[pmwiki-users] pmwiki and Active Directory

Tom info at aurlund.no
Wed May 13 13:52:12 CDT 2009


Hi everybody,

I have a question which goes beyond the normal use of pmwiki (I think), 
but I'll give it a try anyway. (This is a rather long posting, so be 
patient...)

1) pmwiki is installed in a Microsoft Windows 2003 Server (Small 
Business) environment with Active Directory and Internet Information 
Server 6.0.

2) We have an intranet which is set up with user authentication and 
SSL encryption, hence users have to access the site using the https: protocol.
This is the only protocol allowed from the outside. We use Basic 
Authentication to be able to retrieve the password from the login process.

3) Users are defined in Active Directory with a user-ident and a name 
taken from the distinguished name (the CN-part of it).
I will use "user-ident" and "name" further on. The users are also 
members of different security groups.

4) The users are logging in using a user-ident and a password (both 
defined in AD, of course). When the users have been granted access they are
presented with a default webpage with a URL to the pmwiki-installation 
(../pmwiki/pmwiki.php?n=Main.HomePage).

5) The username and password are fetched as server system variables, 
and I'm using "include_once("scripts/httpauth.php");" to authenticate 
against pmwiki.
But I need one more option (see item 6):

6)
- If the user is defined as a member of the security group "WIKI"  
he/she should be granted "read only" access site-wide on the wiki.
- If the user is defined as a member of the security group "PMWIKI" 
he/she should be granted "edit" access site-wide on the wiki.
- If the user is defined as a member of the security group 
"Administrators" he/she should be granted "admin" access site-wide on 
the wiki.
(Are there other access types I should have defined?)

7) I fetch the group memberships for the different users in a VBScript 
on the intranet site after successful login, and store them in a file 
which is stored locally on the web server
(with the user-ident as a part of the file name to avoid confusion). This 
file is read from /local/config.php, and the information is fetched and 
used there.

Code snippet from config.php is given below:

## ---------------------------------------------------
## -- Reading parameters from local file on server. --
## ---------------------------------------------------

## REMOTE_USER is filled in by IIS after Basic Authentication. It becomes
## part of a file name below, so accept only a plain user-ident (no path
## separators, no "..") before using it.
$username = $_SERVER['REMOTE_USER'];
if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9._-]*$/', $username))
  die("Invalid user-ident..");

$FileName = "C:/inetpub/wwwroot/test/temp/" . $username . "-info.tmp";
$file = fopen($FileName, "r") or die("Impossible to open file..");

## Lines written by the VBScript after login:
##   1: user-ident   2: name (CN)   3: access level (read, edit or admin)
$idinfo = array();
$index = 1;
while (($line = fgets($file)) !== false) {
  $idinfo[$index] = rtrim($line);
  $index++;
}
fclose($file);

# ------------------------------------------------------------
# -- Building the correct syntax for $idName and $idCode. --
# ------------------------------------------------------------

## Both the level name (array key) and the "id:user" value must be plain
## strings; wrapping them in chr(39) embeds literal quote characters and
## produces a key PmWiki never looks up. The result must be equivalent to
##   $DefaultPasswords['edit'] = 'id:tom';
$idName = "id:" . $idinfo[1];
$idCode = $idinfo[3];

$DefaultPasswords[$idCode] = $idName;

## ----------------------------------------------------
## Authentication via HTTP Basic Authentication (NTLM).
## ----------------------------------------------------

include_once("scripts/httpauth.php");
$Author = $idinfo[2];

## ----------------------------------------------
## -- Activate logging of all pmwiki activity. --
## ----------------------------------------------

$ActionLogAppend = 'True';

include_once("cookbook/actionlog.php");

## -------------------------
## -- End of config file. --
## -------------------------

8) I want to use the "user-ident" to identify the user and the "name" to 
be used as the $Author-name.
The user should not be allowed to change the $Author-name when changing 
the wiki pages.

I'm able to get the username/password part to work, but I am stuck on 
a good way to implement the access rights
defined by security group membership. It seems that the code above does 
not work as I expect.
(And what about access rights to e.g. the wiki.d folder or other folders 
in the pmwiki structure?)

Could anyone here enlighten me about other ways (more efficient perhaps) 
to fulfil my needs?

Thanks anyway.
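The group-to-level mapping asked for in items 6 and 7, as an added example that is not part of the original post and not PmWiki's own code. It reads the per-user file the VBScript writes, validates the user-ident taken from REMOTE_USER before it is used in a file name, maps the AD groups to PmWiki levels, and sets every level the user was not granted to PmWiki's "@lock" pseudo-password, because a level left unset in $DefaultPasswords is open to everyone. Assumptions not stated in the post: the file has the user-ident on line 1, the name on line 2 and one security group per line from line 3 on; the extra levels upload and attr are PmWiki's standard ones; the function names and the sample file are constructed for this example.

```php
<?php
// Added example, not code from the original post or from PmWiki itself.
// Assumed file layout (the post does not state it): line 1 = user-ident,
// line 2 = name (CN), line 3 onward = one AD security group per line.

// Map the AD groups named in the post to the PmWiki levels they unlock.
$GroupLevels = array(
    'WIKI'           => array('read'),
    'PMWIKI'         => array('read', 'edit', 'upload'),
    'Administrators' => array('read', 'edit', 'upload', 'attr', 'admin'),
);

// IIS may deliver REMOTE_USER as DOMAIN\user; keep the user part only and
// accept nothing that could escape the temp directory (slashes, "..").
function pmwiki_safe_user($remoteUser) {
    $user = $remoteUser;
    $p = strrpos($user, '\\');
    if ($p !== false) $user = substr($user, $p + 1);
    if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$/', $user)) return null;
    return $user;
}

// Read "<user>-info.tmp" from $dir.
// Returns array('id' => ..., 'name' => ..., 'groups' => array(...)) or null.
function pmwiki_read_user_info($dir, $user) {
    $path = rtrim($dir, '/\\') . DIRECTORY_SEPARATOR . $user . '-info.tmp';
    if (!is_file($path)) return null;
    $lines = file($path, FILE_IGNORE_NEW_LINES);
    if ($lines === false) return null;
    $lines = array_values(array_filter(array_map('trim', $lines), 'strlen'));
    if (count($lines) < 2) return null;
    return array(
        'id'     => $lines[0],
        'name'   => $lines[1],
        'groups' => array_slice($lines, 2),
    );
}

// Every level starts locked; group membership unlocks levels for this
// user only ("id:user" is the form httpauth/authuser compare against).
function pmwiki_group_passwords($groups, $userId, $groupLevels) {
    $levels = array('read' => '@lock', 'edit' => '@lock', 'upload' => '@lock',
                    'attr' => '@lock', 'admin' => '@lock');
    foreach ($groups as $g) {
        if (!isset($groupLevels[$g])) continue;
        foreach ($groupLevels[$g] as $lvl) $levels[$lvl] = 'id:' . $userId;
    }
    return $levels;
}

// Demo with a constructed file in the system temp directory, standing in
// for C:/inetpub/wwwroot/test/temp from the post.
$dir = sys_get_temp_dir();
file_put_contents($dir . DIRECTORY_SEPARATOR . 'alice-info.tmp',
                  "alice\r\nAlice Example\r\nDomain Users\r\nPMWIKI\r\n");

foreach (array('EXAMPLE\\alice', '../../alice', 'bob') as $remote) {
    $user = pmwiki_safe_user($remote);
    if ($user === null) { echo "$remote: rejected\n"; continue; }
    $info = pmwiki_read_user_info($dir, $user);
    if ($info === null) { echo "$remote: no info file\n"; continue; }
    $DefaultPasswords = pmwiki_group_passwords($info['groups'], $info['id'], $GroupLevels);
    $Author = $info['name'];
    echo "$remote -> $user ($Author): ", json_encode($DefaultPasswords), "\n";
}
```

In config.php the same three calls would run before include_once("scripts/httpauth.php"), with a null return from pmwiki_safe_user or pmwiki_read_user_info treated as a failed login rather than falling through to an unrestricted wiki. The constructed run above yields read/edit/upload unlocked for alice and attr/admin locked, rejects the "../../alice" value outright, and reports no file for bob.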
