Loading...
 

UserPageRadoS

Migrating MediaWiki v1.4.12 to TikiWiki v15.2

target:

  • OS: ubuntu lts (16/04)
  • http: apache2 + php7
  • db: mysql5
  • AD: windows-server 2008/12

required:

  • permissions per groups on collections of resources (pages, images, attachments).
    • solved by use of categories + groups created as workspaces (per templates)
  • ideally AGDLP application (role-based access control).
    • solved by permission inheritance from workspace-groups to AD groups
  • AD integration
    • solved per LDAP setup

choice:

(because of restrictions originating from strict permissions requirement)

  1. creating pages 1st, then assigning to cat.
    • pro: can edit text 1st, put link, follow empty link, create page.
    • contra: requires to assign category manually explicitly.
  2. creating pages directly into cats via structures "Add Page" field/ button.
    • pro: automatically puts new page into cat / structure of page where you use the button.
    • contra: must prepend page-name with cat-name or else name misses cat part; can't use "pro" above.


To avoid accidental misplacement of pages to wrong cat permissions, we selected #2.
Either way requires dealing with global + cat permissions to setup in advance.

major issues:

  • https://dev.tiki.org/item6213 : editing cat permissions fails for names with "~" (namespace separator), e.g. "pe-hh~core" saves new permissions only as "pe-hh".
  • https://dev.tiki.org/item6215 : editing cat permissions titles the page only with the last part of a workspace ("pe-hh~core" -> "core"), not the whole path, can be confusing when you have 2 workspaces with the same name in 2 different templates (areas).
  • https://dev.tiki.org/item6214 : syntax highlighting works OK for all langs in editor, but produced / viewed pages only work with "php", all other langs are mono-colored.
  • https://dev.tiki.org/item5657 : must hack /lib/userslib.php to make group-sync work along Ticket #5657 => replace all occurances.
  • https://dev.tiki.org/item6216 : workspace templates don't cover all possible permissions as globally possible.
  • https://dev.tiki.org/item6217 : need 2 permissions for "create structure" and "edit structure", so to provide structures that can be worked on but not messed up new ones or destroy them altogether.
  • https://dev.tiki.org/item6218 : workspace should create and assign file gallery, too, to keep files separated as pages.
  • https://dev.tiki.org/item6219 : copy&paste from media wiki this char "→" breaks "index rebuilding".
  • https://dev.tiki.org/item5036 : LDAP: clean-up up tiki group+user db when memberships change in AD (differential, not just incremental).
  • https://dev.tiki.org/item6220 : preview looks different from final output, like using "{CODE]..." creates boxes, but used fronts differ.
  • https://dev.tiki.org/item6221 : renaming elements in cat OK for everything but perspective: cat listing still shows old perspective name while showing new wiki page names
    • "profile_symbols" & "objects" tables not updated.
  • https://dev.tiki.org/item6222 : mediawiki importer fails because of "... =& new ...", in php7 the "&" is not allowed.
  • https://dev.tiki.org/item6223 : when renaming cat + homepage of workspace, the homepage property "Namespace" must be changed manually, too, otherwise new pages from the renamed page will be misnamed.
  • https://dev.tiki.org/item6224 : PDF/ office document files are supposed to be indexed while uploading, but indexing + upload fails.
    • "Incorrect string value: '\xFCr Spi...' for column 'search_data' at row 1"
  • https://dev.tiki.org/item6277 : filling cells in sheets wth too much content leaves it empty.

  • rollback fails even though global + cat perms "tiki_p_rollback" is set.
  • menu features require global permissions, although cat permission granted (structures, workspaces, search, tags, file gals).
    • cat permissions override global not only incrementally, but differentially: cat denies -> global doesn't apply.

minor issues:

  • Links to forbidden pages should be indicated as such, not to be required to follow link just to learn afterwards that it's denied.
  • renaming "perspective" because of cat name change doesn't allow/show new cat name and new homepage (to be) assigned.
  • can't create Convene entries editable by groups.
  • "list pages" shows only permitted pages, but indicates more not shown with empty results on pages numbered beyond reach.
  • when setting up LDAP, LDAP config elements are invisible because "style=display:none;" when php-ldap is missing.
    • tiki-check.php just lists this case as "info", not as "bad/ ugly/ failure", which it is when selecting it in the auth method.
    • LDAP external groups hides the elements in the "user" section, but shows them in the "group" section. A hint for the missing php-ldap would be more useful than hiding.
  • disable menu items when insufficient permissions (global yes, cat no).
  • "remember login" fails.
  • "featured links" module has no menu links, must enter URL in browser.
  • when created page is removed from all cats a user has access to (by that user), user can't recover page.
    • not required to be solved, just info.

todo:

  • doc: usecase


LDAP settings:

If user does not exist in Tiki create
Create user if not in LDAP no
Use Tiki authentication for Admin login yes
Use Tiki authentication for users created in Tiki no


LDAP Bind settings

Host
Port
Write LDAP debug Information in Tiki Logs
Use SSL (ldaps)
Use TLS
LDAP Bind Type AD (windows, username@domain)
Search scope subtree
LDAP version 3
Base DN


LDAP User

User DN relative to BaseDN, not full/absolute
User attributesAMAccountName
User OCuser
Realname attributedisplayName
Country attribute
Email attribute mail

LDAP external groups

Use an external LDAP server for groups yes
Host
Port
Write LDAP debug Information in Tiki Logs
Use SSL (ldaps)
Use TLS
LDAP Bind Type AD (windows, user@domain)
Search scope subtree
LDAP version 3
Base DN
User DN relative to BaseDN, not full/absolute
User attribute sAMAccountName
Corresponding user attribute in 1st directorysAMAccountName
User OC user
Synchronize Tiki groups with a directoryyes
Group DN relative to BaseDN, not full/absolute
Group name attribute cn
Group description attribute
Group OC group
Synchronize Tiki users with a directory yes
Member attribute member
Member is DNyes
Group attribute
Group attribute in group entry

Page last modified on Friday 10 February 2017 16:02:39 GMT-0000

Why Register?

Register at tiki.org and you'll be able to use the account at any *.tiki.org site, thanks to the InterTiki feature. A valid email address is required to receive site notifications and occasional newsletters. You can opt out of these items at any time.

Newest Forum Posts

No records to display