[pmwiki-users] HTTP Authentication and use of login name
Hartl, Bob
hartl.r at ghc.org
Wed Jun 7 12:46:29 CDT 2006
Patrick, thanks for your quick reply. Here are answers to your
questions:
You asked:
"do the userids that come back from HTTP authentication actually have
the backslash in them? I'm guessing that AuthUser isn't recognizing the
backslash as a valid username character, and that we might need to add
that."
Yes, names come back as domainname\userid. I have confirmation of this
-- because I use "id:domainname\userid" for setting permissions and this
works. Curiously the initial value of Author (for editing pages) did
NOT include the backslash (this was the case BEFORE I starting using
author.php at your suggestion (below) to set the Author field initially
to blank). Moreover when I much earlier used the
"(@$_SERVER['REMOTE_USER']) $Author = $_SERVER['REMOTE_USER'];"
statement, then Author got set to domainname\userid (i.e. with the
backslash). More proof that the backslash is included.
Yes, absolutely you can strip away "domainname\" and leave only the
userid. That would be great! Much easier to work with.
By the way, I have been following the "authentication confusion" thread
too -- in particular regarding LDAP. That thread is close to, although
I'm not sure it's exactly the same as my interest. My interest is in
using LDAP post-authentication (authentication already done by http
authentication) to grab the "common name" (firstname lastname) for the
userid. This capability isn't absolutely essential for my purposes (I
have a working workaround by forcing the Author field to be blank which
forces users to enter their author name), but it would be a terrific
feature to be able to get commmon name from userid -- more convenience
and impersonation could be prevented. (In my case, accessing
information from the LDAP server is non-anonymous.)
Thanks
Bob Hartl
-----Original Message-----
From: Patrick R. Michaud [mailto:pmichaud at pobox.com]
Sent: Wednesday, June 07, 2006 9:39 AM
To: Hartl, Bob
Cc: pmwiki-users at pmichaud.com
Subject: Re: [pmwiki-users] HTTP Authentication and use of login name
On Wed, Jun 07, 2006 at 09:33:10AM -0700, Hartl, Bob wrote:
> I added this line:
> include("$FarmD/scripts/authuser.php"); # only if you're using
> authuser And defined groups in Site.AuthUser.
>
> ... But this didn't help -- my groups that I defined in Site.AuthUser
> didn't seem to get recognized -- because I got prompted for username
> AND password. I want to use strictly "http authentication" but be
> able to use groups (i.e. @groupname) whose members are of the form
e.g.
> domain\userid. I am successful using "id:domain\userid" to set
> read/edit permissions, but I'd much perfer to use groups, whose
> members are domain\userid.
>
> Is there a way to use http authentication with groups as I suggest?
We can probably make it work. But a quick question -- do the userids
that come back from HTTP authentication actually have the backslash in
them? I'm guessing that AuthUser isn't recognizing the backslash as a
valid username character, and that we might need to add that.
Alternately, would it hurt if PmWiki eliminated the "domain\" portion of
what is returned by HTTP authentication, leaving just "userid"? Then
that could be easily used for setting author names and for authorization
and groups.
Pm
> -----Original Message-----
> From: pmwiki-users-bounces at pmichaud.com
> [mailto:pmwiki-users-bounces at pmichaud.com] On Behalf Of Hartl, Bob
> Sent: Tuesday, June 06, 2006 5:03 PM
> To: Patrick R. Michaud
> Cc: pmwiki-users at pmichaud.com
> Subject: Re: [pmwiki-users] HTTP Authentication and use of login name
>
>
> Patrick, I followed your suggestion (below) and used this:
> include("$FarmD/scripts/author.php");
> include("$FarmD/scripts/httpauth.php");
>
> But I have NOT yet included this:
> include("$FarmD/scripts/authuser.php"); # only if you're using
> authuser You suggested that I include this ONLY if I was using
> authuser - and I wasn't. I'm using strictly http authentication.
>
> Using the first two lines above meets the goal as I stated it below.
> Thanks!
>
> However there is one thing that doesn't work. I was hoping to using
> "authorization groups" -- e.g. "@writers". I set these up in
> Site.AuthUser, put they don't seem to get recognized. Is this because
> I have NOT included authuser.php above? Would including authuser.php
> enable me to use groups? But would including authuser.php (for the
> purpose of using these authorization groups) compromise in any way the
> use of http authentication? If so, is there a preferred way to use
> authorization groups with http authentication?
