On Tuesday 06 November 2012 21:13:31 fero14041 wrote: > > [Wishes] > As there could be other services provided by the server, > such as Mercurial's repositories, an instance of Trac, etc. > I'd like the users to log themselves to each with same shared account > across them (one per user), ideally managed by Apache's digest > authentication. MoinMoin's doc clearly points how this could be possible, > with ``GivenAuth`` authentication method. > This seems to not be sufficient:: > > auth = [GivenAuth(autocreate=True)], MoinAuth()] > auth_methods_trusted = ['given']
I'm not familiar with the auth_methods_trusted setting, but I think this only affects the Trusted ACL group. > [Problem and tries] > I did not succeed in letting Apache give > authentication to MoinMoin. I tried: > - different installs (with packages provided by server's distribution, > or from source); > - carefully reading the documentation (many times, perhaps not enough ?-); > - testing different configuration variants; > - searching for similar report in bugs and mailing list archives > (Google Groups) or > - through the web (found few: > http://blog.nyaruka.com/apache2-http-digest-auth-and-moinmoin, also > https://gist.github.com/498124). > So I highly suspected remaining problem simply occurs in a bad > configuration. You have certainly done a lot of preparation. :-) > [Tech. context] > This server runs on Debian Squeeze (up to date), > web pages are served by Apache (2.2.16-6+squeeze8), mod_wsgi (3.3-2) > and Python 2.6.6 > > [Demonstration] > In order to give you most informations, > configuration template files used are provided at: > http://moin.poeulfs.org/hg/pb_apache_digest_auth/file/tip/ > and specially ``etc/wikiconfig.py`` for Moin instance config., > and ``etc/httpd.conf`` for Apache's one. > I also put two instances of Moin from different version, and same config, > one at version 1.9.4 provided by Debian package (in current Squeeze > backports), and the other in a dedicated virtualenv with latest stable > release 1.9.5.: http://moin.poeulfs.org/test/moin194/ > http://moin.poeulfs.org/test/moin195/ I tried these with the "user" account and found that after selecting "Login by Apache" and logging in, only the "login" page is given the credentials: navigating to another page shows "Login" instead of "user" as the username in the navigation bar. > For each instance, there are: > - following users and groups: > - one superuser (``fero14041admin``), > - one ``AdminGroup`` with one admin user (``admin``, password like > login), - one ``TestGroup`` with two regular users (``user`` (pwd id.) and > ``fero14041``); > - all default rights are defined in config by:: > > acl_rights_default = (u"AdminGroup:read,write,delete,revert " > u"TestGroup:read,write " > u"All:") > > - a theme derived from `modernized`, putting in page's header an additional > link to ``login`` page and requiring Apache authentication. > > Finally, those instances' logs, and specially that related to login, > are readable at: > http://moin.poeulfs.org/test/viewlogs/logs I suppose I'm seeing successful authentication in the logs, but I think your problem is actually in your Web server configuration: <Location /wiki/login> Require valid-user </Location> This only enforces authentication for the login resource, meaning that you only ever activate authentication for that resource, and the credentials never get passed to the Wiki for anything else, such as /wiki/FrontPage and so on. HTTP authentication can be infuriating in cases like this. If you change the above to this... <Location /wiki> Require valid-user </Location> ...then you won't be able to let users in without authenticating with Apache. Thus, logging in using Apache becomes "all or nothing". Of course, you could publish the same Wiki at multiple locations and protect one of them, so that you would have the above for authenticated users and something else for people who are anonymous or who might log in via MoinMoin itself, exposed at /wiki-public or whatever. That's not very elegant, I know. Maybe there's a way of having a separate login resource that performs some kind of authentication, sets some kind of authentication token, and then Moin can be made to read that token and authenticate people. That sounds a bit like OpenID, but I'm thinking of something much less complicated. > So, I would appreciate any help your could provide, to understand > what I am doing wrong ^^;) (or if it's a bug and requires a report)... > and of course share with my users all the power of MoinMoin! > And thank you for reading this long message. > > Cheers, > > -- fero14041 > > > PS: Please excuse strange wordings and/or phrasings, as English is not > my mother language. It would take me a long time to write a response in French, but your message is very clear and comprehensible. I hope at least some of what I've written makes as much sense and is somewhat helpful. :-) Paul ------------------------------------------------------------------------------ LogMeIn Central: Instant, anywhere, Remote PC access and management. Stay in control, update software, and manage PCs from one command center Diagnose problems and improve visibility into emerging IT issues Automate, monitor and manage. Do more in less time with Central http://p.sf.net/sfu/logmein12331_d2d _______________________________________________ Moin-user mailing list Moin-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/moin-user
