Page MenuHomePhabricator
Projects LDAP-Access-Requests

LDAP-Access-RequestsComponent
ActivePublic
Watch Project

Members (7)

Watchers (11)

Details

Description

For Access requests for LDAP groups.

Note that some LDAP group membership (e.g. wmf, logstash-access, etc) is not requested via Phabricator but instead via Wikimedia IDM at https://idm.wikimedia.org. See the full list of LDAP groups managed in Wikimedia IDM.

Create your LDAP membership request in Phabricator

Please include:

  • Username: (The username of your existing LDAP account on https://idm.wikimedia.org or https://gerrit.wikimedia.org .)
  • Shell access: Yes/No (Whether you currently have shell access).
  • Purpose: (Specify which service you need to get access to, e.g. Icinga, Grafana, Superset etc).
  • Group: (The specific group you want to be added to - optional).
  • Contract end date: End date of contract (Contractors only)
  • Contract contact: Contact person for the contractor (Contractors only)

Refer to https://wikitech.wikimedia.org/wiki/LDAP/Groups for documentation on what each LDAP group is for.

How to create a LDAP account?

For LDAP admins only, how to process a request?

Recent Activity
View All

Yesterday

Dzahn added a comment to T395094: Grant Access to ops-limited for sdeckelmann-wmf.

We chatted a bit about this and it now seems like this is a bug or outdated docs, because she can login but not see any objects despite being in the wmf group.

Fri, May 23, 9:53 PM · SRE, LDAP-Access-Requests
Dzahn added a comment to T395094: Grant Access to ops-limited for sdeckelmann-wmf.

Hi Selena, could you link me to the tutorial you are following?

Fri, May 23, 5:53 PM · SRE, LDAP-Access-Requests
SDeckelmann-WMF added a comment to T395094: Grant Access to ops-limited for sdeckelmann-wmf.

Thanks! I can definitely login to netbox, but all of the objects are locked. I'm following the SRE tutorials, so if there's maybe something I missed earlier, let me know!

Fri, May 23, 5:37 PM · SRE, LDAP-Access-Requests
Dzahn closed T395094: Grant Access to ops-limited for sdeckelmann-wmf as Resolved.

resolving! But if there is any issue or more is needed feel free to just reopen it, or we can.

Fri, May 23, 5:32 PM · SRE, LDAP-Access-Requests
Dzahn added a comment to T395094: Grant Access to ops-limited for sdeckelmann-wmf.

@SDeckelmann-WMF Hey, so.. I checked and you already have membership in the "wmf" LDAP group. So that means you should be able to login on https://netbox.wikimedia.org Let us know if that works for you. Cheers!

Fri, May 23, 5:30 PM · SRE, LDAP-Access-Requests
Dzahn added a comment to T395094: Grant Access to ops-limited for sdeckelmann-wmf.

"netbox access" can still mean some different things.

Fri, May 23, 5:13 PM · SRE, LDAP-Access-Requests
Dzahn claimed T395094: Grant Access to ops-limited for sdeckelmann-wmf.
Fri, May 23, 4:59 PM · SRE, LDAP-Access-Requests
ABran-WMF reopened T395094: Grant Access to ops-limited for sdeckelmann-wmf as "Open".

@wiki_willy mentioned to me that @SDeckelmann-WMF needed to access netbox as well, I'm handing this over to @Dzahn if this is time sensitive as I'm out right now

Fri, May 23, 4:46 PM · SRE, LDAP-Access-Requests
hashar added a comment to T394749: Grant Jenkins admin rights to Peter Hedenskog (QTE).
In T394749#10850867, @Dzahn wrote:

@hashar So it requires 2 things, membership in LDAP group ciadmin and also shell access with contint-admins?

Fri, May 23, 1:04 PM · SRE, Jenkins, SRE-Access-Requests, Continuous-Integration-Infrastructure, LDAP-Access-Requests
ABran-WMF closed T395094: Grant Access to ops-limited for sdeckelmann-wmf as Resolved.

T395094: Grant Access to ops-limited for sdeckelmann-wmf and T395110: Grant Access to ops-limited for lsobanski done

Fri, May 23, 12:54 PM · SRE, LDAP-Access-Requests
ABran-WMF closed T395110: Grant Access to ops-limited for lsobanski as Resolved.

