Extension:ConfirmAccount/Integration with LDAP Authentication extension

From MediaWiki.org

This page explains how to integrate with LDAP.

Issue

Using this extension together with the LDAP Authentication extension is not optimal. We want to achieve LDAP authentication for users that have passed the ConfirmAccount steps, i.e. been approved by the wiki sysop. So we have turned off the autocreation of users that try to log on to the wiki and use their LDAP password; if they now use the ConfirmAccount request form, the username they fill in will be checked against the LDAP server and the message back is that the username already exists. It's true that it exists in LDAP but not in the wiki; this scenario is good but lacks one thing, and that is that the request form can't be sent.

The check against LDAP is good; we now know that it's a real id on the account form, and now we need to be able to send the account request to the wiki sysop, who will approve or reject the request. After approval of the request the user can log in with his username and LDAP password.

There should be a check: if the username doesn't exist in the wiki database but exists in LDAP, the request form should be sent. If the username doesn't exist in LDAP, the request form should not be sent. And if the username exists in the wiki database or in the request queue, the request form should not be sent.

For the moment I just commented out the code that made the check if the user exists in LDAP, and it works as I want, but I lose the possibility to only allow LDAP users to make requests. Any comments/advice on this?

regards Hex

I can make a configuration variable for this. However, it will need to check that the local and global (ldap) accounts have the same password. Aaron 15:28, 23 August 2008 (UTC)
I do not see why the account password in the wiki must match the ldap password.

After the account is created, the user will log on with his LDAP userid (which will be the same as his wiki id) and the password will be authenticated against the LDAP server.

The user will not receive the created wiki password in the confirmation mail, so he/she will be unaware of it or at least not know it.

The local password will not be used at logon. Only LDAP authentication is allowed.

We don't have access to add an LDAP id, just userid/password validation.

The matrix of how we wanted to have the account creation in the wiki when using LDAP Authentication and ConfirmAccount together:

WIKIid    LDAPid    Result account creation
No        No        Deny creation of account in wiki (request form will say nothing for the moment)
No        Yes       Allow creation of account in wiki
Yes       No        Dup id in wiki, deny creation in wiki (request form will say userexists)
Yes       Yes       Dup id in wiki, deny creation in wiki (request form will say userexists)

I have now altered the code in RequestAccount_body.php like this, around line 261.

This lets the user submit the request form without getting the message that the account exists (in LDAP).

He will unfortunately not get a message that the account doesn't exist in LDAP if it really doesn't exist in LDAP, but the form can't be submitted.

# Check if already in use: original code disabled by hex, new code below
#    if( 0 != $u->idForName() || $wgAuth->userExists( $u->getName() ) ) {
#        $this->showForm( wfMsgHtml('userexists') );
#        return;
#    }
# new code by hex
    # Deny with the 'userexists' message if the username already has a wiki account
    if( 0 != $u->idForName() ) {
        $this->showForm( wfMsgHtml('userexists') );
        return;
    }
    # Deny (without a message) if the username does not exist in LDAP
    if( !$wgAuth->userExists( $u->getName() ) ) {
        return;
    }
Also needed to change ConfirmAccount_body.php around line 432.
This lets the sysop confirm the request and get the wiki account created; the same goes here about the message to the sysop if the LDAP account really doesn't exist
(should only happen if the LDAP account was deleted after the request was made).

# Check if already in use: original code disabled by hex, new code below
#    if( 0 != $user->idForName() || $wgAuth->userExists( $user->getName() ) ) {
#        $this->showForm( wfMsgHtml('userexists') );
#        return;
#    }
# new code by hex
    # Deny with the 'userexists' message if the username already has a wiki account
    if( 0 != $user->idForName() ) {
        $this->showForm( wfMsgHtml('userexists') );
        return;
    }
    # Deny (without a message) if the username no longer exists in LDAP
    if( !$wgAuth->userExists( $user->getName() ) ) {
        return;
    }

I must also say thank You for this extension

/hex
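The three-way check described above (no local account, not already in the request queue, present in LDAP), written out as an added example rather than the extension's or hex's own code. It returns a message key for each failure case, including the "does not exist in LDAP" case that hex's patch leaves silent, and can optionally verify the requester's LDAP credentials, which is the point Aaron raises about requests made in another LDAP user's name. The table name account_requests, the column acr_name, and the message keys requestpending and noldapaccount are assumptions.

```php
<?php
// Added example, not code from the ConfirmAccount extension. Assumes MediaWiki of the
// same era as the thread ($wgAuth is an AuthPlugin, wfGetDB/DB_SLAVE, wfMsgHtml) and
// that pending requests live in an account_requests table with an acr_name column.

function checkAccountRequestAllowed( $name, $password = null ) {
	global $wgAuth;

	$u = User::newFromName( $name );
	if ( !$u ) {
		return 'noname'; // syntactically invalid username
	}

	// Matrix rows 3 and 4: a local wiki account already exists -> deny.
	if ( 0 != $u->idForName() ) {
		return 'userexists';
	}

	// Username already waiting in the ConfirmAccount queue -> deny.
	// (table/column names are an assumption, see lead-in)
	$dbr = wfGetDB( DB_SLAVE );
	$pending = $dbr->selectField( 'account_requests', 'acr_id',
		array( 'acr_name' => $u->getName() ), __METHOD__ );
	if ( $pending ) {
		return 'requestpending'; // hypothetical message key
	}

	// Matrix row 1: no LDAP account -> deny, but tell the user why.
	if ( !$wgAuth->userExists( $u->getName() ) ) {
		return 'noldapaccount'; // hypothetical message key
	}

	// Optional: require proof that the requester holds the LDAP credentials,
	// so a request cannot be filed in the name of an arbitrary LDAP user.
	if ( $password !== null && !$wgAuth->authenticate( $u->getName(), $password ) ) {
		return 'wrongpassword';
	}

	return null; // matrix row 2: LDAP account exists, nothing local -> allow
}

// Call site in the form handler, in place of the two ifs in hex's patch:
//   $err = checkAccountRequestAllowed( $name );
//   if ( $err ) { $this->showForm( wfMsgHtml( $err ) ); return; }
```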

If you don't check the passwords, then any person can create an account in the name of an LDAP user and then be treated as that user. Aaron 22:32, 28 August 2008 (UTC)
We do validation against LDAP, so if someone creates an account request for another id and that request is approved and the user has confirmed the email address, then when logging on with the LDAP id you must know the password of the LDAP id, not the local password (never used and never mailed out to the user, i.e. the local password is unknown to all).