Ryan Lane has submitted this change and it was merged.

Change subject: Prevent searching for AD groups for non AD LDAP
......................................................................


Prevent searching for AD groups for non AD LDAP

Searching non AD LDAP domains for AD groups will result in many entries
in the error.log. A new setting has been added to make it easier to
differentiate between AD and posix LDAP. Default is AD to make sure
current functionality is not changed and to ensure a safe upgrade.

Example usage:
$wgLDAPActiveDirectory = array(
    'testADLDAPDomain' => true, 'testPosixLDAPDomain' => false
);

Change-Id: Id7eb016a3c105fa9e08592f876bd5a8726416b68
---
M LdapAuthentication.php
1 file changed, 6 insertions(+), 3 deletions(-)

Approvals:
  Ryan Lane: Verified; Looks good to me, approved
  jenkins-bot: Checked



diff --git a/LdapAuthentication.php b/LdapAuthentication.php
index 084fe2d..3a4c114 100644
--- a/LdapAuthentication.php
+++ b/LdapAuthentication.php
@@ -73,8 +73,9 @@
 $wgLDAPAutoAuthUsername = "";
 $wgLDAPAutoAuthDomain = "";
 $wgPasswordResetRoutes['domain'] = true;
+$wgLDAPActiveDirectory = array();
 
-define( "LDAPAUTHVERSION", "2.0d" );
+define( "LDAPAUTHVERSION", "2.0e" );
 
 /**
  * Add extension information to Special:Version
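Review bot: The new $wgLDAPActiveDirectory = array(); line has no comment saying that it is keyed by domain name with boolean values. A short comment above it, matching the example usage in the commit message, would document the expected shape. Note also that the empty array means every domain falls through to whatever fallback the getConf() case supplies.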
@@ -466,6 +467,9 @@
                case 'AutoAuthDomain':
                        global $wgLDAPAutoAuthDomain;
                        return $wgLDAPAutoAuthDomain;
+               case 'ActiveDirectory':
+                       global $wgLDAPActiveDirectory;
+                       return self::setOrDefault( $wgLDAPActiveDirectory, 
$domain, false );
                }
                return '';
        }
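Review bot: In the new 'ActiveDirectory' case the fallback passed to setOrDefault is false, so a domain that is absent from $wgLDAPActiveDirectory is treated as non-AD, while the commit message says the default is AD. With the empty-array default from the first hunk, an existing AD install that does not add the setting would stop running the primary group search after upgrade. Suggest passing true as the fallback, or changing the commit message and upgrade notes to say the setting must be set to true for AD domains.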
@@ -1694,8 +1698,7 @@
                $groups = array( "short" => array(), "dn" => array() );
 
                // AD does not include the primary group in the list of groups, 
we have to find it ourselves.
-               // TODO: find a way to only do this search for AD domains.
-               if ( $dn != "*" ) {
+               if ( $dn != "*" && $this->getConf('ActiveDirectory')) {
                        $PGfilter = 
"(&(distinguishedName=$value)(objectclass=user))";
                        $this->printDebug( "User Filter: $PGfilter", SENSITIVE 
);
                        $PGinfo = LdapAuthenticationPlugin::ldap_search( 
$this->ldapconn, $base, $PGfilter );
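Review bot: On the changed condition, getConf('ActiveDirectory')) lacks the spaces inside parentheses that the neighbouring calls use (compare printDebug( ... ) and ldap_search( ... )); suggest $this->getConf( 'ActiveDirectory' ) ). Because the primary group lookup now depends on that setting, an AD domain that is not flagged will silently lose its primary group from $groups, so a printDebug line on the skipped path would make that diagnosable when group-based restrictions behave unexpectedly. Separately, $value is interpolated as-is into $PGfilter in the context lines; worth confirming it is escaped for LDAP filter syntax before it reaches this point.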

-- 
To view, visit https://gerrit.wikimedia.org/r/65865
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: Id7eb016a3c105fa9e08592f876bd5a8726416b68
Gerrit-PatchSet: 3
Gerrit-Project: mediawiki/extensions/LdapAuthentication
Gerrit-Branch: master
Gerrit-Owner: Peterbruin <[email protected]>
Gerrit-Reviewer: DamianZaremba <[email protected]>
Gerrit-Reviewer: Guillaume Beaudoin <[email protected]>
Gerrit-Reviewer: No-L <[email protected]>
Gerrit-Reviewer: Peterbruin <[email protected]>
Gerrit-Reviewer: Ryan Lane <[email protected]>
Gerrit-Reviewer: jenkins-bot

_______________________________________________
MediaWiki-commits mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits