X-Git-Url: http://git.vanrenterghem.biz/git.ikiwiki.info.git/blobdiff_plain/3df883ba94d7b06697ce15bed2058768bc8de006..8d7dba2fb274b024e7a8b5d8ce4414d3e5bf7420:/doc/plugins/passwordauth/discussion.mdwn diff --git a/doc/plugins/passwordauth/discussion.mdwn b/doc/plugins/passwordauth/discussion.mdwn index 8ae960edd..50e21062e 100644 --- a/doc/plugins/passwordauth/discussion.mdwn +++ b/doc/plugins/passwordauth/discussion.mdwn @@ -59,3 +59,93 @@ Any opinion/suggestion/solution to this is welcome and appreciated. -- [[NicolasLimare]] +For a similar use case, I've been intending to implement +[[todo/httpauth_feature_parity_with_passwordauth]], but your idea may +actually be the way to go. IMHO, the Perl sections idea is the +easiest to setup, but on the long run, I'd prefer ikiwiki to optionnally +use a userdb storage backend supported at least by Apache and lighttpd. +--[[intrigeri]] + +Tons of CPAN modules may help, but most of them are specific to `mod_perl`, +and AFAIK, ikiwiki is generally not run with `mod_perl`. It's not clear to me +wether these modules depend on the webapp to be run with `mod_perl` set +as the script handler, or only on `mod_perl` to be installed and loaded. + +* CPAN's `Apache::AuthenHook` allows to plug arbitrary Perl handlers as + Apache authentication providers. +* CPAN's `Apache::Authen::Program` (`mod_perl`) +* [http://www.openfusion.com.au/labs/mod_auth_tkt/](mod_auth_tkt) along with CPAN's + `Apache::AuthTkt` +--[[intrigeri]] + +I've more or less managed to implement something based on `mod_perl` and +`Apache::AuthenHook`, respectively in Debian packages `libapache2-mod-perl2` +and `libapache-authenhook-perl`. + +In the Apache VirtualHost configuration, I have added the following: + + PerlLoadModule Apache::AuthenHook + PerlModule My::IkiWikiBasicProvider + + + AuthType Basic + AuthName "wiki" + AuthBasicProvider My::IkiWikiBasicProvider + Require valid-user + ErrorDocument 401 /test/ikiwiki.cgi?do=signin + + + Satisfy any + + +The perl module lies in `/etc/apache2/My/IkiWikiBasicProvider.pm`: + + package My::IkiWikiBasicProvider; + + use warnings; + use strict; + use Apache2::Const -compile => qw(OK DECLINED HTTP_UNAUTHORIZED); + use Storable; + use Authen::Passphrase; + + sub userinfo_retrieve () { + my $userinfo=eval{ Storable::lock_retrieve("/var/lib/ikiwiki/test/.ikiwiki/userdb") }; + return $userinfo; + } + + sub handler { + my ($r, $user, $password) = @_; + my $field = "password"; + + if (! defined $password || ! length $password) { + return Apache2::Const::DECLINED; + } + my $userinfo = userinfo_retrieve(); + if (! length $user || ! defined $userinfo || + ! exists $userinfo->{$user} || ! ref $userinfo->{$user}) { + return Apache2::Const::DECLINED; + } + my $ret=0; + if (exists $userinfo->{$user}->{"crypt".$field}) { + error $@ if $@; + my $p = Authen::Passphrase->from_crypt($userinfo->{$user}->{"crypt".$field}); + $ret=$p->match($password); + } + elsif (exists $userinfo->{$user}->{$field}) { + $ret=$password eq $userinfo->{$user}->{$field}; + } + if ($ret) { + return Apache2::Const::OK; + } + return Apache2::Const::DECLINED; + } + + 1; + +This setup also allows people with the master password to create their own +account. + +I'm not really fluent in Perl, and all this can probably be improved (*or +might destroy your computer as it is* and YMMV). + +-- [[Lunar]]