
Assistance with LDAP Access for Transparency Report
Closed, Resolved, Public

Description

Hello,

Jim Buatti (WMF legal fellow) and I are working on putting together the next WMF Transparency Report. It's being assembled on a site that we should be able to access using our LDAP credentials. However, we have been unable to log in, as the site rejects the credentials. We have double-checked that the credentials are working elsewhere, so it appears that it may be an issue with this site. The site has been accessible to the contractor updating the report, @siddharth11, so it's not a general problem. Can anyone help? Thank you!

Cheers,

Aeryn

Event Timeline

Hi,

Could you please add the exact user name that you are using, for the new user and the existing contractor that already has access? When you say that you checked it works elsewhere, where was that? wikitech wiki?

Also, where is the login, please?

They're definitely related, in that access to the same website is the goal. But @siddharth11 had just joined, and I think wasn't certain if LDAP credentials were sufficient to access the site. I checked with @ori when we couldn't get access, and he confirmed that LDAP credentials should work, and said we should open a ticket here.

@APalmer_WMF Can you give us the username that you guys are using to login (as opposed to phabricator users) and where exactly you are trying to login?

Hi @Dzahn, just sent you an email with this information. Since this task is public and we didn't know what other detail might be required, we didn't fancy talking too much about credentials. Hope that is alright; really appreciate your help.

There is no need to send private mail. The user names are public.

The user names are apalmer and jbuatti. We understand that they are public, but were leery of continuing to use Phabricator to talk about details of access because the site itself will contain sensitive information, which must be kept password protected. In my previous email, I sent you the URL in question. Apologies for the confusion on my end.

@APalmer_WMF We are using Phabricator for access requests all the time. Even for root shell. It's better to keep access things on tickets. That way others can understand, chime in and look up later how things were done when it comes up again.

Back to the technical issue, though. These are LDAP users, they are not related to your Google login. For this you should use the same account you would use on "labs", the wikitech wiki and on Gerrit.

Do you have users on https://wikitech.wikimedia.org? If yes, please try to use these. If not yet, please create one and let us know the user name. Thank you!

Hey, @Dzahn my Wikitech account name is "Jbuatti".

@Dzahn, thanks for clarifying -- must have misunderstood previous info from someone else about Google app credentials. My wikitech username is "Apalmer".

@APalmer_WMF @JbuattiWMF

Alright, thank you. I found your users in LDAP, and I added you to the WMF group (based on the @wikimedia email addresses and the private mail).

[terbium:~] $ sudo modify-ldap-group --addmembers apalmer wmf
[terbium:~] $ sudo modify-ldap-group --addmembers jbuatti wmf
[terbium:~] $ sudo ldaplist -l group wmf | grep palmer
member: uid=apalmer,ou=people,dc=wikimedia,dc=org
[terbium:~] $ sudo ldaplist -l group wmf | grep buatti
member: uid=jbuatti,ou=people,dc=wikimedia,dc=org

This means you should now be able to login. Let me know if any problems.

Dzahn claimed this task.
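The steps above (find the user in LDAP, add them to the "wmf" group, then confirm the member DN is present) are the kind of change worth scripting so that a mistyped name such as "RStallman" is refused rather than guessed, and re-running a request for someone already in the group is harmless. The following is an added example, not code from the thread or from Wikimedia's tooling: it works on LDIF text so it runs offline, the people entries are constructed sample data, and the group DN `cn=wmf,ou=groups,...` is an assumption (only the `uid=...,ou=people,dc=wikimedia,dc=org` shape comes from the ldaplist output above).

```python
# Constructed sample directory (not real data); group DN is an assumption.
SAMPLE_LDIF = """\
dn: uid=apalmer,ou=people,dc=wikimedia,dc=org
uid: apalmer

dn: uid=raqstallman,ou=people,dc=wikimedia,dc=org
uid: raqstallman

dn: cn=wmf,ou=groups,dc=wikimedia,dc=org
member: uid=apalmer,ou=people,dc=wikimedia,dc=org
"""
GROUP_DN = "cn=wmf,ou=groups,dc=wikimedia,dc=org"
PEOPLE_BASE = "ou=people,dc=wikimedia,dc=org"  # matches the thread's ldaplist output

def parse_ldif(text):
    """Minimal LDIF reader: blank-line-separated entries of 'attr: value' lines."""
    entries, current = {}, {}
    for line in text.splitlines() + [""]:
        if not line.strip():
            if current:
                entries[current["dn"][0]] = current
            current = {}
        else:
            attr, _, value = line.partition(":")
            current.setdefault(attr.strip(), []).append(value.strip())
    return entries

def find_uid(entries, requested):
    """Map a name as typed in a ticket ('RStallman', 'Jbuatti') to a uid, case-insensitively."""
    for entry in entries.values():
        for uid in entry.get("uid", []):
            if uid.lower() == requested.lower():
                return uid
    return None

def plan_group_add(entries, group_dn, requested):
    """Return (ldapmodify LDIF, report): unknown names refused, existing members skipped."""
    members = set(entries[group_dn].get("member", []))
    report = {"add": [], "already_member": [], "not_found": []}
    for name in requested:
        uid = find_uid(entries, name)
        if uid is None:
            report["not_found"].append(name)
        elif f"uid={uid},{PEOPLE_BASE}" in members:
            report["already_member"].append(uid)
        else:
            report["add"].append(uid)
    lines = [f"dn: {group_dn}", "changetype: modify", "add: member"]
    lines += [f"member: uid={u},{PEOPLE_BASE}" for u in report["add"]]
    return ("\n".join(lines) + "\n" if report["add"] else ""), report
```

The returned LDIF is what you would feed to ldapmodify after reviewing the report; the "not_found" list is the cue to ask the requester to double-check the Wikitech username before anything is changed.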

Hi @Dzahn, could we add access for the following two Wikitech accounts?

skidd
rgopal

They need access to review the draft transparency report. Their Wikimedia email accounts are skidd@wikimedia.org and rgopal@wikimedia.org, in case these are needed. Thanks!

Hi @JbuattiWMF,

done. "skidd" and "rgopal" have been added to the "wmf" group.

Hi @Dzahn (again),

Could we add three more accounts to this LDAP group? RStallman is our long-time paralegal, and the other two are legal fellows. All three need access to review the next iteration of the transparency report. Thanks again!

RStallman
Adavenport
lmixter

Hi @JbuattiWMF

I could find "lmixter" and "Adavenport" and, based on your request and their wikimedia.org email addresses, I have added them to the "wmf" group.

So they should be able to login now.

What I could not find was "rstallman". Could you double check that it is the right username (or get one created on the wikitech.wikimedia.org wiki)?

Cheers

Hi @Dzahn, looks like we had the wrong username. Are you able to find "raqstallman"? Thanks so much for taking care of this.

Hi @APalmer_WMF Yes, I can find that. Added to "wmf". The login should work now.

Thanks so much, @Dzahn. Really appreciate it!

Hey @Dzahn, would it be possible to add AShahrestani to the WMF group? This is again so that one of our legal fellows can work on the WMF transparency report at transparency.wikimedia.org/private. Thanks!

Dzahn added a subscriber: RobH.

@JbuattiWMF I'm in the middle of travel now. @RobH, could you help out by any chance? Would be great, thank you!

Change 370555 had a related patch set uploaded (by RobH; owner: RobH):
[operations/puppet@production] adding AShahrestani to ldap per request

https://gerrit.wikimedia.org/r/370555

Change 370555 merged by RobH:
[operations/puppet@production] adding AShahrestani to ldap per request

https://gerrit.wikimedia.org/r/370555

I'm not entirely certain on this process, and the instructions are not entirely clear. I've reverted my patchset until my uncertainty regarding the process is addressed. I'd rather not do it incorrectly!

https://wikitech.wikimedia.org/wiki/Ops_Clinic_Duty#LDAP_group_changes

So user AShahrestani shows up when I poll LDAP on terbium. I can see they are not a member of the wmf group yet. The directions don't state if the addition to data.yaml is required if the user is already in LDAP, or if it is just required when they don't exist yet.

Change 370579 had a related patch set uploaded (by RobH; owner: RobH):
[operations/puppet@production] add AShahrestani to admin module for inclusion in wmf group

https://gerrit.wikimedia.org/r/370579

Change 370579 merged by RobH:
[operations/puppet@production] add AShahrestani to admin module for inclusion in wmf group

https://gerrit.wikimedia.org/r/370579

RobH added a subscriber: MoritzMuehlenhoff.

Ok, chatted with @MoritzMuehlenhoff who was able to clarify. We include in the file (even though they have an ldap account) if they do not have a shell account.

Then we manually add them into the wmf group, which I have done. They should be able to access those items/sites now via the wmf ldap group.

Hi @RobH so sorry to reopen this old thread, but would it be possible to grant the same LDAP access referenced above to the following two Wikitech accounts? Thanks very much!

SChang
LDoan

Hi @JbuattiWMF, I made a new ticket for your request and linked it here: T221118. We have a rotating clinic duty on who handles access requests and, for example, Rob is currently not available, so it should work easier and quicker if you make a new ticket for new requests. Thank you.