Jump to content

SRE/LDAP/Renaming users

From Wikitech
< SRE | LDAP
(Redirected from Ldap rename)
We do not rename users (Developer accounts) anymore. It can (and has) lead to various problems and errors all over the many separate systems which consume Developer accounts as their local databases and authentication methods will get out of sync. We can reconsider when we have better tooling for identity management
This has only been tested changing the cn, sn LDAP attributes. It has not been tested with change of the uid ldap attribute and would almost certainly not work

It is possible, but not trivial, to rename a LDAP user account. The complication occurs mostly because multiple "primary" data stores all reference each other in interdependent ways.

Prerequisites

Open 2 tabs and stay logged in on Gerrit and Phabricator. On Phabricator, check the user profile page to make sure that the user to be renamed has enabled both LDAP and MediaWiki auth methods so that they do not lose access to Phabricator entirely during the rename.

Rename the user in LDAP

  1. Find the user's current information
    • ldaplist -l passwd <shell-account-name>
  2. Ensure the new CN doesn't conflict with another user's CN
    • ldapsearch -xLLL -P 3 -E pr=40000/noprompt -b"dc=wikimedia,dc=org" 'cn=<new-cn>'
  3. Change the user's CN using ldapmodify
    • $ ldapmodify -v -H 'ldap://ldap-rw.eqiad.wikimedia.org:389' -D 'uid=novaadmin,ou=people,dc=wikimedia,dc=org' -W -
      Enter bind password:
      dn: uid=<shell-account-name>,ou=people,dc=wikimedia,dc=org
      changetype: modify 
      replace: cn 
      cn: <new-cn>
      - 
      replace: sn 
      sn: <new-cn>
      -
      

Icinga

Login to Icinga with your new creds. It should work for lowercase as well.

Gerrit

As of Gerrit 3.2, the user database is a git repository. See the LDAP/Renaming_users/Gerrit page for instructions.

Phabricator

  • Got to your profile and click on Manage->Edit Settings->External Accounts (direct link)
  • Unlink the Wikitech auth and relink it with your new wikitech username.
  • If you want a new phabricator username, you could create a new account (not tested)

Wikimedia Cloud Services (Horizon)

  • You should be able to login using your new username.
  • You should have access to all projects you were before.

Hope for the best.