User:Osnard/LDAP

From mediawiki.org

/Proposed Stack

How it was in the past

Once there was Extension:LDAP Authentication. Besides a lot of other things, it provided the following features:

  • Login based on one or more LDAP/AD backends/domains (obviously requiring PHP's ldap extension)
    • Login capability could be restricted to a certain group membership within the LDAP resource
  • Implicit/automatic login (SSO) in conjunction with $_SERVER['REMOTE_USER'] (provided by Apache mod_auth_kerb, IIS NTLM/Kerberos authentication or some other mechanism)
    • IMPORTANT: This must also work for entry points other than index.php (e.g. api.php, img_auth.php and thumb.php); otherwise requests through those entry points are not authenticated
  • Several user attributes could be fetched from the LDAP resource and automatically written to the MediaWiki database, e.g. user_real_name, user_email and, most important, ...
    • ... group membership set in the LDAP resource could be mirrored into the MediaWiki database (as long as the group actually existed in the wiki configuration; see Manual:$wgGroupPermissions)
  • In the past it also allowed login with a local user account that existed only in the MediaWiki database and not in the LDAP resource. In later versions this became very problematic.

But then User:Ryan lane stopped maintaining the extension and nobody stepped in. As WMF uses this extension internally, they applied some important changes when AuthManager came around. But WMF has announced that they want to get rid of it, so future development is in jeopardy.

There are still some open issues left that should be addressed in future development:

  • Currently all usernames get normalized to lowercase. This means that if you had a user "WikiSysop" before you installed the extension, you will no longer be able to log into the wiki locally, because the name is implicitly changed to "Wikisysop" and therefore not recognized by MediaWiki. Normalization should only apply to users that were created from the LDAP resource.
  • Local user accounts can no longer change their password once the extension is installed.
  • If a username in the LDAP resource contains an underscore (e.g. "Paul_Atreides") it is persisted that way to the MediaWiki database (e.g. "Paul_atreides"). Unfortunately underscores are not allowed in MediaWiki usernames (MediaWiki normalizes them to spaces), so some things (like CSRF token retrieval) break, because lookups are made with "Paul atreides".
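The two normalization problems above (case-folding every name, and letting underscores survive into the stored name) are easy to reproduce and to fix in isolation. The following is an added example and not code from Extension:LDAP Authentication or from any of the extensions discussed on this page; it uses a simplified stand-in for MediaWiki's own canonicalization (which goes through Title and User::getCanonicalName()), and the assumption that LDAP login names are case-insensitive while local MediaWiki names are not.

```php
<?php
// Added example, not code from Extension:LDAP Authentication. The rules below
// are a simplified stand-in for MediaWiki's canonicalization (an assumption of
// this example); the point is which names get case-folded and where
// underscores go.
declare(strict_types=1);

/**
 * The problematic behaviour described above: every login name, local or
 * LDAP, is lowercased and then capitalised, and underscores are kept.
 * "WikiSysop" becomes "Wikisysop", "Paul_Atreides" becomes "Paul_atreides".
 */
function normalizeLegacy(string $name): string {
    return ucfirst(strtolower($name));
}

/**
 * Proposed behaviour:
 *  - underscores are mapped to spaces and whitespace is collapsed, because
 *    MediaWiki treats "Paul_Atreides" and "Paul Atreides" as the same name
 *    and stores the spaced form;
 *  - only names that came from the LDAP resource are case-folded
 *    (assumption: uid / sAMAccountName are matched case-insensitively there);
 *  - local accounts keep their case, so an existing "WikiSysop" still works;
 *  - the first letter is always capitalised, as MediaWiki does with
 *    $wgCapitalLinks enabled.
 */
function normalizeUsername(string $name, bool $fromLdap): string {
    $name = trim(str_replace('_', ' ', $name));
    $name = preg_replace('/\s+/', ' ', $name);
    if ($fromLdap) {
        $name = mb_strtolower($name, 'UTF-8');
    }
    return mb_strtoupper(mb_substr($name, 0, 1, 'UTF-8'), 'UTF-8')
         . mb_substr($name, 1, null, 'UTF-8');
}

// Constructed cases: [input, came from LDAP?, expected stored name]
$cases = [
    ['WikiSysop',     false, 'WikiSysop'],     // local account keeps its case
    ['WikiSysop',     true,  'Wikisysop'],     // LDAP account is case-folded
    ['Paul_Atreides', true,  'Paul atreides'], // underscore -> space, then folded
    ['paul atreides', true,  'Paul atreides'],
    ['Paul_Atreides', false, 'Paul Atreides'], // local: only the underscore changes
];

foreach ($cases as [$input, $fromLdap, $expected]) {
    $legacy = normalizeLegacy($input);
    $fixed  = normalizeUsername($input, $fromLdap);
    printf("%-14s %-5s legacy=%-14s fixed=%-14s %s\n",
        $input, $fromLdap ? 'ldap' : 'local', $legacy, $fixed,
        $fixed === $expected ? 'ok' : 'MISMATCH');
}
```

Run with `php normalize.php`. The legacy column shows the two breakages from the list above (the local "WikiSysop" turned into "Wikisysop", and "Paul_atreides" stored with an underscore); the fixed column only folds names that the caller marks as LDAP-sourced, so a pre-existing local account is left alone, and it stores the spaced form that MediaWiki's own lookups use.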

So what are the alternatives?

There are some extensions from User:Cindy.cicalese and User:MarkAHershberger that seem able to fill the gap:

  • Extension:PluggableAuth - Base extension by Cindy that allows the use of "authorization" and "authentication" plugins. It is compatible with AuthManager.
  • Extension:LDAP Authorization - Extension by Cindy that uses an LDAP resource to authorize a user and therefore allows group-based restrictions. It does not authenticate in any way.
  • Extension:LdapGroups - Extension by Mark that synchronizes LDAP group membership into the local MediaWiki database.
  • Extension:PluggableSSO - Extension by Mark that provides an "authentication" plugin for PluggableAuth and enables SSO (Mark is working on implicit authentication for entry points like api.php).

What needs to be done?

  • Check whether the Cindy/Mark stack can replace "LDAP Authentication" in all aspects listed above
  • If not, what needs to be implemented, and how? A new Extension:PluggableLDAP? How should the other functionality (SSO, group sync, ...) be integrated?