Honestly, I would deal with this above MediaWiki, because otherwise
you will end up with maintenance work going forward, in addition to
possibly having to repeat this for other business areas going forward.

The easiest way is to get them into a central AD. Domain Trusts will
probably be the easiest way for the orgs that already have AD in place,
and for the organisations that are currently not using AD, I would
recommend just setting one up for them (whether it is completely
separate from your existing one, a tree/forest of your current org, or
just in your current organisational AD).

That way you don't create a larger maintenance burden in your
MediaWiki installation.

On 5 January 2017 at 02:34, Daniel Barrett <danb(a)cimpress.com> wrote:
I'm wondering if anyone has dealt with the problem
of wiki usernames no longer being unique. I'll explain....
In our company, we store usernames in Active Directory and use LDAP for MediaWiki
authentication. This has worked reliably for years. Everyone has email addresses ending in
"(a)company.com", and the person with email address "foobar(a)company.com"
automatically gets the MediaWiki username "foobar".
Now, our company has started acquiring other companies, and each one has its own internet
domain (and they don't all use Active Directory, so we are experimenting with Auth0
for multidomain authentication). Suddenly, we can have users named foobar(a)company.com,
foobar(a)anothercompany.com, and foobar(a)thirdcompany.com. If we keep our current solution
for creating usernames, all three of these addresses map to the username
"foobar", and we have A Bad Situation.
Has anyone else encountered this situation? If so, how did you solve it for MediaWiki?
There are several obvious solutions, none of them perfect:
1. Use the entire email address (which is unique) as the MediaWiki username. This affects
all existing accounts as well as new accounts. One side-effect is that some people have
multiple email addresses (me(a)company.com, me(a)anothercompany.com) and these would be
considered different wiki users. That's not a deal-breaker... we can live with it.
2. Somehow map every email address globally to a unique ID, say, with a database table,
and use that ID as the MediaWiki username.
3. Force every domain to use Active Directory, insert a unique ID into some Active
Directory field, and use it as the MediaWiki username. This is not going to happen. We
can't change every company's authentication mechanism.
4. Stop creating usernames automatically, and have users invent their own unique
usernames. Not great in a corporate environment. When usernames don't match real
names, it's inconvenient to locate the real people behind wiki edits.
5. ...?
Any tips appreciated from anyone who has been there before.
Thank you,
DanB
_______________________________________________
MediaWiki-l mailing list
To unsubscribe, go to:
https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
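
A sketch of option 2 from the quoted message (a table that maps each email address to one stable, unique wiki username), added here as an example and not code from either poster. The table name, `LEGACY_DOMAIN`, the `local.domainlabel` naming scheme and the sample addresses are assumptions; the UNIQUE constraint, not the naming scheme, is what prevents two people from sharing an account.

```python
import sqlite3

# Assumption: users of this domain keep their existing bare usernames.
LEGACY_DOMAIN = "company.com"


def open_store(path=":memory:"):
    """Open the mapping table; UNIQUE(username) is the real collision guard."""
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE IF NOT EXISTS identity ("
                 "email TEXT PRIMARY KEY, username TEXT NOT NULL UNIQUE)")
    return conn


def username_for(conn, email):
    """Return the stable wiki username for an email, allocating one if new."""
    email = email.strip().lower()
    local, at, domain = email.rpartition("@")
    if not at or not local or "@" in local or "." not in domain:
        raise ValueError(f"not an email address: {email!r}")
    # Legacy users keep "foobar"; others are qualified by the first domain label.
    base = local if domain == LEGACY_DOMAIN else f"{local}.{domain.split('.')[0]}"
    candidate, n = base, 1
    while True:
        row = conn.execute("SELECT username FROM identity WHERE email = ?",
                           (email,)).fetchone()
        if row:
            return row[0]  # already allocated: never changes afterwards
        try:
            with conn:  # commits on success, rolls back on error
                conn.execute("INSERT INTO identity VALUES (?, ?)",
                             (email, candidate))
            return candidate
        except sqlite3.IntegrityError:
            # Name already held by a different address: try the next suffix.
            n += 1
            candidate = f"{base}-{n}"


if __name__ == "__main__":
    db = open_store()
    # Constructed sample addresses, mirroring the three-domain case above.
    for addr in ("foobar@company.com", "foobar@anothercompany.com",
                 "foobar@thirdcompany.com", "foobar.anothercompany@company.com"):
        print(addr, "->", username_for(db, addr))
```
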