
E-mail for people in different OIT LDAP object unit
Closed, DeclinedPublic

Description

Hi All,

At times we have contractors and/or staff whom we would like to give only email access. In order to give this person only email access in the Google Admin console I needed to create a new Object Unit in LDAP. However, when a person is placed in this OU they cannot send mail. Can we update our mail servers to allow sending to people in ou=strategy_contractors,dc=corp,dc=wikimedia,dc=org?

Thanks,
Byron

Event Timeline

I'd say let's make the name a little bit more generic, how about ou=mail_only or similar?

Dzahn triaged this task as Medium priority.Mar 28 2017, 12:21 AM

Hi @MoritzMuehlenhoff,

I see the value in making a more generic ou to address more use cases, but I would rather have an ou that aligns more with their purpose. These persons will also have access to Google Calendar too. Also, I would like to account for a situation where we were to give these persons more access, for example, Google Drive.

Thanks,
Byron

@bbogaert, there are multiple uses for a limited-access OU (strategy contractors, other temporary contractors with different situations, Qualtrics email sending), so I think it makes more sense to have a generic OU and deal with changing situations by moving accounts between OUs. That way, we don't ask Ops to replicate a new OU every time a new use case comes up.

As far as I know, the main sensitive service we're trying to protect is Google Drive. Could we set this group up with access to Gmail, Google Calendar, and Hangouts only? That seems like a good balance between limiting access to sensitive data and making the OU useful enough to be used for contractors.

@MoritzMuehlenhoff , @Neil_P._Quinn_WMF ,

How about if we design a way where Office IT can create the groups that are needed in G-Suite without Ops having to make separate OUs? This way we (Office IT) could have more granular groups in G-Suite, without having to ask Ops for the OUs?

We could have a parent OU that will route all mail, even for the sub OUs?

Right now all google accounts are in ou=people, dc=corp, dc=wikimedia, dc=org and we have no sub OUs in that group. If the mail servers are set up with a search base and search DN to send mail as long as they are in the parent OU, Office IT could make sub-directories more easily in Google Apps and not have to rely on Ops creating a new OU. I think this would be the best option for the long term.

Thoughts?

Proposed structure would look like this, or something similar:
dc=corp, dc=wikimedia, dc=org
-ou=people
--ou=qualtrics
--ou=strategy_contractors
--ou=custom_ou
--ou=full_time

Thoughts?

Thanks,
Byron

@bbogaert, from my perspective (as someone who both works with Qualtrics and manages temporary contractors), that would work perfectly!

Hi All,

Could we (Office IT) discuss this with someone in Ops? We are currently blocked on my tasks/projects until we get our alignment on LDAP groups and the way our MX servers query our LDAP.

Thanks,
Byron

Hi @bbogaert

For sure, here is the ldap config used by the MX servers https://phabricator.wikimedia.org/source/operations-puppet/browse/production/modules/role/templates/exim/exim4.conf.mx.erb;737071c4395dd47a2e3c915ece802d9764fa5624$278-309

AFAICT this should work for OUs under ou=people,dc=corp,dc=wikimedia,dc=org as-is (and ou=groups as well) since the search scope is set to sub.

If you'd like we could coordinate a time to test/confirm this. Let me know!
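The point herron makes above (entries under ou=people are found because the MX lookup uses scope sub) and Byron's proposed sub-OU layout can be checked without a live directory. The following is an added example, not code from this task or from operations-puppet: it models only the LDAP search-scope rule (base / one / sub) over constructed DNs; the uids and the three sample entries are placeholders, and the real Exim filter attributes are not reproduced.

```python
# Added example: which entries an LDAP search with a given base and scope would
# return. Models only scope semantics; the MX config's filter is not reproduced.
from typing import List, Tuple

SCOPES = ("base", "one", "sub")


def parse_dn(dn: str) -> List[str]:
    """Split a DN into normalized RDNs, most specific first.
    Tolerates the 'dc=corp, dc=wikimedia' spacing used in the task; does not
    handle escaped commas inside attribute values."""
    parts = []
    for rdn in dn.split(","):
        attr, _, val = rdn.strip().partition("=")
        parts.append(f"{attr.strip().lower()}={val.strip().lower()}")
    return parts


def in_scope(entry_dn: str, base_dn: str, scope: str) -> bool:
    """True if a search rooted at base_dn with this scope would return entry_dn."""
    if scope not in SCOPES:
        raise ValueError(f"unknown scope {scope!r}")
    entry, base = parse_dn(entry_dn), parse_dn(base_dn)
    if len(entry) < len(base) or entry[-len(base):] != base:
        return False                    # not beneath the search base at all
    depth = len(entry) - len(base)      # 0 = the base itself, 1 = direct child
    if scope == "base":
        return depth == 0
    if scope == "one":
        return depth == 1
    return True                         # sub: the base and every descendant


def findable_mail_users(entries: List[Tuple[str, str]], base_dn: str, scope: str) -> List[str]:
    """uids whose entries a lookup with this base/scope could see."""
    return [uid for uid, dn in entries if in_scope(dn, base_dn, scope)]


# Constructed sample entries (placeholder uids, not real accounts).
BASE = "ou=people,dc=corp,dc=wikimedia,dc=org"
ENTRIES = [
    ("alice", "uid=alice,ou=people,dc=corp,dc=wikimedia,dc=org"),
    ("bob", "uid=bob,ou=strategy_contractors,ou=people,dc=corp,dc=wikimedia,dc=org"),
    # the OU as originally requested, beside ou=people rather than under it:
    ("carol", "uid=carol,ou=strategy_contractors,dc=corp,dc=wikimedia,dc=org"),
]

if __name__ == "__main__":
    for scope in SCOPES:
        print(scope, findable_mail_users(ENTRIES, BASE, scope))
```

With scope sub both alice and bob are found, so a sub-OU under ou=people keeps mail flowing, while carol (an OU placed beside ou=people) is never found regardless of scope.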

Hi @herron ,

Thanks for sending this along. This is a great help. I'm going to read over this, and see if I can make some sub OUs and see if mail still flows.

Also, @MoritzMuehlenhoff , or someone else with familiarity with the LDAP sync from Office IT, will creating sub OUs break our sync if they are created?

Thanks,
Byron

Hi @herron ,

I have verified we can make Organizational Units under people without affecting mail flow, so this is good!

I just want to make sure it does not affect any other "syncs" between Office IT and Operations.

Thanks,
Byron

Dzahn subscribed.

@Aklapper I see that "WMF-Office-IT" was archived but there does not seem to be a replacement for "ITS". There are tickets though that should still be tagged.. what should we do with those?

Separately I am wondering if this task should stay open.

@Aklapper I see that "WMF-Office-IT" was archived but there does not seem to be a replacement for "ITS".

And there shouldn't be a replacement. :) See its project description...
Tags with names of teams that don't use Phab usually create the wrong expectation that the team would look into tasks in Phab.

There are tickets though that should still be tagged.. what should we do with those?

People could continue to use that archived tag if they see some usecase for themselves, for example.

Tags with names of teams that don't use Phab usually create the wrong expectation that the team would look into tasks in Phab.

Shouldn't we just close these tickets then to not give the expectation that someone will work on them?

@Dzahn: There are no open tickets to close, as all open tickets with the WMF-Office-IT tag also have other active tags.

We can close this task given that the OpenLDAP mirror is going away in favour of JumpCloud