[pmwiki-users] can you access windows logon id and use it for the author name when editing a page?
Falk Hamann
Falk.Hamann at dbaudio.com
Fri Nov 24 00:30:06 CST 2006
On Thu, 23 Nov 2006 13:19:23 -0600
"Patrick R. Michaud" <pmichaud at pobox.com> wrote:
> On Sat, Nov 18, 2006 at 08:20:53PM -0600, Gordon, Andrew wrote:
> >
> > Is there a straightforward way to access windows logon id and
> > use it for the author name when editing a page?
>
> Not really, as the webserver doesn't normally have access to this
> sort of information. If the webserver is set up to require windows
> authentication prior to accessing the site it may be available,
> but in general it wouldn't be available.
The good news: this would work. The bad: it's not easy. I hope this
description helps.

There were several solutions. Dominique gave you the right hints.
Search for NTLM, SSPI, Kerberos.
One perfect site for NTLM is: http://curl.haxx.se/rfc/ntlm.html

For a solution with NTLM you need a browser that speaks NTLM. IE does
that, but also Firefox 1.0 and later.

Second: you need a webserver that also speaks NTLM. Under the
following link, you find an Apache module:
http://viewcvs.samba.org/cgi-bin/viewcvs.cgi/trunk/mod_auth_ntlm_winbind/?root=lorikeet

The third thing is a samba/winbind on the webserver. Your webserver
should be in your domain. Do "net rpc join" for this. Test it with "net
rpc testjoin".
Start your samba/winbind. If this is OK, then test "ntlm_auth --username=yourusername".
If this also works: congratulations. The rest is easier, I mean.

There should be a directory /var/run/samba/winbindd_privileged.
This directory must be accessible to Apache and its children. The
solution:

    groupadd winbindd
    chgrp winbindd /var/run/samba/winbindd_privileged

Configure Apache to run with this group. See /etc/apache/httpd.conf for
user/group.

    User nobody
    Group winbindd

    LoadModule auth_ntlm_winbind_module lib/apache/mod_auth_ntlm_winbind.so

    <Directory "/var/www/htdocs/pmwiki">
        AuthName "NTLM Authentication thingy"
        NTLMAuth on
        NTLMAuthHelper "/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp"
        NTLMBasicAuthoritative on
        AuthType NTLM
        require valid-user
    </Directory>

/var/www/pmwiki/local/config.php:

    # removes domain name from authid
    if (isset($_SERVER['REMOTE_USER']))
      $_SERVER['REMOTE_USER'] = preg_replace("/^[^\\\]+\\\/", "",
                                             @$_SERVER['REMOTE_USER']);
    include_once("scripts/httpauth.php"); // NTLM-Auth, Basic-Auth
    include_once("scripts/authuser.php");
    $Author = $AuthId;
    # new edit form with fixed author
    if (isset($_SERVER['REMOTE_USER']))
      SDVA($InputTags['e_author'], array(
        ':html' => "$Author<input type='hidden' \$InputFormArgs />",
        'name' => 'author', 'value' => $Author));

Client configuration: IE sends authentication automatically. Firefox
should be configured:

    about:config
    network.automatic-ntlm-auth.trusted-uris = https://your-server

Think about security (https://).
I hope this helps.

PS: There is still no solution for groups defined in AuthUser.php with
this method of authentication! Any hints are welcome.
--
[root at Linux] chown linux.users /world
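
Added example, not part of the original post or of PmWiki: the config.php snippet in the message drops the domain part of REMOTE_USER, so accounts with the same name in two different domains end up as the same author. This stricter variant only accepts the DOMAIN\user form from an allow-listed domain; the function name, the EXAMPLE domain and the sample values are hypothetical.

```php
<?php
// Added example (not the poster's code). 'EXAMPLE' and the function name
// are placeholders; adjust the allow-list to the domains you trust.

/**
 * Return the bare user name from a REMOTE_USER value of the form
 * DOMAIN\user, or null if it is malformed or from an unexpected domain.
 */
function ntlm_author_from_remote_user($remoteUser, array $allowedDomains)
{
    // Exactly one backslash with a non-empty domain and user part.
    if (!preg_match('/^([^\\\\]+)\\\\([^\\\\]+)\z/', $remoteUser, $m)) {
        return null;
    }
    list(, $domain, $user) = $m;

    // Windows domain and account names compare case-insensitively.
    $allowed = array_map('strtoupper', $allowedDomains);
    if (!in_array(strtoupper($domain), $allowed, true)) {
        return null;
    }

    // Conservative character set for a name that ends up in page history.
    if (!preg_match('/^[A-Za-z0-9._-]{1,64}\z/', $user)) {
        return null;
    }
    return strtolower($user);   // one spelling per account
}

// Constructed sample values in the form the regex in the post expects.
$samples = array(
    'EXAMPLE\\alice',      // expected domain
    'example\\Alice',      // same account, different case
    'OTHERDOM\\alice',     // same user name, different domain
    'alice',               // no domain part
    'EXAMPLE\\<b>x</b>',   // unexpected characters
);
foreach ($samples as $s) {
    $author = ntlm_author_from_remote_user($s, array('EXAMPLE'));
    // Encode on output even though the character check already passed.
    printf("%-20s => %s\n", $s,
        $author === null ? '(rejected)' : htmlspecialchars($author, ENT_QUOTES));
}
```

The first two samples both yield alice; the other three are rejected.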