Closed Bug 1527693 Opened 6 years ago Closed 6 years ago

Request for access to infoblox

Categories: Infrastructure & Operations :: Corporate VPN: ACL requests (Type: task, Priority: Not set, Severity: normal)
Tracking: Not tracked
Status: RESOLVED FIXED
People: Reporter: gene, Assigned: gcox

Can Enterprise Information Security (team_opsec LDAP group) have access to infoblox so that, given an IP address, we can look up what host it was associated with before that host record was deleted? This will help us during incident response when we encounter IPs which have no forward or reverse DNS record.

Assignee: infra → vpn-acl
Component: DNS and Domain Registration → Mozilla VPN: ACL requests
QA Contact: cshields → gcox

EIS folks added to vpn_infoblox. Should be available upon vpn disconnect/reconnect.

https://infoblox1.private.mdc1.mozilla.com/ui/

Assignee: vpn-acl → gcox
Group: infra
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED

Yup, confirmed, thanks Greg.

Status: RESOLVED → VERIFIED

Greg, it looks like Lucius Bono wasn't added to vpn_infoblox.

  1. Can you confirm this and, if so, add him?
  2. Can you share what method you used to determine the list of users to add, since it's likely something Lucius and I should also get fixed up (with him being a member of infosec)?

-Gene

Status: VERIFIED → REOPENED
Resolution: FIXED → ---

lbono is (and was already) a member of vpn_infoblox. Can you describe the failure scenario?

:lucius can you share what you're getting when you try to login to infoblox?

Flags: needinfo?(lbono)

Hrm. Took a flyer at this, added lucius to cn=inventory, which is an old ACL around the inventory system (I wonder if it got reused in infoblox).

Give it a try at your convenience, let's see if that's it. If so, great, I'll back-audit membership there; if not, we'll see if :rtucker can shed some light.

Tried just now and no dice. Maybe I'm just being impatient?
Also, I'm trying to login at https://infoblox1.private.mdc1.mozilla.com/ui/ - am I doing it wrong?

Verified with Lucius, he's in now.

This was a learning thing for me - https://mana.mozilla.org/wiki/display/SYSADMIN/Infoblox+DDI - "In order for users to be granted access, they must have the user attribute 'infobloxGroup' populated with one of the values on the table below."

So, while Lucius was in the VPN group, he didn't have an attribute set. Set him to "read-only", which is parity with :gene.

I landed a change in puppet, 4423a90376e9b96a124eaabf3d26f171300cd04f, to lint LDAP for this situation ("you're in vpn_infoblox, but your infobloxGroup user attribute isn't set"). I'll get the other people that this affects solved as part of test-in-production for that linter script change (if they haven't noticed by now, they can wait 1 more day).

Status: REOPENED → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Group: infra
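As an added example, not the puppet linter from the bug or any Mozilla code: a small Python lint over constructed LDIF that reports members of vpn_infoblox whose infobloxGroup attribute is unset (the failure in this bug) and, going one step further, users who carry the attribute without being in the group. The `member` attribute for group membership, the DN layout and all names are assumptions.

```python
from collections import defaultdict

# Constructed sample LDIF (not real directory data): one group, three users.
# lbono is in the group but has no infobloxGroup; stale has the attribute but no membership.
SAMPLE_LDIF = """\
dn: cn=vpn_infoblox,ou=groups,dc=example,dc=org
objectClass: groupOfNames
cn: vpn_infoblox
member: mail=gene@example.org,ou=people,dc=example,dc=org
member: mail=lbono@example.org,ou=people,dc=example,dc=org

dn: mail=gene@example.org,ou=people,dc=example,dc=org
objectClass: inetOrgPerson
mail: gene@example.org
infobloxGroup: read-only

dn: mail=lbono@example.org,ou=people,dc=example,dc=org
objectClass: inetOrgPerson
mail: lbono@example.org

dn: mail=stale@example.org,ou=people,dc=example,dc=org
objectClass: inetOrgPerson
mail: stale@example.org
infobloxGroup: read-only
"""
GROUP_DN = "cn=vpn_infoblox,ou=groups,dc=example,dc=org"  # assumed group DN


def parse_ldif(text):
    """Parse minimal LDIF into {dn: {attr: [values]}} (no continuation lines, no base64)."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip():          # blank line ends the current entry
            current = None
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip(), value.strip()
        if attr == "dn":
            current = entries.setdefault(value, defaultdict(list))
        elif current is not None:
            current[attr].append(value)
    return entries


def lint_infoblox_access(entries, group_dn=GROUP_DN, attr="infobloxGroup"):
    """Return (members lacking the attribute, attribute holders outside the group)."""
    members = set(entries.get(group_dn, {}).get("member", []))
    holders = {dn for dn, e in entries.items() if e.get(attr)}
    return sorted(members - holders), sorted(holders - members)


if __name__ == "__main__":
    missing, stale = lint_infoblox_access(parse_ldif(SAMPLE_LDIF))
    for dn in missing:
        print("in vpn_infoblox but infobloxGroup unset:", dn)
    for dn in stale:
        print("infobloxGroup set but not in vpn_infoblox:", dn)
```

The first list is the login failure seen in this bug; the second is the case a back-audit would want to catch, since the attribute alone should not grant access.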