
    HelpOnAuthentication

How Authentication works with MoinMoin

MoinMoin historically has used some cookie-based authentication: you log in via the form on page UserPreferences, moin sets a cookie and from then on this cookie is used for authenticating you - until you log off and the cookie gets deleted (or until the cookie expires).

For running moin in corporate environments this is often not an option, as access restrictions have to be enforced reliably. Starting with 1.3, moin could also use HTTP basic auth based authentication when run with a web server (like Apache) that supports it.

Starting with 1.5 moin now has freely configurable and kind of modular authentication. You use the auth configuration value to set up a list of authentication methods that are processed in exactly that order.

When an external user database is used you do not want to recreate all users in moin. For this case the configuration option user_autocreate was added to moin 1.5. If you set it to True a new user profile will be created automatically when a new user has passed authentication (and the auth method supports auto creation).

Presently the following authentication methods are supported:

| Server setup | Authentication | Auth method in moin |
|---|---|---|
| All | by moin via own cookie | MoinMoin.auth.moin_cookie |
| All | by moin via external cookie | see contrib/auth_externalcookie/ |
| Apache with CGI, modpy or FastCgi | by Apache modules: HTTP Basic, HTTP Digest, SSPI (aka NTLM) or LDAP | MoinMoin.auth.http |
| Apache with CGI, modpy or FastCgi | by moin via LDAP | MoinMoin.auth.ldap_login (must combine with moin_cookie to keep the session) |
| Apache+SSL with CGI, modpy or FastCgi | by Apache via SSL client certificate | MoinMoin.auth.sslclientcert |
| Twisted | HTTP Basic (but does not request authentication by header, so this is currently only useful for automated stuff, not for browser use) | MoinMoin.auth.http |
| IIS | (?) | (?) |

Other "auth" methods

These are not strictly auth methods, as they don't authenticate users, but use auth information for other purposes:

  • MoinMoin.auth.log: will just log login/logout/name, nothing else
  • MoinMoin.auth.smb_mount: mount some smb share using user/password from login, umount on logout

MoinMoin.auth.interwiki is unfinished, experimental code - don't use.

Shipped plugins

moin_cookie auth (default)

    from MoinMoin.auth import moin_cookie
    auth = [moin_cookie]

This is the default auth list moin uses (so if you just want that, you don't need to configure it). It means that moin just tries to use the MOIN_ID cookie as it ever did.

To do that, moin just calls the MoinMoin.auth.moin_cookie function, which checks whether there is a valid cookie:

  • if yes, it will use it to make and return a valid user object. The user is known now.
  • if no, the function does not return a user object. As moin_cookie is the only auth method in the list, there is no other auth method to try and the user will stay unknown in that case.

http auth

To activate http authentication you have to add the following lines to wikiconfig.py:

    from MoinMoin.auth import http
    auth = [http]

For HTTP basic auth used with a web server like Apache, the web server handles authentication before moin gets called. You either enter a valid username and password or your access will be denied by the web server.

So moin's http auth method will just check if user authentication happened:

  • if yes, it will return a user object based on the authenticated user name.
  • if no, it will not return a user object. In this example, there are no other auth methods, so the user will stay unknown.

Well, in reality, it is a bit more complicated indeed:

  • For Twisted we use the username and password stored in the moin user profile. Except for wiki xmlrpc usage, this is currently not used.
  • For NTLM and Negotiate, we split off everything before the last "\" (usually it is "Domain\username") and we also use title() to normalize "username" to "Username".

    (!) You usually do want to set user_autocreate = True for this auth method. moin will then auto create a user profile if the authenticated user does not already have one. So the user does not need to create the moin profile himself.

sslclientcert auth

To activate authentication via SSL client certificates you have to add the following lines to wikiconfig.py:

    from MoinMoin.auth import sslclientcert
    auth = [sslclientcert]

For SSL client certificate auth used with a web server like Apache, the web server handles authentication before moin gets called. You either have a valid SSL client certificate or your access will be denied by the web server.

So moin's sslclientcert auth method will just check if user authentication happened:

  • if yes, it will return a user object based on the email address or user name in the certificate.
  • if no, it will not return a user object. In this example, there are no other auth methods, so the user will stay unknown.

    (!) You usually do want to set user_autocreate = True for this auth method. moin will then auto create a user profile if the authenticated user does not already have one. So the user does not need to create the moin profile himself.

php_auth

To activate Single-Sign-On integration with PHP applications, use this module. It reads PHP session files and therefore directly integrates with existing PHP authentication systems.

To use this module, use the following lines of code in your configuration:

    from MoinMoin.auth import php_auth
    auth = [php_auth()]

php_auth has the following parameters:

    php_auth(apps=['egw'], s_path="/tmp", s_prefix="sess_")

  • apps is a list of enabled applications
  • s_path is the path of the PHP session files
  • s_prefix is the prefix of the PHP session files

Currently the only supported PHP application is eGroupware 1.2. But it should be fairly easy to add a few lines of code that extract the necessary information from the PHP session.

Combining multiple auth methods

For combining e.g. http and cookie authentication, your wikiconfig.py might contain:

    from MoinMoin.auth import http, moin_cookie
    auth = [http, moin_cookie]

In this example, moin will first check whether the http auth method gives a valid user. If yes, it will use just that. If not, and the continue_flag returned by the http auth method is True, it will continue with the next method in the auth list, moin_cookie in this case. ( /!\ needs update /!\ )

  • (!) Not all combinations make sense, of course.
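
A simplified model of the processing described above, covering the NTLM/Negotiate name normalization from the http auth section and the ordered auth list with user_autocreate. It is an added example, not MoinMoin's own code: the dict-based request, the session table and all function names are assumptions, and an authenticated name without a profile is assumed to count as no valid user.

```python
# Stand-alone model of the auth list as this page describes it.
# Not MoinMoin code: the dict "request" and all names are illustrative.
SESSIONS = {"c0ffee": "AliceExample"}   # constructed cookie -> user name

def normalize_remote_user(auth_type, remote_user):
    """Turn the web server's user name into a wiki user name."""
    if auth_type in ("NTLM", "Negotiate"):
        # Split off everything before the last "\" (Domain\username) ...
        remote_user = remote_user.split("\\")[-1]
        # ... then title() normalizes "username" to "Username".
        remote_user = remote_user.title()
    return remote_user

def http_method(request):
    """The web server authenticated already; just read its result."""
    auth_type, name = request.get("AUTH_TYPE"), request.get("REMOTE_USER")
    if auth_type and name:
        return normalize_remote_user(auth_type, name), True
    return None, True                   # no user, later methods may try

def cookie_method(request):
    """Resolve the MOIN_ID cookie against the constructed session table."""
    return SESSIONS.get(request.get("MOIN_ID")), True

def authenticate(request, auth, profiles, user_autocreate=False):
    """Run the auth list in order and return the first valid user."""
    for method in auth:
        name, continue_flag = method(request)
        if name is not None and user_autocreate:
            profiles.add(name)          # create the missing profile
        if name in profiles:
            return name                 # valid user: use just that
        if not continue_flag:
            break
    return None                         # the user stays unknown

if __name__ == "__main__":
    auth = [http_method, cookie_method]
    profiles = {"AliceExample"}
    ntlm = {"AUTH_TYPE": "NTLM", "REMOTE_USER": "CORP\\jdoe"}
    print(authenticate(ntlm, auth, profiles, user_autocreate=True))  # Jdoe
    print(authenticate({"MOIN_ID": "c0ffee"}, auth, profiles))  # AliceExample
    print(authenticate({"MOIN_ID": "bogus"}, auth, profiles))   # None
```

Because the domain part is discarded, CORP\jdoe and LAB\JDOE both end up as the wiki user Jdoe, so in a multi-domain setup account names should be unique across domains before user_autocreate is enabled.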

Making your own auth method

See the commented config file fragment contrib/auth_externalcookie/ and MoinMoin/auth.py in your moin distribution archive for examples of how to do authentication.

Here is just a short summary of what's currently possible:

  • use the UserPreferences login form as the user interface of your own auth method for entering name and password
  • search existing user profiles for a "matching" user (the match need not be the name, it can also be the email address or something you put into aliasname)
  • create a user object and let it remember what attributes were determined by the auth method (and thus should not be offered on UserPreferences)
  • update values in the user's profile from externally provided data
  • autocreate user profiles