[pmwiki-users] Site.AuthList Questions

Neil Herber (nospam) nospam at eton.ca
Mon Jun 25 22:52:55 CDT 2007


On 2007-06-25 Sivakatirswami is rumoured to have said:
> Looking at Neil's system, it's clear enough, but I don't see this as very
> scalable.
> I'm already using Apache Basic Authentication now for about 12 users and
> I don't like it... I have one layer of web server task in PLESK (going into
> the domain, adding users and passwords for each one) and then it appears one
> then has another layer to maintain at Site.Authuser and you *still*
> have to set attributes for any given page or group, and then your
> manually maintained list: that's 4 layers! With PM native system
> i) set group-page attributes
> ii) make a note on your manually maintained list
>
> that's only two layers.

I am not sure that I can answer all of your questions, but this is my 
attempt ...

PmWiki passwords without AuthUser do not authenticate the user. I need 
to know who has done what and be sure that it really was the person it 
was supposed to be. Hence my choice of Apache BA.

I could just use PmWiki AuthUser, because that *does* authenticate the 
user. However, it does not protect anything "outside" of the wiki. In my 
case, I have file libraries that live outside of the wiki. For example:

neil.eton.ca/libraries/
neil.eton.ca/wiki/

I use Apache BA to protect the entire site, not just the wiki content.

If everything lives inside your wiki, then I would suggest using 
AuthUser alone. You can set up the username/password pairs and set 
groups as well.

If you want to have different users or groups have different access 
privileges, then I cannot see any way around using group attribute 
passwords.

The manual list is just a backup. I simply add new username and password 
combinations to the end of the list. The real control is maintained by 
the Apache .htpasswd file, or, if you take my suggestion above, by 
Site.AuthUser.

One other feature I really like about Apache BA versus AuthUser is that 
the .htaccess file is unservable. The Site.AuthUser page is servable, 
and hence more vulnerable (but not much I suspect).

To reiterate, I use Apache BA to authenticate the users, then I can use 
AuthUser to assign permissions to particular users by name, without 
needing their passwords.

-- 
Neil Herber
Corporate info at http://www.eton.ca/


