On 7/26/06, Rob Lanphier <robla(a)robla.net> wrote:
Hi Chris,
As Domas pointed out, there's a lot of ways to skin this cat.
I've put some thought into this in the past, and some of the work I've
done here may be of help to you:
http://auth.robla.net/wiki/Table_of_Access_Control_Models_in_Targeted_Web_A…
This may help you map the different auth systems onto each other,
assuming any of the apps that you want are on the list.
I'm assuming you want MediaWiki at the hub because you've got an
existing base of MediaWiki users, and you are looking to provide other
services (e.g. normal discussion board, blog, etc), without forcing them
to create another account, right?
While that list is helpful, it really only talks about the different
authorization models. The other problem is authentication.
If you wanted to really use the MW authentication system as the basis
for an intranet, I suppose that you're going to have to figure out how
to authenticate users not just for web applications but also for
accounts in general. This probably means authenticating them for
Linux shell accounts and/or Windows accounts.
I suppose you might be able to do Linux by writing a custom pam module
to do authentication against the MW database. I don't know enough
about Windows authentication to know if something similar is possible
there.
As an alternative one might think about writing something which would
export the user information from a MW database to something standard
like LDIF which could then be imported into an LDAP server and would
then be usable by anything which could authenticate against LDAP,
including Linux, Windows (Active Directory), and MW with one of the
LDAP extensions.
Then again, there are likely to be differences between the MW user
model and the data needed for populating a standard authentication
system. The casing of usernames is one such problem as you point out.
Another is missing info, although this could probably be finessed by
the export program. The big problem is likely to be what to do with
the password. Although the MW password salting algorithm is
well-documented, I'm not sure that it corresponds to anything which
standards like LDAP specify.
As in any of these problems, God is in the details.
--
Rick DeNatale
IPMS/USA Region 12 Coordinator
http://ipmsr12.denhaven2.com/
Visit the Project Mercury Wiki Site
http://www.mercuryspacecraft.com/
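The export-to-LDIF route and the password problem discussed above, as an added illustration that is not part of the thread or of MediaWiki's own code: it assumes the MW `:B:<salt>:md5(salt-md5(password))` layout for `user_password`, emits LDIF entries without a `userPassword` (no standard LDAP scheme matches that hash), and sets a standard `{SSHA}` only once the user proves the cleartext at first login. The base DN, attribute choices and the sample row are constructed.

```python
import base64
import hashlib
# Assumed MediaWiki 1.5-era layout: ":B:<salt>:" + md5(salt + "-" + md5(password)).
# Example code written for this note, not MediaWiki's own User::crypt().
def mw_hash(password, salt):
    inner = hashlib.md5(password.encode("utf-8")).hexdigest()
    outer = hashlib.md5((salt + "-" + inner).encode("utf-8")).hexdigest()
    return ":B:%s:%s" % (salt, outer)

def mw_check(password, stored):
    """Verify a cleartext password against a stored ':B:' hash."""
    parts = stored.split(":")
    if len(parts) != 4 or parts[1] != "B":
        raise ValueError("unsupported MW hash layout: " + stored[:3])
    return mw_hash(password, parts[2]) == stored

def ssha_hash(password, salt):
    """Standard LDAP {SSHA} value: base64(sha1(password + salt) + salt)."""
    raw = hashlib.sha1(password.encode("utf-8") + salt).digest() + salt
    return "{SSHA}" + base64.b64encode(raw).decode("ascii")

def mw_user_to_ldif(row, base_dn="ou=people,dc=example,dc=org"):
    """LDIF add entry for one user row; no userPassword, as no LDAP scheme matches the MW hash."""
    uid = row["user_name"].lower()  # MW upper-cases the first letter; shells want lower
    entry = [
        "dn: uid=%s,%s" % (uid, base_dn),
        "objectClass: inetOrgPerson",
        "uid: %s" % uid,
        "cn: %s" % row["user_name"],
        "sn: %s" % row["user_name"],
    ]
    if row.get("user_email"):
        entry.append("mail: %s" % row["user_email"])
    return "\n".join(entry) + "\n"

def first_login_ldif(row, password, salt, base_dn="ou=people,dc=example,dc=org"):
    """At first login, prove the cleartext against the MW hash and only then
    emit an LDIF modify that sets a standard {SSHA}; None on a wrong password."""
    if not mw_check(password, row["user_password"]):
        return None
    return "\n".join([
        "dn: uid=%s,%s" % (row["user_name"].lower(), base_dn),
        "changetype: modify",
        "replace: userPassword",
        "userPassword: %s" % ssha_hash(password, salt),
        "-",
    ]) + "\n"

SAMPLE_ROW = {"user_name": "Alice", "user_email": "alice@example.org",  # constructed, not a real account
              "user_password": mw_hash("correct horse", "1a2b3c4d")}
```

The lazy step means users who never log in again keep no LDAP password at all, which is usually the right default for an intranet migration.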