
Future of "Extension:LDAP Authentication"
Closed, Resolved (Public)

Description

The popular "Extension:LDAP Authentication" provided an easy way to integrate MediaWiki into an existing intranet infrastructure. But then the developer stopped maintaining the extension and nobody stepped in place. As WMF uses this extension internally, they applied some important changes when AuthManager came around. But WMF has announced that they want to get rid of it and therefore future development is put in jeopardy.

I'd love to talk about LDAP authentication, authorization and Single-Sign-On scenarios in business intranets, share my experiences and hear from others about those topics. Maybe we could work on a roadmap for required future development or compose a best practices document about what is possible with the current extensions/capabilities of MediaWiki.

Additional notes can be found here: https://www.mediawiki.org/wiki/User:Osnard/LDAP

Event Timeline

Hi,
you might want to reach out to a project that just started, funded by Austrian Netidee.
http://bit.ly/29p5eiM
https://www.netidee.at/fairlogin
cheers,
Bernhard

Thanks for the hint, Bernhard!

So here are the minutes of our session: https://etherpad.wikimedia.org/p/fixing-ldap

Thanks to all participants!

Copying raw notes into this task as Etherpad has no data safety promises:

Fixing LDAP
https://www.mediawiki.org/wiki/User:Osnard/LDAP

== Current issues ==
* SSO is broken
* Change user is no longer possible
* Usernames are normalized
* Local accounts cannot change passwords
* Issues with underscore

== Attempts to fill the gap ==
* PluggableAuth (c.cicalese)
* LdapAuthorisation (c.cicalese)
* PluggableSSO (hexmode)
* LDAPGroups (hexmode)
* TBD: Mapping attributes LdapSyncAttr

== Experiences ==
* Mark: we should create special pages for any tasks
* Robert: LdapAuthorisation does not work out of the box -> hexmode is working on that

* Local sign on possible? PluggableAuth allows that
* Tgr: reason is LDAPAuthentication was never properly updated to new auth manager

* Markus: Update LDAPAuthentication or rewrite from scratch?
** Concerns are not separated
** Hard to extend
* Tgr: We need at least test cases / unit tests
-> ACTION: Write unit tests

* Robert: A migration path would be good for existing LDAPAuthentication users
-> ACTION: Create migration path Robert

* Robert: There are a lot of configuration files, there are even more extensions by hexmode: LDAP, which connects the various ldap extensions. Configure this one and it passes on the config to the other extensions

* Foundation will cease to care about LDAP Authentication, as they will move their wikis away from it

* There is a consensus among the group that the old extension should be deprecated and we will build upon the new stack of extensions

-> ACTION: Create a requirements document

-> ACTION: Put a deprecation notice on the extension page, but talk to Ryan Lane before

== Architecture of the new set of extensions ==
* Markus: make the set of attributes requested from LDAP extensible, keep a slim core but provide entry points for extensions
* Robert: use a plugin based system to extend
* first use case could be the profile image (used in BlueSpice)

* Where do the extensions live?
-> should be moved to gerrit

At the moment it's hard to find all the extensions needed, e.g. synchronize groups
-> ACTION: Create a LDAP documentation portal on mediawiki.org, see below

== Documentation ==
* Link from old LDAP to new portal
* Name of LDAP hub on mw.o "LDAP hub"
** Two documents: migration document, alternatives to ldap authentication, help desk (Flow discussion page)

== Interested in contributing to this ==
Toniher -> helping migration docs
MeskoBalazs -> testing migration, localization (to Hungarian)

P.S.: T Shrinivasan: Errors should be put out to the user interface (Login page) and not just into the log
Configuring with any LDAP should have a web interface. We should input the LDAP server, DN details etc.
Then there should be a test button to check any user's login.

P.S.: MeskoBalazs: if possible there should be a (regex based) mapping between LDAP login names and the usernames in MediaWiki.
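The notes above list three related problems: usernames are normalized by MediaWiki, underscores cause issues, and a regex-based mapping from LDAP login names to wiki usernames is wanted. The following is an added example (not code from the page, from LDAP Stack or from any of the extensions named above) that shows how such a mapping interacts with MediaWiki-style normalization, and why a deployer should check the mapping for collisions: two distinct LDAP accounts that land on the same wiki username would share one identity. The rule list, the domain suffix `corp.example` and the `ext-` prefix are constructed sample values; the normalization is an approximation of MediaWiki's behaviour (underscores become spaces, whitespace is collapsed, the first letter is upper-cased) and is labelled as such in the code.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Constructed sample rules (assumption: the real configuration format of the
# LDAP extensions is not shown on the page). Each rule is (regex, replacement);
# the first rule whose regex matches the whole LDAP login wins.
MAPPING_RULES: List[Tuple[str, str]] = [
    (r"^(?P<user>[^@]+)@corp\.example$", r"\g<user>"),   # strip a UPN-style suffix
    (r"^ext-(?P<user>.+)$", r"\g<user> (external)"),      # tag external accounts
]


def canonicalize(name: str) -> str:
    """Approximate MediaWiki's username normalization: underscores and runs
    of whitespace become a single space, the name is trimmed and its first
    character is upper-cased. (Approximation, not MediaWiki's own code.)"""
    name = re.sub(r"[_\s]+", " ", name).strip()
    return name[:1].upper() + name[1:] if name else name


def map_login(ldap_login: str, rules: List[Tuple[str, str]] = MAPPING_RULES) -> str:
    """Apply the first matching regex rule, then normalize like MediaWiki.
    Logins that match no rule are only normalized."""
    for pattern, replacement in rules:
        if re.fullmatch(pattern, ldap_login):
            return canonicalize(re.sub(pattern, replacement, ldap_login))
    return canonicalize(ldap_login)


def find_collisions(logins: Iterable[str],
                    rules: List[Tuple[str, str]] = MAPPING_RULES) -> Dict[str, List[str]]:
    """Return every wiki username that more than one distinct LDAP login maps
    to. A non-empty result means two directory accounts would share one wiki
    identity, so the rules (or the directory) need fixing before go-live."""
    by_wiki: Dict[str, List[str]] = {}
    for login in logins:
        by_wiki.setdefault(map_login(login, rules), []).append(login)
    return {wiki: sources for wiki, sources in by_wiki.items() if len(sources) > 1}


if __name__ == "__main__":
    # Constructed sample directory logins.
    sample = ["jdoe@corp.example", "john_doe", "John_doe", "ext-alice", "bob"]
    for login in sample:
        print(f"{login!r:25} -> {map_login(login)!r}")
    print("collisions:", find_collisions(sample))
```

Running the check over an export of the directory's login names before switching authentication on is the cheap way to catch the underscore problem in the notes: `john_doe` and `John_doe` are different LDAP entries but the same wiki user once normalized.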
cicalese triaged this task as Medium priority.
cicalese moved this task from Needs Discussion to Doing on the MediaWiki-Stakeholders-Group board.

No objections. Actually, this might also be closed as there is LDAP Stack now, which I consider to be the future. At least for me 😆.

Marking as resolved, since LDAP Stack is ready for use. For more information, see LDAP Hub.