Any Wikitech administrator and content administrator can use MediaWiki's Special:Block to block the user in LDAP, and additional hooks in wmf-config/wikitech.php disable blocked users in Phabricator and Gerrit. This functionality should be moved to Bitu.
Description
Status | Subtype | Assigned | Task
---|---|---|---
Open | None | | T189531 All Wikimedia developer services should use single sign-on
Open | None | | T363125 sustainability of wikitech.wikimedia.org
Open | None | | T161859 Make Wikitech an SUL wiki
Open | None | | T359820 Add developer account (un)blocking support to Bitu
Event Timeline
On the LDAP account side, the block happens via the mechanism described in T168692: Blocking an account on wikitech should disable LDAP logins:
- pwdAccountLockedTime is set to '000001010000Z'
- pwdPolicySubentry is set to 'cn=disabled,ou=ppolicies,dc=wikimedia,dc=org'
Undoing the block clears both attributes which allows the account to authenticate again. The lack of any mangling of account data (like changing the password to some unknown/invalid value) makes this an easily reversed action which in turn allows us to be bold in blocking by knowing that an incorrect block is easily reversed.
See https://gerrit.wikimedia.org/r/c/mediawiki/extensions/LdapAuthentication/+/500681 and https://gerrit.wikimedia.org/r/c/operations/mediawiki-config/+/497866 for the initial PHP implementation.
When implemented, this blocking/unblocking mechanism should have a public audit trail similar to https://wikitech.wikimedia.org/wiki/Special:Log?type=block that records who was (un)blocked by whom, when, and why. The block/unblock actions should also ideally be exposed via a web API of some kind so that other tools can poke bitu to do the needful instead of needing to implement all of the logic again themselves.
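The attribute changes described in the comment above, as an added example (not code from Bitu, the LdapAuthentication extension or wmf-config): it emits the LDIF a block and an unblock would apply, checks whether an entry fetched from LDAP carries both markers, and shapes the who/whom/when/why audit entry the last paragraph asks for. The base DN ou=people,dc=wikimedia,dc=org and the accepted uid character set are assumptions.

```python
import re
from datetime import datetime, timezone

LOCKED_TIME = "000001010000Z"  # from the task: ppolicy marker for a permanent lock
DISABLED_POLICY = "cn=disabled,ou=ppolicies,dc=wikimedia,dc=org"  # from the task
USER_BASE = "ou=people,dc=wikimedia,dc=org"  # assumption: container of developer accounts
UID_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")  # assumption: conservative uid shape

def valid_uid(uid: str) -> bool:
    """Reject uids that could smuggle extra RDN components into the target DN."""
    return UID_RE.fullmatch(uid) is not None

def user_dn(uid: str) -> str:
    if not valid_uid(uid):
        raise ValueError(f"refusing to build a DN from suspicious uid {uid!r}")
    return f"uid={uid},{USER_BASE}"

def block_ldif(uid: str) -> str:
    """LDIF modify record that locks the account. The password is untouched,
    so unblock_ldif() fully reverses it."""
    return "\n".join([
        f"dn: {user_dn(uid)}", "changetype: modify",
        "replace: pwdAccountLockedTime", f"pwdAccountLockedTime: {LOCKED_TIME}", "-",
        "replace: pwdPolicySubentry", f"pwdPolicySubentry: {DISABLED_POLICY}", "-", "",
    ])

def unblock_ldif(uid: str) -> str:
    """LDIF modify record that clears both markers so the account can bind again."""
    return "\n".join([
        f"dn: {user_dn(uid)}", "changetype: modify",
        "delete: pwdAccountLockedTime", "-",
        "delete: pwdPolicySubentry", "-", "",
    ])

def is_blocked(entry: dict) -> bool:
    """True when an entry (attribute -> list of values, as a search returns it) carries
    both markers, i.e. it was blocked this way rather than locked out by failed binds."""
    return (LOCKED_TIME in entry.get("pwdAccountLockedTime", [])
            and DISABLED_POLICY in entry.get("pwdPolicySubentry", []))

def audit_record(actor: str, target: str, action: str, reason: str, when=None) -> dict:
    """One public-log entry in the spirit of Special:Log?type=block: who, whom, when, why."""
    if action not in ("block", "unblock"):
        raise ValueError(f"unknown action {action!r}")
    when = when or datetime.now(timezone.utc)
    return {"actor": actor, "target": target, "action": action, "reason": reason,
            "timestamp": when.strftime("%Y-%m-%dT%H:%M:%SZ")}
```

The LDIF strings can be fed to ldapmodify as-is; the uid check matters because the DN is built from user input and a uid containing `,` or `=` would otherwise retarget the modify.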