[pmwiki-users] HTTP Authentication and use of login name

Hartl, Bob hartl.r at ghc.org
Wed Jun 7 14:13:14 CDT 2006


Thanks Patrick, this works just as you suggested!  I'm using the full
solution (including using author.php):
    ##  get the authenticated id from HTTP
    include_once('scripts/httpauth.php');

    ##  strip any leading "domain\" component, leaving just userid
    if ($AuthId) { $AuthId = preg_replace('/^.*\\\\/', '', $AuthId); }

    ##  load the AuthUser routine to handle @group authorizations
    include_once('scripts/authuser.php');

    ##  Tell AuthUser to use the $AuthId value from HTTP
    AuthUserId($pagename, $AuthId);

    Eventually I'm hoping the final explicit call to AuthUserId at the
    end will go away, but for the moment it's required.

    This sequence will also cause the "Author" field to default to the
    login name (without the "domain\" part).  If you still want to have
    the Author field blank until the author enters a value, put
    include_once('scripts/author.php'); before the above sequence.

Patrick, you also said: I'm still thinking about how I want to handle
this [getting "common name" from userid] -- I'd also like there to be a
convenient mechanism for people to obtain common names from sources
other than LDAP (i.e., the Site.AuthUser file). But whatever I come up
with will easily be able to handle the scenario you've described.

I look forward to hearing about this solution.

I have a possible workaround to the above.  One of my colleagues wrote a
.NET WebService that returns the "common name" for the userid.  Would it
be possible to use a .NET WebService from PHP?

Thanks
Bob Hartl
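
Added example, not part of this post or of PmWiki: a stricter form of the domain-stripping line used above, written as a config.php helper. Stripping "domain\" from every REMOTE_USER makes same-named accounts from different domains the same wiki identity, so this version only strips domains it has been told to expect and rejects anything that is not a plain userid; the helper name and the allowlist contents are assumptions.

```php
<?php
// Added example, not from the thread or from PmWiki: a stricter version
// of the one-line preg_replace used above.  Stripping "DOMAIN\" from
// every REMOTE_USER makes CORP\alice and OTHER\alice the same wiki
// identity, so this helper only strips domains it has been told to
// expect.  The function name and the allowlist are assumptions.

/**
 * Return the bare userid for $remoteUser, or '' (treat as not
 * authenticated) when the value is empty, malformed, or from a domain
 * that is not in $allowedDomains.
 */
function NormalizeHttpAuthId($remoteUser, array $allowedDomains) {
    if (!is_string($remoteUser) || $remoteUser === '') return '';
    // Integrated Windows authentication hands over "DOMAIN\userid";
    // basic authentication may hand over a bare "userid".
    if (preg_match('/^([^\\\\]+)\\\\([^\\\\]+)$/', $remoteUser, $m)) {
        $domain = strtoupper($m[1]);
        $userid = $m[2];
        if (!in_array($domain, array_map('strtoupper', $allowedDomains), true))
            return '';
    } elseif (strpos($remoteUser, '\\') === false) {
        $userid = $remoteUser;
    } else {
        return '';   // more than one backslash: reject rather than guess
    }
    // Only plain userid characters survive; anything else is rejected
    // instead of being silently dropped the way PmWiki drops "invalid"
    // author-name characters.
    if (!preg_match('/^[\w.\-]+$/', $userid)) return '';
    return $userid;
}

// config.php usage, following the include sequence from the thread:
//   include_once('scripts/httpauth.php');
//   $AuthId = NormalizeHttpAuthId(@$AuthId, array('CORP'));
//   include_once('scripts/authuser.php');
//   AuthUserId($pagename, $AuthId);
```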


-----Original Message-----
From: Patrick R. Michaud [mailto:pmichaud at pobox.com] 
Sent: Wednesday, June 07, 2006 11:04 AM
To: Hartl, Bob
Cc: pmwiki-users at pmichaud.com
Subject: Re: [pmwiki-users] HTTP Authentication and use of login name


On Wed, Jun 07, 2006 at 10:46:29AM -0700, Hartl, Bob wrote:
> Patrick, thanks for your quick reply.  Here are answers to your
> questions:
> 
> You asked:
> "do the userids that come back from HTTP authentication actually have
> the backslash in them?  I'm guessing that AuthUser isn't recognizing
> the backslash as a valid username character, and that we might need to
> add that."
> 
> Yes, names come back as domainname\userid.  I have confirmation of
> this -- because I use "id:domainname\userid" for setting permissions
> and this works.  Curiously the initial value of Author (for editing
> pages) did NOT include the backslash (this was the case BEFORE I
> started using author.php at your suggestion (below) to set the Author
> field initially to blank).

PmWiki strips "invalid" characters such as backslashes from author
names.

> Yes, absolutely you can strip away "domainname\" and leave only the 
> userid.  That would be great!  Much easier to work with.

Okay, that simplifies things a lot then.  Try the following:

    ##  get the authenticated id from HTTP
    include_once('scripts/httpauth.php');

    ##  strip any leading "domain\" component, leaving just userid
    if ($AuthId) { $AuthId = preg_replace('/^.*\\\\/', '', $AuthId); }

    ##  load the AuthUser routine to handle @group authorizations
    include_once('scripts/authuser.php');

    ##  Tell AuthUser to use the $AuthId value from HTTP
    AuthUserId($pagename, $AuthId);

Eventually I'm hoping the final explicit call to AuthUserId at the end
will go away, but for the moment it's required.

This sequence will also cause the "Author" field to default to the login
name (without the "domain\" part).  If you still want to 
have the Author field blank until the author enters a value, put
include_once('scripts/author.php'); before the above sequence.

> By the way, I have been following the "authentication confusion" 
> thread too -- in particular regarding LDAP.  [...]

I'm still thinking about how I want to handle this -- I'd also like
there to be a convenient mechanism for people to obtain common names
from sources other than LDAP (i.e., the Site.AuthUser file). But
whatever I come up with will easily be able to handle the scenario
you've described.

Let me know how the above works (or doesn't work).

Pm



> -----Original Message-----
> From: Patrick R. Michaud [mailto:pmichaud at pobox.com]
> Sent: Wednesday, June 07, 2006 9:39 AM
> To: Hartl, Bob
> Cc: pmwiki-users at pmichaud.com
> Subject: Re: [pmwiki-users] HTTP Authentication and use of login name
> 
> 
> On Wed, Jun 07, 2006 at 09:33:10AM -0700, Hartl, Bob wrote:
> > I added this line:
> >     include("$FarmD/scripts/authuser.php");  # only if you're using authuser
> > And defined groups in Site.AuthUser.
> > 
> > ... But this didn't help -- my groups that I defined in Site.AuthUser
> > didn't seem to get recognized -- because I got prompted for username
> > AND password.  I want to use strictly "http authentication" but be
> > able to use groups (i.e. @groupname) whose members are of the form
> > e.g. domain\userid.   I am successful using "id:domain\userid" to set
> > read/edit permissions, but I'd much prefer to use groups, whose
> > members are domain\userid.
> > 
> > Is there a way to use http authentication with groups as I suggest?
> 
> We can probably make it work.  But a quick question -- do the userids
> that come back from HTTP authentication actually have the backslash in
> them?  I'm guessing that AuthUser isn't recognizing the backslash as a
> valid username character, and that we might need to add that.
> 
> Alternately, would it hurt if PmWiki eliminated the "domain\" portion 
> of what is returned by HTTP authentication, leaving just "userid"? 
> Then that could be easily used for setting author names and for 
> authorization and groups.
> 
> Pm
> 
> 
> 
> 
> > -----Original Message-----
> > From: pmwiki-users-bounces at pmichaud.com
> > [mailto:pmwiki-users-bounces at pmichaud.com] On Behalf Of Hartl, Bob
> > Sent: Tuesday, June 06, 2006 5:03 PM
> > To: Patrick R. Michaud
> > Cc: pmwiki-users at pmichaud.com
> > Subject: Re: [pmwiki-users] HTTP Authentication and use of login name
> > 
> > 
> > Patrick, I followed your suggestion (below) and used this:
> >     include("$FarmD/scripts/author.php");
> >     include("$FarmD/scripts/httpauth.php");
> > 
> > But I have NOT yet included this:
> >     include("$FarmD/scripts/authuser.php");  # only if you're using authuser
> > 
> > You suggested that I include this ONLY if I was using authuser - and I
> > wasn't.  I'm using strictly http authentication.
> > 
> > Using the first two lines above meets the goal as I stated it below.
> > Thanks!
> > 
> > However there is one thing that doesn't work.  I was hoping to use
> > "authorization groups" -- e.g. "@writers".  I set these up in
> > Site.AuthUser, but they don't seem to get recognized.  Is this because
> > I have NOT included authuser.php above?  Would including authuser.php
> > enable me to use groups?  But would including authuser.php (for the
> > purpose of using these authorization groups) compromise in any way the
> > use of http authentication?  If so, is there a preferred way to use
> > authorization groups with http authentication?
> > 
> > Thanks
> > Bob Hartl
> > 
> > -----Original Message-----
> > From: Patrick R. Michaud [mailto:pmichaud at pobox.com]
> > Sent: Wednesday, May 24, 2006 12:52 PM
> > To: Hartl, Bob
> > Cc: pmwiki-users at pmichaud.com
> > Subject: Re: [pmwiki-users] HTTP Authentication and use of login name
> > 
> > 
> > On Wed, May 24, 2006 at 12:42:57PM -0700, Hartl, Bob wrote:
> > > In the meantime as a backup solution, I am using http-authentication
> > > and setting $EnablePostAuthorRequired to 1 to require users to enter
> > > a non-blank author name.  The slight problem is that the initial
> > > value of the Author field is "DOMAINNAMEusername" -- ideally I would
> > > like the initial value of Author field to be blank, so that the user
> > > would be forced (via the $EnablePostAuthorRequired setting) to enter
> > > an author name (and my hope would be that they enter a "proper"
> > > author name -- i.e. "firstname lastname").  Is there a way, when
> > > using http-authentication, for the Author field to be initially
> > > blank?
> > 
> > Try including scripts/author.php *before* any include of httpauth.php
> > or authuser.php:
> > 
> >     include("$FarmD/scripts/author.php");
> >     include("$FarmD/scripts/httpauth.php");
> >     include("$FarmD/scripts/authuser.php");  # only if you're using authuser
> > 
> > Pm
> > 
> > > -----Original Message-----
> > > From: pmwiki-users-bounces at pmichaud.com
> > > [mailto:pmwiki-users-bounces at pmichaud.com] On Behalf Of Hartl, Bob
> > > Sent: Monday, May 22, 2006 3:49 PM
> > > To: Patrick R. Michaud
> > > Cc: pmwiki-users at pmichaud.com
> > > Subject: Re: [pmwiki-users] HTTP Authentication and use of login name
> > > 
> > > 
> > > Patrick,
> > > 
> > > Thanks again for your reply.  The LDAP approach sure sounds best.  I
> > > agree -- this would be a great addition to the core.
> > > 
> > > Would the approach be to come up with an "LDAP" alternative to this
> > > statement in config.php?
> > >     if (@$_SERVER['REMOTE_USER']) $Author = $_SERVER['REMOTE_USER'];
> > > 
> > > Or is the approach more complicated -- perhaps the httpauth.php
> > > script must be modified to grab the author name from the LDAP server?
> > > 
> > > One of my colleagues retrieved active directory information via LDAP
> > > in a .NET application, and he discovered that for our LDAP server,
> > > first name is property "givenname" and last name is property "sn"
> > > (as in surname).  I don't know if this is standard or not.  His .NET
> > > code provides a username and password (which I also have access to)
> > > in order to make a non-anonymous inquiry to get "givenname" and "sn"
> > > for the provided username.
> > > 
> > > I'd definitely be interested in testing this change!
> > > 
> > > Thanks
> > > Bob Hartl
> > > 
> > > 
> > > 
> > > -----Original Message-----
> > > From: Patrick R. Michaud [mailto:pmichaud at pobox.com]
> > > Sent: Monday, May 22, 2006 2:46 PM
> > > To: Hartl, Bob
> > > Cc: pmwiki-users at pmichaud.com
> > > Subject: Re: [pmwiki-users] HTTP Authentication and use of login name
> > > 
> > > 
> > > On Mon, May 22, 2006 at 12:41:22PM -0700, Hartl, Bob wrote:
> > > > Patrick,
> > > > 
> > > > The httpauth.php script works nicely, thanks.  I would however
> > > > like to display the "author name" not login name in the AUTHOR
> > > > field.  Is this possible when using HTTP authentication in PmWiki?
> > > > Two approaches seem possible to me.
> > > 
> > > The login name is simply displayed by default in the "Author"
> > > field--an author can change the value to be something else (and
> > > that is the value remembered for future sessions as long as cookies
> > > are enabled).
> > > 
> > > > Is it possible to grab a "display name" variable -- or "first
> > > > name" and "last name" variables -- instead of the REMOTE_USER
> > > > variable?  Is there such a server variable(s) to grab?
> > > 
> > > There aren't such server variables to grab.
> > > 
> > > > 2) Would the storedauthname.php script work with "http
> > > > authentication?" From the documentation it appears that it's meant
> > > > to work specifically with "AuthUser"
> > > 
> > > It might -- I haven't tried it.
> > > 
> > > > Would a possible approach be to use LDAP to grab the display name
> > > > (i.e. author name) from the login name?  I can't however do an
> > > > anonymous bind to my LDAP server -- but I have credentials with
> > > > which to make a non-anonymous request.
> > > 
> > > Sure, that would be possible; it isn't even difficult.  It might
> > > even be worth a change to the core to support this automatically.
> > > 
> > > Pm
> > > 
> > > > -----Original Message-----
> > > > From: pmwiki-users-bounces at pmichaud.com
> > > > [mailto:pmwiki-users-bounces at pmichaud.com] On Behalf Of Hartl,
Bob
> > > > Sent: Friday, May 19, 2006 2:58 PM
> > > > To: Patrick R. Michaud
> > > > Cc: pmwiki-users at pmichaud.com
> > > > Subject: Re: [pmwiki-users] HTTP Authentication and use of login name
> > > > 
> > > > 
> > > > Hello Patrick,
> > > >  
> > > > I do not have httpauth.php in my config.php -- this must be what
> > > > I'm missing -- thanks!  I just read the documentation that says
> > > > PmWiki 2 uses session-based authentication by default.
> > > >  
> > > > The documentation describes http authentication as HTTP-Basic
> > > > authentication.  My pmwiki website is using "basic authentication"
> > > > (anonymous is disabled).  I'm using "basic authentication" for
> > > > testing -- but my real goal is to use "integrated windows
> > > > authentication" as I have a Windows domain environment.  Can I
> > > > expect that PmWiki's http authentication will work for "integrated
> > > > windows authentication" as well as "basic authentication?"
> > > > Perhaps I'll find out the answer to this when I test it.
> > > >  
> > > > Thanks again!
> > > > Bob Hartl
> > > > 
> > > > ________________________________
> > > > 
> > > > From: Patrick R. Michaud [mailto:pmichaud at pobox.com]
> > > > Sent: Fri 5/19/2006 7:09 AM
> > > > To: Hartl, Bob
> > > > Cc: pmwiki-users at pmichaud.com
> > > > Subject: Re: [pmwiki-users] HTTP Authentication and use of login name
> > > > 
> > > > 
> > > > 
> > > > On Thu, May 18, 2006 at 03:12:44PM -0700, Hartl, Bob wrote:
> > > > > I'm a new user of PmWiki.  I installed PmWiki on Windows using
> > > > > ISAPI. So far so good!  I'm using HTTP authentication and I've
> > > > > had success in getting the authenticated login name from
> > > > > REMOTE_USER -- i.e. PmWiki fills the Author field with this login
> > > > > name.  (I followed advice in Cookbook:RequireAuthor, section HTTP
> > > > > authentication.)
> > > > >
> > > > > I have a WikiGroup, for which I have restricted editing to
> > > > > selected login names (as they appear using REMOTE_USER).  My
> > > > > hope is that if the user's login name is one of those
> > > > > permitted-to-edit login names, then the user is able to
> > > > > immediately edit (without any intervening login form from
> > > > > PmWiki).   But I am getting the login form (username and
> > > > > password).  It seems like I should be able to do this.  Am I
> > > > > missing something easy?
> > > > 
> > > > How do you have your site configured for HTTP authentication --
> > > > are you using the httpauth.php script in your config.php?
> > > > 
> > > > With what you've described, I don't think that an author should
> > > > be getting the password prompt after being logged in.  But I'd need
> > > > to know a few more details of the setup first.
> > > > 
> > > > Pm
> > > > 
> > > > 
> > > > 
> > > > _______________________________________________
> > > > pmwiki-users mailing list
> > > > pmwiki-users at pmichaud.com
> > > > http://host.pmichaud.com/mailman/listinfo/pmwiki-users
> > > > 
> 
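
The LDAP lookup discussed above (fetching "givenname" and "sn" for a userid with a non-anonymous bind) as an added PHP example; this is not code from the thread or from PmWiki, and it uses direct LDAP from PHP rather than the .NET WebService Bob mentions. The server URI, base DN, service-account DN and password variable, the sAMAccountName filter attribute and the function name are assumptions.

```php
<?php
// Added example, not from the thread or from PmWiki: resolve a userid to
// its common name from Active Directory over LDAP, using the
// "givenname" and "sn" attributes and a non-anonymous bind with a
// service account, as described in the thread.  The URI, base DN,
// bind DN, the sAMAccountName filter and the function name are
// assumptions for this example (ldap_escape needs PHP 5.6 or later).

function LdapCommonName($userid, $ldapUri, $baseDn, $bindDn, $bindPw) {
    // Accept only a plain userid (the form left after "domain\" is
    // stripped) before it goes anywhere near a search filter.
    if (!is_string($userid) || !preg_match('/^[\w.\-]+$/', $userid)) return '';
    $conn = ldap_connect($ldapUri);
    if (!$conn) return '';
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);   // AD returns referrals
    // Read-only service account; its password lives in config.php only.
    if (!@ldap_bind($conn, $bindDn, $bindPw)) { ldap_unbind($conn); return ''; }
    // Escape even though the userid was validated: defence in depth
    // against LDAP filter injection.
    $filter = '(sAMAccountName=' . ldap_escape($userid, '', LDAP_ESCAPE_FILTER) . ')';
    $result = @ldap_search($conn, $baseDn, $filter, array('givenname', 'sn'));
    $name = '';
    if ($result) {
        $entries = ldap_get_entries($conn, $result);
        if ($entries['count'] === 1) {   // require exactly one match
            $first = isset($entries[0]['givenname'][0]) ? $entries[0]['givenname'][0] : '';
            $last  = isset($entries[0]['sn'][0]) ? $entries[0]['sn'][0] : '';
            $name  = trim("$first $last");
        }
    }
    ldap_unbind($conn);
    return $name;
}

// config.php usage after the httpauth/authuser sequence from the thread;
// falls back to the bare userid when the lookup returns nothing:
//   $cn = LdapCommonName($AuthId, 'ldaps://dc.example.com', 'DC=example,DC=com',
//                        'CN=wikisvc,OU=Service,DC=example,DC=com', $LdapBindPassword);
//   $Author = ($cn !== '') ? $cn : $AuthId;
```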



