[Moin-user] integrated authentication (Moin, Bugzilla, Gitosis, etc)

Thomas Waldmann tw at waldmann-edv.de
Fri Feb 24 05:30:28 EST 2012


> - Moin uses a numeric `user id' value that appears in the page
> revisions, and then it stores email address, name (e.g. DanielPocock)
> and an alias

For the usual login ("MoinAuth"), moin asks for name and password. Based
on that, it looks up the corresponding user profile and puts the userid
(filename of the profile) into the session cookie.

There are quite some other auth methods, though, see MoinMoin/auth/...

> - can anyone point me to an existing howto or blog about building
> something like this?

There are likely no howtos for such complex/specific stuff. You can try
google, though.

> - although they do not appear to be the primary key, do the `name' and
> `alias' values have to be unique?

name is checked for uniqueness. Otherwise one would be in trouble with
ACLs.

You shouldn't use alias for anything except being some sort of "display
name" - e.g. in case the login name is cryptic.

E.g. name == jd001, alias == Joe Doe

> I'm guessing that is the case, but as
> it will be a publicly accessible system, it is quite possible there will
> be people with the same name - any suggestions on how to handle this in
> a nice way?

Use their middle initials or some other way to make the name unique.

> - management of the user files: I notice Moin creates a file for each
> user: is it better to let Moin manage these files (e.g.
> creating/updating them on each login attempt), or to write a script to
> create them pro-actively when a user is registered in the central system?

You for sure should let moin do that. MoinMoin's auth methods usually
have some autocreate flag that let them autocreate the user profile if
it does not already exist.

In general you rather should NOT access moin's storage files directly.
You could do that, but if something goes wrong, you own the pieces.

> - can I keep the users in a MySQL or Postgres table rather than having
> them in disk files?

No.

BTW, those files moin is using for users serve 2 purposes:
a) they are used to store the encrypted password for MoinAuth. Note that
you are not required to use MoinAuth, there are other auth methods also.
b) they are referred from the session's userid and store all sorts of
other user profile / user related data that is needed by moin.

> - I want to allow the users to have both password and OpenID access -
> and I thought that maybe I can just enable OpenID in Moin, my central
> registration system could act as OpenID provider for the
> password-authenticated users, and the users who have OpenID could
> authenticate directly: but using OpenID URL's as identifiers, do the
> users still potentially need unique WikiNames as well?

Yes, usernames in the wiki need to be unique as they might be used in
ACLs.

> Any feedback is really appreciated, and however I get this up and
> running, I am also keen to document it and share some of the scripts
> that are developed.

You have to differentiate whether you do SSO (single sign on, one login
total, everything else is automatic) or just have a common place where
you keep accounts and passwords and against which you can authenticate,
but you still log into each system separately. Of course SSO is more
comfortable, but also it is more effort to get it.

Looking at what moin can already do:

GivenAuth - use some given user name (e.g. apache REMOTE_USER). Can
optionally strip windows or email domain, remove blanks, titlecase.
There are a lot of apache modules you can use this with, but the only
thing moin will get from this is an authenticated user name.

CAS authentication - against a CAS server (don't ask me about that,
looks like it could be helpful)

ldap_login - LDAP server = common place to store credentials and some
user profile data (like email address), but no SSO with non-moin systems

openidrp - does OpenID auth (try it, can't help much with that either)

sslclientcert - uses SSL client certs for auth

MoinAuth - direct login into moin, does not help you

http basic auth done by moin - does not help you

interwiki auth - does not help you for integration with non-moin systems

mysql_group - does not help (don't ask me about that)

php_session - made to read the session cookie of eGroupware

smb_mount - special, does not help you


Other than these, you can write your own MoinMoin auth module (and do
whatever you want there) or modify an existing auth method, if you need
it slightly different. Basic Python skills needed.

If you run multiple moin wikis, they can share the cookie (the session)
and the user profiles. Make sure you do that right from the beginning or
they will have diverging userids.

The MoinMoin.user module has some lookup functions to find users not
only by name, but also by email or openid address.

If you need help, feel free to join us on #moin on chat.freenode.net IRC
channel.
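
The GivenAuth flow described in the reply above (an external system hands moin an already-authenticated name, moin normalises it, looks the profile up by unique name and autocreates it if allowed), as an added illustration that is not MoinMoin's own code and imports nothing from it. The option names `strip_windomain`, `strip_maildomain`, `titlecase` and `remove_blanks` follow the features the mail lists; the in-memory `ProfileStore`, the `given_auth_login` helper and the order in which the transformations are applied (titlecase before blank removal, so "jane doe" becomes "JaneDoe") are assumptions made here for the example, not a description of moin's real code paths.

```python
"""Illustration of a GivenAuth-style login: external name -> unique wiki
name -> existing or autocreated profile.  Constructed example, not moin's
implementation; the profile store is a dict standing in for the per-user
files moin keeps on disk.
"""
import uuid


def transform_username(name, strip_windomain=False, strip_maildomain=False,
                       titlecase=False, remove_blanks=False):
    """Normalise an externally authenticated user name into a wiki name.

    Each option mirrors one of the GivenAuth features named in the mail;
    the application order is an assumption of this example.
    """
    if strip_windomain and '\\' in name:
        name = name.split('\\', 1)[1]          # CORP\jdoe -> jdoe
    if strip_maildomain and '@' in name:
        name = name.split('@', 1)[0]           # jdoe@example.org -> jdoe
    if titlecase:
        name = name.title()                    # jane doe -> Jane Doe
    if remove_blanks:
        name = ''.join(name.split())           # Jane Doe -> JaneDoe
    return name


class ProfileStore:
    """Stand-in for moin's user profile directory (constructed for the
    example): one record per userid, names must be unique because ACLs
    refer to users by name."""

    def __init__(self):
        self.profiles = {}   # userid -> {"name": ..., "email": ..., "alias": ...}

    def lookup_by_name(self, name):
        for uid, profile in self.profiles.items():
            if profile["name"] == name:
                return uid
        return None

    def lookup_by_email(self, email):
        for uid, profile in self.profiles.items():
            if profile["email"] == email:
                return uid
        return None

    def create(self, name, email=None, alias=None):
        # Enforce the uniqueness rule the mail describes: refuse a duplicate
        # name rather than silently creating a second profile for it.
        if self.lookup_by_name(name) is not None:
            raise ValueError("wiki name %r already taken" % name)
        uid = uuid.uuid4().hex   # any unique id works for the example
        self.profiles[uid] = {"name": name, "email": email, "alias": alias}
        return uid


def given_auth_login(store, remote_user, autocreate=False, **transform_opts):
    """Resolve an already-authenticated external name to a userid.

    Returns (userid, created).  (None, False) means no profile exists and
    autocreate is off, i.e. the login does not proceed; an empty name is
    never accepted, because the external layer then authenticated nobody.
    """
    if not remote_user:
        return None, False
    name = transform_username(remote_user, **transform_opts)
    uid = store.lookup_by_name(name)
    if uid is not None:
        return uid, False
    if not autocreate:
        return None, False
    return store.create(name), True


if __name__ == "__main__":
    store = ProfileStore()
    print(given_auth_login(store, "CORP\\jane doe", autocreate=True,
                           strip_windomain=True, titlecase=True,
                           remove_blanks=True))
    print(given_auth_login(store, "Jane Doe", autocreate=False,
                           remove_blanks=True))
```

The two lookups in the second call resolve to the same profile because both external spellings normalise to `JaneDoe`; that is exactly why the reply stresses enabling the same transformation options from the beginning when several systems or wikis share profiles, otherwise the same person ends up with diverging userids.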
