Closed Bug 524080 Opened 13 years ago Closed 13 years ago

Hg/SVN: Informative error for "login denied due to deactivation for inactivity"


( Graveyard :: Server Operations, task)

Not set


(Not tracked)



(Reporter: gerv, Assigned: aravind)



(Whiteboard: 02/28/2010)

[This request is for both Hg and SVN; let me know if you need a separate bug split out for SVN.]

We want to deactivate unused contributor accounts. Several people have suggested this would be much more palatable if the error message they got when trying to log in was more informative than "login denied". Something like:

"Account deactivated due to inactivity. Please file a bug at
to have it quickly reactivated."

(Perhaps you could tinyURL that URL.)

This bug requests that the necessary mechanisms to produce such an error be developed for SVN and for Hg.

pash could be modified to query LDAP for disabled accounts, I guess.
Assignee: nobody → server-ops
Component: Hg: Customizations → Server Operations
QA Contact: hg.customizations → mrz
Assignee: server-ops → aravind
How do we plan on de-activating accounts?  Is someone going to sweep hg/svn/cvs and automate that somehow?
Yes :-) I've done that bit, although my script apparently needs work because it's not quite giving all the right answers yet. I'm sure I'll get it soon.

Component: Server Operations → Server Operations: Projects
arzhel/aravind - can you give an approximate ETA for this?  This will help set some decisions in bug 524153.
I discussed this with Derek - we need to create a new attribute indicating account status in ldap and backfill existing accounts.  We also have to fix the existing login scripts to look at this new attribute and grant/deny access accordingly.  Jeremy has to fix devldap to add this new attribute (or reset it for disabled accounts).  All this will probably take at least a few days (if that's all we are working on).  But looking at my workload, I expect it to take at least a couple of weeks (or more) if I start working on it now.
Aravind: this confuses me; what you write suggests that currently there is no "account deactivation" mechanism. And yet accounts have been deactivated in the past, e.g. in bug 510511. Those people are still in LDAP, because dmoore's original list he sent me included them (by mistake). But they presumably can't log in. So how are those accounts marked as "deactivated"?

Or have I misunderstood?

There is a mechanism to disable accounts, what we want is not to disable accounts.  Folks could simply not be checking anything into any source control systems, but be active in other ways.  For folks like that (and even in general), we don't want to disable their accounts.  We need a way to disable only their subversion/mercurial accounts and leave the rest of their stuff intact.  Also, when we do disable their source control access, we need a way to look at some flag that says this account was inactive and hence we disabled source control access - What I laid out above is a way to go about doing that.
OK, I get it now. Thank you :-) 

I guess I didn't realise that this work was required, otherwise I would have tried to get it scheduled while we were going through the long process of defining the list of accounts :-( Ah well.

Component: Server Operations: Projects → Server Operations
Whiteboard: 01/15/2010
Blocks: 524153
@Gerv: starting to work on this, and had a question.  How do you want to handle the case of someone having multiple scm system accounts (like say in svn and hg) and they happen to be active in one of them, but not the other?  I am leaning towards treating them as independent objects and deactivating them independently as well.
Aravind: great to hear :-) Yes, I think the best thing to do is to treat the accounts independently. That's what I've been assuming in creating my lists. 

Aravind: might you be able to give us a progress report?

Thanks :-)

After looking at my options in ldap, I know how I want to implement this.  Was going to work on it this week, should be ready in a couple of weeks (so.. shooting for the end of Feb seems reasonable to me).
Thanks :-) Let me know if you need anything from me (requirements, design etc.).

Whiteboard: 01/15/2010 → 02/28/2010
Okay, the scripts to detect and report inactive accounts are in place.  I tested them as best as I could.  Note that at this point, none of the accounts are disabled in ldap.
Closed: 13 years ago
Resolution: --- → FIXED
Product: → Graveyard
You need to log in before you can comment on or make changes to this bug.