
Allow everyone in ops group in LDAP to login to all Labs instances
Open, High, Public

Description

They can already login to pretty much every host in prod, and can get themselves added to any project. Should just be automatic instead.

Event Timeline

yuvipanda raised the priority of this task from to Needs Triage.
yuvipanda updated the task description.
yuvipanda added a project: Cloud-Services.
yuvipanda added a subscriber: yuvipanda.
Restricted Application added a subscriber: Aklapper. Jan 17 2015, 10:14 AM

Looks like this would be a change to modules/ldap/templates/access.conf.erb in puppet?

scfc added a subscriber: scfc. Oct 13 2015, 3:38 PM

Cf. also T85910 for a bigger revamp of access.conf.

chasemp triaged this task as High priority. Nov 30 2015, 5:13 PM
chasemp added a subscriber: chasemp.

While poking around in LDAP I found this:

krenair@bastion-01:~$ ldapsearch -x "(&(ou:dn:=sudoers)(cn:dn:=ops))"
# extended LDIF
#
# LDAPv3
# base <dc=wikimedia,dc=org> (default) with scope subtree
# filter: (&(ou:dn:=sudoers)(cn:dn:=ops))
# requesting: ALL
#

# ops, sudoers, wikimedia.org
dn: cn=ops,ou=sudoers,dc=wikimedia,dc=org
objectClass: sudorole
objectClass: top
sudoOption: !authenticate
sudoCommand: ALL
sudoUser: %ops
cn: ops
sudoHost: ALL

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

So they have full sudo everywhere, but can't necessarily log in everywhere? We should probably document this at https://wikitech.wikimedia.org/wiki/LDAP_Groups#ops_grants_access_to:
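An added audit script, not part of this task or of Wikimedia's puppet tree: it parses ldapsearch LDIF like the output above and flags sudoRole entries that combine sudoHost ALL, sudoCommand ALL and the !authenticate option, which is the combination the cn=ops entry carries. The cn=deploy entry in the sample is a constructed contrast case, not a real role.

```python
from collections import defaultdict

# Constructed sample LDIF: the cn=ops entry from the task plus a narrower, fictional role.
SAMPLE_LDIF = """\
dn: cn=ops,ou=sudoers,dc=wikimedia,dc=org
objectClass: sudorole
objectClass: top
sudoOption: !authenticate
sudoCommand: ALL
sudoUser: %ops
cn: ops
sudoHost: ALL

dn: cn=deploy,ou=sudoers,dc=wikimedia,dc=org
objectClass: sudorole
sudoCommand: /usr/bin/systemctl restart app
sudoHost: deploy-01
"""

# (attribute, value) pairs that each widen a sudoRole's blast radius.
RISKY = (("sudohost", "ALL"), ("sudocommand", "ALL"), ("sudooption", "!authenticate"))


def parse_ldif(text):
    """Parse ldapsearch-style LDIF into [{attr: [values]}] with attrs lower-cased.
    '#' comments are skipped and a blank line ends an entry; folded continuation
    lines and '::' base64 values are not handled here."""
    entries, current = [], defaultdict(list)
    for line in text.splitlines():
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                entries.append(dict(current))
                current = defaultdict(list)
            continue
        attr, _, value = line.partition(":")
        current[attr.strip().lower()].append(value.strip())
    if current:
        entries.append(dict(current))
    return entries


def risky_sudo_roles(text):
    """Return {dn: [findings]} for sudoRole entries that match any RISKY pair."""
    findings = {}
    for entry in parse_ldif(text):
        classes = [c.lower() for c in entry.get("objectclass", [])]
        hits = [f"{a}={v}" for a, v in RISKY if v in entry.get(a, [])]
        if "sudorole" in classes and hits:
            findings[entry["dn"][0]] = hits
    return findings
```

Feeding it the output of the ldapsearch above (with the base narrowed to ou=sudoers) gives an inventory of roles that grant passwordless root on every host, which is the set worth documenting on the wikitech page.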