Request for access to infoblox
Categories
(Infrastructure & Operations :: Corporate VPN: ACL requests, task)
Tracking
(Not tracked)
People
(Reporter: gene, Assigned: gcox)
References
Details
Can Enterprise Information Security (team_opsec LDAP group) have access to infoblox so that given an IP address we can look up what host it was associated with before that host record was deleted? This will help us during incident response when we encounter IPs which have no forward or reverse DNS record.
Assignee
Updated•6 years ago
Assignee
Comment 1•6 years ago
EIS folks added to vpn_infoblox. Should be available upon vpn disconnect/reconnect.
Reporter
Comment 3•6 years ago
Greg, it looks like Lucius Bono wasn't added to vpn_infoblox.
- Can you confirm this and if so add him
- Can you share what method you used to determine the list of users to add since it's likely something Lucius and I should also get fixed up (with him being a member of infosec)
-Gene
Assignee
Comment 4•6 years ago
lbono is/was already a member of vpn_infoblox. Can you describe the failure scenario?
Reporter
Comment 5•6 years ago
:lucius can you share what you're getting when you try to login to infoblox?
Comment 6•6 years ago
Assignee
Comment 7•6 years ago
Hrm. Took a flyer at this, added lucius to cn=inventory, which is an old ACL around the inventory system (I wonder if it got reused in infoblox).
Give it a try at your convenience, let's see if that's it. If so, great, I'll back-audit membership there; if not, we'll see if :rtucker can shed some light.
Comment 8•6 years ago
Tried just now and no dice. Maybe I'm just being impatient?
Also, I'm trying to login at https://infoblox1.private.mdc1.mozilla.com/ui/ - am I doing it wrong?
Assignee
Comment 9•6 years ago
Verified with Lucius, he's in now.
This was a learning thing for me - https://mana.mozilla.org/wiki/display/SYSADMIN/Infoblox+DDI - "In order for users to be granted access, they must have the user attribute 'infobloxGroup' populated with one of the values on the table below."
So, while Lucius was in the VPN group, he didn't have an attribute set. Set him to "read-only", which is parity with :gene.
I landed a change in puppet, 4423a90376e9b96a124eaabf3d26f171300cd04f, to lint LDAP for this situation ("you're in vpn_infoblox, but your infobloxGroup user attribute isn't set"). I'll get the other people that this affects solved as part of test-in-production for that linter script change (if they haven't noticed by now, they can wait 1 more day).
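The check comment 9 describes has two halves that can drift apart: the VPN ACL group (vpn_infoblox) decides whether you can reach the Infoblox UI at all, and the per-user infobloxGroup attribute decides whether Infoblox lets you in once you get there. Below is an added example of a linter for that drift, written for this page; it is not the puppet change referenced above or any Mozilla code. It reads an LDIF export, takes the members of cn=vpn_infoblox and reports anyone without an infobloxGroup value, and also catches the neighbouring mistakes (a value not in the allowed table, a member DN that no longer exists, and the attribute set on someone who is not in the VPN group). The example.com tree, the DNs, and every allowed value other than "read-only" are constructed assumptions.

```python
import base64
from typing import Dict, List, Set

Entry = Dict[str, List[str]]

# Constructed sample directory in LDIF form (hypothetical example.com tree,
# not Mozilla's LDAP). Four vpn_infoblox members, each in a different state.
SAMPLE_LDIF = """\
dn: cn=vpn_infoblox,ou=groups,dc=example,dc=com
objectClass: groupOfNames
cn: vpn_infoblox
member: mail=gene@example.com,o=com,dc=example
member: mail=lbono@example.com,o=com,dc=example
member: mail=rtucker@example.com,o=com,dc=example
member: mail=ghost@example.com,o=com,dc=example

dn: mail=gene@example.com,o=com,dc=example
uid: gene
infobloxGroup: read-only

dn: mail=lbono@example.com,o=com,dc=example
uid: lbono

dn: mail=rtucker@example.com,o=com,dc=example
uid: rtucker
infobloxGroup: superuser

dn: mail=mary@example.com,o=com,dc=example
uid: mary
infobloxGroup: admin
"""

GROUP_DN = "cn=vpn_infoblox,ou=groups,dc=example,dc=com"
# Assumption: the allowed infobloxGroup values from the wiki's table. Only
# "read-only" is named in the bug; "admin" stands in for the other rows.
VALID_INFOBLOX_GROUPS: Set[str] = {"read-only", "admin"}


def parse_ldif(text: str) -> Dict[str, Entry]:
    """Minimal RFC 2849 reader: comments, folded lines, '::' base64 values,
    multi-valued attributes. Keys are lower-cased DNs (DNs compare
    case-insensitively, so membership checks must normalise too)."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:   # folded continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries: Dict[str, Entry] = {}
    current: Entry = {}
    for line in lines + [""]:               # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                entries[current["dn"][0].lower()] = current
                current = {}
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {line!r}")
        if value.startswith(":"):           # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode()
        current.setdefault(attr.strip(), []).append(value.strip())
    return entries


def lint_infoblox(entries: Dict[str, Entry], group_dn: str = GROUP_DN,
                  valid: Set[str] = VALID_INFOBLOX_GROUPS) -> Dict[str, List[str]]:
    """missing_attr: in the VPN group, attribute unset (comment 9's case);
    invalid_value: value outside the allowed table; dangling_member: group
    names a DN that no longer exists; attr_without_vpn: attribute set but
    not in the VPN group, so the UI is unreachable anyway."""
    findings: Dict[str, List[str]] = {k: [] for k in (
        "missing_attr", "invalid_value", "dangling_member", "attr_without_vpn")}
    group = entries.get(group_dn.lower())
    if group is None:
        raise KeyError(f"group not found: {group_dn}")
    members = {m.lower() for m in group.get("member", [])}
    for dn in sorted(members):
        user = entries.get(dn)
        if user is None:
            findings["dangling_member"].append(dn)
            continue
        values = user.get("infobloxGroup", [])
        if not values:
            findings["missing_attr"].append(dn)
        elif any(v not in valid for v in values):
            findings["invalid_value"].append(dn)
    for dn, entry in sorted(entries.items()):
        if "infobloxGroup" in entry and dn not in members:
            findings["attr_without_vpn"].append(dn)
    return findings


if __name__ == "__main__":
    for bucket, dns in lint_infoblox(parse_ldif(SAMPLE_LDIF)).items():
        for dn in dns:
            print(f"{bucket}: {dn}")
```

Against the sample, lbono lands in missing_attr (the exact situation in comment 9), rtucker in invalid_value, the stale ghost entry in dangling_member and mary in attr_without_vpn. To run it against a real directory, replace SAMPLE_LDIF with the output of an `ldapsearch -LLL` export that includes the group entry and the user entries it points at; the DN lower-casing matters there, because group member values are frequently written in a different case than the user entry's own DN.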
Reporter
Updated•6 years ago