Re: Bug in account creation process?

2017-04-09 Thread Sam Ruby
On Sat, Apr 8, 2017 at 5:31 PM, Greg Stein  wrote:
>
> I would suggest allowing the LDAP maintainers access to the Whimsy page:
>   cn=apldap,ou=groups,ou=services,dc=apache,dc=org

Done.

This demonstrates two things:

1) It is possible to allow multiple disjoint groups to access a
resource using only HTTPD.

2) There is demand for wider groups to access some of these scripts,
even if only in a degraded (read-only) mode.

My conclusion: there is no "one size fits all" answer to
authentication that fits all tools.  See also:
https://issues.apache.org/jira/browse/WHIMSY-54

- Sam Ruby


Re: Bug in account creation process?

2017-04-08 Thread Craig Russell

> On Apr 8, 2017, at 2:31 PM, Greg Stein  wrote:
> 
> On Fri, Apr 7, 2017 at 1:37 PM, Craig Russell 
> wrote:
>> ...
> 
>> Since there is a fairly big overlap in privileges held by infra and
>> secretary team, I'd be fine with putting all of our infra contractors into
>> the secretary ldap group.
>> 
> 
> I don't think it would be appropriate to place Infra into the secretarial
> team. That starts to conflate logical groups with permissions.
> 
> I would suggest allowing the LDAP maintainers access to the Whimsy page:
>  cn=apldap,ou=groups,ou=services,dc=apache,dc=org
> 
> That is even tighter than what we call "root".

I defer to your better knowledge of how to disconflate logical groups.

Simply put, I trust infra folk with the power to use this whimsy page and the 
advice how to change whimsy to accommodate it.

Craig
> 
> Cheers,
> -g

Craig L Russell
Secretary, Apache Software Foundation
c...@apache.org http://db.apache.org/jdo



Re: Bug in account creation process?

2017-04-08 Thread Greg Stein
On Fri, Apr 7, 2017 at 1:37 PM, Craig Russell 
wrote:
>...

> Since there is a fairly big overlap in privileges held by infra and
> secretary team, I'd be fine with putting all of our infra contractors into
> the secretary ldap group.
>

I don't think it would be appropriate to place Infra into the secretarial
team. That starts to conflate logical groups with permissions.

I would suggest allowing the LDAP maintainers access to the Whimsy page:
  cn=apldap,ou=groups,ou=services,dc=apache,dc=org

That is even tighter than what we call "root".

Cheers,
-g


Re: Bug in account creation process?

2017-04-07 Thread Craig Russell

> On Apr 7, 2017, at 2:13 AM, sebb  wrote:
> 
> On 6 April 2017 at 21:10, Shane Curcuru  wrote:
>> Greg Stein wrote on 4/5/17 9:18 PM:
>>> On Wed, Apr 5, 2017 at 7:53 PM, Craig Russell wrote:
>>>> ...
>>> 
>>>P.S. I think that infra should be authorized to access
>>>https://whimsy.apache.org/secretary/public-names
>>>
>> 
>> +1 with my Whimsy PMC hat, since the data there is merely a reswizzled
>> version of icla data that infra deals with anyway in the account create
>> process.  But up to a PMC member to ensure the right security changes
>> are made.
> 
> In which case maybe access should be granted to ASF members as well
> (or instead, as I think Infra are currently added to members anyway to
> get other karma)
> 
> [BTW: just noticed that only Firefox seems to display the realm, i.e.:
> The site says: “ASF Secretarial Team”
> ]
> 
> Still probably worthwhile changing the entry.

This page is special in that it provides for changing LDAP entries, which is a 
privilege not granted to many groups. I would totally be comfortable with 
anyone in infra having access but not members or pmc chairs in general.

Since there is a fairly big overlap in privileges held by infra and secretary 
team, I'd be fine with putting all of our infra contractors into the secretary 
ldap group. 

Craig
> 
>>> 
>>> 
>>> That is up to the Whimsy PMC, as I see things.
>>> 
>>> To clarify: Whimsy is not an official service provided by Infra. We have
>>> not assigned an SLA to it. It runs on a project VM, and Infra has
>>> provided some minimal support to its operation. This can change, but
>>> that's a separate discussion.
>>> 
>>> So it could certainly be helpful for Infra to have access to that area
>>> (and maybe others), I don't believe Infra is in the position to make
>>> that decision.
>>> 
>>> Cheers,
>>> Greg Stein
>>> Infrastructure Administrator, ASF
>>> 
>> 
>> 
>> --
>> 
>> - Shane
>>  https://www.apache.org/foundation/marks/resources

Craig L Russell
Secretary, Apache Software Foundation
c...@apache.org http://db.apache.org/jdo



Re: Bug in account creation process?

2017-04-07 Thread sebb
On 6 April 2017 at 21:10, Shane Curcuru  wrote:
> Greg Stein wrote on 4/5/17 9:18 PM:
>> On Wed, Apr 5, 2017 at 7:53 PM, Craig Russell wrote:
>>>...
>>
>> P.S. I think that infra should be authorized to access
>> https://whimsy.apache.org/secretary/public-names
>> 
>
> +1 with my Whimsy PMC hat, since the data there is merely a reswizzled
> version of icla data that infra deals with anyway in the account create
> process.  But up to a PMC member to ensure the right security changes
> are made.

In which case maybe access should be granted to ASF members as well
(or instead, as I think Infra are currently added to members anyway to
get other karma)

[BTW: just noticed that only Firefox seems to display the realm, i.e.:
The site says: “ASF Secretarial Team”
]

Still probably worthwhile changing the entry.

>>
>>
>> That is up to the Whimsy PMC, as I see things.
>>
>> To clarify: Whimsy is not an official service provided by Infra. We have
>> not assigned an SLA to it. It runs on a project VM, and Infra has
>> provided some minimal support to its operation. This can change, but
>> that's a separate discussion.
>>
>> So it could certainly be helpful for Infra to have access to that area
>> (and maybe others), I don't believe Infra is in the position to make
>> that decision.
>>
>> Cheers,
>> Greg Stein
>> Infrastructure Administrator, ASF
>>
>
>
> --
>
> - Shane
>   https://www.apache.org/foundation/marks/resources


Re: Bug in account creation process?

2017-04-06 Thread Shane Curcuru
Greg Stein wrote on 4/5/17 9:18 PM:
> On Wed, Apr 5, 2017 at 7:53 PM, Craig Russell wrote:
>>...
> 
> P.S. I think that infra should be authorized to access
> https://whimsy.apache.org/secretary/public-names
> 

+1 with my Whimsy PMC hat, since the data there is merely a reswizzled
version of icla data that infra deals with anyway in the account create
process.  But up to a PMC member to ensure the right security changes
are made.

> 
> 
> That is up to the Whimsy PMC, as I see things.
> 
> To clarify: Whimsy is not an official service provided by Infra. We have
> not assigned an SLA to it. It runs on a project VM, and Infra has
> provided some minimal support to its operation. This can change, but
> that's a separate discussion.
> 
> So it could certainly be helpful for Infra to have access to that area
> (and maybe others), I don't believe Infra is in the position to make
> that decision.
> 
> Cheers,
> Greg Stein
> Infrastructure Administrator, ASF
> 


-- 

- Shane
  https://www.apache.org/foundation/marks/resources


Re: Bug in account creation process?

2017-04-05 Thread Sam Ruby
On Wed, Apr 5, 2017 at 9:18 PM, Greg Stein  wrote:
> On Wed, Apr 5, 2017 at 7:53 PM, Craig Russell 
> wrote:
>>...
>
>> P.S. I think that infra should be authorized to access
>> https://whimsy.apache.org/secretary/public-names
>
> That is up to the Whimsy PMC, as I see things.
>
> To clarify: Whimsy is not an official service provided by Infra. We have
> not assigned an SLA to it. It runs on a project VM, and Infra has provided
> some minimal support to its operation. This can change, but that's a
> separate discussion.
>
> So it could certainly be helpful for Infra to have access to that area (and
> maybe others), I don't believe Infra is in the position to make that
> decision.

Greg is correct; but it is a very reasonable request.  The relevant
part of the configuration is here:

https://github.com/apache/infrastructure-puppet/blob/6a6c9f01a33cd10f1e36482d3b9c6a4bb4c73fbf/data/nodes/whimsy-vm3.apache.org.yaml#L163

The simplest solution would be to add people who already have root
authority anyway to the asf-secretary ldap group, much like we already
do to the members group.  Incidentally, that IS a decision that the
Infra team can choose to make, but should choose to do so in
consultation with the ASF Secretary, not the Whimsy PMC.

> Cheers,
> Greg Stein
> Infrastructure Administrator, ASF

- Sam Ruby


Re: Bug in account creation process?

2017-04-05 Thread Greg Stein
On Wed, Apr 5, 2017 at 7:53 PM, Craig Russell 
wrote:
>...

> P.S. I think that infra should be authorized to access
> https://whimsy.apache.org/secretary/public-names


That is up to the Whimsy PMC, as I see things.

To clarify: Whimsy is not an official service provided by Infra. We have
not assigned an SLA to it. It runs on a project VM, and Infra has provided
some minimal support to its operation. This can change, but that's a
separate discussion.

So it could certainly be helpful for Infra to have access to that area (and
maybe others), I don't believe Infra is in the position to make that
decision.

Cheers,
Greg Stein
Infrastructure Administrator, ASF


Re: Bug in account creation process?

2017-04-05 Thread Craig Russell
Hi Pono,

> On Apr 5, 2017, at 4:45 PM, Pono Takamori  wrote:
> 
> This was a previous bug in acreq which has since been fixed.  I manually
> created these accounts and forgot to update iclas.txt with their
> corresponding availids.  I've fixed iclas.txt after verifying the ldap
> accounts.
> The only problem is that Ray DeCampo has 2 accounts, the first rdecampo
> created 20090519 and the second rdecampo created 20170125.  As it stands
> his ICLA only holds the rdecampo uid.

The raydecampo id needs to be removed from LDAP. [1] is the email from January.

Thanks,

Craig

P.S. I think that infra should be authorized to access 
https://whimsy.apache.org/secretary/public-names

[1]
>>> 
>>> On Jan 27, 2017, at 4:57 PM, Craig Russell  wrote:
>>> 
>>> Hi Pono,
>>> 
>>> Can you please update records to associate rdecampo with the new email 
>>> address? No sense in creating another id when there is already one that 
>>> just needs email reset.
>>> 
>>> Thanks,
>>> 
>>> Craig
>>> 
>>>> On Jan 27, 2017, at 2:50 PM, Raymond DeCampo wrote:
>>>>
>>>> Thanks Craig everything seems to be working so far.
>>>>
>>>> Sorry about the confusion with the old account (rdecampo), I did not
>>>> realize that account could be used in this context.  (I am also not
>>>> certain I could get access to it.)
>>>>
>>>> It might be best to deactivate it, I certainly don't need two accounts.
>>>>
>>>>
>>>> On Wed, Jan 25, 2017 at 9:16 AM, Craig L Russell wrote:
>>>>> Prospective userid: raydecampo
>>>>> Full name: Raymond DeCampo
>>>>> Forwarding email address: r...@decampo.org
>>>>>
>>>>> Vote reference:
>>>>> https://lists.apache.org/thread.html/6c4bba5eef667086d526d7bce692a622f4904e5305ab1cfbfdfc902f@%3Cprivate.commons.apache.org%3E
>>>>>
>>>>> --
>>>>> Submitted by https://whimsy.apache.org/secmail/
>>>>> From 115.151.231.66.in-addr.arpa domain name pointer 66-231-151-115.apt.gru.net.
>>>>> Using Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/602.4.8 (KHTML, like Gecko) Version/10.0.3 Safari/602.4.8
>>>>>
 
Craig L Russell
Secretary, Apache Software Foundation
c...@apache.org http://db.apache.org/jdo




> 
> On Wed, Apr 5, 2017 at 5:27 PM, Craig Russell 
> wrote:
> 
>> Hi Chris,
>> 
>> Sorry about that. /me assumes everyone in infra can see what i can see.
>> And I don't know how to grant permission. :(
>> 
>> These are the accounts that I believe are simply missing the proper
>> availid in the iclas.txt file. I figured you folks wanted to investigate
>> why this happened. I'm happy to simply add the missing availid if you don't
>> want to hone your forensic skills.
>> 
>> Craig
>> 
>> Only in LDAP
>> id               cn                     mail
>> codingcat        Nan Zhu                zhunanmcg...@gmail.com
>> jeremydyer       Jeremy Dyer            jdy...@gmail.com
>> kirk-pepperdine  Kirk Pepperdine        kirk.pepperd...@gmail.com
>> nswamy           Naveen Swamy           mnnav...@gmail.com
>> pluskid          Chiyuan Zhang          plus...@gmail.com
>> raydecampo       Raymond DeCampo        r...@decampo.org
>> rmonk            Richard Monk           rm...@redhat.com
>> sdutry           Stefaan Dutry          stefaan.du...@gmail.com
>> testsebb         Test Sebastian Bazley  sebbaz+t...@gmail.com
>> zihaolucky       Zihao Zheng            zihaolu...@gmail.com
>> 
>> 
>> 
>> On Apr 5, 2017, at 4:19 PM, Chris Lambertus  wrote:
>> 
>> I don’t have access to that URL. If you or Sam or whomever can grant it, I
>> can investigate further.
>> 
>> Presuming you’re referring to the iclas.txt notinavailid issue, that
>> wasn’t what I was specifically going to fix, but I mentioned it to Pono
>> just now, and we’re looking into it. My fix involves updating the accounts
>> in LDAP with a correct surname field where currently it is the uid. Copying
>> private@infra so Pono can see the thread. Dunno if he’s on dev@whimsical.
>> 
>> -Chris
>> 
>> 
>> 
>> On Apr 5, 2017, at 3:28 PM, Craig Russell 
>> wrote:
>> 
>> Hi Chris,
>> 
>> If I understand your message, you are going to go through the list of
>> accounts in https://whimsy.apache.org/secretary/public-names that are marked as Only in
>> LDAP and synchronize that with iclas.txt.
>> 
>> Please confirm.
>> 
>> Regards,
>> 
>> Craig
>> 
>> On Apr 4, 2017, at 7:58 PM, Chris Lambertus  wrote:
>> 
>> 
>> On Apr 4, 2017, at 4:38 PM, sebb wrote:
>> 
>> There are some other issues with the sn field:
>> 
>> 
>> 
>> I don’t see any issues in your output. To improve LDAP tooling and
>> functionality as we bring more LDA

Re: Bug in account creation process?

2017-04-05 Thread Pono Takamori
This was a previous bug in acreq which has since been fixed.  I manually
created these accounts and forgot to update iclas.txt with their
corresponding availids.  I've fixed iclas.txt after verifying the ldap
accounts.
The only problem is that Ray DeCampo has 2 accounts, the first rdecampo
created 20090519 and the second rdecampo created 20170125.  As it stands
his ICLA only holds the rdecampo uid.

On Wed, Apr 5, 2017 at 5:27 PM, Craig Russell 
wrote:

> Hi Chris,
>
> Sorry about that. /me assumes everyone in infra can see what i can see.
> And I don't know how to grant permission. :(
>
> These are the accounts that I believe are simply missing the proper
> availid in the iclas.txt file. I figured you folks wanted to investigate
> why this happened. I'm happy to simply add the missing availid if you don't
> want to hone your forensic skills.
>
> Craig
>
> Only in LDAP
> id               cn                     mail
> codingcat        Nan Zhu                zhunanmcg...@gmail.com
> jeremydyer       Jeremy Dyer            jdy...@gmail.com
> kirk-pepperdine  Kirk Pepperdine        kirk.pepperd...@gmail.com
> nswamy           Naveen Swamy           mnnav...@gmail.com
> pluskid          Chiyuan Zhang          plus...@gmail.com
> raydecampo       Raymond DeCampo        r...@decampo.org
> rmonk            Richard Monk           rm...@redhat.com
> sdutry           Stefaan Dutry          stefaan.du...@gmail.com
> testsebb         Test Sebastian Bazley  sebbaz+t...@gmail.com
> zihaolucky       Zihao Zheng            zihaolu...@gmail.com
>
>
>
> On Apr 5, 2017, at 4:19 PM, Chris Lambertus  wrote:
>
> I don’t have access to that URL. If you or Sam or whomever can grant it, I
> can investigate further.
>
> Presuming you’re referring to the iclas.txt notinavailid issue, that
> wasn’t what I was specifically going to fix, but I mentioned it to Pono
> just now, and we’re looking into it. My fix involves updating the accounts
> in LDAP with a correct surname field where currently it is the uid. Copying
> private@infra so Pono can see the thread. Dunno if he’s on dev@whimsical.
>
> -Chris
>
>
>
> On Apr 5, 2017, at 3:28 PM, Craig Russell 
> wrote:
>
> Hi Chris,
>
> If I understand your message, you are going to go through the list of
> accounts in https://whimsy.apache.org/secretary/public-names that are marked as Only in
> LDAP and synchronize that with iclas.txt.
>
> Please confirm.
>
> Regards,
>
> Craig
>
> On Apr 4, 2017, at 7:58 PM, Chris Lambertus  wrote:
>
>
> On Apr 4, 2017, at 4:38 PM, sebb wrote:
>
> There are some other issues with the sn field:
>
>
>
> I don’t see any issues in your output. To improve LDAP tooling and
> functionality as we bring more LDAP-based services online, I fixed the
> ap-adduser script to add a valid givenName and sn to new accounts based on
> extracted values of $FULLNAME (cn.) This only affects accounts created
> after the script change. I’m in the process of verifying that there are no
> unexpected consequences, then will re-populate the remaining sn attributes
> for older accounts with their valid surname. Prior to my change, the script
> inserted the uid as the sn for unknown reasons.
>
> I am aware of one case of a user with no apparent surname. The adduser
> changes will not affect old accounts. New accounts which arrive with a
> single name will be rejected and will need to be manually processed.
>
> Users in LDAP with no valid surname will not have their sn field modified
> (i.e. they will remain $uid.)
>
> -Chris
>
>
> Craig L Russell
> Secretary, Apache Software Foundation
> c...@apache.org http://db.apache.org/jdo
>
>
>
> Craig L Russell
> Secretary, Apache Software Foundation
> c...@apache.org http://db.apache.org/jdo
>
>


Re: Bug in account creation process?

2017-04-05 Thread Craig Russell
Hi Chris,

Sorry about that. /me assumes everyone in infra can see what i can see. And I 
don't know how to grant permission. :(

These are the accounts that I believe are simply missing the proper availid in 
the iclas.txt file. I figured you folks wanted to investigate why this 
happened. I'm happy to simply add the missing availid if you don't want to hone 
your forensic skills.

Craig

Only in LDAP

id               cn                     mail
codingcat        Nan Zhu                zhunanmcg...@gmail.com
jeremydyer       Jeremy Dyer            jdy...@gmail.com
kirk-pepperdine  Kirk Pepperdine        kirk.pepperd...@gmail.com
nswamy           Naveen Swamy           mnnav...@gmail.com
pluskid          Chiyuan Zhang          plus...@gmail.com
raydecampo       Raymond DeCampo        r...@decampo.org
rmonk            Richard Monk           rm...@redhat.com
sdutry           Stefaan Dutry          stefaan.du...@gmail.com
testsebb         Test Sebastian Bazley  sebbaz+t...@gmail.com
zihaolucky       Zihao Zheng            zihaolu...@gmail.com



> On Apr 5, 2017, at 4:19 PM, Chris Lambertus  wrote:
> 
> I don’t have access to that URL. If you or Sam or whomever can grant it, I 
> can investigate further.
> 
> Presuming you’re referring to the iclas.txt notinavailid issue, that wasn’t 
> what I was specifically going to fix, but I mentioned it to Pono just now, 
> and we’re looking into it. My fix involves updating the accounts in LDAP with 
> a correct surname field where currently it is the uid. Copying private@infra 
> so Pono can see the thread. Dunno if he’s on dev@whimsical.
> 
> -Chris
> 
> 
> 
>> On Apr 5, 2017, at 3:28 PM, Craig Russell wrote:
>> 
>> Hi Chris,
>> 
>> If I understand your message, you are going to go through the list of 
>> accounts in https://whimsy.apache.org/secretary/public-names that are marked as Only 
>> in LDAP and synchronize that with iclas.txt.
>> 
>> Please confirm.
>> 
>> Regards,
>> 
>> Craig
>> 
>>> On Apr 4, 2017, at 7:58 PM, Chris Lambertus wrote:
>>> 
>>> 
>>>> On Apr 4, 2017, at 4:38 PM, sebb wrote:
>>>> 
>>>> There are some other issues with the sn field:
>>> 
>>> 
>>> I don’t see any issues in your output. To improve LDAP tooling and 
>>> functionality as we bring more LDAP-based services online, I fixed the 
>>> ap-adduser script to add a valid givenName and sn to new accounts based on 
>>> extracted values of $FULLNAME (cn.) This only affects accounts created 
>>> after the script change. I’m in the process of verifying that there are no 
>>> unexpected consequences, then will re-populate the remaining sn attributes 
>>> for older accounts with their valid surname. Prior to my change, the script 
>>> inserted the uid as the sn for unknown reasons.
>>> 
>>> I am aware of one case of a user with no apparent surname. The adduser 
>>> changes will not affect old accounts. New accounts which arrive with a 
>>> single name will be rejected and will need to be manually processed.
>>> 
>>> Users in LDAP with no valid surname will not have their sn field modified 
>>> (i.e. they will remain $uid.)
>>> 
>>> -Chris
>>> 
>> 
>> Craig L Russell
>> Secretary, Apache Software Foundation
>> c...@apache.org http://db.apache.org/jdo
> 

Craig L Russell
Secretary, Apache Software Foundation
c...@apache.org  http://db.apache.org/jdo 



Re: Bug in account creation process?

2017-04-05 Thread Chris Lambertus
I don’t have access to that URL. If you or Sam or whomever can grant it, I can 
investigate further.

Presuming you’re referring to the iclas.txt notinavailid issue, that wasn’t 
what I was specifically going to fix, but I mentioned it to Pono just now, and 
we’re looking into it. My fix involves updating the accounts in LDAP with a 
correct surname field where currently it is the uid. Copying private@infra so 
Pono can see the thread. Dunno if he’s on dev@whimsical.

-Chris



> On Apr 5, 2017, at 3:28 PM, Craig Russell  wrote:
> 
> Hi Chris,
> 
> If I understand your message, you are going to go through the list of 
> accounts in https://whimsy.apache.org/secretary/public-names that are marked as Only 
> in LDAP and synchronize that with iclas.txt.
> 
> Please confirm.
> 
> Regards,
> 
> Craig
> 
>> On Apr 4, 2017, at 7:58 PM, Chris Lambertus wrote:
>> 
>> 
>>> On Apr 4, 2017, at 4:38 PM, sebb wrote:
>>> 
>>> There are some other issues with the sn field:
>> 
>> 
>> I don’t see any issues in your output. To improve LDAP tooling and 
>> functionality as we bring more LDAP-based services online, I fixed the 
>> ap-adduser script to add a valid givenName and sn to new accounts based on 
>> extracted values of $FULLNAME (cn.) This only affects accounts created after 
>> the script change. I’m in the process of verifying that there are no 
>> unexpected consequences, then will re-populate the remaining sn attributes 
>> for older accounts with their valid surname. Prior to my change, the script 
>> inserted the uid as the sn for unknown reasons.
>> 
>> I am aware of one case of a user with no apparent surname. The adduser 
>> changes will not affect old accounts. New accounts which arrive with a 
>> single name will be rejected and will need to be manually processed.
>> 
>> Users in LDAP with no valid surname will not have their sn field modified 
>> (i.e. they will remain $uid.)
>> 
>> -Chris
>> 
> 
> Craig L Russell
> Secretary, Apache Software Foundation
> c...@apache.org http://db.apache.org/jdo





Re: Bug in account creation process?

2017-04-05 Thread Craig Russell
Hi Chris,

If I understand your message, you are going to go through the list of accounts 
in https://whimsy.apache.org/secretary/public-names that are marked as Only in 
LDAP and synchronize that with iclas.txt.

Please confirm.

Regards,

Craig

> On Apr 4, 2017, at 7:58 PM, Chris Lambertus  wrote:
> 
> 
>> On Apr 4, 2017, at 4:38 PM, sebb wrote:
>> 
>> There are some other issues with the sn field:
> 
> 
> I don’t see any issues in your output. To improve LDAP tooling and 
> functionality as we bring more LDAP-based services online, I fixed the 
> ap-adduser script to add a valid givenName and sn to new accounts based on 
> extracted values of $FULLNAME (cn.) This only affects accounts created after 
> the script change. I’m in the process of verifying that there are no 
> unexpected consequences, then will re-populate the remaining sn attributes 
> for older accounts with their valid surname. Prior to my change, the script 
> inserted the uid as the sn for unknown reasons.
> 
> I am aware of one case of a user with no apparent surname. The adduser 
> changes will not affect old accounts. New accounts which arrive with a single 
> name will be rejected and will need to be manually processed.
> 
> Users in LDAP with no valid surname will not have their sn field modified 
> (i.e. they will remain $uid.)
> 
> -Chris
> 

Craig L Russell
Secretary, Apache Software Foundation
c...@apache.org  http://db.apache.org/jdo 



Re: Bug in account creation process?

2017-04-04 Thread Chris Lambertus

> On Apr 4, 2017, at 4:38 PM, sebb  wrote:
> 
> There are some other issues with the sn field:


I don’t see any issues in your output. To improve LDAP tooling and 
functionality as we bring more LDAP-based services online, I fixed the 
ap-adduser script to add a valid givenName and sn to new accounts based on 
extracted values of $FULLNAME (cn.) This only affects accounts created after 
the script change. I’m in the process of verifying that there are no unexpected 
consequences, then will re-populate the remaining sn attributes for older 
accounts with their valid surname. Prior to my change, the script inserted the 
uid as the sn for unknown reasons.

I am aware of one case of a user with no apparent surname. The adduser changes 
will not affect old accounts. New accounts which arrive with a single name will 
be rejected and will need to be manually processed.

Users in LDAP with no valid surname will not have their sn field modified (i.e. 
they will remain $uid.)

-Chris





Re: Bug in account creation process?

2017-04-04 Thread sebb
On 4 April 2017 at 20:35, Craig Russell  wrote:
> There are a number of "Only in LDAP" entries here: 
> https://whimsy.apache.org/secretary/public-names

I cannot access that; seems to be secretary role only.

>
> I looked at the first couple and it seems that iclas.txt was never updated 
> from notinavail to the apache id.
>
> Is this the result of a broken account creation process?

There are some other issues with the sn field:

$ ldapsearch -x -LLL -s one -b ou=people,dc=apache,dc=org \
    '(createTimestamp>=2017040100Z)' uid sn givenName cn

dn: uid=saguziel,ou=people,dc=apache,dc=org
uid: saguziel
cn: Alex Guziel
sn: saguziel
givenName: Alex

dn: uid=reddycharan,ou=people,dc=apache,dc=org
uid: reddycharan
cn: Charan Reddy G
sn: reddycharan
givenName: Charan

...

dn: uid=jxue,ou=people,dc=apache,dc=org
uid: jxue
cn: Junkai Xue
sn: Xue
givenName: Junkai

dn: uid=bqiu,ou=people,dc=apache,dc=org
uid: bqiu
cn: Ben Qiu
givenName: Ben
sn: Qiu

Note that the first two entries have sn == uid whereas sn is normally
part of cn.

> Craig L Russell
> Secretary, Apache Software Foundation
> c...@apache.org http://db.apache.org/jdo
>
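
An added example, not code from this thread or from ASF infra: a Python audit of `ldapsearch -LLL` output that flags entries whose `sn` equals the `uid` (the pattern in the message above) and sets single-name entries aside for manual processing, as described in Chris Lambertus's reply. The sample LDIF is constructed (the last two entries are made up), and taking the last word of `cn` as a candidate surname is an assumption, not the rule ap-adduser uses.

```python
import base64

# Constructed sample shaped like `ldapsearch -LLL` output. The first three
# entries reuse values quoted in the thread (one cn folded by hand); the last
# two are made up, including a base64 ("::") value for a non-ASCII name.
B64_CN = base64.b64encode("José Núñez".encode("utf-8")).decode("ascii")
SAMPLE_LDIF = f"""\
dn: uid=saguziel,ou=people,dc=apache,dc=org
uid: saguziel
cn: Alex Guziel
sn: saguziel
givenName: Alex

dn: uid=reddycharan,ou=people,dc=apache,dc=org
uid: reddycharan
cn: Charan Red
 dy G
sn: reddycharan
givenName: Charan

dn: uid=jxue,ou=people,dc=apache,dc=org
uid: jxue
cn: Junkai Xue
sn: Xue
givenName: Junkai

dn: uid=exnunez,ou=people,dc=example,dc=org
uid: exnunez
cn:: {B64_CN}
sn: exnunez

dn: uid=exmono,ou=people,dc=example,dc=org
uid: exmono
cn: Example
sn: exmono
"""

def parse_ldif(text):
    """Parse LDIF text into a list of {attribute: [values]} dicts."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:    # RFC 2849 folded line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:                # sentinel flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):            # "attr:: base64" (non-ASCII value)
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        current.setdefault(attr, []).append(value.strip())
    return entries

def audit(text):
    """Return (uid, status, candidate_sn) for every entry in the LDIF text."""
    out = []
    for e in parse_ldif(text):
        uid, cn, sn = (e.get(k, [""])[0] for k in ("uid", "cn", "sn"))
        words = cn.split()
        folded = [w.casefold() for w in words]
        if len(words) < 2:                   # single name: manual processing
            out.append((uid, "single-name", None))
        elif sn and all(w.casefold() in folded for w in sn.split()):
            out.append((uid, "ok", None))    # sn is part of cn
        elif sn.casefold() == uid.casefold():
            # Assumption: last word of cn is only a candidate for human review.
            out.append((uid, "sn-is-uid", words[-1]))
        else:
            out.append((uid, "sn-mismatch", None))
    return out

if __name__ == "__main__":
    for row in audit(SAMPLE_LDIF):
        print(row)
```

The candidate `G` produced for `reddycharan` shows why the proposed surname has to be reviewed by a person before any `sn` attribute is rewritten.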


Bug in account creation process?

2017-04-04 Thread Craig Russell
There are a number of "Only in LDAP" entries here: 
https://whimsy.apache.org/secretary/public-names

I looked at the first couple and it seems that iclas.txt was never updated from 
notinavail to the apache id.

Is this the result of a broken account creation process? 

Craig L Russell
Secretary, Apache Software Foundation
c...@apache.org http://db.apache.org/jdo