[ZendTo] upgrade script and LDAP authentication values

Jules Jules at Zend.To
Wed Jul 22 18:08:00 BST 2020


John,

On 22/07/2020 17:59, John Thurston via ZendTo wrote:
> But I _am_ using the LDAP authenticator, and I have those values 
> commented out because I don't want them.
But if you are using the LDAP authenticator, surely you have to define 
those values for the authenticator to work at all.
I don't quite see how you are using the LDAP authenticator successfully 
with no settings for it whatsoever.

Jules.


>
> The way I see it, the application defines those values as 'not 
> required' while the upgrade-script defines those values as 'must be 
> present'. My business case is caught in the crack between those two 
> parsing rules. It looks like I have options:
>
> A) create and maintain a service account in my directory so these 
> values can be defined and the upgrade script will work as expected
>
> B) switch to AD authentication and also implement option (A)
>
> C) write my own post-upgrade script to re-comment these values
>
> I'm definitely leaning towards (C) as that is simple, direct, and easy 
> to add to our in-house documentation.
>
> -- 
> Do things because you should, not just because you can.
>
> John Thurston    907-465-8591
> John.Thurston at alaska.gov
> Department of Administration
> State of Alaska
>
> On 7/22/2020 5:58 AM, Jules wrote:
>> John,
>>
>> The upgrade script doesn't know much about comments, except that they 
>> are the block of lines immediately before a setting in 
>> preferences.php (and zendto.conf, with a different syntax).
>> It certainly can't actually parse them to see what you may have 
>> commented out.
>>
>> The upgrade script also has no prior knowledge of what settings 
>> should be there, and what shouldn't. There is no "list of all the 
>> possible settings". It learns all that for itself, by reading your 
>> old preferences.php and the newly supplied one.
>>
>> What's happening is that you are commenting out the only definition 
>> of 'authLDAPStartTLS', for example, so it thinks this is a new 
>> setting that has just appeared in the very latest preferences.php 
>> (and it wasn't set in your previous one), so it adds it as a new 
>> setting.
>>
>> But the 1 and only setting for (for example) 'authLDAPStartTLS' won't 
>> have any effect unless you also have set
>>      'authenticator' => 'LDAP',
>> so I don't quite see what you achieve by commenting them out. It will 
>> only use the authenticator settings for your chosen authenticator. 
>> All the others will simply have no effect.
>>
>> Sorry about the 'authLDAP' naming clash between the LDAP and AD 
>> authenticators, that's for historic reasons from when I first forked 
>> the project from udel's "Dropbox" a long time ago in a galaxy far 
>> away. And yes, they sadly called it Dropbox, nothing to do with the 
>> "other" Dropbox. So I can't change that now.
>> The difference is that all the AD settings end with a number (1,2,3) 
>> whereas the LDAP settings don't.
>>
>> Leaving the LDAP settings in place will have no effect *at all* on 
>> the AD authenticator.
>>
>> Does that help explain the situation?
>>
>> Cheers,
>> Jules.
>>
>> On 21/07/2020 00:00, John Thurston via ZendTo wrote:
>>> Is there some way for me to designate some values in preferences.php 
>>> as "Just ignore me, please. Don't try to correct this." ?
>>>
>>> With each update, the upgrade script detects my commented out values 
>>> and does me the service of re-enabling them and supplying default 
>>> values. I then have to go diff the files, confirm nothing has 
>>> actually changed, and re-comment the attributes I don't want.
>>>
>>> >   //'authLDAPStartTLS'      => false,
>>> >   //'authLDAPBindDn'        => 'o=MyOrganization,uid=MyUser',
>>> >   //'authLDAPBindPass'      => 'SecretPassword',
>>> >   //'authLDAPOrganization'  => 'My Organization',
>>> >   //'authLDAPUsernameAttr'  => 'uid',
>>> >   //'authLDAPEmailAttr'     => 'mail',
>>>
>>> I tried setting each of these to null strings, hoping that might 
>>> trigger the code to ignore the values and also let the upgrade 
>>> script leave them unchanged. Bzzzt. I couldn't authenticate.
>>>
>>> I understand the difficulty in trying to detect what a customer is 
>>> trying to do, and how to distinguish "new values" from 
>>> "intentionally absent values". It is frustrating, though, to have to 
>>> repeat the same manual steps, potentially missing something, with 
>>> every update.
>>>
>>> Maybe there could be a magic string to denote a line not just as a 
>>> comment but as a "leave me as a comment" line.
>>> Maybe triple-slash
>>> Maybe //!/
>>>
>>> Or is there already some way to do this that I haven't figured out?
>>>
>>>
>>
>> Jules
>>
>> -- 
>> Julian Field MEng CEng CITP MBCS MIEEE MACM
>>
>> 'Ensanguining the skies
>>   How heavily it dies
>>   Into the west away;
>>   Past touch and sight and sound
>>   Not further to be found,
>>   How hopeless under ground
>>     Falls the remorseful day.' - A.E.Houseman
>>
>> www.Zend.To
>> Twitter: @JulesFM
>>
>

Jules

-- 
Julian Field MEng CEng CITP MBCS MIEEE MACM

'When I read Shakespeare I am struck with wonder
  That such trivial people should muse and thunder
  In such lovely language.' - D.H. Lawrence

www.Zend.To
Twitter: @JulesFM
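
Option (C) from the quoted message, sketched as an added example that is not part of the original thread and is not ZendTo code: a post-upgrade pass that re-comments exactly the six keys John lists, matching the closing quote so that the AD settings ending in a number are left alone. The sample fragment, the key name 'authLDAPBindDn1' and the command-line usage are constructed assumptions.

```python
import re
import sys

# The six keys from the commented-out block quoted in the thread.
LDAP_KEYS = (
    "authLDAPStartTLS", "authLDAPBindDn", "authLDAPBindPass",
    "authLDAPOrganization", "authLDAPUsernameAttr", "authLDAPEmailAttr",
)

# Constructed sample of a preferences.php fragment after an upgrade run.
# 'authLDAPBindDn1' is a made-up AD-style key (name ends in a number).
SAMPLE = """\
  'authLDAPStartTLS'      => false,
  'authLDAPBindDn'        => 'o=MyOrganization,uid=MyUser',
  //'authLDAPBindPass'      => 'SecretPassword',
  'authLDAPBindDn1'       => 'constructed-ad-value',
"""

def recomment(text, keys=LDAP_KEYS):
    """Return (new_text, keys_that_were_active_and_are_now_commented)."""
    names = "|".join(re.escape(k) for k in keys)
    # The closing quote (\3) must follow the key name directly, so the
    # numbered AD variants never match. Lines already starting with //
    # do not match either, which keeps the pass idempotent.
    pat = re.compile(r"^(\s*)((['\"])(" + names + r")\3\s*=>.*)$")
    out, changed = [], []
    for line in text.split("\n"):
        m = pat.match(line)
        if m:
            changed.append(m.group(4))
            line = m.group(1) + "//" + m.group(2)
        out.append(line)
    return "\n".join(out), changed

if __name__ == "__main__":
    if len(sys.argv) > 1:           # path to preferences.php, chosen by the admin
        with open(sys.argv[1], encoding="utf-8") as fh:
            original = fh.read()
        updated, changed = recomment(original)
        if changed:
            with open(sys.argv[1], "w", encoding="utf-8") as fh:
                fh.write(updated)
    else:                           # no path given: run on the constructed sample
        updated, changed = recomment(SAMPLE)
        print(updated, end="")
    print("re-commented:", ", ".join(changed) or "nothing")
```

The returned key list doubles as a record of what the upgrade re-enabled, which can be logged alongside the diff step John describes.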
