Page MenuHomePhabricator

Group sync does not work when user is authenticated implicitly (Auth_remoteuser)
Open, HighPublic

Description

This applies to certain configurations of the LDAP Stack. The groups are synched on UserLoggedIn, which is called by Extension:Auth_remoteuser. Unfortunately when authenticated by Auth_remoteuser the ldap_domains database table is not being updated properly (as Auth_remoteuser has no concept of LDAPProvider being enabled). Therefore no domain is associated with the user and groups can not be fetched in UserLoggedIn.

Event Timeline

Osnard created this task.Jan 18 2019, 8:53 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJan 18 2019, 8:53 AM
Osnard triaged this task as Medium priority.Jan 18 2019, 8:54 AM
Osnard reassigned this task from Osnard to Intracomof.Apr 30 2019, 2:02 PM
Osnard raised the priority of this task from Medium to High.
Osnard moved this task from Backlog to Doing on the LDAP-Extensions board.

This is mainly covered by https://gerrit.wikimedia.org/r/#/c/mediawiki/extensions/LDAPAuthorization/+/485198/ and https://gerrit.wikimedia.org/r/#/c/mediawiki/extensions/LDAPProvider/+/485197/

So what needs to be done?

The LDAPProvider needs to have the logic for splitting a REMOTE_USER string into "username" and "domain". It can only to so if Auth_remoteuser is activated in the stack, therefore it should bind to that extensions' hook. This way the domain can be properly set for the current user an extensions like LDAPGroups and LDAPUserInfo can work properly.

Question to be answered: Do we need to keep the domain as a volatile information or should we persist it into the database? If we persist we need to make sure that this does not happen to often. And we need to find the appropriate time for peristing (as a user id needs to be available).

Osnard added a comment.Jan 9 2020, 7:34 AM

As a workaround one can patch the file LDAPProvider/src/UserDomainStore.php like this:

/**
* @param User $user to get domain for
* @return string|null
*/
public function getDomainForUser( User $user ) {
    return "<the-domain>";
    $userId = $user->getId();
...

See https://www.mediawiki.org/wiki/Topic:Veh461dvf9f3kl2s