Closed Bug 757706 Opened 13 years ago Closed 13 years ago

please create an account for bugzilla.mozilla.org to query LDAP

Categories: Infrastructure & Operations :: Infrastructure: Other, task
Platform: x86 macOS
Importance: Not set (priority), normal (severity)

RESOLVED FIXED

People

(Reporter: glob, Assigned: jabba)

Details

we require an account which will allow a bugzilla.mozilla.org script (running from cron) to query ldap. as this will be used from a script, i would like the password to be configured to never expire. the account will need access to read the following fields from o=com,dc=mozilla: cn, mail, bugzillaEmail, emailAlias, employeeType. i'd love for this to be created before the end of this week if possible. thanks!
Blocks: 757702
Jabba, we might need a special account for this one. Thanks!
Assignee: desktop-support → server-ops-infra
Component: Server Operations: Account Requests → Server Operations: Infrastructure
QA Contact: tfairfield → jdow
Current ACLs allow standard bind users to only read cn, mail and bugzillaEmail and to only perform search operations (but not read the value of) emailAlias and employeeType. I'll need to create a new bind user and a set of ACLs to allow it to read these fields. I'll work on that now.
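What a bind-user ACL of this shape can look like, as an added illustration rather than the configuration actually deployed for this bug, assuming OpenLDAP slapd.conf access directives (the bug does not name the server software). The bind DN uid=bind-bmo,ou=logins,dc=mozilla and the five attributes come from the bug; the pre-existing rules for other authenticated users are assumed.

```conf
# Constructed example, not the bug's real configuration. Assumes OpenLDAP
# slapd.conf syntax. Access levels are ordered none < disclose < auth <
# compare < search < read < write: "search" lets a client match a filter
# against an attribute without retrieving its value, which is the
# behaviour comment 2 describes for emailAlias and employeeType.

# Before: ordinary bind users read three attributes and may only
# search on the other two.
access to dn.subtree="dc=mozilla" attrs=cn,mail,bugzillaEmail
        by users read
        by * none
access to dn.subtree="dc=mozilla" attrs=emailAlias,employeeType
        by users search
        by * none

# After: the dedicated service bind DN gets read on all five attributes;
# everyone else keeps the previous levels. dn.subtree="dc=mozilla" covers
# both o=com,dc=mozilla and o=org,dc=mozilla with one rule.
access to dn.subtree="dc=mozilla" attrs=cn,mail,bugzillaEmail
        by dn.exact="uid=bind-bmo,ou=logins,dc=mozilla" read
        by users read
        by * none
access to dn.subtree="dc=mozilla" attrs=emailAlias,employeeType
        by dn.exact="uid=bind-bmo,ou=logins,dc=mozilla" read
        by users search
        by * none
```

slapd evaluates access rules in order and stops at the first `access to` clause whose target matches, so these must precede any broader rule for the same attributes; an entry is only returned at all if the bind DN also has read access to the `entry` pseudo-attribute, which the omitted remaining rules are assumed to grant.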
I've created the account and updated the ACLs on all the ldap servers to allow it to read those attributes. Please let me know how I can securely communicate the credentials for this account.
Assignee: server-ops-infra → jdow
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
(In reply to Justin Dow [:jabba] from comment #3)
> I've created the account and updated the ACLs on all the ldap servers to
> allow it to read those attributes. Please let me know how I can securely
> communicate the credentials for this account.

thanks jabba. are you able to drop it into ~bjones on web2.stage.bugs.scl3.mozilla.com ?
sorry jabba, i'm just working through an issue and this account will also require access to the o=org,dc=mozilla dn (with the same set of fields); can you please also allow access to that? thanks
I added ~/bjones/.ldapaccount with the credentials in it and the way I structured the ACL, access to o=org should also work. Please let me know if there are any issues.
thanks jabba; i can successfully authenticate using those credentials, however i'm not getting any results back from o=com,dc=mozilla (however o=org,dc=mozilla works):

    Logging into LDAP as mail=bjones@mozilla.com,o=com,dc=mozilla...
    Getting user list from LDAP o=com,dc=mozilla...
    Found 841 entires
    Getting user list from LDAP o=org,dc=mozilla...
    Found 54 entires
    Logging into LDAP as uid=bind-bmo,ou=logins,dc=mozilla...
    Getting user list from LDAP o=com,dc=mozilla...
    Found 0 entires
    Getting user list from LDAP o=org,dc=mozilla...
    Found 54 entires
I will investigate in the morning
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
What's your LDAP query look like? I'm not able to reproduce.
the query is pretty simple .. here's the code i'm running:

    print "Getting user list from LDAP $ldap_base...\n";
    my $result = $ldap->search(
        base   => $ldap_base,
        scope  => 'sub',
        filter => '(mail=*)',
        attrs  => ['mail', 'bugzillaEmail', 'emailAlias', 'cn', 'employeeType'],
    );
Hmm. Here's my ldapsearch equivalent:

    ldapsearch -x -D "uid=bind-bmo,ou=logins,dc=mozilla" -w xxxxxxxxxxxx -h ldap.db.scl3.mozilla.com -b "o=org,dc=mozilla" '(mail=*)' cn mail bugzillaEmail emailAlias employeeType

(the xxxxxxxxxxxxx is the password)

Here I get 54 results (for o=org). If I run the same query with -b "o=com,dc=mozilla", I get 839 results. I get identical results when using ldap.db.scl3.mozilla.com or ldap.db.phx1.mozilla.com. If you are using pm-ns.mozilla.org, that should work too as it is a cname to the actual LDAP vip in each datacenter, depending on which DNS server you are using.
ah, my development environment is outside of the moco network, so i'm hitting addressbook.mozilla.com:

    ~$ ldapsearch -D "mail=bjones@mozilla.com,o=com,dc=mozilla" -w xxxxxxxxxxxx -H ldaps://addressbook.mozilla.com/ -b "o=com,dc=mozilla" '(mail=*)' cn mail bugzillaEmail emailAlias employeeType | grep numEntries
    # numEntries: 839

    ~$ ldapsearch -D "uid=bind-bmo,ou=logins,dc=mozilla" -w xxxxxxxxxxxx -H ldaps://addressbook.mozilla.com/ -b "o=com,dc=mozilla" '(mail=*)' cn mail bugzillaEmail emailAlias employeeType
    # extended LDIF
    #
    # LDAPv3
    # base <o=com,dc=mozilla> with scope subtree
    # filter: (mail=*)
    # requesting: cn mail bugzillaEmail emailAlias employeeType
    #

    # search result
    search: 2
    result: 0 Success

    # numResponses: 1

it works correctly from web2.stage.bugs.scl3.mozilla.com, but unfortunately i can't do development on that system.
Ah, that would explain it then. Addressbook is just a proxy and has a different set of ACLs. I'm surprised it works for o=org even. :) For development, do you have VPN access? I also have ldap.mozilla.org that could be used, but it is locked down to specific IP addresses. If you have a permanent IP where you are developing, I can add that to the ACL and have you use that. VPN would be preferred though.
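An added example, not code from this bug or from Mozilla: a small parser for ldapsearch LDIF output that reports the entry count and which requested attributes came back absent, covering the two ACL symptoms in this thread (zero entries when the addressbook proxy applies different ACLs, and attributes a bind user may only search on but not read, as in comment 2). The two sample outputs are constructed; the alice/bob entries and example.com addresses are placeholders.

```python
REQUESTED = ("cn", "mail", "bugzillaEmail", "emailAlias", "employeeType")

def parse_ldif(text):
    """Return (entries, result_code, num_entries); entries = list of dicts."""
    entries, cur, code, num = [], {}, None, 0
    for line in text.splitlines():
        if line.startswith("# numEntries:"):
            num = int(line.split(":", 1)[1])
        if line.startswith("#"):          # LDIF comment / summary line
            continue
        if not line.strip():              # blank line terminates an entry
            if "dn" in cur:               # control blocks have no dn: dropped
                entries.append(cur)
            cur = {}
            continue
        key, _, val = line.partition(":")
        key, val = key.strip(), val.strip()
        if key == "result" and "dn" not in cur:   # e.g. "result: 0 Success"
            code = int(val.split()[0])
        cur.setdefault(key, []).append(val)
    if "dn" in cur:
        entries.append(cur)
    return entries, code, num

def missing_attrs(entries, requested=REQUESTED):
    """Map each requested attribute to how many entries lack it (search-only ACL)."""
    return {a: sum(1 for e in entries if a not in e) for a in requested}

# Constructed sample, modelled on the empty proxy result quoted in the bug.
PROXY_OUTPUT = """search: 2
result: 0 Success
"""

# Constructed sample: two entries, the first lacking the restricted attributes.
DIRECT_OUTPUT = """dn: mail=alice@example.com,o=com,dc=mozilla
cn: Alice Example
mail: alice@example.com
bugzillaEmail: alice@example.com

dn: mail=bob@example.com,o=com,dc=mozilla
cn: Bob Example
mail: bob@example.com
bugzillaEmail: bob@example.com
emailAlias: bob@example.com
employeeType: Staff

search: 2
result: 0 Success
# numEntries: 2
"""
```

A result code of 0 with zero entries is the proxy symptom from comment 12; non-zero counts in `missing_attrs` for emailAlias and employeeType are the search-but-not-read symptom from comment 2, which a plain "Found N entries" line would hide.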
(In reply to Justin Dow [:jabba] from comment #13)
> Ah, that would explain it then. Addressbook is just a proxy and has a
> different set of ACLs. I'm surprised it works for o=org even. :)

sounds like your ACLs need to be updated to prevent that :P

> For development, do you have VPN access?

i do, but establishing it from this VM is somewhat painful, and has been problematic.

> I also have ldap.mozilla.org that could be used, but it is locked down to specific
> IP addresses. If you have a permanent IP where you are developing, I can add that
> to the ACL and have you use that.

i have a static IP, 202.72.161.89, that would be my preferred option.
I added that IP to the ACL and confirmed over irc that things are working now.
Status: REOPENED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Component: Server Operations: Infrastructure → Infrastructure: Other
Product: mozilla.org → Infrastructure & Operations