T395094: Grant Access to ops-limited for sdeckelmann-wmf and T395110: Grant Access to ops-limited for lsobanski done

Fri, May 23, 12:53 PM · SRE, LDAP-Access-Requests
LSobanski created T395110: Grant Access to ops-limited for lsobanski.
Fri, May 23, 9:34 AM · SRE, LDAP-Access-Requests

Thu, May 22

RobH added a comment to T395094: Grant Access to ops-limited for sdeckelmann-wmf.
Thu, May 22, 10:42 PM · SRE, LDAP-Access-Requests
Dzahn closed T394749: Grant Jenkins admin rights to Peter Hedenskog (QTE) as Resolved.

Done. Peter has a shell user on contint* machines now and is the LDAP ciadmin group.

Thu, May 22, 10:34 PM · SRE, Jenkins, SRE-Access-Requests, Continuous-Integration-Infrastructure, LDAP-Access-Requests
Maintenance_bot removed a project from T394749: Grant Jenkins admin rights to Peter Hedenskog (QTE): Patch-For-Review.
Thu, May 22, 10:30 PM · SRE, Jenkins, SRE-Access-Requests, Continuous-Integration-Infrastructure, LDAP-Access-Requests
gerritbot added a comment to T394749: Grant Jenkins admin rights to Peter Hedenskog (QTE).

Change #1148264 merged by Dzahn:

[operations/puppet@production] admin: Add phedenskog to contint-admins

https://gerrit.wikimedia.org/r/1148264

Thu, May 22, 10:26 PM · SRE, Jenkins, SRE-Access-Requests, Continuous-Integration-Infrastructure, LDAP-Access-Requests
Dzahn added a comment to T394749: Grant Jenkins admin rights to Peter Hedenskog (QTE).

I already did the LDAP group membership just now after Tyler's approval.

Thu, May 22, 10:16 PM · SRE, Jenkins, SRE-Access-Requests, Continuous-Integration-Infrastructure, LDAP-Access-Requests
Dzahn added a comment to T394749: Grant Jenkins admin rights to Peter Hedenskog (QTE).

@hashar So it requires 2 things, membership in LDAP group ciadmin and also shell access with contint-admins?

Thu, May 22, 10:16 PM · SRE, Jenkins, SRE-Access-Requests, Continuous-Integration-Infrastructure, LDAP-Access-Requests
SDeckelmann-WMF created T395094: Grant Access to ops-limited for sdeckelmann-wmf.
Thu, May 22, 10:10 PM · SRE, LDAP-Access-Requests
Dzahn moved T394749: Grant Jenkins admin rights to Peter Hedenskog (QTE) from Manager/NDA Approval/Confirmation to Patch in Review on the SRE-Access-Requests board.
Thu, May 22, 10:03 PM · SRE, Jenkins, SRE-Access-Requests, Continuous-Integration-Infrastructure, LDAP-Access-Requests
thcipriani placed T394749: Grant Jenkins admin rights to Peter Hedenskog (QTE) up for grabs.

Approved as keeper of contint-admins.

Thu, May 22, 9:58 PM · SRE, Jenkins, SRE-Access-Requests, Continuous-Integration-Infrastructure, LDAP-Access-Requests
Dzahn moved T394749: Grant Jenkins admin rights to Peter Hedenskog (QTE) from Untriaged to Manager/NDA Approval/Confirmation on the SRE-Access-Requests board.
Thu, May 22, 9:48 PM · SRE, Jenkins, SRE-Access-Requests, Continuous-Integration-Infrastructure, LDAP-Access-Requests
Dzahn assigned T394749: Grant Jenkins admin rights to Peter Hedenskog (QTE) to thcipriani.
Thu, May 22, 9:48 PM · SRE, Jenkins, SRE-Access-Requests, Continuous-Integration-Infrastructure, LDAP-Access-Requests

Wed, May 21

SLyngshede-WMF closed T394523: Grant Access to https://idm.wikimedia.org/ for maxbinderWMF as Resolved.
Wed, May 21, 6:16 AM · SRE, LDAP-Access-Requests

Tue, May 20

MBinder_WMF added a comment to T394523: Grant Access to https://idm.wikimedia.org/ for maxbinderWMF.

