From 9a27d03af6626355d310444afbc74a7285a901a3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Antoine=20Beaupr=C3=A9?= <anarcat@debian.org>
Date: Mon, 14 Jun 2021 13:47:29 -0400
Subject: [PATCH] how to add a sysadmin in ldap and puppet

---
 howto/ldap.md       | 20 ++++++++++++++++++++
 howto/new-person.md |  4 ++--
 howto/puppet.md     |  9 +++++++++
 3 files changed, 31 insertions(+), 2 deletions(-)

diff --git a/howto/ldap.md b/howto/ldap.md
index b9ea4f53..a8666d09 100644
--- a/howto/ldap.md
+++ b/howto/ldap.md
@@ -236,6 +236,26 @@ Save the file and exit the editor. `ldapvi` will prompt you to confirm
 the changes, you can review with the <kbd>v</kbd> key or save with
 <kbd>y</kbd>.
 
+### Adding/removing an admin
+
+The LDAP administrator group is a special group that is not defined
+through the `supplementaryGid` field, but by adding users into the
+group itself. With `ldapvi` (see above), you need to add a `member:`
+line, for example:
+
+```
+2 cn=LDAP Administrator,ou=users,dc=torproject,dc=org
+objectClass: top
+objectClass: groupOfNames
+cn: LDAP administrator
+member: uid=anarcat,ou=users,dc=torproject,dc=org
+```
+
+To remove the user from the admin group, remove the line.
+
+The group grants the user access to administer LDAP directly, for
+example making any change through `ldapvi`.
+
 ## Searching LDAP
 
 This will load a text editor with a dump of all the users (useful to
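Review bot: "To remove the user from the admin group, remove the line" will fail for the last member, because `objectClass: groupOfNames` requires at least one `member` attribute, so `ldapvi` will reject deleting the final `member:` line on schema grounds; add a sentence saying that the last admin cannot be removed this way (the entry would have to be replaced or a placeholder member kept). The example also uses `cn: LDAP administrator` under a DN spelled `cn=LDAP Administrator`; the two should match so a reader does not wonder which one is correct.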
diff --git a/howto/new-person.md b/howto/new-person.md
index ee4a59ea..f0403e16 100644
--- a/howto/new-person.md
+++ b/howto/new-person.md
@@ -133,8 +133,8 @@ Many of those are granted as part of the routine "core tor membership" admission
 
 Other accounts required for full TPA access:
 
- 1. [ ] LDAP admin access
- 2. [ ] [puppet](howto/puppet) git repository access
+ 1. [ ] [LDAP admin access](howto/ldap#adding-removing-an-admin)
+ 2. [ ] [puppet](howto/puppet#adding-removing-a-global-admin) git repository access
  3. [ ] TPA password manager access (`admin/tor-passwords.git` in gitolite)
  4. [ ] Sunet cloud access (e.g. `Message-ID: <87bm1gb5wk.fsf@nordberg.se>`)
  5. [ ] [Nextcloud](https://nc.torproject.net) admin account
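Review bot: item 2 is labelled "[puppet] git repository access" but now links to `howto/puppet#adding-removing-a-global-admin`, whose body (in this same patch) covers the root SSH key in `profile::admins::key` and the `adm` LDAP group, not access to the Puppet git repository. Either relabel the item to what the target describes (global admin / root access) or keep the repository-access wording and link to the section that actually grants that access.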
diff --git a/howto/puppet.md b/howto/puppet.md
index d5735ecd..39334c7c 100644
--- a/howto/puppet.md
+++ b/howto/puppet.md
@@ -487,6 +487,15 @@ argument from Hiera. This is how the transition to a managed
     operate a change. You can then examine the output and see if the
     change is legitimate or abort the configuration change.
 
+## Adding/removing a global admin
+
+To add a new sysadmin, you need to add their SSH key to the root
+account everywhere. This can be done in the `profile::admins::key`
+field in `hiera/common.yaml`.
+
+You also need to add them to the `adm` group in LDAP, see [adding
+users to a group in LDAP](howto/ldap#adding-removing-users-in-a-group).
+
 ## Troubleshooting
 
 ### Running Puppet by hand and logging
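Review bot: the heading promises "Adding/removing" but the body only describes adding; since `profile::admins::key` places a key on the root account of every host, removal is the step with the higher cost of being forgotten, so add an explicit sentence that offboarding means deleting the key from `profile::admins::key` in `hiera/common.yaml` and removing the user from the `adm` group. The link target `howto/ldap#adding-removing-users-in-a-group` is not added by this patch; confirm that heading exists in `howto/ldap.md`, otherwise the link is dead.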
-- 
GitLab