[pmwiki-users] Authentication confusion

Patrick R. Michaud pmichaud at pobox.com
Sun Jun 4 20:32:16 CDT 2006


On Sun, Jun 04, 2006 at 09:17:17PM -0400, Vedvik, Gary wrote:
> Let me see if I understand the function of the entries you suggest. The
> httpauth grabs the web browser variables, and authuser enables user
> based authentication, and setting "$Author = $AuthId" sets the author
> variable to the authenticating id (e.g. domain\account in a windows
> environment).  What does the AuthUserId function accomplish?  

It sets any PmWiki authorization group memberships that may be
defined (i.e., according to group membership settings in Site.AuthUser).

Pm


> -----Original Message-----
> From: Patrick R. Michaud [mailto:pmichaud at pobox.com] 
> Sent: Sunday, June 04, 2006 5:12 PM
> To: Vedvik, Gary
> Cc: pmwiki-users at pmichaud.com
> Subject: Re: [pmwiki-users] Authentication confusion
> 
> On Sat, Jun 03, 2006 at 01:02:14PM -0400, Vedvik, Gary wrote:
> > I've been looking at AuthUser, UserAuth, httpauth, and have gotten 
> > myself pretty confused as to how to accomplish what I'm trying to do.
> > Essentially what I would like to do is use http authentication, and 
> > place the authenticated user IDs into pmwiki groups. I'd also like to 
> > use LDAP to obtain the user's display name (e.g. fn/sn) as the author 
> > for any page edits.  Lastly, I'd like to disallow any changes to the 
> > "author" field when editing pages (to avoid impersonation 
> > issues).
> 
> To use http authentication is just:
> 
>     include_once('scripts/httpauth.php');
> 
> So, to use http authentication with PmWiki's authorization groups should
> be:
> 
>     include_once('scripts/httpauth.php');
>     include_once('scripts/authuser.php');
>     AuthUserId($pagename, $AuthId);
> 
> To then prevent changes to the "author" field:
> 
>     include_once('scripts/httpauth.php');
>     include_once('scripts/authuser.php');
>     AuthUserId($pagename, $AuthId);
>     $Author = $AuthId;
> 
> Getting the author's display name from LDAP is a bit more work, as it
> involves querying the LDAP server and knowing the distinguished name for
> the identity.  If you have that sort of information available, I should
> be able to write that part fairly quickly.
> 
> > Based on what I've read on the pmwiki site, AuthUser appears to 
> > support ldap, but how does this work in conjunction with http 
> > authentication, and does it ultimately fill in the author variable?
> 
> LDAP is just another form of authentication separate from http
> authentication.  HTTP authentication expects the web server to have
> performed the authentication *before* PmWiki is executed and store the
> result in the 'REMOTE_USER' environment variable, while PmWiki's LDAP
> authentication module queries an LDAP server to authenticate an
> identity.
> 
> 
> > Can it also support
> > placing the user authentication id in pmwiki groups?  
> 
> Yes.
> 
> > AuthUser also
> > appears to be less intuitive to use than UserAuth because it seems 
> > that you need to enter permissions individually on each wikigroup 
> > and/or wiki page.
> 
> PmWiki's philosophy is that individual authors may wish to set
> permissions on pages and groups, as opposed to having it centrally
> controlled by the wiki administrator.  Whether this is "more intuitive"
> depends on the application -- for most of the sites I run, letting
> authors set access control permissions is a lot more natural than trying
> to control it from a central page.
> 
> > Is what I'm trying to accomplish possible?  Have I overlooked something?
> > What seems to be missing on the pmwiki site is authentication scenario
> > examples.  The examples currently describe the capabilities of each 
> > module, but leave it to the reader to put it all together.
> > Configuration scenario examples would certainly help.
> 
> I totally agree we could use more configuration scenario descriptions;
> part of the trouble is that the scenarios people want are as varied as
> the sites that use them.  Off the top of my head I can think of over a
> dozen different scenarios that are currently in use.  It might be nice
> if we could develop a "decision-tree" page or set of pages that could
> walk a person through some of the more travelled scenarios.
> 
> Pm
> 
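
The quoted configuration combined with the LDAP display-name lookup discussed above, as an added example that is not part of the original messages or of PmWiki. The helper name `LookupDisplayName`, the server URI, bind DN, base DN, the `WIKI_LDAP_PW` environment variable and the Active Directory attribute names (`sAMAccountName`, `displayName`) are assumptions; PHP's ldap extension is required.

```php
<?php
// Added example for local/config.php (not PmWiki's own code). Assumed values:
// server URI, bind DN, base DN, WIKI_LDAP_PW, and the AD attribute names.
function LookupDisplayName($authId) {
  $authId = (string)$authId;
  // REMOTE_USER may arrive as DOMAIN\account; keep only the account part.
  $pos = strrpos($authId, '\\');
  $account = ($pos === false) ? $authId : substr($authId, $pos + 1);
  if ($account === '') return $authId;

  // An empty password would make the bind unauthenticated, so refuse it.
  $pw = getenv('WIKI_LDAP_PW');
  if ($pw === false || $pw === '') return $authId;

  $conn = ldap_connect('ldaps://ldap.example.com');
  if (!$conn) return $authId;
  ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
  if (!@ldap_bind($conn, 'cn=wiki-reader,dc=example,dc=com', $pw)) return $authId;

  // Escape the account before it enters the filter so characters such as
  // * ( ) \ in the id cannot change the query.
  $filter = '(sAMAccountName=' . ldap_escape($account, '', LDAP_ESCAPE_FILTER) . ')';
  $result = @ldap_search($conn, 'dc=example,dc=com', $filter, array('displayName'));
  $name = $authId;
  if ($result) {
    $entries = ldap_get_entries($conn, $result);
    // Accept the name only when exactly one entry matches.
    if ($entries['count'] == 1 && !empty($entries[0]['displayname'][0])) {
      $name = $entries[0]['displayname'][0];
    }
  }
  ldap_unbind($conn);
  return $name;
}

include_once('scripts/httpauth.php');
include_once('scripts/authuser.php');
AuthUserId($pagename, $AuthId);
$Author = LookupDisplayName($AuthId);   // falls back to $AuthId on any failure
```

Group membership is still resolved from `$AuthId`; the display name is used only for attribution on page edits.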



