Revamp LDAP :

* Move ldap config to json file
* enable all extensions
* rename options

Author: Félix Piédallu

conf/LocalSettings.php

@@ -135,59 +135,54 @@
 # End of automatically generated settings.
 # Add more configuration options below.
 
-# Enabled extensions. Most of the extensions are enabled by adding
-# wfLoadExtensions('ExtensionName');
-# to LocalSettings.php. Check specific extension documentation for more details.
+# LDAP Settings
+# See https://www.mediawiki.org/wiki/Manual:Active_Directory_Integration
 
-# LDAPProvider
-# https://www.mediawiki.org/wiki/Extension:LDAPProvider
+# wfLoadExtension( 'LDAPAuthorization' );
+wfLoadExtension( 'LDAPAuthentication2' );
+wfLoadExtension( 'LDAPGroups' );
 wfLoadExtension( 'LDAPProvider' );
-
-# PluggableAuth
-# https://www.mediawiki.org/wiki/Extension:PluggableAuth
+wfLoadExtension( 'LDAPUserInfo' );
 wfLoadExtension( 'PluggableAuth' );
+wfLoadExtension( 'Auth_remoteuser' );
 
-$wgPluggableAuth_EnableLocalLogin = true;
+# Yunohost configuration values for config_panel
+$public_wiki = __PUBLIC_WIKI__;
+$local_accounts = __LOCAL_ACCOUNTS__;
+$yunohost_accounts = __YUNOHOST_ACCOUNTS__;
+
+# Configuration of the generic PluggableAuth extension
+$wgPluggableAuth_EnableLocalLogin = $local_accounts;
 $wgPluggableAuth_EnableLocalProperties = true;
+$wgPluggableAuth_EnableFastLogout = true;
+# $wgPluggableAuth_ButtonLabel = "Log In";
 
-# LDAPAuthentication2
-# https://www.mediawiki.org/wiki/Extension:LDAPAuthentication2
-wfLoadExtension( 'LDAPAuthentication2' );
+# Configuration of the Yunohost LDAP+SSO
+if ($yunohost_accounts) {
+  $LDAPProviderDomainConfigs = "$IP/ldapproviders.json";
+  $LDAPProviderDefaultDomain = "yunohost.local";
 
-# Note(decentral1se): leaving here in case we need them one day
-# LDAPGroups
-# https://www.mediawiki.org/wiki/Extension:LDAPGroups
-# wfLoadExtension( 'LDAPGroups' );
+  $wgPluggableAuth_Config["Log In with Yunohost"] = [
+    "plugin" => "LDAPAuthentication2",
+    "data" => [ "domain" => "yunohost.local" ]
+  ];
 
-# Note(decentral1se): leaving here in case we need them one day
-# LDAPUserInfo
-# https://www.mediawiki.org/wiki/Extension:LDAPUserInfo
-# wfLoadExtension( 'LDAPUserInfo' );
+  $wgAuthRemoteuserUserUrls = [
+    'logout' => 'https://__DOMAIN__/yunohost/sso/?action=logout'
+  ];
+}
 
-# Note(decentral1se): leaving here in case we need them one day
-# LDAPAuthorization
-# https://www.mediawiki.org/wiki/Extension:LDAPAuthorization
-# wfLoadExtension( 'LDAPAuthorization' );
+# Auth_remoteuser will read the REMOTE_USER http header (for Yunohost SSO)
+$wgAuthRemoteuserUserName = [
+  getenv('REMOTE_USER'),
+];
 
-# LDAP configuration
-$LDAPProviderDomainConfigProvider = function() {
-  $config = [
-    "LDAP" => [
-      "connection" => [
-        "server" => "localhost",
-        "port" => "389",
-        "basedn" => "dc=yunohost,dc=org",
-        "groupbasedn" => "ou=users,dc=yunohost,dc=org",
-        "userbasedn" => "ou=groups,dc=yunohost,dc=org",
-        "searchattribute" => "uid",
-        "usernameattribute" => "uid",
-        "realnameattribute" => "cn",
-        "emailattribute" => "mail"
-      ]
-    ]
-  ];
+# Allow users to login as other than SSO logged in user
+$wgAuthRemoteuserAllowUserSwitch = true;
 
