Using Mediawiki Authentication for an external system

Using Mediawiki Authentication for an external system

Chris Earle (CBL)
Hey all,

This is the reverse of one of the most popular questions on here--

I like the MW user table/authentication system -- and was wondering if it
would be possible to use it as with an external system?  I want to build an
intranet AROUND mediawiki ... or something like that.  I figure since I've
already got a large userbase created in MW, I should just use that and go
from there.

Most people on here ask if they can use an external auth system to log in to
MW -- I want the reverse :-)

Thoughts appreciated.  Direct me to a MW meta page if there's something
useful floating around


--
Chris Earle


_______________________________________________
MediaWiki-l mailing list
[hidden email]
http://mail.wikipedia.org/mailman/listinfo/mediawiki-l

Re: Using Mediawiki Authentication for an external system

Domas Mituzas
> I like the MW user table/authentication system -- and was wondering if it
> would be possible to use it as with an external system?  I want to build an

well, I don't really get the problem.
If you want, password hash function is trivial, you can access tables  
directly.
If you want, you can build your own web services (as a specialpage,  
if you want higher level, or build your own entry point).

Then just interface it all. What is the question? :)

Domas

Re: Using Mediawiki Authentication for an external system

Rob Lanphier
In reply to this post by Chris Earle (CBL)
Hi Chris,

As Domas pointed out, there's a lot of ways to skin this cat.

I've put some thought into this in the past, and some of the work I've
done here may be of help to you:
http://auth.robla.net/wiki/Table_of_Access_Control_Models_in_Targeted_Web_Applications

This may help you map the different auth systems onto each other,
assuming any of the apps that you want are on the list.

I'm assuming you want MediaWiki at the hub because you've got an
existing base of MediaWiki users, and you are looking to provide other
services (e.g. normal discussion board, blog, etc), without forcing them
to create another account, right?

One thing that really, really sucks about using MediaWiki as a hub: case
sensitive usernames that force an uppercase first letter.  Other systems
aren't necessarily going to distinguish between "CEarle" and "cearle",
so you may find yourself somehow building an extension/customization for
MediaWiki anyway just to get case-insensitivity.

Good luck!
Rob



On Wed, 2006-07-26 at 15:40 -0400, Chris Earle (CBL) wrote:

> Hey all,
>
> This is the reverse of one of the most popular questions on here--
>
> I like the MW user table/authentication system -- and was wondering if it
> would be possible to use it as with an external system?  I want to build an
> intranet AROUND mediawiki ... or something like that.  I figure since I've
> already got a large userbase created in MW, I should just use that and go
> from there.
>
> Most people on here ask if they can use an external auth system to log in to
> MW -- I want the reverse :-)
>
> Thoughts appreciated.  Direct me to a MW meta page if there's something
> useful floating around
>
>
> --
> Chris Earle
>
>


Re: Using Mediawiki Authentication for an external system

Rick DeNatale
On 7/26/06, Rob Lanphier <[hidden email]> wrote:

> Hi Chris,
>
> As Domas pointed out, there's a lot of ways to skin this cat.
>
> I've put some thought into this in the past, and some of the work I've
> done here may be of help to you:
> http://auth.robla.net/wiki/Table_of_Access_Control_Models_in_Targeted_Web_Applications
>
> This may help you map the different auth systems onto each other,
> assuming any of the apps that you want are on the list.
>
> I'm assuming you want MediaWiki at the hub because you've got an
> existing base of MediaWiki users, and you are looking to provide other
> services (e.g. normal discussion board, blog, etc), without forcing them
> to create another account, right?

While that list is helpful, it really only talks about the different
authorization models.  The other problem is authentication.

If you wanted to really use the MW authentication system as the basis
for an intranet, I suppose that you're going to have to figure out how
to authenticate users not just for web applications but also for
accounts in general.  This probably means authenticating them for
Linux shell accounts and/or Windows accounts.

I suppose you might be able to do Linux by writing a custom pam module
to do authentication against the MW database.  I don't know enough
about Windows authentication to know if something similar is possible
there.

As an alternative one might think about writing something which would
export the user information from a MW database to something standard
like LDIF which could then be imported into an LDAP server and would
then be useable by anything which could authenticate against LDAP,
including Linux, Windows (Active Directory), and MW with one of the
LDAP extensions.

Then again, there are likely to be differences between the MW user
model and the data needed for populating a standard authentication
system.  The casing of usernames is one such problem as you point out.
 Another is missing info, although this could probably be finessed by
the export program.  The big problem is likely to be what to do with
the password.  Although the MW password salting algorithm is
well-documented, I'm not sure that it corresponds to anything which
standards like LDAP specify.

As in any of these problems, God is in the details.
--
Rick DeNatale

IPMS/USA Region 12 Coordinator
http://ipmsr12.denhaven2.com/

Visit the Project Mercury Wiki Site
http://www.mercuryspacecraft.com/

Re: Using Mediawiki Authentication for an external system

Lane, Ryan
> As an alternative one might think about writing something which would
> export the user information from a MW database to something standard
> like LDIF which could then be imported into an LDAP server and would
> then be useable by anything which could authenticate against LDAP,
> including Linux, Windows (Active Directory), and MW with one of the
> LDAP extensions.
>

I think I was supposed to do this at one time for some project that was
started. The project died at some point so I never did this. Doing this
would probably be pretty easy, and I'll look into a good way of doing
it. Making something like this generic is probably pretty hard as you
never really know what objectclasses/attributes anyone is using, and it
varies widely between directory servers.

> Then again, there are likely to be differences between the MW user
> model and the data needed for populating a standard authentication
> system.  The casing of usernames is one such problem as you point out.
>  Another is missing info, although this could probably be finessed by
> the export program.  The big problem is likely to be what to do with
> the password.  Although the MW password salting algorithm is
> well-documented, I'm not sure that it corresponds to anything which
> standards like LDAP specify.
>

If the wiki doesn't have any usernames that are the same, with different
case, you can use the renameuser special page to rename all of the users
to lowercase. The LDAP authentication plugin forces usernames to
lowercase when creating them, so this wouldn't be an issue after going
to LDAP.

I agree with using LDAP though. It would be a pain (and a lot of code)
to get everything authenticating off of MW. Why reinvent the wheel? LDAP
is specifically meant for this kind of thing. On an intranet it makes
sense as it is very nice to have *everything* authenticating from one
central repository, including your systems (which already have LDAP
authentication capability).

Unfortunately if you are using Windows you are pretty much stuck using
AD unless you want to use samba+openldap.

V/r,

Ryan Lane
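
Added example (not part of the thread, and not code from any poster or from MediaWiki): a sketch of the LDIF export Rick DeNatale proposes, including the lowercase-collision check Ryan Lane's rename advice depends on and the password mismatch Rick raises. It uses the MediaWiki hash of that era (md5 of the password, or md5 of "<user_id>-" plus that hex digest when $wgPasswordSalt is on); the base DN, the inetOrgPerson mapping and the sample rows are assumptions.

```python
import base64, binascii, hashlib, re
from collections import defaultdict

BASE_DN = "ou=people,dc=example,dc=org"  # assumption: placeholder directory suffix

def mw_hash(user_id, password, salted=True):
    """Legacy MediaWiki hash: md5(pw), or md5("<user_id>-" + md5(pw)) with $wgPasswordSalt."""
    inner = hashlib.md5(password.encode()).hexdigest()
    return hashlib.md5(f"{user_id}-{inner}".encode()).hexdigest() if salted else inner

def dn_escape(value):
    """Escape RFC 4514 special characters in an RDN value."""
    value = re.sub(r'([,+"\\<>;=])', r"\\\1", value)
    return re.sub(r"^([ #])|( )$", lambda m: "\\" + m.group(0), value)

def attr(name, value):
    """Emit one LDIF line; base64 ("::") when the value is not LDIF-safe."""
    safe = value.isascii() and not re.search(r"^[ :<]|[\x00\r\n]| $", value)
    return f"{name}: {value}" if safe else f"{name}:: {base64.b64encode(value.encode()).decode()}"

def export_ldif(rows, salted):
    """rows: (user_id, user_name, user_email, user_password) from the MW user table.
    Returns (ldif_text, collisions, needs_reset)."""
    by_uid = defaultdict(list)
    for row in rows:
        by_uid[row[1].lower()].append(row)
    collisions = {u: [r[1] for r in rs] for u, rs in by_uid.items() if len(rs) > 1}
    entries, needs_reset = [], []
    for uid, rs in by_uid.items():
        if uid in collisions:
            continue  # two wiki accounts would merge into one LDAP identity
        _, name, email, pw_hex = rs[0]
        lines = [attr("dn", f"uid={dn_escape(uid)},{BASE_DN}"),
                 "objectClass: inetOrgPerson",
                 attr("uid", uid), attr("cn", name), attr("sn", name)]  # sn: stand-in
        if email:
            lines.append(attr("mail", email))
        if salted:
            needs_reset.append(uid)  # md5("<id>-" + md5(pw)) matches no LDAP scheme
        else:
            digest = base64.b64encode(binascii.unhexlify(pw_hex)).decode()
            lines.append(attr("userPassword", "{MD5}" + digest))  # raw md5 only
        entries.append("\n".join(lines))
    return "\n\n".join(entries) + "\n", collisions, needs_reset

# Constructed sample rows (not real accounts); "Admin"/"ADMIN" differ only by case.
SAMPLE = [(1, "CEarle", "cearle@example.org", mw_hash(1, "pw-one", salted=False)),
          (2, "Rob L", "", mw_hash(2, "pw-two", salted=False)),
          (3, "Admin", "", "0" * 32), (4, "ADMIN", "", "0" * 32)]
```

Accounts listed in `needs_reset` have to set a new password in the directory, and `{MD5}` values are best treated as a migration aid to be replaced with a stronger scheme on the first successful bind.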

Re: Using Mediawiki Authentication for an external system

Rob Lanphier
On Thu, 2006-07-27 at 12:41 -0500, Lane, Ryan wrote:

> [person Ryan was responding to wrote]:
> > As an alternative one might think about writing something which would
> > export the user information from a MW database to something standard
> > like LDIF which could then be imported into an LDAP server and would
> > then be useable by anything which could authenticate against LDAP,
> > including Linux, Windows (Active Directory), and MW with one of the
> > LDAP extensions.
> >
>
> I think I was supposed to do this at one time for some project that was
> started. The project died at some point so I never did this. Doing this
> would probably be pretty easy, and I'll look into a good way of doing
> it. Making something like this generic is probably pretty hard as you
> never really know what objectclasses/attributes anyone is using, and it
> varies widely between directory servers.

That was me that dropped the ball on the project.  I proposed something
like this, but never followed through.

I just didn't have enough personal use for LDAP to motivate
followthrough on this.  More on this in a bit.

> I agree with using LDAP though. It would be a pain (and a lot of code)
> to get everything authenticating off of MW. Why reinvent the wheel? LDAP
> is specifically meant for this kind of thing. On an intranet it makes
> sense as it is very nice to have *everything* authenticating from one
> central repository, including your systems (which already have LDAP
> authentication capability).

I agree assuming this is an enterprise project where an LDAP directory
is laying around.  However, LDAP directories still have a high barrier
to entry, and don't get used a lot outside of an enterprise context
(e.g. hobbyists).  So, a lot of hobbyist-centered projects (e.g.
MediaWiki, WordPress, phpBB, etc) don't use LDAP by default, if at all.

If you're looking for something more web 2.0-y that may find itself as a
central technology in hobbyist-centered open source, my recommendation
would be something that the YADIS folks are working on
(http://yadis.org).

Rob
