dzahn, would it be possible to add AShahrestani to the WMF group? This is again so that one of our legal fellows can work on the WMF transparency report at transparency.wikimedia.org/private. Thanks!

Dzahn reassigned this task from Dzahn to RobH.Aug 7 2017, 8:33 PM
Dzahn added a subscriber: RobH.

@JbuattiWMF I'm in the middle of travel now. @RobH, could you help out by any chance? Would be great, thank you!

Change 370555 had a related patch set uploaded (by RobH; owner: RobH):
[operations/puppet@production] adding AShahrestani to ldap per request

https://gerrit.wikimedia.org/r/370555

Change 370555 merged by RobH:
[operations/puppet@production] adding AShahrestani to ldap per request

https://gerrit.wikimedia.org/r/370555

RobH added a comment. (Edited) Aug 7 2017, 8:46 PM

I'm not entirely certain on this process, and the instructions are not entirely clear. I've reverted my patchset until my uncertainty regarding the process is addressed. I'd rather not do it incorrectly!

https://wikitech.wikimedia.org/wiki/Ops_Clinic_Duty#LDAP_group_changes

So user AShahrestani shows up when I poll LDAP on terbium. I can see they are not a member of the wmf group yet. The directions don't state if the addition to data.yaml is required if the user is already in LDAP, or if it is just required when they don't exist yet.

Change 370579 had a related patch set uploaded (by RobH; owner: RobH):
[operations/puppet@production] add AShahrestani to admin module for inclusion in wmf group

https://gerrit.wikimedia.org/r/370579

Change 370579 merged by RobH:
[operations/puppet@production] add AShahrestani to admin module for inclusion in wmf group

https://gerrit.wikimedia.org/r/370579

RobH closed this task as Resolved.Aug 7 2017, 9:16 PM
RobH added a subscriber: MoritzMuehlenhoff.

Ok, chatted with @MoritzMuehlenhoff, who was able to clarify. We include them in the file (even though they have an LDAP account) if they do not have a shell account.

Then we manually add them into the wmf group, which I have done. They should be able to access those items/sites now via the wmf ldap group.

Hi @RobH so sorry to reopen this old thread, but would it be possible to grant the same LDAP access referenced above to the following two Wikitech accounts? Thanks very much!

SChang
LDoan

JbuattiWMF reopened this task as Open.Apr 15 2019, 10:25 PM
Dzahn added a comment.Apr 16 2019, 5:31 PM

Hi @JbuattiWMF, I made a new ticket for your request and linked it here: -> T221118. We have a rotating clinic duty on who handles access requests and, for example, Rob is currently not available, so it should work easier and quicker if you make a new ticket for new requests. Thank you.

Dzahn closed this task as Resolved.Apr 16 2019, 5:32 PM