[pmwiki-users] Authentication confusion
Hartl, Bob
hartl.r at ghc.org
Wed Jun 7 13:07:31 CDT 2006
Gary, I have a somewhat similar interest in LDAP. I'm using "http
authentication" in my Win2000/IIS5 environment. My interest in using
LDAP would be solely to return "common name" for userid. This way I
could set the author name to "common name" (i.e. firstname lastname).
The additional catch for my situation is that access to the LDAP server
is non-anonymous. I do have credentials for getting to the LDAP server
though.
-----Original Message-----
From: pmwiki-users-bounces at pmichaud.com
[mailto:pmwiki-users-bounces at pmichaud.com] On Behalf Of Patrick R.
Michaud
Sent: Sunday, June 04, 2006 6:32 PM
To: Vedvik, Gary
Cc: pmwiki-users at pmichaud.com
Subject: Re: [pmwiki-users] Authentication confusion
On Sun, Jun 04, 2006 at 09:17:17PM -0400, Vedvik, Gary wrote:
> Let me see if I understand the function of the entries you suggest.
> The httpauth grabs the web browser variables, and authuser enables
> user based authentication, and setting "$Author = $AuthId" sets the
> author variable to the authenticating id (e.g. domain\account in a
> windows environment). What does the AuthUserId function accomplish?
It sets any PmWiki authorization group memberships that may be defined
(i.e., according to group membership settings in Site.AuthUser).
Pm
-----Original Message-----
From: pmwiki-users-bounces at pmichaud.com
[mailto:pmwiki-users-bounces at pmichaud.com] On Behalf Of Vedvik, Gary
Sent: Sunday, June 04, 2006 6:17 PM
To: Patrick R. Michaud
Cc: pmwiki-users at pmichaud.com
Subject: Re: [pmwiki-users] Authentication confusion
Thanks Patrick. As for the LDAP attribute that can be used for the user's
display name, there are several attributes that contain a user's name, or
parts thereof, within Active Directory; the attribute "cn" would be a
good candidate.
The following is a link that identifies some common/useful LDAP
attributes within AD.
http://www.computerperformance.co.uk/Logon/LDAP_attributes_active_directory.htm#LDAP_Attributes_from_Active_Directory_Users_and_Computers
Let me see if I understand the function of the entries you suggest. The
httpauth grabs the web browser variables, and authuser enables user
based authentication, and setting "$Author = $AuthId" sets the author
variable to the authenticating id (e.g. domain\account in a windows
environment). What does the AuthUserId function accomplish?
/gv
> -----Original Message-----
> From: Patrick R. Michaud [mailto:pmichaud at pobox.com]
> Sent: Sunday, June 04, 2006 5:12 PM
> To: Vedvik, Gary
> Cc: pmwiki-users at pmichaud.com
> Subject: Re: [pmwiki-users] Authentication confusion
>
> On Sat, Jun 03, 2006 at 01:02:14PM -0400, Vedvik, Gary wrote:
> > I've been looking at AuthUser, UserAuth, httpauth, and have gotten
> > myself pretty confused as to how to accomplish what I'm trying to do.
> > Essentially what I would like to do is use http authentication, and
> > place the authenticated user IDs into pmwiki groups. I'd also like to
> > use LDAP to obtain the user's display name (e.g. fn/sn) as the author
> > for any page edits. Lastly, I'd like to disallow any changes to the
> > "author" field when editing pages to be used, to avoid impersonation
> > issues).
>
> To use http authentication is just:
>
>     include_once('scripts/httpauth.php');
>
> So, to use http authentication with PmWiki's authorization groups
> should be:
>
>     include_once('scripts/httpauth.php');
>     include_once('scripts/authuser.php');
>     AuthUserId($pagename, $AuthId);
>
> To then prevent changes to the "author" field:
>
>     include_once('scripts/httpauth.php');
>     include_once('scripts/authuser.php');
>     AuthUserId($pagename, $AuthId);
>     $Author = $AuthId;
>
> Getting the author's display name from LDAP is a bit more work, as it
> involves querying the LDAP server and knowing the distinguished name
> for the identity. If you have that sort of information available, I
> should be able to write that part fairly quickly.
>
> > Based on what I've read on the pmwiki site, AuthUser appears to
> > support ldap, but how does this work in conjunction with http
> > authentication, and does it ultimately fill in the author variable?
>
> LDAP is just another form of authentication separate from http
> authentication. HTTP authentication expects the web server to have
> performed the authentication *before* PmWiki is executed and store the
> result in the 'REMOTE_USER' environment variable, while PmWiki's LDAP
> authentication module queries an LDAP server to authenticate an
> identity.
>
>
> > Can it also support
> > placing the user authentication id in pmwiki groups?
>
> Yes.
>
> > AuthUser also
> > appears to be less intuitive to use than UserAuth because it seems
> > that you need to enter permissions individually on each wikigroup
> > and/or wiki page.
>
> PmWiki's philosophy is that individual authors may wish to set
> permissions on pages and groups, as opposed to having it centrally
> controlled by the wiki administrator. Whether this is "more
> intuitive" depends on the application -- for most of the sites I run,
> letting authors set access control permissions is a lot more natural
> than trying to control it from a central page.
>
> > Is what I'm trying to accomplish possible? Have I overlooked
> > something?
> > What seems to be missing on the pmwiki site is authentication
> > scenario examples. The examples currently describe the capabilities
> > of each module, but leave it to the reader to put it all together.
> > Configuration scenario examples would certainly help.
>
> I totally agree we could use more configuration scenario descriptions;
> part of the trouble is that the scenarios people want are as varied as
> the sites that use them. Off the top of my head I can think of over a
> dozen different scenarios that are currently in use. It might be nice
> if we could develop a "decision-tree" page or set of pages that could
> walk a person through some of the more travelled scenarios.
>
> Pm
>
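
An added example, not from this thread and not PmWiki's own code, of the lookup discussed above: it resolves the HTTP-authenticated id to its "cn" through a non-anonymous bind and sets that as the author. The server URI, the DNs, the WIKI_LDAP_PW environment variable, the LookupCommonName function and matching on Active Directory's sAMAccountName attribute are assumptions.

```php
<?php
// Added example for local/config.php. Host, DNs, env var and function name are assumptions.
include_once('scripts/httpauth.php');
include_once('scripts/authuser.php');
AuthUserId($pagename, $AuthId);

// Hypothetical directory settings; keep the bind password out of the web root.
$LdapUri    = 'ldaps://dc.example.org';   // TLS, because the bind sends a password
$LdapBindDn = 'CN=wiki-svc,OU=Service,DC=example,DC=org';
$LdapBindPw = getenv('WIKI_LDAP_PW');
$LdapBaseDn = 'DC=example,DC=org';

// Return the "cn" for an HTTP-authenticated id, or null if it cannot be resolved.
function LookupCommonName($authId, $uri, $bindDn, $bindPw, $baseDn) {
  // The id may arrive as domain\account (see the thread); keep only the account part.
  $pos = strrpos($authId, '\\');
  $account = ($pos === false) ? $authId : substr($authId, $pos + 1);
  if ($account === '' || !function_exists('ldap_connect')) return null;

  $conn = ldap_connect($uri);
  if (!$conn) return null;
  ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
  ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);
  ldap_set_option($conn, LDAP_OPT_NETWORK_TIMEOUT, 5);

  $cn = null;
  // Non-anonymous bind with the service account. A DN with an empty password
  // can be accepted as an anonymous bind, so refuse an empty password.
  if (is_string($bindPw) && $bindPw !== '' && @ldap_bind($conn, $bindDn, $bindPw)) {
    // Escape the id before it goes into the search filter (PHP 5.6+).
    $filter = '(&(objectClass=user)(sAMAccountName='
            . ldap_escape($account, '', LDAP_ESCAPE_FILTER) . '))';
    $res = @ldap_search($conn, $baseDn, $filter, array('cn'), 0, 2);
    if ($res) {
      $entries = ldap_get_entries($conn, $res);
      // Accept only a single, unambiguous match.
      if ($entries['count'] == 1 && isset($entries[0]['cn'][0]))
        $cn = $entries[0]['cn'][0];
    }
  }
  ldap_unbind($conn);
  return $cn;
}

if (@$AuthId) {
  $name = LookupCommonName($AuthId, $LdapUri, $LdapBindDn, $LdapBindPw, $LdapBaseDn);
  // Set by the configuration as in the thread; falls back to the raw id on lookup failure.
  $Author = ($name !== null) ? $name : $AuthId;
}
```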