Page MenuHomePhabricator

Add Progresslabs to WMF LDAP group for transparency report editing (allow 'nda' users to login on transparency-private)
Closed, ResolvedPublic

Description

Hey Dzahn,

Apologies for the second ticket - we just realized that our new coding contractor (our last contractor, sparmar, is no longer available to help) also needs LDAP access to work on the transparency report. Could you add the account Progresslabs to the LDAP group as well? Thanks again!

Best,
Jim

Related task: https://phabricator.wikimedia.org/T221118

Event Timeline

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptApr 24 2019, 3:46 AM
Aklapper removed Dzahn as the assignee of this task.Apr 24 2019, 7:47 AM
Aklapper added a project: LDAP-Access-Requests.
Aklapper added a subscriber: Dzahn.

@JbuattiWMF: Removing assignee as it's up to the SRE team to decide who will work on this; adding LDAP-Access-Requests as per https://phabricator.wikimedia.org/tag/ldap-access-requests/ so this task can be found by anyone dealing with the queue of LDAP-Access-Requests

herron added a subscriber: herron.Apr 25 2019, 4:24 PM

Hello, I am not seeing an existing account with username Progresslabs. Could you please confirm that the account has already been created, and this is indeed the username? If you know what email was used I could try searching for that.

Also, is this an individual account, or was it going to be shared by multiple people? We'll want individual accounts for each user.

Thanks in advance!

I will check with our contractor and ping back. I can confirm that it is an individual account, not a shared account. Thanks!

Could you try Patrick Johnson, Shell name pjohnson? I'm having trouble getting ahold of him but I'm told those might be correct. Thanks!

Dzahn added a comment.EditedApr 26 2019, 10:15 PM

There are separate users but both use the identical email address. pjohnson vs. pbj.

Though 'pbj' looks more like a group accent given the cn/sn is 'Progresslabs' vs. "Patrick Johnson'.

[mwmaint1002:~] $ ldapsearch -x mail="*progresslabs*" | grep '^uid\|^sn\|^cn'

uid: pbj
sn: Progresslabs
cn: Progresslabs
uidNumber: 21156

uid: pjohnson
sn: Patrick Johnson
cn: Patrick Johnson
uidNumber: 21260

Thanks for the quick reply! I can confirm that they aren't group accounts, it's just one person. I think it would work if either account is added to LDAP - could you let us know which one is added? We can tell Patrick to use that one.

@JbuattiWMF Sorry, but i don't think we can just put non-WMF employees into the wmf group like that. There is a separate group called "nda" for the purpose of giving access to contractors and volunteers though and the "pbj" user is already a member of that.

I checked if access to transparency-private.wm.org is already given to members of 'wmf or ops or nda' because that is a common default. But in this case it's just "wmf or ops". So that will need a code change to allow members of 'nda'.

Change 506848 had a related patch set uploaded (by Dzahn; owner: Dzahn):
[operations/puppet@production] transparency report: allow members of LDAP 'nda' to see private site

https://gerrit.wikimedia.org/r/506848

@JbuattiWMF I made a code change to allow members of "nda" to login on transparency-private. It's in code review now:

https://gerrit.wikimedia.org/r/c/operations/puppet/+/506848

Dzahn renamed this task from Add Progresslabs to WMF LDAP group for transparency report editing to Add Progresslabs to WMF LDAP group for transparency report editing (allow 'nda' users to login on transparency-private).Apr 29 2019, 10:32 PM

Change 506848 merged by Dzahn:
[operations/puppet@production] transparency report: allow members of LDAP 'nda' to see private site

https://gerrit.wikimedia.org/r/506848

Dzahn closed this task as Resolved.Apr 30 2019, 6:30 PM
Dzahn claimed this task.
Dzahn triaged this task as High priority.

HI @JbuattiWMF The change has been merged. This should be resolved now. The correct user is the 'pbj' user. He should be able to login now. Let us know if any issues.

  • Daniel