This sounds like a good thing to possibly integrate with my LDAP patch (http://bugzilla.wikipedia.org/show_bug.cgi?id=814). Many organizations are going to smart cards, and use LDAP for authentication. Thomas and I are working on integrating his email notification with my LDAP patch; maybe I'll be able to integrate this as well.
Ryan Lane Naval Oceanographic Office
-----Original Message-----
From: wikitech-l-bounces@wikimedia.org [SMTP:wikitech-l-bounces@wikimedia.org] On Behalf Of Frank Wales
Sent: Thursday, February 17, 2005 11:23 PM
To: Wikimedia developers
Subject: [Wikitech-l] Client certificate-based user login mechanism
On Wed, 2005-02-16 at 07:20 +0100, Thomas Gries wrote:
I have such a patch for loadFromSession(); see http://bugzilla.wikimedia.org/show_bug.cgi?id=1360 (Auto-login / Auto-account-creation by hostname for intranet MediaWikis). The patch code itself has not yet been uploaded but is rather short.
Brion and Marcus: let me know if you are interested - please study the text on the bugzilla for this; then I would revisit my code and upload the patch as a diff.
In related news, I've just written a first working version of a patch to loadFromSession() which logs you in as the Common Name from a client certificate presented by your browser as part of the SSL handshake to a secure Apache server. Not very elegant yet, but it seems to work okay. In effect, it punts the problem of getting the user's credentials up to Apache, but for what we're doing, that makes more sense anyway.
My questions are:
- anyone interested in the patch (with documentation on how to set up Apache to pass in the bits MW needs, etc., once I get the time to scribble some down)?
- ought I to append it to Thomas's bug #1360 discussion, or should this go elsewhere?
Note that I'm still in the middle of tweaking this for production use, and since I only started looking at MW's code a few hours ago, I probably have some cleaning up to do before it's very presentable.
But I'm happy to toss it out with some notes anyway for comment, especially if it turns out that I'm doing something majorly wrong.
--
Frank Wales [frank@limov.com]
Wikitech-l mailing list Wikitech-l@wikimedia.org http://mail.wikipedia.org/mailman/listinfo/wikitech-l
Ryan,
Thanks for replying.
On Fri, 2005-02-18 at 08:29 -0600, Lane, Ryan wrote:
This sounds like a good thing to possibly integrate with my LDAP patch (http://bugzilla.wikipedia.org/show_bug.cgi?id=814). Many organizations are going to smart cards, and use LDAP for authentication. Thomas and I are working on integrating his email notification with my LDAP patch; maybe I'll be able to integrate this as well.
Sure, why not? How should I proceed? Shall I e-mail you a patch and some notes on what I've done, and you can quickly give me your opinion on the approach, or shall I go ahead and add them as a comment to bug 814, which might seem somewhat tangential to anyone reading it who doesn't see this exchange? I note that the bug includes patches for a version I'm not currently using (my patch is against 1.3.9) -- I'm happy to move to the latest CVS version on a dev box and redo it, if User.php is a lot different since 1.3.9. Let me know, so I don't clutter up the bug commentary; thanks.
[I presume just posting stuff on this list would be overly noisy for others, so I won't follow up more here. Anyone else interested in the details of what I've done should just ping me directly.]
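The approach described in the thread above, where Apache verifies the client certificate during the SSL handshake and the wiki takes the login name from its Common Name, is shown here as an added example; it is not the patch discussed in the thread, which does not appear on this page. It assumes Apache mod_ssl exports its standard variables to PHP, and the helper name `certUserName` and the sample values are hypothetical.

```php
<?php
// Added example, not the patch discussed in this thread.
// Assumed Apache mod_ssl settings for the wiki's virtual host:
//   SSLVerifyClient require
//   SSLCACertificateFile <path to the CA that issues user certificates>
//   SSLOptions +StdEnvVars
// With these, mod_ssl sets SSL_CLIENT_VERIFY and SSL_CLIENT_S_DN_CN itself.
// Request headers arrive in PHP under HTTP_* names, so a client cannot set
// these two keys by sending headers.

/**
 * Hypothetical helper: derive a wiki user name from the verified client
 * certificate, or return null when the request must not be auto-logged-in.
 */
function certUserName(array $server): ?string {
    // mod_ssl reports NONE, SUCCESS, GENEROUS or FAILED:reason.
    // Only a fully verified chain may be trusted for identity.
    if (($server['SSL_CLIENT_VERIFY'] ?? 'NONE') !== 'SUCCESS') {
        return null;
    }
    $cn = trim($server['SSL_CLIENT_S_DN_CN'] ?? '');
    // Allow-list the CN: the issuing CA chooses it, but it ends up as a
    // page title and account name, so reject anything unexpected.
    if ($cn === '' || strlen($cn) > 64
        || !preg_match('/^[A-Za-z0-9][A-Za-z0-9 ._-]*$/', $cn)) {
        return null;
    }
    // MediaWiki treats underscores as spaces and capitalises the first
    // letter; normalise so "jane_doe" and "Jane doe" map to one account.
    return ucfirst(preg_replace('/[ _]+/', ' ', $cn));
}

// Constructed sample environments (not captured from a real server).
$samples = [
    'verified'      => ['SSL_CLIENT_VERIFY' => 'SUCCESS', 'SSL_CLIENT_S_DN_CN' => 'jane_doe'],
    'no certificate' => ['SSL_CLIENT_VERIFY' => 'NONE'],
    'optional_no_ca' => ['SSL_CLIENT_VERIFY' => 'GENEROUS', 'SSL_CLIENT_S_DN_CN' => 'Mallory'],
    'odd characters' => ['SSL_CLIENT_VERIFY' => 'SUCCESS', 'SSL_CLIENT_S_DN_CN' => 'Eve|[[Main Page]]'],
];
foreach ($samples as $label => $env) {
    printf("%-16s => %s\n", $label, var_export(certUserName($env), true));
}
```

Only the first sample yields a name (`'Jane doe'`); the rest return `NULL`. A Common Name is only as unique as the issuing CA makes it, so this mapping is safe only when `SSLCACertificateFile` points at a CA the organization controls.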