[pmwiki-users] Problem with AuthUser
hsing-foo.wang at star-support.com
Tue Dec 6 13:52:16 CST 2005
Highly appreciating your swift and clear explanation Patrick!
Patrick R. Michaud wrote:
> On Tue, Dec 06, 2005 at 07:45:34PM +0100, Hsing-Foo Wang wrote:
>> is there somebody who can explain in simple words what kind of
>> authentication ways there are(incl cookbook), and specifically for what
>> usage. I know the wiki says it all, but I would like to get a grasp of
>> it at a 'meta level'
> As far as I know, there are three basic authorization mechanisms
> available for PmWiki:
> 1. passwords on pages,
> 2. AuthUser (scripts/authuser.php), and
> 3. UserAuth (http://www.pmwiki.org/wiki/Cookbook/UserAuth).
> Both #2 and #3 are built on top of PmWiki's page password mechanism,
> so that it's possible to have both identity-based authorizations and
> password-based authorizations on pages.
> Personally, I always use method #1 for my sites. While it's true that
> many people somehow feel more "comfortable" with systems where each
> author has a separate username and password, I know from long experience
> as a system administrator that the number one maintenance item is
> helping people recover lost passwords or usernames. Since my sites
> generally have a small number of authors for any given section, using
> a single shared password for groups of pages is *much* more convenient
> for me and my authors than trying to manage multiple separate accounts.
> This method has even worked well on sites consisting of hundreds of
> authors (especially since authors are able to set their own passwords
> and share them with trusted colleagues).
> For sites that need identity-based authorization, PmWiki provides the
> AuthUser script (#2), which has just undergone some major improvements
> for PmWiki 2.1 (thus the Cookbook.AuthUser page is a little out of date).
> AuthUser overloads the basic protection scheme to also allow access
> based on an authenticated identity ("id:alice") or membership in a
> defined group of identities ("@editors"). The best place to see
> what AuthUser currently offers is the Site.AuthUser page at
> http://www.pmwiki.org/wiki/Site/AuthUser .
> At present, usernames and passwords for AuthUser come from an
> "external" source of some sort, which can be any of the Site.AuthUser
> page, local Apache .htpasswd files, LDAP servers, MySQL databases,
> or the local/config.php file. AuthUser is also extensible to allow
> other authentication sources.
> I'm not very familiar with UserAuth (#3), but I'll provide my
> understanding of how it works (and others can correct me as
> appropriate). UserAuth takes a different approach in that
> authenticated users can be given permissions that override any
> passwords that may be placed on pages. Thus, an administrator
> can say, for example, that "alice" is able to edit certain groups
> or pages regardless of any passwords set for them. Unlike AuthUser,
> UserAuth can only get its usernames and passwords from an Apache
> .htpasswd file. However, UserAuth also provides form-based
> interfaces to allow authors to change passwords, as well as a form-based
> system for admins to add new accounts or change account permissions.
> Form-based interfaces for registering new accounts and allowing
> authors to change passwords are planned for AuthUser (#2), but
> aren't completed yet.
> I hope this helps! I'd like to take the above information and put
> it into the PmWiki docs somewhere, so any comments, questions,
> or suggestions on the above descriptions would be greatly appreciated.
More information about the pmwiki-users