I was able to login now, thanks! I think we can proceed with keeping "mbinder" and cleaning up "maxbinderWMF". I appreciate your patience. :)

Tue, May 20, 2:14 PM · SRE, LDAP-Access-Requests
Mmta created T394784: Grant Access to <INSERT LDAP GROUP> for <INSERT USERNAME>.
Tue, May 20, 2:12 PM · Trash
SLyngshede-WMF added a comment to T394523: Grant Access to https://idm.wikimedia.org/ for maxbinderWMF.

It might be an issue with your email already being in the system using the new "maxbinderwmf" user. I've invalided that email address, let's see if that will allow the authentication to link the users correctly.

Tue, May 20, 8:48 AM · SRE, LDAP-Access-Requests
SLyngshede-WMF added a comment to T394523: Grant Access to https://idm.wikimedia.org/ for maxbinderWMF.

@MBinder_WMF Can you sign in at https://idp.wikimedia.org ?

Tue, May 20, 8:36 AM · SRE, LDAP-Access-Requests
Maintenance_bot added a project to T394749: Grant Jenkins admin rights to Peter Hedenskog (QTE): SRE.
Tue, May 20, 8:29 AM · SRE, Jenkins, SRE-Access-Requests, Continuous-Integration-Infrastructure, LDAP-Access-Requests
hashar updated subscribers of T394749: Grant Jenkins admin rights to Peter Hedenskog (QTE).

+ @thcipriani as the manager approving shell access / contint-admins ( 1148264 - admin: Add phedenskog to contint-admins ).

Tue, May 20, 7:48 AM · SRE, Jenkins, SRE-Access-Requests, Continuous-Integration-Infrastructure, LDAP-Access-Requests
gerritbot added a project to T394749: Grant Jenkins admin rights to Peter Hedenskog (QTE): Patch-For-Review.
Tue, May 20, 7:43 AM · SRE, Jenkins, SRE-Access-Requests, Continuous-Integration-Infrastructure, LDAP-Access-Requests
gerritbot added a comment to T394749: Grant Jenkins admin rights to Peter Hedenskog (QTE).

Change #1148264 had a related patch set uploaded (by Hashar; author: Hashar):

[operations/puppet@production] admin: Add phedenskog to contint-admins

https://gerrit.wikimedia.org/r/1148264

Tue, May 20, 7:43 AM · SRE, Jenkins, SRE-Access-Requests, Continuous-Integration-Infrastructure, LDAP-Access-Requests
hashar added a project to T394749: Grant Jenkins admin rights to Peter Hedenskog (QTE): Jenkins.
Tue, May 20, 7:36 AM · SRE, Jenkins, SRE-Access-Requests, Continuous-Integration-Infrastructure, LDAP-Access-Requests
hashar created T394749: Grant Jenkins admin rights to Peter Hedenskog (QTE).
Tue, May 20, 7:35 AM · SRE, Jenkins, SRE-Access-Requests, Continuous-Integration-Infrastructure, LDAP-Access-Requests

Mon, May 19

MBinder_WMF added a comment to T394523: Grant Access to https://idm.wikimedia.org/ for maxbinderWMF.

Thanks for the help. So I reset via email, and still can't log in with mbinder. I double checked the password I created is what's entered. I also tried to log in first with what I think the password would be (because I would use that to do the Phab batch edit work). After waiting a few minutes and trying again, I saw this:

Mon, May 19, 3:21 PM · SRE, LDAP-Access-Requests

Fri, May 16

MoritzMuehlenhoff added a comment to T394523: Grant Access to https://idm.wikimedia.org/ for maxbinderWMF.
In T394523#10831292, @MBinder_WMF wrote:

hmm, well, I do use the other one for Phabricator batch edit silencing, though I don't know that that would always have to be done under an official account. I'd probably prefer to keep one account for now. In that case, is there a way to delete the one for this request, and I can try to recover login info for the other?

Fri, May 16, 9:22 PM · SRE, LDAP-Access-Requests
BCornwall added a comment to T394523: Grant Access to https://idm.wikimedia.org/ for maxbinderWMF.

I'm unfortunately not the right person to ask for that! I'd get in touch with your manager and see what the bigger wigs say.

