User talk:Ryan lane/LQT Archive 1

SmoothGallery
Hi, are there any examples of how Extension:SmoothGallery looks and works? It would be cool if you could link to a test/example page for this extension. Thanks --128.250.80.15 01:40, 10 January 2007 (UTC)


 * Yeah, I wish I had a publicly available test site. I may look into getting one. The SmoothGallery site has examples of SmoothGallery in action, but nothing that is user modifiable like this extension allows. --Ryan lane 21:32, 11 January 2007 (UTC)


 * I have one now. It is at my sandbox. --Ryan lane 06:55, 3 March 2007 (UTC)

Hi, I get a problem with your smoothgallery extension installed on a Spanish interface wiki http://es.antropologia.diwiki.org. When I edit any article, around 10 "undefined" labels appear after the normal edit button bar.s!? Benjamin bois 17:21, 25 June 2007 (UTC)


 * Yeah, this is a known bug, and the fix is documented on the extension page (Extension:SmoothGallery). This is fixed in MediaWiki 1.10+. --Ryan lane 19:26, 6 July 2007 (UTC)

Memorize
Hi, Ryan.

I've added references to your memorize extension to Wikiversity's quiz project. We're mainly centered around the quiz extension at the moment, but the quiz extension isn't really designed to do pair matching, and your memorize extension looks excellent (the matching mode is great).

Perhaps you could join the quiz project and tell us a bit about how your extension is developing. What stage is it at? Might it be implemented on Wikiversity? Have you got people giving you feedback about it?

Cheers,

McCormack 06:36, 15 April 2007 (UTC)


 * Hello,


 * The memorize extension is a really simple extension. It essentially just adds a parser extension tag, and adds the Memorizable javascript into the headers. People can create regular tables, and add the tag into the table headers. Most of the real development work is over at Memorizable. I believe the license on the javascript would be compatible with the Wikiversity project, and the license on the extension is GPL. If it is added to Wikiversity, I'd be happy to offer any further development necessary.


 * The extension is currently stable. The only change really needed is to make the javascript only output when the extension is actually in use on a page (which is an easy fix).


 * It would be nice if the javascript could handle more than two columns of data, and I may add support for that in the future (if memorizable will accept patches that is). --Ryan lane 13:31, 16 April 2007 (UTC)


 * Hi Ryan. I see that the JS file is released under an "X11 (aka MIT) open source license". Is this compatible with Wikimedia projects? Do you have any contact with the copyright holder of the JS file? McCormack 04:54, 3 May 2007 (UTC)


 * Suggested changes before moving to Wikiversity...
 * It should be able to start in "matching mode".
 * It should be possible to remove the choice between modes.
 * It should be possible not to have the options. (Optional options)


 * McCormack 04:59, 3 May 2007 (UTC)


 * I'll take a look at the javascript to work these changes into the extension. As for the license, it is probably up to Wikiversity whether or not they'll want to use it. The license given says it is fine to use the software in any way as long as the help section, and links to memorizable.org are kept. I'll talk to the developers about how we can meet their license requirements and still be able to modify the code how we like. --Ryan lane 18:10, 4 May 2007 (UTC)


 * One of the things I noticed on reading the licence is that it is a custom version of the X11 open source - and the custom bit is a requirement for a visible credit to the programmer (in the options section). I suspect this would have to go, although I'm sure that information about the origin of the script would be given in the help page we would build for it. Thanks for following up on this! McCormack 18:21, 4 May 2007 (UTC)

Hello, are you sure your extension works with MW 1.11 ? (please, have a look at my question. --Henrique 10:53, 3 November 2007 (UTC)


 * This extension is so simple, the chances of it not working in 1.11 is slim. I haven't tested it, but I commented on the talk page; you don't have it configured properly. --Ryan lane 13:52, 5 November 2007 (UTC)
 * Hello, here is a french translation of your extention, working here, hope it will be ok. --Henrique 18:17, 12 November 2007 (UTC)


