Authentication: Difference between revisions

From Meta, a Wikimedia project coordination wiki
tidying up
No edit summary
 
(26 intermediate revisions by 17 users not shown)
:''For the help page of Two-factor authentication, click [[m:Special:MyLanguage/2FA|here]]''
* Suggestion I: [[LDAP Authentication]]
{{MovedToMediaWiki}}
: by [[User:Ryan lane|Ryan Lane]]
* Suggestion II: [[Web server Authentication]], and PHP/Pear::Auth. that solves the problem with LDAP authentication because if your webserver can LDAP/PAM whatever
: by [[User:Bill Clark|Bill Clark]]
----
Comments by Ryan (published with his permission) --[[User:Nyxos|Tom Gries]] [[{{SERVER}}{{localurl:Special:Emailuser|target=Nyxos}} mail]] 20:20, 4 Nov 2004 (UTC)

It seems to me that our patches are somewhat independent, and use different options in LocalSettings.php. I believe our ideas are two separate but
equally useful ones. Bill's idea is to have a webserver (which can already do authentication of various types) authenticate for the wiki, whereas my
patch will work with LDAP servers directly and can handle multiple domains simultaneously. My patch also gives the option of using the local database
as well as LDAP servers in case a user cares to use the wiki for a transition period, or does not want a user to have an account in LDAP. The use of
either patch would depend on what the end user's network (and management/system admins) allow.

If any of us can think of a good way to combine these patches, I'm all for it, but I'm truthfully somewhat ignorant on using webservers for
authentication, and the way we could merge these patches in such a way that we would have one set of options in LocalSettings.php that would allow both
methods to be used usefully.

I don't personally see a problem with having '''three''' different options for authentication though

# local database (default),
# [[Web Server authentication]] (Bill's patch), and
# [[LDAP Authentication]] (my patch),
# [[bugzilla:1360|Auto-login / Auto-account-creation by hostname for intranet MediaWikis (patch and flowchart)]] based on
## hostname detection with php: gethostbyaddr() and/or
## NTLM authentication to detect a logged-in Windows user by using NTLM HTTP Authentication, see [[en:NTLM]] and http://modntlm.sourceforge.net and http://modntlm.jamiekerwick.co.uk/

as they seem like separate ideas.

I have put some short documentation at [[LDAP_Authentication]] and I have linked to it from the roadmap.

[[User:Ryan lane|Ryan Lane]]

----

I'm interested in using MediaWiki in conjunction with an external authentication source, namely, Shibboleth[http://shibboleth.internet2.edu]. A quick bit of thinking about what would need to be done:

(This would also be of use for other sign-on technologies such as pubcookie[http://www.pubcookie.org/]).

# Support external HTTP authentication[http://www.faqs.org/ftp/rfc/rfc2617.txt], which works roughly like this
## user accesses a URI which is defined to be access-controlled by the web server
## web server returns 401 (unauthorized), browser asks user for their credentials
## credentials returned in an ''Authorization:'' header
# There would need to be a bit of hacking around account creation: namely, explicit account creation would be disabled entirely, but if Shibboleth presents an authenticated user about which MediaWiki knows nothing, it should silently fill out the default account bits for the user.
# the login challenge would need to be identifiable by a URI so that an Apache <Location> header could be applied to it.

Shibboleth hooks into the web server's authentication magic and directs people off to an external source to authenticate. This external server then communicates back with Shibboleth, passing information about the user (from their username to whatever else they've agreed to share). At that point, the username and other info can be provided to MediaWiki via the HTTP environment variables, e.g. ''REMOTE_USER''.

(Sorry if this seems a bit unclear!)

[[User:Jdowland|Jdowland]] 13:31, 20 Jun 2005 (UTC)
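
The flow described in the comment above (the web server authenticates, the wiki reads ''REMOTE_USER'' and silently creates the account on first sight), as an added example that is not part of the original comment and is not MediaWiki code. The function names, the in-memory account table, the allowed character set and the lower-casing of names are all assumptions made for illustration.

```php
<?php
// Added example; every name here is hypothetical, not a MediaWiki API.

/**
 * Return the username the web server authenticated, or null.
 * Only REMOTE_USER is trusted: the server's auth module sets it.
 * Keys starting with HTTP_ are copied from client request headers
 * (a "Remote-User:" header arrives as HTTP_REMOTE_USER), so they are ignored.
 */
function externalUsername(array $server): ?string
{
    $raw = $server['REMOTE_USER'] ?? '';
    if (!is_string($raw) || $raw === '') {
        return null;
    }
    // Assumed policy: short names from a conservative character set only.
    if (!preg_match('/\A[A-Za-z0-9._@-]{1,64}\z/', $raw)) {
        return null;
    }
    return strtolower($raw); // assumed canonical form, so "JDoe" and "jdoe" map to one account
}

/**
 * Log in the externally authenticated user, creating a default account the
 * first time the name is seen. $accounts stands in for the wiki's user table.
 */
function loginExternal(array $server, array &$accounts): ?array
{
    $name = externalUsername($server);
    if ($name === null) {
        return null; // the web server did not authenticate anyone: no session
    }
    if (!isset($accounts[$name])) {
        // A null password means no local password login exists for this account.
        $accounts[$name] = ['name' => $name, 'password' => null,
                            'source' => 'external', 'groups' => ['user']];
    }
    return $accounts[$name];
}

// Constructed sample requests (not captured traffic).
$accounts = [];
$fromServer = ['REMOTE_USER' => 'JDoe@example.org'];       // set by the auth module
$fromClient = ['HTTP_REMOTE_USER' => 'admin'];             // client-supplied header only
$malformed  = ['REMOTE_USER' => "jdoe\r\nX-Injected: 1"];  // fails the character check

var_dump(loginExternal($fromServer, $accounts)['name']);
var_dump(loginExternal($fromClient, $accounts));
var_dump(loginExternal($malformed, $accounts));
var_dump(array_keys($accounts));
```

The auto-created account is only as trustworthy as the path that sets ''REMOTE_USER'': if the wiki sits behind a reverse proxy, the proxy has to strip any client-sent header that the backend would otherwise map to that variable.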

----

See also: [[Access control]]


[[Category:MediaWiki Development]]

Latest revision as of 00:56, 16 November 2021
