[pmwiki-users] Authentication confusion

Patrick R. Michaud pmichaud at pobox.com
Sun Jun 4 16:11:45 CDT 2006


On Sat, Jun 03, 2006 at 01:02:14PM -0400, Vedvik, Gary wrote:
> I've been looking at AuthUser, UserAuth, httpauth, and have gotten
> myself pretty confused as to how to accomplish what I'm trying to do.
> Essentially what I would like to do is use http authentication, and
> place the authenticated user IDs into pmwiki groups. I'd also like to
> use LDAP to obtain the user's display name (e.g. fn/sn) as the author
> for any page edits.  Lastly, I'd like to disallow any changes to the
> "author" field when editing pages to be used (to avoid impersonation
> issues).

To use http authentication is just:

    include_once('scripts/httpauth.php');

So, to use http authentication with PmWiki's authorization groups
should be:

    include_once('scripts/httpauth.php');
    include_once('scripts/authuser.php');
    AuthUserId($pagename, $AuthId);

To then prevent changes to the "author" field:

    include_once('scripts/httpauth.php');
    include_once('scripts/authuser.php');
    AuthUserId($pagename, $AuthId);
    $Author = $AuthId;

Getting the author's display name from LDAP is a bit more work,
as it involves querying the LDAP server and knowing the distinguished
name for the identity.  If you have that sort of information available,
I should be able to write that part fairly quickly.

> Based on what I've read on the pmwiki site, AuthUser appears to support
> ldap, but how does this work in conjunction with http authentication,
> and does it ultimately fill in the author variable?  

LDAP is just another form of authentication separate from http
authentication.  HTTP authentication expects the web server to
have performed the authentication *before* PmWiki is executed and
store the result in the 'REMOTE_USER' environment variable, while
PmWiki's LDAP authentication module queries an LDAP server to
authenticate an identity.


> Can it also support
> placing the user authentication id in pmwiki groups?  

Yes.

> AuthUser also
> appears to be less intuitive to use than UserAuth because it seems that
> you need to enter permissions individually on each wikigroup and/or wiki
> page.

PmWiki's philosophy is that individual authors may wish to set
permissions on pages and groups, as opposed to having it centrally
controlled by the wiki administrator.  Whether this is "more intuitive"
depends on the application -- for most of the sites I run, letting
authors set access control permissions is a lot more natural than
trying to control it from a central page.

> Is what I'm trying to accomplish possible?  Have I overlooked something?
> What seems to be missing on the pmwiki site is authentication scenario
> examples.  The examples currently describe the capabilities of each
> module, but leave it to the reader to put it all together.
> Configuration scenario examples would certainly help.

I totally agree we could use more configuration scenario descriptions;
part of the trouble is that the scenarios people want are as varied
as the sites that use them.  Off the top of my head I can think of
over a dozen different scenarios that are currently in use.  It might
be nice if we could develop a "decision-tree" page or set of pages
that could walk a person through some of the more travelled scenarios.

Pm
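
The setup discussed in this message, as an added example that is not part of the original post and not PmWiki's own code: a `local/config.php` fragment that pins `$Author` to the server-authenticated id and substitutes the LDAP display name only when exactly one directory entry matches. The LDAP URI, base DN, the `uid` and `displayName` attributes, the anonymous bind and the `LdapDisplayName` helper are all assumptions.

```php
<?php
// Added example for local/config.php; not PmWiki's or the recipe's own code.
// Assumptions: LDAP URI, base DN, 'uid'/'displayName' attributes, anonymous
// search allowed. $AuthId is used the same way as in the post's snippets.
include_once('scripts/httpauth.php');
include_once('scripts/authuser.php');
AuthUserId($pagename, $AuthId);

// Hypothetical helper: display name for $uid, or null on any failure.
function LdapDisplayName($uid, $uri, $baseDn) {
  if (!function_exists('ldap_connect')) return null;   // LDAP extension missing
  $ds = @ldap_connect($uri);
  if (!$ds) return null;
  ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
  ldap_set_option($ds, LDAP_OPT_NETWORK_TIMEOUT, 3);   // do not stall page loads
  $name = null;
  if (@ldap_bind($ds)) {                               // anonymous bind
    // Escape the id so characters such as * ( ) \ stay literal and
    // cannot change the meaning of the search filter.
    $filter = '(uid=' . ldap_escape($uid, '', LDAP_ESCAPE_FILTER) . ')';
    $res = @ldap_search($ds, $baseDn, $filter, array('displayName'));
    if ($res) {
      $e = ldap_get_entries($ds, $res);                // attribute keys are lowercased
      // Accept only an unambiguous match.
      if ($e['count'] == 1 && !empty($e[0]['displayname'][0]))
        $name = $e[0]['displayname'][0];
    }
  }
  ldap_unbind($ds);
  return $name;
}

if (!empty($AuthId)) {
  // Author always derives from the authenticated id, never from the edit form.
  $Author = $AuthId;
  $name = LdapDisplayName($AuthId, 'ldaps://ldap.example.org',
                          'ou=people,dc=example,dc=org');
  // Directory data ends up in page history, so keep only letters, digits,
  // spaces and . ' - ; invalid UTF-8 makes preg_replace return null.
  $clean = is_string($name)
    ? preg_replace('/[^\p{L}\p{N} .\'-]/u', '', $name) : null;
  if (is_string($clean) && trim($clean) !== '') $Author = trim($clean);
}
```

If the directory is unreachable or the lookup is ambiguous, the author falls back to the authenticated id rather than to anything the client submitted.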



