welcome: please sign in

次の514語(ハイライト表示)は、1209語の辞書 1209語のLocalSpellingWordsを含む)中に見つかりませんでした。
28default   3rd   able   aborts   accept   accepted   accessing   account   achieve   achieved   activate   Active   address   administrator   adresses   Advanced   again   against   aka   alias   aliasname   allow   allows   already   alternative   anonymous   another   anything   Apache   application   applications   apply   ask   asking   assuming   Attribute   attributes   auth   Auth   authententicator   authenticate   Authentication   authentication   Authenticator   authenticator   authenticators   Authenticators   authorities   authority   authorized   autocreate   automatically   based   Basic   basic   before   below   bigger   bind   bits   blanks   Bot   botbouncer   Bouncer   box   builtin   But   but   button   by   Call   called   can   cancel   cannot   case   cases   Cert   certain   certificate   certificates   certification   changed   characters   checked   checks   claimed   class   clicks   Client   client   cn   codes   coding   Combining   combining   commented   config   configuration   configure   Configure   configured   connect   constructor   contain   contains   Contents   contrib   controller   cookie   Cookie   correct   cp850   created   creates   creation   currently   database   dc   debug   decoded   decoding   Default   default   deny   depends   details   determined   dialog   Digest   directly   disabled   discovery   dist   distribution   dn   docstring   documentation   documented   Doe   doe   does   domain   don   done   double   easy   egw   else   enable   enabled   enables   encoded   Endpoint   entering   enters   env   environment   environments   establishes   every   Everyone   everything   exactly   example   examples   existing   experimental   explanation   external   External   externalcookie   externally   extract   fails   fairly   False   feature   few   ffffcc   files   find   fix   fixed   Flag   flags   follow   following   For   for   force   forced   form   fragment   from   fs   functions   get   gets   give   given   Given   Groupware   handles   hands   happen   hardcode   help   him   his   homewiki   how   however   id   identifier   if   If   implement   import   incorrect   indicates   indiciates   information   init   Input   installation   Instead   integrates   integration   interface   interwiki   into   its   Joe   joe   just   key   know   latin   latter   ldap   ldapsearch   lead   let   lifetime   like   lines   list   List   little   ll   localhost   Log   log   logged   logging   logout   look   maildomain   make   manually   match   matching   Maybe   mc   Meaning   meaning   methods   might   modular   module   moinadmin   more   Mount   mount   Multi   multiple   myopenid   name   necessary   need   needs   new   next   non   none   None   nothing   now   object   objects   offered   often   ok   On   on   one   only   Only   open   openid   openidrp   openidserver   or   order   ou   out   output   Output   over   own   parameter   Parameter   parameters   part   party   pass   passed   passes   password   passwords   patch   path   people   Please   please   plugin   plugins   preferences   prefix   Presently   presents   problem   Problems   process   processed   profile   profiles   prohibit   provide   provided   provider   provides   Proxy   pseudo   purposes   put   queried   re   read   reading   reads   receive   recieved   recreate   regular   remember   remote   remove   request   require   requires   requiring   resource   result   results   rowbgcolor   samples   sanely   secret   See   see   select   sense   Server   server   service   Service   sess   Session   session   sessions   set   setting   settings   setup   share   Shipped   short   should   shown   sign   Sign   signed   similar   Simply   Single   single   smb   snippet   so   some   something   Sometimes   sorts   specific   specify   specs   sslclientcert   standard   status   steps   still   strictly   string   strip   submit   successful   successfully   such   sufficient   support   supported   supports   systems   Table   talking   than   that   their   then   there   therefore   These   these   they   things   this   This   through   thus   time   titlecase   tld   tmp   to   To   token   Token   tool   transformation   transformations   True   try   tuple   two   type   uid   umount   unicode   up   update   updated   updates   updating   uris   usage   use   used   User   user   username   uses   using   usually   utf   values   var   variable   variables   various   verification   verified   Verify   very   vetoes   via   visiting   want   ways   we   web   webserver   well   were   what   whatever   when   whether   which   wikiconfig   wikiurl   will   windomain   windows   Windows   with   won   work   works   Writing   xmlrpc2   xmlrpclib   zero  

メッセージを消す
location: HelpOnAuthentication

How Authentication works with MoinMoin

MoinMoin supports configurable, modular authenticators to support all sorts of builtin and 3rd party authentication methods.

You use the auth configuration value to set up a list of authenticators that are processed in exactly that order.

When an external user database is used, you do not want to recreate all users in moin manually. For this case the authenticator objects which support user profile creation/updating have a parameter autocreate. If you set it to True a new user profile will be created/updated automatically when a (new) user has passed authentication.

