Closed Bug 1172597 Opened 10 years ago Closed 10 years ago

LDAP email address change for Rimas Kudelis

Categories

(Infrastructure & Operations :: MOC: Service Requests, task)

Product:
Infrastructure & Operations
Component:
MOC: Service Requests
Type:
task
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
VERIFIED FIXED

People

(Reporter: rimas, Assigned: Usul)

References

Details

Please change my LDAP handle from rq@akl.lt to rimas@mozilla.lt. Thanks in advance!
Assignee: server-ops → nobody
Component: Account Requests → MOC: Service Requests
QA Contact: moconnor → lypulong
Assignee: nobody → ludovic
When I try to change the email it looks like it works , but when I double check it doesn't seem to be taken into account. 302 for people that master ldap better than me.
Assignee: ludovic → infra
Component: MOC: Service Requests → Infrastructure: LDAP
QA Contact: lypulong → jdow
An e-mail address can't be changed in LDAP - but you can create a new account, copy over bits and group memberships and then disable the old account. The posix UID number will change, so permissions will skew if there are any shell accounts associated.
How was Bug 756977 fixed then?
Let me rephrase that: An account *can* be changed, but the e-mail address is the relative distinguished name of the account object. All references to the account will be lost if it's renamed, and our tools will fail trying to change it. One can write an LDIF file with a MODDN operation, which is functionally equivalent to deleting the account and recreating it with the new name, but preserving the originally created time stamp. When doing this, all permissions and group memberships will have to be re-added to the account after a rename is done. The difference is that it takes a command line modification and a backup and lots of manual checking before and after the rename to make sure all permissions are copied over. This requires an LDAP super administrator with underlying knowledge of interacting with LDAP from the command line to deal with. However, if a new account is created, the permissions and group memberships are copied over, the whole operation takes a few minutes and any LDAP support personnell can do it. If the posix uidNumber is of importance to the user (usually it's not), then after all other things are verified working on the new account, then the old account can be demoted to a non-posixAccount account (it would be disabled anyway), which would free the old uidNumber for re-use on the new account.
Assignee: infra → nobody
Component: Infrastructure: LDAP → MOC: Service Requests
QA Contact: jdow → lypulong
(In reply to Justin Dow [:jabba] from comment #4) > However, if a new account is created, > the permissions and group memberships are copied over, the whole operation > takes a few minutes and any LDAP support personnell can do it. If the posix > uidNumber is of importance to the user (usually it's not), then after all > other things are verified working on the new account, then the old account > can be demoted to a non-posixAccount account (it would be disabled anyway), > which would free the old uidNumber for re-use on the new account. That seems fine to me. Thanks for such detailed explanation!
Assignee: nobody → ludovic
Carried the bits and key over to the new address.
Initial account disbaled.
updated svn Authz in 1172597
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Thanks! I've successfully changed my password. Should anything go wrong, I'll file a new bug.
Status: RESOLVED → VERIFIED
Blocks: 1248559
You need to log in before you can comment on or make changes to this bug.