[pmwiki-users] Problem with AuthUser

Patrick R. Michaud pmichaud at pobox.com
Tue Dec 6 13:36:05 CST 2005


On Tue, Dec 06, 2005 at 07:45:34PM +0100, Hsing-Foo Wang wrote:
> Is there somebody who can explain in simple words what kind of 
> authentication ways there are (incl. cookbook), and specifically for what 
> usage. I know the wiki says it all, but I would like to get a grasp of 
> it at a 'meta level'.

As far as I know, there are three basic authorization mechanisms 
available for PmWiki:  
   1. passwords on pages, 
   2. AuthUser (scripts/authuser.php), and 
   3. UserAuth (http://www.pmwiki.org/wiki/Cookbook/UserAuth).

Both #2 and #3 are built on top of PmWiki's page password mechanism,
so that it's possible to have both identity-based authorizations and
password-based authorizations on pages.  

Personally, I always use method #1 for my sites.  While it's true that
many people somehow feel more "comfortable" with systems where each 
author has a separate username and password, I know from long experience
as a system administrator that the number one maintenance item is
helping people recover lost passwords or usernames.  Since my sites
generally have a small number of authors for any given section, using 
a single shared password for groups of pages is *much* more convenient 
for me and my authors than trying to manage multiple separate accounts.
This method has even worked well on sites consisting of hundreds of
authors (especially since authors are able to set their own passwords
and share them with trusted colleagues).

For sites that need identity-based authorization, PmWiki provides the
AuthUser script (#2), which has just undergone some major improvements 
for PmWiki 2.1 (thus the Cookbook.AuthUser page is a little out of date).
AuthUser overloads the basic protection scheme to also allow access
based on an authenticated identity ("id:alice") or membership in a 
defined group of identities ("@editors").  The best place to see 
what AuthUser currently offers is the Site.AuthUser page at
http://www.pmwiki.org/wiki/Site/AuthUser .

At present, usernames and passwords for AuthUser come from an 
"external" source of some sort, which can be any of the Site.AuthUser
page, local Apache .htpasswd files, LDAP servers, MySQL databases, 
or the local/config.php file.  AuthUser is also extensible to allow 
other authentication sources.

I'm not very familiar with UserAuth (#3), but I'll provide my
understanding of how it works (and others can correct me as
appropriate).  UserAuth takes a different approach in that 
authenticated users can be given permissions that override any
passwords that may be placed on pages.  Thus, an administrator
can say, for example, that "alice" is able to edit certain groups
or pages regardless of any passwords set for them.  Unlike AuthUser,
UserAuth can only get its usernames and passwords from an Apache
.htpasswd file.  However, UserAuth also provides form-based
interfaces to allow authors to change passwords, as well as a form-based
system for admins to add new accounts or change account permissions.

Form-based interfaces for registering new accounts and allowing 
authors to change passwords are planned for AuthUser (#2), but 
aren't completed yet.

I hope this helps!  I'd like to take the above information and put 
it into the PmWiki docs somewhere, so any comments, questions,
or suggestions on the above descriptions would be greatly appreciated.

Pm
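
A sketch of the AuthUser arrangement described in the message above, written as a local/config.php fragment. This is an added example, not part of the original post; the usernames, the group name, the .htpasswd path and the hash placeholders are constructed for illustration.

```php
<?php if (!defined('PmWiki')) exit();
# local/config.php fragment (added example; all values are placeholders)

# Site-wide admin password, stored as a hash rather than as cleartext.
# Generate the hash with ?action=crypt and paste it in; writing
# crypt('secret') here would leave the cleartext readable in this file.
$DefaultPasswords['admin'] = '<HASH-FROM-ACTION-CRYPT>';

# Identity sources. These must be set BEFORE authuser.php is included.
$AuthUser['alice']    = '<HASH-FROM-ACTION-CRYPT>';   # account kept in config.php
$AuthUser['htpasswd'] = '/path/to/.htpasswd';         # accounts from an Apache .htpasswd file
$AuthUser['@editors'] = array('alice', 'bob');        # a defined group of identities

include_once("$FarmD/scripts/authuser.php");

# Identity-based defaults layered on the page-password mechanism:
# editing requires membership in @editors ...
$DefaultPasswords['edit'] = '@editors';
# ... and uploading is limited to one authenticated identity.
$DefaultPasswords['upload'] = 'id:alice';
```

The same "id:alice" and "@editors" entries can be typed into the password fields of a page's or group's ?action=attr form, next to ordinary shared passwords, which is how identity-based and password-based authorization coexist on one page.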



