HTTP Basic authentication with IIS

Is it possible to use HTTP Basic authentication with IIS? In IIS config GUI, in the properties of my website -> Directory Security Tab -> Authentication and access control Edit.. button, I removed everything except Basic authentication. I'm using MoinMoin 1.5, Python 2.4.2 and IIS 6 on Windows 2003. -- RemyRoy 2006-01-24 21:56:24

from MoinMoin.auth import http
class Config(DefaultConfig):
    user_autocreate = True
    auth = [http]
    #...

Thanks, it works! -- RemyRoy 2006-01-25 16:21:06

Problems with http authentication

The docs for enabling authentication via http auth specify adding the following to wikiconfig.py:

from MoinMoin.auth import http
auth = [http]

This is misleading. To make http auth work, at the *top* of the file add:

from MoinMoin.auth import http

And *inside* the Config class, add

auth = [http]

Note that it appears that the http authentication mechanism is broken in moinmoin 1.5.7-3. I had to use the method defined at http://moinmoin.wikiwikiweb.de/MoinMoinQuestions/Administration (search for "Can apache REMOTE_USER replace moinmoin login?" on that page).

Also, the main authentication help page at http://moinmaster.wikiwikiweb.de/HelpOnAuthentication cites wrong code:

from MoinMoin.auth.http import http
from MoinMoin.auth import moin_session
auth = [http, moin_session]

should be replaced with:

from MoinMoin.auth import http
auth = [http]

This has already been done (corrected?) at http://moinmoin.wikiwikiweb.de/HelpOnAuthentication

Hmm, is it wrong on the new site http://moinmo.in/HelpOnAuthentication ? -- PascalR 2008-01-29 10:49:03

This doesn't work on MoinMoin 1.7; I get the error 'module' object has no attribute 'name' -- fho

This works thx Reimar :) -- fho

How to set .htaccess file for HTTP Basic auth with Apache

I'm running MoinMoin 1.6 on Apache and Python 2.4.4. My ISP allows only FTP access to my /htdocs and /cgi-bin directories, there is only HTTP Basic Authentication, and the only way to configure Apache is the .htaccess files in my directories.

I have the moin.py file in the /cgi-bin directory and the rest of MoinMoin is in /htdocs/moin160. In the /cgi-bin directory the Apache configuration through the .htaccess file does not work. Does authentication with HTTP Basic work with .htaccess settings in the /htdocs/moin160 directory? In case it is possible, what should my .htaccess file look like? -- PascalR 2008-01-29 10:49:03

How do I implement LDAP authentication through Apache

One way to achieve this is to use basic authentication in Apache and http auth in moinmoin (better if you configure ssl in Apache so that password in basic authentication is not in cleartext)

I put the configuration produced below inside a VirtualHost directive in apache site-configuration (e.g., /etc/apache2/sites-available/default on Ubuntu; of course, I had first made sure LDAP server was up and running fine and the LDAP module was loaded properly in Apache; also note that in Ubuntu, in the simplest default setup, speaking of version 7.10, the LDAP search query below should have cn instead of uid though that is a bad strategy and you should instead configure LDAP properly and use uid attribute instead of cn; also in case you do not have a domain, Ubuntu will setup the initial LDAP entries under the domain named nodomain instead of somedomain):

        <IfModule !mod_fastcgi.c>
        ScriptAlias /MyWiki "/usr/share/moin/mywiki/moin.cgi"
        Alias /wiki/ "/usr/share/moin/htdocs/"
        </IfModule>
        <IfModule mod_fastcgi.c>
        AddHandler fastcgi-script .fcgi .fcg
        ScriptAlias /MyWiki "/usr/share/moin/mywiki/moin.fcg"
        Alias /wiki/ "/usr/share/moin/htdocs/"
        </IfModule>
        <Directory "/usr/share/moin/mywiki">
                Order allow,deny
                allow from all

                AuthType Basic
                AuthBasicProvider ldap
                AuthName "Wiki"
                # tweak this ldap query to return a unique user name
                AuthLDAPURL "ldap://localhost:389/dc=somedomain?uid"
                Require ldap-user AnLDAPUser
        </Directory>
        <Directory "/usr/share/moin/htdocs">
                Order allow,deny
                allow from all

                AuthType Basic
                AuthBasicProvider ldap
                AuthName "Wiki"
                # tweak this ldap query to return a unique user name
                AuthLDAPURL "ldap://localhost:389/dc=somedomain?uid"
                Require ldap-user AnLDAPUser
        </Directory>

For basic authentication, I also disabled the login/logout link (was no point having it there): see http://moinmoin.wikiwikiweb.de/HelpOnConfiguration to learn how to do it.

How do I implement LDAP authentication

I have MoinMoin setup and running fine...I would like to use our Active Directory server via LDAP to authenticate and create users. I have read a few pages in this Wiki about it but they don't seem to work. Can someone give me some step by step instructions as in which files to edit/download? Thanks in advance.

How do I integrate LDAP authentication with moin moin? (1)

I read on several pages on this site that MoinMoin can be integrated with LDAP, but none of them seem to explain what needs to be changed. One page lists the wikiconfig, other pages just list python code but don't say what file the code needs to be placed in. Can someone please help me with some instructions?

Thanks

Chris

When authenticating against Microsoft AD with LDAP, the username is not case-sensitive, but MM is. This can cause some trouble, for example when users log in sometimes with lowercase and sometimes with uppercase. MM creates two profiles with different settings, so when a user edits a page he might get a diff email when the other profile has a subscription to that page. To change all usernames to lowercase, add the following entries to auth.py.

These changes are for 1.5.x only, newer versions authenticate another way

about line 131 add

should look like this

    def moin_cookie(request, **kw):
        """ authenticate via the MOIN_ID cookie """
        username = kw.get('name')
        if username: username = username.lower()

about line 331 (ldap_login) add

should look like this

    username = kw.get('name')
    if username: username = username.lower()

After this, the names in all profiles (data/user) must be lowercase; uppercase should be changed to lowercase.

LDAP or Active Directory?

Is user authentication over LDAP and/or Active Directory possible? Thanks -- Pablo

http + ldap authentication (NTLM + Active Directory)

Autologin with auth.http is working on IIS6 with NTLM (Integrated Windows Authentication). Manual login with auth.ldap_login + auth.moin_cookie works, too. Is it possible to combine these methods to autologin with NTLM/http and get aliasname and email from LDAP?

How do I integrate LDAP authentication with moin moin? (2)

I have seen DeronMeranda's post but need more information.

I understand I have to add the following line in my wikiconfig.py for LDAP authentication

    from MoinMoin.auth import ldap_login, moin_cookie
    auth = [ldap_login, moin_cookie]

Looking at MoinMoin/auth.py in MoinMoin, where do I place the following parameters: ldap_coding, ldap_uri, ldap_binddn, ldap_bindpw, ldap_base, ldap_scope, ldap_timeout, ldap_name_attribute, ldap_email_attribute?

How do I debug this? By setting ldap_verbose in the same place as the above parameters ?

Where do the debug messages appear?

Is there any other place I can be pointed to for LDAP authentication in MoinMoin?

Help will be greatly appreciated. -- Jehan

Why bother with banging your head to get MoinMoin to talk to your Active Directory LDAP server?

Use Apache's LDAP authentication module instead, and pass it to MoinMoin's HTTP authentication method!

My .htaccess:

AuthName "My Wiki"
AuthBasicProvider ldap
AuthLDAPBindDN "user@domain.tld"
AuthLDAPBindPassword "mypassword"
AuthType Basic
AuthLDAPURL "ldap://mydc.domain.tld:389/DC=Domain,DC=tld?sAMAccountName?sub?(objectClass=user)" NONE
Require ldap-attribute objectClass=user

How do I integrate LDAP authentication with moin moin? (3)

Looking at MoinMoin/auth.py in MoinMoin, where do I place the following parameters: ldap_coding, ldap_uri, ldap_binddn, ldap_bindpw, ldap_base, ldap_scope, ldap_timeout, ldap_name_attribute, ldap_email_attribute?

Can you give me an example of what I need to put in wikiconfig.py for one of the variables, let's say ldap_binddn? Unfortunately the sample config in wiki/config/more_samples/ is not great at all.

Thank you Jehan

Notes for ldaps

Ubuntu 9.04, MoinMoin 1.8.2 and OpenLDAP server

After following the Ubuntu Documentation on installing MoinMoin (https://help.ubuntu.com/8.04/serverguide/C/moinmoin.html with some minor changes to the Alias entry in the Apache2 config), here's how I got LDAP authentication working on Ubuntu 9.04 which uses MoinMoin 1.8.2 against an OpenLDAP server after installing the python-ldap package (via sudo apt-get install python-ldap).

LDAP (without SSL or TLS)

LDAP with an unencrypted connection was straightforward. I added the following configuration to the end of my wiki config file (/etc/moin/mywiki.py). I've removed all the comments that appeared in the sample LDAP authentication snippet file /usr/share/moin/config/more_samples/ldap_wikiconfig_snippet for brevity. You will definitely need to change the server_uri setting and may need to change other settings such as bind_dn to match your OpenLDAP setup.

from MoinMoin.auth.ldap_login import LDAPAuth
ldap_authenticator1 = LDAPAuth(
    server_uri='ldap://ldap.domainname.com/',
    bind_dn='uid=%(username)s,ou=people,dc=domainname,dc=com',
    bind_pw='%(password)s',
    scope=2,
    referrals=0,
    search_filter='(uid=%(username)s)',
    givenname_attribute='givenName',
    surname_attribute='sn',
    aliasname_attribute='displayName',
    email_attribute='mailRoutingAddress',
    email_callback=None,
    coding='utf-8',
    timeout=10,
    start_tls=0,
    tls_cacertdir=None,
    tls_cacertfile=None,
    tls_certfile=None,
    tls_keyfile=None,
    tls_require_cert=0,
    bind_once=True,
    autocreate=True,
)
auth = [ldap_authenticator1, ]
cookie_lifetime = 1

LDAP over SSL (ldaps)

Using Ubuntu 9.04, I initially tried to get ldaps to work by first getting LDAP (without SSL or TLS) to work and then modifying the server_uri and tls_cacertfile entries. However, this came back with an LDAP server connect failure error. The problem was that the tls_* config settings that were not being used were set to '' when they needed to be set to None. Commenting them out didn't help, as the default values set in ldap_login.py are also ''. I notice that in the current release (MoinMoin 1.8.4 at the time of writing) the default values in ldap_login.py are set to None, so that little bug has been fixed. The following settings in /etc/moin/mywiki.py got ldaps working a treat on Ubuntu 9.04 against an OpenLDAP server. You will definitely need to change the server_uri setting and may need to change other settings such as bind_dn and tls_cacertfile to match your OpenLDAP setup.

from MoinMoin.auth.ldap_login import LDAPAuth
ldap_authenticator1 = LDAPAuth(
    server_uri='ldaps://ldap.domainname.com/',
    bind_dn='uid=%(username)s,ou=people,dc=domainname,dc=com',
    bind_pw='%(password)s',
    scope=2,
    referrals=0,
    search_filter='(uid=%(username)s)',
    givenname_attribute='givenName',
    surname_attribute='sn',
    aliasname_attribute='displayName',
    email_attribute='mailRoutingAddress',
    email_callback=None,
    coding='utf-8',
    timeout=10,
    start_tls=0, # ignored when using ldaps
    tls_cacertdir=None,
    tls_cacertfile='/etc/ssl/certs/ca-certificates.crt',
    tls_certfile=None,
    tls_keyfile=None,
    tls_require_cert=0,
    bind_once=True,
    autocreate=True,
)
auth = [ldap_authenticator1, ]
cookie_lifetime = 1

LDAP with TLS (start_tls)

The problem I described in "LDAP over SSL (ldaps)" also occurred for me when using start_tls. Here are the settings I used to get start_tls working on Ubuntu 9.04 against an OpenLDAP server. You will definitely need to change the server_uri setting and may need to change other settings such as bind_dn and tls_cacertfile to match your OpenLDAP setup.

from MoinMoin.auth.ldap_login import LDAPAuth
ldap_authenticator1 = LDAPAuth(
    server_uri='ldap://ldap.domainname.com/',
    bind_dn='uid=%(username)s,ou=people,dc=domainname,dc=com',
    bind_pw='%(password)s',
    scope=2,
    referrals=0,
    search_filter='(uid=%(username)s)',
    givenname_attribute='givenName',
    surname_attribute='sn',
    aliasname_attribute='displayName',
    email_attribute='mailRoutingAddress',
    email_callback=None,
    coding='utf-8',
    timeout=10,
    start_tls=2,
    tls_cacertdir=None,
    tls_cacertfile='/etc/ssl/certs/ca-certificates.crt',
    tls_certfile=None,
    tls_keyfile=None,
    tls_require_cert=0,
    bind_once=True,
    autocreate=True,
)
auth = [ldap_authenticator1, ]
cookie_lifetime = 1
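
The three variants above differ only in a few transport-related keyword arguments, and all three keep tls_require_cert=0. The check below is an added example, not part of the original notes or of MoinMoin: it audits those arguments as a plain dict (the function names are hypothetical). It assumes tls_require_cert is handed to python-ldap unchanged, where 0 is OPT_X_TLS_NEVER and 2 is OPT_X_TLS_DEMAND, and that start_tls=2 means "StartTLS required" as in the StartTLS config above.

```python
# Added example (not MoinMoin code): audit LDAPAuth keyword arguments.
# Assumptions: tls_require_cert is passed to python-ldap unchanged, and
# start_tls=2 means "StartTLS required", as in the page's StartTLS config.

# Numeric values of python-ldap's constants, hard-coded so this runs without it.
OPT_X_TLS_NEVER = 0   # never verify the server certificate
OPT_X_TLS_DEMAND = 2  # require a certificate that validates

TLS_PATH_KEYS = ("tls_cacertdir", "tls_cacertfile", "tls_certfile", "tls_keyfile")


def audit_ldap_settings(settings):
    """Return finding strings ("code: detail") for one LDAPAuth kwargs dict."""
    findings = []
    uri = settings.get("server_uri", "")
    encrypted = uri.lower().startswith("ldaps://") or settings.get("start_tls", 0) == 2

    if not encrypted:
        # bind_pw='%(password)s' means the user's own password crosses the wire.
        findings.append("cleartext: simple bind to %s is not encrypted" % uri)
    elif settings.get("tls_require_cert", OPT_X_TLS_NEVER) == OPT_X_TLS_NEVER:
        findings.append("no-verify: tls_require_cert=0 accepts any server certificate")

    for key in TLS_PATH_KEYS:
        if settings.get(key) == "":
            # The connect failure described in the ldaps notes: '' instead of None.
            findings.append("empty-string: %s='' must be None when unused" % key)
    return findings


def codes(settings):
    """Just the finding codes, in order, for compact comparison."""
    return [f.split(":", 1)[0] for f in audit_ldap_settings(settings)]


# Settings copied from the page's three variants (transport-related keys only).
_UNUSED = dict.fromkeys(TLS_PATH_KEYS)  # every tls_* path set to None
PAGE_PLAIN = dict(_UNUSED, server_uri="ldap://ldap.domainname.com/",
                  start_tls=0, tls_require_cert=0)
PAGE_LDAPS = dict(_UNUSED, server_uri="ldaps://ldap.domainname.com/", start_tls=0,
                  tls_cacertfile="/etc/ssl/certs/ca-certificates.crt",
                  tls_require_cert=0)
PAGE_STARTTLS = dict(PAGE_LDAPS, server_uri="ldap://ldap.domainname.com/", start_tls=2)

# Constructed variants: the '' defaults that broke ldaps, and a verifying config.
BROKEN_DEFAULTS = dict(PAGE_LDAPS, tls_cacertdir="", tls_certfile="", tls_keyfile="")
VERIFYING = dict(PAGE_LDAPS, tls_require_cert=OPT_X_TLS_DEMAND)

if __name__ == "__main__":
    for name in ("PAGE_PLAIN", "PAGE_LDAPS", "PAGE_STARTTLS",
                 "BROKEN_DEFAULTS", "VERIFYING"):
        print(name, audit_ldap_settings(globals()[name]) or "ok")
```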

LDAP Groups

I want to permit only members of certain LDAP group to logon to my wiki.

I have modified auth.py like the following:

        try:
            request.log("MEMBER %s" % ldap_dict['memberOf'].index("CN=blob,CN=Users,DC=vmware,DC=com"))
        except:
            request.log("NOT A MEMEBER of blob!")
        else:
            return user_obj, True
        if result_length != 1:

I thought this would work since if the user is a member of blob, it'll return the user object. But currently, it lets everyone log on, just like before. Any suggestions?

Suggestion: Add a filter to your ldap configuration in wikiconfig.py to only return users that are in the desired groups. For example, you could use something like the following.

...
       search_filter='(&(uid=%(username)s)(memberOF=cn=wiki,cn=blob,cn=Users,dc=vmware,dc=com))', 
...
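
The control flow of the patch in the question, next to a variant that denies explicitly, as an added example (stand-in functions written for Python 3, not MoinMoin's auth.py or the poster's code). In the posted lines the `except` branch only logs, so a non-member continues into the code that follows. The function names, the simplified return values (a username or None) and the sample entries are hypothetical.

```python
# Added example: fail-open vs fail-closed group check. Stand-in functions only;
# nothing here is MoinMoin's auth.py. Sample directory entries are constructed.

REQUIRED_GROUP = "CN=blob,CN=Users,DC=vmware,DC=com"  # group DN from the question


def rest_of_original_login(username):
    """Stand-in for the unmodified code after the patch: it accepts the user."""
    return username


def login_patched(username, ldap_dict):
    """Same control flow as the posted patch."""
    try:
        ldap_dict["memberOf"].index(REQUIRED_GROUP)
    except Exception:
        pass  # the post only logs here, so execution continues below
    else:
        return username
    return rest_of_original_login(username)  # non-members end up here


def is_member(ldap_dict, group_dn):
    """Lower-cased DN comparison (simplified); no memberOf attribute means no."""
    wanted = group_dn.lower()
    return any(dn.lower() == wanted for dn in ldap_dict.get("memberOf", []))


def login_fail_closed(username, ldap_dict):
    """Deny explicitly when the group is absent instead of falling through."""
    if not is_member(ldap_dict, REQUIRED_GROUP):
        return None
    return rest_of_original_login(username)


# Constructed entries, shaped like the attribute dict of an LDAP search result.
MEMBER = {"uid": ["alice"], "memberOf": ["cn=blob,cn=Users,dc=vmware,dc=com"]}
OTHER_GROUP = {"uid": ["bob"], "memberOf": ["CN=staff,CN=Users,DC=vmware,DC=com"]}
NO_GROUPS = {"uid": ["carol"]}

if __name__ == "__main__":
    for name, entry in (("alice", MEMBER), ("bob", OTHER_GROUP), ("carol", NO_GROUPS)):
        print(name, "patched:", login_patched(name, entry),
              "fail-closed:", login_fail_closed(name, entry))
```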

How to require SSL+httpd auth for specific operations

I can get SSL+httpd auth working just fine, but I can't figure out how to set things up so that both are required for write/admin/etc access, but neither are required for read access. Any ideas?

SSL Login

Is it possible for just the login/user create/user preferences portion of a wiki to be redirected to a secure link, but all other pages run in a non-encrypted fashion? -- MichaelLaccetti 2007-02-27 05:19:02

How can you configure moin to require SSL for everything (On apache)? It seems to ignore the RequireSSL flag in httpd.conf. -- Alexander Faucher

Embedding MoinMoin -- Automatic User Login?

I'm looking to embed MoinMoin into an application that uses php, and I was wondering how I could go about using php_session for a single sign on integration. I see that it's currently only supported with eGroupWare 1.2, but examples on how to use php_session to extract session info seems to not be around, as well as trying to get it to work for another application. Any help here? Thanks in advance. StevenM 05-Mar-2008

I'd like to use MoinMoin as a Wiki-based knowledge base by opening an appropriate URL from inside an application. Since my application has a user database built-in, it is necessary to promote the user ID to the wiki. Provided that the MoinMoin user IDs are the same as the application's: Is it possible to embed the user ID (and, optionally, the password) into the URL of the wiki page to be shown? Thx... StefanK 14-Dec-2006

I needed similar functionality to hook salesforce.com into MoinMoin as a knowledge base. Another use for me is for a phone/email list page for my neighborhood. While I don't want to force everyone to create a user profile and login just to get to the phone number list, I also want to deny access to anonymous Internet users that might happen onto my site. I found (url) which has the format for logging in with a one-click URL.

One-click login requires this format:
 http://someserver.org/moin/moin.cgi/HomePage?action=login&name=somename&password=yourpwd&login=login 

Now I can create a standard 'guest' account and email the one-click URL. The page will be fairly safe from anonymous Internet bad people and the intended recipients have a good end-user experience. -- CraigA 4/1/2007

Feedback: the discussion link above showed the way for me: I had to disable the POST-only check for the login action (userform.py, approx. line 90). Now simply GETting the URL works fine. Thank you very much! StefanK 21-Feb-2007

Feedback: This was the best bit of information I have found on the web for a while, works like a charm. Thank you so much for reposting it from the MoinMoinChat link. DominicF 03/12/2009
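
A one-click URL of this form carries the password in the query string, so the web server records it in its access log and it can reappear in Referer fields. The following is an added example, not from the posts above: it finds such GET logins in access-log lines and redacts the password value. The log lines are constructed, the combined log format is an assumption, and the function names are hypothetical.

```python
# Added example: find one-click login requests in an access log and redact
# the password. Log lines are constructed; combined log format is assumed.
import re
from urllib.parse import parse_qsl, urlsplit

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Value of a password= query parameter, wherever it occurs in the line
# (request line or Referer field).
PASSWORD_VALUE_RE = re.compile(r'(?<=[?&]password=)[^&\s"]*')


def login_name_in_url(line):
    """Account name if the request line is a GET login with a password, else None."""
    m = REQUEST_RE.search(line)
    if not m or m.group("method") != "GET":
        return None
    query = urlsplit(m.group("target")).query
    params = dict(parse_qsl(query, keep_blank_values=True))
    if params.get("action") == "login" and "password" in params:
        return params.get("name", "")
    return None


def scrub(lines):
    """Return (redacted_lines, findings); a finding is (line_no, client, account)."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        account = login_name_in_url(line)
        if account is not None:
            findings.append((line_no, line.split(" ", 1)[0], account))
    redacted = [PASSWORD_VALUE_RE.sub("REDACTED", line) for line in lines]
    return redacted, findings


# Constructed sample: a one-click login, a later request whose Referer still
# carries the login URL, and an ordinary POST that must stay untouched.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Apr/2007:10:00:01 +0000] "GET /moin/moin.cgi/HomePage?action=login&name=guest&password=s3cr%21t&login=login HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [01/Apr/2007:10:00:05 +0000] "GET /moin/moin.cgi/PhoneList HTTP/1.1" 200 2048 "http://someserver.org/moin/moin.cgi/HomePage?action=login&name=guest&password=s3cr%21t&login=login" "Mozilla/5.0"',
    '198.51.100.9 - - [01/Apr/2007:10:01:00 +0000] "POST /moin/moin.cgi/HomePage HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    redacted, findings = scrub(SAMPLE_LOG)
    for finding in findings:
        print("password in URL: line %d, client %s, account %s" % finding)
    print("\n".join(redacted))
```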

How can I implement single login for a farm

I would like to have users log into all wikis in our farm from one login. The user accounts are already shared across the farm but you have to log in to each instance separately. I did try setting cookie_domain = 'mainwiki' but this just prevented login from working. I am not sure that I used it correctly.
We are using moin in standalone with one main wiki (mainwiki), and some project specific wikis (projecta.mainwiki and projectb.mainwiki). Cheers, -- ManuPoletti 2008-04-29 00:59:43

I have got the same problem. We run a wikifarm with many wikis. But the question now is: What do I have to do so that one user account is able to write/revert whatever in every wiki? Madis R. 09-Sep-2008

Solution:

for more information see HelpOnConfiguration and here HelpOnSessions, bye -- MarcelHäfner 2009-04-04 08:04:02

In answer to my previous post (2008-04-29): you need to set the cookie_domain config item to be the common part of the domain name that your wikis will share. -- ManuPoletti 2024-03-28 23:44:16

How do I integrate LDAP authentication with moin moin? (4)

I have combined LDAP/AD authentication with moinmoin auth for cases when the user is not listed in AD.

Firstly, I just added config data from samples followed by the auth = [my_ldap_authenticator, MoinAuth()] line. But I discovered that if the user connected to LDAP successfully, but could not be authenticated there, then according to auth/ldap_login.py the authentication stopped with CancelLogin.

When I replaced that line with ContinueLogin, like it is implemented for the ldap.SERVER_DOWN exception, then everything worked fine.

So I wonder why don't developers use ContinueLogin for ldap.INVALID_CREDENTIALS too? -- AlexanderAgibalov 2009-06-30 13:40:55

I thought the usual use case for LDAP is that it is authoritative about who is able to log in and who is not, thus it does not set the continue flag if someone is not in the directory. -- ThomasWaldmann 2009-06-30 18:06:58

OK, I see. Then I'll just apply this patch myself for every upgrade of my wiki. The reason why I need this is that we have corporate users who are listed in AD and several contractual employees who are not. Currently we are using native authentication, but people continue to constantly forget not only their passwords, but usernames too :) But they always remember their AD credentials. -- AlexanderAgibalov 2009-07-01 11:02:18

I have the same usecase for LDAP fall through to native moinmoin authentication, external contractors mixed with AD users. -- diepes 2012-09-11 10:58:55

Authentication drops on IE8

Some users of my MoinMoin 1.8.4 (it seems that this mostly concerns users with limited Windows accounts) experience the following problem after upgrading to IE8: they log in successfully, then navigate to any page and their authentication drops for no reason, so they have to log in again. Earlier it helped to switch to IE's "Compatibility view" (couldn't find how to save this setting), but it seems that with some recent IE patches this doesn't work anymore for most of the users. So I wonder what the problem is and how to fix it? Any chance that this is fixed in moin 1.9? -- AlexanderAgibalov 2009-11-05 08:08:55

The "logged in session" depends on moin's session cookie. So maybe try clearing all moin-related cookies from the user's browser and then log in again. If you can reproduce the problem, please file a bug giving all details about how to reproduce. Whether it works better with 1.9 you could check with 1.9.0rc1 (I don't remember fixing anything related to that, though). -- ThomasWaldmann 2009-11-05 08:20:24

At last found a virtual machine where I experience the issue myself. Discovered that the problem is solved by cleaning up the user Cookies directory MANUALLY. Using the native IE cleanup mechanism doesn't help. A bit surprised by the cause of this behavior. -- AlexanderAgibalov 2009-11-06 12:03:58

MoinMoin: MoinMoinQuestions/Authentication (last edited 2017-02-01 16:19:46 by pD9E5A773)