Fri, May 16, 8:52 PM · SRE, LDAP-Access-Requests
MBinder_WMF added a comment to T394523: Grant Access to https://idm.wikimedia.org/ for maxbinderWMF.

hmm, well, I do use the other one for Phabricator batch edit silencing, though I don't know that that would always have to be done under an official account. I'd probably prefer to keep one account for now. In that case, is there a way to delete the one for this request, and I can try to recover login info for the other?

Fri, May 16, 7:59 PM · SRE, LDAP-Access-Requests
BCornwall added a comment to T394523: Grant Access to https://idm.wikimedia.org/ for maxbinderWMF.

My guess is that your old one would remain as a personal account and that MaxBinderWMF would be for official representation (given that the WMF suffix is reserved).

Fri, May 16, 7:04 PM · SRE, LDAP-Access-Requests
MBinder_WMF added a comment to T394523: Grant Access to https://idm.wikimedia.org/ for maxbinderWMF.

I am not! That other account was set up on my behalf, I think, as part of another small issue wherein I needed SSH to a specific thing but not much else, so I wasn't sure if I should or how to use it in this context. Should I instead do a password reset of that existing username? I'm not attached to the new one, and would be more concerned about breaking anything with the old one.

Fri, May 16, 4:11 PM · SRE, LDAP-Access-Requests
taavi added a comment to T394523: Grant Access to https://idm.wikimedia.org/ for maxbinderWMF.

Hmm, are you intentionally using a new developer account for this instead of the existing 'mbinder' one that your Phabricator shell access is already associated with?

Fri, May 16, 3:37 PM · SRE, LDAP-Access-Requests
MBinder_WMF created T394523: Grant Access to https://idm.wikimedia.org/ for maxbinderWMF.
Fri, May 16, 3:04 PM · SRE, LDAP-Access-Requests
BWojtowicz-WMF added a comment to T393595: Requesting access to analytics-privatedata-users & Kerberos identity & deployment POSIX group & ml-team-admins for Bartosz Wójtowicz .

Thank you @BCornwall for the help!
I have all needed SSH access now, however I'm not sure about Kerberos - I did not receive any email with temporary password yet. Is there anything else I need to request besides the Kerberos identity?

Fri, May 16, 9:41 AM · LDAP-Access-Requests, Machine-Learning-Team, SRE, SRE-Access-Requests

Thu, May 15

BCornwall added a project to T393626: Grant Access to Product's Superset & Turnilo for SKivlehan: Data-Engineering.
Thu, May 15, 6:36 PM · Data-Engineering, Patch-For-Review, SRE, LDAP-Access-Requests
Maintenance_bot removed a project from T394308: Grant Access to analytics-privatedata-users for Jonathan Tweed: Patch-For-Review.
Thu, May 15, 6:31 PM · SRE, SRE-Access-Requests, LDAP-Access-Requests
BCornwall closed T394308: Grant Access to analytics-privatedata-users for Jonathan Tweed as Resolved.

This access has been granted. It'll be up to an hour before it will be in effect. If there's anything else you need don't hesitate to ask!

Thu, May 15, 6:21 PM · SRE, SRE-Access-Requests, LDAP-Access-Requests
gerritbot added a comment to T394308: Grant Access to analytics-privatedata-users for Jonathan Tweed.

Change #1146027 merged by BCornwall:

[operations/puppet@production] admin: Add jtweed to analytics-privatedata-users

https://gerrit.wikimedia.org/r/1146027

Thu, May 15, 6:19 PM · SRE, SRE-Access-Requests, LDAP-Access-Requests
Bmueller added a comment to T394308: Grant Access to analytics-privatedata-users for Jonathan Tweed.

Approved, thanks!

Thu, May 15, 12:51 PM · SRE, SRE-Access-Requests, LDAP-Access-Requests

Wed, May 14

BCornwall moved T394308: Grant Access to analytics-privatedata-users for Jonathan Tweed from Untriaged to Manager/NDA Approval/Confirmation on the SRE-Access-Requests board.
Wed, May 14, 6:43 PM · SRE, SRE-Access-Requests, LDAP-Access-Requests
BCornwall changed the status of T394308: Grant Access to analytics-privatedata-users for Jonathan Tweed from Open to In Progress.
Wed, May 14, 6:37 PM · SRE, SRE-Access-Requests, LDAP-Access-Requests
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits