Attached is an initial patch to get ldap_sso into a workable state.

Please note:

  • Unlike the other patches I did not test them in a real setup yet, due to Kerberos issues.
  • I started refactoring more heavily in this module due to its isolated and incomprehensible nature. Though functionally it should be unmodified.
  • Except for arg(0) == logout. As far as I know this was incorrect before and should have been the equivalent to arg(1).
CommentFileSizeAuthor
#7 update_ldap_sso-2728821-7.patch20.63 KBgrahl
#2 update_ldap_sso-2728821-2.patch18.83 KBgrahl
Support from Acquia helps fund testing for Drupal Acquia logo

Comments

grahl created an issue. See original summary.

grahl’s picture

grahl
he/him
Location Zürich
CreditAttribution: grahl at Namics commented
FileSize
update_ldap_sso-2728821-2.patch18.83 KB
larowlan’s picture

larowlan
Location 🇦🇺🏝.au GMT+10
CreditAttribution: larowlan at PreviousNext for Department of Justice & Community Safety, Victoria commented
Assigned: Unassigned » queenvictoria 
  1. +++ b/ldap_sso/ldap_sso.module
@@ -5,6 +5,10 @@
+define(DETAILED_WATCHDOG_LOG, \Drupal::config('ldap_help.settings')->get('watchdog_detail'));
+define(AUTO_LOGIN_NO, 'do not auto login');
+define(AUTO_LOGIN_YES, 'auto login');

    constants should be prefixed with the module namespace to avoid collisions. Even better, define them as class or interface constants and we can auto-load them in tests. Eg. LdapSsoInterface::NO_AUTO_LOGIN 

  2. +++ b/ldap_sso/ldap_sso.module
@@ -21,26 +25,29 @@ function ldap_sso_menu() {
+    $_SESSION['seamless_login'] = AUTO_LOGIN_NO;

    We should be using the session bag on the request stack, not the superglobals 

  3. +++ b/ldap_sso/ldap_sso.module
@@ -21,26 +25,29 @@ function ldap_sso_menu() {
  * Implements hook_boot().

    hook_boot is dead, so this code won't run 

  4. +++ b/ldap_sso/ldap_sso.module
@@ -51,36 +58,47 @@ function ldap_sso_boot() {
+function _ldap_sso_boot_assume_sso_boot() {

    This needs a docblock 

  5. +++ b/ldap_sso/ldap_sso.module
@@ -51,36 +58,47 @@ function ldap_sso_boot() {
+  $path_args = explode('/', \Drupal::current_path());

    Core has a path matcher service. We should make this into a service and inject that. 

  6. +++ b/ldap_sso/ldap_sso.module
@@ -51,36 +58,47 @@ function ldap_sso_boot() {
+  } ¶

    trailing whitespace 

  7. +++ b/ldap_sso/ldap_sso.module
@@ -51,36 +58,47 @@ function ldap_sso_boot() {
+    require_once(DRUPAL_ROOT . '/includes/common.inc');
+    require_once(DRUPAL_ROOT . '/includes/path.inc');

    Is this needed? the kernel loads these in D8 

  8. +++ b/ldap_sso/ldap_sso.module
@@ -51,36 +58,47 @@ function ldap_sso_boot() {
+      drupal_bootstrap(DRUPAL_BOOTSTRAP_LANGUAGE);

    drupal_bootstrap is gone too, the kernel booting does all this 

  9. +++ b/ldap_sso/ldap_sso.module
@@ -220,140 +234,190 @@ function ldap_sso_user_login_sso() {
+  drupal_goto('<front>');

    drupal_goto is gone too

Personally I vote ldap_sso is split into its own module and no longer part of the main ldap module on D8 - thoughts?

Assigning to @queenvictoria.

queenvictoria’s picture

queenvictoria CreditAttribution: queenvictoria at Holly commented
Assigned: queenvictoria » Unassigned

Hi @grahl.

It was our intention to remove LDAP SSO from the LDAP module. Potentially it should be reimplemented as an LDAP plugin for another SSO module (like Bakery or Connector) similar to the way LDAP Authorization works with the Authorization module.

