Questions answered by this recipe
- My wiki editors are already on a mailing list, can I use that to let them access PmWiki?
- How can I use an external source for authenticating my users?
MailmanAuth lets you use a Mailman mailing list's membership to control user authentication, without requiring any admin access to said mailing list.
When a user logs in to the wiki, MailmanAuth uses their username (email address) and password to send an HTTP POST request to the mailing list's web access, and based on the server's reply can either allow or deny access.
To install this recipe:
- download mailman-auth.php to your cookbook directory
- add the following line to your configuration file:
mailman: MAILMAN_URL LISTNAME
Where MAILMAN_URL is the mailing list root (without the trailing slash!) and LISTNAME is the name of your mailing list. For example, if you can see your list information at <http://mailman.example.com/mailman/listinfo.cgi/cool-mailing-list>, you should use the following in SiteAdmin.AuthUser:
mailman: http://mailman.example.com/mailman cool-mailing-list
To check more than one mailing list, put each on its own
What it does
MailmanAuth takes the login information given to it and uses it to compose an HTTP POST request to view the options page for the mailing list. If the details match a user of the mailing list, the reply will include a Set-Cookie header with specific contents as well as an HTML page that by default has an <input> field that contains the full name of the user.
- If a Set-Cookie header of a specific format is found, the user is authenticated.
- If the full name of the user can be parsed from the reply, that name is stored in the user's browser as a cookie.
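The check described above, written out in PHP as an added example; it is not the recipe's own source. The options path, the POST field names (email, password, login), the cookie name pattern and the fullname input name are assumptions based on a stock Mailman 2.1 install, and the sample replies at the end are constructed.

```php
<?php
// Added example (not the recipe's source). Assumed: the options path, the POST
// field names, the "<list>+user+<email with @ as --at-->" cookie name and the
// "fullname" input name, all as in a stock Mailman 2.1 install.

function mailman_login($root, $list, $email, $password, $path = '/options.cgi/') {
    $ch = curl_init($root . $path . rawurlencode($list));
    curl_setopt_array($ch, array(
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query(array(
            'email' => $email, 'password' => $password, 'login' => 'Log in')),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_HEADER         => true,   // keep headers so Set-Cookie can be inspected
        CURLOPT_FOLLOWLOCATION => false,  // never re-send the password to a redirect target
        CURLOPT_SSL_VERIFYPEER => true,   // reject certificates that do not chain to a trusted CA
        CURLOPT_SSL_VERIFYHOST => 2,      // certificate must match the host name
        CURLOPT_TIMEOUT        => 10,
    ));
    $raw  = curl_exec($ch);
    $hlen = curl_getinfo($ch, CURLINFO_HEADER_SIZE);
    curl_close($ch);
    if ($raw === false) return false;     // fail closed on any transport or TLS error
    return mailman_parse_reply(substr($raw, 0, $hlen), substr($raw, $hlen), $list, $email);
}

// Returns false unless the reply sets a non-empty cookie for exactly this list and user.
function mailman_parse_reply($headers, $body, $list, $email) {
    $key = preg_quote($list . '+user+' . str_replace('@', '--at--', $email), '/');
    if (!preg_match('/^Set-Cookie:\s*' . $key . '=[^;\s]+/mi', $headers)) return false;
    $name = '';
    if (preg_match('/<input[^>]*\bname="fullname"[^>]*\bvalue="([^"]*)"/i', $body, $m))
        $name = html_entity_decode($m[1], ENT_QUOTES, 'UTF-8');
    // The name ends up in a browser cookie: drop control characters, cap its length (bytes).
    $name = substr(preg_replace('/[\x00-\x1f\x7f]/', '', $name), 0, 64);
    return array('id' => $email, 'name' => $name);
}

// Constructed sample replies, so the parser can be exercised offline.
$ok_h  = "HTTP/1.1 200 OK\r\nSet-Cookie: cool-mailing-list+user+ann--at--example.com=2802000000; Path=/mailman\r\n\r\n";
$ok_b  = '<INPUT name="fullname" type="TEXT" value="Ann &amp; Co" size="30" >';
$bad_h = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n";
var_dump(mailman_parse_reply($ok_h, $ok_b, 'cool-mailing-list', 'ann@example.com'));
var_dump(mailman_parse_reply($bad_h, '', 'cool-mailing-list', 'ann@example.com'));
```

Binding the cookie name to the list and address that were submitted means a reply that sets some unrelated cookie does not count as a successful login.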
The following variables may be set in your config.php file to configure the way MailmanAuth works.
- The path from the mailman root to the mailing list. If your server doesn't use the .cgi extensions, you may need to change this to
- The options passed to cURL; see the source for the defaults. You may need to change this if using HTTPS.
It should be obvious that you shouldn't use MailmanAuth if the wiki contains sensitive materials. By using MailmanAuth, you're putting your trust in a completely separate server as well as your connection to said server. If they're both on the same internal network, everything should be fine, but I'm not giving you any guarantees.
The author name is stored in plaintext in a cookie in the user's browser ($AuthorCookie), meaning that they can modify its contents at will. This means that you can't absolutely trust it.
Since the authentication is done using only the user's data, there's no requirement for the PmWiki maintainer to have admin access to the mailing list, or even to have any access at all.
This is an additional authentication interface to AuthUser, meaning that logins local to PmWiki will work as well. The only thing to note is that Mailman uses email addresses to identify users, so to refer to a user authenticated with MailmanAuth you'll need to use their email address as the ID.
It should take minimal work to take the structure of this recipe and use it to authenticate using any web-based access system. All you need to do is figure out the address to request and the form of the POST variables to give it. For security in the connection, use HTTPS.
- 2008-09-02 — first public release