[pmwiki-users] Authentication confusion

Hartl, Bob hartl.r at ghc.org
Wed Jun 7 13:07:31 CDT 2006


Gary, I have a somewhat similar interest in LDAP.  I'm using "http
authentication" in my Win2000/IIS5 environment.  My interest in using
LDAP would be solely to return "common name" for userid.   This way I
could set the author name to "common name" (i.e. firstname lastname).
The additional catch for my situation is that access to the LDAP server
is non-anonymous.  I do have credentials for getting to the LDAP server
though.


-----Original Message-----
From: pmwiki-users-bounces at pmichaud.com
[mailto:pmwiki-users-bounces at pmichaud.com] On Behalf Of Patrick R.
Michaud
Sent: Sunday, June 04, 2006 6:32 PM
To: Vedvik, Gary
Cc: pmwiki-users at pmichaud.com
Subject: Re: [pmwiki-users] Authentication confusion


On Sun, Jun 04, 2006 at 09:17:17PM -0400, Vedvik, Gary wrote:
> Let me see if I understand the function of the entries you suggest. 
> The httpauth grabs the web browser variables, and authuser enables 
> user based authentication, and setting "$Author = $AuthId" sets the 
> author variable to the authenticating id (e.g. domain\account in a 
> windows environment).  What does the AuthUserId function accomplish?

It sets any PmWiki authorization group memberships that may be defined
(i.e., according to group membership settings in Site.AuthUser).

Pm


-----Original Message-----
From: pmwiki-users-bounces at pmichaud.com
[mailto:pmwiki-users-bounces at pmichaud.com] On Behalf Of Vedvik, Gary
Sent: Sunday, June 04, 2006 6:17 PM
To: Patrick R. Michaud
Cc: pmwiki-users at pmichaud.com
Subject: Re: [pmwiki-users] Authentication confusion


Thanks Patrick. As for the LDAP attribute that can be used for the user's
display name, there are several attributes that contain a user's name, or
parts thereof, within Active Directory; the attribute "cn" would be a
good candidate.

The following is a link that identifies some common/useful LDAP
attributes within AD. 

http://www.computerperformance.co.uk/Logon/LDAP_attributes_active_directory.htm#LDAP_Attributes_from_Active_Directory_Users_and_Computers

Let me see if I understand the function of the entries you suggest. The
httpauth grabs the web browser variables, and authuser enables user
based authentication, and setting "$Author = $AuthId" sets the author
variable to the authenticating id (e.g. domain\account in a windows
environment).  What does the AuthUserId function accomplish?  

/gv


> -----Original Message-----
> From: Patrick R. Michaud [mailto:pmichaud at pobox.com]
> Sent: Sunday, June 04, 2006 5:12 PM
> To: Vedvik, Gary
> Cc: pmwiki-users at pmichaud.com
> Subject: Re: [pmwiki-users] Authentication confusion
> 
> On Sat, Jun 03, 2006 at 01:02:14PM -0400, Vedvik, Gary wrote:
> > I've been looking at AuthUser, UserAuth, httpauth, and have gotten
> > myself pretty confused as to how to accomplish what I'm trying to do.
> > Essentially what I would like to do is use http authentication, and
> > place the authenticated user IDs into pmwiki groups. I'd also like to
> > use LDAP to obtain the user's display name (e.g. fn/sn) as the author
> > for any page edits.  Lastly, I'd like to disallow any changes to the
> > "author" field when editing pages to be used (to avoid impersonation
> > issues).
> 
> To use http authentication is just:
> 
>     include_once('scripts/httpauth.php');
> 
> So, to use http authentication with PmWiki's authorization groups
> should be:
> 
>     include_once('scripts/httpauth.php');
>     include_once('scripts/authuser.php');
>     AuthUserId($pagename, $AuthId);
> 
> To then prevent changes to the "author" field:
> 
>     include_once('scripts/httpauth.php');
>     include_once('scripts/authuser.php');
>     AuthUserId($pagename, $AuthId);
>     $Author = $AuthId;
> 
> Getting the author's display name from LDAP is a bit more work, as it 
> involves querying the LDAP server and knowing the distinguished name 
> for the identity.  If you have that sort of information available, I 
> should be able to write that part fairly quickly.
> 
> > Based on what I've read on the pmwiki site, AuthUser appears to
> > support ldap, but how does this work in conjunction with http 
> > authentication, and does it ultimately fill in the author variable?
> 
> LDAP is just another form of authentication separate from http
> authentication.  HTTP authentication expects the web server to have
> performed the authentication *before* PmWiki is executed and store the
> result in the 'REMOTE_USER' environment variable, while PmWiki's LDAP
> authentication module queries an LDAP server to authenticate an
> identity.
> 
> 
> > Can it also support
> > placing the user authentication id in pmwiki groups?
> 
> Yes.
> 
> > AuthUser also
> > appears to be less intuitive to use than UserAuth because it seems
> > that you need to enter permissions individually on each wikigroup 
> > and/or wiki page.
> 
> PmWiki's philosophy is that individual authors may wish to set 
> permissions on pages and groups, as opposed to having it centrally 
> controlled by the wiki administrator.  Whether this is "more 
> intuitive" depends on the application -- for most of the sites I run, 
> letting authors set access control permissions is a lot more natural 
> than trying to control it from a central page.
> 
> > Is what I'm trying to accomplish possible?  Have I overlooked
> > something?
> > What seems to be missing on the pmwiki site is authentication
> > scenario examples.  The examples currently describe the capabilities
> > of each module, but leave it to the reader to put it all together.
> > Configuration scenario examples would certainly help.
> 
> I totally agree we could use more configuration scenario descriptions;
> part of the trouble is that the scenarios people want are as varied as
> the sites that use them.  Off the top of my head I can think of over a
> dozen different scenarios that are currently in use.  It might be nice
> if we could develop a "decision-tree" page or set of pages that could
> walk a person through some of the more travelled scenarios.
> 
> Pm
> 

_______________________________________________
pmwiki-users mailing list
pmwiki-users at pmichaud.com
http://host.pmichaud.com/mailman/listinfo/pmwiki-users
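
Added example, not part of the original thread and not PmWiki's own code: one way the LDAP display-name lookup discussed above could sit in local/config.php, using a non-anonymous bind and falling back to the authenticated id. The host, base DN, bind DN, the sAMAccountName attribute, the WIKI_LDAP_PASSWORD variable and the LookupCommonName helper are assumptions; it needs PHP's ldap extension and PHP 5.6 or later for ldap_escape().

```php
<?php
# Added example (not PmWiki's own code). Host, DNs, the sAMAccountName
# attribute and the WIKI_LDAP_PASSWORD variable are assumptions.
include_once('scripts/httpauth.php');
include_once('scripts/authuser.php');
AuthUserId($pagename, $AuthId);

# Return the "cn" of $account via an authenticated bind, or null on failure.
function LookupCommonName($account) {
  $host   = 'ldaps://ldap.example.org';           # placeholder, TLS-protected
  $base   = 'dc=example,dc=org';                  # placeholder search base
  $binddn = 'cn=wiki-reader,dc=example,dc=org';   # placeholder read-only account
  $bindpw = getenv('WIKI_LDAP_PASSWORD');         # keep the secret out of this file

  # REMOTE_USER may arrive as domain\account; keep only the account part.
  $pos = strrpos($account, '\\');
  if ($pos !== false) $account = substr($account, $pos + 1);

  # An empty password would turn the bind into an anonymous one, so refuse it.
  if ($account === '' || $bindpw === false || $bindpw === '') return null;

  $conn = @ldap_connect($host);
  if (!$conn) return null;
  ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
  ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);

  $cn = null;
  if (@ldap_bind($conn, $binddn, $bindpw)) {
    # Escape the value so characters such as * ( ) \ cannot alter the filter.
    $filter = '(sAMAccountName='
            . ldap_escape($account, '', LDAP_ESCAPE_FILTER) . ')';
    # Ask for "cn" only, and for at most two entries.
    $res = @ldap_search($conn, $base, $filter, array('cn'), 0, 2);
    $entries = $res ? ldap_get_entries($conn, $res) : false;
    # Accept the name only when exactly one entry matches.
    if ($entries && $entries['count'] == 1 && isset($entries[0]['cn'][0]))
      $cn = $entries[0]['cn'][0];
  }
  ldap_unbind($conn);
  return $cn;
}

# Fix the author server-side; if the lookup fails, fall back to the
# authenticated id so the author is never taken from the edit form.
$cn = empty($AuthId) ? null : LookupCommonName($AuthId);
$Author = ($cn !== null) ? $cn : $AuthId;
```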



