[pmwiki-users] Authentication confusion

Vedvik, Gary Gary.Vedvik at xerox.com
Sun Jun 4 20:17:17 CDT 2006


Thanks Patrick. As for the LDAP attribute that can be used for the user's
display name, there are several attributes that contain a user's name, or
parts thereof, within Active Directory; the attribute "cn" would be a
good candidate.

The following is a link that identifies some common/useful LDAP
attributes within AD. 

http://www.computerperformance.co.uk/Logon/LDAP_attributes_active_directory.htm#LDAP_Attributes_from_Active_Directory_Users_and_Computers

Let me see if I understand the function of the entries you suggest. The
httpauth grabs the web browser variables, and authuser enables user-based
authentication, and setting "$Author = $AuthId" sets the author
variable to the authenticating id (e.g. domain\account in a Windows
environment).  What does the AuthUserId function accomplish?

/gv

-----Original Message-----
From: Patrick R. Michaud [mailto:pmichaud at pobox.com] 
Sent: Sunday, June 04, 2006 5:12 PM
To: Vedvik, Gary
Cc: pmwiki-users at pmichaud.com
Subject: Re: [pmwiki-users] Authentication confusion

On Sat, Jun 03, 2006 at 01:02:14PM -0400, Vedvik, Gary wrote:
> I've been looking at AuthUser, UserAuth, httpauth, and have gotten 
> myself pretty confused as to how to accomplish what I'm trying to do.
> Essentially what I would like to do is use http authentication, and 
> place the authenticated user IDs into pmwiki groups. I'd also like to 
> use LDAP to obtain the user's display name (e.g. fn/sn) as the author 
> for any page edits.  Lastly, I'd like to disallow any changes to the 
> "author" field when editing pages to be used (to avoid impersonation 
> issues).

To use http authentication is just:

    include_once('scripts/httpauth.php');

So, to use http authentication with PmWiki's authorization groups should
be:

    include_once('scripts/httpauth.php');
    include_once('scripts/authuser.php');
    AuthUserId($pagename, $AuthId);

To then prevent changes to the "author" field:

    include_once('scripts/httpauth.php');
    include_once('scripts/authuser.php');
    AuthUserId($pagename, $AuthId);
    $Author = $AuthId;

Getting the author's display name from LDAP is a bit more work, as it
involves querying the LDAP server and knowing the distinguished name for
the identity.  If you have that sort of information available, I should
be able to write that part fairly quickly.

> Based on what I've read on the pmwiki site, AuthUser appears to 
> support ldap, but how does this work in conjunction with http 
> authentication, and does it ultimately fill in the author variable?

LDAP is just another form of authentication separate from http
authentication.  HTTP authentication expects the web server to have
performed the authentication *before* PmWiki is executed and store the
result in the 'REMOTE_USER' environment variable, while PmWiki's LDAP
authentication module queries an LDAP server to authenticate an
identity.


> Can it also support
> placing the user authentication id in pmwiki groups?  

Yes.

> AuthUser also
> appears to be less intuitive to use than UserAuth because it seems 
> that you need to enter permissions individually on each wikigroup 
> and/or wiki page.

PmWiki's philosophy is that individual authors may wish to set
permissions on pages and groups, as opposed to having it centrally
controlled by the wiki administrator.  Whether this is "more intuitive"
depends on the application -- for most of the sites I run, letting
authors set access control permissions is a lot more natural than trying
to control it from a central page.

> Is what I'm trying to accomplish possible?  Have I overlooked something?
> What seems to be missing on the pmwiki site is authentication scenario
> examples.  The examples currently describe the capabilities of each 
> module, but leave it to the reader to put it all together.
> Configuration scenario examples would certainly help.

I totally agree we could use more configuration scenario descriptions;
part of the trouble is that the scenarios people want are as varied as
the sites that use them.  Off the top of my head I can think of over a
dozen different scenarios that are currently in use.  It might be nice
if we could develop a "decision-tree" page or set of pages that could
walk a person through some of the more travelled scenarios.

Pm
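
The display-name lookup discussed in this thread could look like the following in PmWiki's local/config.php, placed after the lines quoted above; it is an added example, not code from Patrick Michaud or PmWiki. It assumes PHP 5.6+ with the ldap extension and an Active Directory keyed on sAMAccountName; the host, DNs, service account and the WIKI_LDAP_PW environment variable are placeholders.

```php
<?php
// Added example, not PmWiki's or the thread's code. Host, DNs, service
// account and WIKI_LDAP_PW are placeholders; sAMAccountName is an assumption.

// Reduce "DOMAIN\account" or "account@REALM" to the bare account name.
function account_from_remote_user($remoteUser) {
    $name = trim((string)$remoteUser);
    if (($p = strrpos($name, '\\')) !== false) $name = substr($name, $p + 1);
    if (($p = strpos($name, '@')) !== false) $name = substr($name, 0, $p);
    return $name;
}

// Build the search filter. ldap_escape() encodes *, (, ), \ and NUL so the
// account name is matched literally and cannot change the filter's structure.
function display_name_filter($account) {
    return '(&(objectClass=user)(sAMAccountName='
        . ldap_escape($account, '', LDAP_ESCAPE_FILTER) . '))';
}

// Return the "cn" of the single matching entry, or null on any failure.
function ldap_display_name($account, $uri, $baseDn, $bindDn, $bindPw) {
    // An empty password would turn the bind into an unauthenticated one.
    if ($account === '' || !$bindPw || !($conn = ldap_connect($uri))) return null;
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);
    $cn = null;
    if (@ldap_bind($conn, $bindDn, $bindPw)) {
        $res = @ldap_search($conn, $baseDn, display_name_filter($account), array('cn'));
        $entries = $res ? ldap_get_entries($conn, $res) : false;
        // Exactly one match is required; an ambiguous result names nobody.
        if ($entries && $entries['count'] === 1 && !empty($entries[0]['cn'][0])) {
            $cn = $entries[0]['cn'][0];
        }
    }
    ldap_unbind($conn);
    return $cn;
}

// $AuthId is the authenticated id the thread's config already uses.
if (isset($AuthId) && $AuthId !== '') {
    $cn = ldap_display_name(account_from_remote_user($AuthId),
        'ldaps://dc.example.com', 'DC=example,DC=com',
        'CN=wiki-reader,OU=Service,DC=example,DC=com', getenv('WIKI_LDAP_PW'));
    // Fall back to the raw id so the author is always tied to the login.
    $Author = ($cn !== null) ? $cn : $AuthId;
}
```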



