
Investigate and document NSS LDAP interactions
Closed, Declined (Public)

Description

While working on migrating sudo group creation from OpenStackManager to Keystone hooks, @Andrew discovered that the `groups` command would not list the expected groups for an LDAP user unless LDAP records of type organizationalUnit existed for ou={people,groups},cn=$PROJECT,ou=projects,dc=wikimedia,dc=org. These OUs can be left empty and things will work as expected. The open question is which configuration in /etc/ldap* and the NSS config makes these OUs expected. We would like to know why this is needed so that we can either change the config to reduce the number of placeholder records in LDAP, or document the reason so that we aren't tempted to remove them again in the future.

See rOPUPc7dc72cbea0d: Keystonehooks: Add two more ldap ous for sudo handling.
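A small diagnostic script for reproducing the observation above, added here as an example and not taken from the task or from the operations/puppet repository. It derives the two OU DNs the task names for a given project, checks whether each exists with a base-scope `ldapsearch` (assuming an anonymous read is permitted; `LDAP_URI` is a placeholder), and extracts, from `getent group` output, the groups an LDAP user resolves into, so the before/after effect of the placeholder OUs can be compared without touching the directory.

```shell
#!/bin/sh
# Added diagnostic for the NSS/LDAP OU question; not part of the task or puppet repo.
# Assumes the DN layout named in the task. PROJECT and LDAP_URI are placeholders.

# Print the two organizationalUnit DNs the task says must exist for a project.
project_ou_dns() {
  project="$1"
  for ou in people groups; do
    printf 'ou=%s,cn=%s,ou=projects,dc=wikimedia,dc=org\n' "$ou" "$project"
  done
}

# Report whether a DN exists as an organizationalUnit: prints "present" or "missing".
# ASSUMPTION: an anonymous base-scope read is allowed; otherwise add -D/-w credentials.
# ldapsearch exits non-zero (No such object, 32) when the base DN does not exist.
ou_status() {
  dn="$1"
  if ldapsearch -LLL -x -H "${LDAP_URI:-ldap://localhost}" \
       -b "$dn" -s base '(objectClass=organizationalUnit)' dn >/dev/null 2>&1; then
    echo present
  else
    echo missing
  fi
}

# Read `getent group` lines on stdin and print the names of groups that list USER
# as a member. Run the same user through this before and after adding the OUs to
# see which project groups NSS stops (or starts) returning.
groups_for_user_from_getent() {
  user="$1"
  awk -F: -v u="$user" '{
    n = split($4, members, ",")
    for (i = 1; i <= n; i++) if (members[i] == u) print $1
  }'
}

# Usage (placeholders): check both OUs, then compare NSS group resolution.
#   for dn in $(project_ou_dns PROJECT); do printf '%s: %s\n' "$dn" "$(ou_status "$dn")"; done
#   getent group | groups_for_user_from_getent SOMEUSER
```

Run the usage lines on a host configured with the LDAP NSS backend; the `ou_status` column tells you whether the placeholder OUs are actually present, and the `getent` step shows whether project groups resolve for the user independently of the `groups` command's own lookup path.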