X-Git-Url: http://git.vanrenterghem.biz/git.ikiwiki.info.git/blobdiff_plain/ae474d8e14631ff519ed7d54bb64eaa0538f56d9..56f8223f9594ae687099dada0c138d669a6f931f:/doc/plugins/passwordauth/discussion.mdwn?ds=sidebyside

diff --git a/doc/plugins/passwordauth/discussion.mdwn b/doc/plugins/passwordauth/discussion.mdwn
index 3362ae7d2..50e21062e 100644
--- a/doc/plugins/passwordauth/discussion.mdwn
+++ b/doc/plugins/passwordauth/discussion.mdwn
@@ -65,3 +65,87 @@ actually be the way to go. IMHO, the Perl sections idea is the
 easiest to setup, but on the long run, I'd prefer ikiwiki to optionnally
 use a userdb storage backend supported at least by Apache and lighttpd.
 --[[intrigeri]]
+
+Tons of CPAN modules may help, but most of them are specific to `mod_perl`,
+and AFAIK, ikiwiki is generally not run with `mod_perl`. It's not clear to me
+wether these modules depend on the webapp to be run with `mod_perl` set 
+as the script handler, or only on `mod_perl` to be installed and loaded.
+
+* CPAN's `Apache::AuthenHook` allows to plug arbitrary Perl handlers as
+  Apache authentication providers.
+* CPAN's `Apache::Authen::Program` (`mod_perl`)
+* [http://www.openfusion.com.au/labs/mod_auth_tkt/](mod_auth_tkt) along with CPAN's
+  `Apache::AuthTkt`
+--[[intrigeri]]
+
+I've more or less managed to implement something based on `mod_perl` and
+`Apache::AuthenHook`, respectively in Debian packages `libapache2-mod-perl2`
+and `libapache-authenhook-perl`.
+
+In the Apache VirtualHost configuration, I have added the following:
+
+	PerlLoadModule Apache::AuthenHook
+	PerlModule My::IkiWikiBasicProvider
+
+	<Location /test/>
+		AuthType Basic
+		AuthName "wiki"
+		AuthBasicProvider My::IkiWikiBasicProvider
+		Require valid-user
+		ErrorDocument 401 /test/ikiwiki.cgi?do=signin
+	</Location>
+	<LocationMatch "^/test/(ikiwiki\.cgi$|.*\.css$|wikiicons/)">
+		Satisfy any
+	</LocationMatch>
+
+The perl module lies in `/etc/apache2/My/IkiWikiBasicProvider.pm`:
+
+	package My::IkiWikiBasicProvider;
+
+	use warnings;
+	use strict;
+	use Apache2::Const -compile => qw(OK DECLINED HTTP_UNAUTHORIZED);
+	use Storable;
+	use Authen::Passphrase;
+
+	sub userinfo_retrieve () {
+		my $userinfo=eval{ Storable::lock_retrieve("/var/lib/ikiwiki/test/.ikiwiki/userdb") };
+		return $userinfo;
+	}
+
+	sub handler {
+		my ($r, $user, $password) = @_;
+		my $field = "password";
+
+		if (! defined $password || ! length $password) {
+			return Apache2::Const::DECLINED;
+		}
+		my $userinfo = userinfo_retrieve();
+		if (! length $user || ! defined $userinfo ||
+		    ! exists $userinfo->{$user} || ! ref $userinfo->{$user}) {
+			return Apache2::Const::DECLINED;
+		}
+		my $ret=0;
+		if (exists $userinfo->{$user}->{"crypt".$field}) {
+			error $@ if $@;
+			my $p = Authen::Passphrase->from_crypt($userinfo->{$user}->{"crypt".$field});
+			$ret=$p->match($password);
+		}
+		elsif (exists $userinfo->{$user}->{$field}) {
+			$ret=$password eq $userinfo->{$user}->{$field};
+		}
+		if ($ret) {
+			return Apache2::Const::OK;
+		}
+		return Apache2::Const::DECLINED;
+	}
+
+	1;
+
+This setup also allows people with the master password to create their own
+account.
+
+I'm not really fluent in Perl, and all this can probably be improved (*or
+might destroy your computer as it is* and YMMV).
+
+-- [[Lunar]]