Contents
MoinMoin supports configurable, modular authenticators to support all sorts of builtin and 3rd party authentication methods.
You use the auth configuration value to set up a list of authenticators that are processed in exactly that order.
When an external user database is used, you do not want to recreate all users in moin manually. For this case the authenticator objects which support user profile creation/updating have a parameter autocreate. If you set it to True a new user profile will be created/updated automatically when a (new) user has passed authentication.
Presently the following authenticators are supported:
Server setup
Authentication
Authenticator class in moin
All
by moin via username/password
MoinMoin.auth.MoinAuth
by PHP session
MoinMoin.auth.php_session.PHPSessionAuth
by moin via external cookie
see contrib/auth_externalcookie/ and HelpOnAuthentication/ExternalCookie
by OpenID
MoinMoin.auth.openidrp.OpenIDAuth
OpenID verification by http://botbouncer.com/
MoinMoin.auth.botbouncer.BotBouncer
by moin via LDAP
MoinMoin.auth.ldap_login.LDAPAuth
by moin via a remote moin wiki
MoinMoin.auth.interwiki - still experimental
by moin configuration, fixed username
MoinMoin.auth.GivenAuth
any Web Server setting REMOTE_USER
e.g. for HTTP Basic, HTTP Digest, SSPI (aka NTLM) or LDAP auth
Apache+SSL
by Apache via SSL client certificate
MoinMoin.auth.sslclientcert.SSLClientCertAuth
Other pseudo-authenticators - These are not strictly authenticators, as they don't authenticate users, but use auth information for other purposes:
MoinMoin.auth.log.AuthLog
will just log login/logout/request, nothing else
MoinMoin.auth.smb_mount.SMBMount
mount some smb share using user/password from login, umount on logout
This is the default auth list moin uses (so if you just want that, you don't need to configure it).
1 from MoinMoin.auth import MoinAuth 2 auth = [MoinAuth()]
Webservers (like e.g. Apache) often support all sorts of authentication plugins (e.g. HTTP basic auth). If the webserver is configured for authentication, it handles authentication before moin gets called. When visiting a resource requiring authentication, you get queried for username/password by a dialog box of your browser. When you submit, 2 things can happen:
username/password is incorrect, usually it will just ask again (if you cancel, it will deny access with a 401 not authorized error)
Moin's GivenAuth authenticator will, by default, just try to log in the user with the username it recieved from REMOTE_USER.
To activate usage of REMOTE_USER for authentication you have to add following lines to wikiconfig.py:
1 from MoinMoin.auth import GivenAuth 2 auth = [GivenAuth(autocreate=True)]
Instead of reading the username from REMOTE_USER, moin can also read it from some other environment variable:
1 from MoinMoin.auth import GivenAuth 2 auth = [GivenAuth(env_var='WHATEVER', autocreate=True)]
REMOTE_USER (or whatever you specify as env_var) is a encoded string and needs to be decoded to unicode. If you don't specify the coding, moin will try 'utf-8' and 'latin-1' (in that order). For non-ASCII characters, this might lead to incorrect results if another coding was used by the web server.
If it fails, you can specify the coding manually:
1 auth = [GivenAuth(env_var='WHATEVER', autocreate=True, coding='cp850')]
Sometimes the user name we receive in REMOTE_USER needs some transformation, so it can sanely be used in the wiki.
GivenAuth has some flags to support some standard transformations, enable whatever you like (give True - the default is all False, meaning disabled transformation):
Flag
Input
Output
strip_maildomain
joe@example.org
joe
strip_windomain
DOMAIN\joe
titlecase
joe doe
Joe Doe
remove_blanks
JoeDoe
The transformations (if enabled) will happen in the order shown.
For example, for some windows domain environments, this might make sense:
1 auth = [GivenAuth(autocreate=True, strip_windomain=True, titlecase=True, remove_blanks=True)]
You can also hardcode a username into your configuration:
1 from MoinMoin.auth import GivenAuth 2 auth = [GivenAuth(user_name=u'Joe Doe', autocreate=True)]
Everyone and everything accessing the wiki will now be logged in as user Joe Doe automatically.
To activate authentication via SSL client certificates you have to add following lines to wikiconfig.py:
1 from MoinMoin.auth.sslclientcert import SSLClientCertAuth 2 auth = [SSLClientCertAuth()]
SSL client certification authentication must be used with a web server like Apache that handles the SSL bits and just presents a few environment variables to Moin.
The SSLClientCertAuth authenticator has a few parameters that you pass to the constructor (example below):
Parameter
Default
Meaning
authorities
None
a list of authorities that are accepted, or None to accept all
email_key
True
indicates whether the email in the certificate should be used to find the Moin user
name_key
indiciates whether the name in the certificate should be used to find the Moin user
use_email
False
if set to True, the account email cannot be changed and is forced to the one given in the certificate
use_name
if set to True, the account name cannot be changed and is forced to the one given in the certificate
autocreate
if set to True, automatically create moin user profiles
For example, to accept only certificates that Apache has verified and that are signed by a certain authority, use:
1 from MoinMoin.auth.sslclientcert import SSLClientCertAuth 2 auth = [SSLClientCertAuth(authorities=['my.authority.tld'])]
or similar.
