[ZendTo] upgrade script and LDAP authentication values

John Thurston john.thurston at alaska.gov
Wed Jul 22 17:59:30 BST 2020


But I _am_ using the LDAP authenticator, and I have those values 
commented out because I don't want them.

The way I see it, the application defines those values as 'not required' 
while the upgrade-script defines those values as 'must be present'. My 
business case is caught in the crack between those two parsing rules. It 
looks like I have options:

A) create and maintain a service account in my directory so these values 
can be defined and the upgrade script will work as expected

B) switch to AD authentication and also implement option (A)

C) write my own post-upgrade script to re-comment these values

I'm definitely leaning towards (C) as that is simple, direct, and easy 
to add to our in-house documentation.

--
Do things because you should, not just because you can.

John Thurston    907-465-8591
John.Thurston at alaska.gov
Department of Administration
State of Alaska

On 7/22/2020 5:58 AM, Jules wrote:
> John,
> 
> The upgrade script doesn't know much about comments, except that they 
> are the block of lines immediately before a setting in preferences.php 
> (and zendto.conf, with a different syntax).
> It certainly can't actually parse them to see what you may have 
> commented out.
> 
> The upgrade script also has no prior knowledge of what settings should 
> be there, and what shouldn't. There is no "list of all the possible 
> settings". It learns all that for itself, by reading your old 
> preferences.php and the newly supplied one.
> 
> What's happening is that you are commenting out the only definition of 
> 'authLDAPStartTLS', for example, so it thinks this is a new setting that 
> has just appeared in the very latest preferences.php (and it wasn't set 
> in your previous one), so it adds it as a new setting.
> 
> But the 1 and only setting for (for example) 'authLDAPStartTLS' won't 
> have any effect unless you also have set
>      'authenticator' => 'LDAP',
> so I don't quite see what you achieve by commenting them out. It will 
> only use the authenticator settings for your chosen authenticator. All 
> the others will simply have no effect.
> 
> Sorry about the 'authLDAP' naming clash between the LDAP and AD 
> authenticators, that's for historic reasons from when I first forked the 
> project from udel's "Dropbox" a long time ago in a galaxy far away. And 
> yes, they sadly called it Dropbox, nothing to do with the "other" 
> Dropbox. So I can't change that now.
> The difference is that all the AD settings end with a number (1,2,3) 
> whereas the LDAP settings don't.
> 
> Leaving the LDAP settings in place will have no effect *at all* on the 
> AD authenticator.
> 
> Does that help explain the situation?
> 
> Cheers,
> Jules.
> 
> On 21/07/2020 00:00, John Thurston via ZendTo wrote:
>> Is there some way for me to designate some values in preferences.php 
>> as "Just ignore me, please. Don't try to correct this." ?
>>
>> With each update, the upgrade script detects my commented out values 
>> and does me the service of re-enabling them and supplying default 
>> values. I then have to go diff the files, confirm nothing has actually 
>> changed, and re-comment the attributes I don't want.
>>
>> >   //'authLDAPStartTLS'      => false,
>> >   //'authLDAPBindDn'        => 'o=MyOrganization,uid=MyUser',
>> >   //'authLDAPBindPass'      => 'SecretPassword',
>> >   //'authLDAPOrganization'  => 'My Organization',
>> >   //'authLDAPUsernameAttr'  => 'uid',
>> >   //'authLDAPEmailAttr'     => 'mail',
>>
>> I tried setting each of these to null strings, hoping that might 
>> trigger the code to ignore the values and also let the upgrade script 
>> leave them unchanged. Bzzzt. I couldn't authenticate.
>>
>> I understand the difficulty in trying to detect what a customer is 
>> trying to do, and how to distinguish "new values" from "intentionally 
>> absent values". It is frustrating, though, to have to repeat the same 
>> manual steps, potentially missing something, with every update.
>>
>> Maybe there could be a magic string to denote a line not just as a 
>> comment but as a "leave me as a comment" line.
>> Maybe triple-slash
>> Maybe //!/
>>
>> Or is there already some way to do this that I haven't figured out?
>>
>>
> 
> Jules
> 
> -- 
> Julian Field MEng CEng CITP MBCS MIEEE MACM
> 
> 'Ensanguining the skies
>   How heavily it dies
>   Into the west away;
>   Past touch and sight and sound
>   Not further to be found,
>   How hopeless under ground
>     Falls the remorseful day.' - A.E.Houseman
> 
> www.Zend.To
> Twitter: @JulesFM
> 
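Option (C) from the message above, sketched as an added example (not part of the original thread and not ZendTo's own code): a post-upgrade step that re-comments the six settings John lists, leaves the numbered AD settings alone, and is safe to run repeatedly. It assumes each setting sits on a single line, as in the quoted excerpt, and takes the path to preferences.php on the command line.

```python
import re
import sys

# The settings John lists as intentionally commented out in the thread.
LDAP_KEYS = (
    "authLDAPStartTLS", "authLDAPBindDn", "authLDAPBindPass",
    "authLDAPOrganization", "authLDAPUsernameAttr", "authLDAPEmailAttr",
)

def recomment(text, keys=LDAP_KEYS):
    """Comment out active single-line settings; return (new_text, changed_keys)."""
    alt = "|".join(re.escape(k) for k in keys)
    # Indent, opening quote, exact key, matching closing quote, then "=>".
    # Requiring the closing quote keeps AD keys such as 'authLDAPBindDn1' untouched.
    pat = re.compile(r"^(\s*)((['\"])(" + alt + r")\3\s*=>.*)$")
    out, changed = [], []
    for line in text.splitlines(keepends=True):
        body = line.rstrip("\r\n")
        eol = line[len(body):]
        m = pat.match(body)
        if m:
            # Lines already starting with // never match, so reruns change nothing.
            out.append(f"{m.group(1)}//{m.group(2)}{eol}")
            changed.append(m.group(4))
        else:
            out.append(line)
    return "".join(out), changed

# Constructed sample: what the file might look like after an upgrade run.
SAMPLE = """\
  'authenticator' => 'LDAP',
  'authLDAPStartTLS'      => false,
  //'authLDAPBindDn'        => 'o=MyOrganization,uid=MyUser',
  'authLDAPBindPass'      => 'SecretPassword',
  'authLDAPBindDn1'       => 'cn=svc,dc=example,dc=org',
"""

if __name__ == "__main__" and len(sys.argv) == 2:
    path = sys.argv[1]  # path to preferences.php, supplied by the operator
    with open(path, encoding="utf-8") as fh:
        original = fh.read()
    updated, changed = recomment(original)
    if changed:
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(updated)
    print("re-commented:", ", ".join(changed) or "nothing")
```

The printed list of re-commented keys doubles as the record of what the upgrade script re-enabled, which replaces the manual diff described in the original question.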


