Le seguenti 369 parole non sono state trovate nel dizionario di 1275 termini (includendo 1275 LocalSpellingWords) e sono evidenziate qui sotto:
accounts   action   activate   Active   address   aka   aliasname   allow   already   always   anon   another   Apache   application   applications   apply   apps   attributes   auth   Auth   authenticate   authenticated   authenticating   Authentication   authentication   auto   autocreate   automated   automatically   based   Basic   basic   be   before   being   bit   But   but   by   Call   called   can   cannot   case   certificate   certificates   chain   check   checking   client   coding   combinations   combine   Combining   combining   command   commandline   commented   complicated   config   configuration   configure   contact   contain   continue   contrib   cookie   Cookie   corporate   course   created   creation   currently   database   debug   default   deletes   denied   determined   dev   Digest   dir   directly   directories   display   distribution   does   domain   Domain   don   easy   egw   either   else   enabled   encoding   enter   entering   environment   even   everything   exactly   example   examples   Except   existing   expires   external   External   externalcookie   externally   extract   fairly   Fast   few   field   file   files   filesystem   flag   following   For   for   form   fragment   freely   from   get   gets   gives   Groupware   handles   happened   header   himself   homewiki   how   How   if   If   import   included   indeed   information   insecure   Installing   instructions   integrates   integration   intercepts   interface   Interwiki   interwiki   into   introduced   iocharset   iso8859   its   just   keep   know   last   ldap   let   library   like   lines   list   localhost   log   logging   login   logout   make   Making   manages   map   match   matching   mc   member   method   methods   might   mnt   mode   modpy   modular   module   modules   more   mount   mounted   mounting   mountpoint   Multi   multiple   name   Name   necessary   need   needed   needs   Negotiate   new   none   normalize   nothing   now   null   object   off   offered   On   on   one   only   or   order   out   output   own   owner   page   parameters   passed   password   path   php   plugins   possible   Preferences   prefix   Presently   probably   processed   profile   profiles   prove   provided   Proxy   pseudo   purposes   put   python   quotes   reads   reality   really   recreate   redirect   remember   request   resolve   result   return   returned   run   running   secret   See   see   sense   servers   sess   session   Sessions   set   sets   Setting   setup   share   shared   Shipped   short   should   Sign   since   Single   smb   so   So   some   something   special   specific   split   sslclientcert   state   stay   stored   strictly   stuff   summary   support   supported   supports   system   systems   that   then   there   Therefore   therefore   These   they   this   This   thus   title   tmp   to   To   token   Token   traditionally   transfer   True   trusted   Twisted   umounting   unknown   unreliable   until   up   update   usage   use   used   useful   user   User   Username   username   users   uses   Using   using   usually   valid   value   values   verbose   very   via   want   we   Well   were   what   when   where   which   wikiconfig   wikisync   wikiurl   will   win32   Win32with   windows   with   without   works   would   wwwrun   xmlrpc   xmlrpc2   xmlrpclib   yes  

Nascondi questo messaggio

Italiano English
Locked History Actions

HelpOnAuthentication

Le sedi di Ninux sono:

a Roma presso il FusoLab

  • Fusolab

a Pisa all'EigenLab

  • Eingelab

a Cosenza presso la sede dell'Hacklab Cosenza

  • HLCS

a Catanzaro presso la sede dell'Hacklab Catanzaro

  • HLCZ

a Firenze presso l'exfila

  • exfila

a Bologna presso il makerspace di RaspiBO

  • NinuxBO

Ninux.org partecipa al World IPv6 day

  • WorldIpv6Day

How Authentication works with MoinMoin

MoinMoin has traditionally used cookie-based authentication: you log in via the form on page UserPreferences, then MoinMoin sets a cookie for authenticating you - until you log off which deletes the cookie (or until the cookie expires).

For running MoinMoin in a corporate environment this cookie-based system would prove unreliable and insecure. Therefore, MoinMoin can also use HTTP basic auth based authentication, when being run with web servers (e.g. Apache) that support it.

MoinMoin now has freely configurable modular authentication. Using the auth configuration value will set up a list of authentication methods that are processed in exactly that order.

When an external user database is used, you may not want to recreate all of the user accounts in MoinMoin. In this case the configuration option user_autocreate can be used. Setting it to True will allow a new user profile to be created automatically when a new user has passed authentication (and the auth method supports auto creation).

Presently the following authentication methods are supported:

  • Server setup

    Authentication

    Auth method in moin

    All

    by moin via own cookie

    MoinMoin.auth.moin_login and MoinMoin.auth.moin_session

    by moin via external cookie

    see contrib/auth_externalcookie/ or HelpOnAuthentication/ExternalCookie

    Apache with CGI, modpy or FastCgi

    by Apache modules: HTTP Basic, HTTP Digest, Active Directory (via SSPI), or LDAP

    MoinMoin.auth.http.http

    by moin via LDAP

    MoinMoin.auth.ldap_login.ldap_login (must combine with moin_session to keep the session)

    Apache+SSL with CGI, modpy or FastCgi

    by Apache via SSL client certificate

    MoinMoin.auth.sslclientcert.sslclientcert

    Twisted

    HTTP Basic (but does not request authentication by header, so this is currently only useful for automated stuff, not for browser use)

    MoinMoin.auth.http.http

    IIS

    HTTP Basic, SSPI (aka NTLM), (?)

    MoinMoin.auth.http.http, (?)

Other "auth" methods

These are not strictly auth methods, as they don't authenticate users, but use auth information for other purposes:

  • MoinMoin.auth.log.log

    will just log login/logout/name, nothing else

Shipped plugins

moin_login and moin_session auth (default)

   1     from MoinMoin.auth import moin_login, moin_session
   2     auth = [moin_login, moin_session]

This is the default auth list moin uses (so if you just want that, you don't need to configure it).

moin_session should always be included since it manages the session cookie which is useful even if you don't authenticate using it since it manages session state. See HelpOnSessions for more information.

moin_anon_session

See HelpOnSessions.

http auth

To activate http authentication you have to add following lines to wikiconfig.py: 

   1     from MoinMoin.auth.http import http
   2     from MoinMoin.auth import moin_session
   3     auth = [http, moin_session]

For HTTP basic auth used with a web server like Apache, the web server handles authentication before moin gets called. You either enter a valid username and password or your access will be denied by the web server.

So moin's http auth method will just check if user authentication happened:

  • if yes, it will return a user object based on the authenticated user name.
  • if no, it will not return a user object. In this example, there are no other auth methods, so the user will stay unknown.

Well, in reality, it is a bit more complicated indeed:

  • For Twisted we use the username and password stored in the moin user profile. Except wiki xmlrpc usage this is currently not used.
  • For NTLM and Negotiate, we split off everything before the last "\" (usually it is "Domain\username") and we also use title() to normalize "username" to "Username".

  • (!) You usually do want to set user_autocreate = True for this auth method. moin will then auto create a user profile if the authenticated user does not already have one. So the user does not need to create the moin profile himself.

  • See also HelpOnInstalling/ApacheOnWin32withDomainAuthentication for some win32-specific instructions.

sslclientcert auth

To activate authentication via SSL client certificates you have to add following lines to wikiconfig.py: 

   1     from MoinMoin.auth.sslclientcert import sslclientcert
   2     from MoinMoin.auth import moin_session
   3     auth = [sslclientcert, moin_session]

For SSL client certificate auth used with a web server like Apache, the web server handles authentication before moin gets called. You either have a valid SSL client certificate or your access will be denied by the web server.

So moin's sslclientcert auth method will just check if user authentication happened:

  • if yes, it will return a user object based on the email address or user name in the certificate.
  • if no, it will not return a user object. In this example, there are no other auth methods, so the user will stay unknown.

    (!) You usually do want to set user_autocreate = True for this auth method. moin will then auto create a user profile if the authenticated user does not already have one. So the user does not need to create the moin profile himself.

php_session

To activate Single-Sign-On integration with PHP applications, use this module. It reads PHP session files and therefore directly integrates with existing PHP authentication systems.

To use this module, use the following lines of code in your configuration: 

   1     from MoinMoin.auth.php_session import php_session
   2     from MoinMoin.auth import moin_session
   3     auth = [php_session(), moin_session]

php_session has the following parameters: 

   1 php_session(apps=['egw'], s_path="/tmp", s_prefix="sess_")

  • apps is a list of enabled applications

  • s_path is the path of the PHP session files

  • s_prefix is the prefix of the PHP session files

The only supported PHP application is eGroupware 1.2 currently. But it should be fairly easy to add a few lines of code that extract the necessary information from the PHP session.

Interwiki auth

Your moin 1.6 wiki can contact another moin 1.6 wiki to authenticate users (and transfer user profiles): 

   1     from MoinMoin.auth.interwiki import interwiki
   2     from MoinMoin.auth import moin_session
   3     auth = [interwiki, moin_session]
   4     trusted_wikis = ['OtherWiki', ]

If you want to use this, you have to enter "OtherWiki UserName" into the login field (without the quotes), the password field gets the password for the user UserName on the wiki OtherWiki.

OtherWiki must be in your interwiki map, so moin can resolve it and it also must be a member of the trusted_wikis list in your wiki configuration.

LDAP auth

See /LDAP.

SMB pseudo-auth method

This method does not really do authentication, it just intercepts user/password from the auth chain to do its own stuff - mounting some smb share on login, umounting on logout: 

    smb_server = "smb.example.org" # smb server name
    smb_domain = 'DOMAIN' # smb domain name
    smb_share = 'FILESHARE' # smb share we mount
    smb_mountpoint = u'/mnt/wiki/%(username)s' # where we mount the smb filesystem
    smb_display_prefix = u"S:" # where //server/share is usually mounted for your windows users (display purposes only)
    smb_dir_user = "wwwrun" # owner of the mounted directories
    smb_dir_mode = "0700" # mode of the mounted directories
    smb_file_mode = "0600" # mode of the mounted files
    smb_iocharset = "iso8859-1" # "UTF-8" > cannot access needed shared library!
    smb_coding = 'iso8859-1' # coding used for encoding the commandline for the mount command
    smb_verbose = True # if True, put SMB debug info into log
    smb_log = "/dev/null" # where we redirect mount command output to

This is for very special applications. If you don't know for what to use it, you probably don't need it.

wiki auth

This method was introduced with wikisync. 

   1 import xmlrpclib
   2 
   3 name = "TestUser"
   4 password = "secret"
   5 wikiurl = "http://localhost:8080"
   6 
   7 homewiki = xmlrpclib.ServerProxy(wikiurl + "?action=xmlrpc2", allow_none=True)
   8 auth_token = homewiki.getAuthToken(name, password)
   9 
  10 mc = xmlrpclib.MultiCall(homewiki)
  11 mc.applyAuthToken(auth_token)
  12 result = mc()

Combining multiple auth methods

For combining e.g. http and cookie authentication, your wikiconfig.py might contain: 

   1     from MoinMoin.auth import moin_login, moin_session
   2     from MoinMoin.auth.http import http
   3     auth = [http, moin_login, moin_session]

In this example, moin will first check if the http auth method gives a valid user. If yes, it will use just that. If not and continue_flag returned by http auth method is True, it will continue checking other auth list method - moin_login and moin_session in this case...

  • (!) Not all combinations make sense, of course.

Making your own auth method

See the commented config file fragment contrib/auth_externalcookie/ and MoinMoin/auth/*.py in your moin distribution archive for examples of how to do authentication.

Here is just a short summary of what's currently possible:

  • use ?action=login login form as user interface for your own auth method for entering name and password

  • use ?action=logout logout action for logging out with your own auth method

  • search existing user profiles for a "matching" user (the match needs not be the name, it can also be the email address or something you put into aliasname)

  • create a user object and let it remember what attributes were determined by auth method (and thus should not be offered on UserPreferences)

  • update values in user's profile from externally provided data
  • autocreate user profiles