Brian A. Seklecki | 9 Jan 2008 16:17

Initial Success Report

Ryan et al.:

Congrats on Extension:LDAP_Authentication, you're doing some great work
here.

Our systems are: 
 - FreeBSD 6.x / amd64
 - OpenLDAP 2.3.4x
 - Apache 2.3
 - PHP 5.2.5
 - WM 1.11.0 from Ports

- TLS works 
- Proxy User works
- I've managed to make things work with our non-standard LDAP tree

So far the only problems that I've encountered 

- "Proxy Agent" is ambiguous and even misleading.  If you look at
  something like PADL PAM_LDAP or NSS_LDAP, they simply refer to these
  as "bindpw" and "bindcn" -- or even a better name is "MetaUser" since
  LDAP as a whole is ambiguous as to what constitutes a user or identity
  (a DN).

- WRT groups, it isn't entirely clear which settings control which group
  a UID=/CN= must be a member of (PADL calls this $pam_groupdn) vs. how
  meta-group membership _WITHIN_ MediaWiki is determined (PADL calls it
  $nss_base_group)

- $wgLDAPProxyAgentPassword isn't accepting a proper SHA1+Base64'd

Lane, Ryan | 9 Jan 2008 17:12

Re: Initial Success Report

> Ryan et al.:
> 
> Congrats on Extension:LDAP_Authentication, you're doing some great work
> here.
> 

Thanks.

> Our systems are: 
>  - FreeBSD 6.x / amd64
>  - OpenLDAP 2.3.4x
>  - Apache 2.3
>  - PHP 5.2.5
>  - WM 1.11.0 from Ports
> 
> - TLS works 
> - Proxy User works
> - I've managed to make things work with our non-standard LDAP tree
> 
> So far the only problems that I've encountered 
> 
> - "Proxy Agent" is ambiguous and even misleading.  If you look at
>   something like PADL PAM_LDAP or NSS_LDAP, they simply refer to these
>   as "bindpw" and "bindcn" -- or even a better name is "MetaUser" since
>   LDAP as a whole is ambiguous as to what constitutes a user or identity
>   (a DN).
> 

Brian A. Seklecki | 9 Jan 2008 17:57

Re: Initial Success Report


> 
> Yeah, this is slightly ambiguous. In some cases it does actually act
> like a proxy user though. I've thought about changing it in the past,

[.... such is the way of things... ]

> 	http://www.mediawiki.org/wiki/Ldap#Group_options
> 
> Once the wiki knows how to find groups, you can tell the wiki to
> synchronize groups with MediaWiki's groups using:
> 
> 	$wgLDAPUseLDAPGroups

I have found that, for the moment, it would be best to use locally
administered groups instead of LDAP groups since:

 1) As you said, no LDAP Schema is yet defined to keep the user_options
    array found in SQL in LDAP instead

 2) My POSIX group membership won't be 1:1 with my MediaWiki group
    membership, so I'm going to have to log in as a local admin to
    adjust group membership anyway.

    I'll definitely probably take the time to set a new ou=wikiGroups
    once prefs can be stored in LDAP, but that's not really
    high-priority for me ATM.

I did notice that when you populate the UID in SQL from an LDAP user,
you are not utilizing the posixAccount objectClass value "uidNumber",

Lane, Ryan | 9 Jan 2008 18:45

Re: Initial Success Report

> > 	http://www.mediawiki.org/wiki/Ldap#Group_options
> > 
> > Once the wiki knows how to find groups, you can tell the wiki to
> > synchronize groups with MediaWiki's groups using:
> > 
> > 	$wgLDAPUseLDAPGroups
> 
> I have found that, for the moment, it would be best to use locally
> administered groups instead of LDAP groups since:
> 
>  1) As you said, no LDAP Schema is yet defined to keep the user_options
>     array found in SQL in LDAP instead
> 

Groups are handled separately from user_options. The plugin does update
group membership in the local database.

>  2) My POSIX group membership won't be 1:1 with my MediaWiki group
>     membership, so I'm going to have to log in as a local admin to
>     adjust group membership anyway.
>   
>     I'll definitely probably take the time to set a new ou=wikiGroups
>     once prefs can be stored in LDAP, but that's not really
>     high-priority for me ATM.
> 

You can make new posix groups that are meant for the wiki, or you can
use something other than posix groups.

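To make the two group roles discussed above concrete (the group a user must belong to before login, versus synchronizing LDAP groups into MediaWiki's own groups), here is an added LocalSettings.php fragment; it is not from the thread or from the extension's documentation. The setting names are those of Extension:LDAP_Authentication as I recall them and should be checked against your extension version; the domain label, server, DNs and bind password are constructed placeholders.

```php
<?php
// Added example: LocalSettings.php fragment for Extension:LDAP_Authentication.
// All names, hosts and DNs are constructed; setting names are assumed from the
// extension's documentation and may differ by version.
require_once( "$IP/extensions/LdapAuthentication/LdapAuthentication.php" );
$wgAuth = new LdapAuthenticationPlugin();

$wgLDAPDomainNames      = array( 'example' );                          // domain label
$wgLDAPServerNames      = array( 'example' => 'ldap.example.org' );
$wgLDAPEncryptionType   = array( 'example' => 'tls' );                 // TLS, as in the report
$wgLDAPBaseDNs          = array( 'example' => 'dc=example,dc=org' );
$wgLDAPSearchAttributes = array( 'example' => 'uid' );                 // login name -> uid=

// "Proxy Agent": the bind DN and password the wiki itself uses to search the
// tree before the user binds (PADL's bindcn/bindpw). It is the plaintext bind
// secret sent to the server, so keep this file unreadable to anyone but the
// web server account and give the bind DN read-only rights.
$wgLDAPProxyAgent         = array( 'example' => 'cn=wiki-bind,ou=services,dc=example,dc=org' );
$wgLDAPProxyAgentPassword = array( 'example' => 'REPLACE-WITH-BIND-PASSWORD' );

// Gate (the $pam_groupdn analogue): how groups are found, and which group a
// user must be in before login succeeds. posixGroup lists members in memberUid
// by login name, so the full-DN lookup must be off.
$wgLDAPGroupUseFullDN     = array( 'example' => false );
$wgLDAPGroupObjectclass   = array( 'example' => 'posixgroup' );
$wgLDAPGroupAttribute     = array( 'example' => 'memberuid' );
$wgLDAPGroupNameAttribute = array( 'example' => 'cn' );
$wgLDAPRequiredGroups     = array( 'example' => array(
    'cn=wiki-users,ou=groups,dc=example,dc=org',
) );

// Sync (the $nss_base_group analogue): copy LDAP group membership into
// MediaWiki's own group table on login. Left off here, so wiki groups stay
// locally administered, which is the arrangement Brian settled on.
$wgLDAPUseLDAPGroups = array( 'example' => false );
```

With $wgLDAPUseLDAPGroups off, $wgLDAPRequiredGroups still denies login to anyone outside cn=wiki-users, while sysop and other wiki-side rights are granted through Special:UserRights as before.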

Greg Sabino Mullane | 9 Jan 2008 18:55

Re: Initial Success Report


On Wed, 2008-01-09 at 10:12 -0600, Lane, Ryan wrote:
> One attribute I desperately need is an external_id attribute in
> MediaWiki's user table. I'll probably try again to get this added to
> the schema.

Out of curiosity, what was the objection last time?

-- 
Greg Sabino Mullane greg@...
End Point Corporation 610-983-9073

_______________________________________________
Mediawiki-enterprise mailing list
Mediawiki-enterprise@...
http://lists.wikimedia.org/mailman/listinfo/mediawiki-enterprise
Lane, Ryan | 9 Jan 2008 19:08

Re: Initial Success Report

> > One attribute I desperately need is an external_id attribute in
> > MediaWiki's user table. I'll probably try again to get this added to
> > the schema.
> 
> Out of curiosity, what was the objection last time?

I didn't officially get denied. I asked the developers in IRC, and got a
few "it might be ok", and a few "your plugin should just create a
table".

I'll ask around again, and if I get any good responses I'll put in a
ticket. I'll have to find a developer willing to commit a schema change
though; I don't like to muck around the core code, and very much don't
want to make a schema change.
