
Disable nodepoolmanager user in LDAP
Closed, Resolved · Public

Description

nodepoolmanager is a wikitech/LDAP user that was used for the CI software Nodepool. We have phased it out.

The user should be disabled in LDAP (prevent shell/login/access etc).

I guess LDAP-Access-Requests

Event Timeline

Restricted Application added a subscriber: Aklapper. · Feb 25 2019, 5:50 PM
RobH closed this task as Resolved. · Feb 26 2019, 3:59 PM
RobH claimed this task.
RobH added subscribers: Volans, RobH.

Thanks to @Volans for pointing out to me we have an offboard script to handle this: https://wikitech.wikimedia.org/wiki/Ops_Offboarding#Completely_remove_user

I've gone ahead and done this, so this user no longer has any groups or login rights.

4 $> ssh mwmaint1002.eqiad.wmnet
Linux mwmaint1002 4.9.0-8-amd64 #1 SMP Debian 4.9.110-3+deb9u4 (2018-08-21) x86_64
Debian GNU/Linux 9.5 (stretch)
mwmaint1002 is a Mediawiki Maintenance Server: pagetriage extension (mediawiki::maintenance::pagetriage)
mwmaint1002 is a Mediawiki Maintenance Server: parser cache purging (mediawiki::maintenance::parsercachepurging)
mwmaint1002 is a noc.wikimedia.org (noc::site)
The last Puppet run was at Tue Feb 26 15:45:36 UTC 2019 (12 minutes ago). 
Debian GNU/Linux 9 auto-installed on Wed Sep 19 00:33:58 UTC 2018.
Last login: Mon Feb 25 21:10:13 2019 from 2620:0:860:1:208:80:153:5
robh@mwmaint1002:~$ sudo offboard-user --drop-all -l nodepoolmanager
User DN: uid=nodepoolmanager,ou=people,dc=wikimedia,dc=org
Is member of the following unprivileged LDAP groups:
  cn=project-bastion,ou=groups,dc=wikimedia,dc=org (removing)
Is not a project admin in Nova
Is not a member in any privileged group
LDIF file written to  nodepoolmanager.ldif
Please review and if all is well, you can effect the change running
ldapmodify -h ldap-labs.eqiad.wikimedia.org -p 389 -x -D "cn=scriptuser,ou=profile,dc=wikimedia,dc=org" -W -f nodepoolmanager.ldif
To obtain the password run
sudo cat /etc/ldap.scriptuser.yaml
nodepoolmanager does not exist in modules/admin/data/data.yaml
Skipping Phabricator offboarding, use -p USERNAME to run it at later point
robh@mwmaint1002:~$
RobH removed RobH as the assignee of this task. · Feb 26 2019, 4:00 PM

That is excellent! Thank you @RobH
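The offboarding run above works in two steps: the script writes an LDIF file of group-membership removals, and the operator applies it with ldapmodify after review. As an added illustration, not the offboard-user script or any Wikimedia code, the Python below builds such an LDIF for a user from a constructed in-memory membership snapshot, applies it to a copy of that snapshot (standing in for ldapmodify), and checks afterwards that the user holds no memberships. It assumes groups record members in a `member` attribute; the task does not show which attribute the real directory uses, and the second group and the other member in the snapshot are made up.

```python
"""Added example: generate, apply and verify LDIF group removals for an LDAP user.

Not the Wikimedia offboard-user script. The directory snapshot is constructed
inline, and the 'member' attribute name is an assumption.
"""

USER_DN = "uid=nodepoolmanager,ou=people,dc=wikimedia,dc=org"

# Constructed snapshot: group DN -> set of member DNs. The bastion group comes
# from the task output; the second group and 'someoneelse' are made up.
GROUPS = {
    "cn=project-bastion,ou=groups,dc=wikimedia,dc=org": {
        USER_DN,
        "uid=someoneelse,ou=people,dc=wikimedia,dc=org",
    },
    "cn=project-example,ou=groups,dc=wikimedia,dc=org": {
        "uid=someoneelse,ou=people,dc=wikimedia,dc=org",
    },
}


def memberships(groups, user_dn):
    """Return the sorted list of group DNs that currently list user_dn."""
    return sorted(g for g, members in groups.items() if user_dn in members)


def build_removal_ldif(groups, user_dn, attr="member"):
    """Build one 'changetype: modify / delete: <attr>' record per group.

    Records are separated by a blank line, as ldapmodify expects. A user in
    no groups yields an empty string, so there is nothing to apply.
    """
    records = []
    for group_dn in memberships(groups, user_dn):
        records.append("\n".join([
            f"dn: {group_dn}",
            "changetype: modify",
            f"delete: {attr}",
            f"{attr}: {user_dn}",
            "-",  # terminates the mod-spec (RFC 2849)
        ]))
    return "\n\n".join(records) + ("\n" if records else "")


def apply_ldif(groups, ldif, attr="member"):
    """Apply the LDIF from build_removal_ldif to a copy of the snapshot.

    Stand-in for ldapmodify; only handles the record shape produced above.
    """
    after = {g: set(m) for g, m in groups.items()}
    for record in ldif.strip().split("\n\n"):
        if not record:
            continue
        lines = record.splitlines()
        dn = lines[0].split(": ", 1)[1]
        if lines[1] != "changetype: modify" or lines[2] != f"delete: {attr}":
            raise ValueError(f"unexpected record for {dn}")
        value = lines[3].split(": ", 1)[1]
        after[dn].discard(value)
    return after


def verify_offboarded(groups, user_dn):
    """Post-change check: True only when the user appears in no group."""
    return memberships(groups, user_dn) == []


if __name__ == "__main__":
    ldif = build_removal_ldif(GROUPS, USER_DN)
    print(ldif)
    after = apply_ldif(GROUPS, ldif)
    print("offboarded:", verify_offboarded(after, USER_DN))
```

Reviewing the generated LDIF before applying it, as the script's own output asks, is the point of separating the two steps: the file lists exactly which group entries will change and for which member value, so a mistaken DN is caught before ldapmodify touches the directory.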