Opened 15 years ago
Last modified 15 years ago
#116 new enhancement
Certificate login fallback to password
Reported by: | foley | Owned by: | |
---|---|---|---|
Priority: | minor | Milestone: | |
Component: | web | Keywords: | |
Cc: |
Description
I've run into this situation a number of times on setting up wiki/CMS for MIT student groups. Most people have certs, but there are a few non-affiliates who can't get them. This means I can't just use the certificate capability of scripts to limit access. What I'd like is either:
- It tries certs, and falls back to asking for a password
or
- There's a cert interface and a password interface (ala mailman)
Particularly for media wiki, but a general solution would also be nice.
Change History (2)
comment:1 Changed 15 years ago by mitchb
- Priority changed from major to minor
comment:2 Changed 15 years ago by adehnert
The work on #1 (available at https://scripts-demo.scripts.mit.edu:444/mediawiki/w/Main_Page) would fix this for Mediawiki. (Also, wow. Extension:SSL_Authentication looks like it might have been a more pleasant starting place than AutomaticREMOTE_User... Oh, well.)
It sounds like this is going to become a CMS-specific issue (of making them use Remote_User), so if you have other CMS's you want solutions for, you should say what they are.
Though it sounds like this isn't well documented, this was pointed out on zephyr when this conversation came up:
========================================================================
Auth: yes Time: Tue Feb 16 12:28:00 2010 Host: LINERVA.MIT.EDU From: Quentin Smith <quentin>
We do actually support having cert auth fall through
Auth: yes Time: Tue Feb 16 12:28:22 2010 Host: LINERVA.MIT.EDU From: Quentin Smith <quentin>
I'm afraid it's poorly documented; http://scripts.mit.edu/news/79/new-features-on-scriptsmitedu
Auth: yes Time: Tue Feb 16 12:29:17 2010 Host: LINERVA.MIT.EDU From: Quentin Smith <quentin>
(i.e., if you add the lines
AuthSSLCertAuthoritative off
AuthOptional on
to your .htaccess file, it will allow you to not present a cert. Hopefully MediaWiki will then let you still use a password login.)
===================================================================
Does that combined with http://www.mediawiki.org/wiki/Extension:SSL_authentication get you what you're looking for? I think that if you set that up and point your cert users at port 444, they'll get logged in automatically (and autocreated, if you want), and your non-cert users on port 80 or 443 would be able to use the regular password-based login mechanism with accounts set up by a sysop. It's admittedly been a while since I've worked on such a setup, but I think it's doable.
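The fall-through discussed in this ticket, seen from the application side, as an added example that is not part of the ticket and is not scripts.mit.edu or MediaWiki code: once a certificate is optional, the application must decide per request whether to trust the server-supplied identity or to ask for a password. It assumes the web server sets the CGI variable REMOTE_USER only when a certificate was presented; the function name, account store, usernames and hashing parameters are constructed for illustration.

```python
import hashlib
import hmac

PBKDF2_ROUNDS = 200_000  # constructed parameter for this sample


def hash_password(password, salt):
    """Derive a password hash; PBKDF2-HMAC-SHA256 is chosen for the example."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


# Constructed sample store for the non-cert users a sysop would set up.
_SALT = b"constructed-salt"
LOCAL_ACCOUNTS = {"guest1": (_SALT, hash_password("correct horse", _SALT))}


def authenticate(environ, form):
    """Return (username, method), or (None, "denied").

    environ: CGI/WSGI-style environment from the web server.
    form:    parsed login form fields (hypothetical keys "username", "password").
    """
    # Trust only REMOTE_USER, which the server sets after verifying a cert.
    # A client-sent "Remote-User" header shows up as HTTP_REMOTE_USER and is
    # attacker-controlled, so it is deliberately never consulted.
    cert_user = environ.get("REMOTE_USER", "").strip()
    if cert_user:
        return cert_user, "cert"

    # No certificate was presented: fall back to the password path.
    username = form.get("username", "")
    password = form.get("password", "")
    record = LOCAL_ACCOUNTS.get(username)
    if record is None:
        # Do the same hashing work for unknown users so response time
        # does not reveal which usernames exist.
        hash_password(password, _SALT)
        return None, "denied"

    salt, expected = record
    if hmac.compare_digest(hash_password(password, salt), expected):
        return username, "password"
    return None, "denied"
```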