SRE/LDAP/Renaming users

It is possible, but not trivial, to rename a LDAP user account. The complication occurs mostly because multiple "primary" data stores all reference each other in interdependent ways.

Open 2 tabs and stay logged in on Gerrit and Phabricator. On Phabricator, check the user profile page to make sure that the user to be renamed has enabled both LDAP and MediaWiki auth methods so that they do not lose access to Phabricator entirely during the rename.

1. Find the user's current information
   • ldaplist -l passwd <shell-account-name>
2. Ensure the new CN doesn't conflict with another user's CN
   • ldapsearch -xLLL -P 3 -E pr=40000/noprompt -b"dc=wikimedia,dc=org" 'cn=<new-cn>'
3. Change the user's CN using ldapmodify

   • $ ldapmodify -v -H 'ldap://ldap-rw.eqiad.wikimedia.org:389' -D 'uid=novaadmin,ou=people,dc=wikimedia,dc=org' -W -
     Enter bind password:
     dn: uid=<shell-account-name>,ou=people,dc=wikimedia,dc=org
     changetype: modify 
     replace: cn 
     cn: <new-cn>
     - 
     replace: sn 
     sn: <new-cn>
     -
     

Login to Icinga with your new creds. It should work for lowercase as well.

As of Gerrit 3.2, the user database is a git repository. See the LDAP/Renaming_users/Gerrit page for instructions.

• Got to your profile and click on Manage->Edit Settings->External Accounts (direct link)
• Unlink the Wikitech auth and relink it with your new wikitech username.
• If you want a new phabricator username, you could create a new account (not tested)

• You should be able to login using your new username.
• You should have access to all projects you were before.

Hope for the best.