Topic on Extension talk:LDAP Authentication

What are the problems with using wgLDAPUseLocal?

Npdoty (talkcontribs)

Most of the users of my wiki have LDAP accounts and so I've set up the LDAP extension with great success. But I also anticipate having a few users that don't have accounts on our LDAP server, but I'd still like to create accounts for them on the wiki.

It appears that the $wgLDAPUseLocal option is available for this case, but it's repeatedly recommended against on this forum and others. What are the problems with using wgLDAPUseLocal? Are there particular security or usability risks I should be aware of? Is it possible to work around these problems for long term use? If I shouldn't set this setting to True for the long term, what is recommended for cases where some users aren't LDAP members?

I would think this is a fairly common use case; here's another request.

Thanks,

Ryan lane (talkcontribs)

The option was meant for transitional purposes. I haven't tested the extension thoroughly with it enabled. Though it works for this, don't be surprised if you run into bugs every once in a while. Notice I've responded in the past often with "won't fix" for bugs related to UseLocal, as they are difficult use cases to solve.

Npdoty (talkcontribs)

Okay, thanks for the info. I'll try to use it just for a single guest account until I can get any new users into our organizational LDAP. So far, so good. I see that the "by email" user creation doesn't work, for example, but that's necessary for the creation of a guest account anyway.

Thanks for your help,