Presently the following authenticators are supported:

Server setup

Authentication

Authenticator class in moin

All

by moin via username/password

MoinMoin.auth.MoinAuth

by PHP session

MoinMoin.auth.php_session.PHPSessionAuth

by moin via external cookie

see contrib/auth_externalcookie/ and HelpOnAuthentication/ExternalCookie

by OpenID

MoinMoin.auth.openidrp.OpenIDAuth

OpenID verification by http://botbouncer.com/

MoinMoin.auth.botbouncer.BotBouncer

by moin via LDAP

MoinMoin.auth.ldap_login.LDAPAuth

by moin via a remote moin wiki

MoinMoin.auth.interwiki - still experimental

by moin configuration, fixed username

MoinMoin.auth.GivenAuth

any Web Server setting REMOTE_USER

e.g. for HTTP Basic, HTTP Digest, SSPI (aka NTLM) or LDAP auth

MoinMoin.auth.GivenAuth

Apache+SSL

by Apache via SSL client certificate

MoinMoin.auth.sslclientcert.SSLClientCertAuth

Other pseudo-authenticators - These are not strictly authenticators, as they don't authenticate users, but use auth information for other purposes:

Shipped plugins

MoinAuth (default)

This is the default auth list moin uses (so if you just want that, you don't need to configure it).

   1     from MoinMoin.auth import MoinAuth
   2     auth = [MoinAuth()]

Given authentication

given by REMOTE_USER environment variable

Webservers (like e.g. Apache) often support all sorts of authentication plugins (e.g. HTTP basic auth). If the webserver is configured for authentication, it handles authentication before moin gets called. When visiting a resource requiring authentication, you get queried for username/password by a dialog box of your browser. When you submit, 2 things can happen:

Moin's GivenAuth authenticator will, by default, just try to log in the user with the username it recieved from REMOTE_USER.

To activate usage of REMOTE_USER for authentication you have to add following lines to wikiconfig.py:

   1     from MoinMoin.auth import GivenAuth
   2     auth = [GivenAuth(autocreate=True)]

given by other environment variable

Instead of reading the username from REMOTE_USER, moin can also read it from some other environment variable:

   1     from MoinMoin.auth import GivenAuth
   2     auth = [GivenAuth(env_var='WHATEVER', autocreate=True)]

decoding of the user name

REMOTE_USER (or whatever you specify as env_var) is a encoded string and needs to be decoded to unicode. If you don't specify the coding, moin will try 'utf-8' and 'latin-1' (in that order). For non-ASCII characters, this might lead to incorrect results if another coding was used by the web server.

If it fails, you can specify the coding manually:

   1     auth = [GivenAuth(env_var='WHATEVER', autocreate=True, coding='cp850')]

transformation of the user name

Sometimes the user name we receive in REMOTE_USER needs some transformation, so it can sanely be used in the wiki.

GivenAuth has some flags to support some standard transformations, enable whatever you like (give True - the default is all False, meaning disabled transformation):

Flag

Input

Output

strip_maildomain

joe@example.org

joe

strip_windomain

DOMAIN\joe

joe

titlecase

joe doe

Joe Doe

remove_blanks

Joe Doe

JoeDoe

(!) The transformations (if enabled) will happen in the order shown.

For example, for some windows domain environments, this might make sense:

   1     auth = [GivenAuth(autocreate=True, strip_windomain=True, titlecase=True, remove_blanks=True)]

fixed user given by configuration

You can also hardcode a username into your configuration:

   1     from MoinMoin.auth import GivenAuth
   2     auth = [GivenAuth(user_name=u'Joe Doe', autocreate=True)]

Everyone and everything accessing the wiki will now be logged in as user Joe Doe automatically.

SSL client certification authentication

To activate authentication via SSL client certificates you have to add following lines to wikiconfig.py:

   1     from MoinMoin.auth.sslclientcert import SSLClientCertAuth
   2     auth = [SSLClientCertAuth()]

SSL client certification authentication must be used with a web server like Apache that handles the SSL bits and just presents a few environment variables to Moin.

The SSLClientCertAuth authenticator has a few parameters that you pass to the constructor (example below):

Parameter

Default

Meaning

authorities

None

a list of authorities that are accepted, or None to accept all

email_key

True

indicates whether the email in the certificate should be used to find the Moin user

name_key

True

indiciates whether the name in the certificate should be used to find the Moin user

use_email

False

if set to True, the account email cannot be changed and is forced to the one given in the certificate

use_name

False

if set to True, the account name cannot be changed and is forced to the one given in the certificate

autocreate

False

if set to True, automatically create moin user profiles

For example, to accept only certificates that Apache has verified and that are signed by a certain authority, use:

   1     from MoinMoin.auth.sslclientcert import SSLClientCertAuth
   2     auth = [SSLClientCertAuth(authorities=['my.authority.tld'])]

or similar.

