[pmwiki-users] Re: authuser and .htgroups

H. Fox haganfox at gmail.com
Wed Jun 29 23:39:22 CDT 2005


On 6/29/05, Jeremy Sproat <sproaticus at gmail.com> wrote:
> On 6/22/05, Patrick R. Michaud <pmichaud at pobox.com> wrote:
> > It may also be worth keeping in mind that sometime in the not-too-distant-
> > future AuthUser is expected to support authentication via LDAP
> > (and possibly RADIUS):
> >    $AuthUser['ldap'] = 'ldap://ldap.example.com/ou=People?uid=$1';
> 
> I suggest using a separate array for authentication schemes.  We're
> mixing login names and login schemes in $AuthUser.  Hypothetically
> speaking, it is possible for a user to legitimately want the username
> "ldap" but not be able to because that name is used for something
> else.  A more realistic example is "pam" - could be Pamela's login
> name, or we might be checking passwords against Linux-PAM
> (http://www.kernel.org/pub/linux/libs/pam/).

Instead of using 'pam', how about 'Linux-PAM' or even just 'PAM' in
capital letters?

> I recommend leaving the usernames in $AuthUser, and putting the
> authentication schemes in something similar like $AuthMethod, e.g.
> 
> $AuthUser['alice'] = crypt('alicepassword');
> $AuthUser['bob'] = crypt('bobpassword');
> $AuthMethod['htpasswd'] = 'local/.htpasswd';
> $AuthMethod['ldap'] = 'ldap://ldap.example.com/ou=People?uid=$1';

Would it be too confusing if
   $AuthMethod['htpasswd'] = 'local/.htpasswd';
and
   $AuthUser['htpasswd'] = 'local/.htpasswd';
were interchangeable?  In other words the arrays would be combined
into one.  Just a thought.  I suggest that because it could be more
obvious that 'htpasswd' and 'ldap' and 'Linux-PAM' are methods of
authenticating despite the fact that they're special pseudo-users in
the $AuthUser array.

What I'm really wondering is how groups would be specified. :-)

Maybe

   $AuthUser['htgroups'] = 'local/.htgroups';
   $AuthUser['group']['editors'] = array('alice', 'bob');

Along the same line of thinking as above, $AuthGroup['foo']= could be
equivalent to $AuthUser['group']['foo']= from the standpoint of a
WikiAdministrator.

Since PmWiki already has Groups, maybe 'authgroup' (or similar) is
better than 'group' for this.

I'm hoping (auth)groups support will happen before the stable release
because of how it simplifies administration.  Specifically,
maintaining role-based access controls using groups seems much easier
than keeping track of all users individually.

Hagan
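
Added example, not part of the original post and not PmWiki's AuthUser code: a sketch of the key collision discussed in this thread when scheme names share an array with usernames, next to the separate-array layout with a group-based access check. All function and array names are hypothetical, the accounts are constructed samples, and password_hash() stands in for the crypt() calls quoted above.

```php
<?php
// Added illustration; not PmWiki's AuthUser implementation.
// Every function and array name here is hypothetical.

// Single-array layout: scheme names are reserved keys among the usernames.
$reserved = ['htpasswd', 'ldap', 'pam', 'group'];

function add_user_combined(array &$auth, array $reserved, string $login, string $pw): bool {
    if (in_array($login, $reserved, true)) {
        return false;               // "pam" the person collides with "pam" the scheme
    }
    $auth[$login] = password_hash($pw, PASSWORD_DEFAULT);
    return true;
}

// Separate-array layout: no key is shared between users, methods and groups.
$authUser   = [];
$authMethod = ['htpasswd' => 'local/.htpasswd'];
$authGroup  = ['editors' => ['alice', 'bob']];

function add_user(array &$users, string $login, string $pw): void {
    $users[$login] = password_hash($pw, PASSWORD_DEFAULT);
}

function check_password(array $users, string $login, string $pw): bool {
    return isset($users[$login]) && password_verify($pw, $users[$login]);
}

// Role-based check: access is granted through group membership only.
function in_any_group(array $groups, string $login, array $wanted): bool {
    foreach ($wanted as $name) {
        if (in_array($login, $groups[$name] ?? [], true)) {
            return true;
        }
    }
    return false;
}

$combined = ['htpasswd' => 'local/.htpasswd'];
var_dump(add_user_combined($combined, $reserved, 'pam', 'pamelapassword'));

add_user($authUser, 'pam', 'pamelapassword');     // constructed sample accounts
add_user($authUser, 'alice', 'alicepassword');
var_dump(check_password($authUser, 'pam', 'pamelapassword'));
var_dump(in_any_group($authGroup, 'alice', ['editors']));
var_dump(in_any_group($authGroup, 'pam', ['editors']));
```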



