version=pmwiki-2.2.0-beta57
ordered=1
agent=Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.1.4) Gecko/20061023 SUSE/2.0.0.4-1.1 Firefox/2.0.0.4
author=Pm
charset=ISO-8859-1
csum=update for 2.2.0b58
host=76.183.97.54
name=PmWiki.AuthUser
rev=82
targets=PmWiki.Passwords,PmWiki.AdminTask,SiteAdmin.AuthUser,PmWiki.PasswordsAdmin,PmWiki.DocumentationIndex,PmWiki.AuthUser,Profiles.Lordmundi
time=1184707927
text=
(:Summary:Authorization system that uses usernames and passwords:)
%audience% administrators (intermediate)

AuthUser is PmWiki's identity-based authorization system that allows access to pages to be controlled through the use of usernames and passwords. AuthUser can be used in addition to the [[Passwords | password-based]] scheme that is PmWiki's default configuration.

AuthUser is a very flexible system for managing access control on pages, but flexibility can also bring complexity and increased maintenance overhead for the wiki administrator. This is why PmWiki defaults to the simpler password-based system. For some thoughts about the relative merits of the two approaches, see [[PmWiki:ThoughtsOnAccessControl]].

See also: [[Cookbook:Quick Start for AuthUser]]

!! Activating AuthUser

To activate PmWiki's identity-based system, add the following line
to ''local/config.php'':

 include_once("$FarmD/scripts/authuser.php");

Ensure that you have [[PmWiki/AdminTask#setSWPWE | set a site wide admin password]], otherwise you will not be able to edit [[SiteAdmin.AuthUser]].

->%note% Note: Older versions of PmWiki (before 2.2.0-beta58) use ''Site.AuthUser''.

!! Creating user accounts

Most of AuthUser's configuration is performed via the [[SiteAdmin.AuthUser]] page. To change the AuthUser configuration, simply edit this page like any other wiki page (you'll typically need to use the site's admin password for this).

To create a login account, simply add lines to SiteAdmin.AuthUser that look like:

 username: [=(:=]encrypt ''password'':)

For example, to create a login account for "alice" with a password of "wonderland", enter:

 alice: [=(:=]encrypt wonderland:)

When the page is saved, the "@@[=(:=]encrypt wonderland:)@@" part of the text is replaced by a one-way hash of the password "wonderland", produced by PHP's crypt() function (the same format as the $AuthUser entries shown for ''local/config.php'' below). The hash cannot be turned back into the password; at login, AuthUser hashes the submitted password with the salt taken from the stored hash and compares the result. This is done so that someone who can read the SiteAdmin.AuthUser page cannot easily recover the passwords stored in it. It is also why the page itself must stay protected by the admin password: anyone who can edit it can add accounts or replace a hash.

To change or reset an account's password, simply replace the hashed string with another @@[=(:=]encrypt:)@@ directive.

!! Controlling access to pages by login

Pages and groups can be protected based on login account by using "passwords" of the form [@id:username@] in the password fields of [@?action=attr@] (see [[PmWiki.Passwords]]). For example, to restrict a page to being edited by Alice, one would set the password to "[@id:alice@]".

It's possible to use multiple "id:" declarations and passwords in the [@?action=attr@] form; thus the following setting would allow access to Alice, Carol, and anyone who knows the password "quick":

 quick id:alice,carol

To allow access to anyone who has successfully logged in, use "[@id:*@]".

One can also perform site-wide restrictions based on identity in the $DefaultPasswords array, e.g.:

 # require valid login before viewing pages
 $DefaultPasswords['read'] = 'id:*';
 # Alice and Carol may edit
 $DefaultPasswords['edit'] = 'id:alice,carol';
 # or: all members of @admins, plus Fred, may edit
 $DefaultPasswords['edit'] = array('@admins', 'id:Fred');

You can change the $DefaultPasswords array in local customization files such as:
* local/config.php (for entire wiki)
* farmconfig.php (for entire wikifarm)

!! [[#auth_groups]] Organizing accounts into groups

AuthUser also makes it possible to group login accounts together into authorization groups, indicated by a leading "@" sign. As with login accounts, group memberships are maintained by editing the SiteAdmin.AuthUser page. Group memberships can be specified either by listing the groups for a login account (person belongs to groups) or the login accounts for a group (group includes people). You can repeat or mix-and-match the two kinds as desired:

 @writers: alice, bob
 carol: @writers, @editors
 @admins: alice, dave

Then, to restrict page access to a particular group, simply use "[@@group@]" as the "password" in [@?action=attr@] or the $DefaultPasswords array, similar to the way that "[@id:username@]" is used to restrict access to specific login accounts.

!!! Excluding individuals from password groups

Group password memberships are maintained by editing the SiteAdmin.AuthUser page. To specify a password group that allows access to anyone who is authenticated, you can specify:

 @wholeoffice: *

If you need to keep "Fred" out of this password group, you might try:

 @wholeoffice: *, -Fred

... but this does %red%'''not'''%% work: a "-Fred" entry in a group definition is simply ignored, so Fred is still admitted by the "*". You can, however, get the desired result by using the first setting (@wholeoffice: *) on the SiteAdmin.AuthUser page and then setting the password for the page or group you wish to protect in [@?action=attr@] or the $DefaultPasswords array to "[@id:*, -Fred@]". Exclusions are honoured in page passwords, not in group definitions.

!! Getting account names and passwords from external sources

The AuthUser script has the capability of obtaining username/password pairs from places other than the SiteAdmin.AuthUser page, such as passwd-formatted files (usually called '.htpasswd' on Apache servers), [[#LDAP|LDAP]] servers, or even the ''local/config.php'' file.

!!! Passwd-formatted files (.htpasswd/.htgroup)

Passwd-formatted files, commonly called ''.htpasswd'' files in Apache, are text files where each line contains a username and a hashed password separated by a colon. A typical ''.htpasswd'' file might look like:

 alice:vK99sgDV1an6I
 carol:Q1kSeNcTfwqjs

To get AuthUser to obtain usernames and passwords from a ''.htpasswd'' file, add the following line to SiteAdmin.AuthUser, replacing "/path/to/.htpasswd" with the filesystem path of the ''.htpasswd'' file:

 htpasswd: /path/to/.htpasswd

The file should live outside the web server's document root (or be otherwise unreadable over HTTP), so that the hashes cannot be downloaded and attacked offline. Creation and maintenance of the ''.htpasswd'' file can be performed using a text editor, or any number of other third-party tools available for maintaining ''.htpasswd'' files. The Apache web server typically includes an ''htpasswd'' command for creating accounts in .htpasswd:

 $ htpasswd /path/to/.htpasswd alice
 New password:
 Re-type new password:
 Adding password for user alice
 $

Similarly, one can use ''.htgroup'' formatted files to specify group memberships. Each line has the name of a group (without the "@"), followed by a colon, followed by a space separated list of usernames in the group.

 writers: carol
 editors: alice carol bob
 admins: alice dave

Note that the groups are still "@writers", "@editors", and "@admins" in PmWiki even though the file doesn't specify the @ signs. To get AuthUser to load these groups, use a line in SiteAdmin.AuthUser like:

 htgroup: /path/to/.htgroup

!!! Configuration via ''local/config.php''

AuthUser configuration settings can also be made from the ''local/config.php'' file in addition to the SiteAdmin.AuthUser page. Such settings are placed in the $AuthUser array, and ''must be set prior to including the ''authuser.php'' script''. Some examples:

 # set a password for alice
 $AuthUser['alice'] = crypt('wonderland');
 # set a password for carol
 $AuthUser['carol'] = '$1$CknC8zAs$dC8z2vu3UvnIXMfOcGDON0';
 # define the @editors group
 $AuthUser['@editors'] = array('alice', 'carol', 'bob');
 # Use local/.htpasswd for usernames/passwords
 $AuthUser['htpasswd'] = 'local/.htpasswd';
 # Use local/.htgroup for group memberships
 $AuthUser['htgroup'] = 'local/.htgroup';

Note that the first form leaves the plaintext password "wonderland" in ''local/config.php''; pasting a precomputed hash, as in the line for carol, is preferable. Whichever form you use, keep ''local/config.php'' readable only by the account the web server runs as.

[[#LDAP]]
!!! Configuration via LDAP

Authentication can be performed via an external LDAP server -- simply set an entry for "ldap" in either SiteAdmin.AuthUser or the ''local/config.php'' file.

 # use ldap.airius.com for authentication
 $AuthUser['ldap'] = 'ldap://ldap.airius.com/ou=People,o=Airius?cn?sub';

LDAP authentication in AuthUser closely follows the model used by Apache 2.0's [[http://httpd.apache.org/docs/2.0/mod/mod_auth_ldap.html|mod_auth_ldap]] module; see especially the documentation for [[http://httpd.apache.org/docs/2.0/mod/mod_auth_ldap.html#authldapurl|AuthLDAPUrl]] for a description of the url format.

For servers that don't allow anonymous binds, AuthUser provides $AuthLDAPBindDN and $AuthLDAPBindPassword variables to specify the binding to be used for searching. These values end up in ''local/config.php'', so the same file-permission caution applies. Where your PHP build and the directory server support it, use an ldaps:// URL (or another TLS-protected connection): a simple bind over plain ldap:// sends both the bind password and every user's login password across the network in clear.

!! Setting the Author Name
By default, PmWiki will use a login name in the Author field of the edit form, but allows the author to change this value prior to saving. To force the login name to always be used as the author name, use the following sequence to activate AuthUser:

 include_once("$FarmD/scripts/authuser.php");
 $Author = $AuthId;

To allow more flexibility, but still enable changes to be linked to the authorized user, one can give the author name a prefix of the $AuthId instead:
[@
 include_once("$FarmD/scripts/author.php");
 include_once("$FarmD/scripts/authuser.php");
 if ($Author) {
   if (strstr($Author, '-') !== false) {
     # already prefixed: drop everything up to the first '-' and prefix with the current login name
     $Author = "$AuthId-" . preg_replace('/^[^-]*-/', '', $Author);
   } else if ($Author != $AuthId) {
     $Author = $AuthId . '-' . $Author;
   } else {
     $Author = $AuthId;
   }
 } else {
   $Author = $AuthId;
 }
 $AuthorLink = "[[~$Author]]";
@]
The above will allow the user to put in the author name of their choice, but that name will always be replaced by the same name prefixed with "$AuthId-".
The reason why $AuthorLink needs to be set is that, if it isn't, the RecentChanges page will have the wrong link in it.

!! Authorization, Sessions, and WikiFarms [[#sessions]]

PmWiki uses PHP sessions to keep track of any user authorization information. By default PHP is configured so that all interactions with the same server (as identified by the server's domain name) are treated as part of the same session.

What this means for PmWiki is that if there are multiple wikis running within the same domain name, PHP will treat a login to one wiki as being valid for all wikis in the same domain. The easiest fix is to give each wiki its own session cookie name. Near the top of a wiki's ''local/config.php'' file, before calling authuser or other recipes (session_name() has no effect once the session has already been started), add a line like:

-->[@session_name('XYZSESSID');@]

The XYZSESSID can be any unique name (letters only is safest).

!! See Also

* [[PmWiki.Passwords]]
* [[PmWiki.PasswordsAdmin]]
* [[Cookbook:AuthUser]] for tips and tricks
* [[SiteAdmin.AuthUser]]

%trail%<<|[[Documentation Index]]|>>

>>faq<< [[#faq]]

Q: I get http error 500 "Internal Server Error" when I try to log in. What's wrong?

A: This can happen if the hashed passwords were not created on the web server that hosts PmWiki.
The hash formats that PHP's crypt function supports depend on the PHP version and the system it runs on: a hash created with a newer PHP (e.g. 5.2) may use a format that an older PHP (e.g. 5.1) cannot verify, whereas the newer PHP can still verify hashes created by the older one. (Hashes are never decrypted; a login is checked by hashing the submitted password again and comparing.)
This situation normally happens if you prepare everything on your local machine with the latest PHP version and then upload the passwords to a web server which is running an older version.
The same error occurs when you add such hashes to local/config.php.

Solution: Create the passwords on the system with the oldest PHP version and use them on all other systems.

Q: Can I specify authorization group memberships from within ''local/config.php''?

A: Yes -- put the group definition into the $AuthUser array:

 $AuthUser['@editors'] = array('alice', 'carol', 'bob');

Q: I'm running multiple wikis under the same domain name, and logins from one wiki are appearing on other wikis. Shouldn't they be independent?

A: This is caused by the way that PHP treats sessions. See [[PmWiki.AuthUser#sessions]] for more details.

Q: How can I access the authorization groups that the current user belongs to, in order to test that as a condition of an if statement?

Q: Is there any way to have groups inherit other groups (e.g. @fruits: @apples, @oranges, jack)?

Q: Is it possible to list more than one .htpasswd and .htgroup file to be used? E.g. if I am running a wikifarm and some users are common across various fields, it would be nice if they only needed to update their password once. Sure, I could merge all the passwd & group files, but then I wouldn't be able to support identical user or group names on each independent wikifield.

Q: Is there any way to record the time of the last login for each user when using AuthUser? I need a way to look for stale accounts.

A: I wrote a recipe to do something like this. It records the last action for each user (not necessarily just login actions). See [[Cookbook:UserLastAction]] for more info. --[[~Lordmundi]] March 23, 2007

Q: I want to allow anyone to edit my wiki, but don't want anyone else to use my name as the author. Is there a way to "reserve" and password protect certain usernames? Or basically just require a password when attempting to edit a page with a registered user's name in the author field?
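The rules from the sections "Controlling access to pages by login", "Organizing accounts into groups" and "Excluding individuals from password groups" above, plus the ''.htgroup'' file format, as one added worked example. This is Python written for this page, not PmWiki's own code: it models the rules exactly as the page states them (groups declared in either direction, "*" admitting any logged-in user, "-Fred" ignored inside a group definition but honoured inside a page password). The AUTHUSER_PAGE and HTGROUP_FILE inputs are constructed, the token-splitting rules are an assumption that follows the page's examples rather than PmWiki's PHP parser, and plain-text passwords are compared directly for simplicity, whereas PmWiki compares crypt() hashes.

```python
"""Model of the PmWiki AuthUser authorization rules documented on this page (added example)."""

# Constructed input modelled on the SiteAdmin.AuthUser examples on the page.
AUTHUSER_PAGE = """
alice: $1$CknC8zAs$dC8z2vu3UvnIXMfOcGDON0
@writers: alice, bob
carol: @writers, @editors
@admins: alice, dave
@wholeoffice: *, -Fred
htgroup: /path/to/.htgroup
"""

# Constructed .htgroup contents: group name without "@", then space-separated users.
HTGROUP_FILE = """
writers: carol
editors: alice carol bob
admins: alice dave
"""


def parse_authuser_page(text):
    """Return {'@group': set(members)} from SiteAdmin.AuthUser-style lines.

    '@group: a, b' adds a and b to the group; 'user: @g1, @g2' adds user to both
    groups; password hashes and external-source keys (htpasswd/htgroup/ldap) are skipped.
    """
    groups = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or ':' not in line:
            continue
        name, rest = (part.strip() for part in line.split(':', 1))
        if name in ('htpasswd', 'htgroup', 'ldap'):
            continue
        items = [item.strip() for item in rest.split(',') if item.strip()]
        if name.startswith('@'):
            groups.setdefault(name, set()).update(items)
        else:
            for item in items:
                if item.startswith('@'):
                    groups.setdefault(item, set()).add(name)
    return groups


def parse_htgroup(text):
    """Return {'@group': set(members)} from .htgroup lines such as 'writers: carol'."""
    groups = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or ':' not in line:
            continue
        name, rest = line.split(':', 1)
        groups.setdefault('@' + name.strip(), set()).update(rest.split())
    return groups


def merge_groups(*sources):
    """Union the memberships from several sources (the page plus a .htgroup file)."""
    merged = {}
    for source in sources:
        for group, members in source.items():
            merged.setdefault(group, set()).update(members)
    return merged


def is_member(authid, group, groups):
    """'*' admits any authenticated user.  A '-name' entry inside a group
    definition is just an unknown member name and has no effect, which is why
    '@wholeoffice: *, -Fred' does NOT keep Fred out."""
    members = groups.get(group, set())
    return authid is not None and (authid in members or '*' in members)


def parse_password_spec(spec):
    """Split a page password field into (kind, value) tokens.

    Tokens are whitespace separated; 'id:a,b' expands to one ('id', name) per
    name; '-name' is an exclusion; '@group' names a group; anything else is a
    plain password.  'id:*, -Fred' therefore yields ('id', '*') and ('id', '-Fred').
    """
    tokens = []
    for tok in spec.split():
        if tok.startswith('id:'):
            tokens += [('id', name) for name in tok[3:].split(',') if name]
        elif tok.startswith('-'):
            tokens.append(('id', tok))
        elif tok.startswith('@'):
            tokens.append(('group', tok))
        else:
            tokens.append(('password', tok))  # PmWiki would hold a crypt() hash here
    return tokens


def authorized(spec, groups, authid=None, supplied_password=None):
    """Evaluate a page password for a user (authid None = not logged in).

    An exclusion matching the user denies regardless of the other entries;
    otherwise any matching id, group membership or plain password grants access.
    """
    tokens = parse_password_spec(spec)
    if authid is not None and ('id', '-' + authid) in tokens:
        return False
    for kind, value in tokens:
        if kind == 'id' and authid is not None and value in ('*', authid):
            return True
        if kind == 'group' and is_member(authid, value, groups):
            return True
        if kind == 'password' and supplied_password is not None and value == supplied_password:
            return True
    return False


if __name__ == '__main__':
    groups = merge_groups(parse_authuser_page(AUTHUSER_PAGE), parse_htgroup(HTGROUP_FILE))
    for spec, user in (('@wholeoffice', 'Fred'), ('id:*, -Fred', 'Fred'), ('@writers', 'carol')):
        print(f'{spec!r} for {user}: {authorized(spec, groups, authid=user)}')
```

The merged group table shows why the page says the two declaration styles can be mixed freely: carol ends up in @writers both from her own "carol: @writers, @editors" line and from the ''.htgroup'' file, and the result is the same set. The last two calls in the demo are the pitfall the page describes: "@wholeoffice" still admits Fred, while "id:*, -Fred" on the page itself does not.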