It should probably become a sandbox module. Would you be able to create one? I'd like to git rm the module soon. So please let me know if you'd like to take it on.

Thanks!

grahl’s picture

grahl
he/him
Location Zürich
CreditAttribution: grahl commented
Assigned: Unassigned » grahl

Hi queenvictoria

Sorry for not responding earlier and thanks for the rapid feedback.

I agree with your assessment and will provide a sandbox by next week that contains the current state and will work on it from there. I will likely bring it into a usable state in a 1.x branch that aligns closely with the current solution (just to have something working) and then look into your suggestions of reimplementing it in another fashion.

queenvictoria’s picture

queenvictoria CreditAttribution: queenvictoria at Holly commented

Super thanks @grahl! Let's keep this ticket open until the code has moved. And thank you for stepping up!

grahl’s picture

grahl
he/him
Location Zürich
CreditAttribution: grahl at Namics commented
Status: Active » Needs review
FileSize
update_ldap_sso-2728821-7.patch20.63 KB

Hi

Sandbox is ready: https://www.drupal.org/sandbox/grahl/2729937 attached is a patch that removes the ldap_sso module.

A few notes on that:

  • @larowlan: Your notes were extremely helpful. For one, they highlighted that the module wasn't really ported at all yet and that several architectural changes would be useful. Basically I restructured everything cleanly and many obtuse issues with the code vanished once that was done.
  • I especially like how I can now move auth_config and watchdog setting into the constructor and it becomes vastly more readable. That might be something for ldap_user, too.
  • I have not yet tested that against an actual Kerberos setup so expect a few more fixes in that sandbox before that actually is reliable.
  • Due to a namespace conflict I had to go with ldap_sso2 as a composer source but have kept ldap_sso as a module name for now. I'd appreciate your input if you think taking over that namespace is realistic or if you otherwise had a better naming suggestion than ldap_sso2.
  • I noticed that there is some code (such as tests) in ldap_authentication), which we should move at some point but I personally am not in a hurry, if ldap_authentication is being restructured further.

Status: Needs review » Needs work

The last submitted patch, 7: update_ldap_sso-2728821-7.patch, failed testing.

The last submitted patch, 7: update_ldap_sso-2728821-7.patch, failed testing.

The last submitted patch, 7: update_ldap_sso-2728821-7.patch, failed testing.

The last submitted patch, 7: update_ldap_sso-2728821-7.patch, failed testing.

The last submitted patch, 7: update_ldap_sso-2728821-7.patch, failed testing.

The last submitted patch, 7: update_ldap_sso-2728821-7.patch, failed testing.

The last submitted patch, 7: update_ldap_sso-2728821-7.patch, failed testing.

larowlan’s picture

larowlan
Location 🇦🇺🏝.au GMT+10
CreditAttribution: larowlan at PreviousNext for Department of Justice & Community Safety, Victoria commented

I think posting an issue in the ldap_sso project asking to revive the project for d8 is a good idea. It was merged into this module in D7, but I think it should live on its own given @queenvictoria and I don't want to maintain it.

grahl’s picture

grahl
he/him
Location Zürich
CreditAttribution: grahl at Namics commented
Related issues: +#2730833: Request to maintain ldap_sso for Drupal 8

queenvictoria’s picture

queenvictoria CreditAttribution: queenvictoria at Holly commented
Status: Needs work » Fixed

Thanks Grahl. Removing ldap_sso now.

hotspoons’s picture

hotspoons CreditAttribution: hotspoons commented

Original owner of ldap_sso here. I unfortunately haven't thought about this module or used Drupal in several years. Grahl contacted me today - if he will be able to steward the module and it will be maintained, please take it over and port it to D8. Thanks!

grahl’s picture

grahl
he/him
Location Zürich
CreditAttribution: grahl at Namics commented

Reassignment successful, 8.x branch should be available some time tomorrow.

Ideally, I'd like to move the 7.x branch to that project, too, so that issues can be assigned in a uniform manner. I'm not going to do that for now since I expect users would easily miss that change during updates. Please let me know if you'd like me to remove it anyway.

grahl’s picture

grahl
he/him
Location Zürich
CreditAttribution: grahl at Namics commented
Status: Fixed » Closed (fixed)