Closed Bug 780317 Opened 12 years ago Closed 9 years ago

MozLDAP - dev & stage & prod servers

Categories

(Infrastructure & Operations :: IT-Managed Tools, task, P1)

Product:
Infrastructure & Operations
Component:
IT-Managed Tools
Platform:
x86
macOS
Type:
task

Tracking

(Not tracked)

Status:
RESOLVED INCOMPLETE

People

(Reporter: peterbe, Unassigned)

References

Details

(Whiteboard: [kanban:https://webops.kanbanize.com/ctrl_board/2/57] [triaged 20120824]) 

We need servers set up for a new Django Playdoh web app called MozLDAP. :jabba has set up a bind user for the LDAP connection thing. 

The Mana page is here:
https://mana.mozilla.org/wiki/display/websites/MozLDAP

The most complicated dependency are the compiled python packages as laid out here:
https://github.com/mozilla/moz-ldap/blob/master/requirements/compiled.txt

The sec review for this app is here:
https://bugzilla.mozilla.org/show_bug.cgi?id=780202

The original bug for the app is here:
https://bugzilla.mozilla.org/show_bug.cgi?id=773691

The app is part of WebDev/WebTools 2012Q3 goals
https://intranet.mozilla.org/2012Q3Goals#Web_Development
Whiteboard: [pending triage]
Depends on: 780202
Priority: -- → P1
Whiteboard: [pending triage] → [triaged 20120824][waiting][appsec]
Hesitant to set up the dev env prior to appsec/opsec review... but will do so if they'd prefer us to do so. :)
Still blocked on this, pending sec-review. I posted a comment in the blocking bug. Sorry!
(In reply to Jake Maul [:jakem] from comment #2)
> Still blocked on this, pending sec-review. I posted a comment in the
> blocking bug. Sorry!

You're a gem! Thanks for helping out with the sec-review "pestering". That is really useful and helpful.
Component: Server Operations: Web Operations → WebOps: IT-Managed Tools
Product: mozilla.org → Infrastructure & Operations
QA Contact: cshields → nmaul
Flags: sec-review?
cleared flag and created a new blocking bug for the opsec side and blocked this bug
Flags: sec-review?
Yay! We're ready to go on this.
Anything I can do to help here?
Flags: needinfo?(nmaul)
Jakem, 

What's the latest on this? Do you think we can have this deployed some time next quarter?
Started deploying this to the generic cluster. Just because I can, I started with the prod service.


TODO, in no particular order:

1) create LDAP bind-user, add LDAP connection info to settings/local.py

2) ??? database ??? - mana page from comment 0 says no, settings/local.py-dist indicates yes

3) ??? memcache ???

4) double-check necessary compiled libs are present... I think they are already

5) DNS (I vote for "mozldap.mozilla.org")

6) Zeus (probably just update SSL cert)

7) Apache config - should probably enforce SSL

8) dev and/or stage setup

9) ??? Chief / Captain-Shove ???

10) New Relic and/or Sentry/ErrorMill
Flags: needinfo?(nmaul)
Whiteboard: [triaged 20120824][waiting][appsec] → [triaged 20120824]
(In reply to Jake Maul [:jakem] from comment #7)
> Started deploying this to the generic cluster. Just because I can, I started
> with the prod service.
> 
> 
> TODO, in no particular order:
> 
> 1) create LDAP bind-user, add LDAP connection info to settings/local.py
> 
:jabba created this UID for me: uid=bind-mozldap,ou=logins,dc=mozilla 
that's what I use for testing locally. Want the password?

> 2) ??? database ??? - mana page from comment 0 says no,
> settings/local.py-dist indicates yes
> 
No database is needed but Django might get grumpy if we don't configure any. 
local.py-dist configures a `:memory:` sqlite database which should work. 

> 3) ??? memcache ???
>
Not needed. Use the LocMemCache as per settings/local.py-dist
 
> 
> 5) DNS (I vote for "mozldap.mozilla.org")
>
I like it!
 
> 6) Zeus (probably just update SSL cert)
> 
> 7) Apache config - should probably enforce SSL
> 
> 8) dev and/or stage setup
> 
> 9) ??? Chief / Captain-Shove ???
>
As you please. I don't forsee upgrading this app very often so if it saves a ton of time, perhaps not bother. 
 
