
Install php-ldap on all MW appservers
Closed, Declined (Public)

Description

A required step in T237773: Move Wikitech onto the production MW cluster is ensuring that the main MediaWiki cluster is capable of operating a MediaWiki deployment using MediaWiki-extensions-LdapAuthentication in its AuthManager stack.

Currently php-ldap is only installed via https://github.com/wikimedia/puppet/blob/92f7108cf2815feffb466c5ba351b7e8348d93a5/modules/openstack/manifests/wikitech/web.pp#L26, but it needs to be installed everywhere.

Event Timeline

This task misses a rationale, what do we need it for on the non-labweb mw* servers? Anything which will be rolled out in the future?

Probably because this is a logical blocker to the parent task.

> This task misses a rationale, what do we need it for on the non-labweb mw* servers? Anything which will be rolled out in the future?

The rationale is to support T237773: Move Wikitech onto the production MW cluster. The LDAPAuthentication extension used on Wikitech requires php-ldap support.

ldap is already installed in CI, so no need for RelEng to change things from our end.

Just so everyone is on the same page about this task and its parent (T237773: Move Wikitech onto the production MW cluster), the desired long-term solution (T161859: Make Wikitech an SUL wiki) will NOT require LDAP for Wikitech. This is an intermediate step towards that longer-term goal. We want to move Wikitech into the main cluster to make it less unique in the Wikimedia wiki farm. We hope this will reduce toil for many folks by making it easier for Wikitech to support the full, modern MediaWiki experience with things like VisualEditor and other extensions which depend on RESTBase and microservices. A reasonably large class of bug reports against wikitech.wikimedia.org are related in one way or another to its current unique hosting situation of being deployed on Wikimedia servers, but not being a part of the shared MediaWiki hosting infrastructure.

Today we have no other general-purpose system for self-service creation of Developer accounts (aka LDAP accounts), so Wikitech needs to keep its snowflake status of using MediaWiki-extensions-LdapAuthentication & MediaWiki-extensions-OpenStackManager until T196171: Developer account creation without OpenStackManager is solved (possibly by T179463).

I don't know enough about php-ldap at the moment to have an opinion. In itself, adding a php extension to production is a big deal, but it's also easy to undo.

Security considerations aside, I'm not opposing this, as long as we have a rollback option open for some time.

I would explore the possibility of only routing wikitech to a subset of machines (the canaries?) and enable php-ldap only on those, given it's a temporary solution.

Also: how temporary? Do you have a tentative timeline for transitioning wikitech to SUL?
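The "subset of appservers" idea above amounts to making the php-ldap package an opt-in per host instead of a side effect of the wikitech web role. The following Puppet fragment is an added illustration of that pattern and is not code from the Wikimedia puppet repository; the class name `profile::mediawiki::php_ldap`, the hiera key `profile::mediawiki::php_ldap::enabled` and the package-based enablement are assumptions, chosen only to show how a hiera boolean can gate the extension on the canary subset while every other appserver explicitly stays without it.

```puppet
# Added example, not from the Wikimedia puppet repository.
# Class name and hiera key are hypothetical.
#
# Enable on the canary subset only, e.g. in a host- or role-level hiera file:
#   profile::mediawiki::php_ldap::enabled: true
# Every other appserver inherits the default (false) and the package is kept
# absent, so the state of php-ldap is declared everywhere rather than left to
# whatever an earlier role happened to install.
class profile::mediawiki::php_ldap (
  Boolean $enable_ldap = lookup('profile::mediawiki::php_ldap::enabled', { 'default_value' => false }),
) {
  # On Debian, php-ldap is a module package built from the same PHP source
  # package as the interpreter, so no separate build is needed (see the
  # comment on the PHP 7.2 component above); installing or removing the
  # package is the whole change.
  package { 'php-ldap':
    ensure => $enable_ldap ? {
      true    => 'present',
      default => 'absent',
    },
  }
}
```

Declaring `absent` for the non-opted-in hosts is deliberate: it gives the rollback path the comment asks for (flip the hiera key back to false and the next Puppet run removes the extension) and makes it visible in Puppet reports if the package ever appears on a host that should not have it.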

> Also: how temporary? Do you have a tentative timeline for transitioning wikitech to SUL?

Geologically short, but maybe not short by other measures. We need a new Developer account creation portal first. That has been discussed for at least 3 years, but not resourced by any team yet. I wouldn't count on it being less than 24 months at best before SUL happened.

Pinging @MoritzMuehlenhoff, any objections to this?

Fine with me. php-ldap is built from the core PHP package, so this won't need a rebuild in our PHP 7.2 component.

> Also: how temporary? Do you have a tentative timeline for transitioning wikitech to SUL?

> Geologically short, but maybe not short by other measures. We need a new Developer account creation portal first. That has been discussed for at least 3 years, but not resourced by any team yet. I wouldn't count on it being less than 24 months at best before SUL happened.

Then I'd definitely go with the idea of installing wikitech on a subset of appservers, at least at first.

> Then I'd definitely go with the idea of installing wikitech on a subset of appservers, at least at first.

@Joe would you also want the php-ldap package limited to a subset of MW servers? I think I can guess that your concern is wikitech somehow degrading performance for project wikis?

So one of my concerns is actually about the parent task, I'll comment there.

Closing in favor of T292707: ☂ Migrate Wikitech to Kubernetes as it makes little sense at this point to consider putting Wikitech into legacy production hosting.