Page MenuHomePhabricator
Create Task
Maniphest T163478

Allow viewing/searching LDAP account creations including date
Open, MediumPublic
Actions

Description

Old desciption:

Today we can track LDAP account creations using the MediaWiki event logs created on wikitech.wikimedia.org. In the bold future where all LDAP accounts are created using Striker we will not have this audit trail. The labsauth_labsuser table in Striker's database includes a created_at timestamp that will be populated on first login. We could also easily add a separate audit log for account creations.

New desciption:
Allow users with correct permissions to view user creation/modification logs in Bitu

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
LDAP Eventlogoperations/software/bitumaster+205 -32
Customize query in gerrit

Related Objects
Search...

Event Timeline

bd808 created this task.Apr 20 2017, 6:26 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptApr 20 2017, 6:26 PM
bd808 added a comment.May 11 2017, 9:35 PM

There is a createTimestamp "operational attribute" on each LDAP object that tracks this per RFC 4512.

$ ldap 'uid=bd808' createTimestamp
dn: uid=bd808,ou=people,dc=wikimedia,dc=org
createTimestamp: 20130729163514Z

We just need to figure out where we want to expose this. It could be a tool or put into some other UI for LDAP account management like Striker itself.

Legoktm mentioned this in rTLDAPb0a968396f4d: Expose creation date on user page.Aug 19 2018, 9:47 AM
Legoktm subscribed.Aug 19 2018, 9:55 AM

https://tools.wmflabs.org/ldap/user/bd808 now includes "Account created: 2013-07-29 16:35:14".

But it sounds like we need a creation log as well, we can probably do a ldap query for that?

bd808 added a comment.Aug 29 2018, 8:56 PM
In T163478#4512715, @Legoktm wrote:

But it sounds like we need a creation log as well, we can probably do a ldap query for that?

Yes, we should treat the LDAP directory itself as the canonical source for this data. When we figure out the solution for T179463: Create a single application to provision and manage developer (LDAP) accounts that seems like the logical place to also build the log viewer.

GTirloni edited projects, added cloud-services-team (Kanban); removed Cloud-Services.Mar 24 2019, 12:10 PM
bd808 removed a project: cloud-services-team (Kanban).Jul 9 2019, 9:32 PM
taavi edited projects, added Bitu; removed Striker, wikitech.wikimedia.org.Mar 7 2024, 1:03 PM
Restricted Application added a project: Infrastructure-Foundations. · View Herald TranscriptMar 7 2024, 1:03 PM
SLyngshede-WMF claimed this task.Apr 15 2024, 1:06 PM
gerritbot added a comment.May 3 2024, 1:12 PM

Change #1026919 had a related patch set uploaded (by Slyngshede; author: Slyngshede):

[operations/software/bitu@master] LDAP Eventlog

https://gerrit.wikimedia.org/r/1026919

gerritbot added a project: Patch-For-Review.May 3 2024, 1:12 PM
Arendpieter updated the task description. (Show Details)Dec 12 2025, 9:49 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits