
Update LdapAuthentication to use AuthManager
Closed, Resolved · Public

Description

See parent task and T110414#1578206.

Event Timeline

Tgr created this task. (Aug 27 2015, 2:21 AM)
Tgr updated the task description.
Tgr raised the priority of this task from to Needs Triage.
Tgr added subscribers: Liuxinyu970226, Krenair, Billinghurst and 2 others.
Liuxinyu970226 set Security to None. (Sep 4 2015, 9:22 AM)
Restricted Application added a subscriber: StudiesWorld. (Dec 14 2015, 11:41 AM)
Kc5vcx added a subscriber: Kc5vcx. (Feb 24 2016, 1:52 PM)

Change 286705 had a related patch set uploaded (by Anomie):
Update for AuthManager, somewhat

https://gerrit.wikimedia.org/r/286705

Change 286705 merged by jenkins-bot:
Update for AuthManager, somewhat

https://gerrit.wikimedia.org/r/286705

Anomie closed this task as Resolved. (May 31 2016, 3:31 PM)
Anomie claimed this task.

Change 296559 had a related patch set uploaded (by Gergő Tisza):
Update for AuthManager, somewhat

https://gerrit.wikimedia.org/r/296559

Change 296559 merged by jenkins-bot:
Update for AuthManager, somewhat

https://gerrit.wikimedia.org/r/296559

Osnard added a subscriber: Osnard. (Sep 22 2017, 10:58 AM)

Is there any documentation on when and how to use "LdapPrimaryAuthenticationProvider"? On the official extension page I did not find any information about it.

There probably isn't, feel free to update the on-wiki documentation.

The basic answer is that instead of doing:

$wgAuth = new LdapAuthenticationPlugin();

you instead configure AuthManager to use LdapPrimaryAuthenticationProvider with something like this:

$wgAuthManagerAutoConfig['primaryauth'] += [
    LdapPrimaryAuthenticationProvider::class => [
        'class' => LdapPrimaryAuthenticationProvider::class,
        'args' => [ [
            'authoritative' => true, // don't allow local non-LDAP accounts
        ] ],       
        'sort' => 50, // must be smaller than local pw provider
    ],     
];

Or, if you're already setting $wgAuthManagerConfig in your configuration, include that bit in the appropriate place there.

Beyond that I can't really help you; the LdapAuthentication extension is badly in need of a redesign and rewrite from someone who understands the stuff it's currently trying to do.
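
An added example, not part of the original comment and not code from MediaWiki or the extension: a simplified PHP model of primary-provider ordering that shows why the snippet above sets both 'sort' => 50 and 'authoritative' => true. The stock provider names, their sort values and flags, and the decideLogin() helper are assumptions made for illustration.

```php
<?php
// Simplified model of how primary providers are consulted: ascending 'sort';
// a failing authoritative provider ends the attempt (FAIL), a failing
// non-authoritative one steps aside (ABSTAIN). Not MediaWiki code.

// Constructed stand-in for the stock 'primaryauth' entries. The sort values
// and flags are assumptions; check them against your MediaWiki version.
$primaryauth = [
    'TemporaryPassword' => [ 'authoritative' => false, 'sort' => 0 ],
    'LocalPassword'     => [ 'authoritative' => true,  'sort' => 100 ],
];

// Hypothetical helper: report which provider decides a login, given which
// backends would accept the submitted password.
function decideLogin( array $providers, array $accepts ): string {
    uasort( $providers, fn ( $a, $b ) => $a['sort'] <=> $b['sort'] );
    foreach ( $providers as $name => $cfg ) {
        if ( !empty( $accepts[$name] ) ) {
            return "PASS via $name";
        }
        if ( $cfg['authoritative'] ) {
            return "FAIL at $name";
        }
        // Non-authoritative failure: abstain and try the next provider.
    }
    return 'FAIL (no provider accepted)';
}

// Constructed case: a leftover local account whose local password matches
// but which does not exist in LDAP.
$accepts = [ 'LocalPassword' => true, 'Ldap' => false ];

foreach ( [ 50, 150 ] as $sort ) {
    foreach ( [ true, false ] as $authoritative ) {
        // Same array-union style as the += in the snippet above.
        $cfg = $primaryauth + [
            'Ldap' => [ 'authoritative' => $authoritative, 'sort' => $sort ],
        ];
        printf( "sort=%-3d authoritative=%-5s => %s\n",
            $sort, var_export( $authoritative, true ),
            decideLogin( $cfg, $accepts ) );
    }
}
```

In this model only the combination of a sort value below the local password provider's and 'authoritative' => true rejects the local-only account; in the other three combinations the local password still logs in.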

@Anomie Thanks for your quick reply! The MediaWiki Stakeholder group is actually working on an appropriate replacement for Extension:LdapAuthentication. It's likely to be a combination of Extension:PluggableAuth and Extension:PluggableSSO (plus some other extensions :) )