Enable LDAP support on mediawiki #122
Reference: kosmos/chef#122
I am finishing the initial LDIF file that contains the user accounts for the wiki, including newly generated random passwords.
Users will be able to log in using their LDAP account (in the ou=users,dc=kosmos,dc=org group and with the wiki attribute set to enabled)
Users will be able to change their password using ldappasswd
Ubuntu:
sudo apt install ldap-utils
Fedora:
sudo yum install openldap-clients
macOS: LDAP client tools are already installed
This is not running on andromeda and barnard yet. Once we enable LDAP, wiki users that are already logged in will remain logged in, but using their old password will not work to log in once they are logged out.
Update: This is running on andromeda, the wiki is using LDAP auth now. I have sent emails with instructions to replace the temporary password that has been generated for each account.
Because Mediawiki uses PBKDF2-SHA512, we cannot reuse the existing passwords from the database, so I will have to generate random passwords and send one to each user using XMPP or email with the instructions to set their own password using ldappasswd
Refs #107
What do you think about these instructions? I'm open to any improvement or suggestion
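Added example (not code from the kosmos/chef cookbooks) of the migration step described above: every account gets a fresh random temporary password because the MediaWiki PBKDF2-SHA512 digests cannot be reversed, the LDIF entries are emitted under ou=users,dc=kosmos,dc=org, and each user gets the ldappasswd command to replace the temporary password. Assumptions, labelled in the code: the wiki-enablement attribute is literally named `wiki` (the PR only says "the wiki attribute set to enabled"), entries are inetOrgPerson, the server uses OpenLDAP's default {SSHA} userPassword scheme, and the LDAP URI is a placeholder; the sample users are constructed.

```python
import base64
import hashlib
import secrets

# Constructed values for this example; only the base DN comes from the PR.
BASE_DN = "ou=users,dc=kosmos,dc=org"
LDAP_URI = "ldaps://ldap.example.invalid"  # placeholder, not the real server
WIKI_ATTR = "wiki"                          # assumed attribute name


def generate_temp_password(nbytes: int = 16) -> str:
    """Fresh secret from the OS CSPRNG. MediaWiki stores PBKDF2-SHA512
    digests, which are one-way, so nothing from its user table can be
    carried over; every account gets a new temporary password."""
    return secrets.token_urlsafe(nbytes)


def ssha_hash(password: str, salt: bytes = None) -> str:
    """OpenLDAP {SSHA}: base64(sha1(password + salt) + salt), 4-byte salt."""
    if salt is None:
        salt = secrets.token_bytes(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Check a password against a {SSHA} value, the way slapd does on a simple bind."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return secrets.compare_digest(candidate, digest)


def ldif_line(attr: str, value: str) -> str:
    """RFC 2849: values that are non-ASCII, start with space, ':' or '<',
    or end with a space must be base64-encoded and written as 'attr:: '."""
    unsafe = (
        not value.isascii()
        or value[:1] in (" ", ":", "<")
        or value.endswith(" ")
    )
    if unsafe:
        encoded = base64.b64encode(value.encode("utf-8")).decode("ascii")
        return f"{attr}:: {encoded}"
    return f"{attr}: {value}"


def user_entry(uid: str, cn: str, mail: str, temp_password: str) -> str:
    """One inetOrgPerson entry. The wiki attribute needs a local schema
    extension on the server; its name is an assumption here."""
    lines = [
        ldif_line("dn", f"uid={uid},{BASE_DN}"),
        ldif_line("objectClass", "inetOrgPerson"),
        ldif_line("uid", uid),
        ldif_line("cn", cn),
        ldif_line("sn", cn),
        ldif_line("mail", mail),
        ldif_line("userPassword", ssha_hash(temp_password)),
        ldif_line(WIKI_ATTR, "enabled"),
    ]
    return "\n".join(lines) + "\n"


def build_migration(users):
    """Return (ldif_text, {uid: temp_password}). The LDIF goes to the
    server; each password goes to its owner out of band (XMPP or email)."""
    temp = {uid: generate_temp_password() for uid, _cn, _mail in users}
    entries = [user_entry(uid, cn, mail, temp[uid]) for uid, cn, mail in users]
    return "\n".join(entries), temp


def password_change_instructions(uid: str) -> str:
    """The ldappasswd invocation a user runs: -x simple bind as their own DN,
    -W prompts for the temporary password, -S prompts for the new one."""
    return f'ldappasswd -H {LDAP_URI} -x -D "uid={uid},{BASE_DN}" -W -S'


# Constructed sample users (usernames from the thread, addresses made up)
SAMPLE_USERS = [
    ("greg", "Greg", "greg@kosmos.org"),
    ("raucao", "Raucao", "raucao@kosmos.org"),
]

if __name__ == "__main__":
    ldif, passwords = build_migration(SAMPLE_USERS)
    print(ldif)
    for uid, pw in passwords.items():
        print(f"{uid}: temporary password {pw}")
        print("  " + password_change_instructions(uid))
```

The temporary passwords exist only in the returned dictionary, never in the LDIF, so the file can be loaded with ldapadd and then discarded while the secrets are sent out of band. {SSHA} is what a stock slapd expects in userPassword; if the server has the pw-pbkdf2 or pw-argon2 contrib modules loaded, swapping `ssha_hash` for one of those schemes is the only change needed.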
Please also keep in mind that we need to consolidate usernames across services, and as XMPP is already username@kosmos.org, those should be the canonical ones...
Any account that hasn't edited the wiki yet can be deleted outright IMO. Good chance for cleaning up spam accounts too. And maybe we can also set it to login-required-for-editing then, because there's no signup directly on the wiki anymore anyway. Another PITA eliminated.
I have cleaned up the database from spam accounts, now it's only humans that we know: https://wiki.kosmos.org/Special:ListUsers
Only one spam account had managed to create a page, I have deleted it before deleting the account
There are still users who have never edited the wiki, which we should delete, as they don't have to deal with a migration right now.
How does the admin account work after switching to LDAP login? Do we need to be able to log in with it in the first place?
Manuel is the only user that has never edited the wiki now that I have deleted the spam accounts. I will not include him in the migration; we can always create an account for him when he needs one
The Administrator account is created as part of the Mediawiki installation process, now that our own accounts are also admins we do not need to be able to log in with it. Creating an account for it in LDAP won't be necessary
BTW, this is the most important question, by a wide margin:
If you lock in usernames that somebody doesn't want, it'll be hard to change them later across services.
Good.
re: usernames, there is a Renameuser extension that is shipped with MediaWiki and just needs to be enabled: https://www.mediawiki.org/wiki/Extension:Renameuser, in case someone wants to pick a different username than their Wiki username
@raucao you have two accounts on the wiki (Basti and Raucao). Which one do you want as your LDAP login? We can merge both into the same account using this extension and it will update page histories, etc
I just saw Basti is the one in your IPFS profile for Kredits. Should I merge Raucao into it?
I want raucao to be the canonical name, but all my edits are done by basti at the moment.
Activating an extension doesn't tell someone about us switching to LDAP and them having to think about a canonical username and changing it somewhere beforehand. It's only a handful of users, so nobody should have to do anything themselves. At most, choose a new password, but everything else should be valet service.
I checked and we already have anonymous edits disabled on the Kosmos wiki (
$wgGroupPermissions['*']['edit'] = false;
), so spam will not be a problem anymore with registration closed apart from creating a valid account in LDAP
I agree, XMPP accounts make a lot of sense as the canonical account. My wiki account is Gregkare right now, but I'd want it to be greg like my XMPP account.
So the next step would be to send an email to our users who have a wiki account that was used to make at least one edit. I'm going to write an email proposal and post it in this issue so you can edit it and then we can send it some other day
What do you think of this?
Sounds good.
This is running on andromeda, the wiki is using LDAP auth now. I have sent emails with instructions to replace the temporary password that has been generated for each account.
I was able to change my password and log in, exactly like described in the email. 👍
This is ready to merge now. I have updated the PR to a large contribution to include all the things that weren't code (gathering the data, emails, etc)
Splendid! 🎉
greg referenced this pull request 2020-01-28 17:09:56 +00:00
greg referenced this pull request 2020-01-29 17:28:51 +00:00
raucao referenced this pull request 2020-01-29 17:37:59 +00:00