[Pmwiki-users] issue with authentification and page passwd

Patrick R. Michaud pmichaud at pobox.com
Sat May 24 15:11:30 CDT 2003


On Fri, May 23, 2003 at 11:53:01AM +0200, Eric.TOMIO at st.com wrote:

> I have the following question:
> I have run pmwiki within a web site without any
> authentication and passwd protection and all features
> regarding page passwords are working fine
> 
> But I want the very same within a web area that
> is secured with ldap mod authentication

Hmm, this makes it a bit difficult.  PmWiki's default authentication
uses the same HTTP Basic authentication mechanism that the Apache
web server will use in .htaccess/httpd.conf.  Since a browser will
only supply one HTTP-authentication password per request, the only way
to get both PmWiki's authentication and Apache's authentication to work
together is if the passwords are the same.

However, it wouldn't be too difficult to create a custom PmWiki
authorization routine that would examine Apache's REMOTE_USER
environment variable and accept that as being valid authentication,
but this might make it difficult to have separate passwords for
different actions (i.e., one would need access control lists).
Or, we could have a customized PmWiki authorization routine that
does authentication via ldap instead of having httpd do it.

When I built PmWiki, I went with HTTP Basic Authentication because
it was easy to implement and it worked for all the systems I dealt
with.  However, I'm hearing from more and more people who are having
trouble with it.  The current authentication mechanism won't work
on systems that run PHP as a cgi-bin script (instead of an Apache
module), and it won't work with PHP 4.3.0 and later running in safe_mode.
So I'm wondering if I should modify PmWiki to use an HTML form and
cookie-based approach instead of the HTTP authentication it uses now.
Any comments from others out there?

Also, just so I don't spark a discussion that goes off in a direction 
I'm not ready to go yet, for now I'm going to remain relatively opposed 
to spending effort implementing per-page or per-group access control 
lists (i.e., restricting actions based on usernames instead of 
passwords) as a default feature of PmWiki.  This is not to say that 
PmWiki will never have such a feature--it's just that I'm not 
willing to commit to that level of administrative complexity just 
yet.  On the other hand, I think that with PmWiki's current design 
it's entirely feasible to implement arbitrarily complex 
authentication mechanisms as add-ons to PmWiki.

Pm
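
The REMOTE_USER approach described in the message above, sketched as an added example that is not part of the original message and not PmWiki code. The function names, the action names and the ACL contents are hypothetical; it assumes the web server has already performed the LDAP login and exported REMOTE_USER to PHP.

```php
<?php
// Added example: hypothetical names throughout, not PmWiki's own API.

// Constructed ACL: action => usernames allowed ('*' = any authenticated user).
const WIKI_ACL = [
    'read'  => ['*'],
    'edit'  => ['alice', 'bob'],
    'admin' => ['alice'],
];

/**
 * Return the username the web server authenticated, or null.
 * Only the REMOTE_USER variable set by the server is consulted.
 * Request headers reach PHP as HTTP_* keys (e.g. HTTP_REMOTE_USER)
 * and are client-controlled, so they are never read here.
 */
function server_authenticated_user(array $server): ?string
{
    $user = $server['REMOTE_USER'] ?? '';
    if (!is_string($user) || $user === '') {
        return null;
    }
    return $user;
}

/**
 * Decide whether the server-authenticated user may perform $action.
 * Fails closed: no user or an action missing from the ACL is denied.
 */
function is_authorized(array $server, string $action, array $acl = WIKI_ACL): bool
{
    $user = server_authenticated_user($server);
    if ($user === null || !isset($acl[$action])) {
        return false;
    }
    return in_array('*', $acl[$action], true)
        || in_array($user, $acl[$action], true);
}

// Constructed sample inputs standing in for $_SERVER.
$ldapUser = ['REMOTE_USER' => 'bob'];            // set by the web server after login
$spoofed  = ['HTTP_REMOTE_USER' => 'alice'];     // request header only, no server login

var_dump(is_authorized($ldapUser, 'edit'));
var_dump(is_authorized($ldapUser, 'admin'));
var_dump(is_authorized($spoofed, 'admin'));
```

Because the username replaces the per-action password, the ACL is what separates "may edit" from "may administer", which is the extra administrative layer the message refers to.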



