How Authentication works with MoinMoin
MoinMoin has traditionally used cookie-based authentication: you log in via the form on page UserPreferences, then MoinMoin sets a cookie for authenticating you - until you log off which deletes the cookie (or until the cookie expires).
For running MoinMoin in a corporate environment this cookie-based system would prove unreliable and insecure. Therefore, MoinMoin can also use HTTP basic auth based authentication, when being run with web servers (e.g. Apache) that support it.
MoinMoin now has freely configurable modular authentication. Using the auth configuration value will set up a list of authentication methods that are processed in exactly that order.
When an external user database is used, you may not want to recreate all of the user accounts in MoinMoin. In this case the configuration option user_autocreate can be used. Setting it to True will allow a new user profile to be created automatically when a new user has passed authentication (and the auth method supports auto creation).
Presently the following authentication methods are supported:
Server setup
Authentication
Auth method in moin
All
moin built-in login
MoinMoin.auth.moin_login
by moin via external cookie
see contrib/auth_externalcookie/ or HelpOnAuthentication/ExternalCookie
Apache with CGI, modpy or FastCgi
by Apache modules: HTTP Basic, HTTP Digest, Active Directory (via SSPI), or LDAP
MoinMoin.auth.http.http
by moin via LDAP
MoinMoin.auth.ldap_login.ldap_login
Apache+SSL with CGI, modpy or FastCgi
by Apache via SSL client certificate
MoinMoin.auth.sslclientcert.sslclientcert
Twisted
HTTP Basic (but does not request authentication by header, so this is currently only useful for automated stuff, not for browser use)
MoinMoin.auth.http.http
IIS
HTTP Basic, SSPI (aka NTLM)
MoinMoin.auth.http.http
Other "auth" methods
These are not strictly auth methods, as they don't authenticate users, but use auth information for other purposes:
MoinMoin.auth.log.log
will just log login/logout/name, nothing else
Shipped plugins
moin_login and moin_session auth (default)
This is the default auth list moin uses (so if you just want that, you don't need to configure it).
moin_session should always be included since it manages the session cookie which is useful even if you don't authenticate using it since it manages session state. See HelpOnSessions for more information.
moin_anon_session
See HelpOnSessions.
http auth
To activate http authentication you have to add following lines to wikiconfig.py:
For HTTP basic auth used with a web server like Apache, the web server handles authentication before moin gets called. You either enter a valid username and password or your access will be denied by the web server.
So moin's http auth method will just check if user authentication happened:
- if yes, it will return a user object based on the authenticated user name.
- if no, it will not return a user object. In this example, there are no other auth methods, so the user will stay unknown.
Well, in reality, it is a bit more complicated indeed:
- For Twisted we use the username and password stored in the moin user profile. Except wiki xmlrpc usage this is currently not used.
- For NTLM and Negotiate, we split off everything before the last "\" (usually it is "Domain\username") and we also use title() to normalize "username" to "Username".
You usually do want to set user_autocreate = True for this auth method. moin will then auto create a user profile if the authenticated user does not already have one. So the user does not need to create the moin profile himself.
See also HelpOnInstalling/ApacheOnWin32withDomainAuthentication for some win32-specific instructions.
sslclientcert auth
To activate authentication via SSL client certificates you have to add following lines to wikiconfig.py:
For SSL client certificate auth used with a web server like Apache, the web server handles authentication before moin gets called. You either have a valid SSL client certificate or your access will be denied by the web server.
So moin's sslclientcert auth method will just check if user authentication happened:
- if yes, it will return a user object based on the email address or user name in the certificate.
- if no, it will not return a user object. In this example, there are no other auth methods, so the user will stay unknown.
You usually do want to set user_autocreate = True for this auth method. moin will then auto create a user profile if the authenticated user does not already have one. So the user does not need to create the moin profile himself.
php_session
To activate Single-Sign-On integration with PHP applications, use this module. It reads PHP session files and therefore directly integrates with existing PHP authentication systems.
To use this module, use the following lines of code in your configuration:
php_session has the following parameters:
1 php_session(apps=['egw'], s_path="/tmp", s_prefix="sess_")
apps is a list of enabled applications
s_path is the path of the PHP session files
s_prefix is the prefix of the PHP session files
The only supported PHP application is eGroupware 1.2 currently. But it should be fairly easy to add a few lines of code that extract the necessary information from the PHP session.
Interwiki auth
Your moin 1.6 wiki can contact another moin 1.6 wiki to authenticate users (and transfer user profiles):
If you want to use this, you have to enter "OtherWiki UserName" into the login field (without the quotes), the password field gets the password for the user UserName on the wiki OtherWiki.
OtherWiki must be in your interwiki map, so moin can resolve it and it also must be a member of the trusted_wikis list in your wiki configuration.
LDAP auth
See /LDAP.
SMB pseudo-auth method
This method does not really do authentication, it just intercepts user/password from the auth chain to do its own stuff - mounting some smb share on login, umounting on logout:
smb_server = "smb.example.org" # smb server name smb_domain = 'DOMAIN' # smb domain name smb_share = 'FILESHARE' # smb share we mount smb_mountpoint = u'/mnt/wiki/%(username)s' # where we mount the smb filesystem smb_display_prefix = u"S:" # where //server/share is usually mounted for your windows users (display purposes only) smb_dir_user = "wwwrun" # owner of the mounted directories smb_dir_mode = "0700" # mode of the mounted directories smb_file_mode = "0600" # mode of the mounted files smb_iocharset = "iso8859-1" # "UTF-8" > cannot access needed shared library! smb_coding = 'iso8859-1' # coding used for encoding the commandline for the mount command smb_verbose = True # if True, put SMB debug info into log smb_log = "/dev/null" # where we redirect mount command output to
This is for very special applications. If you don't know for what to use it, you probably don't need it.
wiki auth
This method was introduced with wikisync.
1 import xmlrpclib
2
3 name = "TestUser"
4 password = "secret"
5 wikiurl = "http://localhost:8080"
6
7 homewiki = xmlrpclib.ServerProxy(wikiurl + "?action=xmlrpc2", allow_none=True)
8 auth_token = homewiki.getAuthToken(name, password)
9
10 mc = xmlrpclib.MultiCall(homewiki)
11 mc.applyAuthToken(auth_token)
12 result = mc()
Combining multiple auth methods
For combining e.g. http and cookie authentication, your wikiconfig.py might contain:
In this example, moin will first check if the http auth method gives a valid user. If yes, it will use just that. If not and continue_flag returned by http auth method is True, it will continue checking other auth list method - moin_login and moin_session in this case...
Not all combinations make sense, of course.
Making your own auth method
See the commented config file fragment contrib/auth_externalcookie/ and MoinMoin/auth/*.py in your moin distribution archive for examples of how to do authentication.
Here is just a short summary of what's currently possible:
use ?action=login login form as user interface for your own auth method for entering name and password
use ?action=logout logout action for logging out with your own auth method
- search existing user profiles for a "matching" user (the match needs not be the name, it can also be the email address or something you put into aliasname)
create a user object and let it remember what attributes were determined by auth method (and thus should not be offered on UserPreferences)
- update values in user's profile from externally provided data
- autocreate user profiles