Page MenuHomePhabricator

Support multiple LDAP filters in the Phabricator UI
ClosedPublic

Authored by epriestley on Feb 7 2014, 12:10 AM.
Tags
None
Referenced Files
Unknown Object (File)
Sun, Dec 8, 1:12 PM
Unknown Object (File)
Fri, Dec 6, 7:20 PM
Unknown Object (File)
Fri, Nov 29, 6:56 AM
Unknown Object (File)
Fri, Nov 29, 6:56 AM
Unknown Object (File)
Fri, Nov 29, 6:56 AM
Unknown Object (File)
Fri, Nov 29, 6:56 AM
Unknown Object (File)
Fri, Nov 29, 6:09 AM
Unknown Object (File)
Fri, Nov 29, 5:36 AM

Details

Reviewers
btrahan
Maniphest Tasks
Restricted Maniphest Task
Commits
Restricted Diffusion Commit
rPba8925a531c7: Support multiple LDAP filters in the Phabricator UI
Summary

Ref T3208. Not ready for prime time yet.

Test Plan

ldap T.T

Diff Detail

Repository
rP Phabricator
Lint
Lint Skipped
Unit
Tests Skipped

Event Timeline

Needs testing in the wild.

epriestley updated this revision to Unknown Object (????).Feb 7 2014, 12:25 AM
  • Add even more explanatory text.

This is still bad news.

Been running this for over a week now on a multi-hundred user installation and it looks solid.

epriestley retitled this revision from [Draft] Support multiple LDAP filters in the Phabricator UI to Support multiple LDAP filters in the Phabricator UI.
epriestley edited edge metadata.

Users say this works, so let's go for it.

This revision is now accepted and ready to land.Mar 17 2014, 10:04 PM
epriestley updated this revision to Diff 20307.

Closed by commit rPba8925a531c7 (authored by @epriestley).

This commit broke our phabricator instance, we are unable to authenticate, or visit the Auth Proviers page. We are able to visit auth/config/edit/1/ directly.

My config prior to his update is as follows.
Allow Registration: True
Allow Linking Accounts: False
Allow Unlinking Accounts: False
ldap hostname: cs.wwu.edu
ldap port: 389
Base Distinguished Name: DC=cs,DC=wwu,DC=edu
Search Attribute: sAMAccountName
Username Attribute: <BLANK>
Realname Attribute: givenName, sn
LDAP Version: 3
Enable Referals: False
Use TLS: False
Search First: False
Anonymous Username: <BLANK>
Anonymous Password: <BLANK>
Active Directory Domain: cs.wwu.edu

What happens when you attempt to authenticate?
What happens when you attempt to visit /auth/?

/auth/ and /login/ return the following

UNRECOVERABLE FATAL ERROR <<<

Call to undefined method PhutilAuthAdapterLDAP::setSearchAttributes()

/usr/local/www/phabricator/src/applications/auth/provider/PhabricatorAuthProviderLDAP.php:44

┻━┻ ︵ ¯\_(ツ)_/¯ ︵ ┻━┻

If I am authenticated as an admin on revision 7167a72 and then checkout revision ba8925a, while I can't authenticate or login, I can edit the config at auth/config/edit/1/, setting an anonymous username and password, as well as entering sAMAccountName for username attribute, does not solve the probelm.

Oh, maybe you didn't upgrade libphutil/ at the same time up upgraded phabricator/? You should keep the three libraries (libphutil, arcanist and phabricator) in sync and pull them all at the same time. That method was added in D8159, immediately before this change.

(If you did update, you might need to restart apache or php-fpm, since they may have a cached version of the old code in APC.)

DOH. That was the problem. I will make sure that is in our list of tasks for our admins. Thank you very much you rock.

Awesome! Let us know if you run into anything else.

yehangjun added inline comments.
src/applications/auth/provider/PhabricatorAuthProviderLDAP.php
191

I ran into problem when I upgraded my storage from an old version (about one year ago).

This patch: resources/sql/patches/20130619.authconf.php, complaint KEY_SEARCH_ATTRIBUTE and KEY_SEARCH_FIRST were NOT defined in PhabricatorAuthProviderLDAP.
I commented out related lines in the patch and seems it worked anyway.