Page MenuHomePhabricator
Create Task
Maniphest T157131

Harmonise "Directory Managers" group
Closed, ResolvedPublic
Actions

Description

The "Directory Managers" group in LDAP was inherited from OpenDJ. It grants full write access to OpenLDAP via ACLs (in addition to the cn=admin user).

It's however a different group type compared to all other groups in LDAP (groupOfUniqueNames as compared to the default groupOfNames). Thus the membership attribute is also different. For consistency it would be nice to only deal with one group type.

The group currently contains two members from Ops and two system users: uid=novaadmin and cn=scriptuser. It needs to be checked which of those actually still use the group, if only cn=scriptuser remains we could just as well drop the group and add this to the ACLs directly.

If cn=admin is insufficient, OpenLDAP could also be configured to accept a root-accessible ldapi socket for simple Ops access.

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
Harmonise group type for LDAP admin accessoperations/puppetproduction+1 -1
Harmomise group type for LDAP admin accessoperations/puppetproduction+1 -1
Customize query in gerrit

Related Objects
Search...

StatusSubtypeAssignedTask
 OpenNoneT142815 Enhance account handling (meta bug)
 ResolvedMoritzMuehlenhoffT157131 Harmonise "Directory Managers" group

Event Timeline

MoritzMuehlenhoff created this task.Feb 3 2017, 3:04 PM
MoritzMuehlenhoff added a subscriber: Andrew.Feb 17 2017, 12:58 PM

@faidon and @Andrew ; you are currently the only two non-role members in that group; are you using the group member ship to make LDAP changes or do you typically use cn=admin or tool frontend ends using cn=scriptuser?

faidon added a comment.Feb 17 2017, 1:00 PM

I typically use my own account rather than cn=admin (as to not share a password and provide accountability of who made the changes) but I'm happy to change my ways.

Andrew added a comment.Feb 17 2017, 7:23 PM

Same here -- I use my own account but it won't kill me to look up the manager password instead.

gerritbot subscribed.Mar 9 2017, 1:18 PM

Change 342008 had a related patch set uploaded (by Muehlenhoff):
[operations/puppet] Harmomise group type for LDAP admin access

https://gerrit.wikimedia.org/r/342008

gerritbot added a project: Patch-For-Review.Mar 9 2017, 1:18 PM
gerritbot added a comment.Mar 21 2017, 1:50 PM

Change 342008 merged by Muehlenhoff:
[operations/puppet] Harmomise group type for LDAP admin access

https://gerrit.wikimedia.org/r/342008

gerritbot added a comment.Mar 21 2017, 3:12 PM

Change 343884 had a related patch set uploaded (by Muehlenhoff):
[operations/puppet] Harmonise group type for LDAP admin access

https://gerrit.wikimedia.org/r/343884

gerritbot added a comment.Mar 21 2017, 3:13 PM

Change 343884 merged by Muehlenhoff:
[operations/puppet] Harmonise group type for LDAP admin access

https://gerrit.wikimedia.org/r/343884

Stashbot subscribed.Mar 21 2017, 3:27 PM

Mentioned in SAL (#wikimedia-operations) [2017-03-21T15:27:42Z] <moritzm> removed "Directory Managers" group from LDAP (Bug T157131)

MoritzMuehlenhoff closed this task as Resolved.Mar 21 2017, 3:29 PM
MoritzMuehlenhoff claimed this task.

LDAP ACLs have been converted to use "cn=ldap_ops" (which is a standard group) and "cn=Directory Managers" has eventually been removed.

Legoktm mentioned this in rTLDAP0e19e028c189: Update group list.Apr 6 2018, 9:55 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits