GRASS GIS wiki: connect to OSGeo LDAP

[neteler]

Given the tons of spam registrations, we would like to see the GRASS GIS wiki connected to OSGeo's LDAP.

Perhaps the approach of the main OSGeo Wiki could be cloned here?

[robe]

@neteler,

How many accounts do you have in Grass GIS Wiki so far. I'm thinking for Grass, might be easier to just have the LDAP plugin and I manually merge the existing accounts to their LDAP.

Or we could do the same. Anyway I can setup a dev for this on our dev server with ldap and wikitoldap plugin installed and see if that works okay.

[neteler]

Looking at ​https://grasswiki.osgeo.org/w/index.php?title=Special:ListUsers

there are currently 748 users plus some hundred blocked spammers. However, only a fraction of these > 700 users registered since 2008 will be still valid/active.

[neteler]

@robe: we'd be happy to proceed on the grasswiki-ldap connection. If you see a chance...

[robe]

Yap I'll try to get the ball rolling probably sometime this weekend or later in the week.

[robe]

I set up a dev server to get the ball rolling which is just snapshot of prod

​https://grasswiki.staging.osgeo.org/wiki/GRASS-Wiki

I'll test out upgrading the wiki and then incorporating LDAP authentication on this. I'll let you know once it's ready to test out.

[robe]

Still working thru this as I feared because grasswiki is running mediawiki 1.37, getting I think it might be the same error i got when trying to upgrade wiki past 1.3.5

[19455a4cf382d9ed0706a41e] /wiki/Special:PluggableAuthLogin Error: Call to a member function getAuthManager() on null

Backtrace:

from /var/www/grass/grass-wiki/w/extensions/LDAPAuthentication2/src/PluggableAuth.php(280)
#0 /var/www/grass/grass-wiki/w/extensions/WikiToLDAP/includes/PluggableAuth.php(54): MediaWiki\Extension\LDAPAuthentication2\PluggableAuth->getAuthManager()
#1 /var/www/grass/grass-wiki/w/extensions/PluggableAuth/includes/PluggableAuthLogin.php(36): MediaWiki\Extension\WikiToLDAP\PluggableAuth->authenticate()
#2 /var/www/grass/grass-wiki/w/includes/specialpage/SpecialPage.php(647): PluggableAuthLogin->execute()
#3 /var/www/grass/grass-wiki/w/includes/specialpage/SpecialPageFactory.php(1366): SpecialPage->run()
#4 /var/www/grass/grass-wiki/w/includes/MediaWiki.php(314): MediaWiki\SpecialPage\SpecialPageFactory->executePath()
#5 /var/www/grass/grass-wiki/w/includes/MediaWiki.php(930): MediaWiki->performRequest()
#6 /var/www/grass/grass-wiki/w/includes/MediaWiki.php(564): MediaWiki->main()
#7 /var/www/grass/grass-wiki/w/index.php(53): MediaWiki->run()
#8 /var/www/grass/grass-wiki/w/index.php(46): wfIndexMain()
#9 {main}

Anyway it sounds like there might have been a major change with newer PlugabbleAuth so I may need to set some other items ​https://www.mediawiki.org/wiki/Extension:PluggableAuth

as discussed there:

Versions 6.0 and 7.0.0 of PluggableAuth are significant upgrades. The configuration variable $wgPluggableAuth_Config is required in version 6.0 and later. The plugins must be compatible with the version of PluggableAuth installed.

So I need to check the versions of things to make sure I am running the right things

[annakrat]

Any update on this? Signing up for GRASS wiki is rather difficult due to all the spam. Thanks

[robe]

Sadly not yet. Plan to work on this some more this weekend.

[robe]

Okay I finally got ldap working on the staging server. I don't have a local account so not sure the wikiToLDAP migration piece is working, since it would only kick in for existing accounts. But I was able to log in with my OSGeo account.

As part of the process I also upgraded to wiki 1.39, since 1.37 is no longer considered LTS.

Please give a try here: ​https://grasswiki.staging.osgeo.org

and let me know if all seems to be working. The renaming accounts does seem to have worked. They are all prefixed with triangles (the default prefix of wikiToLdap)

[neteler]

Great work, robe!

I could successfully login and edit (see ​https://grasswiki.staging.osgeo.org/wiki/Special:RecentChanges).

[robe]

Replying to neteler:

Great work, robe!

I could successfully login and edit (see ​https://grasswiki.staging.osgeo.org/wiki/Special:RecentChanges).

Not sure this is an issue, I do see your old account is gone as expected, but your new account doesn't seem to be member of bureaucrat or adminstrator. Do you have admin rights you see or no?

If not have to figure out what went wrong there.

[robe]

Okay maybe it's just a security thing it doesn't show those on the user page.

I see you listed here - ​https://grasswiki.staging.osgeo.org/wiki/GRASS-Wiki:Administrators

and your's is hyperlinked but Martin's isn't presumably because he has not merged his account.

[martinl]

I tried to log in on staging using my LDAL credentials and it works! Thanks for your effort!

[annakrat]

Thanks! I don't think the user rights work yet, I should be in administrators too, and I don't see neteler there either:

​https://grasswiki.staging.osgeo.org/w/index.php?title=Special%3AUserRights&user=Annakrat

[robe]

Replying to annakrat:

Thanks! I don't think the user rights work yet, I should be in administrators too, and I don't see neteler there either:

​https://grasswiki.staging.osgeo.org/w/index.php?title=Special%3AUserRights&user=Annakrat

Okay I'll investigate this a bit more to see what could be wrong. Are any of you neteler, martinl, annakrat able to do any admin things?

Wondering if it's just the merge is not working so not carrying over your permissions or its just a display issue.

[neteler]

I have way less menu entries in the left side menu.

However, ​https://grasswiki.staging.osgeo.org/wiki/Special:SpecialPages looks the same as in the production wiki.

[robe]

I fear those SpecialPages might not be so special. Not sure how to block them from being seen. I think we have similar issue on wiki.osgeo.org. I'm going to flash back the staging before you all logged in in a bit and see if there is some config thing I missed.

[annakrat]

Replying to robe:

Okay I'll investigate this a bit more to see what could be wrong. Are any of you neteler, martinl, annakrat able to do any admin things?

Wondering if it's just the merge is not working so not carrying over your permissions or its just a display issue.

I don't have entries in More dropdown on a page to Delete and Protect, not sure what else to test.

[robe]

Can you try logging in again. I think I missed the $WikiToLDAPMigrationInProgress = true;

I restored from current prod backup and reran the migration. Please give a try again and see if you have admin rights after you log in.

[annakrat]

Thank you for looking into it, unfortunately, still no admin rights...

[robe]

Moving my prior still open items to the next proposed Milestone

[neteler]

@robe here a wish from the today's GRASS GIS PSC meeting:

We wish to have the OSGeo-LDAP connection enabled so that we can move on (the fact that no logins in the current Wiki are possible is a showstopper for GSoC, NFS POSE grant, and other activities we run).

We may than manually upgrade the few buerocrat accounts manually if they get lost in the transition.

Would it be possible to rank this higher in priority?

[robe]

Okay I think there were some other issues I ran into staging beyond the ldap. The ldap I think was working. You want me to just push ahead to production later this weekend, and we'll deal with whatever issues arise. I'll create a snapshot of the production before I upgrade it so we can always switch back if needed.

[neteler]

This sounds to be the best choice at time since we are fairly stuck with the existing prod version. Thanks for your efforts!

[robe]

Okay I've upgraded grasswiki.osgeo.org to Mediawiki 1.41 with LDAP.

Can you log in and see if you still have admin rights. If not I can fix your account on the backend.

Regarding the issue with ​https://grasswiki.osgeo.org/w/index.php?title=Special:ListUsers&group=bureaucrat being broken. I had tested this before installing LDAP and it was broken too. So I suspect might be an issue with upgrade from MediaWiki 1.37 to 1.41 (1.39 was the one we were testing before and had same issue so figured might as well just upgrade to the latest) data in the db having some invalid timestamp since some groups work. I'll investigate that later.

[robe]

Okay I fixed the issue with this page not showing - ​https://grasswiki.osgeo.org/w/index.php?title=Special:ListUsers&group=sysop

Issue was with the sysop account the user registeration started with a linefeed and was missing the last digit, so was only 13 characters, I updated it using

update user set user_registration = '20060818092431' WHERE user_id = 1;

and that made the page load

[neteler]

Trying to login, I get the following error:

Could not authenticate credentials against domain "OSGeo"

Furthermore, all imagery currently shows 404. e.g.

​https://grasswiki.osgeo.org/w/images/Grasslogo_vector_small.png

and

​https://grasswiki.osgeo.org/wiki/WxPython-based_GUI_for_GRASS

Internal error

[31e0bac11090807f93e97504] /wiki/WxGUI TypeError: Argument 1 passed to ParserOutput::addModules() must be of the type array, string given, called in /var/www/grass/grass-wiki/w/extensions/EmbedVideo/EmbedVideo.hooks.php on line 625
...

