From 008f1c19ac354b5d9fd2feaaf20913a29d04297d Mon Sep 17 00:00:00 2001 From: NicolasLimare Date: Tue, 17 Feb 2009 16:04:31 -0500 Subject: easy access to the userdb for apache auth? --- doc/plugins/passwordauth/discussion.mdwn | 50 ++++++++++++++++++++++++++++++++ 1 file changed, 50 insertions(+) (limited to 'doc/plugins/passwordauth') diff --git a/doc/plugins/passwordauth/discussion.mdwn b/doc/plugins/passwordauth/discussion.mdwn index f4e7ae7a1..8ae960edd 100644 --- a/doc/plugins/passwordauth/discussion.mdwn +++ b/doc/plugins/passwordauth/discussion.mdwn 
@@ -9,3 +9,53 @@ the *Preferences -- Subscriptions*. --[[tschwinge]] >> Aha, then the problem is Firefox, which is automatically filling the >> *Password* field with its previous value, but not filling the >> *Confirm Password* one. --[[tschwinge]] + +## easy access to the userdb for apache auth? + +My use case is: + +* restricted ikiwiki +* read/edit only allowed from the local network (done with apache restrictions) +* edit only for people authenticated (done with vanilla ikiwiki passwordauth) + +I would like to allow people to read/edit the wiki from outside of the +local network, if and only if they already have an ikiwiki account. + +[[httpauth]] doesn't fit since it doesn't allow anonymous local users +to create their own account. I want a single, local, simple auth +database. + +My (naïve?) idea would be: + +* keep the [[passwordauth]] system +* provide a way for Apache to use the userdb for authentication if +people want to connect from outside + +I looked at the various auth modules for apache2. It seems that none +can use a "perl Storable data" file. So, I think some solutions could +be: + +* use a sqlite database instead of a perl Storable file + * can be used with + [mod_auth_dbd](http://httpd.apache.org/docs/2.2/mod/mod_authn_dbd.html) + * requires a change in ikiwiki module [[passwordauth]] +* use an external program to read the userdb and talk with + [mod_auth_external](http://unixpapa.com/mod_auth_external.html) + * requires the maintainance of this external auth proxy over ikiwiki + userdb format changes + * (I don't know perl) +* include this wrapper in ikiwiki + * something like `ikiwiki --auth user:pass:userdb` check the + `user:pass` pair in `userdb` and returns an Accept/Reject flag to + Apache + * requires a change in ikiwiki core + * still requires + [mod_auth_external](http://unixpapa.com/mod_auth_external.html) +* do it with Apache perl sections + * (I don't know perl) + +Any opinion/suggestion/solution to this is welcome and appreciated. 
+ +-- +[[NicolasLimare]] + -- cgit v1.2.3 From 786a9e20efbd6e8f3a321e4fde410828904e71bd Mon Sep 17 00:00:00 2001 From: intrigeri Date: Mon, 23 Feb 2009 07:02:34 -0500 Subject: link to other todo item, personal opinions --- doc/plugins/passwordauth/discussion.mdwn | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'doc/plugins/passwordauth') diff --git a/doc/plugins/passwordauth/discussion.mdwn b/doc/plugins/passwordauth/discussion.mdwn index 8ae960edd..3362ae7d2 100644 --- a/doc/plugins/passwordauth/discussion.mdwn +++ b/doc/plugins/passwordauth/discussion.mdwn @@ -59,3 +59,9 @@ Any opinion/suggestion/solution to this is welcome and appreciated. -- [[NicolasLimare]] +For a similar use case, I've been intending to implement +[[todo/httpauth_feature_parity_with_passwordauth]], but your idea may +actually be the way to go. IMHO, the Perl sections idea is the +easiest to setup, but on the long run, I'd prefer ikiwiki to optionnally +use a userdb storage backend supported at least by Apache and lighttpd. +--[[intrigeri]] -- cgit v1.2.3 From 50871cf4bd151d2d271128e70a89ebf012f80779 Mon Sep 17 00:00:00 2001 From: intrigeri Date: Wed, 11 Mar 2009 06:26:25 -0400 Subject: apache vs. passwordauth: done a bit more research --- doc/plugins/passwordauth/discussion.mdwn | 12 ++++++++++++ 1 file changed, 12 insertions(+) (limited to 'doc/plugins/passwordauth') diff --git a/doc/plugins/passwordauth/discussion.mdwn b/doc/plugins/passwordauth/discussion.mdwn index 3362ae7d2..e5ea1b922 100644 --- a/doc/plugins/passwordauth/discussion.mdwn +++ b/doc/plugins/passwordauth/discussion.mdwn 
@@ -65,3 +65,15 @@ actually be the way to go. IMHO, the Perl sections idea is the easiest to setup, but on the long run, I'd prefer ikiwiki to optionnally use a userdb storage backend supported at least by Apache and lighttpd. --[[intrigeri]] + +Tons of CPAN modules may help, but most of them are specific to =mod_perl=, +and AFAIK, ikiwiki is generally not run with =mod_perl=. It's not clear to me +wether these modules depend on the webapp to be run with =mod_perl= set +as the script handler, or only on =mod_perl= to be installed and loaded. + +* CPAN's =Apache::AuthenHook= allows to plug arbitrary Perl handlers as + Apache authentication providers. +* CPAN's =Apache::Authen::Program= (=mod_perl=) +* [http://www.openfusion.com.au/labs/mod_auth_tkt/](mod_auth_tkt) along with CPAN's + =Apache::AuthTkt= +--[[intrigeri]] -- cgit v1.2.3 From 12432198a68c9fb391c3ec6d284fb152f0fc3d17 Mon Sep 17 00:00:00 2001 From: intrigeri Date: Wed, 11 Mar 2009 06:27:41 -0400 Subject: formatting --- doc/plugins/passwordauth/discussion.mdwn | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) (limited to 'doc/plugins/passwordauth') diff --git a/doc/plugins/passwordauth/discussion.mdwn b/doc/plugins/passwordauth/discussion.mdwn index e5ea1b922..672970c21 100644 --- a/doc/plugins/passwordauth/discussion.mdwn +++ b/doc/plugins/passwordauth/discussion.mdwn 
@@ -66,14 +66,14 @@ easiest to setup, but on the long run, I'd prefer ikiwiki to optionnally use a userdb storage backend supported at least by Apache and lighttpd. --[[intrigeri]] -Tons of CPAN modules may help, but most of them are specific to =mod_perl=, -and AFAIK, ikiwiki is generally not run with =mod_perl=. It's not clear to me -wether these modules depend on the webapp to be run with =mod_perl= set -as the script handler, or only on =mod_perl= to be installed and loaded. +Tons of CPAN modules may help, but most of them are specific to `mod_perl`, +and AFAIK, ikiwiki is generally not run with `mod_perl`. It's not clear to me +wether these modules depend on the webapp to be run with `mod_perl` set +as the script handler, or only on `mod_perl` to be installed and loaded. -* CPAN's =Apache::AuthenHook= allows to plug arbitrary Perl handlers as +* CPAN's `Apache::AuthenHook` allows to plug arbitrary Perl handlers as Apache authentication providers. -* CPAN's =Apache::Authen::Program= (=mod_perl=) +* CPAN's `Apache::Authen::Program` (`mod_perl`) * [http://www.openfusion.com.au/labs/mod_auth_tkt/](mod_auth_tkt) along with CPAN's - =Apache::AuthTkt= + `Apache::AuthTkt` --[[intrigeri]] -- cgit v1.2.3
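Review bot: in the `@@ -9,3 +9,53 @@` hunk, the proposed `ikiwiki --auth user:pass:userdb` form under "include this wrapper in ikiwiki" puts the password in the command-line arguments, where other local users can read it from the process list while the check runs. Suggest wording the proposal so the wrapper takes only the userdb path as an argument and reads the `user:pass` pair on stdin. Two smaller points in the same hunk: the link labelled `mod_auth_dbd` targets `mod_authn_dbd.html`, so the label should read `mod_authn_dbd`, and "maintainance" should be "maintenance".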
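Review bot: in the `@@ -59,3 +59,9 @@` hunk, the added reply has three wording slips worth fixing before it lands: "easiest to setup" should be "easiest to set up", "on the long run" should be "in the long run", and "optionnally" should be "optionally".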
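Review bot: in the `@@ -65,3 +65,15 @@` hunk, `=mod_perl=`, `=Apache::AuthenHook=` and the other `=...=` spans are not Markdown, so in this `.mdwn` file they render with literal equals signs; use backticks instead. The closing `--[[intrigeri]]` also follows the last bullet's continuation line with no blank line in between, so Markdown folds the signature into that list item; add an empty line before it.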
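Review bot: in the `@@ -66,14 +66,14 @@` hunk, the formatting pass leaves `[http://www.openfusion.com.au/labs/mod_auth_tkt/](mod_auth_tkt)` untouched on a context line, with label and target swapped; Markdown expects `[mod_auth_tkt](http://www.openfusion.com.au/labs/mod_auth_tkt/)`, so that line should be part of this change. The rewritten paragraph also carries "wether" over from the removed line to the added one; it should be "whether".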