Page MenuHomePhabricator
Create Task
Maniphest T110453

Update LdapAuthentication to use AuthManager
Closed, ResolvedPublic
Actions

Description

See parent task and T110414#1578206.

Details

SubjectRepoBranchLines +/-
Update for AuthManager, somewhatmediawiki/extensions/LdapAuthenticationREL1_27+468 -0
Update for AuthManager, somewhatmediawiki/extensions/LdapAuthenticationmaster+468 -0
Customize query in gerrit

Related Objects
Search...

StatusSubtypeAssignedTask
 Resolved DeskanaT75616 Tracking: API/backend issues blocking Wikipedia app development
 ResolvedAnomieT32788 Allow triggering of user password reset email via the API
 OpenNoneT90925 General authentication improvements for MediaWiki
 ResolvedAnomieT48179 Allow a challenge stage during authentication
 OpenNoneT5709 Refactoring to make external authentication and identity systems easier
 ResolvedTgrT43201 UserLoadFromSession considered evil
 ResolvedAnomieT67493 Session is started by EditAction (problem for extensions using UserLoadFromSession hook)
 OpenFeatureNoneT55156 Provide option to force a login session to end within a certain time
 OpenNoneT89459 Modernize MediaWiki authentication system (AuthManager)
 OpenNoneT110291 Update all extensions to use AuthManager
 Resolved demonT135498 Release AuthManager with MediaWiki 1.27
 ResolvedTgrT138910 Backport AuthManager-related changes to 1.27
 ResolvedNoneT130340 [Reading Infrastructure 2015-16 Q4] Enable two-factor authentication via AuthManager on the Wikimedia cluster
 Resolved Mattflaschen-WMFT68699 Increase "remember me" login cookie expiry from 30 days to 1 year on Wikimedia wikis
 ResolvedTgrT135504 Enable AuthManager in WMF production
 ResolvedAnomieT110282 Update extensions which are deployed on the Wikimedia cluster to use AuthManager
 ResolvedAnomieT110288 Update OpenStackManager to use AuthManager
 ResolvedAnomieT110453 Update LdapAuthentication to use AuthManager
 Resolvedbd808T128501 Create role for testing/developing LDAPAuth

Event Timeline

Tgr created this task.Aug 27 2015, 2:21 AM
Tgr raised the priority of this task from to Needs Triage.
Tgr updated the task description. (Show Details)
Tgr added projects: Reading-Infrastructure-Team-Old (Don't use), MediaWiki-Core-AuthManager, MediaWiki-extensions-LdapAuthentication.
Tgr added subscribers: Liuxinyu970226, Krenair, Billinghurst and 2 others.
bd808 moved this task from Backlog to AuthManager Backlog on the MediaWiki-Core-AuthManager board.Aug 28 2015, 5:25 PM
Tgr added a parent task: T110288: Update OpenStackManager to use AuthManager.Sep 4 2015, 2:58 AM
Tgr merged a task: T110284: Update LdapAuthentication to use AuthManager.
Liuxinyu970226 set Security to None.Sep 4 2015, 9:22 AM
Billinghurst unsubscribed.Dec 14 2015, 11:41 AM
Restricted Application added a subscriber: StudiesWorld. · View Herald TranscriptDec 14 2015, 11:41 AM
Kc5vcx subscribed.Feb 24 2016, 1:52 PM
bd808 added a subtask: T128501: Create role for testing/developing LDAPAuth.Mar 1 2016, 7:00 PM
bd808 closed subtask T128501: Create role for testing/developing LDAPAuth as Resolved.Apr 2 2016, 6:11 PM
gerritbot subscribed.May 11 2016, 8:50 PM

Change 286705 had a related patch set uploaded (by Anomie):
Update for AuthManager, somewhat

https://gerrit.wikimedia.org/r/286705

gerritbot added a project: Patch-For-Review.May 11 2016, 8:50 PM
Anomie moved this task from Backlog to Needs Review/Feedback on the Reading-Infrastructure-Team-Old (Don't use) board.May 25 2016, 6:52 PM
gerritbot added a comment.May 31 2016, 3:28 PM

Change 286705 merged by jenkins-bot:
Update for AuthManager, somewhat

https://gerrit.wikimedia.org/r/286705

Anomie closed this task as Resolved.May 31 2016, 3:31 PM
Anomie claimed this task.
ReleaseTaggerBot added a project: MW-1.28-release (WMF-deploy-2016-06-07_(1.28.0-wmf.5)).Jun 1 2016, 3:01 AM
Liuxinyu970226 unsubscribed.Jun 2 2016, 5:17 AM
gerritbot added a comment.Jun 29 2016, 12:32 PM

Change 296559 had a related patch set uploaded (by Gergő Tisza):
Update for AuthManager, somewhat

https://gerrit.wikimedia.org/r/296559

gerritbot added a comment.Jun 29 2016, 12:34 PM

Change 296559 merged by jenkins-bot:
Update for AuthManager, somewhat

https://gerrit.wikimedia.org/r/296559

Fjalapeno edited projects, added Product-Infrastructure-Team-Backlog-Deprecated; removed Reading-Infrastructure-Team-Old (Don't use).Jun 7 2017, 2:57 PM
Osnard subscribed.Sep 22 2017, 10:58 AM

Is there any documentation on when and how to use "LdapPrimaryAuthenticationProvider"? On the official extension page I did not find any information about it.

Anomie added a comment.Sep 22 2017, 1:42 PM

There probably isn't, feel free to update the on-wiki documentation.

The basic answer is that instead of doing

$wgAuth = new LdapAuthenticationPlugin();

you instead configure AuthManager to use LdapPrimaryAuthenticationProvider with something like this

$wgAuthManagerAutoConfig['primaryauth'] += [
    LdapPrimaryAuthenticationProvider::class => [
        'class' => LdapPrimaryAuthenticationProvider::class,
        'args' => [ [
            'authoritative' => true, // don't allow local non-LDAP accounts
        ] ],       
        'sort' => 50, // must be smaller than local pw provider
    ],     
];

Or, if you're already setting $wgAuthManagerConfig in your configuration, include that bit in the appropriate place there.

Beyond that I can't really help you, the LdapAuthentication extension is badly in need of a redesign and rewrite from someone who understands the stuff it's currently trying to do.

Osnard added a comment.Sep 22 2017, 2:18 PM

@Anomie Thanks for your quick reply! The MediaWiki Stakeholder group is actually working on an appropriate replacement for Extension:LdapAuthentication. It's likely to be a combination of Extension:PluggableAuth and Extension:PuggableSSO (plus some other extensions :) )

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits