[SAC] [OSGeo] #165: Wiki LDAP integration

#165: Wiki LDAP integration
------------------------+-----------------------
Reporter: crschmidt | Owner: astrodog
     Type: task | Status: assigned
Priority: normal | Milestone:
Component: Wiki | Resolution:
Keywords: ldap, wiki |
------------------------+-----------------------

Comment (by strk):

+1 on paying for this.

How about sending an official motion to the list to
make a call for offers to deal with it ?

--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/165#comment:21>
OSGeo <http://www.osgeo.org/>
OSGeo committee and general foundation issue tracker.

Hi,

I volunteer to make the LDAP integration.
I'm an "InActive" SAC member [2].

I've already done so. We need to:
1. Install the LDAP Authentication extension [1];
2. Configure LocalSettings.php
3. Update DB tables
4. Decide if we can write to LDAP from the wiki (e.g. if we allow the
'createaccount' permission in MediaWiki and update LDAP with the new
account).

[1] https://www.mediawiki.org/wiki/Extension:LDAP_Authentication
[2] https://wiki.osgeo.org/wiki/Jorge_Gustavo_Rocha

Best regards,

Jorge Gustavo

_______________________________________________
Sac mailing list
Sac@lists.osgeo.org
https://lists.osgeo.org/mailman/listinfo/sac

5. Decide how to reconcile existing accounts.

This is actually the reason it hasn't happened in the past.

My suggestion is, activate LDAP. Force existing users, when they log in, to
authenticate (link) or create an LDAP account. For any new users, only
allow LDAP-based login. Does this cause problems if the names don't match?

To go the other way opens up the possibility that someone could take
over another person's wiki account by creating a matching LDAP account.

Thanks,
Alex


Hi Alex,

Thanks for your comment. I need to look at the data to have a better
understanding.

Your suggestion is just to create (or link) LDAP accounts from local
wiki accounts when the user logs in, one by one? I thought that we could
try to create new LDAP entries for all local wiki accounts in one batch
and keep logins restricted to LDAP accounts. Each user would receive
an email with a link to update his LDAP entry.

Regards,

Jorge


I hadn't thought about emailing account holders. Yes, you could restrict
to LDAP-only login, but there needs to be a page where we can redirect a
user to set up their LDAP. If they have a wiki account they would need to
log in to verify who they are, unless you were thinking of a unique URL per
email recipient.

There is little hope of trying to figure out LDAP to wiki matches
without user input.

Thanks,
Alex


On Mon, Sep 18, 2017 at 11:36:40PM +0100, Jorge Gustavo Rocha wrote:

> Thanks for your comment. I need to look at the data to have a better
> understanding.

Do you have access to that database already ?

> Your suggestion is just to create (or link) LDAP accounts from local
> wiki accounts when the user logs in, one by one? I thought that we could
> try to create new LDAP entries for all local wiki accounts in one batch
> and keep logins restricted to LDAP accounts. Each user would receive
> an email with a link to update his LDAP entry.

Creating a _new_ LDAP account for every WIKI account would be overkill,
as most WIKI users probably already have an LDAP account.

A match could be found by email, although both LDAP *and* WIKI
accounts did not always verify emails in the past.

Does the LDAP authentication plugin of Wikimedia already allow you
to link an LDAP account to a local account? Or what are the options
to do that?

--strk;

Hi Sandro,

On 19-09-2017 10:53, Sandro Santilli wrote:

> On Mon, Sep 18, 2017 at 11:36:40PM +0100, Jorge Gustavo Rocha wrote:
>
>> Thanks for your comment. I need to look at the data to have a better
>> understanding.
>
> Do you have access to that database already ?

No, I don't.

>> Your suggestion is just to create (or link) LDAP accounts from local
>> wiki accounts when the user logs in, one by one? I thought that we could
>> try to create new LDAP entries for all local wiki accounts in one batch
>> and keep logins restricted to LDAP accounts. Each user would receive
>> an email with a link to update his LDAP entry.
>
> Creating a _new_ LDAP account for every WIKI account would be overkill,
> as most WIKI users probably already have an LDAP account.
>
> A match could be found by email, although both LDAP *and* WIKI
> accounts did not always verify emails in the past.

Only wiki accounts without a matching email in LDAP would be handled.
But I'm just guessing. I need to look at the data.

> Does the LDAP authentication plugin of Wikimedia already allow you
> to link an LDAP account to a local account? Or what are the options
> to do that?

The LDAP extension allows us to log in using either a valid wiki account
or a valid LDAP account. The extension also allows us to create an LDAP
entry when creating a new wiki account (and it will be an LDAP account
and not a local wiki account). It does not provide any logic to create
an LDAP account after a successful login with a local wiki account.

If we want to link each wiki account after a successful login, we can
provide a hook [1] and write the desired behaviour.

[1] https://www.mediawiki.org/wiki/Manual:Hooks

> --strk;

Regards,

Jorge Gustavo
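The reconciliation step that Alex, Sandro and Jorge discuss above (matching by email, not trusting unverified emails, and never letting a same-named LDAP uid claim an existing wiki account without proof of ownership), as an added example; this is not code from the thread, from the OSGeo wiki or from the LDAP extension. It is a stand-alone PHP script over constructed sample data: the field names `name`/`email`/`email_authenticated` and `uid`/`mail` are assumptions (MediaWiki's `user` table has `user_email` and `user_email_authenticated`, and the usual LDAP person schema has `uid` and `mail`, but the script reads neither). It classifies every wiki account as `link`, `ambiguous`, `ask-user` or `block-name-mapping`, which is the list one would want before flipping `$wgLDAPUseLocal` off.

```php
<?php
// Added example: classify existing MediaWiki accounts against LDAP entries
// before enabling LDAP-only login. Sample data below is constructed; the
// field names (name/email/email_authenticated, uid/mail) are assumptions,
// not the real OSGeo wiki or LDAP schema.

function normalizeEmail( ?string $email ): ?string {
    $email = strtolower( trim( (string)$email ) );
    return $email === '' ? null : $email;
}

/**
 * @param array $wikiUsers   list of ['name' => ..., 'email' => ..., 'email_authenticated' => bool]
 * @param array $ldapEntries list of ['uid' => ..., 'mail' => ...]
 * @return array keyed by wiki name: ['action' => ..., 'ldap_uid' => ?string, 'note' => string]
 */
function classifyAccounts( array $wikiUsers, array $ldapEntries ): array {
    $byMail = [];   // mail => [uid, ...]
    $byUid  = [];   // uid  => mail
    foreach ( $ldapEntries as $e ) {
        $uid  = strtolower( $e['uid'] );
        $mail = normalizeEmail( $e['mail'] ?? null );
        $byUid[$uid] = $mail;
        if ( $mail !== null ) {
            $byMail[$mail][] = $uid;
        }
    }

    $report = [];
    foreach ( $wikiUsers as $u ) {
        $name       = $u['name'];
        $key        = strtolower( $name );          // MediaWiki capitalizes the first letter
        $mail       = normalizeEmail( $u['email'] ?? null );
        $verified   = !empty( $u['email_authenticated'] ) && $mail !== null;
        $candidates = $mail !== null ? ( $byMail[$mail] ?? [] ) : [];

        // Alex's case: an LDAP uid equal to the wiki name whose mail does not
        // match this user's *verified* mail. Name-based mapping would hand the
        // wiki account to whoever owns that LDAP entry, so it is refused.
        if ( array_key_exists( $key, $byUid ) && !( $verified && $byUid[$key] === $mail ) ) {
            $report[$name] = [ 'action' => 'block-name-mapping', 'ldap_uid' => $key,
                'note' => 'LDAP uid equals wiki name but ownership is unproven; require wiki login, then link' ];
            continue;
        }
        if ( $verified && count( $candidates ) === 1 ) {
            $uid = $candidates[0];
            $report[$name] = [ 'action' => 'link', 'ldap_uid' => $uid,
                'note' => $uid === $key ? 'same name' : 'wiki user will log in as ' . $uid ];
        } elseif ( $verified && count( $candidates ) > 1 ) {
            $report[$name] = [ 'action' => 'ambiguous', 'ldap_uid' => null,
                'note' => 'several LDAP entries share this mail: ' . implode( ',', $candidates ) ];
        } elseif ( !$verified && count( $candidates ) >= 1 ) {
            // strk's caveat: an unverified mail is a hint, never proof of ownership
            $report[$name] = [ 'action' => 'ask-user', 'ldap_uid' => null,
                'note' => 'unverified mail; possible LDAP uid(s): ' . implode( ',', $candidates ) ];
        } else {
            $report[$name] = [ 'action' => 'ask-user', 'ldap_uid' => null,
                'note' => 'no LDAP entry with this mail' ];
        }
    }
    return $report;
}

// Constructed sample data (no real accounts).
$wikiUsers = [
    [ 'name' => 'Alice', 'email' => 'alice@example.org', 'email_authenticated' => true ],
    [ 'name' => 'Bob',   'email' => 'bob@example.org',   'email_authenticated' => false ],
    [ 'name' => 'Carol', 'email' => 'carol@example.org', 'email_authenticated' => true ],
    [ 'name' => 'Dave',  'email' => 'dave@example.org',  'email_authenticated' => true ],
    [ 'name' => 'Erin',  'email' => 'erin@example.org',  'email_authenticated' => true ],
];
$ldapEntries = [
    [ 'uid' => 'alice',  'mail' => 'Alice@Example.org' ],   // same name, same verified mail -> link
    [ 'uid' => 'bob',    'mail' => 'mallory@example.net' ], // same name, foreign mail -> blocked
    [ 'uid' => 'cjones', 'mail' => 'carol@example.org' ],   // other name, verified mail -> link as cjones
    [ 'uid' => 'dave',   'mail' => 'dave@example.org' ],
    [ 'uid' => 'dave2',  'mail' => 'dave@example.org' ],    // duplicate mail -> ambiguous
];
foreach ( classifyAccounts( $wikiUsers, $ldapEntries ) as $name => $r ) {
    printf( "%-6s %-20s %-8s %s\n", $name, $r['action'], $r['ldap_uid'] ?? '-', $r['note'] );
}
```

The `block-name-mapping` row is the one that matters for the go-live decision: with name-based mapping those accounts would be silently handed to the LDAP entry of the same uid, so they need the "log in with the wiki password, then link" flow Alex describes rather than a batch link. Erin's row (no LDAP entry at all) is the population for the emailed-link approach Jorge proposes.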

On Tue, Sep 19, 2017 at 11:22:42AM +0100, Jorge Gustavo Rocha wrote:

> On 19-09-2017 10:53, Sandro Santilli wrote:
>
>> A match could be found by email, although both LDAP *and* WIKI
>> accounts did not always verify emails in the past.
>
> Only wiki accounts without a matching email in LDAP would be handled.
> But I'm just guessing. I need to look at the data.

Do you need a full dump of the database or is a view enough?
Can you provide instructions to create such an export?
(like, is there a way to "export" data from the UI?)

>> Does the LDAP authentication plugin of Wikimedia already allow you
>> to link an LDAP account to a local account? Or what are the options
>> to do that?
>
> The LDAP extension allows us to log in using either a valid wiki account
> or a valid LDAP account. The extension also allows us to create an LDAP
> entry when creating a new wiki account (and it will be an LDAP account
> and not a local wiki account). It does not provide any logic to create
> an LDAP account after a successful login with a local wiki account.

We want LDAP account creation to be centralized in the current system
(which requires a mantra), so other entry points for LDAP account creation
should be disabled. Rather, the "register" link should point to
http://www.osgeo.org/osgeo_userid

> If we want to link each wiki account after a successful login, we can
> provide a hook [1] and write the desired behaviour.
>
> [1] https://www.mediawiki.org/wiki/Manual:Hooks

Are you able/willing to do so (as a volunteer or paid contributor)?

--strk;
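The LocalSettings.php side of Jorge's steps 2 and 4, together with the centralized account creation Sandro asks for in the last message, as an added example; this is not the OSGeo wiki's real configuration. The domain label `osgeo`, the host `ldap.example.org`, the base DN and the service DN are placeholders. The `$wgLDAP*` names are the ones documented for Extension:LDAP_Authentication; the `autocreateaccount` right and the `PersonalUrls` hook are core MediaWiki (1.27 and later). The permissive variant is kept in comments beside the one that keeps the wiki read-only towards LDAP.

```php
<?php
// LocalSettings.php fragment. Added example, not the OSGeo wiki's actual
// configuration: domain label, server, base DN and service DN are placeholders.

require_once "$IP/extensions/LdapAuthentication/LdapAuthentication.php";
$wgAuth = new LdapAuthenticationPlugin();

$wgLDAPDomainNames      = [ 'osgeo' ];                          // label shown on the login form
$wgLDAPServerNames      = [ 'osgeo' => 'ldap.example.org' ];    // placeholder host
$wgLDAPEncryptionType   = [ 'osgeo' => 'tls' ];                 // never 'clear': user passwords transit this link
$wgLDAPBaseDNs          = [ 'osgeo' => 'dc=example,dc=org' ];   // placeholder DN
$wgLDAPSearchAttributes = [ 'osgeo' => 'uid' ];                 // wiki login name == LDAP uid
$wgLDAPRetrievePrefs    = [ 'osgeo' => true ];
$wgLDAPPreferences      = [ 'osgeo' => [ 'email' => 'mail', 'realname' => 'cn' ] ];

// Migration phase only: local accounts stay usable until they are linked.
// Set to false once reconciliation is finished so that logins are LDAP-only.
$wgLDAPUseLocal = true;

// Weak variant (step 4 taken literally: the wiki writes into LDAP):
//   $wgLDAPAddLDAPUsers   = [ 'osgeo' => true ];
//   $wgLDAPUpdateLDAP     = [ 'osgeo' => true ];
//   $wgLDAPWriterDN       = [ 'osgeo' => 'cn=wiki,ou=services,dc=example,dc=org' ];
//   $wgLDAPWriterPassword = [ 'osgeo' => '...' ];
// That hands the web front end a write-capable LDAP bind and creates a second
// place where identities are minted. Centralized variant: the wiki only binds
// read-only and creation stays with http://www.osgeo.org/osgeo_userid.
$wgLDAPAddLDAPUsers = [ 'osgeo' => false ];
$wgLDAPUpdateLDAP   = [ 'osgeo' => false ];

// No account creation through Special:CreateAccount; auto-creation of the
// local shadow record on a first successful LDAP login stays allowed.
$wgGroupPermissions['*']['createaccount']     = false;
$wgGroupPermissions['*']['autocreateaccount'] = true;

// Send the "Create account" personal link to the central registration page
// instead of the (now disabled) local form.
$wgHooks['PersonalUrls'][] = function ( array &$personal_urls, $title, $skin ) {
    if ( isset( $personal_urls['createaccount'] ) ) {
        $personal_urls['createaccount']['href'] = 'http://www.osgeo.org/osgeo_userid';
    }
    return true;
};
```

The order of operations matters: `$wgLDAPUseLocal = true` is what keeps the takeover window open that Alex describes (a local account and an LDAP uid with the same name both resolve to one wiki user), so it should be turned off as soon as the linking pass is done, and `$wgLDAPAddLDAPUsers`/`$wgLDAPUpdateLDAP` should never be enabled on a public wiki that is not the system of record for identities.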