Sun, Dec 1
Change #1064480 abandoned by Andrew Bogott:
[operations/puppet@production] openstack keystone: add a new auth plugin to validate totp tokens against idm
Change #1064481 abandoned by Andrew Bogott:
[operations/puppet@production] openstack keystone: switch to idmtotp for 2fa
Reason:
no longer needed
Nov 11 2024
Nov 9 2024
Change #1042267 abandoned by Majavah:
[operations/puppet@production] openstack: wikitech: Stop setting writable LDAP credentials
Nov 6 2024
Nov 1 2024
That's an issue in the underlying data in LDAP, which the tool is showing correctly enough.
taavi@tools-bastion-12:~ $ ldapsearch -x cn=novaadmin memberOf | grep wikinewsie
memberOf: cn=wikinewsie,ou=projects,dc=wikimedia,dc=org
Oct 26 2024
Oct 7 2024
Oct 2 2024
Change #1077444 merged by jenkins-bot:
[labs/striker@master] auth: Properly remove 2FA support
Change #1077444 had a related patch set uploaded (by Majavah; author: Majavah):
[labs/striker@master] auth: Properly remove OATHAuth support
Oct 1 2024
See T359554: Use IDP for authentication in Striker as a replacement.
Striker still has some code that needs to be cleaned up so T373461: Striker: use idm for 2fa validation instead of wikitech probably needs to be re-purposed to that, but otherwise probably not. T372892 is for replacing 2FA functionality in IDP.
Still relevant?
Still relevant?
Still relevant?
Since LdapAuthentication is gone these LDAP credentials should be removed completely instead.
Sep 30 2024
Change #1076816 had a related patch set uploaded (by Majavah; author: Majavah):
[labs/striker@master] labsauth: Write SUL details to LDAP when updating linkage
Change #1076815 had a related patch set uploaded (by Majavah; author: Majavah):
[labs/striker@master] labsauth: Write SUL account details to LDAP on registration
Change #1076814 had a related patch set uploaded (by Majavah; author: Majavah):
[labs/striker@master] dev(docker): Add wmf-user custom LDAP schema
Sep 29 2024
This is probably obsolete now that Horizon does IDP authentication via Keystone?
Sep 24 2024
Renaming shell/idm/gerrit accounts is out of the scope of wikitech SULification so I'm not sure reopening this ticket makes sense. But for your wikitech account, we can rename "Kizule" to "Kizule (usurped)" and then rename "Zoranzoki21" to "Kizule". For that, request a rename in https://wikitech.wikimedia.org/wiki/Wikitech:Rename_requests
Sep 23 2024
I'm reopening this task per https://lists.wikimedia.org/hyperkitty/list/wikitech-l@lists.wikimedia.org/message/5NBCVPPOXB4O3KI7B4YJBZUEA7N3YFQK/.
Sep 17 2024
These days we have Bitu running on idm.wikimedia.org and we're in the process of moving access requests into it (early code has already landed). When this is all properly finished, the process of requesting access to an LDAP group, the approval by the service owner and the eventual addition to the group will all happen within idm.wikimedia.org for fixed, pre-defined groups. This solves the problem reported here, marking it as resolved even though we're not fully done yet.
Sep 14 2024
Is https://wikitech.wikimedia.org/wiki/Wikitech:Rename_requests and this task really necessary? We already have ways to connect LDAP and SUL accounts with different names (in Bitu).
Sep 13 2024
Aug 29 2024
We are probably skipping ahead to idp auth.
I'm not quite ready to close this as invalid but I'm dropping the priority since we are probably not doing it!
Aug 27 2024
I'm definitely going in circles here, but @bd808 suggests that we just skip ahead to https://phabricator.wikimedia.org/T359554 and let striker run without 2fa until 2fa is enabled in CAS. That would at least stop me being confused about what the intermediate steps are in all this.
Change #1064481 had a related patch set uploaded (by Andrew Bogott; author: Andrew Bogott):
[operations/puppet@production] openstack keystone: switch to idmtotp for 2fa
Change #1064480 had a related patch set uploaded (by Andrew Bogott; author: Andrew Bogott):
[operations/puppet@production] openstack keystone: add a new auth plugin to validate totp tokens against idm
Simon writes: