Opened 11 years ago

Last modified 11 years ago

#116 new enhancement

Certificate login fallback to password

Reported by: foley Owned by:
Priority: minor Milestone:
Component: web Keywords:
Cc:

Description

I've run into this situation a number of times on setting up wiki/CMS for MIT student groups. Most people have certs, but there a few non-affiliates who can't get them. This means I can't just use the certificate capability of scripts to limit access. What I'd like is either:

  1. It tries certs, and falls back to asking for a password

or

  1. There's a cert interface and a password interface (ala mailman)

Particularly for media wiki, but a general solution would also be nice.

Change History (2)

comment:1 Changed 11 years ago by mitchb

  • Priority changed from major to minor

Though it sounds like this isn't well documented, this was pointed out on zephyr when this conversation came up:

======================================================================== Auth: yes Time: Tue Feb 16 12:28:00 2010 Host: LINERVA.MIT.EDU From: Quentin Smith <quentin>

We do actually support having cert auth fall through

Auth: yes Time: Tue Feb 16 12:28:22 2010 Host: LINERVA.MIT.EDU From: Quentin Smith <quentin>

I'm afraid it's poorly documented; http://scripts.mit.edu/news/79/new-features-on-scriptsmitedu

Auth: yes Time: Tue Feb 16 12:29:17 2010 Host: LINERVA.MIT.EDU From: Quentin Smith <quentin>

(i.e., if you add the lines

AuthSSLCertAuthoritative off AuthOptional? on

to your .htaccess file, it will allow you to not present a cert. Hopefully MediaWiki? will then let you still use a password login.) ===================================================================

Does that combined with http://www.mediawiki.org/wiki/Extension:SSL_authentication get you what you're looking for? I think that if you set that up and point your cert users at port 444, they'll get logged in automatically (and autocreated, if you want), and your non-cert users on port 80 or 443 would be able to use the regular password-based login mechanism with accounts set up by a sysop. It's admittedly been a while since I've worked on such a setup, but I think it's doable.

comment:2 Changed 11 years ago by adehnert

The work on #1 (available at https://scripts-demo.scripts.mit.edu:444/mediawiki/w/Main_Page) would fix this for Mediawiki. (Also, wow. Extension:SSL_Authentication looks like it might have been a more pleasant starting place than AutomaticREMOTE_User... Oh, well.)

It sounds like this is going to become a CMS-specific issue (of making them use Remote_User), so if you have other CMS's you want solutions for, you should say what they are.

Note: See TracTickets for help on using tickets.