[Labs-l] Renaming labs/gerrit users

[Ryan Lane]

On Thu, Aug 29, 2013 at 3:25 AM, Antoine Musso <hashar+wmf at free.fr> wrote:

> Le 28/08/13 23:38, Ryan Lane a écrit :
> > Not without having 3 unique attributes, which is incredibly painful. If
> > you want your git username to be your full name, then use your fullname
> > as your wikitech/gerrit username.
>
> Well we already have uid, sn and cn:
>
>  uid: hashar
>  sn: hashar
>  cn: Hashar
>
> Or for you:
>
>  uid: laner
>  sn: laner
>  cn: Ryan Lane
>
>
sn isn't actually used for anything. inetorgperson requires sn be set
(which is stupid), so it's set. It isn't unique and we could set it to
anything we want.


> Some entries even have a displayName entry which seems to be used by
> gitblit.
>
> Gerrit has:
>
>   # Query to search a user account
>   accountPattern = (&(objectClass=person)(cn=${username}))
>   # The full name field
>   accountFullName = cn
>
> The default Gerrit value for accountFullName is displayName, though that
> is not apparently populated for everyone, it is for a bunch of accounts
> already and I guess that will solve the issue.
>
>
displayName surely shouldn't be set. If it is then it is set by accident
and we should remove the attribute from the account in question.

If we allow people to set their displayName it could be used to impersonate
others, unless we force it to be unique and check it against cn as well,
and that *still* doesn't mean it can't be used to impersonate others.

If someone signs up for an account using "Ryan Lane." we can simply block
the account. If someone briefly changes their displayName to that to sneak
in a change, then changes it back afterwards it's much harder to detect.

Past just that, ensuring unique attributes is hard and having 3 of them is
simply insane.

- Ryan

- Ryan
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.wikimedia.org/pipermail/labs-l/attachments/20130829/cf81626b/attachment.html>