path: root/wikilib.d/PmWiki.AuthUser
author: pmichaud <pmichaud@524c5546-5005-0410-9a3e-e25e191bd360> 2006-03-05 23:48:30 +0000
committer: pmichaud <pmichaud@524c5546-5005-0410-9a3e-e25e191bd360> 2006-03-05 23:48:30 +0000
commit: 0d8cb7a6263674c688c1226bb4b28a4db112dcd2 (patch)
tree: c47ab545ea28f8a33cddbc43a07e93b76ada4760 /wikilib.d/PmWiki.AuthUser
parent: 86be224bc067d196d6b8507b682166582d68ca34 (diff)
git-svn-id: svn://pmwiki.org/pmwiki/trunk@1311 524c5546-5005-0410-9a3e-e25e191bd360
Diffstat (limited to 'wikilib.d/PmWiki.AuthUser')
-rw-r--r-- wikilib.d/PmWiki.AuthUser | 10
1 files changed, 10 insertions, 0 deletions
diff --git a/wikilib.d/PmWiki.AuthUser b/wikilib.d/PmWiki.AuthUser
new file mode 100644
index 00000000..1727f665
--- /dev/null
+++ b/wikilib.d/PmWiki.AuthUser
@@ -0,0 +1,10 @@
+version=pmwiki-2.1.beta34 ordered=1 urlencoded=1
+agent=pmwikiedit
+author=Pm
+csum=
+host=38.119.121.196
+name=PmWiki.AuthUser
+rev=6
+targets=PmWiki.Passwords,Site.AuthUser,PmWiki.PasswordsAdmin,PmWiki.DocumentationIndex
+text=%25audience%25 administrators (intermediate)%0a%0aAuthUser is PmWiki's identity-based authorization system that allows access to pages to be controlled through the use of usernames and passwords. AuthUser can be used in addition to the [[Passwords | password-based]] scheme that is PmWiki's default configuration.%0a%0aAuthUser is a very flexible system for managing access control on pages, but flexibility can also bring complexity and increased maintenance overhead to the wiki administrator. This is why PmWiki defaults to the simpler password-based system. For some thoughts about the relative merits of the two approaches, see [[PmWiki:ThoughtsOnAccessControl]].%0a%0a%0a!! Activating AuthUser%0a%0aTo activate PmWiki's identity-based system, add the following line%0ato ''local/config.php'':%0a%0a include_once("$FarmD/scripts/authuser.php");%0a%0a%0a!! Creating user accounts%0a%0aMost of AuthUser's configuration is performed via the [[Site.AuthUser]] page. To change the AuthUser configuration, simply edit this page like any other wiki page (you'll typically need to use the site's admin password for this).%0a%0aTo create a login account, simply add lines to Site.AuthUser that look like:%0a%0a username: $1$Oq6.2RKJ$Qi0Y8YpCUSqF2sQxBO9r/.%0a%0aFor example, to create a login account for "alice" with a password of "wonderland", enter:%0a%0a alice: $1$YdkEu2Jz$hf62oZ6rAEgoyx0pcAJor1%0a%0aWhen the page is saved, the "$1$PHVp8s8r$J5PTSv9lNCI5mI/iKqAd41" part of the text will be replaced by an encrypted form of the password "wonderland". This encryption is done so that someone looking at the Site.AuthUser page cannot easily determine the passwords stored in the page. %0a%0a->%25note%25 For greater security, [[Site.AuthUser?action=attr | place a read password]] on the Site.AuthUser page.%0a%0aTo change or reset an account's password, simply replace the encrypted string with another [@$1$HvrJaMvc$0s8AF7dU2GqdDiDWOc5Gb0@] directive.%0a%0a%0a!! 
Controlling access to pages by login%0a%0aPages and groups can be protected based on login account by using "passwords" of the form [@id:username@] in the password fields of [@?action=attr@] (see [[PmWiki.Passwords]]). For example, to restrict a page to being edited by Alice, one would set the password to "[@id:alice@]".%0a%0aIt's possible to use multiple "id:" declarations and passwords in the [@?action=attr@] form, thus the following setting would allow access to Alice, Carol, and anyone who knows the password "quick":%0a%0a quick id:alice,carol%0a%0aTo allow access to anyone that has successfully logged in, use "[@id:*@]".%0a%0aOne can also perform site-wide restrictions based on identity in the $DefaultPasswords array, as in:%0a%0a # require valid login before viewing pages%0a $DefaultPasswords['read'] = 'id:*';%0a # Alice and carol may edit%0a $DefaultPasswords['edit'] = 'id:alice,carol';%0a%0a%0a!! Organizing accounts into groups%0a%0aAuthUser also makes it possible to group login accounts together into authorization groups, indicated by a leading "@" sign. As with login accounts, group memberships are maintained by editing the Site.AuthUser file. Group memberships can be specified by either listing the groups for a login account or the login accounts for a group (and they can be repeated or mixed-and-matched as desired):%0a%0a @writers: alice, bob%0a carol: @writers, @editors%0a @admins: alice, dave%0a %0aThen, to restrict page access to a particular group, simply use "[@@group@]" as the "password" in [@?action=attr@] or the $DefaultPasswords array, similar to the way that "[@id:username@]" is used to restrict access to specific login accounts.%0a%0a%0a!! 
Getting account names and passwords from external sources%0a%0aThe AuthUser script has the capability of obtaining username/password pairs from places other than the Site.AuthUser page, such as passwd-formatted files (usually called '.htpasswd' on Apache servers), LDAP servers, or even the ''local/config.php'' file.%0a%0a%0a!!! Passwd-formatted files (.htpasswd)%0a%0aPasswd-formatted files, commonly called ''.htpasswd'' files in Apache, are text files where each line contains a username and an encrypted password separated by a colon. A typical ''.htpasswd'' file might look like:%0a%0a alice:vK99sgDV1an6I%0a carol:Q1kSeNcTfwqjs%0a%0aTo get AuthUser to obtain usernames and passwords from a ''.htaccess'' file, add the following line to Site.AuthUser, replacing "/path/to/.htpasswd" with the filesystem path of the ''.htpasswd'' file:%0a%0a htpasswd: /path/to/.htpasswd%0a%0aCreation and maintenance of the ''.htpasswd'' file can be performed using a text editor, or any number of other third-party tools available for maintaining ''.htpasswd'' files. The Apache web server typically includes an ''htpasswd'' command for creating accounts in .htpasswd:%0a%0a $ htpasswd /path/to/.htpasswd alice%0a New password:%0a Re-type new password:%0a Adding password for user alice%0a $%0a%0a%0a!!! Configuration via ''local/config.php''%0a%0aAuthUser configuration settings can also be made from the ''local/config.php'' file in addition to the Site.AuthUser page. Such settings are placed in the $AuthUser array, and ''must be set prior to including the ''authuser.php'' script''. Some examples:%0a%0a # set a password for alice%0a $AuthUser['alice'] = crypt('wonderland');%0a # set a password for carol%0a $AuthUser['carol'] = '$1$CknC8zAs$dC8z2vu3UvnIXMfOcGDON0';%0a # Use local/.htpasswd for usernames/passwords%0a $AuthUser['htaccess'] = 'local/.htpasswd';%0a%0a%0a!! 
Setting the Author Name%0a%0aBy default, PmWiki will use a login name in the Author field of the edit form, but allows the author to change this value prior to saving. To force the login name to always be used as the author name, use the following sequence to activate AuthUser:%0a%0a include_once("$FarmD/scripts/authuser.php");%0a $Author = $AuthId;%0a%0a!! See Also%0a%0a* [[PmWiki.Passwords]]%0a* [[PmWiki.PasswordsAdmin]]%0a* [[Site.AuthUser]]%0a%0a%25trail%25%3c%3c|[[Documentation Index]]|>>%0a%0a%0a
+time=1141601272
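Review bot: In the "Creating user accounts" part of the added text= line, the examples that should show what an administrator types are already finished $1$ hashes, so the page never shows the input syntax it describes. The "wonderland" example appears as three different hashes ("alice: $1$YdkEu2Jz$...", then "the "$1$PHVp8s8r$..." part of the text will be replaced"), and the reset paragraph reads "another [@$1$HvrJaMvc$...@] directive". It looks as if the save-time replacement ran on the documentation itself; the examples need escaping so the literal directive survives a save of this page. Two smaller points in the same line: the .htpasswd section says "from a ''.htaccess'' file" and the config.php example sets $AuthUser['htaccess'], while the Site.AuthUser form uses "htpasswd:", so the key and file name should be made consistent; and the $AuthUser['alice'] = crypt('wonderland'); example leaves the cleartext password in local/config.php, which the pre-hashed form shown for carol avoids and which deserves a sentence in the text.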