
Add Progresslabs to WMF LDAP group for transparency report editing (allow 'nda' users to login on transparency-private)
Closed, Resolved (Public)

Description

Hey Dzahn,

Apologies for the second ticket - we just realized that our new coding contractor (our last contractor, sparmar, is no longer available to help) also needs LDAP access to work on the transparency report. Could you add the account Progresslabs to the LDAP group as well? Thanks again!

Best,
Jim

Related task: https://phabricator.wikimedia.org/T221118

Event Timeline

Aklapper added a project: LDAP-Access-Requests.
Aklapper added a subscriber: Dzahn.

@JbuattiWMF: Removing assignee as it's up to the SRE team to decide who will work on this; adding LDAP-Access-Requests as per https://phabricator.wikimedia.org/tag/ldap-access-requests/ so this task can be found by anyone dealing with the queue of LDAP-Access-Requests

Hello, I am not seeing an existing account with username Progresslabs. Could you please confirm that the account has already been created, and this is indeed the username? If you know what email was used I could try searching for that.

Also, is this an individual account, or was it going to be shared by multiple people? We'll want individual accounts for each user.

Thanks in advance!

I will check with our contractor and ping back. I can confirm that it is an individual account, not a shared account. Thanks!

Could you try Patrick Johnson, Shell name pjohnson? I'm having trouble getting ahold of him but I'm told those might be correct. Thanks!

There are separate users but both use the identical email address. pjohnson vs. pbj.

Though 'pbj' looks more like a group account given the cn/sn is 'Progresslabs' vs. 'Patrick Johnson'.

[mwmaint1002:~] $ ldapsearch -x mail="*progresslabs*" | grep '^uid\|^sn\|^cn'

uid: pbj
sn: Progresslabs
cn: Progresslabs
uidNumber: 21156

uid: pjohnson
sn: Patrick Johnson
cn: Patrick Johnson
uidNumber: 21260

Thanks for the quick reply! I can confirm that they aren't group accounts, it's just one person. I think it would work if either account is added to LDAP - could you let us know which one is added? We can tell Patrick to use that one.

@JbuattiWMF Sorry, but I don't think we can just put non-WMF employees into the wmf group like that. There is a separate group called "nda" for the purpose of giving access to contractors and volunteers though and the "pbj" user is already a member of that.

I checked if access to transparency-private.wm.org is already given to members of 'wmf or ops or nda' because that is a common default. But in this case it's just "wmf or ops". So that will need a code change to allow members of 'nda'.

Change 506848 had a related patch set uploaded (by Dzahn; owner: Dzahn):
[operations/puppet@production] transparency report: allow members of LDAP 'nda' to see private site

https://gerrit.wikimedia.org/r/506848

@JbuattiWMF I made a code change to allow members of "nda" to login on transparency-private. It's in code review now:

https://gerrit.wikimedia.org/r/c/operations/puppet/+/506848

Dzahn renamed this task from Add Progresslabs to WMF LDAP group for transparency report editing to Add Progresslabs to WMF LDAP group for transparency report editing (allow 'nda' users to login on transparency-private). Apr 29 2019, 10:32 PM

Change 506848 merged by Dzahn:
[operations/puppet@production] transparency report: allow members of LDAP 'nda' to see private site

https://gerrit.wikimedia.org/r/506848

Dzahn claimed this task.
Dzahn triaged this task as High priority.

Hi @JbuattiWMF, the change has been merged. This should be resolved now. The correct user is the 'pbj' user. He should be able to login now. Let us know if any issues.

  • Daniel