ReleaseEngineering/How To/Update VPN ACL


If you need to grant or revoke VPN access in order to fulfill a machine loan, please follow these instructions:

  • Navigate to https://ldapadmin1.private.scl3.mozilla.com/manage/
  • Click "Groups" at the top, then "List"
  • Click "Edit" on the "cn=vpn-releng-loan" line item
    • Any user in the list can connect to any host in the list
  • Add a user by starting to type their name and letting autocomplete fill in the rest
    • If the user has multiple LDAP accounts, always prefer the @mozilla.com or @mozillafoundation.org accounts
  • Add a host by clicking "Add" at the bottom of the ipHost section
    • Click the text field that appears, then enter the IP address and click "Generate Hostname from DNS" (allowing you to leave the hostname blank)
    • Note: the Host Address or Network field is normally used with just an IP address. It also accepts CIDR notation for networks, and it can restrict access to certain ports, like "10.1.2.3:22,80,443". Doing that won't allow it to auto-fill the hostname from DNS, so you'll have to enter the hostname manually. Play with it, you'll get the idea.
  • When you are done adding/removing users and hosts as needed, click the big Save button at the bottom of the page to make the change live in LDAP. Always remember that you are writing directly to production LDAP, so if you don't feel comfortable or aren't sure about something, stop and ask.
  • Users will pick up the changes upon their next connection to MozillaVPN (i.e. a disconnect/reconnect might be needed)
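
Because every user in the group can reach every host in the group, it helps to check the ipHost values before clicking Save. The following is an added example, not part of the original wiki page or of Mozilla's LDAP tooling: it parses the three forms the note above describes (bare IP, CIDR, and IP with a port list) and flags broad or malformed entries. It assumes IPv4 only, reads the note as meaning DNS auto-fill works only for a bare IP, and uses a hypothetical `max_addresses` threshold; all sample values other than "10.1.2.3:22,80,443" are constructed.

```python
import ipaddress

def parse_host_entry(entry):
    """Parse one ipHost value: IPv4, IPv4 CIDR, optional ':port,port' suffix."""
    addr, sep, port_text = entry.strip().partition(":")
    ports = None  # None means the entry carries no port restriction
    if sep:
        ports = []
        for p in port_text.split(","):
            if not p.isdigit() or not 1 <= int(p) <= 65535:
                raise ValueError(f"bad port {p!r}")
            ports.append(int(p))
    # strict=True rejects CIDR values with host bits set (this checker's
    # own strictness; the LDAP admin UI may or may not accept them).
    network = ipaddress.IPv4Network(addr, strict=True)
    return {
        "network": network,
        "ports": ports,
        "addresses": network.num_addresses,
        # Assumption: auto-fill from DNS only works for a bare IP address.
        "dns_autofill": "/" not in addr and ports is None,
    }

def review_entries(entries, max_addresses=256):
    """Return (parsed, warnings) for a list of entries about to be saved."""
    parsed, warnings = [], []
    for entry in entries:
        try:
            item = parse_host_entry(entry)
        except ValueError as exc:
            warnings.append(f"{entry}: invalid ({exc})")
            continue
        parsed.append(item)
        if item["addresses"] > max_addresses:
            warnings.append(f"{entry}: exposes {item['addresses']} "
                            "addresses to every user in the group")
        if not item["dns_autofill"]:
            warnings.append(f"{entry}: enter the hostname manually")
    return parsed, warnings

# Constructed sample entries (only the second one appears on the page).
SAMPLE = ["10.1.2.3", "10.1.2.3:22,80,443", "10.1.2.0/24",
          "10.0.0.0/8", "10.1.2.3/24", "10.1.2.3:ssh"]

if __name__ == "__main__":
    for line in review_entries(SAMPLE)[1]:
        print(line)
```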