[18:12:44] tgr, bd808, robla: "Fun" fact about LdapAuthentication: Even simple stuff like "can we create accounts?" or "can users change passwords?" depends on which domain is currently selected. It's particularly interesting in that **what's displayed on the login/create form** depends on what domain happens to be currently set. Sigh.
[18:13:12] yeah...
[18:13:42] which makes sense if you think about all the different ways that LDAP is used in private networks
[18:13:56] but it makes the auth extension a mess
[18:14:21] bd808: OTOH, it makes it impossible to know whether you can create an account before you try to create an account, because the domain isn't set yet.
[18:14:41] Because the @#$% domain selector is part of the account creation form.
[18:14:42] Could make it a multi-step form?
[18:14:49] Do domain selection first?
[18:16:09] Would optimizing the flow for the single configured domain use-case make anything simpler?
[18:16:39] or even just making it only work for a single domain first
[18:16:41] The flow probably already is optimized for that case. There's a comment in the code about unspecified bugs that are avoided by configuring it that way.
[18:20:04] bd808: Does the plan of killing Extension:OpenStackManager extend to no longer using Extension:LdapAuthentication on Wikitech too?
[18:20:17] eventually, yes
[18:20:19] on the web UI you could just display all possible fields, if they are iterable in advance, and use AuthChangeFormFields -> hideif to make them show up based on the domain dropdown
[18:20:47] I think I might just do a best-effort with a @todo that says "someone should make a new LDAP authentication extension that doesn't have 12 years of kludges glommed into it"
[18:25:09] Ha.
[18:31:53] anomie: so fix it in MediaWiki 2.0 then? ;)
[19:06:55] anomie: it would be nice to keep supporting LdapAuthentication though. It is used in companies since it brings up SUL with Microsoft ActiveDirectory
[19:09:14] hashar: I know. The problem is that the existing code works with MediaWiki as it is, but I'm not particularly confident in being able to know that it will keep working in a MediaWiki with AuthManager without a major rework that I don't understand LDAP and the myriad ways people use it well enough to do myself. If someone else wants to volunteer to update it for AuthManager, I'd be happy.
[19:31:52] anomie: Bluntly, my line would be that LdapAuthentication isn't WMF-sponsored and only tangentially WMF-deployed (for wikitech), so it's best efforts only.
[20:07:55] anomie: I suspect James_F is right. I think the kindest way to do it is to optimize using bd808's case (i.e. support single domain), and then think aloud (i.e. in comments) about where one would add hooks to support the multi-domain case