Feature #82741

Feature #82641: Relaunch typo3.org

Feature #82649: Replace SSO in *.typo3.org

Replace SSO with LDAP/OAuth for Wiki

Added by Steffen Gebert almost 2 years ago. Updated over 1 year ago.

Status: Needs Feedback
Priority: Must have
Target version: -
Start date: 2017-10-12
Due date:
% Done: 0%


Description

We need to replace the custom SSO implementation.

The state of LDAP for MediaWiki doesn't look that satisfying. Either get it running or search for alternatives (OAuth, SAML etc?)

Christopher told me in Slack that he doesn't have much time, so we have to figure out how to handle this.

0001-Adding-RealPostUser-config-variable-in-order-to-use-.patch View (2.19 KB) Bastian Bringenberg, 2017-11-25 00:25

0001-Adding-RealPostUser-config-variable-in-order-t_v2.patch View (2.42 KB) Chris topher, 2017-12-01 21:07


Related issues

Related to wiki.typo3.org - Task #81943: Switch to LDAP Resolved 2017-07-23
Precedes Server Team - Bug #83100: Fix headers on wiki server Resolved 2017-10-13 2017-10-13
Precedes wiki.typo3.org - Task #83104: LDAP does not allow creating new accounts Resolved 2017-10-13 2017-10-13

History

#1 Updated by Michael Stucki almost 2 years ago

  • Status changed from New to Accepted

#2 Updated by Michael Stucki almost 2 years ago

  • Priority changed from Should have to Must have

#3 Updated by Bastian Bringenberg almost 2 years ago

  • Assignee set to Bastian Bringenberg

#4 Updated by Bastian Bringenberg almost 2 years ago

  • Status changed from Accepted to In Progress

#5 Updated by Bastian Bringenberg almost 2 years ago

I have set up a MediaWiki today. The system is running and I am able to install extensions (tried that with two extensions). The extension for LDAP is configured and loading, but the hooks are currently not called, so I guess that I need to dig deeper into that and find out why the hooks are not called.

#6 Updated by Chris topher almost 2 years ago

Hi Bastian,

are you using https://www.mediawiki.org/wiki/Extension:LDAP_Authentication?
(For the future, a replacement for this extension is being worked on and progress can be seen here: https://www.mediawiki.org/wiki/LDAP_hub .)

And: Which hooks are not called?

Cheers!

Christopher

#7 Updated by Bastian Bringenberg almost 2 years ago

Hey Christopher,

shall I give this ticket to you so you are able to go on or shall I do the work?

I was able to use the newest mediawiki with the LDAP Auth Plugin from: https://phabricator.wikimedia.org/diffusion/ELDA/repository/master/

Let's start with adding stuff to the LocalSettings.php:

require_once "$IP/extensions/LdapAuthentication/LdapAuthentication.php";
$wgAuth = new LdapAuthenticationPlugin();
$wgLDAPDomainNames = array(
  'ldap.typo3.org'
);
$wgLDAPServerNames = array(
  'ldap.typo3.org' => '###HOSTNAME###',
);
$wgLDAPUseLocal = false;
$wgLDAPEncryptionType = array(
  'ldap.typo3.org' => 'ssl'
);
$wgLDAPPort = array(
  'ldap.typo3.org' => ###PORT###,
);
$wgLDAPSearchStrings = array(
  'ldap.typo3.org' => 'uid=USER-NAME,ou=people,dc=typo3,dc=org'
);
$wgLDAPWriterDN = array(
  'ldap.typo3.org' => 'cn=###ADMINUSER###,dc=services,dc=typo3,dc=org'
);
$wgLDAPWriterPassword = array(
  'ldap.typo3.org' => '###PASSWORD###'
);
$wgLDAPRealPostUsername = true;

Then I was forced to call an Update Script to update database tables:

php maintenance/update.php

After this I needed to apply the patch in the attachment because the "_" in my username would have been stripped off without the patch.

Please review this. If you say that it is fine, I would try to commit this to MediaWiki's Gerrit, unless you would like to do this for me.

If you have time tomorrow, we are currently at Mehrwert in Cologne and you could join for a few hours to finish this topic with us =).

Greetings,

Bastian
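
Why the underscore matters for the bind DN, as an added example that is not part of the ticket, MediaWiki or the LdapAuthentication extension. The canonicalisation is a simplified model, the function names are hypothetical, and the login names are constructed; the posted name is DN-escaped here so that it cannot change the structure of the DN it is substituted into.

```php
<?php
// Added illustration; not code from MediaWiki or the LdapAuthentication extension.

// Simplified model (assumption) of MediaWiki username canonicalisation:
// underscores count as spaces and the first letter is upper-cased.
function canonicalWikiName(string $posted): string
{
    return ucfirst(trim(preg_replace('/[ _]+/', ' ', $posted)));
}

// Escape a value for use inside a DN (RFC 4514): special characters anywhere,
// '#' or space at the start, space at the end.
function escapeDnValue(string $value): string
{
    $lead = $trail = '';
    if ($value !== '' && ($value[0] === ' ' || $value[0] === '#')) {
        $lead = '\\' . $value[0];
        $value = (string) substr($value, 1);
    }
    if ($value !== '' && substr($value, -1) === ' ') {
        $trail = '\\ ';
        $value = (string) substr($value, 0, -1);
    }
    return $lead . preg_replace('/[\\\\,+"<>;=]/', '\\\\$0', $value) . $trail;
}

// Hypothetical helper: fill the USER-NAME placeholder of a search string.
function buildBindDn(string $searchString, string $username): string
{
    return str_replace('USER-NAME', escapeDnValue($username), $searchString);
}

// Search string as configured in the LocalSettings.php excerpt above.
$searchString = 'uid=USER-NAME,ou=people,dc=typo3,dc=org';
// Constructed login names: one with an underscore, one with DN metacharacters.
$samples = ['jane_doe', 'x,ou=services'];

foreach ($samples as $posted) {
    // DN built from the name exactly as typed into the login form.
    printf("posted:    %s\n", buildBindDn($searchString, $posted));
    // DN built from the wiki-canonical form, where the uid no longer matches.
    printf("canonical: %s\n\n", buildBindDn($searchString, canonicalWikiName($posted)));
}
```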

#8 Updated by Bastian Bringenberg almost 2 years ago

  • Status changed from In Progress to Needs Feedback

#9 Updated by Chris topher almost 2 years ago

#10 Updated by Chris topher almost 2 years ago

  • Precedes Bug #83100: Fix headers on wiki server added

#11 Updated by Chris topher almost 2 years ago

  • Precedes Task #83104: LDAP does not allow creating new accounts added

#12 Updated by Chris topher almost 2 years ago

Hi Bastian,

thanks to your groundwork, it is basically working now.

The changes from the development server need to be moved to production. That is what I will do. See #81943 for the issue in which I am tracking what needs to be done. I will continue with that soon.

And your patch should go to the Wikimedia review system. It would be great if you could do that.

#13 Updated by Chris topher almost 2 years ago

I have just switched the production server to LDAP.

Attached is version 2 of your patch - now you only need to push it to Code Review.

#14 Updated by Bastian Bringenberg over 1 year ago

Patch uploaded. Waiting for feedback.
