See for example https://tools.wmflabs.org/ldap/group/archiva-deployers
Apparently this is Milimetric in the list, which displays right on other ldap lists he's on as in https://tools.wmflabs.org/ldap/group/wmf
Wondering if he was added with a bad format via LDAP (tempted to tag with SRE but I prefer someone to see if there's anything wrong in the coding of the tool first).
He's not the only example. Multiple instances of <unknown users> can be found on the other listings.
18:03 < hauskatze> mutante: is https://phabricator.wikimedia.org/T224110 caused by an LDAP issue or it's the tool not fetching the data correctly?
18:03 < hauskatze> milimetric appears in archiva-deployers as '<unknown user>'
..
18:06 < mutante> hauskatze: when i use "[mwmaint1002:~] $ sudo modify-ldap-group archiva-deployers
18:06 < mutante> then i see both as normal members
18:06 < mutante> and i have never seen "unknown user" before when using the tools on the server
..
18:07 < mutante> so i would tend to "not fetching correctly" / somewhere later in the chain of things
18:08 < mutante> hauskatze: did any of them mention not being able to login or is this just a display issue
18:09 < mutante> hauskatze: interesting is also if you hover your mouse over the "more info" link you still get the user name
18:09 < mutante> so it somehow knows it
18:09 < mutante> just doesn't display it right
18:09 < hauskatze> just a display issue I noticed after updating the tool to display all avalaible ldap groups
18:09 < mutante> seems more like a bug in the https://phabricator.wikimedia.org/source/tool-ldap/ then
18:09 < hauskatze> (which I'm not sure it's listing them all, because I have to manually populate the list each time a new ldap group is created)
18:11 < mutante> hauskatze: ooh.. just noticed a new issue
18:11 < mutante> [mwmaint1002:~] $ ldaplist -l passwd iflorez
18:11 < mutante> The search returned an error.
18:11 < mutante> this is not how it used to be
18:11 < quiddity> Sidenote: It is Not related to the case-sensitive problem that was fixed a few months ago. Because those users are not in the list at
https://phabricator.wikimedia.org/T165795#5113566 (which was my first guess)
18:12 < mutante> but also ldaplist was supposed to be removed on 30 august 2016
18:12 < quiddity> >.<
18:13 < mutante> hauskatze: more interesting stuff.. if you look at the "more info" links. for users that appear normal it looks like this:
18:13 < mutante> https://tools.wmflabs.org/ldap/user/jhuneidi
18:13 < mutante> for a user that shows as "unknown" it looks like this:
18:13 < mutante> https://tools.wmflabs.org/ldap/user/uid%3Dmillimetric%2Cou%3Dpeople%2Cdc%3Dwikimedia%2Cdc%3Dorg
18:13 < hauskatze> mutante: yup, that's how I discovered the usernames for the 'unknown' ones :)
18:13 < mutante> some parsing issue
18:15 < hauskatze> okay then, if everything is okay on the ldap-side
18:15 < mutante> i dont know why ldaplist returns an error
18:15 < mutante> so kind of
18:15 < mutante> but if that was generally broken i would expect all users to be unknown and not 2 random ones
18:16 < mutante> nobody in the "wmf" group currently shows as unknown
18:18 < mutante> hauskatze: line 67 in https://phabricator.wikimedia.org/source/tool-ldap/browse/master/app.py is where it happens.. but dont know why
The users millimetric and ottomata in the archiva-deployers LDAP group do not exist. Theoretically anyone could create those account names and gain access to the group.
They should be milimetric (just one l) and otto per https://tools.wmflabs.org/ldap/user/milimetric and https://tools.wmflabs.org/ldap/user/otto
Restricted as a security task for now.
I tried to fix the user names in the archiva-deployers group but i could not save my edits. I got:
ldap_modify: Server is unwilling to perform (53) additional info: operation restricted
So i tried to find another root or member of ldap-admin to confirm if that is just me or broken for everybody.
turns out this was caused by https://gerrit.wikimedia.org/r/c/operations/puppet/+/521518 from https://phabricator.wikimedia.org/T46722
and fixed by https://gerrit.wikimedia.org/r/c/operations/puppet/+/521798/
The LDAP servers were set to readonly.
After that i was able to make the fixes. I changed "ottomata" to "otto" and "millimetric" to "milimetric" and now there are no more unknown users.
There's a remaining "unknown" user at https://tools.wmflabs.org/ldap/group/labsadminbots. The more info link returns an invalid username error message.
That is not a fix. Which tool(s) broke in specific? They need to be fixed to use ldap-eqiad.wikimedia.org and not reuse a random WMCS config.
currently there seems to be no difference between "ldap-eqiad" and "ldap-labs-eqiad" though
ldap-labs.eqiad.wikimedia.org is an alias for seaborgium.wikimedia.org.
ldap-eqiad.wikimedia.org is an alias for seaborgium.wikimedia.org.
Which tool(s) broke in specific?
modify-ldap-group and also it changed the config in /etc/ldapvi.conf, so ldapvi as well.
ldaplist -l <user> also stopped working but that seems to be a separate issue from the ro issue since it did not go away after the merge above.