[Wikitech-l] Scheduled database maintenance (9 Feb)

2016-02-09 Thread Jaime Crespo
Between 23:00 and 23:59 UTC, February 9th 2016 there is a scheduled
maintenance window that will affect some of the wikis hosted by the
Wikimedia Foundation. The maintenance is needed in order to perform
necessary hardware, operating system and database upgrades. During the
upgrade, content on affected wikis will be available at all times, but
edits may fail during approximately 5 minutes within that schedule
(these wikis will be in "read only mode"). The following wikis will be
affected:

bg.wikipedia.org
bg.wiktionary.org
cs.wikipedia.org
en.wikiquote.org
en.wiktionary.org
eo.wikipedia.org
fi.wikipedia.org
id.wikipedia.org
it.wikipedia.org
nl.wikipedia.org
no.wikipedia.org
pl.wikipedia.org
pt.wikipedia.org
sv.wikipedia.org
th.wikipedia.org
tr.wikipedia.org
zh.wikipedia.org

All other wikis will *not* be affected by this maintenance.

I apologize in advance for this disruption and will try to minimize
the duration of the maintenance work.

I will update 

after the maintenance has finished.
-- 
Jaime Crespo


___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Re: [Wikitech-l] Windows Single Sign-On Extension

2016-02-09 Thread Ryan Lane
The best option here is:
https://www.mediawiki.org/wiki/Extension:LDAP_Authentication

I'm not sure why you think LDAP is a wart on Windows. Active Directory is
just LDAP with Kerberos.

Anyway, the LDAP Authentication extension has examples of how to do
auto-auth using kerberos. You still need LDAP for things like group
membership, username conversion, and other integrations.

- Ryan


Re: [Wikitech-l] Download link to properly packed extension

2016-02-09 Thread Stephan Gambke
I now used 
https://github.com/wikimedia/mediawiki-extensions-FooBar/archive/someTag.zip
GitHub will put the files in a folder named
mediawiki-extensions-FooBar-someTag, which is not ideal, but better
than risking a mess in the .../extensions folder.
If there is a better solution I'd still be interested.

Stephan

On 8 February 2016 at 23:51, Stephan Gambke  wrote:
> It is possible to download extensions in ZIP format from the WMF repo
> using a link like this:
>
>   
> http://git.wikimedia.org/zip/?r=mediawiki/extensions/FooBar.git=someTag=zip
>
> However, this will produce a package with the extension's files in its
> root folder. An unsuspecting user will probably simply extract this
> package into the .../extensions folder with all its files ending up
> there instead of in the extensions subfolder.
>
> The ExtensionDistributor will provide correctly built packages, but it
> is apparently only working on MW release tags, e.g. REL1_26.
>
> Is there any way to download correctly built packages with tags other
> than the MW releases?
>
> Stephan


Re: [Wikitech-l] Download link to properly packed extension

2016-02-09 Thread Addshore
Hi!

Take a look at https://www.mediawiki.org/wiki/Special:ExtensionDistributor

And thus http://extdist.wmflabs.org/dist/extensions/

Addshore


[Wikitech-l] Windows Single Sign-On Extension

2016-02-09 Thread François St-Arnaud
Hello,

To enable Single Sign-On to a MediaWiki hosted on IIS in a Windows Domain, the 
best MediaWiki extension I could find was NTLMActiveDirectory.
https://www.mediawiki.org/wiki/Extension:NTLMActiveDirectory

However, I had two peeves with this extension:
1) Its name; I'm not doing NTLM, but Negotiate and Kerberos; and
2) Its use of LDAP; feels too much like a wart on Windows!

See, I'm sitting on an IIS box on a Windows domain with Integrated Windows 
Authentication enabled. By the time the MW extension gets hit, IIS has already 
authenticated the user, so why not just leverage that instead?

I therefore used NTLMActiveDirectory as a starting point, but threw out all the 
LDAP stuff and replaced it with a simple Web call to an IIS-hosted handler to 
get the AD group membership for the already authenticated user. Of 
NTLMActiveDirectory, I kept the AD / MW group mapping configuration required 
for authorization. 

Personally, I find this solution much simpler and intuitive for AD integration 
when hosting MW on a Windows/IIS box.

Does this make sense to others in the community?
Do others feel there was a need for a better AD integration extension?
Would others in the community benefit from such an extension?

If so, I would be happy to share my work, following instructions found here:
https://www.mediawiki.org/wiki/Writing_an_extension_for_deployment

Regards,

François


Re: [Wikitech-l] Windows Single Sign-On Extension

2016-02-09 Thread François St-Arnaud
Thanks, I'll take a closer look at your extension.

Well, although I understand that using LDAP against AD is supposed to work
mostly seamlessly, I've had trouble trying to use it in our client's domain,
mostly due to GPOs and other security constraints. For one thing, LDAP, even
TLS-secured, is not authorized for authentication in the domain. Also, LDAP
starts to feel like a wart -- or an overkill -- when I have to require and
configure a PHP LDAP client on the Web server and send LDAP requests when I
know that the web server I'm sitting on, IIS, has already authenticated the user
via Negotiate/Kerberos and already knows the user's AD group membership and
other such information.

Hence, I feel that the approach of a simple loopback call from the extension 
back to a .NET ASHX web handler -- which is readily available via an API in 
that environment -- is more elegant. For example, to get the AD group 
membership of the currently logged-in user (some lines removed for clarity):

In PHP, using curl:

$curl = curl_init();
curl_setopt($curl, CURLOPT_URL, 'roles.ashx');
curl_setopt($curl, CURLOPT_RETURNTRANSFER, true); // return the body; without this curl_exec() echoes it and returns true
$result = curl_exec($curl);
curl_close($curl);
// The handler answers with a JSON array of group names, so decode it instead of wrapping the raw string
$wgAuth->userADGroups = json_decode($result, true);

In C#, in a roles.ashx file deployed with the extension on the IIS server:

using System.Web;
using System.Web.Script.Serialization;
using System.Web.Security;

// Returns the AD group membership of the user IIS has already authenticated
// (Integrated Windows Authentication) as a JSON array of strings.
public class RolesHandler : IHttpHandler {
  public void ProcessRequest (HttpContext context) {
    // "text\json" is not a valid MIME type; use the JSON media type
    context.Response.ContentType = "application/json";
    // Roles.GetRolesForUser() resolves the roles of context.User, i.e. whoever
    // authenticated this request, so the loopback call must arrive as that user
    string[] roles = Roles.GetRolesForUser();
    // Serialize instead of hand-building the array so that group names
    // containing quotes or backslashes are escaped correctly
    context.Response.Write(new JavaScriptSerializer().Serialize(roles));
    context.Response.End();
  }

  public bool IsReusable { get { return true; } }
}

- François

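The MediaWiki/PHP side of the loopback design François describes, as an added example that is not code from his extension or from NTLMActiveDirectory: it reads the user IIS has already authenticated, asks a roles.ashx handler for that user's AD groups, validates the response and maps the groups onto MediaWiki groups through an explicit allowlist. Assumptions: IIS populates $_SERVER['REMOTE_USER'] for the PHP request; the handler URL and its "user" query parameter are hypothetical, the handler is reachable only from loopback (IIS IP restriction) and uses the Roles.GetRolesForUser(username) overload; the group names and mapping are constructed.

```php
<?php
// Added example (not the author's extension code). Assumes IIS Windows
// Authentication sets $_SERVER['REMOTE_USER'] for the PHP request and that
// roles.ashx (hypothetical URL/parameter) answers only loopback requests with a
// JSON array of AD group names for the user named in its "user" parameter.
const ROLES_HANDLER_URL = 'http://127.0.0.1/roles.ashx';

/** Accept only DOMAIN\name or name@realm forms; reject anything else. */
function validateIisUser( $user ) {
    return is_string( $user )
        && preg_match( '/^[A-Za-z0-9._-]+(\\\\[A-Za-z0-9._$-]+|@[A-Za-z0-9.-]+)?$/', $user ) === 1;
}

/** Fetch the AD groups of $user from the loopback handler; null on any failure. */
function fetchAdGroups( $user ) {
    if ( !validateIisUser( $user ) ) {
        return null;
    }
    $curl = curl_init( ROLES_HANDLER_URL . '?user=' . rawurlencode( $user ) );
    curl_setopt_array( $curl, [
        CURLOPT_RETURNTRANSFER => true,   // get the body back instead of echoing it
        CURLOPT_CONNECTTIMEOUT => 2,
        CURLOPT_TIMEOUT        => 5,
        CURLOPT_FOLLOWLOCATION => false,  // never follow a redirect off the loopback host
    ] );
    $body = curl_exec( $curl );
    $status = curl_getinfo( $curl, CURLINFO_HTTP_CODE );
    curl_close( $curl );
    if ( $body === false || $status !== 200 ) {
        return null;
    }
    $groups = json_decode( $body, true );
    // Accept only a flat list of strings; anything else means the handler misbehaved.
    if ( !is_array( $groups ) ) {
        return null;
    }
    foreach ( $groups as $g ) {
        if ( !is_string( $g ) ) {
            return null;
        }
    }
    return $groups;
}

/**
 * Map AD groups to MediaWiki groups through an explicit allowlist, in the
 * spirit of the AD / MW group mapping configuration the author kept:
 * only groups listed in $mapping grant anything; unknown groups grant nothing.
 */
function mapAdGroupsToMwGroups( array $adGroups, array $mapping ) {
    $mwGroups = [];
    foreach ( $adGroups as $adGroup ) {
        $key = strtolower( $adGroup );   // AD group names are case-insensitive
        if ( isset( $mapping[$key] ) ) {
            foreach ( (array)$mapping[$key] as $mwGroup ) {
                $mwGroups[$mwGroup] = true;
            }
        }
    }
    return array_keys( $mwGroups );
}

// Constructed sample mapping (keys lower-cased, DOMAIN\Group form);
// in a real extension this would come from LocalSettings.php.
$wgSsoGroupMapping = [
    'corp\wiki-editors' => [ 'editor' ],
    'corp\wiki-admins'  => [ 'sysop', 'bureaucrat' ],
];

$user = isset( $_SERVER['REMOTE_USER'] ) ? $_SERVER['REMOTE_USER'] : '';
$adGroups = fetchAdGroups( $user );
// Fail closed: if the handler could not be reached or answered garbage, grant no groups.
$mwGroups = $adGroups === null ? [] : mapAdGroupsToMwGroups( $adGroups, $wgSsoGroupMapping );
```

With the handler restricted to loopback, the "user" parameter is trusted only because nothing but PHP on the same box can reach it; if the handler is exposed more widely, that parameter lets any caller look up any user's groups, so the IP restriction is part of the design, not an option.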

Re: [Wikitech-l] Windows Single Sign-On Extension

2016-02-09 Thread Ryan Lane
If this is what you'll need, you're going to need to write a custom
extension. None of the existing auth extensions do this.


Re: [Wikitech-l] Scheduled database maintenance (9 Feb)

2016-02-09 Thread Jaime Crespo
Upgrade seems to have gone well. Read-only mode was enabled for a
bit longer than I initially expected: approximately between 23:16 and
23:30, but all within the scheduled maintenance window. Most of the
time was spent monitoring that the switchover was done correctly, and
that traffic was not affected after the fact.

s2 master is now running a modern operating system version (Debian
Jessie) and the latest version of MariaDB 10 on a new host, and no
replication lag or major issues were detected after the failover. I
will continue monitoring that shard and wikis for stability and
performance.

If you find any further issues, please use Phabricator[0] to
communicate this to us.

[0] 


-- 
Jaime Crespo



Re: [Wikitech-l] Windows Single Sign-On Extension

2016-02-09 Thread François St-Arnaud
Right. As mentioned in my first post, I already have created a custom extension 
using this approach and NTLMActiveDirectory as a starting point.
Now, I wonder if it is worth sharing with the community, if others would 
benefit from an LDAP-less SSO solution for MW hosted on IIS?


Re: [Wikitech-l] Windows Single Sign-On Extension

2016-02-09 Thread Ryan Lane
Never hurts :)


[Wikitech-l] MediaWiki core master now requires 5.5.9+ and other CI changes

2016-02-09 Thread Legoktm
Hi,

 has been merged, so MediaWiki
core now requires PHP 5.5.9 or higher to run. We had to make some (read:
a lot of) CI changes for that to happen; here's a quick summary:

* php53 jobs are only triggered for REL1_2[3-6] branches
* php55 jobs are only triggered for branches that are not REL1_2[3-6]
* All extensions that previously had php53 tests now run them under both
hhvm and php55
* composer related jobs were renamed to standardize with other CI jobs

Since this is a large change for extensions, I went ahead and ran jobs
for all extensions that have unittests, and collected the results:
. Please
take a look to see if your extension(s) are failing, and fix or file
bugs as needed! Some of the failures aren't even related to HHVM/PHP5.5,
the repos have just been broken.

And if you run into any CI related issues, please file a bug in the
#CI-Config Phab project!

-- Legoktm
