LDAP authentication also applied to local users
Closed, Resolved (Public)

Description

If "local login" is enabled, all users are authorized against the LDAP backend. For "local user accounts" this will most likely fail.

See https://www.mediawiki.org/w/index.php?title=Topic:W34l84vvtb7pukm7

Event Timeline

Osnard triaged this task as Medium priority. Feb 23 2021, 1:22 PM

Thanks for working on this. The issue is that I'm unable to log in using a 'local' MediaWiki account once I've enabled the LDAPAuthorization extension on a wiki site. If I disable the LDAPAuthorization extension then "local" logins work fine.

We have multiple wiki sites and each site is restricted via a specific LDAP group so we need to use LDAPAuthorization to configure the required LDAP group. However, we also have a need to create and manage "local" users without LDAP authentication/authorization for guests/visitors.

Please let me know when we can expect a fix.

Change 666516 had a related patch set uploaded (by Cicalese; owner: Cicalese):
[mediawiki/extensions/PluggableAuth@master] Allow authentication plugins to indicate authorization should be bypassed

https://gerrit.wikimedia.org/r/666516

Change 666517 had a related patch set uploaded (by Cicalese; owner: Cicalese):
[mediawiki/extensions/LDAPAuthentication2@master] Allow bypass of authorization on local login

https://gerrit.wikimedia.org/r/666517

The two patches are an untested experiment but might do the trick. It seems to me that the fix should be in PluggableAuth and LDAPAuthentication2, not LDAPAuthorization. @Osnard, what do you think?

Is there an indication when this patch is tested and available as an official download?

We ultimately decided that it was not a good idea for an authentication plugin to prevent authorization. The fix for this should be made in the LDAPAuthorization extension.

Change 666517 abandoned by Cicalese:

[mediawiki/extensions/LDAPAuthentication2@master] Allow bypass of authorization on local login

Reason:

it is not a good idea for an authentication plugin to prevent authorization

https://gerrit.wikimedia.org/r/666517

Change 666516 abandoned by Cicalese:

[mediawiki/extensions/PluggableAuth@master] Allow authentication plugins to indicate authorization should be bypassed

Reason:

it is not a good idea for an authentication plugin to prevent authorization

https://gerrit.wikimedia.org/r/666516

Hi

We need this bug to be fixed. Unfortunately we do not have the capacity to do it ourselves. We will however pay for the work to be done.

Sincerely

Niklaus Hofer

We ultimately decided that it was not a good idea for an authentication plugin to prevent authorization. The fix for this should be made in the LDAPAuthorization extension.

So... who is responsible for the LDAPAuthorization plugin? Is that team being notified?

Regards,
Sjoerd

It's up to each individual how they want to set up their notification settings. https://www.mediawiki.org/wiki/Extension:LDAPAuthorization lists some authors.

Hi

We are currently in contact with the author of the LDAPAuthorization about this issue.

Sincerely

Niklaus Hofer

Excellent

@stepping_stone_AG There was a patch for this issue in Extension:LDAPAuthentication2. The patch was applied to REL1_31, REL1_35 and master branch. You can download the new version from Special:ExtensionDistributor on mediawiki.org [1], via GitHub [2] or using composer [3].

[1] https://www.mediawiki.org/wiki/Special:ExtensionDistributor/LDAPAuthentication2
[2] https://github.com/wikimedia/mediawiki-extensions-LDAPAuthentication2/tree/REL1_35
[3] https://packagist.org/packages/mediawiki/ldap-authentication-2

@Osnard Thanks. We tested it yesterday and it works as expected.

Thanks for the feedback