 * The javascript itself is from memorizable.org. For international support, you may want to work with them. I'd imagine they'd love a translation. I'll work the internationalization into the plugin; thanks for the help. --Ryan lane 19:44, 15 November 2007 (UTC)

LDAP Authentication
Hi Ryan. Any idea when you might be able to get to "1.1f: Add options to specifiy search bases for users, and groups"? We need to specify a different base for our groups. &mdash;JEREMY 16:05, 6 June 2007 (UTC + 8.00)


 * I'm out of the country for work right now. I've been working on the plugin some out here though, and I just added that in a couple of days ago. I'll send it up to the SVN server when I get back (a few days from now). --Ryan lane 05:15, 10 June 2007 (UTC)


 * Good stuff! Thanks for that! &mdash;JEREMY 15:45, 11 June 2007 (UTC + 8.00)


 * Sorry for the wait, I've added that change in the latest SVN version. The version in SVN (revision 23338) is currently stable. I'll be releasing it soon, but you don't really need to wait for the release. Just make sure to use revision 23338. --Ryan lane 21:06, 24 June 2007 (UTC)


 * Thanks again. Err... So, how do we actually go about implementing groups search? Where do we specify the base, for example? &mdash;JEREMY 11:41, 26 June 2007 (UTC + 8.00)


 * Wow, you want documentation too!? ;) Kidding of course. I just added the config options to Extension:LDAP Authentication --Ryan lane 14:27, 28 June 2007 (UTC)


 * When we $wgLDAPUseLDAPGroups = array("Interzone"=>true); we get Warning: in_array: Wrong datatype for second argument in LdapAuthentication.php on line 1401. Where we should start debugging? &mdash;JEREMY 10:32, 04 July 2007 (UTC + 8.00)


 * Well, that looks like a bug, but it may be happening because you may be missing some configuration. What does the rest of your configuration look like?


 * Like this:

$wgLDAPDomainNames = array("Interzone"); $wgLDAPServerNames = array("Interzone"=>"spike.per.[SLD].[TLD]"); $wgLDAPUseLocal = false; $wgLDAPEncryptionType = array("Interzone"=>"clear"); $wgLDAPSearchAttributes = array("Interzone"=>"uid"); $wgLDAPBaseDNs = array("Interzone"=>"ou=People,dc=[SLD],dc=[TLD]"); $wgLDAPGroupBaseDNs = array("Interzone"=>"ou=Groups,dc=[SLD],dc=[TLD]"); $wgLDAPGroupUseFullDN = array("Interzone"=>"false"); $wgLDAPLowerCaseUsername = array("Interzone"=>true); $wgLDAPGroupObjectclass = array("Interzone"=>"posixGroup"); $wgLDAPGroupAttribute = array("Interzone"=>"memberUid"); $wgLDAPGroupNameAttribute = array("Interzone"=>"cn");
 * 1) $wgLDAPUseLDAPGroups = array("Interzone"=>true);
 * (Actual [SLD] and [TLD] redacted.)
 * When we uncomment the $wgLDAPUseLDAPGroups line, we get the error. &mdash;JEREMY 10:34, 10 July 2007 (UTC + 8.00)


 * I've summed up how to do group synchronization as well here: Extension:LDAP_Authentication I'll try to track down the bug, make it output a warning, and fail gracefully. --Ryan lane 19:24, 6 July 2007 (UTC)


 * Ah; it's the quotes around "false" in the line following the one commented-out in the listing above. We remove those and it works!&mdash;JEREMY 14:38, 12 July 2007 (UTC + 8.00)

Working with the Access Control extension?
Hi Ryan. We've got the group restrictions stuff working (thanks!) but we're now trying to use the LDAP groups with the Access Control extension. It's not working out of the box, and we're having difficulty verifying that the LDAP groups are actually being exposed to mediawiki in such a way that the GBAC extension can see them. Any tips for beginners?&mdash;JEREMY 15.06, 18 July 2007 (UTC + 8.00)


