Hey all,
This is the reverse of one of the most popular questions on here--
I like the MW user table/authentication system -- and was wondering if it would be possible to use it with an external system? I want to build an intranet AROUND mediawiki ... or something like that. I figure since I've already got a large userbase created in MW, I should just use that and go from there.
Most people on here ask if they can use an external auth system to log in to MW -- I want the reverse :-)
Thoughts appreciated. Direct me to a MW meta page if there's something useful floating around
-- Chris Earle
I like the MW user table/authentication system -- and was wondering if it would be possible to use it with an external system? I want to build an
well, I don't really get the problem. If you want, password hash function is trivial, you can access tables directly. If you want, you can build your own web services (as a specialpage, if you want higher level, or build your own entry point).
Then just interface it all. What is the question? :)
Domas
Hi Chris,
As Domas pointed out, there's a lot of ways to skin this cat.
I've put some thought into this in the past, and some of the work I've done here may be of help to you: http://auth.robla.net/wiki/Table_of_Access_Control_Models_in_Targeted_Web_Ap...
This may help you map the different auth systems onto each other, assuming any of the apps that you want are on the list.
I'm assuming you want MediaWiki at the hub because you've got an existing base of MediaWiki users, and you are looking to provide other services (e.g. normal discussion board, blog, etc), without forcing them to create another account, right?
One thing that really, really sucks about using MediaWiki as a hub: case sensitive usernames that force an uppercase first letter. Other systems aren't necessarily going to distinguish between "CEarle" and "cearle", so you may find yourself somehow building an extension/customization for MediaWiki anyway just to get case-insensitivity.
Good luck! Rob
On Wed, 2006-07-26 at 15:40 -0400, Chris Earle (CBL) wrote:
Hey all,
This is the reverse of one of the most popular questions on here--
I like the MW user table/authentication system -- and was wondering if it would be possible to use it with an external system? I want to build an intranet AROUND mediawiki ... or something like that. I figure since I've already got a large userbase created in MW, I should just use that and go from there.
Most people on here ask if they can use an external auth system to log in to MW -- I want the reverse :-)
Thoughts appreciated. Direct me to a MW meta page if there's something useful floating around
-- Chris Earle
On 7/26/06, Rob Lanphier robla@robla.net wrote:
Hi Chris,
As Domas pointed out, there's a lot of ways to skin this cat.
I've put some thought into this in the past, and some of the work I've done here may be of help to you: http://auth.robla.net/wiki/Table_of_Access_Control_Models_in_Targeted_Web_Ap...
This may help you map the different auth systems onto each other, assuming any of the apps that you want are on the list.
I'm assuming you want MediaWiki at the hub because you've got an existing base of MediaWiki users, and you are looking to provide other services (e.g. normal discussion board, blog, etc), without forcing them to create another account, right?
While that list is helpful, it really only talks about the different authorization models. The other problem is authentication.
If you wanted to really use the MW authentication system as the basis for an intranet, I suppose that you're going to have to figure out how to authenticate users not just for web applications but also for accounts in general. This probably means authenticating them for Linux shell accounts and/or Windows accounts.
I suppose you might be able to do Linux by writing a custom pam module to do authentication against the MW database. I don't know enough about Windows authentication to know if something similar is possible there.
As an alternative one might think about writing something which would export the user information from a MW database to something standard like LDIF which could then be imported into an LDAP server and would then be usable by anything which could authenticate against LDAP, including Linux, Windows (Active Directory), and MW with one of the LDAP extensions.
Then again, there are likely to be differences between the MW user model and the data needed for populating a standard authentication system. The casing of usernames is one such problem as you point out. Another is missing info, although this could probably be finessed by the export program. The big problem is likely to be what to do with the password. Although the MW password salting algorithm is well-documented, I'm not sure that it corresponds to anything which standards like LDAP specify.
As in any of these problems, God is in the details.
As an alternative one might think about writing something which would export the user information from a MW database to something standard like LDIF which could then be imported into an LDAP server and would then be usable by anything which could authenticate against LDAP, including Linux, Windows (Active Directory), and MW with one of the LDAP extensions.
I think I was supposed to do this at one time for some project that was started. The project died at some point so I never did this. Doing this would probably be pretty easy, and I'll look into a good way of doing it. Making something like this generic is probably pretty hard as you never really know what objectclasses/attributes anyone is using, and it varies widely between directory servers.
Then again, there are likely to be differences between the MW user model and the data needed for populating a standard authentication system. The casing of usernames is one such problem as you point out. Another is missing info, although this could probably be finessed by the export program. The big problem is likely to be what to do with the password. Although the MW password salting algorithm is well-documented, I'm not sure that it corresponds to anything which standards like LDAP specify.
If the wiki doesn't have any usernames that are the same, with different case, you can use the renameuser special page to rename all of the users to lowercase. The LDAP authentication plugin forces usernames to lowercase when creating them, so this wouldn't be an issue after going to LDAP.
I agree with using LDAP though. It would be a pain (and a lot of code) to get everything authenticating off of MW. Why reinvent the wheel? LDAP is specifically meant for this kind of thing. On an intranet it makes sense as it is very nice to have *everything* authenticating from one central repository, including your systems (which already have LDAP authentication capability).
Unfortunately if you are using Windows you are pretty much stuck using AD unless you want to use samba+openldap.
V/r,
Ryan Lane
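The two hurdles the thread keeps returning to (username casing and what to do with the MW password hash) in an added example of my own, not code from this thread or from any MediaWiki extension: it verifies a password against MediaWiki's legacy `:A:`/`:B:` MD5 formats (the salting scheme the reply above calls well-documented), then exports constructed sample `user` rows to LDIF, lowercasing uids the way the LDAP plugin does, reporting names that collide after lowercasing, filling the required `sn` from the username, and dropping the hash because no LDAP `userPassword` scheme matches it. The column names are MediaWiki's; the rows, salts and base DN are constructed.

```python
import base64
import hashlib
import hmac

def mw_hash_b(password: str, salt: str) -> str:
    """Legacy MediaWiki salted form: ':B:salt:md5(salt + "-" + md5(password))'."""
    inner = hashlib.md5(password.encode()).hexdigest()
    return f":B:{salt}:" + hashlib.md5(f"{salt}-{inner}".encode()).hexdigest()

def mw_check_password(stored: str, password: str) -> bool:
    """Verify a cleartext password against a user_password value (':A:' or ':B:')."""
    parts = stored.split(":")
    if len(parts) == 3 and parts[1] == "A":   # unsalted ':A:md5(password)'
        return hmac.compare_digest(parts[2], hashlib.md5(password.encode()).hexdigest())
    if len(parts) == 4 and parts[1] == "B":   # salted; parts[2] is the salt
        return hmac.compare_digest(stored, mw_hash_b(password, parts[2]))
    return False

def ldif_attr(name: str, value: str) -> str:
    """RFC 2849 rule: base64-encode ('::') any value that is not a safe ASCII string."""
    safe = value.isascii() and value.isprintable() and not value.startswith((" ", ":", "<"))
    return f"{name}: {value}" if safe else f"{name}:: {base64.b64encode(value.encode()).decode()}"

def export_ldif(rows, base_dn="ou=people,dc=example,dc=org"):
    """Return (ldif_text, collisions). uids are lowercased as the LDAP plugin does;
    names that collide after lowercasing are reported, not exported; the MW hash is
    never emitted, since no LDAP userPassword scheme matches it (users must reset)."""
    seen, collisions, entries = {}, [], []
    for row in rows:
        uid = row["user_name"].lower()
        if uid in seen:
            collisions.append((seen[uid], row["user_name"]))
            continue
        seen[uid] = row["user_name"]
        attrs = [ldif_attr("dn", f"uid={uid},{base_dn}"), "objectClass: inetOrgPerson",
                 ldif_attr("uid", uid), ldif_attr("cn", row["user_name"]),
                 ldif_attr("sn", row["user_name"])]   # sn is required; MW has no surname
        if row.get("user_email"):
            attrs.append(ldif_attr("mail", row["user_email"]))
        entries.append("\n".join(attrs))
    return "\n\n".join(entries) + "\n", collisions

SAMPLE_ROWS = [  # constructed sample of MW `user` rows, not real data
    {"user_name": "CEarle", "user_email": "chris@example.org",
     "user_password": mw_hash_b("secret", "1a2b3c4d")},
    {"user_name": "cearle", "user_email": "", "user_password": mw_hash_b("x", "ffee0011")},
    {"user_name": "Zoë", "user_email": "zoe@example.org",
     "user_password": ":A:" + hashlib.md5(b"hunter2").hexdigest()},
]
```

Run `export_ldif(SAMPLE_ROWS)` to see the `cearle` collision reported separately from the LDIF text, which is what you would want to resolve with Special:Renameuser before importing.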
On Thu, 2006-07-27 at 12:41 -0500, Lane, Ryan wrote:
[person Ryan was responding to wrote]:
As an alternative one might think about writing something which would export the user information from a MW database to something standard like LDIF which could then be imported into an LDAP server and would then be usable by anything which could authenticate against LDAP, including Linux, Windows (Active Directory), and MW with one of the LDAP extensions.
I think I was supposed to do this at one time for some project that was started. The project died at some point so I never did this. Doing this would probably be pretty easy, and I'll look into a good way of doing it. Making something like this generic is probably pretty hard as you never really know what objectclasses/attributes anyone is using, and it varies widely between directory servers.
That was me that dropped the ball on the project. I proposed something like this, but never followed through.
I just didn't have enough personal use for LDAP to motivate follow-through on this. More on this in a bit.
I agree with using LDAP though. It would be a pain (and a lot of code) to get everything authenticating off of MW. Why reinvent the wheel? LDAP is specifically meant for this kind of thing. On an intranet it makes sense as it is very nice to have *everything* authenticating from one central repository, including your systems (which already have LDAP authentication capability).
I agree assuming this is an enterprise project where an LDAP directory is lying around. However, LDAP directories still have a high barrier to entry, and don't get used a lot outside of an enterprise context (e.g. hobbyists). So, a lot of hobbyist-centered projects (e.g. MediaWiki, WordPress, phpBB, etc) don't use LDAP by default, if at all.
If you're looking for something more web 2.0-y that may find itself as a central technology in hobbyist-centered open source, my recommendation would be something that the YADIS folks are working on (http://yadis.org).
Rob
mediawiki-l@lists.wikimedia.org