[pmwiki-users] Authentication confusion

Vedvik, Gary Gary.Vedvik at xerox.com
Thu Jun 8 07:38:27 CDT 2006


Your scenario sounds nearly identical to mine. You'll likely need the
"domain\" part of the user's authentication ID to properly handle an ldap
account lookup (e.g. Active Directory) in a multi-domain
forest/environment.  Without caring about the common name for the
account, I don't have any problems getting the Author field to contain
the authentication ID in "domain\account" format.

With the recent addition of yet another authentication recipe, there are
now three different approaches (authuser, userauth, and now externauth).
It also seems there is some confusion about what php files to
"include_once", and what order to include them (and whether we need to
include a specific function call, e.g. Patrick's suggestion of
"AuthUserId($pagename, $AuthId);" in his original reply to my initial
note).

I have a suggestion that might help clear up some of the general
confusion over some of these authentication questions.  That suggestion
would be to create a wiki page called something like "Authentication
Scenarios" that reads more like a detailed FAQ and lists some of the
most common and/or asked about scenarios and what is needed to implement
them.

Even though userauth violates Patrick's original wiki design philosophy,
I still find the concept of userauth more intuitive because everything
is nicely consolidated to one page, which means we don't need to modify
the site.authuser page, then for each group and/or page to apply any
permissions to use "?action=attr" to make those permissions changes.  

However, userauth is not without its faults, as it doesn't support
backslash characters (see my notation on the userauth devel page
http://www.pmwiki.org/wiki/Cookbook/UserAuthDevel).  I'm sort of curious
how much effort might be required to resolve the backslash character
problem, and what it might take to add external account authentication
(either http-authentication, or direct ldap authentication) and have
that authenticated account be addable to groups on that page.

GaryV


-----Original Message-----
From: pmwiki-users-bounces at pmichaud.com
[mailto:pmwiki-users-bounces at pmichaud.com] On Behalf Of Hartl, Bob
Sent: Wednesday, June 07, 2006 2:08 PM
To: pmwiki-users at pmichaud.com
Subject: Re: [pmwiki-users] Authentication confusion


Gary, I have a somewhat similar interest in LDAP.  I'm using "http
authentication" in my Win2000/IIS5 environment.  My interest in using
LDAP would be solely to return "common name" for userid.   This way I
could set the author name to "common name" (i.e. firstname lastname).
The additional catch for my situation, is that access to the LDAP server
is non-anonymous.  I do have credentials for getting to the LDAP server
though.


-----Original Message-----
From: pmwiki-users-bounces at pmichaud.com
[mailto:pmwiki-users-bounces at pmichaud.com] On Behalf Of Patrick R.
Michaud
Sent: Sunday, June 04, 2006 6:32 PM
To: Vedvik, Gary
Cc: pmwiki-users at pmichaud.com
Subject: Re: [pmwiki-users] Authentication confusion


On Sun, Jun 04, 2006 at 09:17:17PM -0400, Vedvik, Gary wrote:
> Let me see if I understand the function of the entries you suggest. 
> The httpauth grabs the web browser variables, and authuser enables 
> user based authentication, and setting "$Author = $AuthId" sets the 
> author variable to the authenticating id (e.g. domain\account in a 
> windows environment).  What does the AuthUserId function accomplish?

It sets any PmWiki authorization group memberships that may be defined
(i.e., according to group membership settings in Site.AuthUser).

Pm


-----Original Message-----
From: pmwiki-users-bounces at pmichaud.com
[mailto:pmwiki-users-bounces at pmichaud.com] On Behalf Of Vedvik, Gary
Sent: Sunday, June 04, 2006 6:17 PM
To: Patrick R. Michaud
Cc: pmwiki-users at pmichaud.com
Subject: Re: [pmwiki-users] Authentication confusion


Thanks Patrick. As for the ldap attribute that can be used for the user's
display name, there are several attributes that contain a user's name, or
parts thereof, within Active Directory; the attribute "cn" would be a
good candidate.

The following is a link that identifies some common/useful LDAP
attributes within AD. 

http://www.computerperformance.co.uk/Logon/LDAP_attributes_active_directory.htm#LDAP_Attributes_from_Active_Directory_Users_and_Computers

Let me see if I understand the function of the entries you suggest. The
httpauth grabs the web browser variables, and authuser enables user
based authentication, and setting "$Author = $AuthId" sets the author
variable to the authenticating id (e.g. domain\account in a windows
environment).  What does the AuthUserId function accomplish?  

/gv


> -----Original Message-----
> From: Patrick R. Michaud [mailto:pmichaud at pobox.com]
> Sent: Sunday, June 04, 2006 5:12 PM
> To: Vedvik, Gary
> Cc: pmwiki-users at pmichaud.com
> Subject: Re: [pmwiki-users] Authentication confusion
> 
> On Sat, Jun 03, 2006 at 01:02:14PM -0400, Vedvik, Gary wrote:
> > I've been looking at AuthUser, UserAuth, httpauth, and have gotten 
> > myself pretty confused as to how to accomplish what I'm trying to do.
> > Essentially what I would like to do is use http authentication, and 
> > place the authenticated user IDs into pmwiki groups. I'd also like to 
> > use LDAP to obtain the user's display name (e.g. fn/sn) as the author 
> > for any page edits.  Lastly, I'd like to disallow any changes to the 
> > "author" field when editing pages to be used, to avoid impersonation 
> > issues.
> 
> To use http authentication is just:
> 
>     include_once('scripts/httpauth.php');
> 
> So, to use http authentication with PmWiki's authorization groups 
> should
> be:
> 
>     include_once('scripts/httpauth.php');
>     include_once('scripts/authuser.php');
>     AuthUserId($pagename, $AuthId);
> 
> To then prevent changes to the "author" field:
> 
>     include_once('scripts/httpauth.php');
>     include_once('scripts/authuser.php');
>     AuthUserId($pagename, $AuthId);
>     $Author = $AuthId;
> 
> Getting the author's display name from LDAP is a bit more work, as it 
> involves querying the LDAP server and knowing the distinguished name 
> for the identity.  If you have that sort of information available, I 
> should be able to write that part fairly quickly.
> 
> > Based on what I've read on the pmwiki site, AuthUser appears to 
> > support ldap, but how does this work in conjunction with http 
> > authentication, and does it ultimately fill in the author variable?
> 
> LDAP is just another form of authentication separate from http 
> authentication.  HTTP authentication expects the web server to have 
> performed the authentication *before* PmWiki is executed and store the 
> result in the 'REMOTE_USER' environment variable, while PmWiki's LDAP 
> authentication module queries an LDAP server to authenticate an 
> identity.
> 
> 
> > Can it also support
> > placing the user authentication id in pmwiki groups?
> 
> Yes.
> 
> > AuthUser also
> > appears to be less intuitive to use than UserAuth because it seems 
> > that you need to enter permissions individually on each wikigroup 
> > and/or wiki page.
> 
> PmWiki's philosophy is that individual authors may wish to set 
> permissions on pages and groups, as opposed to having it centrally 
> controlled by the wiki administrator.  Whether this is "more 
> intuitive" depends on the application -- for most of the sites I run, 
> letting authors set access control permissions is a lot more natural 
> than trying to control it from a central page.
> 
> > Is what I'm trying to accomplish possible?  Have I overlooked 
> > something?  What seems to be missing on the pmwiki site is 
> > authentication scenario examples.  The examples currently describe 
> > the capabilities of each module, but leave it to the reader to put 
> > it all together.  Configuration scenario examples would certainly 
> > help.
> 
> I totally agree we could use more configuration scenario descriptions; 
> part of the trouble is that the scenarios people want are as varied as 
> the sites that use them.  Off the top of my head I can think of over a 
> dozen different scenarios that are currently in use.  It might be nice 
> if we could develop a "decision-tree" page or set of pages that could 
> walk a person through some of the more travelled scenarios.
> 
> Pm
> 

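Putting Patrick's three-line recipe above together with the LDAP
display-name lookup that Bob and Gary describe, as an added example; it
is not from the original thread, from PmWiki, or from any of the
posters.  It assumes PmWiki 2.x (scripts/httpauth.php,
scripts/authuser.php, $FarmD, $AuthId and AuthUserId()), the php-ldap
extension, and a read-only bind account for the directory.  The LDAP
host, base DN, bind DN, password and the LdapDisplayName() helper are
placeholders I made up for the example.  ldap_escape() needs PHP 5.6 or
later (newer than this 2006 thread); it is there because REMOTE_USER is
user-supplied text and must not be pasted raw into an LDAP filter.

```php
<?php
// local/config.php fragment (added example; not PmWiki's own code).
// Assumes PmWiki 2.x, php-ldap, and a read-only directory bind account.
// Every host/DN/password value below is a placeholder.

// 1. Take the identity the web server already authenticated (REMOTE_USER).
include_once("$FarmD/scripts/httpauth.php");

// 2. Turn on PmWiki's authorization groups and apply the memberships
//    defined in Site.AuthUser to the id that httpauth.php put in $AuthId.
include_once("$FarmD/scripts/authuser.php");
AuthUserId($pagename, $AuthId);

// 3. Pin the author field to the authenticated id so the edit form cannot
//    be used to sign a change as somebody else.
$Author = $AuthId;

// 4. Optional: swap the raw "domain\account" id for the directory's "cn".
//    The directory here does not allow anonymous search, so a dedicated
//    read-only service account binds first.  Returns the original id on
//    any failure so a directory outage never blocks editing.
function LdapDisplayName($authid) {
  $ldap_host = 'ldap://dc01.example.com';                 // placeholder
  $bind_dn   = 'CN=wiki-ro,OU=Service,DC=example,DC=com'; // placeholder
  $bind_pw   = 'read-only-password';                      // placeholder
  $base_dn   = 'DC=example,DC=com';                       // placeholder

  // "DOMAIN\account" -> "account": the domain prefix is not part of
  // sAMAccountName, so strip it before searching.  In a multi-domain
  // forest the prefix would instead select which $base_dn to search.
  $parts   = explode('\\', $authid, 2);
  $account = end($parts);

  $ds = @ldap_connect($ldap_host);
  if (!$ds) return $authid;
  ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
  ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);   // AD returns referrals otherwise
  if (!@ldap_bind($ds, $bind_dn, $bind_pw)) {
    ldap_close($ds);
    return $authid;
  }

  // Escape the user-derived value so characters such as "*", "(" or ")"
  // in the account name cannot widen or break the filter (LDAP injection).
  $filter = '(sAMAccountName=' . ldap_escape($account, '', LDAP_ESCAPE_FILTER) . ')';
  $sr = @ldap_search($ds, $base_dn, $filter, array('cn'), 0, 1);

  $name = $authid;
  if ($sr) {
    $entries = ldap_get_entries($ds, $sr);
    // Accept exactly one match; anything else keeps the raw id.
    if ($entries['count'] == 1 && isset($entries[0]['cn'][0])) {
      $name = $entries[0]['cn'][0];
    }
  }
  ldap_close($ds);
  return $name;
}

if (!empty($AuthId)) $Author = LdapDisplayName($AuthId);
```

As Patrick notes, this only makes sense when the web server really does
enforce the authentication before PmWiki runs; the fragment trusts
whatever lands in REMOTE_USER.  The bind credentials belong in a file
outside the web root rather than literally in config.php, and the
service account needs nothing more than read access to cn.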
_______________________________________________
pmwiki-users mailing list
pmwiki-users at pmichaud.com
http://host.pmichaud.com/mailman/listinfo/pmwiki-users
