Today we can track LDAP account creations using the MediaWiki event logs created on wikitech.wikimedia.org. In the bold future where all LDAP accounts are created using Striker we will not have this audit trail. The labsauth_labsuser table in Striker's database includes a created_at timestamp that will be populated on first login. We could also easily add a separate audit log for account creations.
|Open||None||T189531 All Wikimedia developer services should use single sign-on|
|Open||None||T161859 Make Wikitech an SUL wiki|
|Open||None||T163478 Allow viewing/searching LDAP account creations including date|
There is a createTimestamp "operational attribute" on each LDAP object that tracks this per RFC 4512.
$ ldap 'uid=bd808' createTimestamp
dn: uid=bd808,ou=people,dc=wikimedia,dc=org
createTimestamp: 20130729163514Z
We just need to figure out where we want to expose this. It could be a tool or put into some other UI for LDAP account management like Striker itself.
Yes, we should treat the LDAP directory itself as the canonical source for this data. When we figure out the solution for T179463: Create a single application to provision and manage developer (LDAP) accounts, that seems like the logical place to also build the log viewer.
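Added example, not part of the thread and not Striker's code: a sketch of the account-creation listing discussed above, built from createTimestamp values in LDIF output. It assumes the search requested createTimestamp by name (operational attributes are not returned otherwise); the function names are hypothetical, and every sample entry other than bd808 is constructed.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: the first entry is the one shown in the thread; the
# other two are made-up accounts used to exercise the parser.
SAMPLE_LDIF = """\
dn: uid=bd808,ou=people,dc=wikimedia,dc=org
createTimestamp: 20130729163514Z

dn: uid=example-user-with-a-long-name,ou=people,
 dc=wikimedia,dc=org
createTimestamp: 20180312091500.250Z

dn: uid=example2,ou=people,dc=wikimedia,dc=org
createTimestamp: 20180401020000+0200
"""

_GT = re.compile(r"^(\d{14})(?:[.,](\d+))?(Z|[+-]\d{2}(?:\d{2})?)$")

def parse_generalized_time(value):
    """Parse a GeneralizedTime with seconds (RFC 4517) into an aware UTC datetime."""
    m = _GT.match(value.strip())
    if not m:
        raise ValueError(f"unsupported GeneralizedTime: {value!r}")
    stamp, frac, zone = m.groups()
    dt = datetime.strptime(stamp, "%Y%m%d%H%M%S")
    if frac:
        dt += timedelta(seconds=float("0." + frac))
    if zone == "Z":
        offset = timedelta(0)
    else:
        sign = -1 if zone[0] == "-" else 1
        offset = sign * timedelta(hours=int(zone[1:3]), minutes=int(zone[3:5] or 0))
    return (dt - offset).replace(tzinfo=timezone.utc)

def account_creations(ldif, since=None, until=None):
    """Return [(created_utc, dn)] sorted oldest first, limited to [since, until)."""
    unfolded = re.sub(r"\n ", "", ldif)  # LDIF continuation lines start with one space
    rows = []
    for block in re.split(r"\n\s*\n", unfolded.strip()):
        # Base64 values ("attr:: ...") get a key ending in ":" and are ignored here.
        attrs = dict(line.split(": ", 1) for line in block.splitlines() if ": " in line)
        if "dn" not in attrs or "createTimestamp" not in attrs:
            continue  # entry without the operational attribute: nothing to log
        created = parse_generalized_time(attrs["createTimestamp"])
        if (since is None or created >= since) and (until is None or created < until):
            rows.append((created, attrs["dn"]))
    return sorted(rows)
```

Timestamps are normalised to UTC before filtering, so an entry written with a local offset falls on the correct side of a date boundary.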