HTTPD Auth?

[jimh]

(Heh, they just started playing 99 Luftballons on Radio Paradise. I don't see that on Thorsten's 80s wish list!)

I may be in minority in employing phpMyFAQ on restricted intranet. That is my case, and we use Pubcookie (pubcookie.org) for user authentication against university ID/password, so I always have $SERVER[REMOTE_USER] available.

I see functions.php uses REMOTE_USER to assist with LDAP lookup. My question is whether this could be extended to make password optional (HTTPD Auth) -- even to auto-create non-privileged default user accounts at first visit.

If autocreated accounts, this would allow something like "My Questions" option (maybe that exists and I missed it) but user table would need to be extended to include uid/REMOTE_USER in addition to LDAP cn, I think.

It would be too much to ask a *third* feature question today, so I will just say:

Drupal integration?

I am pleased to be able to get back to setting up this very nice program.

Thanks!

Jim

[matteo]

Hi Jim,
AFAIK no one of the PMF users use a Pubcookie infrastructure: we'll talk internally how and when addressing such a(n interesting) request to balance new features requests, the current tasks plan and, last but not least, the spare time of the Dev Team Members .

Ciao,
Matteo

[jimh]

Hi Jim,
AFAIK no one of the PMF users use a Pubcookie infrastructure: we'll talk internally how and when addressing such a(n interesting) request to balance new features requests, the current tasks plan and, last but not least, the spare time of the Dev Team Members .

Ciao,
Matteo

Thanks.

I think I may be in minority (i.e. intranet/restricted access). Pubcookie is nice, but there are other Apache/Web server auth modules that wiill generate REMOTE_USER. I have seen other systems implement this simply as "WebAuth" or "SSO" where you simply intstruct the system to "trust REMOTE_USER completely". In one open-source application, MRBS, I use "Omni httpd auth" because that was what was already there; it's all the same.

In Drupal I am using a "WebLogin" module simply becuase I found it before I found a specific PubCookie extension. Either one works.

So I think this could be very generic with no special consideration of PubCookie. I have done this in a few small applications and I just use a stub of $userid="jimh"; to test if I am not authenticated and don't have REMOTE_USER but want to test.

Cheers,

Jim

[matteo]

Hi,

Pubcookie is nice, but there are other Apache/Web server auth modules that wiill generate REMOTE_USER. I have seen other systems implement this simply as "WebAuth" or "SSO" where you simply intstruct the system to "trust REMOTE_USER completely". In one open-source application, MRBS, I use "Omni httpd auth" because that was what was already there; it's all the same.

there're also several others SSO infrastructures that use specs like e.g. SAML, being more abstract and with a strong trust model. Generally speaking, trusting REMOTE_USER is not good but I recognize that often everything is trusted inside a LAN context.
Whilst 2.0.0 has a pluggable auth system, 1.6.x needs custom code on project basis. I'll look, time permitted, at how a simple hack could move the current LDAP code to something useful for your needs.

Ciao,
Matteo

[jimh]

Hi,
there're also several others SSO infrastructures that use specs like e.g. SAML, being more abstract and with a strong trust model. Generally speaking, trusting REMOTE_USER is not good but I recognize that often everything is trusted inside a LAN context.
Whilst 2.0.0 has a pluggable auth system, 1.6.x needs custom code on project basis. I'll look, time permitted, at how a simple hack could move the current LDAP code to something useful for your needs.

Ciao,
Matteo

Matteo,

I spent some time looking at 2.x roadmap and I installed 2.0 alpha in parallel. From my standpoint, if you were able to work something like this into auth model for 2.0, I don't see why you would want to spend time working on 1.6. But that's just me. I will try to look at 2.0 auth subsystem as it develops. Thanks! Jim

[jimh]

I just returned from holiday and found the 2.x releases. Woohoo! The 1.6.8->2.0.1 update worked great.

So I guess now would be a good time to resurrect this feature question.

Since my application is a PubCookie-protected intranet that requires a valid user ID (from an Apache authgroupfile), I would like to automatically register users in phpMyFAQ upon first visit and add their LDAP ID/name/EMail with very limited initial privileges. I see some of the basic LDAP functions and the REMOTE_USER short name lookup function, but what would be the sanest way to add "auto user create"?

EDIT: I guess I should also restate that it would be desired to have this REMOTE_USER automatically log in without password. Now that we can assign owners to different categories, I expect we will have many more users who will need to log in to administer their categories' FAQs.

THANKS!

Jim

[Thorsten]

Hi,

we plan to add this - maybe in 2.1.0! The big problem will be that we need some testers for that. Would you like to support us here?

bye
Thorsten

[jimh]

Thorsten,

I would be pleased to do some testing of HTTPD auth functions. I have created 30-40 FAQs, but I have not put phpMyFAQ into general use yet, so I could afford to test on my existing installation.

Thanks!

Jim

[jimh]

I have been sidetracked for a while, but I would still be interested in testing or working on this. It is starting to get dark and cold here -- so a better time to work on such things!

Jim

[Thorsten]

Hi Jim,

if you want to, you can start using phpMyFAQ 2.5.0-dev. Thanmk you very much!

bye
Thorsten

[Thorsten]

Hi,

HTTP Auth is now implemented in phpMyFAQ 2.5.0.

bye
Thorsten

[salnet]

Hello Thorsten,

it's a nice feature, thank you!
How can I use ist? I haven't found anything in Admin-Menu.

Kind regards,
Timo

[Thorsten]

Hi,

just add a .htaccess file in the phpMyFAQ root folder with the auth credentials. phpMyFAQ will automatically detect the authentication done by Apache.

bye
Thorsten

[salnet]

Thanks for the explanation.

I renamed _.htaccess to .htaccess and inserted

Code: Select all

AuthUserFile /var/data/db/users/.htpasswd
AuthType Basic
require valid-user

The .htpasswd is ok, but the it seems not to work. After login with HTTP-Auth I'm still not logged in in pmf, the login-form in pmf is shown. When I insert any data from .htpasswd I can't login.

[Thorsten]

Hi,

okay... the HTTP Auth was a 30 minute hack...

I'll check this.

bye
Thorsten