> 10) New Relic and/or Sentry/ErrorMill
Perhaps post-launch. Errormill would definitely be nice and it's so easy to set up in Django.
I completely forgot... the reason this got stalled (after sec-review) was that it requires libldap-2.4, and RHEL6 only has 2.3. We need to poke around and figure out what we can do about that.
Stackato has gone prod... is the version of libldap any better there? That might be the quickest and easiest way to get this unblocked.
Flags: needinfo?(peterbe)
Flags: needinfo?(cturra)
What about the firewall? I thought talking to the ldap.mozilla.com requires VPN or being served behind the firewall.
Flags: needinfo?(peterbe)
external access to ldap is probably a question to run by infra, but i *do* know it's possible - we do it with service now for example. ldap.mozilla.org is an external traffic group.

 $ dig +short ldap.mozilla.org
 63.245.217.122

 $ nslookup 63.245.217.122
 Server:	10.8.75.21
 Address:	10.8.75.21#53


with regards to the version of libldap - is this now something that could be managed within the stackato application container?

122.217.245.63.in-addr.arpa	name = ldap.zlb.phx.mozilla.net.
Flags: needinfo?(cturra)
Is this going to be applicable on dev equally? I mean, is there any difference between the two in terms of deliberate firewall parameters?
Whiteboard: [triaged 20120824] → [kanban:https://kanbanize.com/ctrl_board/4/85] [triaged 20120824]
Whiteboard: [kanban:https://kanbanize.com/ctrl_board/4/85] [triaged 20120824] → [kanban:engops:https://mozilla.kanbanize.com/ctrl_board/6/2598] [kanban:https://kanbanize.com/ctrl_board/4/85] [triaged 20120824]
Whiteboard: [kanban:engops:https://mozilla.kanbanize.com/ctrl_board/6/2598] [kanban:https://kanbanize.com/ctrl_board/4/85] [triaged 20120824] → [kanban:https://kanbanize.com/ctrl_board/4/85] [triaged 20120824]
Whiteboard: [kanban:https://kanbanize.com/ctrl_board/4/85] [triaged 20120824] → [kanban:https://webops.kanbanize.com/ctrl_board/2/57] [triaged 20120824]
Hey folks,

This lost steam a while back because the proposed users for the service found other needs.  However, we now have two services that will find this very useful, and probably more once it's functional.  Specifically, when RelengAPI is hosted outside of the Mozilla network, it will need this support; and TaskCluster needs to improve its authentication story from its existing use of "persona && mail ~= /.*@mozilla.com/"

It's so close!  Sec review is finished, and it looks like a decent amount of thought has gone into how to deploy it.  Can we push it over the finish line in a reasonable amount of time?
Blocks: 1106583
No longer blocks: 1106583
(In reply to Jake Maul [:jakem] from comment #9)
> I completely forgot... the reason this got stalled (after sec-review) was
> that it requires libldap-2.4, and RHEL6 only has 2.3. We need to poke around
> and figure out what we can do about that.

RedHat seems to indicate that RHEL6 now has this library available:

> Install package openldap-2.4.19-15.el6 which provides missing module libldap-2.4.so.2.
Peter, I think this is agreed to be a dead-end now.  Should we just close this bug?
(In reply to Dustin J. Mitchell [:dustin] from comment #16)
> Peter, I think this is agreed to be a dead-end now.  Should we just close
> this bug?

Why? You say you have two projects that need it. And apparently RHEL6 has an openldap package for 2.4.
After talking to Dustin, we've decided to close this bug. 

There are just too many hurdles to make this worthwhile. Having to get additional LDAP credentials for even being able to query mozldap (unrelated to the binduser mozldap uses to actually talk to LDAP) is just too much of a hazzle. Also, setting this up would require some sort of extra cert on the mod_ldap part. 

Dustin will be able to achieve his goals without MozLDAP. He'll be able to take just the inner core of the code (the big LDAP query for employees) and paste it into his project instead. So much less hassle. 

If we one day have a dying need for a web API for Mozilla LDAP we can reopen this bug.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → INCOMPLETE
You need to log in before you can comment on or make changes to this bug.