
Allow viewing/searching LDAP account creations including date
Open, MediumPublic

Description

Today we can track LDAP account creations using the MediaWiki event logs created on wikitech.wikimedia.org. In the bold future where all LDAP accounts are created using Striker we will not have this audit trail. The labsauth_labsuser table in Striker's database includes a created_at timestamp that will be populated on first login. We could also easily add a separate audit log for account creations.

Event Timeline

bd808 created this task. Apr 20 2017, 6:26 PM
Restricted Application added a subscriber: Aklapper. Apr 20 2017, 6:26 PM
bd808 added a comment. May 11 2017, 9:35 PM

There is a createTimestamp "operational attribute" on each LDAP object that tracks this per RFC 4512.

$ ldap 'uid=bd808' createTimestamp
dn: uid=bd808,ou=people,dc=wikimedia,dc=org
createTimestamp: 20130729163514Z

We just need to figure out where we want to expose this. It could be a tool or put into some other UI for LDAP account management like Striker itself.

https://tools.wmflabs.org/ldap/user/bd808 now includes "Account created: 2013-07-29 16:35:14".

But it sounds like we need a creation log as well, we can probably do a ldap query for that?
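The createTimestamp lookup above is straightforward to script into a creation log. The following is an added example, not code from this task or from Striker: it parses the GeneralizedTime values an ldapsearch-style LDIF dump returns and builds a date-range filter for "accounts created between X and Y" searches. The LDIF is constructed; the second entry (uid=sampleuser) is made up.

```python
import re
from datetime import datetime, timedelta, timezone

# RFC 4517 GeneralizedTime as emitted by OpenLDAP: YYYYMMDDHHMMSS[.frac](Z|+hhmm|-hhmm)
_GT_RE = re.compile(r"^(?P<base>\d{14})(?:[.,](?P<frac>\d+))?(?P<tz>Z|[+-]\d{2}(?:\d{2})?)$")

def parse_generalized_time(value: str) -> datetime:
    """Convert an LDAP GeneralizedTime string to an aware UTC datetime."""
    m = _GT_RE.match(value.strip())
    if not m:
        raise ValueError(f"not a GeneralizedTime value: {value!r}")
    dt = datetime.strptime(m["base"], "%Y%m%d%H%M%S")
    if m["frac"]:  # fractional seconds, if a server emits them
        dt += timedelta(seconds=float("0." + m["frac"]))
    tz = m["tz"]
    if tz == "Z":
        offset = timedelta(0)
    else:
        sign = 1 if tz[0] == "+" else -1
        offset = sign * timedelta(hours=int(tz[1:3]), minutes=int(tz[3:5] or 0))
    return dt.replace(tzinfo=timezone(offset)).astimezone(timezone.utc)

def parse_create_timestamps(ldif: str) -> dict:
    """Map each dn in an LDIF dump to its createTimestamp (UTC). The attribute is
    operational, so it only appears if the search requested it by name."""
    result, dn = {}, None
    for line in ldif.splitlines():
        if line.startswith("dn: "):
            dn = line[4:].strip()
        elif line.startswith("createTimestamp: ") and dn:
            result[dn] = parse_generalized_time(line.split(":", 1)[1])
    return result

def created_between_filter(start: datetime, end: datetime) -> str:
    """Filter for accounts created in [start, end). createTimestamp uses
    generalizedTimeOrderingMatch, so >= works; LDAP has no <, hence !(>=)."""
    def gt(d: datetime) -> str:
        return d.astimezone(timezone.utc).strftime("%Y%m%d%H%M%SZ")
    return (f"(&(objectClass=person)(createTimestamp>={gt(start)})"
            f"(!(createTimestamp>={gt(end)})))")

# Constructed LDIF: first entry copied from the task comment, second one made up.
SAMPLE_LDIF = """\
dn: uid=bd808,ou=people,dc=wikimedia,dc=org
createTimestamp: 20130729163514Z

dn: uid=sampleuser,ou=people,dc=wikimedia,dc=org
createTimestamp: 20170501120000Z
"""
```

Feed the output of a search that names createTimestamp explicitly (e.g. `ldapsearch ... '(objectClass=person)' createTimestamp`) to parse_create_timestamps to get the creation log the task asks for.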

bd808 added a comment. Aug 29 2018, 8:56 PM

> But it sounds like we need a creation log as well, we can probably do a ldap query for that?

Yes, we should treat the LDAP directory itself as the canonical source for this data. When we figure out the solution for T179463: Create a single application to provision and manage developer (LDAP) accounts that seems like the logical place to also build the log viewer.