We need to replace the custom SSO implementation.
The state of LDAP for MediaWiki doesn't look that satisfying. Either get it running or search for alternatives (OAuth, SAML etc?)
Christopher told me in Slack that he doesn't have much time, so we have to figure out how to handle this.
#5 Updated by Bastian Bringenberg almost 2 years ago
I have set up a MediaWiki today. The system is running and I am able to install extensions (tried that with two extensions). The extension for LDAP is configured and loading, but the hooks are currently not called, so I guess that I need to dig deeper into that and find out why the hooks are not called.
#6 Updated by Chris topher almost 2 years ago
Are you using https://www.mediawiki.org/wiki/Extension:LDAP_Authentication?
(For the future, a replacement for this extension is being worked on and progress can be seen here: https://www.mediawiki.org/wiki/LDAP_hub .)
And: Which hooks are not called?
#7 Updated by Bastian Bringenberg almost 2 years ago
Shall I give this ticket to you so you are able to go on, or shall I do the work?
I was able to use the newest MediaWiki with the LDAP Auth plugin from: https://phabricator.wikimedia.org/diffusion/ELDA/repository/master/
Let's start with adding stuff to the LocalSettings.php:
    require_once "$IP/extensions/LdapAuthentication/LdapAuthentication.php";
    $wgAuth = new LdapAuthenticationPlugin();
    $wgLDAPDomainNames = array( 'ldap.typo3.org' );
    $wgLDAPServerNames = array( 'ldap.typo3.org' => '###HOSTNAME###', );
    // Do not fall back to the local MediaWiki user database
    $wgLDAPUseLocal = false;
    // 'ssl' means LDAPS (the other values the extension accepts are 'tls' and 'clear')
    $wgLDAPEncryptionType = array( 'ldap.typo3.org' => 'ssl' );
    $wgLDAPPort = array( 'ldap.typo3.org' => ###PORT###, );
    // Bind DN template; USER-NAME is replaced with the name entered at login
    $wgLDAPSearchStrings = array( 'ldap.typo3.org' => 'uid=USER-NAME,ou=people,dc=typo3,dc=org' );
    // Account the extension uses for writing to the directory
    $wgLDAPWriterDN = array( 'ldap.typo3.org' => 'cn=###ADMINUSER###,dc=services,dc=typo3,dc=org' );
    $wgLDAPWriterPassword = array( 'ldap.typo3.org' => '###PASSWORD###' );
    $wgLDAPRealPostUsername = true;
Then I was forced to call an Update Script to update database tables:
After this I needed to apply the patch in the attachment because the "_" in my username would have been stripped off without the patch.
Please review this. If you say that it is fine I would try to commit this to MediaWiki's Gerrit if you would not love to do this for me.
If you have time tomorrow, we are currently at Mehrwert in Cologne and you could join for a few hours to finish this topic with us =).
#12 Updated by Chris topher almost 2 years ago
Thanks to your groundwork, it is basically working now.
The changes from the development server need to be moved to production. That is what I will do. See #81943 for the issue in which I am tracking what needs to be done. I will continue with that soon.
And your patch should go to the Wikimedia review system. It would be great if you could do that.
#13 Updated by Chris topher almost 2 years ago
I have just switched the production server to LDAP.
Attached is version 2 of your patch - now you only need to push it to Code Review.