mahara-contributors team mailing list archive
Message #13256
[Bug 1160093] Re: Don't display a remote username on /admin/users/edit.php if no remote username exists
So, while researching some stuff relating to ldapsync, I gained a bit
more insight into how the remote username & parent authority work and
work together:

1. The only auth plugins that use "remote username" are XMLRPC and SAML
(optionally for SAML)
2. These are both services where you *don't* enter your username into
the Mahara login form. Instead, you log in via an external service, and
then it communicates the username to Mahara during the SSO process.
3. Where "remote username" comes in, is that when a username logs in via
one of these processes, it checks for a record in the auth_remote_user
table for this authinstance and that username. That record will point to
a usr.id value for the Mahara user account that it should authenticate
them to.
4. It kinda only makes sense for auth instances where you don't enter
the username directly into Mahara. Otherwise, at the login screen, you
may find yourself wondering, do I enter my Mahara username, or my LDAP
username?

Now, how does parent authority work?

1. Only XMLRPC has a parent authority.
2. If a user has that XMLRPC as their auth instance, they can also log
in using the parent authority -- and get to the same Mahara account! And
vice versa.
3. In terms of user creation, the first time you roam over from the
XMLRPC remote server, if the XMLRPC auth instance has a parent, it will
create your account with the parent as your authinstance rather than the
XMLRPC.
4. On subsequent logins, it checks auth_remote_user for a user with the
matching remote username, and either the XMLRPC or its parent as their
auth instance, and it logs you in as that user.

So, based on this a user will need to set up a remote username if:

1. Their auth instance is XMLRPC
2. Their auth instance is parent to an XMLRPC. (And note that any auth type can be parent to XMLRPC -- even internal)
3. Their auth instance is a SAML with the remote username feature enabled.

So, I'm putting together a patch that adds a "needs_remote_username()"
method to the Auth class, which will indicate whether a particular auth
instance needs a remote username or not. And then we'll display the
external username field on the account settings page based on the value
returned by that function. I'm also changing the create_user() function
so that it automatically checks whether the new user's auth instance
needs a remote username and supplies it if so.
https://bugs.launchpad.net/bugs/1160093
Title:
Don't display a remote username on /admin/users/edit.php if no remote
username exists
Status in Mahara ePortfolio:
In Progress
Bug description:
Per default, Mahara displays the "Username for external
authentication" on the user account admin page no matter whether the
account has actually set a remoteuser value or not. This is confusing
when you want to check if an auth instance works correctly because you
will have to check the database (in 2 different places) or at least do
a user report which pulls the remoteuser value from the "correct" DB
table.
Mahara should only display a remoteuser if it really exists.
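The rules laid out in the message above, as an added in-memory model that is not Mahara's code or the patch under discussion: it evaluates the three "needs a remote username" conditions and resolves an SSO login against the auth instance or its parent only. The instance ids, array keys, sample rows and function names are assumptions made for illustration, and the lookup simplifies the message's step 4 to a match on the mapping row's auth instance.

```php
<?php
// Added illustration: an in-memory model, not Mahara's code.
// Instance ids, array keys and function names are hypothetical.

// Constructed sample auth instances: id => type, parent, SAML remote-username option.
$instances = [
    1 => ['type' => 'internal', 'parent' => null, 'remoteuser' => false],
    2 => ['type' => 'xmlrpc',   'parent' => 1,    'remoteuser' => false],
    3 => ['type' => 'ldap',     'parent' => null, 'remoteuser' => false],
    4 => ['type' => 'saml',     'parent' => null, 'remoteuser' => true],
];

// Constructed sample rows standing in for auth_remote_user (key names assumed).
$remoteUsers = [
    ['authinstance' => 1, 'remoteusername' => 'jdoe', 'localusr' => 42],
    ['authinstance' => 3, 'remoteusername' => 'jdoe', 'localusr' => 77],
];

// The three conditions from the message: XMLRPC, parent of an XMLRPC, or SAML with the option on.
function needs_remote_username_model(array $instances, int $id): bool {
    $inst = $instances[$id];
    if ($inst['type'] === 'xmlrpc') {
        return true;
    }
    if ($inst['type'] === 'saml' && $inst['remoteuser']) {
        return true;
    }
    foreach ($instances as $other) {
        if ($other['type'] === 'xmlrpc' && $other['parent'] === $id) {
            return true;
        }
    }
    return false;
}

// SSO login: accept a mapping only from the arriving instance or its parent,
// so the same remote username under an unrelated instance never matches.
function resolve_local_user(array $instances, array $rows, int $id, string $remote): ?int {
    $allowed = array_filter([$id, $instances[$id]['parent']], fn($v) => $v !== null);
    foreach ($rows as $row) {
        if ($row['remoteusername'] === $remote && in_array($row['authinstance'], $allowed, true)) {
            return $row['localusr'];
        }
    }
    return null;
}

foreach (array_keys($instances) as $id) {
    echo "instance $id needs remote username: ", var_export(needs_remote_username_model($instances, $id), true), "\n";
}
echo "xmlrpc login as jdoe maps to usr.id: ", var_export(resolve_local_user($instances, $remoteUsers, 2, 'jdoe'), true), "\n";
echo "saml login as jdoe maps to usr.id: ", var_export(resolve_local_user($instances, $remoteUsers, 4, 'jdoe'), true), "\n";
```

In the sample data the LDAP instance has its own "jdoe" row, which the XMLRPC and SAML logins must not pick up; scoping the lookup to the instance and its parent is what keeps one identity provider from resolving to another provider's account.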