https://bugzilla.wikimedia.org/show_bug.cgi?id=47873
Web browser: ---
Bug ID: 47873
Summary: Nested groups support broken for 1000+ groups
Product: MediaWiki extensions
Version: master
Hardware: All
OS: All
Status: UNCONFIRMED
Severity: normal
Priority: Unprioritized
Component: LdapAuthentication
Assignee: [email protected]
Reporter: [email protected]
Classification: Unclassified
Mobile Platform: ---
The nested groups support in LdapAuthentication is not feature complete, nor
optimized.
1) Active Directory (and probably others) support a nested group directive in the
filter directly. Example:
(memberOf:1.2.840.113556.1.4.1941:=CN=group,OU=Groups,DC=domain,DC=com) where
the magic numbers mean recursive lookup at the server side.
2) Group lookup should support paged ldap search when available (PHP 5.4+),
else you'd run the risk of missing groups when member of 1000+ groups.
3) For pure authorization, not all ldap groups need to be resolved recursively
if you get a hit on the first search (performance)
4) Group CN converted to all lowercase, thus not finding any groups containing
uppercase characters in Active Directory
5) Debug log not accurate;
- Username listed with first char as uppercase, even though input is all
lowercase (search string, and user filter)
- "basedn is not set for this type of entry, trying to get the default
basedn." -> Should contain expected configuration option, and what the default
basedn gets set to
Another limitation currently is SSL certificate issues, which get masked as
"bind failed". I'd suggest supporting `ldap_set_option(NULL,
LDAP_OPT_DEBUG_LEVEL, 7);` with output to debug log, when debug enabled.
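
Points 1 to 4 of the report, sketched as an added example (not LdapAuthentication code and not from the reporter): a server-side recursive membership check and a paged group listing that keep DN case and escape filter values. Assumptions: PHP 7.3+ with ext-ldap (paging passed as a search control), an already-bound connection, hypothetical function names, and the `member` form of the same matching rule for listing groups, which the report does not mention.

```php
<?php
// Added example; function names are hypothetical. $link is a bound LDAP connection.
const IN_CHAIN = '1.2.840.113556.1.4.1941'; // OID quoted in the report

// Authorization only: one base-scope read on the user entry; the server
// walks the nesting, so no client-side recursion is needed.
function isMemberRecursive($link, string $userDn, string $groupDn): bool
{
    // Escape the DN as a filter value and keep its case (no strtolower()).
    $filter = '(memberOf:' . IN_CHAIN . ':='
        . ldap_escape($groupDn, '', LDAP_ESCAPE_FILTER) . ')';
    $result = ldap_read($link, $userDn, $filter, ['dn']);
    // A failed read counts as "not a member" (deny by default).
    return $result !== false && ldap_count_entries($link, $result) === 1;
}

// Full transitive group list, fetched page by page so that results beyond
// the server's page limit are not silently dropped.
function listGroupsRecursive($link, string $baseDn, string $userDn, int $pageSize = 500): array
{
    $filter = '(member:' . IN_CHAIN . ':='
        . ldap_escape($userDn, '', LDAP_ESCAPE_FILTER) . ')';
    $groups = [];
    $cookie = '';
    do {
        $controls = [[
            'oid'   => LDAP_CONTROL_PAGEDRESULTS,
            'value' => ['size' => $pageSize, 'cookie' => $cookie],
        ]];
        $result = ldap_search($link, $baseDn, $filter, ['cn'], 0, 0, 0,
            LDAP_DEREF_NEVER, $controls);
        if ($result === false) {
            // Fail closed: a partial list must not be used for authorization.
            throw new RuntimeException('group search failed: ' . ldap_error($link));
        }
        ldap_parse_result($link, $result, $errcode, $matchedDn, $errmsg, $referrals, $returned);
        if ($errcode !== 0) {
            throw new RuntimeException("group search error $errcode: $errmsg");
        }
        $entries = ldap_get_entries($link, $result);
        for ($i = 0; $i < $entries['count']; $i++) {
            $groups[] = $entries[$i]['dn']; // DN exactly as the server returned it
        }
        // An empty cookie means the last page has been read.
        $cookie = $returned[LDAP_CONTROL_PAGEDRESULTS]['value']['cookie'] ?? '';
    } while ($cookie !== '');
    return $groups;
}
```

When comparing returned DNs against configured group names, use a case-insensitive comparison rather than lowercasing the value sent to the server.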