Page MenuHomePhabricator

Update LdapAuthentication to use AuthManager
Closed, ResolvedPublic

Description

See parent task and T110414#1578206.

Related Objects

StatusSubtypeAssignedTask
ResolvedDeskana
ResolvedAnomie
OpenNone
ResolvedAnomie
OpenNone
ResolvedTgr
ResolvedAnomie
OpenNone
OpenNone
OpenNone
Resolveddemon
ResolvedTgr
ResolvedNone
Resolved Mattflaschen-WMF
ResolvedTgr
ResolvedAnomie
ResolvedAnomie
ResolvedAnomie
Resolvedbd808

Event Timeline

Change 286705 had a related patch set uploaded (by Anomie):
Update for AuthManager, somewhat

https://gerrit.wikimedia.org/r/286705

Change 286705 merged by jenkins-bot:
Update for AuthManager, somewhat

https://gerrit.wikimedia.org/r/286705

Anomie claimed this task.

Change 296559 had a related patch set uploaded (by Gergő Tisza):
Update for AuthManager, somewhat

https://gerrit.wikimedia.org/r/296559

Change 296559 merged by jenkins-bot:
Update for AuthManager, somewhat

https://gerrit.wikimedia.org/r/296559

Is there any documentation on when and how to use "LdapPrimaryAuthenticationProvider"? On the official extension page I did not find any information about it.

There probably isn't, feel free to update the on-wiki documentation.

The basic answer is that instead of doing

$wgAuth = new LdapAuthenticationPlugin();

you instead configure AuthManager to use LdapPrimaryAuthenticationProvider with something like this

$wgAuthManagerAutoConfig['primaryauth'] += [
    LdapPrimaryAuthenticationProvider::class => [
        'class' => LdapPrimaryAuthenticationProvider::class,
        'args' => [ [
            'authoritative' => true, // don't allow local non-LDAP accounts
        ] ],       
        'sort' => 50, // must be smaller than local pw provider
    ],     
];

Or, if you're already setting $wgAuthManagerConfig in your configuration, include that bit in the appropriate place there.

Beyond that I can't really help you, the LdapAuthentication extension is badly in need of a redesign and rewrite from someone who understands the stuff it's currently trying to do.

@Anomie Thanks for your quick reply! The MediaWiki Stakeholder group is actually working on an appropriate replacement for Extension:LdapAuthentication. It's likely to be a combination of Extension:PluggableAuth and Extension:PuggableSSO (plus some other extensions :) )