Page MenuHomePhabricator

Fix LDAP config on codfw1dev instances
Closed, ResolvedPublic

Description

The proxyagent password in this region was the usual one (https://phabricator.wikimedia.org/diffusion/LPRI/browse/master/hieradata/common.yaml$125) prefixed with lt- for reasons I'm forgetting. This was done in https://gerrit.wikimedia.org/r/c/labs/private/+/288615 but the file is no longer in use.
It might be easiest just to update the password in codfw1dev's LDAP to remove the prefix.
This password goes into /etc/ldap.yaml etc. on the instances and is used by e.g. /usr/sbin/ssh-key-ldap-lookup. Also shows up in ldap_default_authtok in /etc/sssd/sssd.conf
In addition, I've found /etc/ldap.conf (note: distinct from /etc/ldap.yaml and /etc/ldap/ldap.conf) with a reference to ldap://ldap-ro.eqiad.wikimedia.org:389

Event Timeline

After updating ldap_default_authtok in /etc/sssd/sssd.conf and password in /etc/ldap.yaml to include the prefix, and restarting sssd, my instance works a little more normally:

alex@alex-laptop:~$ ssh puppetmaster-codfw1dev-01.cloudinfra-codfw1dev.codfw1dev.cloud
Creating directory '/home/labtestkrenair'.
Linux puppetmaster-codfw1dev-01 4.19.0-6-amd64 #1 SMP Debian 4.19.67-2+deb10u2 (2019-11-11) x86_64
Debian GNU/Linux 10 (buster)
The last Puppet run was at Tue Jan 14 00:57:51 UTC 2020 (11 minutes ago). Puppet is disabled. https://phabricator.wikimedia.org/T242697
Last puppet commit: (a83f55682f) Daniel Zahn - codesearch: fix parameters of apt::package_from:component
labtestkrenair@puppetmaster-codfw1dev-01:~$
Krenair assigned this task to Andrew.

https://gerrit.wikimedia.org/r/#/c/operations/puppet/+/566351/
https://gerrit.wikimedia.org/r/566353 (not sure this is actually in use but anyway)
and the LDAP password change done by Andrew. thanks