Page MenuHomePhabricator

LDAP based login is broken in pywikibot because lgdomain is not set
Closed, ResolvedPublic

Description

Couldn't figure out why core didn't work on my wiki with LDAP login. After some debugging I found out that lgdomain doesn't seem to be set anywhere at all. See https://www.mediawiki.org/w/api.php?action=help&modules=login|query+info

If I just hardcode login_request["lgdomain"] = "mydomain" in api.py, it magically works. The login logic should look in the family file if self.ldapDomain is set and if that's the case include it in the request. Compat doesn't have this problem.

Event Timeline

Multichill raised the priority of this task from to High.
Multichill updated the task description. (Show Details)
Multichill added a subscriber: Multichill.
Restricted Application added subscribers: Aklapper, Unknown Object (MLST). · View Herald TranscriptFeb 20 2015, 3:21 PM
XZise added a subscriber: XZise.Feb 20 2015, 3:25 PM

Can we set lgdomain even without LDAP login?

Dumindux claimed this task.Mar 4 2015, 6:47 AM
Dumindux removed Dumindux as the assignee of this task.
Dumindux set Security to None.
jayvdb added a subscriber: jayvdb.May 30 2015, 5:03 PM

This is pretty good first bug, as it needs to be backwards compatible with compat, so no bikeshedding on names, etc. and it should be two lines of code in core.

compat$ git grep ldapDomain
families/README-family.txt:        #self.ldapDomain = 'domain here'
family.py:        self.ldapDomain = ()
login.py:            if self.site.family.ldapDomain:
login.py:                predata['lgdomain'] = self.site.family.ldapDomain
login.py:            if self.site.family.ldapDomain:     # VistaPrint fix
login.py:                predata["wpDomain"] = self.site.family.ldapDomain

@Multichill, are you able to test patches for this?

Hi, I am interested in working on this bug.
As far as I understand (from the discussions above) there needs to be a check on ldapDomain and lgdomain should be set accordingly, somewhere near line no. 3036 in
api.py
i.e. just after the initialisation.
I'm completely new to this so please correct me if I'm wrong somewhere and should I move ahead resolving this bug?

Restricted Application added a subscriber: TerraCodes. · View Herald TranscriptSep 25 2016, 5:16 PM

why in API.py? Can't it be done in the login.py like how it was done in compact?

The modification to api.py outlined here resolved the issue for me:

https://www.linkedin.com/pulse/how-correct-pywikibot-ldap-authentication-error-armando-trinchillo

LDAP authentication worked until I added a second domain to the authentication options in my LocalSettings.php. I have not had an opportunity to revert the change and test, but I wanted to mention it just in case it helps reproduce the issue.

Change 330144 had a related patch set uploaded (by Phantom42):
Fix broken LDAP based login

https://gerrit.wikimedia.org/r/330144

Change 330144 merged by jenkins-bot:
Fix broken LDAP based login

https://gerrit.wikimedia.org/r/330144

MtDu closed this task as Resolved.Jan 5 2017, 5:07 AM
MtDu added a subscriber: MtDu.

Patch has been merged. Hence closing as resolved. Thanks!