[pmwiki-users] HTTP Authentication and use of login name

Patrick R. Michaud pmichaud at pobox.com
Wed Jun 7 13:03:48 CDT 2006


On Wed, Jun 07, 2006 at 10:46:29AM -0700, Hartl, Bob wrote:
> Patrick, thanks for your quick reply.  Here are answers to your
> questions:
> 
> You asked: 
> "do the userids that come back from HTTP authentication actually have
> the backslash in them?  I'm guessing that AuthUser isn't recognizing the
> backslash as a valid username character, and that we might need to add
> that."
> 
> Yes, names come back as domainname\userid.  I have confirmation of this
> -- because I use "id:domainname\userid" for setting permissions and this
> works.  Curiously the initial value of Author (for editing pages) did
> NOT include the backslash (this was the case BEFORE I started using
> author.php at your suggestion (below) to set the Author field initially
> to blank).  

PmWiki strips "invalid" characters such as backslashes from author names.

> Yes, absolutely you can strip away "domainname\" and leave only the
> userid.  That would be great!  Much easier to work with.

Okay, that simplifies things a lot then.  Try the following:

    ##  get the authenticated id from HTTP
    include_once('scripts/httpauth.php');

    ##  strip any leading "domain\" component, leaving just userid
    if ($AuthId) { $AuthId = preg_replace('/^.*\\\\/', '', $AuthId); }

    ##  load the AuthUser routine to handle @group authorizations
    include_once('scripts/authuser.php');

    ##  Tell AuthUser to use the $AuthId value from HTTP
    AuthUserId($pagename, $AuthId);

Eventually I'm hoping the final explicit call to AuthUserId at the
end will go away, but for the moment it's required.

This sequence will also cause the "Author" field to default to
the login name (without the "domain\" part).  If you still want to 
have the Author field blank until the author enters a value, put
include_once('scripts/author.php'); before the above sequence.

> By the way, I have been following the "authentication confusion" thread
> too -- in particular regarding LDAP.  [...]

I'm still thinking about how I want to handle this -- I'd also like
there to be a convenient mechanism for people to obtain common
names from sources other than LDAP (i.e., the Site.AuthUser file).
But whatever I come up with will easily be able to handle the scenario
you've described.

Let me know how the above works (or doesn't work).

Pm
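As an added illustration (not code from this thread or from PmWiki itself), the following standalone PHP shows what the snippet above does to an HTTP-authenticated id and what a group check against a Site.AuthUser-style membership list then looks like. The function names, the `@writers`/`@admins` table, the sample ids and the username character whitelist are all constructed for the example; PmWiki's real "invalid character" rule for author names is not reproduced here.

```php
<?php
// Added example, not part of PmWiki or of the mailing-list thread.
// It shows (1) stripping a leading "DOMAIN\" from an HTTP-auth id with the
// same regex Pm suggests, (2) why a raw "DOMAIN\user" id fails a simple
// username-character check, and (3) matching the cleaned id against
// @group membership lists in the spirit of Site.AuthUser.

// Same regex as the thread: drop everything up to and including the last "\".
// In single quotes '\\\\' is the two-character string \\, i.e. one escaped
// backslash in the pattern.
function stripDomain(string $authId): string {
    return preg_replace('/^.*\\\\/', '', $authId);
}

// Assumed whitelist for illustration only: letters, digits, dot, underscore,
// hyphen.  A backslash is not in it, which is why "CORP\bhartl" is rejected
// until the domain prefix has been stripped.
function isValidUserId(string $id): bool {
    return (bool) preg_match('/^[A-Za-z0-9._-]+$/', $id);
}

// Return the names of every group (constructed table) that lists $id.
function groupsFor(string $id, array $groups): array {
    $member = [];
    foreach ($groups as $group => $ids) {
        if (in_array($id, $ids, true)) {
            $member[] = $group;
        }
    }
    return $member;
}

// Constructed group table, analogous to "@writers: bhartl, alice" in Site.AuthUser.
$groups = [
    '@writers' => ['bhartl', 'alice'],
    '@admins'  => ['alice'],
];

// Constructed sample ids as they might arrive in $_SERVER['REMOTE_USER'].
// 'CORP\\bhartl' in single quotes is the string CORP\bhartl.
$samples = ['CORP\\bhartl', 'alice', 'CORP\\eve', 'OTHER\\alice'];

foreach ($samples as $raw) {
    $id = stripDomain($raw);
    printf("%-13s -> %-7s raw-valid=%-3s stripped-valid=%-3s groups=%s\n",
        $raw,
        $id,
        isValidUserId($raw) ? 'yes' : 'no',
        isValidUserId($id)  ? 'yes' : 'no',
        implode(',', groupsFor($id, $groups)) ?: '(none)');
}
```

Run it with `php example.php`. The last sample is the caveat a practitioner will want to keep in mind: once the domain prefix is removed, `CORP\alice` and `OTHER\alice` both become the wiki identity `alice` and both inherit `@admins`. In a single-domain environment like the one described in the thread that is harmless; if more than one domain can authenticate to the same server, the group lists should be written against ids that still carry the domain, or the stripping should be limited to one known domain name.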



> -----Original Message-----
> From: Patrick R. Michaud [mailto:pmichaud at pobox.com] 
> Sent: Wednesday, June 07, 2006 9:39 AM
> To: Hartl, Bob
> Cc: pmwiki-users at pmichaud.com
> Subject: Re: [pmwiki-users] HTTP Authentication and use of login name
> 
> 
> On Wed, Jun 07, 2006 at 09:33:10AM -0700, Hartl, Bob wrote:
> > I added this line:
> >     include("$FarmD/scripts/authuser.php");  # only if you're using authuser
> > And defined groups in Site.AuthUser.
> > 
> > ... But this didn't help -- my groups that I defined in Site.AuthUser 
> > didn't seem to get recognized -- because I got prompted for username 
> > AND password.  I want to use strictly "http authentication" but be 
> > able to use groups (i.e. @groupname) whose members are of the form e.g.
> > domain\userid.   I am successful using "id:domain\userid" to set
> > read/edit permissions, but I'd much prefer to use groups, whose 
> > members are domain\userid.
> > 
> > Is there a way to use http authentication with groups as I suggest?
> 
> We can probably make it work.  But a quick question -- do the userids
> that come back from HTTP authentication actually have the backslash in
> them?  I'm guessing that AuthUser isn't recognizing the backslash as a
> valid username character, and that we might need to add that.
> 
> Alternately, would it hurt if PmWiki eliminated the "domain\" portion of
> what is returned by HTTP authentication, leaving just "userid"? Then
> that could be easily used for setting author names and for authorization
> and groups.
> 
> Pm
> 
> 
> 
> 
> > -----Original Message-----
> > From: pmwiki-users-bounces at pmichaud.com 
> > [mailto:pmwiki-users-bounces at pmichaud.com] On Behalf Of Hartl, Bob
> > Sent: Tuesday, June 06, 2006 5:03 PM
> > To: Patrick R. Michaud
> > Cc: pmwiki-users at pmichaud.com
> > Subject: Re: [pmwiki-users] HTTP Authentication and use of login name
> > 
> > 
> > Patrick, I followed your suggestion (below) and used this:
> >     include("$FarmD/scripts/author.php");
> >     include("$FarmD/scripts/httpauth.php");
> > 
> > But I have NOT yet included this:
> >     include("$FarmD/scripts/authuser.php");  # only if you're using authuser
> > You suggested that I include this ONLY if I was using 
> > authuser - and I wasn't.  I'm using strictly http authentication.
> > 
> > Using the first two lines above meets the goal as I stated it below. 
> > Thanks!
> > 
> > However there is one thing that doesn't work.  I was hoping to use 
> > "authorization groups" -- e.g. "@writers".  I set these up in 
> > Site.AuthUser, but they don't seem to get recognized.  Is this because
> > I have NOT included authuser.php above?  Would including authuser.php 
> > enable me to use groups?  But would including authuser.php (for the 
> > purpose of using these authorization groups) compromise in any way the
> > use of http authentication?  If so, is there a preferred way to use 
> > authorization groups with http authentication?
> > 
> > Thanks
> > Bob Hartl
> > 
> > -----Original Message-----
> > From: Patrick R. Michaud [mailto:pmichaud at pobox.com]
> > Sent: Wednesday, May 24, 2006 12:52 PM
> > To: Hartl, Bob
> > Cc: pmwiki-users at pmichaud.com
> > Subject: Re: [pmwiki-users] HTTP Authentication and use of login name
> > 
> > 
> > On Wed, May 24, 2006 at 12:42:57PM -0700, Hartl, Bob wrote:
> > > In the meantime as a backup solution, I am using http-authentication
> > > and setting $EnablePostAuthorRequired to 1 to require users to enter
> > > a non-blank author name.  The slight problem is that the initial value
> > > of the Author field is "DOMAINNAMEusername" -- ideally I would like 
> > > the initial value of Author field to be blank, so that the user 
> > > would be forced (via the $EnablePostAuthorRequired setting) to enter
> > > an author name (and my hope would be that they enter a "proper" 
> > > author name -- i.e. "firstname lastname").  Is there a way, when 
> > > using http-authentication, for the Author field to be initially blank?
> > 
> > Try including scripts/author.php *before* any include of httpauth.php 
> > or authuser.php:
> > 
> >     include("$FarmD/scripts/author.php");
> >     include("$FarmD/scripts/httpauth.php");
> >     include("$FarmD/scripts/authuser.php");  # only if you're using authuser
> > 
> > Pm
> > 
> > > -----Original Message-----
> > > From: pmwiki-users-bounces at pmichaud.com 
> > > [mailto:pmwiki-users-bounces at pmichaud.com] On Behalf Of Hartl, Bob
> > > Sent: Monday, May 22, 2006 3:49 PM
> > > To: Patrick R. Michaud
> > > Cc: pmwiki-users at pmichaud.com
> > > Subject: Re: [pmwiki-users] HTTP Authentication and use of login name
> > > 
> > > 
> > > Patrick,
> > > 
> > > Thanks again for your reply.  The LDAP approach sure sounds best.  I 
> > > agree -- this would be a great addition to the core.
> > > 
> > > Would the approach be to come up with an "LDAP" alternative to this 
> > > statement in config.php?
> > > (@$_SERVER['REMOTE_USER']) $Author = $_SERVER['REMOTE_USER'];
> > > 
> > > Or is the approach more complicated -- perhaps the httpauth.php 
> > > script must be modified to grab the author name from the LDAP server?
> > > 
> > > One of my colleagues retrieved active directory information via LDAP
> > > in a .NET application, and he discovered that for our LDAP server, 
> > > first name is property "givenname" and last name is property "sn" 
> > > (as in surname).  I don't know if this is standard or not.  His .NET
> > > code provides a username and password (which I also have access to) 
> > > in order to make a non-anonymous inquiry to get "givenname" and "sn"
> > > for the provided username.
> > > 
> > > I'd definitely be interested in testing this change!
> > > 
> > > Thanks
> > > Bob Hartl
> > > 
> > > 
> > > 
> > > -----Original Message-----
> > > From: Patrick R. Michaud [mailto:pmichaud at pobox.com]
> > > Sent: Monday, May 22, 2006 2:46 PM
> > > To: Hartl, Bob
> > > Cc: pmwiki-users at pmichaud.com
> > > Subject: Re: [pmwiki-users] HTTP Authentication and use of login name
> > > 
> > > 
> > > On Mon, May 22, 2006 at 12:41:22PM -0700, Hartl, Bob wrote:
> > > > Patrick,
> > > > 
> > > > The httpauth.php script works nicely, thanks.  I would however 
> > > > like to display the "author name" not login name in the AUTHOR 
> > > > field.  Is this possible when using HTTP authentication in PmWiki?
> > > > Two approaches seem possible to me.
> > > 
> > > The login name is simply displayed by default in the "Author" 
> > > field--an author can change the value to be something else (and that
> > > is the value remembered for future sessions as long as cookies are 
> > > enabled).
> > > 
> > > > Is it possible to grab a "display name" variable -- or "first 
> > > > name" and "last name" variables -- instead of the REMOTE_USER variable?
> > > > Is there such a server variable(s) to grab?
> > > 
> > > There aren't such server variables to grab.
> > > 
> > > > 2) Would the storedauthname.php script work with "http 
> > > > authentication?" From the documentation it appears that it's meant
> > > > to work specifically with "AuthUser"
> > > 
> > > It might -- I haven't tried it.
> > > 
> > > > Would a possible approach be to use LDAP to grab the display name 
> > > > (i.e. author name) from the login name?  I can't however do an 
> > > > anonymous bind to my LDAP server -- but I have credentials with 
> > > > which to make a non-anonymous request.
> > > 
> > > Sure, that would be possible; it isn't even difficult.  It might 
> > > even be worth a change to the core to support this automatically.
> > > 
> > > Pm
> > > 
> > > > -----Original Message-----
> > > > From: pmwiki-users-bounces at pmichaud.com 
> > > > [mailto:pmwiki-users-bounces at pmichaud.com] On Behalf Of Hartl, Bob
> > > > Sent: Friday, May 19, 2006 2:58 PM
> > > > To: Patrick R. Michaud
> > > > Cc: pmwiki-users at pmichaud.com
> > > > Subject: Re: [pmwiki-users] HTTP Authentication and use of login name
> > > > 
> > > > 
> > > > Hello Patrick,
> > > >  
> > > > I do not have httpauth.php in my config.php -- this must be what 
> > > > I'm missing -- thanks!  I just read the documentation that says 
> > > > PmWiki 2 uses session-based authentication by default.
> > > >  
> > > > The documentation describes http authentication as HTTP-Basic 
> > > > authentication.  My pmwiki website is using "basic authentication"
> > > > (anonymous is disabled).  I'm using "basic authentication" for 
> > > > testing -- but my real goal is to use "integrated windows 
> > > > authentication" as I have a Windows domain environment.  Can I 
> > > > expect that PmWiki's http authentication will work for "integrated 
> > > > windows authentication" as well as "basic authentication?"  Perhaps 
> > > > I'll find out the answer to this when I test it.
> > > >  
> > > > Thanks again!
> > > > Bob Hartl
> > > > 
> > > > ________________________________
> > > > 
> > > > From: Patrick R. Michaud [mailto:pmichaud at pobox.com]
> > > > Sent: Fri 5/19/2006 7:09 AM
> > > > To: Hartl, Bob
> > > > Cc: pmwiki-users at pmichaud.com
> > > > Subject: Re: [pmwiki-users] HTTP Authentication and use of login name
> > > > 
> > > > 
> > > > 
> > > > On Thu, May 18, 2006 at 03:12:44PM -0700, Hartl, Bob wrote:
> > > > > I'm a new user of PmWiki.  I installed PmWiki on Windows using 
> > > > > ISAPI. So far so good!  I'm using HTTP authentication and I've 
> > > > > had success in getting the authenticated login name from 
> > > > > REMOTE_USER -- i.e. PmWiki fills the Author field with this login 
> > > > > name.  (I followed advice in Cookbook:RequireAuthor, section HTTP 
> > > > > authentication.)
> > > > >
> > > > > I have a WikiGroup, for which I have restricted editing to 
> > > > > selected login names (as they appear using REMOTE_USER).  My 
> > > > > hope is that if the user's login name is one of those 
> > > > > permitted-to-edit login names, then the user is able to 
> > > > > immediately edit (without any intervening login form from PmWiki).
> > > > > But I am getting the login form (username and password).  It 
> > > > > seems like I should be able to do this.  Am I missing something 
> > > > > easy?
> > > > 
> > > > How do you have your site configured for HTTP authentication -- 
> > > > are you using the httpauth.php script in your config.php?
> > > > 
> > > > With what you've described, I don't think that an author should be
> > > > getting the password prompt after being logged in.  But I'd need 
> > > > to know a few more details of the setup first.
> > > > 
> > > > Pm
> > > > 
> > > > 
> > > > 
> > > > _______________________________________________
> > > > pmwiki-users mailing list
> > > > pmwiki-users at pmichaud.com 
> > > > http://host.pmichaud.com/mailman/listinfo/pmwiki-users
> > > > 
> > > 
> 