>
> Thanks
> Bob Hartl
>
> -----Original Message-----
> From: Patrick R. Michaud [mailto:pmichaud at pobox.com]
> Sent: Wednesday, May 24, 2006 12:52 PM
> To: Hartl, Bob
> Cc: pmwiki-users at pmichaud.com
> Subject: Re: [pmwiki-users] HTTP Authentication and use of login name
>
>
> On Wed, May 24, 2006 at 12:42:57PM -0700, Hartl, Bob wrote:
> > In the meantime as a backup solution, I am using http-authentication
> > and setting $EnablePostAuthorRequired to 1 to require users to enter
> > a
>
> > non-blank author name. The slight problem is that the initial value
> > of the Author field is "DOMAINNAMEusername" -- ideally I would like
> > the initial value of Author field to be blank, so that the user
> > would be forced (via the $EnablePostAuthorRequired setting) to enter
> > an author name (and my hope would be that they enter a "proper"
> > author name -- i.e. "firstname lastname". Is there a way, when
> > using http-authentication, for the Author field to be inially blank?
>
> Try including scripts/author.php *before* any include of httpauth.php
> or
> authuser.php:
>
> include("$FarmD/scripts/author.php");
> include("$FarmD/scripts/httpauth.php");
> include("$FarmD/scripts/authuser.php"); # only if you're using
> authuser
>
> Pm
>
> > -----Original Message-----
> > From: pmwiki-users-bounces at pmichaud.com
> > [mailto:pmwiki-users-bounces at pmichaud.com] On Behalf Of Hartl, Bob
> > Sent: Monday, May 22, 2006 3:49 PM
> > To: Patrick R. Michaud
> > Cc: pmwiki-users at pmichaud.com
> > Subject: Re: [pmwiki-users] HTTP Authentication and use of login
> > name
> >
> >
> > Patrick,
> >
> > Thanks again for you reply. The LDAP approach sure sounds best. I
> > agree -- this would be a great addition to the core.
> >
> > Would the approach be to come up with an "LDAP" alternative to this
> > statement in config.php?
> > (@$_SERVER['REMOTE_USER']) $Author = $_SERVER['REMOTE_USER'];
> >
> > Or is the approach more complicated -- perhaps the httpauth.php
> > script
>
> > must be modified to grab the author name from the LDAP server?
> >
> > One of my colleagues retrieved active directory information via LDAP
> > in a .NET application, and he discovered that for our LDAP server,
> > first name is property "givenname" and last name is property "sn"
> > (as in surname). I don't know if this is standard or not. His .NET
> > code provides a username and password (which I also have access to)
> > in order to make a non-anonymous inquiry to get "givenname" and "sn"
> > for the provided username.
> >
> > I'd definitely be interested in testing this change!
> >
> > Thanks
> > Bob Hartl
> >
> >
> >
> > -----Original Message-----
> > From: Patrick R. Michaud [mailto:pmichaud at pobox.com]
> > Sent: Monday, May 22, 2006 2:46 PM
> > To: Hartl, Bob
> > Cc: pmwiki-users at pmichaud.com
> > Subject: Re: [pmwiki-users] HTTP Authentication and use of login
> > name
> >
> >
> > On Mon, May 22, 2006 at 12:41:22PM -0700, Hartl, Bob wrote:
> > > Patrick,
> > >
> > > The httpauth.php script works nicely, thanks. I would however
> > > like to
> >
> > > display the "author name" not login name in the AUTHOR field. Is
> > > this
> >
> > > possible when using HTTP authentication in PmWiki? Two approaches
> > > seem possible to me.
> >
> > The login name is simply displayed by default in the "Author"
> > field--an author can change the value to be something else (and that
> > is the value remembered for future sessions as long as cookies are
> > enabled).
> >
> > > Is it possible to grab a "display name" variable -- or "first
> > > name" and "last name" variables -- instead of the REMOTE_USER
variable?
> > > Is there such a server variable(s) to grab?
> >
> > There aren't such server variables to grab.
> >
> > > 2) Would the storedauthname.php script work with "http
> > > authentication?" From the documentation it appears that it's meant
> > > to work specifically with "AuthUser"
> >
> > It might -- I haven't tried it.
> >
> > > Would a possible approach be to use LDAP to grab the display name
> > > (i.e. author name) from the login name? I can't however do an
> > > anonymous bind to my LDAP server -- but I have credentials with
> > > which to make a non-anonymous request.
> >
> > Sure, that would be possible; it isn't even difficult. It might
> > even be worth a change to the core to support this automatically.
> >
> > Pm
> >
> > > -----Original Message-----
> > > From: pmwiki-users-bounces at pmichaud.com
> > > [mailto:pmwiki-users-bounces at pmichaud.com] On Behalf Of Hartl, Bob
> > > Sent: Friday, May 19, 2006 2:58 PM
> > > To: Patrick R. Michaud
> > > Cc: pmwiki-users at pmichaud.com
> > > Subject: Re: [pmwiki-users] HTTP Authentication and use of login
> > > name
> > >
> > >
> > > Hello Patrick,
> > >
> > > I do not have httpauth.php in my config.php -- this must be what
> > > I'm
>
> > > missing -- thanks! I just read the documentation that says PmWiki
> > > 2
>
> > > uses sesson-based authentication by default.
> > >
> > > The documentation describes http authentication as HTTP-Basic
> > > authentication. My pmwiki website is using "basic authentication"
> > > (anonymous is disabled). I'm using "basic authentication" for
> > > testing
> > > -- but my real goal is to use "integrated windows authentication"
> > > as
> I
> >
> > > have a Windows domain environment. Can I expect that PmWiki's
> > > http authentication will work for "integrated windows
> > > authentication" as well as "basic authentication?" Perhaps I'll
> > > find out the answer to
>
> > > this when I test it.
> > >
> > > Thanks again!
> > > Bob Hartl
> > >
> > > ________________________________
> > >
> > > From: Patrick R. Michaud [mailto:pmichaud at pobox.com]
> > > Sent: Fri 5/19/2006 7:09 AM
> > > To: Hartl, Bob
> > > Cc: pmwiki-users at pmichaud.com
> > > Subject: Re: [pmwiki-users] HTTP Authentication and use of login
> > > name
> > >
> > >
> > >
> > > On Thu, May 18, 2006 at 03:12:44PM -0700, Hartl, Bob wrote:
> > > > I'm a new user of PmWiki. I installed PmWiki on Windows using
> > > > ISAPI. So far so good! I'm using HTTP authentication and I've
> > > > had
>
> > > > success
> > in
> > >
> > > > getting the authenticated login name from REMOTE_USER -- i.e.
> > > > PmWiki
> >
> > > > fills the Author field with this login name. (I followed advice
> > > > in Cookbook:RequireAuthor, section HTTP authentication.)
> > > >
> > > > I have a WikiGroup, for which I have restricted editing to
> > > > selected login names (as they appear using REMOTE_USER). My
> > > > hope is that
> if
> > > > the user's login name is one of those permitted-to-edit login
> names,
> >
> > > > then the user is able to immediately edit (without any
> > > > intervening
> > > login form
> > > > from PmWiki). But I am getting the login form (username and
> > > password).
> > > > It seems like I should be able to do this. Am I missing
> > > > something
>
> > > > easy?
> > >
> > > How do you have your site configured for HTTP authentication --
> > > are you using the httpauth.php script in your config.php?
> > >
> > > With what you've described, I don't think that an author should be
> > > getting the password prompt after being logged in. But I'd need
> > > to know a few more details of the setup first.
> > >
> > > Pm
> > >
> > >
> > >
> > > _______________________________________________
> > > pmwiki-users mailing list
> > > pmwiki-users at pmichaud.com
> > > http://host.pmichaud.com/mailman/listinfo/pmwiki-users
> > >
> >
> > _______________________________________________
> > pmwiki-users mailing list
> > pmwiki-users at pmichaud.com
> > http://host.pmichaud.com/mailman/listinfo/pmwiki-users
> >
>
> _______________________________________________
> pmwiki-users mailing list
> pmwiki-users at pmichaud.com
> http://host.pmichaud.com/mailman/listinfo/pmwiki-users
>
More information about the pmwiki-users
mailing list