Opened 12 months ago

Last modified 6 months ago

#32519 new defect

improve user onboard/offboarding procedures

Reported by: anarcat Owned by: tpa
Priority: Medium Milestone:
Component: Internal Services/Tor Sysadmin Team Version:
Severity: Normal Keywords:
Cc: gaba Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description (last modified by anarcat)

while working on the nextcloud project, we realized it wasn't exactly trivial to setup the LDAP bridge because of our specific requirements (no direct connexion, offline support). so we just didn't implement it yet (#32332). i added a note about this in the retire a user procedure, but then i realized there are probably many other such services that do *not* connect with LDAP.

On the top of my head, there's at least Trac and mailing lists, for example, which are managed completely separarely. Audit org/operations/services and see which services are manager manually and which aren't. Those services have been identified as particularly out of sync:

  •, see also #33109
  • email, see also #32558
  • IRC, the @tor-tpomember group
  • Nagios contacts (almost cleaned up, but will still need checking for sysadmins arriving/departing)
  • Nextcloud (#32332)
  •, see #34036 for an example audit

That list is not exhaustive.

Then make sure there's an automated way to add/remove users to services, either by hooking up the service with LDAP, or by creating a wrapper script that will manage those accesses.

So the following needs to be done here:

Note that the two pages have different scope: new-person is about TSA while retire-a-user is broader. This should also be converged, probably in the broader sense.

Also note that a particularly tricky situation is when we want to do a *partial* removal. For example, maybe the person needs to be removed from tor-internal, but keep access to some servers. Or removed from server, but keep an email alias.

The latter case is especially sensitive: some people feel keeping their email alias around forever is an inalienable right and that we should keep forwarding their email even after they are fully retired from Tor. This policy needs to be clarified, see #32558 for that particularly tricky problem.

Child Tickets

#32332newnextcloud-admin@torproject.orgSet up LDAP authn for nc.tpnInternal Services/Service - nextcloud
#32558newtpaclarify what happens to email when we retire a userInternal Services/Tor Sysadmin Team

Change History (12)

comment:1 Changed 12 months ago by anarcat

Description: modified (diff)

mention the new person page as well

comment:2 Changed 12 months ago by gaba

Cc: gaba added

comment:3 Changed 12 months ago by anarcat

Description: modified (diff)

create #32558 to followup on the email problem, and expand on that.

comment:4 Changed 11 months ago by arma

"the blog" is another service with its own accounts

comment:5 Changed 11 months ago by arma

and another is the @tor-tpomember irc group.

comment:6 Changed 7 months ago by anarcat

i started working on a fabric script to audit LDAP. i needed to implement something to talk with LDAP anyways so it made sense to start there.

this, for example, will check the EXAMPLE user:

fab  -H user.audit-ldap --user=EXAMPLE

a real-world example:

$ fab  -H user.audit-ldap --user=anarcat
ldaps:// LDAP password for uid=anarcat,ou=users,dc=torproject,dc=org: 
uid	flags	groups
anarcat	ldap-admin,login-everywhere	adm,torproject
WARNING:root:ldap-admin: has root and LDAP admin (adm group)
WARNING:root:login-everywhere: has SSH access everywhere (torproject group)

Those two WARNING lines are "flags" that are hardcoded in the code, which currently warns about about certain special groups or abnormal conditions. the idea is to have various audit tools that would raise certain "flags" like this. those, in turn, could become "actions" (like remove someone from a group or reset a password), specific to those flags.

comment:7 Changed 6 months ago by anarcat is one of those services that has been suffering from neglect in this process as well.

comment:8 Changed 6 months ago by anarcat

Description: modified (diff)

regroup the list of services in the description explicitely.

comment:9 Changed 6 months ago by anarcat

Description: modified (diff)

comment:10 Changed 6 months ago by anarcat

Description: modified (diff)

comment:11 Changed 6 months ago by ggus

Please, add blog account policy -

comment:12 in reply to:  11 Changed 6 months ago by anarcat

Description: modified (diff)

Replying to ggus:

Please, add blog account policy -

added to summary, thanks!

Note: See TracTickets for help on using tickets.