PHP session

To activate Single-Sign-On integration with PHP applications, use this module. It reads PHP session files and therefore directly integrates with existing PHP authentication systems.

To use this module, use the following lines of code in your configuration:

   1     from MoinMoin.auth.php_session import PHPSessionAuth
   2     auth = [PHPSessionAuth()]

PHPSessionAuth has the following parameters:

   1     PHPSessionAuth(apps=['egw'], s_path="/tmp", s_prefix="sess_")

The only supported PHP application is eGroupware 1.2 currently. But it should be fairly easy to add a few lines of code that extract the necessary information from the PHP session, if you do that, please open a feature request with a patch.

OpenID (with BotBouncer)

The OpenID authentication plugin allows users to sign in using their OpenID and connect that OpenID to a new or existing Moin account. To allow users to sign in with OpenID, add the plugin to the auth list, or to require OpenID with http://botbouncer.com/ verification use:

   1     from MoinMoin.auth.openidrp import OpenIDAuth
   2     from MoinMoin.auth.botbouncer import BotBouncer
   3     auth = [OpenIDAuth(), BotBouncer("your-botbouncer-API-key")]

OpenID authentication requires anonymous sessions, set the first part of the cookie_lifetime tuple to anything bigger than zero (like cookie_lifetime = (2,12)). See HelpOnConfiguration for more details on the value. For OpenID, very little time should be sufficient.

Advanced OpenID RP configuration

The OpenID RP code can also be configured for two use cases:

  1. You can force a specific provider to be used, there are two ways to achieve this:
    • Simply configure the OpenIDAuth authenticator like this:

      auth = [OpenIDAuth(forced_service='http://myopenid.com/'), ]
    • Create an OpenIDServiceEndpoint object and use that for the forced_service parameter:

      fs = OpenIDServiceEndpoint()
      fs.type_uris = OPENID_2_0_TYPE
      fs.server_url = 'http://localhost:8000/openidserver'
      fs.claimed_id = 'http://specs.openid.net/auth/2.0/identifier_select'
      
      auth = [OpenIDAuth(forced_service=fs), ]
    In the latter case, no discovery needs to be done.
  2. You can specify functions to be called in various steps of the OpenID authentication process to, for example, implement Attribute Exchange. For now, this is not documented here, you'll have to look at the file MoinMoin/auth/openidrp.py.

LDAP based user authentication

The LDAP authenticator of Moin enables single-sign-on (SSO) - assuming you already have a LDAP directory with your users, passwords, email adresses. On Linux this could be some OpenLDAP server, on a Windows server (usually the domain controller) this is called "Active Directory" (short: AD).

It works like this:

LDAP auth installation / configuration

You need to install python-ldap module (and everything it depends on, see its documentation).

You need an LDAP or AD server. :)

See wiki/config/more_samples/ldap_wikiconfig_snippet.py in your moin dist archive for a snippet you can use in your wiki config.

(!) Please also read the README file in that directory.

LDAP auth Problems?

MoinMoin support does not know your LDAP server setup, so please follow these steps before asking for help:

/!\ Only ask MoinMoin support if you successfully used ldapsearch (or some similar tool) and you double checked your wiki config and it does still not work with moin.

XMLRPC auth

   1 import xmlrpclib
   2 
   3 name = "TestUser"
   4 password = "secret"
   5 wikiurl = "http://localhost:8080/"
   6 
   7 homewiki = xmlrpclib.ServerProxy(wikiurl + "?action=xmlrpc2", allow_none=True)
   8 auth_token = homewiki.getAuthToken(name, password)
   9 
  10 mc = xmlrpclib.MultiCall(homewiki)
  11 mc.applyAuthToken(auth_token)
  12 # you can add more xmlrpc method calls to the multicall here,
  13 # they will run authenticated as user <name>.
  14 result = mc()

Combining multiple authenticators

For combining e.g. SSL client certificate and username/password authentication, your wikiconfig.py might contain:

   1     from MoinMoin.auth import MoinAuth
   2     from MoinMoin.auth.sslclientcert import SSLClientCertAuth
   3     auth = [SSLClientCertAuth(), MoinAuth()]

In that case, any client certificates that the user provides will be used to log him on, but if they do not provide one they still have the option of logging on with their username/password.

Writing your own authenticator

See the commented config file fragment contrib/auth_externalcookie/ and MoinMoin/auth/*.py in your moin distribution archive for examples of how to do authentication. Also, the docstring in MoinMoin/auth/__init__.py contains an explanation of what can be done and how it is achieved.

Authenticators can