
Group sync does not work when user is authenticated implicitly (Auth_remoteuser)
Closed, ResolvedPublic

Description

This applies to certain configurations of the LDAP Stack. The groups are synced on UserLoggedIn, which is called by Extension:Auth_remoteuser. Unfortunately, when authenticated by Auth_remoteuser the ldap_domains database table is not being updated properly (as Auth_remoteuser has no concept of LDAPProvider being enabled). Therefore no domain is associated with the user and groups cannot be fetched in UserLoggedIn.

Event Timeline

Osnard triaged this task as Medium priority.Jan 18 2019, 8:54 AM
Osnard raised the priority of this task from Medium to High.
Osnard moved this task from Backlog to Doing on the LDAP-Extensions board.

This is mainly covered by https://gerrit.wikimedia.org/r/#/c/mediawiki/extensions/LDAPAuthorization/+/485198/ and https://gerrit.wikimedia.org/r/#/c/mediawiki/extensions/LDAPProvider/+/485197/

So what needs to be done?

The LDAPProvider needs to have the logic for splitting a REMOTE_USER string into "username" and "domain". It can only do so if Auth_remoteuser is activated in the stack, therefore it should bind to that extension's hook. This way the domain can be properly set for the current user and extensions like LDAPGroups and LDAPUserInfo can work properly.

Question to be answered: Do we need to keep the domain as volatile information or should we persist it into the database? If we persist, we need to make sure that this does not happen too often. And we need to find the appropriate time for persisting (as a user id needs to be available).

As a workaround one can patch the file LDAPProvider/src/UserDomainStore.php like this:

/**
 * @param User $user to get domain for
 * @return string|null
 */
public function getDomainForUser( User $user ) {
    // Workaround: return a fixed domain for every user. The early return
    // short-circuits the ldap_domains lookup below, so this only makes sense
    // for a stack with a single LDAP domain.
    return "<the-domain>";
    $userId = $user->getId();
...

See https://www.mediawiki.org/wiki/Topic:Veh461dvf9f3kl2s
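As an added illustration of the REMOTE_USER split discussed above (this is example code written for this page, not code from LDAPProvider or Auth_remoteuser): a stand-alone helper that derives "username" and "domain" from a REMOTE_USER value. The function names, the two accepted formats ("user@domain" and "DOMAIN\user") and the lower-casing of the domain are assumptions; the point is that a value without a usable domain yields null, so a caller never persists an empty domain for the user.

```php
<?php
// Added example, not part of LDAPProvider or Auth_remoteuser.
// Function names and accepted formats are assumptions for illustration.

/**
 * Split a REMOTE_USER value into [ 'username' => ..., 'domain' => ... ].
 *
 * Accepted formats (assumed here, not something the extensions specify):
 *   - "user@example.org"   (UPN style, split on the last '@')
 *   - "EXAMPLE\user"       (down-level logon name, split on the first '\')
 *   - "user"               (no domain: 'domain' is null)
 *
 * @param string $remoteUser Raw value, e.g. $_SERVER['REMOTE_USER']
 * @return array|null null when the value is empty or has an empty part
 */
function splitRemoteUser( string $remoteUser ): ?array {
    $remoteUser = trim( $remoteUser );
    if ( $remoteUser === '' ) {
        return null;
    }

    $pos = strpos( $remoteUser, '\\' );
    if ( $pos !== false ) {
        // "DOMAIN\user"
        $domain = substr( $remoteUser, 0, $pos );
        $username = substr( $remoteUser, $pos + 1 );
    } else {
        // "user@domain": split on the LAST '@' so a local part that itself
        // contains '@' stays intact.
        $pos = strrpos( $remoteUser, '@' );
        if ( $pos !== false ) {
            $username = substr( $remoteUser, 0, $pos );
            $domain = substr( $remoteUser, $pos + 1 );
        } else {
            $username = $remoteUser;
            $domain = null;
        }
    }

    if ( $username === '' || $domain === '' ) {
        // "\user", "user@", "DOMAIN\": refuse rather than guess a domain.
        return null;
    }

    return [
        'username' => $username,
        // Normalise case so the domain matches the key the LDAP stack is
        // configured with (assumption: domain keys are lower-case).
        'domain' => $domain === null ? null : strtolower( $domain ),
    ];
}

/**
 * Caller side: read only the server-set REMOTE_USER variable. A value taken
 * from a client-supplied HTTP header could be spoofed by the client.
 *
 * @param array $server Usually $_SERVER
 * @return string|null domain, or null when none can be derived
 */
function domainFromServerVars( array $server ): ?string {
    if ( !isset( $server['REMOTE_USER'] ) ) {
        return null;
    }
    $parts = splitRemoteUser( (string)$server['REMOTE_USER'] );
    return $parts['domain'] ?? null;
}

// Constructed sample inputs; the last two yield null.
foreach ( [ 'jdoe@example.org', 'EXAMPLE\jdoe', 'jdoe', 'jdoe@', '' ] as $in ) {
    var_dump( splitRemoteUser( $in ) );
}
var_dump( domainFromServerVars( [ 'REMOTE_USER' => 'EXAMPLE\jdoe' ] ) );
```

Whatever persists the domain (the question left open above) should only do so when this split returns a non-null domain and the user id already exists; otherwise the ldap_domains row would carry the same missing domain that causes the group sync to fail in the first place.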