Page MenuHomePhabricator
Create Task
Maniphest T219530

Support use of login user credentials for search (no admin user needed)
Closed, ResolvedPublic
Actions

Description

In LDAPProvider/src/Client.php, the search() function forces the LDAP connection to re-bind to the admin user credentials even if the connection is already bound to the login user's credentials. It does this by calling establishBinding() explicitly rather than just init().

In our environment, which is Active Directory, all users can search. This means it is not necessary to specify a separate admin account for searching. This reduces complexity in those environments. This task is to change the logic in Client.php to determine which user to bind to before searching.

Before any call to ldap_* that requires a user bound to the connection, if the connection is already bound to the admin user, or bound to the login user and there are no admin user credentials, then do nothing. Otherwise get the admin user credentials, if any, and use them to bind. If there are no admin user credentials, then the connection is bound to the anonymous (null) user.

This change in logic allows the login user to be used if no admin user was specified.

Details

SubjectRepoBranchLines +/-
Use login user for search when admin user not givenmediawiki/extensions/LDAPProviderREL1_31+17 -2
Use login user for search when admin user not givenmediawiki/extensions/LDAPProvidermaster+17 -2
Customize query in gerrit

Related Objects

Event Timeline

chiefgeek157 created this task.Mar 28 2019, 4:32 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMar 28 2019, 4:32 PM
chiefgeek157 updated the task description. (Show Details)Mar 28 2019, 6:12 PM

Submitted change 499844 with code changes to Client.php.

chiefgeek157 mentioned this in rELDQ86b95292a375: Use login user for search when admin user not given.Mar 28 2019, 7:03 PM
chiefgeek157 mentioned this in rELDQ8bedc8982a16: Use login user for search when admin user not given.
chiefgeek157 mentioned this in rELDQ7fcf2da2e054: Add logic to use the login user's credentials for binding during the search….
gerritbot added a comment.Mar 28 2019, 8:35 PM

Change 499844 had a related patch set uploaded (by Aklapper; owner: Chiefgeek157):
[mediawiki/extensions/LDAPProvider@master] Use login user for search when admin user not given

https://gerrit.wikimedia.org/r/499844

gerritbot added a project: Patch-For-Review.Mar 28 2019, 8:35 PM
Aklapper mentioned this in rELDQe2e4fd5cb312: Use login user for search when admin user not given.Mar 28 2019, 8:36 PM
chiefgeek157 mentioned this in rELDQce9b65ae9346: Use login user for search when admin user not given.Mar 30 2019, 1:47 PM
Osnard claimed this task.Apr 9 2019, 9:23 AM
Osnard triaged this task as Medium priority.
Osnard added a project: LDAP-Extensions.

Thanks for the contribution. I will look at it asap!

gerritbot added a comment.Apr 24 2019, 7:06 AM

Change 506055 had a related patch set uploaded (by Robert Vogel; owner: Chiefgeek157):
[mediawiki/extensions/LDAPProvider@REL1_31] Use login user for search when admin user not given

https://gerrit.wikimedia.org/r/506055

Osnard closed this task as Resolved.Apr 24 2019, 7:07 AM
gerritbot added a comment.Apr 24 2019, 7:15 AM

Change 499844 merged by jenkins-bot:
[mediawiki/extensions/LDAPProvider@master] Use login user for search when admin user not given

https://gerrit.wikimedia.org/r/499844

gerritbot added a comment.Apr 24 2019, 7:15 AM

Change 506055 merged by jenkins-bot:
[mediawiki/extensions/LDAPProvider@REL1_31] Use login user for search when admin user not given

https://gerrit.wikimedia.org/r/506055

Osnard mentioned this in rELDQ0f914ca09b8d: Use login user for search when admin user not given.Apr 24 2019, 7:41 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL