Ryan et al.:
Congrats on Extension:LDAP_Authentication, You're doing some great work here.
Our systems are: - FreeBSD 6.x / amd64 - OpenLDAP 2.3.4x - Apache 2.3 - PHP 5.2.5 - WM 1.11.0 from Ports
- TLS works - Proxy User works - I've managed to make things work with our non-standard LDAP tree
So far the only problems that I've encountered
- "Proxy Agent" is ambiguous and even misleading. If you look at something like PADL PAM_LDAP or NSS_LDAP, they simply refer to these as "bindpw" and "bindcn" -- or even a better name is "MetaUser" since LDAP as a whole is ambiguous as to what constitutes a user or identity (a DN).
- WRT groups, It isn't entirely clear which settings control which group a UID=/CN= must be a member of (PADL calls this $pam_groupdn) v.s. how meta-group member _WITHIN_ media-wiki is determined (PADL call it $nss_base_group)
- $wgLDAPProxyAgentPassword isn't accepting a proper SHA1+Base64'd password -- I've resorted to storing it in cleartext. Will debug later.
- $wgLDAPRetrievePrefs isn't documented well -- or it is defaulting to off. It should say/document something like "Enable to extract CN attribute / value pairs from LDAP"
- It is not entirely clear how other mediawiki settings not defined in the posixAccount or inetOrgPerson foundation ObjectClasses for things such as Skins and Editing preferences should be stored (semi-overlapping entries in the SQL database side?)
I will examine these closer during the day today.
~BAS
PS. On that topic of LDAP<->MW prefs, it might be recommended to use a wiki table to map SQL columns in mediawiki.wmuser SQL table to LDAP attributes!
wikidb-# \d mediawiki.mwuser;
Table "mediawiki.mwuser" Column | Type | Modifiers --------------------------+--------------------------+------------------------------------------------------------------ user_id | integer | not null default nextval('mediawiki.user_user_id_seq'::regclass) user_name | text | not null user_real_name | text | user_password | text | user_newpassword | text | user_newpass_time | timestamp with time zone | user_token | character(32) | user_email | text | user_email_token | character(32) | user_email_token_expires | timestamp with time zone | user_email_authenticated | timestamp with time zone | user_options | text | user_touched | timestamp with time zone | user_registration | timestamp with time zone | user_editcount | integer | Indexes: "mwuser_pkey" PRIMARY KEY, btree (user_id) "mwuser_user_name_key" UNIQUE, btree (user_name) "user_email_token_idx" btree (user_email_token)
Ryan et al.:
Congrats on Extension:LDAP_Authentication, You're doing some great work here.
Thanks.
Our systems are:
FreeBSD 6.x / amd64
OpenLDAP 2.3.4x
Apache 2.3
PHP 5.2.5
WM 1.11.0 from Ports
TLS works
Proxy User works
I've managed to make things work with our non-standard LDAP tree
So far the only problems that I've encountered
- "Proxy Agent" is ambiguous and even misleading. If you look at something like PADL PAM_LDAP or NSS_LDAP, they simply refer to these as "bindpw" and "bindcn" -- or even a better name is
"MetaUser" since LDAP as a whole is ambiguous as to what constitutes a user or identity (a DN).
Yeah, this is slightly ambiguous. In some cases it does actually act like a proxy user though. I've thought about changing it in the past, but unfortunately, changing options causes serious support/documentation issues. I could keep backwards compatability, and assign the new variable to the old one in the code, but then the code will start to get messy (and messy usually equals buggy).
- WRT groups, It isn't entirely clear which settings control
which group a UID=/CN= must be a member of (PADL calls this $pam_groupdn) v.s. how meta-group member _WITHIN_ media-wiki is determined (PADL call it $nss_base_group)
Essentially, you use the group settings to let the plugin know how your groups are defined using:
http://www.mediawiki.org/wiki/Ldap#Group_options
Once the wiki knows how to find groups, you can tell the wiki to syncronize groups with mediawiki's groups using:
$wgLDAPUseLDAPGroups
If you want to restrict login access to specific groups, you define those groups in:
$wgLDAPRequiredGroups (this attribute serves the same purpose as pam_groupdn)
If you want the plugin to search inside of specific ou instead of using the basedn, you define:
$wgLDAPGroupBaseDNs (this attribute serves the same purpose as nss_base_group)
I *should* have modeled my plugin a little more off of PADL, but overall the way things work in the plugin arent too far off. PADL has a set of defaults that is geared to a Linux/Unix style LDAP setup; my plugin doesn't, which is why you need to set more options.
- $wgLDAPProxyAgentPassword isn't accepting a proper SHA1+Base64'd password -- I've resorted to storing it in cleartext. Will debug later.
I may have been crazy when I wrote that using hashes works. I know at some point in time I tried it and it worked, but I haven't been able to get that to work in quite a while. I'm considering removing that info from the documentation. If you get it working, please let me know.
- $wgLDAPRetrievePrefs isn't documented well -- or it is defaulting to off. It should say/document something like "Enable to extract CN attribute / value pairs from LDAP"
Essentially everything in the plugin except using TLS defaults to off (and I only default to TLS because I'm paranoid). It does pretty much what it suggests though. It syncs selected preferences from LDAP to MediaWiki (and optionally the opposite way).
- It is not entirely clear how other mediawiki settings not defined in the posixAccount or inetOrgPerson foundation ObjectClasses
for things such as Skins and Editing preferences should be stored (semi-overlapping entries in the SQL database side?)
Unfortunately, none of these preferences are pulled/stored from/in LDAP at the current moment. I'll probably need to make a schema specifically for MediaWiki for this kind of functionality. The good thing is, MediaWiki stores a majority of its preferences in a blob in the database; so, I can just map the needed non-blob preferences to existing LDAP attributes, and make one new (binary) attribute for the blob in LDAP. Mapping the preferences back and forth is easy enough, and it done in a completely overlapping way on the SQL database side.
I will examine these closer during the day today.
~BAS
PS. On that topic of LDAP<->MW prefs, it might be recommended to use a wiki table to map SQL columns in mediawiki.wmuser SQL table to LDAP attributes!
wikidb-# \d mediawiki.mwuser;
Table "mediawiki.mwuser" Column | Type | Modifiers
--------------------------+--------------------------+--------
user_id | integer | not null default nextval('mediawiki.user_user_id_seq'::regclass) user_name | text | not null user_real_name | text | user_password | text | user_newpassword | text | user_newpass_time | timestamp with time zone | user_token | character(32) | user_email | text | user_email_token | character(32) | user_email_token_expires | timestamp with time zone | user_email_authenticated | timestamp with time zone | user_options | text | user_touched | timestamp with time zone | user_registration | timestamp with time zone | user_editcount | integer | Indexes: "mwuser_pkey" PRIMARY KEY, btree (user_id) "mwuser_user_name_key" UNIQUE, btree (user_name) "user_email_token_idx" btree (user_email_token)
I've been avoiding adding any tables/columns to the database. I'd like the plugin to be as non-obtrusive as possible. Preferences are thankfully easy to map back and forth. I get them from LDAP, and update the local database. When a user changes their options in the wiki, the wiki updates LDAP (this part is optional). As mentioned earlier, if I add a binary attribute to LDAP for mediawiki preferences, that'll kill most of the issues.
One attribute I desperately need is an external_id attribute in MediaWiki's user table. I'll probably try again to get this added to the schema. If I can't get this added, I'll probably make a seperate table just for that. This is needed for automatic renaming of users when a username changes in LDAP.
Thanks for the feedback!
V/r,
Ryan Lane
Yeah, this is slightly ambiguous. In some cases it does actually act like a proxy user though. I've thought about changing it in the past,
[.... such is the way of things... ]
http://www.mediawiki.org/wiki/Ldap#Group_options
Once the wiki knows how to find groups, you can tell the wiki to syncronize groups with mediawiki's groups using:
$wgLDAPUseLDAPGroups
I have found, that, for the moment it would be best to use locally administered groups instead of LDAP groups since:
1) As you said, no LDAP Schema is yet defined to keep the user_options array found in SQL in LDAP instead
2) My POSIX group membership wont be 1:1 with my MediaWiki group membership, so I'm going to have to log in as a local admin to adjust group membership anyway.
I'll definitely probably take the time to set a new ou=wikiGroups once prefs can be stored in LDAP, but that's not really high-priority for me ATM.
I did notice that when you populate the UID in SQL from an LDAP user, you are not utilizing the posixAccount objectClass value "uidNumber", which would be nice (maybe a feature in the future). The database schema defaults an Index auto-incrementing, but it doesn't require it.
If you want to restrict login access to specific groups, you define those groups in:
$wgLDAPRequiredGroups (this attribute serves the same purpose as pam_groupdn)
Yea, I figured that out. One thing I did notice (This is a behavioral note) :
In PALD (PAM or NSS), the way a groups works is that it is an object-class "posixGroup", with a CN= like:
cn=Wiki,ou=appAccess,o=foo,dc=collaborativefusion,dc=com
Then, there will be a "multi-value" attribute such as:
memberUid
memberUID will contain the Fully Qualified DNs/names of users such:
cn=Joe Blow,ou=People,o=foo,dc=collaborativefusion,dc=com cn=John Brown,ou=People,o=foo,dc=collaborativefusion,dc=com
Where as, when LDAPRequiredGroups runs a query, it searches:
"(&(memberUid=[seklecki])(objectclass=posixGroup))"
- ObjectClass of course is configurable which is nice - memberUID is only being passed the "uid=value" section of a full CN previously searched by the Proxy User
As an example debugging output, you might see:
[ ... log excerpt ... ] Doing a proxy bind Using base: ou=People,o=foo,dc=collaborativefusion,dc=com
userdn is: cn=Brian \ Seklecki,ou=People,o=foo,dc=collaborativefusion,dc=com
Search string: (&(memberUid=seklecki)(objectclass=posixGroup))
[ ... end ... ]
So it's just just chopping an the value of attribute "uid=" out of the 1st matched proxy search result and using that as the search string when checking group membership
... where we differ here from PADL is that they search for entire DN= string previously matched. So here memberUid just contains an itemized list of UIDs.
Just a little bit of knowledge that will help new users accustomed to PADL setup their Wiki.
Thanks again for your efforts!
~BAS
IMPORTANT: This message contains confidential information and is intended only for the individual named. If the reader of this message is not an intended recipient (or the individual responsible for the delivery of this message to an intended recipient), please be advised that any re-use, dissemination, distribution or copying of this message is prohibited. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system.
http://www.mediawiki.org/wiki/Ldap#Group_options
Once the wiki knows how to find groups, you can tell the wiki to syncronize groups with mediawiki's groups using:
$wgLDAPUseLDAPGroups
I have found, that, for the moment it would be best to use locally administered groups instead of LDAP groups since:
- As you said, no LDAP Schema is yet defined to keep the
user_options array found in SQL in LDAP instead
Groups are handled seperately from user_options. The plugin does update group membership in the local database.
My POSIX group membership wont be 1:1 with my MediaWiki group membership, so I'm going to have to log in as a local admin to adjust group membership anyway.
I'll definitely probably take the time to set a new ou=wikiGroups once prefs can be stored in LDAP, but that's not really high-priority for me ATM.
You can make new posix groups that are meant for the wiki, or you can use something other than posix groups.
I did notice that when you populate the UID in SQL from an LDAP user, you are not utilizing the posixAccount objectClass value "uidNumber", which would be nice (maybe a feature in the future). The database schema defaults an Index auto-incrementing, but it doesn't require it.
My plugin doesn't create the users in the local database, MediaWiki's core software does.
I wouldn't want the software to mess with the local database's userid, especially since I'd want to be able to store things other than numbers in it. Active Directory, for instance, uses SUIDs and GUIDs, which are non-numeric. Having an external id column in the table would suffice though. Honestly what you *really* want to store in the database is something that uniquely describes your user. If you have multiple domains (like an OpenLDAP, and an Active Directory domain), the uidNumber attribute may not be unique. In this case you may want to store something like "employeeNumber".
This becomes even more important when you start thinking about smartcards, and other auto-login technologies. Your smartcard may not have your username, but may instead have your name+employeeNumber, or name+someOtherUniqueID.
If you want to restrict login access to specific groups, you define those groups in:
$wgLDAPRequiredGroups (this attribute serves the same purpose as pam_groupdn)
Yea, I figured that out. One thing I did notice (This is a behavioral note) :
In PALD (PAM or NSS), the way a groups works is that it is an object-class "posixGroup", with a CN= like:
cn=Wiki,ou=appAccess,o=foo,dc=collaborativefusion,dc=com
Then, there will be a "multi-value" attribute such as:
memberUid
memberUID will contain the Fully Qualified DNs/names of users such:
cn=Joe Blow,ou=People,o=foo,dc=collaborativefusion,dc=com cn=John Brown,ou=People,o=foo,dc=collaborativefusion,dc=com
Where as, when LDAPRequiredGroups runs a query, it searches:
"(&(memberUid=[seklecki])(objectclass=posixGroup))"
- ObjectClass of course is configurable which is nice
- memberUID is only being passed the "uid=value" section of a full CN previously searched by the Proxy User
As an example debugging output, you might see:
[ ... log excerpt ... ] Doing a proxy bind Using base: ou=People,o=foo,dc=collaborativefusion,dc=com
userdn is: cn=Brian \ Seklecki,ou=People,o=foo,dc=collaborativefusion,dc=com
Search string: (&(memberUid=seklecki)(objectclass=posixGroup))
[ ... end ... ]
So it's just just chopping an the value of attribute "uid=" out of the 1st matched proxy search result and using that as the search string when checking group membership
... where we differ here from PADL is that they search for entire DN= string previously matched. So here memberUid just contains an itemized list of UIDs.
You aren't using the regular posix way ;). Normally the openLDAP client is setup to search for the uid attribute in memberUid, not the full DN. If you need to use the full DN, you need to use this option:
$wgLDAPGroupUseFullDN
Notice this is the way Active Directory holds group members as well.
V/r,
Ryan Lane
On Wed, 2008-01-09 at 10:12 -0600, Lane, Ryan wrote:
One attribute I desperately need is an external_id attribute in MediaWiki's user table. I'll probably try again to get this added to the schema.
Out of curiosity, what was the objection last time?
One attribute I desperately need is an external_id attribute in MediaWiki's user table. I'll probably try again to get this added to the schema.
Out of curiosity, what was the objection last time?
I didn't officially get denied. I asked the developers in IRC, and got a few "it might be ok", and a few "your plugin should just create a table".
I'll ask around again, and if I get any good responses I'll put in a ticket. I'll have to find a developer willing to commit a schema change though; I don't like to muck around the core code, and very much don't want to make a schema change.
mediawiki-enterprise@lists.wikimedia.org