-  return new \MediaWiki\Extension\LDAPProvider\DomainConfigProvider\InlinePHPArray( $config );
-};
-$createaccount = __CREATE_ACCOUNT__;
-$wgGroupPermissions['*']['createaccount'] = $createaccount;
+# $wgEmailConfirmToEdit = false;
+$wgGroupPermissions['*']['edit'] = $public_wiki;
+$wgGroupPermissions['*']['read'] = $public_wiki;
+$wgGroupPermissions['*']['createaccount'] = $local_accounts;
+$wgGroupPermissions['*']['autocreateaccount'] = true;
+$wgBlockDisablesLogin = true;

conf/ldapproviders.json

@@ -0,0 +1,24 @@
+{
+    "yunohost.local": {
+        "connection": {
+            "server": "localhost",
+            "port": "389",
+            "use-tls": "false",
+            "basedn": "dc=yunohost,dc=org",
+            "userbasedn": "ou=users,dc=yunohost,dc=org",
+            "groupbasedn": "ou=groups,dc=yunohost,dc=org",
+            "searchattribute": "uid",
+            "usernameattribute": "uid",
+            "realnameattribute": "cn",
+            "emailattribute": "mail",
+            "grouprequest": "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\UserMemberOf::factory",
+            "presearchusernamemodifiers": [ "spacestounderscores", "lowercase" ]
+        },
+        "userinfo": [],
+        "authorization": [],
+        "groupsync": {
+            "mapping": {
+            }
+        }
+    }
+}

config_panel.toml

@@ -3,14 +3,32 @@ version = "1.0"
 [main]
 name = "Mediawiki configuration"
 
-
     [main.config]
     name = "Configuration Options"
 
-        [main.config.create_account]
-        ask = "Create account"
-        type = "boolean"
-        yes = true
-        no = false
-        help = "Set to 'true' to allow account creation."
-        bind = "createaccount:__INSTALL_DIR__/LocalSettings.php"
+    [install.public_wiki]
+    ask.en = "Is this Wiki public ?"
+    ask.fr = "Ce Wiki est-il public ?"
+    help.en = "This visibility is handled by Mediawiki, not Yunohost"
+    help.fr = "Cette visibilité est gérée par Mediawiki, pas Yunohost"
+    type = "boolean"
+    default = true
+    bind = ":__INSTALL_DIR__/LocalSettings.php"
+
+    [install.local_accounts]
+    ask.en = "Allow local accounts (non-Yunohost login) ?"
+    ask.fr = "Autoriser les comptes locaux (non connectés à Yunohost) ?"
+    help.en = "If this is enabled, people without a Yunohost account can create an account, local to the wiki."
+    help.fr = "Si activé, les personnes sans compte Yunohost pourront créer un compte local au wiki."
+    type = "boolean"
+    default = false
+    bind = ":__INSTALL_DIR__/LocalSettings.php"
+
+    [install.yunohost_accounts]
+    ask.en = "Link with Yunohost accounts"
+    ask.fr = "Lier aux comptes Yunohost"
+    help.en = "If this is enabled, Yunohost users will be able to login."
+    help.fr = "Si activé, les utilisateurs Yunohost pourront s'authentifier."
+    type = "boolean"
+    default = true
+    bind = ":__INSTALL_DIR__/LocalSettings.php"

manifest.toml

@@ -38,8 +38,8 @@ ram.runtime = "50M"
     default = "/wiki"
 
     [install.init_main_permission]
-    help.en = "Visibility of the wiki pages"
-    help.fr = "La visibilité des pages du wiki"
+    help.en = "Visibility of the wiki (handled by Yunohost)"
+    help.fr = "La visibilité du wiki (gérée par Yunohost)"
     type = "group"
     default = "visitors"
 
@@ -64,12 +64,42 @@ ram.runtime = "50M"
     type = "string"
     default = "YunoWiki"
 
+    [install.public_wiki]
+    ask.en = "Is this Wiki public ?"
+    ask.fr = "Ce Wiki est-il public ?"
+    help.en = "This visibility is handled by Mediawiki, not Yunohost"
+    help.fr = "Cette visibilité est gérée par Mediawiki, pas Yunohost"
+    type = "boolean"
+    default = true
+
+    [install.local_accounts]
+    ask.en = "Allow local accounts (non-Yunohost login) ?"
+    ask.fr = "Autoriser les comptes locaux (non connectés à Yunohost) ?"
+    help.en = "If this is enabled, people without a Yunohost account can create an account, local to the wiki."
+    help.fr = "Si activé, les personnes sans compte Yunohost pourront créer un compte local au wiki."
+    type = "boolean"
+    default = false
+
+    [install.yunohost_accounts]
+    ask.en = "Link with Yunohost accounts"
+    ask.fr = "Lier aux comptes Yunohost"
+    help.en = "If this is enabled, Yunohost users will be able to login."
+    help.fr = "Si activé, les utilisateurs Yunohost pourront s'authentifier."
+    type = "boolean"
+    default = true
+
+
 [resources]
     [resources.sources]
     [resources.sources.main]
     url = "https://releases.wikimedia.org/mediawiki/1.40/mediawiki-1.40.1.tar.gz"
     sha256 = "e05d419de40c6ad03145aca07e08cf995d1ca1667d97793bb73970e2c11b0a04"
 
