Topic on User talk:Cindy.cicalese

AD authentication for Mediawiki

2A01:9820:2:7:0:0:3E68:2F02 (talkcontribs)

Hi,

You are listed on the Extension:LDAPAuthentication2 page as author. I want to ask: is there a solution for not using a bind account to authenticate against Active Directory? This was possible with the old extension (Extension:LDAP Authentication). I have no good feelings about adding a user and password to a JSON file and having this inside a repo for automatic deployments. Why is this needed? LDAP self-auth should also work fine.

Cindy.cicalese (talkcontribs)

@Osnard implemented this functionality and perhaps could respond here.

2A01:9820:2:7:0:0:3E68:2F02 (talkcontribs)

@Cindy.cicalese thx for the fast response. I sent an email to @Osnard yesterday. I also found it very annoying to have a JSON file with credentials in the webserver root. This makes security much more complex.

I also found it very strange that most of the extensions cannot be installed via composer. This makes automatic deployments with dependency tracking much harder than it should be.

MarkAHershberger (talkcontribs)

> I also found it very strange that most of the extensions cannot be installed via composer.

I think I have deployed this with composer. See mediawiki/ldap-authentication-2 and mediawiki/ldap-provider (though, there is a missing dependency that I should fix).
I know @Osnard deploys these with composer, but Hallo Welt! uses their own repository.

> I also found it very annoying to have a JSON file with credentials in the webserver root

You certainly do not have to do that. You can put the .json file wherever you want and point $LDAPProviderDomainConfigs to it.

2A01:9820:2:4:F2D5:BFFF:FE93:E234 (talkcontribs)

@MarkAHershberger @Cindy.cicalese thx for your feedback, I hope you had a nice Easter.

@MarkAHershberger: The composer stuff was not only for this module. We have a list of extensions we need to use; only a few are available via composer. It would be really good for the future if it were possible to do the complete installation and updates via composer. This would make CI pipelines much better.

@MarkAHershberger: For the JSON file, I still do not see why we need a bind user for the extension. Other tools can do it without.

As I wrote, we try to deploy our installation as Docker images, and hard-coded credentials are a mess. I must now parse two different config file formats (LocalSettings.php and JSON) via a docker-entrypoint script to put the right credentials in via environment variables.

@Cindy.cicalese @MarkAHershberger @Osnard From my view it would be better to have the stuff in LocalSettings.php and, even better, not need a bind user, or make it optional. I have no example for PHP, but for example NetBox (an open source DCIM tool) works without a bind user.

Osnard (talkcontribs)
Cindy.cicalese (talkcontribs)
2A01:9820:2:4:F2D5:BFFF:FE93:E234 (talkcontribs)

@Cindy.cicalese: for me as a user this would be a great improvement.

@Osnard: I sent you an email some days ago about the LDAP question above: why does the extension need a bind user? Have you seen it?

2A01:9820:2:7:0:0:3E68:2F02 (talkcontribs)

@Osnard @Cindy.cicalese I still got no feedback about the initial question: why does it need a bind user?

Osnard (talkcontribs)
2A01:9820:2:4:F2D5:BFFF:FE93:E234 (talkcontribs)

@Osnard I think a self bind would make it much more secure. So you don't need any LDAP user with global read access. And you have no credentials on your servers. I will take a look into the source code. I'm no PHP programmer, but if it is easy I will try to send a patch.

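The thread discusses keeping the bind credentials out of the web root and out of the repository by filling them in from environment variables in a docker-entrypoint script. The sketch below is an added example, not code from any participant or from the extension: the `LDAP_*` variable names and function names are hypothetical, and the key names under `connection` are assumptions to verify against the LDAPProvider documentation.

```shell
#!/bin/sh
# Added example, not LDAPProvider's own code. The key names under "connection"
# are assumptions; verify them against the LDAPProvider docs for your version.

# Escape backslashes and double quotes so a secret cannot break the JSON.
# (Control characters in values are not handled.)
json_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# is_under ROOT DIR: true when DIR is ROOT or lies below it.
is_under() {
    case "$2/" in
        "$1"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# write_ldap_config OUT WEBROOT: render the domain config from LDAP_* variables.
write_ldap_config() {
    out=$1; webroot=$2
    for v in LDAP_DOMAIN LDAP_SERVER LDAP_BIND_DN LDAP_BIND_PASS LDAP_BASE_DN; do
        eval "[ -n \"\${$v:-}\" ]" || { echo "missing \$$v" >&2; return 1; }
    done
    # Resolve symlinks and ".." before comparing against the web root.
    dir=$(cd "$(dirname "$out")" 2>/dev/null && pwd -P) || return 1
    root=$(cd "$webroot" 2>/dev/null && pwd -P) || return 1
    if is_under "$root" "$dir"; then
        echo "refusing to write credentials below web root: $out" >&2
        return 1
    fi
    target=$dir/$(basename "$out")
    # Create the file owner-only before any secret is written to it.
    (umask 077 && : > "$target") && chmod 600 "$target" || return 1
    cat > "$target" <<EOF
{
  "$(json_escape "$LDAP_DOMAIN")": {
    "connection": {
      "server": "$(json_escape "$LDAP_SERVER")",
      "user": "$(json_escape "$LDAP_BIND_DN")",
      "pass": "$(json_escape "$LDAP_BIND_PASS")",
      "basedn": "$(json_escape "$LDAP_BASE_DN")"
    }
  }
}
EOF
}
```

Call it from the entrypoint as `write_ldap_config /etc/mediawiki/ldap.json /var/www/html` (both paths are assumptions) and point `$LDAPProviderDomainConfigs` at the same file.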