Ryan et al.:
Congrats on Extension:LDAP_Authentication, you're doing some great work
here.
Our systems are:
- FreeBSD 6.x / amd64
- OpenLDAP 2.3.4x
- Apache 2.3
- PHP 5.2.5
- WM 1.11.0 from Ports
- TLS works
- Proxy User works
- I've managed to make things work with our non-standard LDAP tree
So far the only problems that I've encountered:
- "Proxy Agent" is ambiguous and even misleading. If you look at
something like PADL PAM_LDAP or NSS_LDAP, they simply refer to these
as "bindpw" and "bindcn" -- or even a better name is "MetaUser" since
LDAP as a whole is ambiguous as to what constitutes a user or identity
(a DN).
- WRT groups, it isn't entirely clear which settings control which group
a UID=/CN= must be a member of (PADL calls this $pam_groupdn) vs. how
meta-group membership _WITHIN_ MediaWiki is determined (PADL calls it
$nss_base_group)
- $wgLDAPProxyAgentPassword isn't accepting a proper SHA1+Base64'd
password -- I've resorted to storing it in cleartext. Will debug
later.
- $wgLDAPRetrievePrefs isn't documented well -- or it is defaulting to
off. It should say/document something like "Enable to extract CN
attribute / value pairs from LDAP"
- It is not entirely clear how other mediawiki settings not defined in
the posixAccount or inetOrgPerson foundation ObjectClasses for things
such as Skins and Editing preferences should be stored
(semi-overlapping entries in the SQL database side?)
I will examine these closer during the day today.
~BAS
PS. On that topic of LDAP<->MW prefs, it might be recommended to use a
wiki table to map SQL columns in the mediawiki.mwuser SQL table to LDAP
attributes!
wikidb-# \d mediawiki.mwuser;
Table "mediawiki.mwuser"
Column | Type | Modifiers
--------------------------+--------------------------+------------------------------------------------------------------
user_id | integer | not null default nextval('mediawiki.user_user_id_seq'::regclass)
user_name | text | not null
user_real_name | text |
user_password | text |
user_newpassword | text |
user_newpass_time | timestamp with time zone |
user_token | character(32) |
user_email | text |
user_email_token | character(32) |
user_email_token_expires | timestamp with time zone |
user_email_authenticated | timestamp with time zone |
user_options | text |
user_touched | timestamp with time zone |
user_registration | timestamp with time zone |
user_editcount | integer |
Indexes:
"mwuser_pkey" PRIMARY KEY, btree (user_id)
"mwuser_user_name_key" UNIQUE, btree (user_name)
"user_email_token_idx" btree (user_email_token)
--
Brian A. Seklecki <bseklecki(a)collaborativefusion.com>
Collaborative Fusion, Inc.
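The "SHA1+Base64'd" form the message refers to is OpenLDAP's {SHA} userPassword storage scheme; the example below, added here and not code from the message or from Extension:LDAP_Authentication, shows how a directory verifies a simple bind against such a stored value: the server re-hashes whatever the binding client (e.g. the proxy agent) sends, so the client has to present the cleartext credential, and a {SSHA} salted variant is included because it is the more common default. Function names and the sample credential are constructed for the illustration.

```python
"""Illustration (not the extension's code): {SHA}/{SSHA} userPassword
storage and the server-side check done for an LDAP simple bind."""
import base64
import hashlib
import hmac
import os


def make_sha_password(plaintext: str) -> str:
    """Encode a credential in the unsalted {SHA} scheme: base64(sha1(pw))."""
    digest = hashlib.sha1(plaintext.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def make_ssha_password(plaintext: str, salt=None) -> str:
    """Encode in the salted {SSHA} scheme: base64(sha1(pw + salt) + salt)."""
    if salt is None:
        salt = os.urandom(4)  # slappasswd uses a 4-byte salt by default
    digest = hashlib.sha1(plaintext.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def directory_accepts_bind(stored: str, supplied: str) -> bool:
    """What the directory does for a simple bind: hash the supplied
    cleartext with the stored scheme and compare in constant time."""
    supplied_bytes = supplied.encode("utf-8")
    if stored.startswith("{SHA}"):
        digest = base64.b64decode(stored[len("{SHA}"):])
        return hmac.compare_digest(digest, hashlib.sha1(supplied_bytes).digest())
    if stored.startswith("{SSHA}"):
        blob = base64.b64decode(stored[len("{SSHA}"):])
        digest, salt = blob[:20], blob[20:]  # 20-byte SHA-1 digest, then salt
        return hmac.compare_digest(digest, hashlib.sha1(supplied_bytes + salt).digest())
    # No scheme prefix: userPassword is stored in cleartext, compared byte for byte.
    return hmac.compare_digest(stored.encode("utf-8"), supplied_bytes)


def bind_outcomes(plaintext: str) -> dict:
    """Compare binding with the cleartext credential against binding with
    the stored hash string itself (the latter is what a pre-hashed
    bind password in a client config amounts to)."""
    stored = make_sha_password(plaintext)
    return {
        "stored": stored,
        "bind_with_cleartext": directory_accepts_bind(stored, plaintext),
        "bind_with_hash_string": directory_accepts_bind(stored, stored),
    }


if __name__ == "__main__":
    print(bind_outcomes("secret"))  # constructed sample credential
```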