 * Hmm... I haven't looked at this much (as those extensions really just provide an illusion of security). I think the author of the plugin wrote a patch to work with the LDAP plugin. Although, I may be thinking of another one of those access control extensions. I'll take a look when I get a chance. --Ryan lane 21:08, 23 July 2007 (UTC)


 * Is there some easy way for us to view/expose the groups that your plugin has grepped from the directory?&mdash;JEREMY 12.20, 01 August 2007 (UTC + 8.00)


 * As far as I can remember, the groups are actually created in the wiki when you add group permissions in LocalSettings.php. Once the groups have permissions associated, they should be exposed in the interface. --Ryan lane 19:06, 6 August 2007 (UTC)


 * Thanks very much; we're all sorted now. Great work, btw! &mdash;JEREMY 18.50, 13 August 2007 (UTC + 8.00)

Password Encryption
Ryan, In your example you have the following

$wgLDAPProxyAgentPassword = array( "testLDAPdomain"=>"{SHA}KqYKj/f81HPTIeAUav2eJt85UUc=" );

What method are you using to encrypt the password? And are there any requirements for changes made to a core mediawiki install to allow for this?


 * Although this should work, it seems to be hit or miss depending on the LDAP server and configuration. I got that password using phpldapadmin though. --Ryan lane 21:06, 23 July 2007 (UTC)

Ryan, your extention effectively "authenticates" by pulling the userPassword value. This isn't actual authentication. A) This requires userPassword attribute be exposed to *everybody* - this is the LDAP equivalent of leaving your shadow password file world readable. It's a "Really bad idea."

Here's a debug log from slapd after I've spent 3 hours tracking down "Why isn't ldap allowing auth?"

=> access_allowed: auth access to "uid=daemon,dc=example,dc=com" "userPassword" requested => acl_get: [1] attr userPassword access_allowed: no res from state (userPassword) => acl_mask: access to entry "uid=daemon,dc=example,dc=com", attr "userPassword" requested => acl_mask: to value by "", (=0) <= check a_dn_pat: cn=manager,dc=example,dc=com <= check a_dn_pat: self <= check a_dn_pat: anonymous <= acl_mask: [3] applying auth(=xd) (stop) <= acl_mask: [3] mask: auth(=xd) => access_allowed: auth access granted by auth(=xd) send_ldap_result: conn=0 op=0 p=3 send_ldap_result: err=49 matched="" text="" send_ldap_response: msgid=1 tag=97 err=49 conn=0 op=0 RESULT tag=97 err=49 text= daemon: epoll: listen=7 active_threads=0 tvp=NULL daemon: activity on 1 descriptor daemon: activity on: 11r daemon: read active on 11 connection_get(11) connection_get(11): got connid=0 connection_read(11): checking for input on id=0 connection_read(11): input error=-2 id=0, closing. Basically, what this translates to, is a protocol violation. Your extention doesn't understand ldap saying "No, I'm not going to let you see your userPassword hash until you auth." your extention attempts to pull down the userPassword again, ldap says "I'm granting you permission to authenticate" at which point your extention basically slams the connection closed.

... Basically, your extention needs to be able to handle the situation where anonymous is NOT granted world read access to critical data that must in a hostile network be revealed at most to the person who owns it. Or, where your extention actually attempts to authenticate *before* trying to pull down password hashes. The fact that you recommend putting the pw hash in the LocalSettings.php file alone reveals that you're doing a straight compare - the hash is a salted, one way hash - you cannot derive the pwd from the hash, ergo, you don't know the password... You just compare the hashes.


 * I believe I had support for comparing hashes at some point in time in the plugin (which is likely why the documentation mentioned using hashes), but the support isn't there anymore. I've removed the information in the documentation about using hashes for passwords. Your intepretation of what the plugin does is completely wrong however.


