[pmwiki-users] HTTP Authentication and use of login name

Patrick R. Michaud pmichaud at pobox.com
Wed Jun 7 11:38:55 CDT 2006


On Wed, Jun 07, 2006 at 09:33:10AM -0700, Hartl, Bob wrote:
> I added this line:
>     include("$FarmD/scripts/authuser.php");  # only if you're using
> authuser
> And defined groups in Site.AuthUser.
> 
> ... But this didn't help -- my groups that I defined in Site.AuthUser
> didn't seem to get recognized -- because I got prompted for username AND
> password.  I want to use strictly "http authentication" but be able to
> use groups (i.e. @groupname) whose members are of the form e.g.
> domain\userid.   I am successful using "id:domain\userid" to set
> read/edit permissions, but I'd much perfer to use groups, whose members
> are domain\userid.
> 
> Is there a way to use http authentication with groups as I suggest?

We can probably make it work.  But a quick question -- do the
userids that come back from HTTP authentication actually have the
backslash in them?  I'm guessing that AuthUser isn't recognizing
the backslash as a valid username character, and that we might
need to add that.

Alternately, would it hurt if PmWiki eliminated the "domain\" portion
of what is returned by HTTP authentication, leaving just "userid"?
Then that could be easily used for setting author names and for
authorization and groups.

