[SAC] [MOTION] refresh SAC LDAP group: vote to remain !

I know we want the "bus factor" to be high but the current list
of "SAC" members in LDAP doesn't really reflect the reality:

  https://id.osgeo.org/ldap/shell?group=sac

The page should only be visible to SAC members (I think, but please
report here if you can see the page and are NOT in that list).

The list counts 34 people but only a handful of these people wrote
to this mailing list in the last 6 months (ballpark estimate, not
scientifically conducted). Also only 23 are listed as "active members"
here: https://wiki.osgeo.org/wiki/SAC#Active

There's no documented procedure for removing SAC members from the LDAP
group here: https://wiki.osgeo.org/wiki/SAC#Procedures

So I thought maybe we can drop names of all members who do not
reply to this mail with an indication of their LDAP username ?

Please vote for the motion of removing anyone who does not respond
before the end of September 2022 AND write your LDAP username.
I'll start:

  +1 strk

--strk;

  Libre GIS consultant/developer
  https://strk.kbt.io/services.html

On Wed, 7 Sept 2022 at 10:33, Sandro Santilli <strk@kbt.io> wrote:

I know we want the "bus factor" to be high but the current list
of "SAC" members in LDAP doesn't really reflect the reality:

  https://id.osgeo.org/ldap/shell?group=sac

The page should only be visible to SAC members (I think, but please
report here if you can see the page and are NOT in that list).

I can see it but I'm not part of SAC

The list counts 34 people but only a handful of these people wrote
to this mailing list in the last 6 months (ballpark estimate, not
scientifically conducted). Also only 23 are listed as "active members"
here: https://wiki.osgeo.org/wiki/SAC#Active

There's no documented procedure for removing SAC members from the LDAP
group here: https://wiki.osgeo.org/wiki/SAC#Procedures

So I thought maybe we can drop names of all members who do not
reply to this mail with an indication of their LDAP username ?

Please vote for the motion of removing anyone who does not respond
before the end of September 2022 AND write your LDAP username.
I'll start:

  +1 strk

I'm not part of SAC but I support the idea

--strk;

--
ciao
Luca

www.lucadelu.org

On Wed, Sep 07, 2022 at 10:45:27AM +0200, Luca Delucchi wrote:

On Wed, 7 Sept 2022 at 10:33, Sandro Santilli <strk@kbt.io> wrote:
>
> I know we want the "bus factor" to be high but the current list
> of "SAC" members in LDAP doesn't really reflect the reality:
>
> https://id.osgeo.org/ldap/shell?group=sac
>
> The page should only be visible to SAC members (I think, but please
> report here if you can see the page and are NOT in that list).

I can see it but I'm not part of SAC

Thanks, can you also see the checkboxes to delete members and the
input box to add members ?

> The list counts 34 people but only a handful of these people wrote
> to this mailing list in the last 6 months (ballpark estimate, not
> scientifically conducted). Also only 23 are listed as "active members"
> here: https://wiki.osgeo.org/wiki/SAC#Active
>
> There's no documented procedure for removing SAC members from the LDAP
> group here: https://wiki.osgeo.org/wiki/SAC#Procedures
>
> So I thought maybe we can drop names of all members who do not
> reply to this mail with an indication of their LDAP username ?
>
> Please vote for the motion of removing anyone who does not respond
> before the end of September 2022 AND write your LDAP username.
> I'll start:
>
> +1 strk

I'm not part of SAC but I support the idea

Thanks.
Meanwhile I've realized that the "sac" group is documented (and possibly
also used) to grant shell access to osgeo infrastructure, according to the
LDAP group description (maybe we should print that description from
the web python script) but I'm not sure nowadays which hosts really
use that information. Regina might know better.

--strk;

On 2022-09-07 5:32 a.m., Sandro Santilli wrote:

Please vote for the motion of removing anyone who does not respond
before the end of September 2022 AND write your LDAP username.

+1 jmckenna

+1 warmerdam


---------------------------------------+-------------------------------------
I set the clouds in motion - turn up | Frank Warmerdam, warmerdam@pobox.com
light and sound - activate the windows | +1 650-701-7823
and watch the world go round - Rush | Geospatial Software Developer

On Wed, 7 Sept 2022 at 10:33, Sandro Santilli <strk@kbt.io> wrote:
>
> I know we want the "bus factor" to be high but the current list of
> "SAC" members in LDAP doesn't really reflect the reality:
>
> https://id.osgeo.org/ldap/shell?group=sac
>
> The page should only be visible to SAC members (I think, but please
> report here if you can see the page and are NOT in that list).
>

I can see it but I'm not part of SAC

> The list counts 34 people but only a handful of these people wrote to
> this mailing list in the last 6 months (ballpark estimate, not
> scientifically conducted). Also only 23 are listed as "active members"
> here: https://wiki.osgeo.org/wiki/SAC#Active
>
> There's no documented procedure for removing SAC members from the LDAP
> group here: https://wiki.osgeo.org/wiki/SAC#Procedures
>
> So I thought maybe we can drop names of all members who do not reply
> to this mail with an indication of their LDAP username ?
>
> Please vote for the motion of removing anyone who does not respond
> before the end of September 2022 AND write your LDAP username.
> I'll start:
>
> +1 strk

+1 Regina

+1 djay

Le 7 sept. 2022 à 10:32, Sandro Santilli <strk@kbt.io> a écrit :

I know we want the "bus factor" to be high but the current list
of "SAC" members in LDAP doesn't really reflect the reality:

https://id.osgeo.org/ldap/shell?group=sac

The page should only be visible to SAC members (I think, but please
report here if you can see the page and are NOT in that list).

The list counts 34 people but only a handful of these people wrote
to this mailing list in the last 6 months (ballpark estimate, not
scientifically conducted). Also only 23 are listed as "active members"
here: https://wiki.osgeo.org/wiki/SAC#Active

There's no documented procedure for removing SAC members from the LDAP
group here: https://wiki.osgeo.org/wiki/SAC#Procedures

So I thought maybe we can drop names of all members who do not
reply to this mail with an indication of their LDAP username ?

Please vote for the motion of removing anyone who does not respond
before the end of September 2022 AND write your LDAP username.
I'll start:

+1 strk

--strk;

Libre GIS consultant/developer
https://strk.kbt.io/services.html
_______________________________________________
Sac mailing list
Sac@lists.osgeo.org
https://lists.osgeo.org/mailman/listinfo/sac

On Wed, 07. Sep 2022 at 10:32:54 +0200, Sandro Santilli wrote:

Please vote for the motion of removing anyone who does not respond
before the end of September 2022 AND write your LDAP username.
I'll start:

  +1 strk

+1 jef

Jürgen

--
Jürgen E. Fischer norBIT GmbH Tel. +49-4931-918175-31
Dipl.-Inf. (FH) Rheinstraße 13 Fax. +49-4931-918175-50
Software Engineer D-26506 Norden https://www.norbit.de
QGIS release manager (PSC) Germany IRC: jef on Libera|OFTC

On Wed, Sep 7, 2022 at 10:33 AM Sandro Santilli <strk@kbt.io> wrote:

I know we want the "bus factor" to be high but the current list
of "SAC" members in LDAP doesn't really reflect the reality:

  https://id.osgeo.org/ldap/shell?group=sac

The page should only be visible to SAC members (I think, but please
report here if you can see the page and are NOT in that list).

The list counts 34 people but only a handful of these people wrote
to this mailing list in the last 6 months (ballpark estimate, not
scientifically conducted). Also only 23 are listed as "active members"
here: https://wiki.osgeo.org/wiki/SAC#Active

There's no documented procedure for removing SAC members from the LDAP
group here: https://wiki.osgeo.org/wiki/SAC#Procedures

So I thought maybe we can drop names of all members who do not
reply to this mail with an indication of their LDAP username ?

Please vote for the motion of removing anyone who does not respond
before the end of September 2022 AND write your LDAP username.
I'll start:

  +1 strk

--strk;

  Libre GIS consultant/developer
  https://strk.kbt.io/services.html

+1 Markus

--
Markus Neteler, PhD
https://www.mundialis.de - free data with free software
https://grass.osgeo.org
https://courses.neteler.org/blog

I’m on the list and do not need SAC access so you can remove me.

Michael Smith

On Sep 7, 2022, at 4:33 AM, Sandro Santilli <strk@kbt.io> wrote:

I know we want the "bus factor" to be high but the current list
of "SAC" members in LDAP doesn't really reflect the reality:

https://id.osgeo.org/ldap/shell?group=sac

The page should only be visible to SAC members (I think, but please
report here if you can see the page and are NOT in that list).

The list counts 34 people but only a handful of these people wrote
to this mailing list in the last 6 months (ballpark estimate, not
scientifically conducted). Also only 23 are listed as "active members"
here: https://wiki.osgeo.org/wiki/SAC#Active

There's no documented procedure for removing SAC members from the LDAP
group here: https://wiki.osgeo.org/wiki/SAC#Procedures

So I thought maybe we can drop names of all members who do not
reply to this mail with an indication of their LDAP username ?

Please vote for the motion of removing anyone who does not respond
before the end of September 2022 AND write your LDAP username.
I'll start:

+1 strk

--strk;

Libre GIS consultant/developer
https://strk.kbt.io/services.html

________________________________
From: Sac <sac-bounces@lists.osgeo.org> on behalf of Michael Smith <michael.smith.erdc@gmail.com>
Sent: Wednesday, September 7, 2022 12:04 PM
To: System Administration Committee Discussion/OSGeo <sac@lists.osgeo.org>
Subject: Re: [SAC] [MOTION] refresh SAC LDAP group: vote to remain !

I’m on the list and do not need SAC access so you can remove me.

Michael Smith

On Sep 7, 2022, at 4:33 AM, Sandro Santilli <strk@kbt.io> wrote:

I know we want the "bus factor" to be high but the current list
of "SAC" members in LDAP doesn't really reflect the reality:

https://id.osgeo.org/ldap/shell?group=sac

The page should only be visible to SAC members (I think, but please
report here if you can see the page and are NOT in that list).

The list counts 34 people but only a handful of these people wrote
to this mailing list in the last 6 months (ballpark estimate, not
scientifically conducted). Also only 23 are listed as "active members"
here: https://wiki.osgeo.org/wiki/SAC#Active

There's no documented procedure for removing SAC members from the LDAP
group here: https://wiki.osgeo.org/wiki/SAC#Procedures

So I thought maybe we can drop names of all members who do not
reply to this mail with an indication of their LDAP username ?

+1 elil

(I'm on the list but not active so can be removed, there's a logic joke in there somewhere)

Please vote for the motion of removing anyone who does not respond
before the end of September 2022 AND write your LDAP username.
I'll start:

+1 strk

--strk;

Libre GIS consultant/developer
https://strk.kbt.io/services.html

On Wed, Sep 07, 2022 at 08:41:49PM +0000, Eli Adam wrote:

> So I thought maybe we can drop names of all members who do not
> reply to this mail with an indication of their LDAP username ?

+1 elil

(I'm on the list but not active so can be removed, there's a logic joke in there somewhere)

Thanks Eli, I've removed you from that list, but since
you're actually evidently active (as the logic suggests)
maybe you can confirm a bug that suggests you can still
log into the machines ?

  Bug to confirm:
  https://trac.osgeo.org/osgeo/ticket/1786

  List we're cleaning up:
  https://id.osgeo.org/ldap/shell?group=sac

  New bug, just discovered:
  https://trac.osgeo.org/osgeo/ticket/2804
  (Eli, I found you in that other list and removed you from there too)

--strk;

On Wed, Sep 07, 2022 at 03:04:37PM -0400, Michael Smith wrote:

I’m on the list and do not need SAC access so you can remove me.

I don't find "msmitherdc" on that list (shell?group=sac)
but I found you on the other list, supposedly related to
telascience which I think we're not using anymore.
I've removed you from there.

See https://trac.osgeo.org/osgeo/ticket/2804 for the
confusion..

--strk;

I don't find "msmitherdc" on that list (shell?group=sac) but I found you on the
other list, supposedly related to telascience which I think we're not using
anymore.
I've removed you from there.

See https://trac.osgeo.org/osgeo/ticket/2804 for the confusion..

--strk;

You sure telascience is not used anymore. I recall being really puzzled by it and realized it was the true name of (shell or sac)
Or so I thought. But maybe I misread that.

On Wed, Sep 07, 2022 at 06:22:20PM -0400, Regina Obe wrote:

> I don't find "msmitherdc" on that list (shell?group=sac) but I found you on the
> other list, supposedly related to telascience which I think we're not using
> anymore.
> I've removed you from there.
>
> See https://trac.osgeo.org/osgeo/ticket/2804 for the confusion..

You sure telascience is not used anymore.

No, I'm not sure.

We are talking about shell, so I wonder:
which host machines do we have ?

Supposedly this page should tell us:
https://wiki.osgeo.org/wiki/SAC_Service_Status
And it tells us Telascience machines are not used:
https://wiki.osgeo.org/wiki/SAC_Service_Status#Historical_servers_.28not_more_in_use.29

How do current machines decide whether or not to allow
shell access ? Was there a wiki page describing that ?
The Sac_Service_Status mentions in a couple of places:

  "You need to be in the shell group"
  "You must be a member of the OSGeo shell group"

But there's no such thing as a "shell group", rather
we have a "sac" group and a "telascience" group, both
being "common names" (cn) in the "shell" organizational
unit. I don't know how to extract other common names in
that organizational unit (if it makes any sense).

The Sac_Service_Status page also links to
https://id.osgeo.org/ldap/shell when referring to
"the shell group" and that's the "telascience" group.

How are machines allowing shell access via LDAP configured ?
This page seems to mention something and also reveal there's
another group "qgis" in the "shell" organizational unit:

  https://wiki.osgeo.org/wiki/SAC:Standard_System_Setup#Enable_LDAP

That "cn" (qgis) is indeed existing and described as:

  Shell Access for QGIS VM

I found these other wiki pages which may (or may not)
be relevant:

  https://wiki.osgeo.org/wiki/SAC:Security_Groups_Policy

We need to bring all these pages up to date with the new
infrastructure, I suppose.

--strk;

On Wed, Sep 07, 2022 at 06:22:20PM -0400, Regina Obe wrote:
> > I don't find "msmitherdc" on that list (shell?group=sac) but I found
> > you on the other list, supposedly related to telascience which I
> > think we're not using anymore.
> > I've removed you from there.
> >
> > See https://trac.osgeo.org/osgeo/ticket/2804 for the confusion..
>
> You sure telascience is not used anymore.

No, I'm not sure.

Okay I might have only seen it on that page, and assumed that was what shell
is called.
So perhaps it's not used anymore.

We are talking about shell, so I wonder:
which host machines do we have ?

Supposedly this page should tell us:
https://wiki.osgeo.org/wiki/SAC_Service_Status
And it tells us Telascience machines are not used:
https://wiki.osgeo.org/wiki/SAC_Service_Status#Historical_servers_.28not_more_in_use.29

How do current machines decide whether or not to allow shell access ? Was
there a wiki page describing that ?
The Sac_Service_Status mentions in a couple of places:

  "You need to be in the shell group"
  "You must be a member of the OSGeo shell group"

But there's no such thing as a "shell group", rather we have a "sac" group and
a "telascience" group, both being "common names" (cn) in the "shell"
organizational unit. I don't know how to extract other common names in that
organizational unit (if it makes any sense).

The Sac_Service_Status page also links to https://id.osgeo.org/ldap/shell
when referring to "the shell group" and that's the "telascience" group.

How are machines allowing shell access via LDAP configured ?

This is what I have as the setup for the instance images I've been using to
build out the new instances. This is in the /etc/nslcd.conf, which I had
originally copied I think from the old download server.

      base passwd ou=People,dc=osgeo,dc=org
      base shadow ou=People,dc=osgeo,dc=org
      base group ou=Group,dc=osgeo,dc=org
      filter group (&(objectClass=posixGroup)(cn=sac,ou=Shell,dc=osgeo,dc=org))

This page seems to mention something and also reveal there's another group
"qgis" in the "shell" organizational unit:

  https://wiki.osgeo.org/wiki/SAC:Standard_System_Setup#Enable_LDAP

That "cn" (qgis) is indeed existing and described as:

  Shell Access for QGIS VM

QGIS project manages their own servers on Hetzner and we have whitelist rules
in place to allow their servers to authenticate with LDAP. So that all
makes sense.

I found these other wiki pages which may (or may not) be relevant:

  https://wiki.osgeo.org/wiki/SAC:Security_Groups_Policy

We need to bring all these pages up to date with the new infrastructure, I
suppose.

--strk;

Agree needs to be cleaned up.
-- Regina Obe

Am 07.09.22 um 10:32 schrieb Sandro Santilli:

I know we want the "bus factor" to be high but the current list
of "SAC" members in LDAP doesn't really reflect the reality:

   https://id.osgeo.org/ldap/shell?group=sac

The page should only be visible to SAC members (I think, but please
report here if you can see the page and are NOT in that list).

I can access the page, but I am not a SAC member and not on this list. Ldap name: tfr42

As I am in the role of the OSGeo project officer for OSGeo deegree project and some services are hosted by OSGeo I do observe this mailing list and will make use of access rights for the Nexus repo services (see trac issue #2498 for example). Don't know if this is related to the permissions to read that page.

Torsten

The list counts 34 people but only a handful of these people wrote
to this mailing list in the last 6 months (ballpark estimate, not
scientifically conducted). Also only 23 are listed as "active members"
here: https://wiki.osgeo.org/wiki/SAC#Active

There's no documented procedure for removing SAC members from the LDAP
group here: https://wiki.osgeo.org/wiki/SAC#Procedures

So I thought maybe we can drop names of all members who do not
reply to this mail with an indication of their LDAP username ?

Please vote for the motion of removing anyone who does not respond
before the end of September 2022 AND write your LDAP username.
I'll start:

   +1 strk

--strk;

   Libre GIS consultant/developer
   https://strk.kbt.io/services.html

On Wed, Sep 07, 2022 at 07:23:17PM -0400, Regina Obe wrote:

> How are machines allowing shell access via LDAP configured ?

This is what I have as the setup for the instance images I've been using to
build out the new instances. This is in the /etc/nslcd.conf, which I had
originally copied I think from the old download server.

      base passwd ou=People,dc=osgeo,dc=org
      base shadow ou=People,dc=osgeo,dc=org
      base group ou=Group,dc=osgeo,dc=org
      filter group (&(objectClass=posixGroup)(cn=sac,ou=Shell,dc=osgeo,dc=org))

Could you please write this info in this page ?
https://wiki.osgeo.org/wiki/SAC:Standard_System_Setup#Enable_LDAP

From the look of it (cn=sac) none of the people in the
"cn=telascience" group would be allowed to login on those machines.
I verified even the "upload" machine has that entry, so maybe we can
drop the telascience group completely.

--strk;
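
Two checks come up in the messages above: listing the other common names in the "shell" organizational unit with their descriptions, and finding who is in "telascience" but not in "sac". The script below is an added example, not part of the thread and not OSGeo's own tooling, that does both from LDIF. The server URI, the `memberUid` attribute, the function names and the sample entries are assumptions.

```shell
# Added example, not from the thread. Input is LDIF on stdin, for instance from
# (server URI is a placeholder; -LLL drops comments and the version line):
#   ldapsearch -x -LLL -H ldaps://LDAP.EXAMPLE.INVALID -b 'ou=Shell,dc=osgeo,dc=org' '(objectClass=posixGroup)'

# Emits "G<TAB>cn<TAB>count<TAB>description" per group, "M<TAB>cn<TAB>uid" per member.
parse_shell_ldif() {
  awk '
    function emit(    i) {
      if (cn != "") printf "G\t%s\t%d\t%s\n", cn, n, desc
      for (i = 1; cn != "" && i <= n; i++) printf "M\t%s\t%s\n", cn, uid[i]
      cn = ""; desc = ""; n = 0
    }
    function handle(line,    colon, key, val) {
      if (line == "") { emit(); return }     # blank line ends an entry
      colon = index(line, ":"); if (colon == 0) return
      key = tolower(substr(line, 1, colon - 1))
      val = substr(line, colon + 1)
      if (val ~ /^:/) val = "(base64, not decoded)"
      sub(/^ +/, "", val)
      if (key == "cn") cn = val
      else if (key == "description") desc = val
      else if (key == "memberuid") uid[++n] = val
    }
    /^ / { buf = buf substr($0, 2); next }   # folded continuation line
    { handle(buf); buf = $0 }
    END { handle(buf); emit() }
  '
}

# cn, member count and description of every group in the input.
summarize_shell_groups() {
  parse_shell_ldif | awk -F'\t' '$1 == "G" { print $2 "\t" $3 "\t" $4 }'
}

# uids that are in some other group but not in the group named by $1.
members_outside() {
  parse_shell_ldif | awk -F'\t' -v keep="$1" '
    $1 == "M" && $2 == keep { in_keep[$3] = 1; next }
    $1 == "M" { sep = ($3 in other) ? "," : ""; other[$3] = other[$3] sep $2 }
    END { for (u in other) if (!(u in in_keep)) print u "\t" other[u] }
  ' | sort
}

# Constructed sample: uids and the first two descriptions are made up; memberUid is assumed.
sample_ldif() {
  cat <<'EOF'
dn: cn=sac,ou=Shell,dc=osgeo,dc=org
cn: sac
description: Constructed description for the sac group
memberUid: alice
memberUid: bob

dn: cn=telascience,ou=Shell,dc=osgeo,dc=org
cn: telascience
description: Constructed description long enough to be
  folded onto a second line
memberUid: carol

dn: cn=qgis,ou=Shell,dc=osgeo,dc=org
cn: qgis
description: Shell Access for QGIS VM
memberUid: alice
EOF
}
```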

Sandro Santilli wrote:

So I thought maybe we can drop names of all members who do not
reply to this mail with an indication of their LDAP username ?

  +1 martin

--
Unix _IS_ user friendly - it's just selective about who its friends are !
--------------------------------------------------------------------------

+1 wildintellect

On 9/7/22 01:32, Sandro Santilli wrote:

I know we want the "bus factor" to be high but the current list
of "SAC" members in LDAP doesn't really reflect the reality:

   https://id.osgeo.org/ldap/shell?group=sac

The page should only be visible to SAC members (I think, but please
report here if you can see the page and are NOT in that list).

The list counts 34 people but only a handful of these people wrote
to this mailing list in the last 6 months (ballpark estimate, not
scientifically conducted). Also only 23 are listed as "active members"
here: https://wiki.osgeo.org/wiki/SAC#Active

There's no documented procedure for removing SAC members from the LDAP
group here: https://wiki.osgeo.org/wiki/SAC#Procedures

So I thought maybe we can drop names of all members who do not
reply to this mail with an indication of their LDAP username ?

Please vote for the motion of removing anyone who does not respond
before the end of September 2022 AND write your LDAP username.
I'll start:

   +1 strk

--strk;

   Libre GIS consultant/developer
   https://strk.kbt.io/services.html