
Allow everyone in ops group in LDAP to login to all Labs instances
Open, High, Public


They can already login to pretty much every host in prod, and can get themselves added to any project. Should just be automatic instead.

Event Timeline

yuvipanda raised the priority of this task from to Needs Triage.
yuvipanda updated the task description.
yuvipanda added a project: Cloud-Services.
yuvipanda added a subscriber: yuvipanda.

Looks like this would be a change to modules/ldap/templates/access.conf.erb in puppet?

Cf. also T85910 for a bigger revamp of access.conf.

chasemp added a subscriber: chasemp.

While poking around in LDAP I found this:

krenair@bastion-01:~$ ldapsearch -x "(&(ou:dn:=sudoers)(cn:dn:=ops))"
# extended LDIF
# LDAPv3
# base <dc=wikimedia,dc=org> (default) with scope subtree
# filter: (&(ou:dn:=sudoers)(cn:dn:=ops))
# requesting: ALL

# ops, sudoers,
dn: cn=ops,ou=sudoers,dc=wikimedia,dc=org
objectClass: sudorole
objectClass: top
sudoOption: !authenticate
sudoCommand: ALL
sudoUser: %ops
cn: ops
sudoHost: ALL

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

So they have full sudo everywhere, but can't necessarily log in everywhere? We should probably document this at
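An added example, not part of the task or of the Wikimedia puppet repository: a small Python audit script that parses ldapsearch LDIF output of the shape shown above and flags sudoRole entries that combine sudoHost: ALL, sudoCommand: ALL and the !authenticate option (password-less root on every host). The embedded LDIF is constructed for the example; the dc=example,dc=org base and the cn=deploy role are hypothetical and only serve as a contrast to the broad ops role.

```python
"""Audit sudoRole entries from an ldapsearch LDIF export.

Flags roles that grant root on every host, for every command, without
re-authentication. Run standalone to print findings for the sample below;
feed it real ldapsearch output via parse_ldif() to audit a directory.
"""
import base64
from typing import Dict, List, Tuple

# Constructed sample LDIF (hypothetical base dc=example,dc=org): the ops
# role as the task shows it, plus a narrower hypothetical deploy role.
SAMPLE_LDIF = """\
# extended LDIF
# LDAPv3
# base <dc=example,dc=org> (default) with scope subtree
# filter: (objectClass=sudoRole)

# ops, sudoers, example.org
dn: cn=ops,ou=sudoers,dc=example,dc=org
objectClass: sudorole
objectClass: top
sudoOption: !authenticate
sudoCommand: ALL
sudoUser: %ops
cn: ops
sudoHost: ALL

# deploy, sudoers, example.org
dn: cn=deploy,ou=sudoers,dc=example,dc=org
objectClass: sudorole
objectClass: top
sudoCommand: /usr/bin/systemctl restart app
sudoUser: %deployers
cn: deploy
sudoHost: app-*

# search result
search: 2
result: 0 Success
"""


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Parse ldapsearch LDIF into a list of entries (attr -> values).

    Handles comments, folded continuation lines (leading space) and
    base64 values ("attr:: ..."). Attribute names are lower-cased because
    LDAP treats them case-insensitively. Trailing 'search:'/'result:'
    lines have no dn and are dropped.
    """
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    last_attr = None

    def flush() -> None:
        nonlocal current, last_attr
        if current.get("dn"):
            entries.append(current)
        current = {}
        last_attr = None

    for line in text.splitlines():
        if line.startswith("#"):
            continue
        if not line.strip():
            flush()
            continue
        if line.startswith(" ") and last_attr is not None:
            # LDIF folds long values onto following lines that start with a space
            current[last_attr][-1] += line[1:]
            continue
        if ":" not in line:
            continue
        attr, _, value = line.partition(":")
        attr = attr.strip().lower()
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        current.setdefault(attr, []).append(value)
        last_attr = attr
    flush()
    return entries


def audit_sudo_roles(entries: List[Dict[str, List[str]]]) -> List[Tuple[str, List[str]]]:
    """Return (dn, reasons) for every sudoRole with an over-broad grant."""
    findings = []
    for entry in entries:
        classes = {c.lower() for c in entry.get("objectclass", [])}
        if "sudorole" not in classes:
            continue
        reasons = []
        if "ALL" in entry.get("sudohost", []):
            reasons.append("sudoHost: ALL")
        if "ALL" in entry.get("sudocommand", []):
            reasons.append("sudoCommand: ALL")
        if any(o.strip() == "!authenticate" for o in entry.get("sudooption", [])):
            reasons.append("sudoOption: !authenticate")
        if reasons:
            findings.append((entry["dn"][0], reasons))
    return findings


if __name__ == "__main__":
    for dn, reasons in audit_sudo_roles(parse_ldif(SAMPLE_LDIF)):
        print(f"{dn}: {', '.join(reasons)}")
```

On the sample this reports only the ops role, with all three reasons; the deploy role, restricted to one command and a host pattern, is left alone. Against a real directory, pipe `ldapsearch -x -LLL "(objectClass=sudoRole)"` output into parse_ldif() and review every flagged dn alongside the access.conf rules that decide who can actually log in.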