Perhaps some extensions need to be updated as well?

[robe]

Replying to neteler:

Trying to login, I get the following error:

Could not authenticate credentials against domain "OSGeo"

Strange seems I can log in fine, but maybe cause I didn't have an account already.

Are you sure you are using your LDAP password and not the old wiki credentials? I did remark out one line thinking that was causing the problem with you gaining your admin. But I can unremark it if you can confirm you are using the right password.

Furthermore, all imagery currently shows 404. e.g.

​https://grasswiki.osgeo.org/w/images/Grasslogo_vector_small.png

Okay let me check on this, I might have missed copying over the images

and

​https://grasswiki.osgeo.org/wiki/WxPython-based_GUI_for_GRASS

Internal error

[31e0bac11090807f93e97504] /wiki/WxGUI TypeError: Argument 1 passed to ParserOutput::addModules() must be of the type array, string given, called in /var/www/grass/grass-wiki/w/extensions/EmbedVideo/EmbedVideo.hooks.php on line 625
...

Perhaps some extensions need to be updated as well?

The EmbedVideo is a very old extension, there wasn't a new one I could find. But let me look at that and see if I can patch it. Sounds like a PHP 8 error which is odd cause the PHP is still 7.4

[robe]

Okay this one is interesting ​https://grasswiki.osgeo.org/w/images/Grasslogo_vector_small.png works fine in firefox which is why I didn't notice it cause I usually use firefox, but for some reason in Google it's giving a 404 error. I'm investigating.

[robe]

Okay I must have had it cached in my firefox browser, images issue should be fixed now. The embed video thing I'm still investigating.

[robe]

For EmbedVideo ​https://gitlab.com/hydrawiki/extensions/EmbedVideo,

I see this extension which appears to be much newer than the EmbedVideo one

​https://www.mediawiki.org/wiki/Extension:Video

I'm going to try to swap out the use of EmbedVideo with this one to see if it fixes the issue.

[robe]

Actually found a fork of the extension here that is relatively new - ​https://github.com/StarCitizenWiki/mediawiki-extensions-EmbedVideo so replaced with that one. I couldn't use the latest version of it since the latest version requires PHP 8, but I used the last version supporting PHP 7.4 which is ​https://github.com/StarCitizenWiki/mediawiki-extensions-EmbedVideo/releases/tag/v3.2.8

Let me know if you'd like to try the Extension:Video I mentioned earlier, and I can install that too so you can compare the two.

[neteler]

So, I managed to login (seems I was too tired last night for the LDAP pw..), great! It looks like I have buerocrat rights, at least I see plenty of special pages.

Re: the email problem - I tested emailing myself:

​https://grasswiki.osgeo.org/wiki/Special:EmailUser

Failed to connect to tls://mail.osgeo.org:587 [SMTP: Failed to connect socket: Connection refused (code: -1, response: )]

Besides that, shall I as some GRASS wiki users to try to login?

[neteler]

I next wanted to check the video topic but searching for "videos" (other search words work) leads to an error: ​https://grasswiki.osgeo.org/w/index.php?search=video&title=Special%3ASearch&go=Go

Internal error

[3d72fe5a99baf5ddbbc34950] /w/index.php?search=video&title=Special%3ASearch&go=Go Wikimedia\Assert\PreconditionException: Precondition failed: This Title instance does not represent a proper page, but merely a link target.

Backtrace:

from /var/www/grass/grass-wiki/w/vendor/wikimedia/assert/src/Assert.php(49)
#0 /var/www/grass/grass-wiki/w/includes/title/Title.php(3934): Wikimedia\Assert\Assert::precondition()
#1 /var/www/grass/grass-wiki/w/includes/title/Title.php(3915): MediaWiki\Title\Title->assertProperPage()
#2 /var/www/grass/grass-wiki/w/includes/Revision/RevisionStore.php(1844): MediaWiki\Title\Title->getId()
...

[robe]

I'll take a look at the search issue later today. Looks like your old account did not get deleted, though your new account got created, but doesn't have bureaucrat and other stuff.

I manually added the administrative groups to your new account. But I'm not seeing a "merge and delete account option" to merge your old account writing into your new account so that might be what's missing. Let me fix that before you have too many admins logging in. I think having new users log in should be fine as they never had any permissions to beging with.

[robe]

Replying to neteler:

So, I managed to login (seems I was too tired last night for the LDAP pw..), great! It looks like I have buerocrat rights, at least I see plenty of special pages.

