I want to have one account for modifying both an LDAP directory and a MediaWiki. What tactic would you use to do it?
On Thu, 2017-11-16 at 11:26 -0500, John Lewis wrote:
I want to have one account for modifying both an LDAP directory and a MediaWiki. What tactic would you use to do it?
I'm not sure this is a tough issue: the access controls are separate in these cases.
On one hand, from the LDAP directory management side, you only need the ACIs/ACLs in place on the config/tree that would allow writes to appropriate locations. There are plenty of docs on ACI/ACL placement and construction for this.
From the MediaWiki side, you can search users and use an LDAP backend to do password checks (binds) and then use groups to provide authorization control as to "who" can access the wiki.
I hope that helps you,
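The directory-side ACL placement described in the reply above, as an added example that is not part of the original thread. It uses OpenLDAP's cn=config syntax; the database DN `olcDatabase={1}mdb,cn=config`, the `dc=example,dc=com` suffix, the `ou=wiki-managed` subtree and the `cn=directory-editors` group are all assumptions made for illustration.

```ldif
# Added example (hypothetical names): grant write access to one subtree
# to members of a single group, while the same accounts can still be
# used by the wiki for bind-based password checks.
# Rules are evaluated in order and the first matching "to" clause wins:
#   {0} protects password hashes, so editors of the subtree cannot read
#       them; "by anonymous auth" is what allows a bind to be checked
#   {1} is the write grant, scoped to the delegated subtree only
#   {2} leaves everything else read-only for authenticated users
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword
  by self write
  by anonymous auth
  by * none
olcAccess: {1}to dn.subtree="ou=wiki-managed,dc=example,dc=com"
  by group.exact="cn=directory-editors,ou=groups,dc=example,dc=com" write
  by users read
  by * none
olcAccess: {2}to *
  by users read
  by * none
```

Because anonymous access is limited to `auth`, the wiki's user search would have to run as an authenticated service account under these rules.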
On Fri, 2017-11-17 at 12:51 +1000, William Brown wrote:
On Thu, 2017-11-16 at 11:26 -0500, John Lewis wrote:
I want to have one account for modifying both an LDAP directory and a MediaWiki. What tactic would you use to do it?
I'm not sure this is a tough issue: the access controls are separate in these cases.
On one hand, from the LDAP directory management side, you only need the ACIs/ACLs in place on the config/tree that would allow writes to appropriate locations. There are plenty of docs on ACI/ACL placement and construction for this.
From the MediaWiki side, you can search users and use an LDAP backend to do password checks (binds) and then use groups to provide authorization control as to "who" can access the wiki.
I hope that helps you,
Is that configuration self-serviceable, as in the user can request their own account with the permissions I deem them to have?
On Fri, 2017-11-17 at 07:46 -0500, John Lewis wrote:
On Fri, 2017-11-17 at 12:51 +1000, William Brown wrote:
On Thu, 2017-11-16 at 11:26 -0500, John Lewis wrote:
I want to have one account for modifying both an LDAP directory and a MediaWiki. What tactic would you use to do it?
I'm not sure this is a tough issue: the access controls are separate in these cases.
On one hand, from the LDAP directory management side, you only need the ACIs/ACLs in place on the config/tree that would allow writes to appropriate locations. There are plenty of docs on ACI/ACL placement and construction for this.
From the MediaWiki side, you can search users and use an LDAP backend to do password checks (binds) and then use groups to provide authorization control as to "who" can access the wiki.
I hope that helps you,
Is that configuration self-serviceable, as in the user can request their own account with the permissions I deem them to have?
What do you mean by this? As in "make it so anyone can login to the wiki"? Just don't add access controls, i.e. group membership or filter tests, in the MediaWiki LDAP config. Then "anyone with a valid LDAP account" can login, with NO ACI changes needed for OpenLDAP.
Hope that helps. If I recall, MediaWiki has great LDAP connection docs.
On Mon, 2017-11-20 at 12:28 +0100, William Brown wrote:
What do you mean by this? As in "make it so anyone can login to the wiki"? Just don't add access controls, i.e. group membership or filter tests, in the MediaWiki LDAP config. Then "anyone with a valid LDAP account" can login, with NO ACI changes needed for OpenLDAP.
Hope that helps. If I recall, MediaWiki has great LDAP connection docs.
I mean a standard email account, like the kind in any Internet forum, but the user can also manipulate an LDAP tree using the same credentials.
I did a lot of research over the weekend including looking at the slides of the LDAP conferences over the last couple years for clues.
The only already done thing that may do what I want seems to be the proprietary version of LAM https://www.ldap-account-manager.org/lamcms/ .
I think I may be better off writing a plugin to web2ldap and/or MediaWiki so I can be sure it does what I want because I can test and fix it without asking for permission.