(Reporter: avillarde, Assigned: rbryce)
5 years ago
Need LDAP service account to use for logging into all our graphs and monitors like graphite and nagios.  This will be used long-term by the NOC.  nocuser uid would be fine.


5 years ago
Assignee: server-ops → rbryce

Comment 1

5 years ago
DN: uid=nocuser,ou=logins,dc=mozilla has been created.  I will work with Albert tomorrow to get this user into proper groups.
Albert, can you give more details on the specific use cases of this account, who will have the credentials, and from where it will be used?

Basically, I have concerns about shared accounts like this, and normally we do it with "allow from" directives in Apache to allow certain hosts access to this data without the need for credentials.

If it's for humans to have a shared login, this is very discouraged, and we should instead create a group and put said humans into it.

So, while we have similar shared accounts like this, they are very few and very far between, and we need to have a good technical reason as to why it needs to be done this way instead of one of the other ways that we more commonly use to bypass LDAP auth for specific purposes.

Also, if we determine that this account has valid reasons, we need to add additional "require user" lines for it explicitly, rather than add it to other groups that might possibly grant access to other systems. For example, if graphite uses the IntranetWiki group to allow logins, we do *not* want this nocuser to be in the IntranetWiki group, as it would grant other unintended access to other systems and can create a pretty serious security risk.

Anywho, please provide more information on this before proceeding and we can discuss the best options.
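The two patterns contrasted above (per-host "allow from" access without credentials, versus an explicit "require user" for a single service account rather than group membership) look roughly like this in Apache 2.2 mod_authnz_ldap syntax. This is an added illustration, not configuration from this bug or from Mozilla's servers; the LDAP host, base DN, display-host IP, and the `/graphite` location are assumed placeholders.

```apacheconf
# Added example (not from the bug): protect a Graphite dashboard with LDAP,
# while letting a fixed NOC display host in without credentials.
<Location /graphite>
    AuthType Basic
    AuthName "Graphite (LDAP)"
    AuthBasicProvider ldap
    # Assumed LDAP server and base DN; match on the uid attribute.
    AuthLDAPURL "ldap://ldap.example.internal/ou=logins,dc=mozilla?uid?sub"
    AuthzLDAPAuthoritative on

    # Pattern 1: host-based bypass. Requests from the NOC display host
    # (assumed address) need no credentials at all; everyone else must auth.
    Order deny,allow
    Deny from all
    Allow from 10.22.0.15
    Satisfy Any

    # Pattern 2: name the service account explicitly. Do NOT do this via
    # "Require ldap-group cn=IntranetWiki,ou=groups,dc=mozilla": adding
    # nocuser to a group reused by other vhosts would silently grant it
    # access there as well.
    Require ldap-user nocuser
    Require ldap-group cn=graphite-users,ou=groups,dc=mozilla
</Location>
```

With `Satisfy Any`, a request passes if either the host allow-list matches or LDAP authentication succeeds, so the display host never needs the shared password and the service account is authorised only where a `Require ldap-user nocuser` line names it. On Apache 2.4 the same intent is expressed with `<RequireAny>` wrapping `Require ip 10.22.0.15` and `Require ldap-user nocuser`.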

We'll need to set up individual accounts for each and every NOC user.

What groups will the NOC employees need to be in?

(In reply to Joe Stevensen [:joes] from comment #3)
> We'll need to setup individual accounts for each and every NOC user.
> What groups will the NOC employees need to be in?

I'm guessing this is for the NOC screens that Albert has been working on, but I'll let him answer in more detail :)

Comment 5

5 years ago
I was working with Albert on this.  This account is just for NOC displays.  Currently, Albert is running this from his desk, but it will ultimately live in the NOC.  My plan was to do as Jabba mentions: explicitly allow the user from Albert's IP to access the tools behind LDAP login.

I think it's done.
Last Resolved: 5 years ago
Resolution: --- → FIXED
Product: → Graveyard