Re: the email problem - I tested emailing myself:

​https://grasswiki.osgeo.org/wiki/Special:EmailUser

Failed to connect to tls://mail.osgeo.org:587 [SMTP: Failed to connect socket: Connection refused (code: -1, response: )]

Besides that, shall I as some GRASS wiki users to try to login?

I have to figure out why ssl/nor tls even on port 25 (and with lists.osgeo.org) is not working. For time being I've taken that off, so it works until I troubleshoot. Might be missing a php extension or something.

I just sent you a test email to confirm.

[robe]

@Neteler,

I think the WikiToLDAP relies on the UserMerge plugin to to do the merge, cause after I installed on staging, I got a prompt to merge my account. However there is a restriction that sysops can't be merged so it still might not work for admins. At anyrate now that the UserMerge plugin is installed, we can manually merge admins if it doesn't do it automatically.

I've manually merged your old ⚠️Neteler to Neteler.

The UserMerge is here - ​https://grasswiki.osgeo.org/wiki/Special:UserMerge and only available to adminstrators and sysops, so you should be able to use it for merging administrators that log in. In theory other users should automatically merge, hopefully admins to.

If you do need to manually merge people, you need to remove the old user from any admin groups, otherwise will give a notice you can't merge admin account.

[robe]

Forgot to say, go ahead and invite other admins to log in and see if it automatically merges their account.

[robe]

Replying to neteler:

I next wanted to check the video topic but searching for "videos" (other search words work) leads to an error: ​https://grasswiki.osgeo.org/w/index.php?search=video&title=Special%3ASearch&go=Go

Internal error

This one is caused by a bad page, cause search for "videos" works, and if I remark out that title assert in the code, the search also comes up. I'm still trying to figure out which page that is. I'm assuming some sort of redirect page. Anyrate I'm investigating some more.

[3d72fe5a99baf5ddbbc34950] /w/index.php?search=video&title=Special%3ASearch&go=Go Wikimedia\Assert\PreconditionException: Precondition failed: This Title instance does not represent a proper page, but merely a link target.

Backtrace:

from /var/www/grass/grass-wiki/w/vendor/wikimedia/assert/src/Assert.php(49) #0 /var/www/grass/grass-wiki/w/includes/title/Title.php(3934): Wikimedia\Assert\Assert::precondition() #1 /var/www/grass/grass-wiki/w/includes/title/Title.php(3915): MediaWiki\Title\Title->assertProperPage() #2 /var/www/grass/grass-wiki/w/includes/Revision/RevisionStore.php(1844): MediaWiki\Title\Title->getId() ... }}}

[robe]

Okay the page at fault seems to be a page with title Widget:YouTube. My guess is that's a reserved term. To fix I changed the title

UPDATE page SET page_title = 'Something YouTube' WHERE page_id = 2767;

and that seemed to fix the issue, but hopefully didn't cause other issues. We can always revert that if it causes a problem.

[neteler]

Replying to robe:

I've manually merged your old ⚠️Neteler to Neteler.

This looks good now.

The UserMerge is here - ​https://grasswiki.osgeo.org/wiki/Special:UserMerge and only available to adminstrators and sysops, so you should be able to use it for merging administrators that log in.

Cool, thanks. I do see this page.

In theory other users should automatically merge, hopefully admins to.

I have asked Anna (annakrat) to try again.

If you do need to manually merge people, you need to remove the old user from any admin groups, otherwise will give a notice you can't merge admin account.

Alright.

[annakrat]

I can login, but I don't have any special rights.

[neteler]

Replying to robe:

Okay I must have had it cached in my firefox browser, images issue should be fixed now.

Yes, confirmed.

I have now fixed also the wiki logo which needs to go into a different folder:

grass-wiki:/var/www/grass/grass-wiki/w/skins/common/images/

Dunno if in the old wiki version are more files in that folder but I guess no.

[neteler]

A first wiki user has confirmed a successful login :) Great work, Regina!

One more wish:

"Request account" (​https://wiki.osgeo.org/wiki/Special:RequestAccount) in the upper right corner should now point to ​https://id.osgeo.org/ldap/create

I don't know where to modify that.

[robe]

Replying to annakrat:

I can login, but I don't have any special rights.

Yah I was afraid that would happen. Maybe it is because admin group is protected.

Anyrate I merged your old account into your new and gave you new admin priviledges so you should be all set.

[robe]

Replying to neteler:

Replying to robe:

Okay I must have had it cached in my firefox browser, images issue should be fixed now.

Yes, confirmed.