 * To be clear, the plugin will only do one of two things (unless you are using SSL Authentication):
 * Try to bind as the user
 * Bind as a proxyagent, find the user's DN, and then try to bind as the user


 * This is truly the best way to do authentication. Both compares, and/or pulling userPassword are truly bad ideas. When you use a compare, the password can't be salted... This opens you up to rainbow table attacks.


 * A good security practice is to create a user specific to what you need; meaning, the user only has very limited access. In the case of a proxy agent, the user should only have the ability to search for specific attributes needed for finding DNs, or groups, or auth attributes, or whatever preferences you are pulling. In this case, using a clear text password only opens you to a very selective (and known) amount of risk. Either way, it is better than allowing anonymous access.


 * If you still aren't assured that the plugin isn't secure enough for your tastes, you are welcome to peruse the code. I've done security audits of the code a number of times, but it always helps having more eyes looking! --Ryan lane 17:24, 3 March 2008 (UTC)

Error by finding getURL
I have installed SmoothGalery! Upload the SmoothGallery.php in my extensions Folder and the SmoothGallery Folder in extensions folder. And insert this in my LocalSettings.php

$wgUseImageResize = true; include("extensions/SmoothGallery.php"); $wgSmoothGalleryExtensionPath = "/mediawiki/extensions/smoothgallery"; $wgSmoothGalleryDelimiter = "\n" ;

I get the following error:

Fatal error: Call to a member function getUrl on a non-object in /www/htdocs/v110248/other/mediawiki/extensions/SmoothGallery.php on line 241

Line 241 ist: $full_thumb = $full_thumb_obj->getUrl;

What i wan't to do is:

 Image:001.jpg Image:002.jpg


 * I haven't tested smoothgallery with any recent versions of mediawiki. I just finished updating another plugin, so this one is on my todo list next. --Ryan lane 00:38, 20 August 2007 (UTC)


 * THX! Please tell when you fix it! My e-mail is: rpgtiger2k3@msn.com
 * --Kampfschaf 12:36, 20 August 2007 (UTC)


 * It should be working fine. I tested this recently with MediaWiki 1.11; use the newest version from SVN. --Ryan lane 13:46, 18 October 2007 (UTC)

LDAP help
Hi Ryan,

I'm thoroughly confused, trying to figure out from the start how to get your LDAP extension installed and working. Could you provide help here? Thanks! &mdash; Timotab 13:28, 18 October 2007 (UTC)


 * I can only answer questions that address a specific problem. The documentation is there to give you the basics. For the most part you can just copy and paste from the configuration examples, and change a couple settings and it'll work. --Ryan lane 13:47, 18 October 2007 (UTC)

LDAP question
Hello, Ryan! I have a question about your extention. I need, that Wiki tooks user database not from Wiki's DB, but from External DB where is all employees are registered. It is possible to do this with your extension? Idea is that users with his IntraNet logins may login into Wiki!

Best regards Peter Sokolov, psc@elkor.lv


 * If your external database is an LDAP database of some variety, then yes. --Ryan lane 17:34, 29 November 2007 (UTC)

And what if my external database is another MySQL database? It is possible?


 * No, this plugin can't handle that case. --Ryan lane 19:38, 29 November 2007 (UTC)

IBM / Tivoli LDAP support?
Hi Ryan

we currently use IBM/Tivoli Directory services on an iSeries box (AS400, system i5 .. or what ever you currently want to call it), and I wondered if there was going to be any support for this ? We use this LDAP for all our internal things Bugzilla, sametime etc. and I would love to change our wiki over from a clunky java one to the very cool media wiki ... Do you think its worth attempting to try and get it working with our current set up and see what happens or will it npt work at all?

Thanks in advance - Sharon Bellamy Morpheus UK


 * I haven't run into an LDAP server the plugin doesn't support yet. Your search strings/search attributes may look a little different, but I'd imagine most of the configuration examples should work fine. If you need any help, you can email me through this wiki, or you can continue to post questions here, or on the Extension Talk:LDAP Authentication page. --Ryan lane 13:47, 21 July 2008 (UTC)