+    [resources.sources.auth_remoteuser]
+    url = "https://github.com/wikimedia/mediawiki-extensions-Auth_remoteuser/archive/1a72290f4b3f35694a9a0a71d7c17258badca429.tar.gz"
+    sha256 = "4864edde068209a8a72a97238041220d47b3d4cd4c353637dd0857f488b67904"
+    in_subdir = true
+
     [resources.sources.ldap_groups]
     url = "https://github.com/wikimedia/mediawiki-extensions-LDAPGroups/archive/962dcfe5f68241057d6489da2b23f202bf7490f4.tar.gz"
     sha256 = "cd3854f89f240675b14f3472c381a21dcf1254fb11813202879ad25816ddca2b"

scripts/install

@@ -26,13 +26,16 @@ ynh_script_progression --message="Setting up source files..." --weight=4
 
     # Download, check integrity, uncompress and patch the source from app.src
     ynh_setup_source --dest_dir="$install_dir"
+
+    # See https://www.mediawiki.org/wiki/Manual:Active_Directory_Integration
+    ynh_setup_source --dest_dir="$install_dir/extensions/Auth_remoteuser" --source_id="auth_remoteuser"
+    ynh_setup_source --dest_dir="$install_dir/extensions/LDAPAuthorization" --source_id="ldap_authorization"
     ynh_setup_source --dest_dir="$install_dir/extensions/LDAPAuthentication2" --source_id="ldap_authentication2"
+    ynh_setup_source --dest_dir="$install_dir/extensions/LDAPGroups" --source_id="ldap_groups"
     ynh_setup_source --dest_dir="$install_dir/extensions/LDAPProvider" --source_id="ldap_provider"
+    ynh_setup_source --dest_dir="$install_dir/extensions/LDAPUserInfo" --source_id="ldap_userinfo"
     ynh_setup_source --dest_dir="$install_dir/extensions/PluggableAuth" --source_id="pluggable_auth"
 
-    # ynh_setup_source --dest_dir="$install_dir/extensions/LDAPGroups" --source_id="ldap_groups"
-    # ynh_setup_source --dest_dir="$install_dir/extensions/LDAPUserInfo" --source_id="ldap_userinfo"
-    # ynh_setup_source --dest_dir="$install_dir/extensions/LDAPAuthorization" --source_id="ldap_authorization"
 
 chmod -R o-rwx "$install_dir"
 chown -R $app:www-data "$install_dir"
@@ -94,6 +97,7 @@ mv "$install_dir/LocalSettings.php" "$install_dir/LocalSettings.php.orig"
 wiki_name_underscorified="${wiki_name//[^a-zA-Z0-9]/_}"
 
 ynh_add_config --template="../conf/LocalSettings.php" --destination="$install_dir/LocalSettings.php"
+ynh_add_config --template="../conf/ldapproviders.json" --destination="$install_dir/ldapproviders.json"
 
 # This is required to update database schemas
 "php$phpversion" "$install_dir/maintenance/update.php"

scripts/upgrade

@@ -58,14 +58,15 @@ then
 
     # Download, check integrity, uncompress and patch the source from app.src
     ynh_setup_source --dest_dir="$install_dir"
+
+    # See https://www.mediawiki.org/wiki/Manual:Active_Directory_Integration
+    ynh_setup_source --dest_dir="$install_dir/extensions/Auth_remoteuser" --source_id="auth_remoteuser"
+    ynh_setup_source --dest_dir="$install_dir/extensions/LDAPAuthorization" --source_id="ldap_authorization"
     ynh_setup_source --dest_dir="$install_dir/extensions/LDAPAuthentication2" --source_id="ldap_authentication2"
+    ynh_setup_source --dest_dir="$install_dir/extensions/LDAPGroups" --source_id="ldap_groups"
     ynh_setup_source --dest_dir="$install_dir/extensions/LDAPProvider" --source_id="ldap_provider"
+    ynh_setup_source --dest_dir="$install_dir/extensions/LDAPUserInfo" --source_id="ldap_userinfo"
     ynh_setup_source --dest_dir="$install_dir/extensions/PluggableAuth" --source_id="pluggable_auth"
-
-    # ynh_setup_source --dest_dir="$install_dir/extensions/LDAPGroups" --source_id="ldap_groups"
-    # ynh_setup_source --dest_dir="$install_dir/extensions/LDAPUserInfo" --source_id="ldap_userinfo"
-    # ynh_setup_source --dest_dir="$install_dir/extensions/LDAPAuthorization" --source_id="ldap_authorization"
-
 fi
 
 chmod -R o-rwx "$install_dir"
@@ -115,6 +116,8 @@ if (( password_length < 10 )); then
     echo "\$wgPasswordPolicy['policies']['default']['MinimalPasswordLength'] = 10;" >> "$install_dir/LocalSettings.php"
 fi
 
+ynh_add_config --template="../conf/ldapproviders.json" --destination="$install_dir/ldapproviders.json"
+
 # This is required to update database schemas
 "php$phpversion" "$install_dir/maintenance/update.php"