Details
Tue, Sep 17
These days we have Bitu running on idm.wikimedia.org and we're in the process of moving access requests into it (early code has already landed). When this is all properly finished, the process of requesting access to an LDAP group, the approval by the service owner and the eventual addition to the group will all happen within idm.wikimedia.org for fixed, pre-defined groups. This solves the problem reported here, marking it as resolved even though we're not fully done yet.
Sat, Sep 14
Are https://wikitech.wikimedia.org/wiki/Wikitech:Rename_requests and this task really necessary? We already have ways to connect LDAP and SUL accounts with different names (in Bitu).
Thu, Aug 29
We are probably skipping ahead to idp auth.
I'm not quite ready to close this as invalid, but I'm dropping the priority since we are probably not doing it!
Tue, Aug 27
I'm definitely going in circles here, but @bd808 suggests that we just skip ahead to https://phabricator.wikimedia.org/T359554 and let striker run without 2fa until 2fa is enabled in CAS. That would at least stop me being confused about what the intermediate steps are in all this.
Change #1064481 had a related patch set uploaded (by Andrew Bogott; author: Andrew Bogott):
[operations/puppet@production] openstack keystone: switch to idmtotp for 2fa
https://gerrit.wikimedia.org/r/1064481
Change #1064480 had a related patch set uploaded (by Andrew Bogott; author: Andrew Bogott):
[operations/puppet@production] openstack keystone: add a new auth plugin to validate totp tokens against idm
https://gerrit.wikimedia.org/r/1064480
Simon writes:
Aug 21 2024
Change #1064481 had a related patch set uploaded (by Andrew Bogott; author: Andrew Bogott):
[operations/puppet@production] openstack keystone: switch to idmtotp for 2fa
https://gerrit.wikimedia.org/r/1064481
Change #1064480 had a related patch set uploaded (by Andrew Bogott; author: Andrew Bogott):
[operations/puppet@production] openstack keystone: add a new auth plugin to validate totp tokens against idm
https://gerrit.wikimedia.org/r/1064480
Aug 10 2024
Boldly closing this a few years later :-)
Merging Wikitech accounts is not technically possible.
Per the note at the top of https://wikitech.wikimedia.org/wiki/SRE/LDAP/Renaming_users, we no longer rename LDAP accounts.
Jul 10 2024
Change #1052085 merged by Slyngshede:
[operations/software/bitu@master] MediaWiki: Allow Bitu to be used as a 2FA proxy.
https://gerrit.wikimedia.org/r/1052085
Jul 4 2024
Change #1052085 had a related patch set uploaded (by Slyngshede; author: Slyngshede):
[operations/software/bitu@master] MediaWiki: Allow Bitu to be used as a 2FA proxy.
https://gerrit.wikimedia.org/r/1052085
Jun 27 2024
I'll take care of this when I'm back from sabbatical
Jun 25 2024
Change #1049536 merged by Muehlenhoff:
[operations/puppet@production] offboard-user: New -H for ldapmodify
https://gerrit.wikimedia.org/r/1049536
Change #1049536 had a related patch set uploaded (by Muehlenhoff; author: Muehlenhoff):
[operations/puppet@production] offboard-user: New -H for ldapmodify
https://gerrit.wikimedia.org/r/1049536
Jun 19 2024
Currently the highest number in use is 47058. So that's 1081 accounts in the 148 days since I created this task, or about 7.3 accounts per day. Assuming a similar rate of growth, we're looking at running out of numbers in about 400 days, which would be late July next calendar year.
Change #1046596 merged by Muehlenhoff:
[operations/puppet@production] Drop ldap-admins access group from mwmaint hosts
https://gerrit.wikimedia.org/r/1046596
Jun 17 2024
The LDAP management parts have been split off to the new ldap-maint1001/ldap-maint2001 hosts.
Change #1046592 merged by Muehlenhoff:
[operations/puppet@production] Disable openldap::management timers on mwmaint hosts
https://gerrit.wikimedia.org/r/1046592
Change #1046594 merged by Muehlenhoff:
[operations/puppet@production] profile::openldap::management: Remove support for buster
https://gerrit.wikimedia.org/r/1046594
Change #1046596 had a related patch set uploaded (by Muehlenhoff; author: Muehlenhoff):
[operations/puppet@production] Drop ldap-admins access group from mwmaint hosts
https://gerrit.wikimedia.org/r/1046596
Change #1046594 had a related patch set uploaded (by Muehlenhoff; author: Muehlenhoff):
[operations/puppet@production] profile::openldap::management: Remove support for buster
https://gerrit.wikimedia.org/r/1046594
Change #1046592 had a related patch set uploaded (by Muehlenhoff; author: Muehlenhoff):
[operations/puppet@production] Disable openldap::management timers on mwmaint hosts
https://gerrit.wikimedia.org/r/1046592