
Store Wikimedia unified account name (SUL) in LDAP directory
Open, Medium, Public

Description

The mapping between an LDAP account and an SUL account is currently stored in Striker's local mysql database as part of the labsauth_labsuser table. This is convenient for Striker, but not convenient for other LDAP consumers who may want to use the same data.

The WMF corp LDAP schema was recently extended to support a wikimediaPerson object class (rOPUP6386a7a, rOPUP2ce2697). Something similar could be done for the labs/prod LDAP servers to give us a class and attribute for storing the SUL account. Striker would then be updated to add the new object class and attribute to an LDAP account when linking accounts.

Event Timeline

bd808 created this task. Oct 13 2016, 4:06 PM
Restricted Application added a subscriber: Aklapper. Oct 13 2016, 4:06 PM
bd808 triaged this task as Medium priority. Oct 14 2016, 10:42 PM

I think we should use the same wmf-user.schema file across the labs and corp servers, but introduce a separate object class for storing the SUL mapping. This allows us to extend staff-specific attributes independently, and if the corp LDAP needs the SUL mapping at some point we can add the new object class to corp user accounts.

@faidon, @Volans, and I talked about this at the Vienna hackathon. Moving this data from Striker's local DB to LDAP would be a useful step in an as yet undocumented project to create an LDAP management portal to replace the current mix of wikitech, Striker, and cli tools used by Operations.
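As an added illustration that is not part of this task or of the wmf-user.schema file, here is one shape the separate object class could take in OpenLDAP cn=config LDIF, followed by the modification Striker would apply at link time. The OID arc 1.3.6.1.4.1.XXXXX, the cn={N} schema index, the example DN, and the class and attribute names are placeholders chosen for this sketch, not names the task proposes.

```ldif
# Added sketch; OID arc, {N} index, DN, class and attribute names are placeholders.
# Continuation lines start with two spaces: LDIF strips the first, the second
# keeps the schema tokens separated when the value is rejoined.
#
# Record 1: extend the loaded wmf-user schema with one attribute and one
# auxiliary object class that carries nothing but the SUL mapping, so it can
# evolve separately from the staff-specific wikimediaPerson class.
dn: cn={N}wmf-user,cn=schema,cn=config
changetype: modify
add: olcAttributeTypes
olcAttributeTypes: ( 1.3.6.1.4.1.XXXXX.2.1
  NAME 'wikimediaGlobalAccountName'
  DESC 'Unified (SUL) account name linked to this LDAP account'
  EQUALITY caseIgnoreMatch
  SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
  SINGLE-VALUE )
-
add: olcObjectClasses
olcObjectClasses: ( 1.3.6.1.4.1.XXXXX.1.1
  NAME 'wikimediaGlobalAccount'
  DESC 'Auxiliary class holding the SUL mapping, separate from wikimediaPerson'
  SUP top
  AUXILIARY
  MUST ( wikimediaGlobalAccountName ) )

# Record 2: what Striker would write when linking accounts (constructed entry).
# Because the attribute is MUST, the object class and the value are added in a
# single modify operation, so an entry is never left carrying the class with
# no mapping behind it.
dn: uid=exampleuser,ou=people,dc=example,dc=org
changetype: modify
add: objectClass
objectClass: wikimediaGlobalAccount
-
add: wikimediaGlobalAccountName
wikimediaGlobalAccountName: Example User
```

SINGLE-VALUE only caps each LDAP entry at one SUL name; the reverse guarantee, that a given SUL name is linked to at most one LDAP entry, is not something the schema expresses and needs enforcement elsewhere, such as slapd's unique overlay or a check in Striker before it writes the link.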

Majavah added a subscriber: Majavah. Mon, Jul 6, 5:29 AM