summaryrefslogtreecommitdiff
path: root/doc/plugins/passwordauth
diff options
context:
space:
mode:
authorJoey Hess <joey@gnu.kitenet.net>2009-04-04 17:27:48 -0400
committerJoey Hess <joey@gnu.kitenet.net>2009-04-04 17:27:48 -0400
commit8e92468eae9ac0ab8161a0c71ff6c6a0a8aef07a (patch)
tree9e26465e0ca98a5f3cbc6c72a0cace4bf83b93db /doc/plugins/passwordauth
parent78a69e5bd632eb86ef8135e9c1d05d2c48b43362 (diff)
parent08fda4c9d374de1d3de3172a192d4d915d3dc0c1 (diff)
Merge branch 'master'
Conflicts: doc/ikiwiki-makerepo.mdwn
Diffstat (limited to 'doc/plugins/passwordauth')
-rw-r--r--doc/plugins/passwordauth/discussion.mdwn68
1 files changed, 68 insertions, 0 deletions
diff --git a/doc/plugins/passwordauth/discussion.mdwn b/doc/plugins/passwordauth/discussion.mdwn
index f4e7ae7a1..672970c21 100644
--- a/doc/plugins/passwordauth/discussion.mdwn
+++ b/doc/plugins/passwordauth/discussion.mdwn
@@ -9,3 +9,71 @@ the *Preferences -- Subscriptions*. --[[tschwinge]]
>> Aha, then the problem is Firefox, which is automatically filling the
>> *Password* field with its previous value, but not filling the
>> *Confirm Password* one. --[[tschwinge]]
+
+## easy access to the userdb for apache auth?
+
+My use case is:
+
+* restricted ikiwiki
+* read/edit only allowed from the local network (done with apache restrictions)
+* edit only for people authenticated (done with vanilla ikiwiki passwordauth)
+
+I would like to allow people to read/edit the wiki from outside of the
+local network, if and only if they already have an ikiwiki account.
+
+[[httpauth]] doesn't fit since it doesn't allow anonymous local users
+to create their own account. I want a single, local, simple auth
+database.
+
+My (naïve?) idea would be:
+
+* keep the [[passwordauth]] system
+* provide a way for Apache to use the userdb for authentication if
+people want to connect from outside
+
+I looked at the various auth modules for apache2. It seems that none
+can use a "perl Storable data" file. So, I think some solutions could
+be:
+
+* use a sqlite database instead of a perl Storable file
+ * can be used with
+ [mod_auth_dbd](http://httpd.apache.org/docs/2.2/mod/mod_authn_dbd.html)
+ * requires a change in ikiwiki module [[passwordauth]]
+* use an external program to read the userdb and talk with
+ [mod_auth_external](http://unixpapa.com/mod_auth_external.html)
+ * requires the maintainance of this external auth proxy over ikiwiki
+ userdb format changes
+ * (I don't know perl)
+* include this wrapper in ikiwiki
+ * something like `ikiwiki --auth user:pass:userdb` check the
+ `user:pass` pair in `userdb` and returns an Accept/Reject flag to
+ Apache
+ * requires a change in ikiwiki core
+ * still requires
+ [mod_auth_external](http://unixpapa.com/mod_auth_external.html)
+* do it with Apache perl sections
+ * (I don't know perl)
+
+Any opinion/suggestion/solution to this is welcome and appreciated.
+
+--
+[[NicolasLimare]]
+
+For a similar use case, I've been intending to implement
+[[todo/httpauth_feature_parity_with_passwordauth]], but your idea may
+actually be the way to go. IMHO, the Perl sections idea is the
+easiest to setup, but on the long run, I'd prefer ikiwiki to optionnally
+use a userdb storage backend supported at least by Apache and lighttpd.
+--[[intrigeri]]
+
+Tons of CPAN modules may help, but most of them are specific to `mod_perl`,
+and AFAIK, ikiwiki is generally not run with `mod_perl`. It's not clear to me
+wether these modules depend on the webapp to be run with `mod_perl` set
+as the script handler, or only on `mod_perl` to be installed and loaded.
+
+* CPAN's `Apache::AuthenHook` allows to plug arbitrary Perl handlers as
+ Apache authentication providers.
+* CPAN's `Apache::Authen::Program` (`mod_perl`)
+* [http://www.openfusion.com.au/labs/mod_auth_tkt/](mod_auth_tkt) along with CPAN's
+ `Apache::AuthTkt`
+--[[intrigeri]]