Jump to content

User:Osnard/LDAP/Proposed Stack

From mediawiki.org

Extension:Auth_remoteuser

[edit]
  • Handles all SSO functionality by implementing a SessionProvider
  • Feature rich (plenty of configurations)
    • Auto creation of users on first time authentication
    • Works for different entry points(index.php, api.php)
    • Allows local account login
  • Actively Maintained?
  • Lacks firing of hook UserLoggedIn. But this can be fixed.

Extension:LDAPProvider

[edit]
  • Provides Domain-specific connection settings and a client interface for all LDAP related extensions

Extension:LDAPGroups

[edit]
  • Binds on hook "UserLoggedIn"
  • Uses client from Extension:LDAPProvider to synchronize user groupson login (be it explicit by Extension:LDAPAuthentication, or implicit by Extension:Auth_remoteuser)

Extension:LDAPUserInfo

[edit]
  • Binds on hook "UserLoggedIn"
  • Uses client from Extension:LDAPProvider to synchronize user information (realname, e-mail, gender, ...) on login (be it explicit by Extension:LDAPAuthentication, or implicit by Extension:Auth_remoteuser)
  • Allows to register callbacks to query any arbitrary LDAP attribute and do whatever you want with it (e.g. write to user preferences or on the user page...)

Extension:LDAPAuthentication

[edit]
  • Injects a Domain selectbox on the login form of Special:Userlogin (@Cindy: Can we do that with PluggableAuth? Can we provide a custom AuthenticationRequest with field definitions?)
    • Allows selection of "local" to skip LDAP
  • Uses client from Extension:LDAPProvider and user provided username/password to bind to LDAP resource to determine whether a user is authenticated or not
  • BIG QUESTION: Build on PluggableAuth or implement independently as PrimaryAuthenticationProvider?

Extension:LDAPAuthorization

[edit]
  • Has a list of LDAP groups as configuration option (to match Extension:LdapAuthentication functionality maybe even two lists: "RequiredGroups" and "ExcludeGroups")
  • Uses client from Extension:LDAPProvider to get all groups (also resolving nested groups!) of the user, after successful authentication.Then compares those groups to the groups in the configured lists to determine whether the user is authorized or not
  • BIG QUESTION: Build on PluggableAuth or implement independently as SecondaryAuthenticationProvider?

(Extension:PluggableAuth)

[edit]
  • Depends on the answer to the BIG QUESTIONS above.