[ZendTo] upgrade script and LDAP authentication values
John Thurston
john.thurston at alaska.gov
Thu Jul 23 17:54:45 BST 2020
On 7/23/2020 3:51 AM, Jules wrote:
> John,
>
> Please don't comment out settings you don't want to specify (such as the
> service account credentials, etc). Just leave them set to an empty
> string. Then 'upgrade' will be happy.
As mentioned in my original note, "I tried setting each of these to null
strings, hoping that might trigger the code to ignore the values and
also let the upgrade script leave them unchanged. Bzzzt. I couldn't
authenticate."

But taking your advice, I tried it again...and got the same result. So I
went to my LDAP logs to see what queries were being performed, and dug
in the code to see how the settings are being used. The crux of the
problem is an empty string does not result in the same behavior as an
undefined value.

The LDAP authenticator works perfectly for us with those settings
_undefined_. But, if defined, the value of 'authLDAPUsernameAttr' and
'authLDAPEmailAttr' must _not be empty strings_. If they are undefined,
the code in NSSLDAPAuthenticator.php assumes reasonable values for those
two settings:

    protected $_ldapUNA = 'uid';
    protected $_ldapEMA = 'mail';

which happened to align perfectly well with our directory.

I will uncomment those attributes in preferences. That will make the
upgrade script happy.

I will leave the default values for those two attributes, and set the
other string values to empty. That will make authentication work.

And with those steps, I think my future version upgrades will be much
easier!

I will also report a bug:
The upgrade script requires the presence of at least two attributes in
preferences.php, which the LDAP authentication code treats as optional.

--
Do things because you should, not just because you can.
John Thurston 907-465-8591
John.Thurston at alaska.gov
Department of Administration
State of Alaska
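
The undefined-versus-empty behaviour described in the message above, as an added sketch that is not part of the original post and is not ZendTo's code. The function names, the way the search filter is assembled, and the sample values 'jdoe' and 'sAMAccountName' are assumptions; only the two preference keys and the default 'uid' come from the message.

```php
<?php
// Added illustration; function names are hypothetical, not ZendTo's code.

// Return the attribute name to use for a preference key.
// $emptyMeansUnset = false mimics "a defined value wins, even when empty".
function resolveAttr(array $prefs, string $key, string $default, bool $emptyMeansUnset): string
{
    if (!array_key_exists($key, $prefs)) {
        return $default;                 // undefined: built-in default applies
    }
    $value = trim((string) $prefs[$key]);
    if ($value === '' && $emptyMeansUnset) {
        return $default;                 // empty string handled like undefined
    }
    return $value;                       // may be '' when $emptyMeansUnset is false
}

// Escape filter metacharacters in a user-supplied value (RFC 4515).
function escapeFilterValue(string $v): string
{
    return strtr($v, ['\\' => '\5c', '*' => '\2a', '(' => '\28', ')' => '\29', "\0" => '\00']);
}

// Assumed filter shape: (<attribute>=<escaped username>).
function userFilter(string $attr, string $username): string
{
    return '(' . $attr . '=' . escapeFilterValue($username) . ')';
}

// Constructed preference sets: key absent, key empty, key set explicitly.
$cases = [
    'undefined' => [],
    'empty'     => ['authLDAPUsernameAttr' => ''],
    'explicit'  => ['authLDAPUsernameAttr' => 'sAMAccountName'],
];

foreach ($cases as $name => $prefs) {
    foreach ([false, true] as $emptyMeansUnset) {
        $attr = resolveAttr($prefs, 'authLDAPUsernameAttr', 'uid', $emptyMeansUnset);
        printf("%-9s emptyMeansUnset=%-5s %s\n", $name,
               var_export($emptyMeansUnset, true), userFilter($attr, 'jdoe'));
    }
}
```

Only the 'empty' case with emptyMeansUnset=false produces a filter with no attribute name, which a directory server will not match against any entry; every other combination yields a usable filter.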