Great, thanks!

I have a meeting with Lisa in recruiting for 1 pm Pacific on Monday, May

21. I'll be doing the green house changes with her then. Can we coordinate

for this time or we can reschedule?

Hi All,

I have verified we can make Organizational Units under people without affecting mail flow, so this good!

Thanks for sending this along. This is a great help. I'm going to read over this, and see if I can make some sub OU's and see if mail still flows.

Hi All,

@Dzahn Can we try this again? We have made the Google and LDAP groups. I think we just have to wait for the "previous cache callout" to expire, then the mail will flow.

Let us know if the "secrets" worked.

I set the email address to the Google Group discourse-oauth@wikimedia.org, which I am an Manager of. Who should be a member and receive emails here if they are sent?

I have set this up and can send the secrets. Should I send via PGP or give you an usb in person, or something else? If I'm sending by PGP, can you email your fingerprint?

Adding me to this ticket is fine.

How about if we design a way where Office IT can create the groups that are needed in G-Suite without Ops having to make separate OUs? This way we (Office IT) could have more granular groups in G-Suite, without having to ask Ops for the OUs?

In T133191#3325072, @Reedy wrote:

I'd suggest a separate ticket for it :)

Could we also look at setting up a more restrictive DMARC record for our domain? Has it been considered before?

I found a workaround to avert our security concerns, and use gmail smtp, because Neil did not need the "reply-to" address to be qualtrics@wikimedia.org. If the "reply-to" address was needed we would have had to place cn=qualtrics in ou=people, ou=corp, ou=wikimedia, ou=org instead of ou=qualtrics, ou=corp, ou=wikimedia, ou=org so the address would receive mail. The ou=qualtrics, ou=corp, ou=wikimedia, ou=org is not replicated in production LDAP and does not receive mail.

The problem is somewhere in "Google Cloud Directory Sync", then. It appears as if moving a user to a different OU isn't reflected in the LDAP data generated by GCDS

I do not think this is the issue because GCDS does not generate LDAP data and it does not change our LDAP data. The GCDS just queries our LDAP server for users.

ldap1 is running Ubuntu 14.04.5 LTS. Google Cloud Directory Sync [1], to sync users from LDAP with G-Suite, is hosted on another server. We can not run ldap queries against G-suite, we have to use their Admin API [2]. A standard search, on ldap1, that determines if a employee is with us or not could be run as follows:

In T161004#3150359, @MoritzMuehlenhoff wrote:

...
@bbogaert: If OIT offboards a staff member, does the @wikimedia.org continue to receive mail in general or what's the policy here?

I see the value in making a more generic ou address more use cases, but I would rather have an ou that more aligns more with their purpose. These persons will also have access to Google Calendar too. Also, I would like to account for a situation if we were to give these persons more access, for example, Google Drive.

Is it possible for us to modify the replication? We have an ou for ex-employees.

@Dzahn Ricard has the laptop.

Thanks for the nudge @demon !!!

@Krenair Thanks, for the input. I updated ns2 to have those records too.

I updated for these missing records.

I looked at past backups and could not find reverse lookup records going back as far as September, 2013. I started with creating a reverse record for tan1.corp.wikimedia.org and have now added tan[2-4].

With the decision to move to a a new Office, we will not be pursuing infrastructure changes such as this.

Today around 12:00 AM PST our domain was suspended and if you attempted to use any of our google services you would have received an error. It was suspended because Google had "set up billing" for us and it expired today. They "Set Up Billing" for us because we wanted to explore moving to a G-Suite Unlimited plan and this was the only way they could send "terms and conditions". When I received notice at 10:08 PM PST I emailed our representative to make sure our account was not suspended and he assurede me it was not, and opened a support case. However, at 12:00 AM PST it was indeed suspended and services became inaccessible. I called G-suite support numbers but they were unavailable. I was able to fix our issue for now by setting up billing and moving the organization to an unlimited plan.
In the morning I plan on contacting Google, and finding out what happened and how this could have been prevented.

@akosiaris Yes, I can take a look.

Hi All,

Migration to new file server with LDAP integration has been completed.

DNS points to new server and is working properly.

Made sure rsnapshot backups were working correctly for new server.

I made the change to corp LDAP. I have been able to add the wikimediaPerson objectClass and YubiKeyVPN attribute to myself. Can you check if LDAP is still syncing properly?

Awesome. Thank you for the help @MoritzMuehlenhoff . I'll make the changes and let you know if there's any trouble.

Updated Google Group to have members: dmenard and wolliff

Hi Daniel,

Hi Daniel,

Sure. Thanks for the bump.

Update: The sync was getting stuck on person's whom had an yubikey ldap attribute. I added the attribute back, deleted the attribute from the people that had it, and then removed the attribute from the schema. Email is now flowing again to the new entries who were not receiving anything.

I added the yubikey attribute for two-factor -vpn.

Hi Alex,

Hi Alex,

We can close this. This was a session with Grace on Phabricator.

RSYNC configured to run at 4 AM every day.

Hi All,

Board@wikimedia.org is a Google Group that sends to board members and wikimedia staff.

Hi Alex,

Hi All,

Hi Daniel,

Hi Daniel,

Hi Daniel,

@Dzahn Thanks, I just need to make sure they were added to fr-tech

@Dzahn Who was in fr-tech-ops? I can not nest/inherit other groups in Google Groups.

@atgo Do we need fundraiser-2012 or fr-2012?

Hi Daniel,

Found problem to be ports for uplinks to ulsfo were in err-disable. These have been recovered (thanks cajoel), and the links are backup.

What I have found out so far:

Thanks Faidon. I'll troubleshoot, and let you know what I find.

Hey Daniel,

Hi Daniel,