To activate Single-Sign-On integration with PHP applications, use this module. It reads PHP session files and therefore directly integrates with existing PHP authentication systems.
To use this module, use the following lines of code in your configuration:
1 from MoinMoin.auth.php_session import PHPSessionAuth 2 auth = [PHPSessionAuth()]
PHPSessionAuth has the following parameters:
1 PHPSessionAuth(apps=['egw'], s_path="/tmp", s_prefix="sess_")
apps is a list of enabled applications
s_path is the path of the PHP session files
s_prefix is the prefix of the PHP session files
The only supported PHP application is eGroupware 1.2 currently. But it should be fairly easy to add a few lines of code that extract the necessary information from the PHP session, if you do that, please open a feature request with a patch.
The OpenID authentication plugin allows users to sign in using their OpenID and connect that OpenID to a new or existing Moin account. To allow users to sign in with OpenID, add the plugin to the auth list, or to require OpenID with http://botbouncer.com/ verification use:
1 from MoinMoin.auth.openidrp import OpenIDAuth 2 from MoinMoin.auth.botbouncer import BotBouncer 3 auth = [OpenIDAuth(), BotBouncer("your-botbouncer-API-key")]
OpenID authentication requires anonymous sessions, set the first part of the cookie_lifetime tuple to anything bigger than zero (like cookie_lifetime = (2,12)). See HelpOnConfiguration for more details on the value. For OpenID, very little time should be sufficient.
The OpenID RP code can also be configured for two use cases:
Simply configure the OpenIDAuth authenticator like this:
auth = [OpenIDAuth(forced_service='http://myopenid.com/'), ]
Create an OpenIDServiceEndpoint object and use that for the forced_service parameter:
fs = OpenIDServiceEndpoint() fs.type_uris = OPENID_2_0_TYPE fs.server_url = 'http://localhost:8000/openidserver' fs.claimed_id = 'http://specs.openid.net/auth/2.0/identifier_select' auth = [OpenIDAuth(forced_service=fs), ]
You can specify functions to be called in various steps of the OpenID authentication process to, for example, implement Attribute Exchange. For now, this is not documented here, you'll have to look at the file MoinMoin/auth/openidrp.py.
The LDAP authenticator of Moin enables single-sign-on (SSO) - assuming you already have a LDAP directory with your users, passwords, email adresses. On Linux this could be some OpenLDAP server, on a Windows server (usually the domain controller) this is called "Active Directory" (short: AD).
It works like this:
If username/password is ok for LDAP, it creates or updates a user profile with values from ldap (name, alias, email) and creates a user object in the MoinMoin process, then it hands over to the next authenticator...
So, for example, if you are using 'uid=%(username)s,ou=people,dc=foo,dc=com', as the bind_dn and, you are also using some other authenticators ( like the default MoinAuth ) , then the users added through the alternative authententicator won't be able to authenticate. If however you use a single bind DN as bind_dn = 'cn=moinadmin,dc=foo,dc=com', then your alternative authentication methods will be queried as well, and users added through that authenticator will be able to login.
You need to install python-ldap module (and everything it depends on, see its documentation).
You need an LDAP or AD server.
See wiki/config/more_samples/ldap_wikiconfig_snippet.py in your moin dist archive for a snippet you can use in your wiki config.
Please also read the README file in that directory.
MoinMoin support does not know your LDAP server setup, so please follow these steps before asking for help:
Configure DEBUG logging for MoinMoin.auth.ldap_login and look into the log output.
If you're not successful in talking to your LDAP server with such a tool, you don't need to try with MoinMoin.
Maybe look into MoinMoin/auth/ldap_login.py, if you can debug or fix your problem there.
Only ask MoinMoin support if you successfully used ldapsearch (or some similar tool) and you double checked your wiki config and it does still not work with moin.
1 import xmlrpclib 2 3 name = "TestUser" 4 password = "secret" 5 wikiurl = "http://localhost:8080/" 6 7 homewiki = xmlrpclib.ServerProxy(wikiurl + "?action=xmlrpc2", allow_none=True) 8 auth_token = homewiki.getAuthToken(name, password) 9 10 mc = xmlrpclib.MultiCall(homewiki) 11 mc.applyAuthToken(auth_token) 12 # you can add more xmlrpc method calls to the multicall here, 13 # they will run authenticated as user <name>. 14 result = mc()
For combining e.g. SSL client certificate and username/password authentication, your wikiconfig.py might contain:
1 from MoinMoin.auth import MoinAuth 2 from MoinMoin.auth.sslclientcert import SSLClientCertAuth 3 auth = [SSLClientCertAuth(), MoinAuth()]
In that case, any client certificates that the user provides will be used to log him on, but if they do not provide one they still have the option of logging on with their username/password.
See the commented config file fragment contrib/auth_externalcookie/ and MoinMoin/auth/*.py in your moin distribution archive for examples of how to do authentication. Also, the docstring in MoinMoin/auth/__init__.py contains an explanation of what can be done and how it is achieved.
Authenticators can