I have now fixed also the wiki logo which needs to go into a different folder:

grass-wiki:/var/www/grass/grass-wiki/w/skins/common/images/

I backed up the old wiki files in /var/www/grass/grass-wiki-old in case I missed anything.

}}}

Dunno if in the old wiki version are more files in that folder but I guess no.

[robe]

Replying to neteler:

A first wiki user has confirmed a successful login :) Great work, Regina!

One more wish:

"Request account" (​https://wiki.osgeo.org/wiki/Special:RequestAccount) in the upper right corner should now point to ​https://id.osgeo.org/ldap/create

I don't know where to modify that.

Hmm I had copied over the .htaccess from wiki I thought to handle this will check later today maybe I put that in the wrong folder (or I built with nginx, forgot if I used apache or nginx when resetting your new server up.

[robe]

Replying to robe:

One more wish:

"Request account" (​https://wiki.osgeo.org/wiki/Special:RequestAccount) in the upper right corner should now point to ​https://id.osgeo.org/ldap/create

I don't know where to modify that.

This should be set now. I moved the .htaccess stuff into the /etc/apache2/includes/grasswiki.osgeo.org.inc

Let me know if you see anything else amiss

[neteler]

"Request account" now points smoothly to the ldap page.

Seems all completed now. I have added the information that the login procedure changed. Next will be the announcement on the GRASS mailing lists to inform everyone.

[annakrat]

Replying to robe:

Replying to annakrat:

I can login, but I don't have any special rights.

Yah I was afraid that would happen. Maybe it is because admin group is protected.

Anyrate I merged your old account into your new and gave you new admin priviledges so you should be all set.

Looks like it worked!

[neteler]

New login method announced:

​https://lists.osgeo.org/pipermail/grass-announce/2024-February/000185.html

[robe]

Going to close this out and consider it done. Feel free to reopen if you still run into issues.

[veroandreo]

new and old user

[veroandreo]

My login to the grasswiki worked fine, but it seems my old user is not merged with the new one. I did a change to my profile to test it works, and now in my contributions I see only the changes I did today. All the rest is under an old(?) user that has an exclamation mark and apparently does not exist(?). See attachment: ​https://trac.osgeo.org/osgeo/attachment/ticket/2966/image_2024-02-14_09-51-39.png.

Seems to me something went wrong with the merging though I was not prompted to accept any merge... I see other users with exclamation marks in the history of the home page too.

[robe]

Replying to veroandreo:

My login to the grasswiki worked fine, but it seems my old user is not merged with the new one. I did a change to my profile to test it works, and now in my contributions I see only the changes I did today. All the rest is under an old(?) user that has an exclamation mark and apparently does not exist(?). See attachment: ​https://trac.osgeo.org/osgeo/attachment/ticket/2966/image_2024-02-14_09-51-39.png.

Seems to me something went wrong with the merging though I was not prompted to accept any merge... I see other users with exclamation marks in the history of the home page too.

I've merged your account. I'm hoping it's just admins that can't merge, cause in order to merge admins accounts, there is a protection in place. So to merge I do these steps

1) Edit the old account, remove the administrator, bureaucrat groups from it, otherwise it won't let you merge into new account 2) Go to new account and manually add the administrator, bureaucrat, and merged account

3) Then go to ​https://grasswiki.osgeo.org/wiki/Special:UserMerge

Put in the old account (this one I copy from the group list cause it has that unicode thing on it) and new account.

Let me know if you are seeing the same issue with non-admin accounts and I'll investigate.

But for admin accounts, I think those require a manual merge or I take off the default protection.

[robe]

Okay I guess it's not just admin accounts, so I must have something else not configured right. I saw that Luca is not an admin and he had logged in but his account wasn't merged so I merged it with the above instructions. I'll reopen this until I've figured out what is missing unless you feel everyone that existed has already logged in, in which case I think we'll just need to manually merge their accounts.

[veroandreo]

Replying to robe:

Replying to veroandreo:

My login to the grasswiki worked fine, but it seems my old user is not merged with the new one. I did a change to my profile to test it works, and now in my contributions I see only the changes I did today. All the rest is under an old(?) user that has an exclamation mark and apparently does not exist(?). See attachment: ​https://trac.osgeo.org/osgeo/attachment/ticket/2966/image_2024-02-14_09-51-39.png.

Seems to me something went wrong with the merging though I was not prompted to accept any merge... I see other users with exclamation marks in the history of the home page too.

I've merged your account. I'm hoping it's just admins that can't merge, cause in order to merge admins accounts, there is a protection in place. So to merge I do these steps

Thanks Regina! All looks good in my user account now :)