[13:32:27] <jbond>	 hi o11y, wanted to pint out the following https://phabricator.wikimedia.org/T286716#7224351.  tl;dr the cloud idp service now proxies authentication to the production idp services so no need to create a local account on idp01
[13:34:40] <lmata>	 Thanks
[13:35:02] <lmata>	 I’ll add it to our things to chat about in our upcoming team meet
[13:36:55] <jbond>	 lmata: ack sounds good, im not sure how much its used but i know godog was playing with it a bit
[13:46:33] <godog>	 jbond: that's super cool and useful, thank you!
[13:46:46] <godog>	 definitely a plus not to have to setup users
[13:48:01] <godog>	 mmhh I'm getting unauthorized messages when trying to browse e.g. https://alerts.monitoring.wmflabs.org/
[13:48:27] <godog>	 unless there's something to update on the cloud idp client's end ?
[13:49:39] <jbond>	 godog: looks like the authentication all went through and something in apache dosn;t like it, what is the actuall server?
[13:50:08] <jbond>	 godog: i suspect its the required_groups bit
[13:50:21] <jbond>	 it probably refrences the labs ldap ou instead of production
[13:50:33] <godog>	 jbond: ah yeah that makes sense, the host is pontoon-icinga-01.monitoring.eqiad1.wikimedia.cloud
[13:55:18] <jbond>	 godog: yes its the require lin " Require cas-attribute memberOf:cn=ops,ou=groups,dc=sso,dc=eqiad1,dc=wikimedia,dc=cloud
[13:55:29] <jbond>	 cant find where its configuered for theses boxes though
[13:56:24] <godog>	 jbond: it is in pontoon, I'll send a review to change the base-dn
[13:56:34] <jbond>	 ack cher
[13:56:36] <jbond>	 rcheers
[13:57:25] <godog>	 actually nevermind no need for a review, I changed it locally
[13:57:32] <jbond>	 cool
[13:57:32] <godog>	 I'll test with the default value
[14:00:37] <godog>	 jbond: all good! thanks again, now https://alerts.monitoring.wmflabs.org/ works as expected with my production token
[14:02:04] <jbond>	 awesome :) \o/, thanks
[14:07:43] <lmata>	 \o/