Page MenuHomePhabricator
Create Task
Maniphest T302109

Delete "theresnotime" LDAP account
Closed, ResolvedPublic
Actions

Description

Please delete LDAP account theresnotime which is a "duplicate" of my samtar LDAP account — ideally this would be to make way for a LDAP/Wikitech rename but that seems unlikely at best.

Related: T287699

Related Objects

Event Timeline

TheresNoTime created this task.Feb 18 2022, 7:33 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptFeb 18 2022, 7:33 PM
bd808 subscribed.Feb 18 2022, 8:17 PM

We don't generally delete accounts from LDAP, but we can disable the account by blocking it on wikitech which in turn triggers blocking of any linked accounts on Phabricator and Gerrit as well as marking the LDAP record as locked.

bd808 claimed this task.Feb 18 2022, 8:22 PM
bd808 moved this task from Inbox to Clinic Duty on the cloud-services-team (Kanban) board.

{{Done}} https://wikitech.wikimedia.org/w/index.php?title=Special:Log/block&page=User%3ATheresNoTime

The history of that account on wikitech will look a bit strange. The account was not attached so I had to attach it first before blocking.

Restricted Application added a project: User-bd808. · View Herald TranscriptFeb 18 2022, 8:22 PM
TheresNoTime added a comment.Feb 18 2022, 8:22 PM
In T302109#7722409, @bd808 wrote:

{{Done}} https://wikitech.wikimedia.org/w/index.php?title=Special:Log/block&page=User%3ATheresNoTime

The history of that account on wikitech will look a bit strange. The account was not attached so I had to attach it first before blocking.

Many thanks :-)

TheresNoTime added a comment.Feb 19 2022, 1:29 AM

@bd808 what would the chances be that doing this has somehow caused me to be locked out of Gerrit? I think both LDAP accounts had the same email (sam@theresnotime.co.uk) so that might be why?

bd808 added a comment.Feb 19 2022, 4:36 PM
In T302109#7723227, @TheresNoTime wrote:

@bd808 what would the chances be that doing this has somehow caused me to be locked out of Gerrit? I think both LDAP accounts had the same email (sam@theresnotime.co.uk) so that might be why?

I would not rule it out as impossible. The hook that does gerrit blocks appears to use the blocked account's username and not email address, but the internals of the gerrit user db are murky to me. I do not have Gerrit superpowers, so you will need somebody from Release-Engineering-Team or another Gerrit manager to poke around and figure things out.

TheresNoTime added a project: Gerrit.Feb 19 2022, 7:29 PM
TheresNoTime added a subscriber: hashar.
hashar added a comment.Feb 19 2022, 7:43 PM

The account is still deactivated:

commit c021b72596aa8ce0480325a2b5bceed3546d584e (HEAD -> users/70/3070, origin/users/70/3070)
Author: [BOT] Gerrit Code Review <gerrit@wikimedia.org>
Date:   Fri Feb 18 20:19:51 2022 +0000

    Deactivate Account via API

diff --git a/account.config b/account.config
index 638684eee..5bd6b4698 100644
--- a/account.config
+++ b/account.config
+       active = false

I can not activate it again possible because the account is still blocked by the LDAP policy or is still stored in a Gerrit cache. I have tried enabling the account by manually editing the account.config. No promises it will work though. Will revisit on Monday.

TheresNoTime added a comment.Feb 19 2022, 7:46 PM
In T302109#7723878, @hashar wrote:

The account is still deactivated:

commit c021b72596aa8ce0480325a2b5bceed3546d584e (HEAD -> users/70/3070, origin/users/70/3070)
Author: [BOT] Gerrit Code Review <gerrit@wikimedia.org>
Date:   Fri Feb 18 20:19:51 2022 +0000

    Deactivate Account via API

diff --git a/account.config b/account.config
index 638684eee..5bd6b4698 100644
--- a/account.config
+++ b/account.config
+       active = false

I can not activate it again possible because the account is still blocked by the LDAP policy or is still stored in a Gerrit cache. I have tried enabling the account by manually editing the account.config. No promises it will work though. Will revisit on Monday.

I can now log in to Gerrit :-)

hashar closed this task as Resolved.Feb 19 2022, 9:19 PM

Unblocking is done in LDAP by removing the account from a specific policy but since that is cached in Gerrit it is not immediately active. I think the person has to login again to force an uncached LDAP lookup which would then automatically reactivate the account.

TheresNoTime mentioned this in T309392: Rename doppelganger LDAP/shell (TheresNoTime).May 27 2022, 12:05 PM
TheresNoTime mentioned this in T315897: Jobs started failing on https://releases-jenkins.wikimedia.org on 2022-08-21.Aug 22 2022, 3:35 PM
bd808 mentioned this in T316029: Potential misassociation of Git/Gerrit username and LDAP username.Sep 3 2022, 12:26 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits