[Moin-user] Problem with GivenAuth configuration, through Apache digest?

Paul Boddie paul at boddie.org.uk
Tue Nov 6 17:07:16 EST 2012


On Tuesday 06 November 2012 21:13:31 fero14041 wrote:
>
> [Wishes]
> As there could be other services provided by the server,
> such as Mercurial's repositories, an instance of Trac, etc.
> I'd like the users to log themselves to each with same shared account
> across them (one per user), ideally managed by Apache's digest
> authentication. MoinMoin's doc clearly points how this could be possible,
> with ``GivenAuth`` authentication method.
> This seems to not be sufficient::
>
>     auth = [GivenAuth(autocreate=True), MoinAuth()]
>     auth_methods_trusted = ['given']

I'm not familiar with the auth_methods_trusted setting, but I think this only 
affects the Trusted ACL group.

> [Problem and tries]
> I did not succeed in letting Apache give
> authentication to MoinMoin. I tried:
> - different installs (with packages provided by server's distribution,
> or from source);
> - carefully reading the documentation (many times, perhaps not enough ?-);
> - testing different configuration variants;
> - searching for similar report in bugs and mailing list archives
> (Google Groups) or
> - through the web (found few:
> http://blog.nyaruka.com/apache2-http-digest-auth-and-moinmoin, also
> https://gist.github.com/498124).
> So I highly suspected remaining problem simply occurs in a bad
> configuration.

You have certainly done a lot of preparation. :-)

> [Tech. context]
> This server runs on Debian Squeeze (up to date),
> web pages are served by Apache (2.2.16-6+squeeze8), mod_wsgi (3.3-2)
> and Python 2.6.6
>
> [Demonstration]
> In order to give you the most information,
> configuration template files used are provided at:
>     http://moin.poeulfs.org/hg/pb_apache_digest_auth/file/tip/
> and specially ``etc/wikiconfig.py`` for Moin instance config.,
> and ``etc/httpd.conf`` for Apache's one.
> I also put two instances of Moin from different version, and same config,
> one at version 1.9.4 provided by Debian package (in current Squeeze
> backports), and the other in a dedicated virtualenv with latest stable
> release 1.9.5.:
>     http://moin.poeulfs.org/test/moin194/
>     http://moin.poeulfs.org/test/moin195/

I tried these with the "user" account and found that after selecting "Login by 
Apache" and logging in, only the "login" page is given the credentials: 
navigating to another page shows "Login" instead of "user" as the username in 
the navigation bar.

> For each instance, there are:
> - following users and groups:
>   - one superuser (``fero14041admin``),
>   - one ``AdminGroup`` with one admin user (``admin``, password like
>     login),
>   - one ``TestGroup`` with two regular users (``user`` (pwd id.) and
>     ``fero14041``);
>   - all default rights are defined in config by::
>
>         acl_rights_default = (u"AdminGroup:read,write,delete,revert "
>                               u"TestGroup:read,write "
>                               u"All:")
>
> - a theme derived from `modernized`, putting in page's header an additional
>   link to ``login`` page and requiring Apache authentication.
>
> Finally, those instances' logs, and specially that related to login,
> are readable at:
>      http://moin.poeulfs.org/test/viewlogs/logs

I suppose I'm seeing successful authentication in the logs, but I think your 
problem is actually in your Web server configuration:

<Location /wiki/login>
    Require valid-user
</Location>

This only enforces authentication for the login resource, meaning that you 
only ever activate authentication for that resource, and the credentials 
never get passed to the Wiki for anything else, such as /wiki/FrontPage and 
so on.

HTTP authentication can be infuriating in cases like this. If you change the 
above to this...

<Location /wiki>
    Require valid-user
</Location>

...then you won't be able to let users in without authenticating with Apache. 
Thus, logging in using Apache becomes "all or nothing".

Of course, you could publish the same Wiki at multiple locations and protect 
one of them, so that you would have the above for authenticated users and 
something else for people who are anonymous or who might log in via MoinMoin 
itself, exposed at /wiki-public or whatever. That's not very elegant, I know.

Maybe there's a way of having a separate login resource that performs some 
kind of authentication, sets some kind of authentication token, and then Moin 
can be made to read that token and authenticate people. That sounds a bit 
like OpenID, but I'm thinking of something much less complicated.

> So, I would appreciate any help you could provide, to understand
> what I am doing wrong ^^;) (or if it's a bug and requires a report)...
> and of course share with my users all the power of MoinMoin!
> And thank you for reading this long message.
>
> Cheers,
>
> -- fero14041
>
>
> PS: Please excuse strange wordings and/or phrasings, as English is not
> my mother language.

It would take me a long time to write a response in French, but your message 
is very clear and comprehensible. I hope at least some of what I've written 
makes as much sense and is somewhat helpful. :-)

Paul
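
The "separate login resource that sets a token" idea from the reply above, written out as an added example; it is not part of the original message and not MoinMoin's own code. It is a WSGI middleware that issues an HMAC-signed, expiring cookie when Apache has authenticated /wiki/login, and restores REMOTE_USER from that cookie on the unprotected pages. The cookie name, secret, lifetime and function names are hypothetical, and the Secure flag assumes the wiki is served over HTTPS.

```python
import hashlib
import hmac
import time
from urllib.parse import quote, unquote

SECRET = b"constructed-demo-key"  # assumption: replace with a random per-site secret
LOGIN_PATH = "/wiki/login"        # the one resource Apache protects (from the thread)
COOKIE = "wiki_auth"              # hypothetical cookie name
MAX_AGE = 3600                    # token lifetime in seconds

def _mac(user, expires):
    msg = ("%s|%d" % (quote(user, safe=""), expires)).encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

def make_token(user, now=None):
    expires = int(time.time() if now is None else now) + MAX_AGE
    return "%s|%d|%s" % (quote(user, safe=""), expires, _mac(user, expires))

def check_token(token, now=None):
    """Return the user name for a valid, unexpired token, else None."""
    try:
        quoted, expires, mac = token.split("|")
        user, expires = unquote(quoted), int(expires)
    except ValueError:
        return None
    if not hmac.compare_digest(mac.encode(), _mac(user, expires).encode()):
        return None
    return user if expires >= (time.time() if now is None else now) else None

def token_auth(app):
    """WSGI middleware: issue a token at LOGIN_PATH, honour it elsewhere."""
    def middleware(environ, start_response):
        user = environ.get("REMOTE_USER")  # set by Apache only where Require applies
        path = environ.get("SCRIPT_NAME", "") + environ.get("PATH_INFO", "")
        if user and path == LOGIN_PATH:
            cookie = "%s=%s; Path=/wiki; HttpOnly; Secure" % (COOKIE, make_token(user))
            def start(status, headers, exc_info=None):
                return start_response(status, headers + [("Set-Cookie", cookie)], exc_info)
            return app(environ, start)
        if not user:
            for part in environ.get("HTTP_COOKIE", "").split(";"):
                name, _, value = part.strip().partition("=")
                if name == COOKIE:
                    user = user or check_token(value)
            if user:
                environ["REMOTE_USER"] = user  # what a GivenAuth-style app reads
        return app(environ, start_response)
    return middleware
```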