[pmwiki-users] Problem with AuthUser

Hsing-Foo Wang hsing-foo.wang at star-support.com
Tue Dec 6 13:52:16 CST 2005 

Highly appreciating your swift and clear explanation Patrick!

thank you,

Hsing-Foo


Patrick R. Michaud wrote:
> On Tue, Dec 06, 2005 at 07:45:34PM +0100, Hsing-Foo Wang wrote:
>> is there somebody who can explain in simple words what kind of 
>> authentication ways there are(incl cookbook), and specifically for what 
>> usage. I know the wiki says it all, but I would like to get a grasp of 
>> it at a 'meta level'
> 
> As far as I know, there are three basic authorization mechanisms 
> available for PmWiki:  
>    1. passwords on pages, 
>    2. AuthUser (scripts/authuser.php), and 
>    3. UserAuth (http://www.pmwiki.org/wiki/Cookbook/UserAuth).
> 
> Both #2 and #3 are built on top of PmWiki's page password mechanism,
> so that it's possible to have both identity-based authorizations and
> password-based authorizations on pages.  
> 
> Personally, I always use method #1 for my sites.  While it's true that
> many people somehow feel more "comfortable" with systems where each 
> author has a separate username and password, I know from long experience
> as a system administrator that the number one maintenance item is
> helping people recover lost passwords or usernames.  Since my sites
> generally have a small number of authors for any given section, using 
> a single shared password for groups of pages is *much* more convenient 
> for me and my authors than trying to manage multiple separate accounts.
> This method has even worked well on sites consisting of hundreds of
> authors (especially since authors are able to set their own passwords
> and share them with trusted colleagues).
> 
> For sites that need identity-based authorization, PmWiki provides the
> AuthUser script (#2), which has just undergone some major improvements 
> for PmWiki 2.1 (thus the Cookbook.AuthUser page is a little out of date).
> AuthUser overloads the basic protection scheme to also allow access
> based on an authenticated identity ("id:alice") or membership in a 
> defined group of identities ("@editors").  The best place to see 
> what AuthUser currently offers is the Site.AuthUser page at
> http://www.pmwiki.org/wiki/Site/AuthUser .
> 
> At present, usernames and passwords for AuthUser come from an 
> "external" source of some sort, which can be any of the Site.AuthUser
> page, local Apache .htpasswd files, LDAP servers, MySQL databases, 
> or the local/config.php file.  AuthUser is also extensible to allow 
> other authentication sources.
> 
> I'm not very familiar with UserAuth (#3), but I'll provide my
> understanding of how it works (and others can correct me as
> appropriate).  UserAuth takes a different approach in that 
> authenticated users can be given permissions that override any
> passwords that may be placed on pages.  Thus, an administrator
> can say, for example, that "alice" is able to edit certain groups
> or pages regardless of any passwords set for them.  Unlike AuthUser,
> UserAuth can only get its usernames and passwords from an Apache
> .htpasswd file.  However, UserAuth also provides form-based
> interfaces to allow authors to change passwords, as well as a form-based
> system for admins to add new accounts or change account permissions.
> 
> Form-based interfaces for registering new accounts and allowing 
> authors to change passwords are planned for AuthUser (#2), but 
> aren't completed yet.
> 
> I hope this helps!  I'd like to take the above information and put 
> it into the PmWiki docs somewhere, so any comments, questions,
> or suggestions on the above descriptions would be greatly appreciated.
> 
> Pm

More information about the pmwiki-users mailing list