Pm




> -----Original Message-----
> From: pmwiki-users-bounces at pmichaud.com
> [mailto:pmwiki-users-bounces at pmichaud.com] On Behalf Of Hartl, Bob
> Sent: Tuesday, June 06, 2006 5:03 PM
> To: Patrick R. Michaud
> Cc: pmwiki-users at pmichaud.com
> Subject: Re: [pmwiki-users] HTTP Authentication and use of login name
> 
> 
> Patrick, I followed your suggestion (below) and used this:
>     include("$FarmD/scripts/author.php");
>     include("$FarmD/scripts/httpauth.php");
> 
> But I have NOT yet included this:
>     include("$FarmD/scripts/authuser.php");  # only if you're using
> authuser
> You suggested that I include this ONLY if I was using authuser - and I
> wasn't.  I'm using strictly http authentication.
> 
> Using the first two lines above meets the goal as I stated it below.
> Thanks!
> 
> However there is one thing that doesn't work.  I was hoping to using
> "authorization groups" -- e.g. "@writers".  I set these up in
> Site.AuthUser, put they don't seem to get recognized.  Is this because I
> have NOT included authuser.php above?  Would including authuser.php
> enable me to use groups?  But would including authuser.php (for the
> purpose of using these authorization groups) compromise in any way the
> use of http authentication?  If so, is there a preferred way to use
> authorization groups with http authentication?
> 
> Thanks
> Bob Hartl
> 
> -----Original Message-----
> From: Patrick R. Michaud [mailto:pmichaud at pobox.com] 
> Sent: Wednesday, May 24, 2006 12:52 PM
> To: Hartl, Bob
> Cc: pmwiki-users at pmichaud.com
> Subject: Re: [pmwiki-users] HTTP Authentication and use of login name
> 
> 
> On Wed, May 24, 2006 at 12:42:57PM -0700, Hartl, Bob wrote:
> > In the meantime as a backup solution, I am using http-authentication
> > and setting $EnablePostAuthorRequired to 1 to require users to enter a
> 
> > non-blank author name.  The slight problem is that the initial value
> > of the Author field is "DOMAINNAMEusername" -- ideally I would like 
> > the initial value of Author field to be blank, so that the user would 
> > be forced (via the $EnablePostAuthorRequired setting) to enter an 
> > author name (and my hope would be that they enter a "proper" author 
> > name -- i.e. "firstname lastname".  Is there a way, when using 
> > http-authentication, for the Author field to be inially blank?
> 
> Try including scripts/author.php *before* any include of httpauth.php or
> authuser.php:
> 
>     include("$FarmD/scripts/author.php");
>     include("$FarmD/scripts/httpauth.php");
>     include("$FarmD/scripts/authuser.php");  # only if you're using
> authuser
> 
> Pm
> 
> > -----Original Message-----
> > From: pmwiki-users-bounces at pmichaud.com
> > [mailto:pmwiki-users-bounces at pmichaud.com] On Behalf Of Hartl, Bob
> > Sent: Monday, May 22, 2006 3:49 PM
> > To: Patrick R. Michaud
> > Cc: pmwiki-users at pmichaud.com
> > Subject: Re: [pmwiki-users] HTTP Authentication and use of login name
> > 
> > 
> > Patrick,
> > 
> > Thanks again for you reply.  The LDAP approach sure sounds best.  I
> > agree -- this would be a great addition to the core.
> > 
> > Would the approach be to come up with an "LDAP" alternative to this
> > statement in config.php?
> > (@$_SERVER['REMOTE_USER']) $Author = $_SERVER['REMOTE_USER'];
> > 
> > Or is the approach more complicated -- perhaps the httpauth.php script
> 
> > must be modified to grab the author name from the LDAP server?
> > 
> > One of my colleagues retrieved active directory information via LDAP
> > in a .NET application, and he discovered that for our LDAP server, 
> > first name is property "givenname" and last name is property "sn" (as 
> > in surname).  I don't know if this is standard or not.  His .NET code 
> > provides a username and password (which I also have access to) in 
> > order to make a non-anonymous inquiry to get "givenname" and "sn" for 
> > the provided username.
> > 
> > I'd definitely be interested in testing this change!
> > 
> > Thanks
> > Bob Hartl
> > 
> > 
> > 
> > -----Original Message-----
> > From: Patrick R. Michaud [mailto:pmichaud at pobox.com]
> > Sent: Monday, May 22, 2006 2:46 PM
> > To: Hartl, Bob
> > Cc: pmwiki-users at pmichaud.com
> > Subject: Re: [pmwiki-users] HTTP Authentication and use of login name
> > 
> > 
> > On Mon, May 22, 2006 at 12:41:22PM -0700, Hartl, Bob wrote:
> > > Patrick,
> > > 
> > > The httpauth.php script works nicely, thanks.  I would however like
> > > to
> > 
> > > display the "author name" not login name in the AUTHOR field.  Is
> > > this
> > 
> > > possible when using HTTP authentication in PmWiki?  Two approaches
> > > seem possible to me.
> > 
> > The login name is simply displayed by default in the "Author"
> > field--an author can change the value to be something else (and that 
> > is the value remembered for future sessions as long as cookies are 
> > enabled).
> > 
> > > Is it possible to grab a "display name" variable -- or "first name"
> > > and "last name" variables -- instead of the REMOTE_USER variable?  
> > > Is there such a server variable(s) to grab?
> > 
> > There aren't such server variables to grab.
> > 
> > > 2) Would the storedauthname.php script work with "http
> > > authentication?" From the documentation it appears that it's meant 
> > > to work specifically with "AuthUser"
> > 
> > It might -- I haven't tried it.
> > 
> > > Would a possible approach be to use LDAP to grab the display name
> > > (i.e. author name) from the login name?  I can't however do an 
> > > anonymous bind to my LDAP server -- but I have credentials with 
> > > which to make a non-anonymous request.
> > 
> > Sure, that would be possible; it isn't even difficult.  It might even
> > be worth a change to the core to support this automatically.
> > 
> > Pm
> > 
> > > -----Original Message-----
> > > From: pmwiki-users-bounces at pmichaud.com
> > > [mailto:pmwiki-users-bounces at pmichaud.com] On Behalf Of Hartl, Bob
> > > Sent: Friday, May 19, 2006 2:58 PM
> > > To: Patrick R. Michaud
> > > Cc: pmwiki-users at pmichaud.com
> > > Subject: Re: [pmwiki-users] HTTP Authentication and use of login 
> > > name
> > > 
> > > 
> > > Hello Patrick,
> > >  
> > > I do not have httpauth.php in my config.php -- this must be what I'm
> 
> > > missing -- thanks!  I just read the documentation that says PmWiki 2
> 
> > > uses sesson-based authentication by default.
> > >  
> > > The documentation describes http authentication as HTTP-Basic
> > > authentication.  My pmwiki website is using "basic authentication" 
> > > (anonymous is disabled).  I'm using "basic authentication" for 
> > > testing
> > > -- but my real goal is to use "integrated windows authentication" as
> I
> > 
> > > have a Windows domain environment.  Can I expect that PmWiki's http
> > > authentication will work for "integrated windows authentication" as 
> > > well as "basic authentication?"  Perhaps I'll find out the answer to
> 
> > > this when I test it.
> > >  
> > > Thanks again!
> > > Bob Hartl
> > > 
> > > ________________________________
> > > 
> > > From: Patrick R. Michaud [mailto:pmichaud at pobox.com]
> > > Sent: Fri 5/19/2006 7:09 AM
> > > To: Hartl, Bob
> > > Cc: pmwiki-users at pmichaud.com
> > > Subject: Re: [pmwiki-users] HTTP Authentication and use of login
> > > name
> > > 
> > > 
> > > 
> > > On Thu, May 18, 2006 at 03:12:44PM -0700, Hartl, Bob wrote:
> > > > I'm a new user of PmWiki.  I installed PmWiki on Windows using
> > > > ISAPI. So far so good!  I'm using HTTP authentication and I've had
> 
> > > > success
> > in
> > > 
> > > > getting the authenticated login name from REMOTE_USER -- i.e.
> > > > PmWiki
> > 
> > > > fills the Author field with this login name.  (I followed advice
> > > > in
> > > > Cookbook:RequireAuthor, section HTTP authentication.)
> > > >
> > > > I have a WikiGroup, for which I have restricted editing to
> > > > selected
> > > > login names (as they appear using REMOTE_USER).  My hope is that
> if 
> > > > the user's login name is one of those permitted-to-edit login
> names,
> > 
> > > > then the user is able to immediately edit (without any intervening
> > > login form
> > > > from PmWiki).   But I am getting the login form (username and
> > > password).
> > > > It seems like I should be able to do this.  Am I missing something
> 
> > > > easy?
> > > 
> > > How do you have your site configured for HTTP authentication -- are
> > > you using the httpauth.php script in your config.php?
> > > 
> > > With what you've described, I don't think that an author should be
> > > getting the password prompt after being logged in.  But I'd need to 
> > > know a few more details of the setup first.
> > > 
> > > Pm
> > > 
> > > 
> > > 
> > > _______________________________________________
> > > pmwiki-users mailing list
> > > pmwiki-users at pmichaud.com
> > > http://host.pmichaud.com/mailman/listinfo/pmwiki-users
> > > 
> > 
> > _______________________________________________
> > pmwiki-users mailing list
> > pmwiki-users at pmichaud.com
> > http://host.pmichaud.com/mailman/listinfo/pmwiki-users
> > 
> 
> _______________________________________________
> pmwiki-users mailing list
> pmwiki-users at pmichaud.com
> http://host.pmichaud.com/mailman/listinfo/pmwiki-users
> 




More information about the pmwiki-users mailing list