I'm trying to integrate Apache2 authentication to MT. This setup is working for other apps, in the case of MT I'm being asked for user/passwd by apache2, the authentication succeeds, but MT is not happy....
The message I get (in spanish, sorry):
---------
Lo sentimos, pero no tiene permisos para acceder a ninguno de los blogs en esta instalaciĆ³n. Si cree que este mensaje se le muestra por error, por favor, contacte con su administrador de Movable Type.
---------
Part of mt-config.cgi:
---------
# == Auth ==
AuthenticationModule BasicAuth
ExternalUserManagement 1
---------
Any ideas?
Reported on Movable Type 4.2
http://www.sixapart.com/movabletype/docs/3.3/d_configuration_directives/authenticationmodule.html says that AuthenticationModule is only supported in MT Enterprise. What version of MT are you using?
The OpenSource version?
That doc is for MT v3.3, supposedly the BasicAuth is available in the free version as it relies on Apache2 basic authentication only. Adding that configuration directives makes the login form from MT disappear, but it doesn't like the authenticated user apparently....
Ref: http://www.movabletype.org/documentation/developer/mtauth.html
You may want to bring this to the attention of MTOS-dev (http://www.movabletype.org/opensource/mailing-lists.html ) in the event that it is outdated or incomplete documentation.
Just opened a bug report....
Ref: http://bugs.movabletype.org/default.asp?100341
The bug tracking system isn't as important as in other OS projects apparently... No assignment or comments so far...
Movable Type has a smaller development team than most OS projects, and many of 6A's engineers are focused on various projects like Vox, LiveJournal and upcoming releases like Motion.
Also tried with the developer mail list without luck... This is supposed to be a working feature, i'm not asking for something new. Hope someone gets some minutes to check it out...
Regards,
http://www.movabletype.org/documentation/appendices/config-directives/ is the latest list of config directives, and it says that ExternalUserManagement is MT-Enterprise only.
It doesn't state "ExternalUserManagement is MT-Enterprise only.", I can see it has a "enterprise" tag, but that document is from 2007.
Well, that parameter is only to autocreate the users if they are authenticated by other methods. Let's assume I comment it out, I already created my user in MT before attempting external auth.
I downloaded the free version and from the code I can see the BasicAuth module is included.
lib/MT/Auth/
BasicAuth.pm
LiveJournal.pm
MT.pm
OpenID.pm
TypeKey.pm
Vox.pm
Hi
I just took a look in Ciro's problem and i found the problem.
when you install MT or MTOS, you create an admin user.
in my case i called it mixel.
after install, and set up mt ot use the BasicAuth, and log in as mixel via http basic auth, mt toldme exaclty what Ciro saids.
A little view in the mt_author table give as the reason, we have 2 users called mixel, the first is the created by mt on the instalation with a id 1, and the other, is the created for the BasicAuth.
What you can do is simply change the author_auth_type from the first from MT to BasicAuth, and delete the second user.
After the change you can relogin into mt and now you are the full admin of mt.
I talked with ciro last night and this solved his problem.
Kind regards
Was there no way to assign the privileges on your original user to the second user from within the CMS?
Nope, as the regular login form disappears when Apache2 authentication was in place.
So basically, the current workaround for Apache authentication involves setting author_auth_type='BasicAuth' (direct database edit) for the first admin user after setting up the authentication.
Also apparently found a bug, when external authentication is used, you can't submit changes to fields "Public name" and "e-mail" as all the password related fields disappear and the form still thinks "Password Hint" is mandatory
That still doesn't address the issue. The feature is functionally broken in its current state because you couldn't assign Movable Type privileges to the second user when you switched the authentication mechanism. What this means is that you can authenticate a user, but not authorize a user, in this package, and that's a problem because authentication is only the first step.
Well there is a workaround, if you really want to give to the second user the full admin privileges, so just comment out the BasicAuth, login as normal admin, give all the privileges to the other user and move back to BasicAuth.
Not perfect but it works.
It is a "good workaround," but I think it shows a critical lack of functionality here.
Yes i agree.
What about if the admin could change the way the users login?
For example you can just intall your mt, setup all your blogs, maybe some users, then change the your own way to login to BasicAuth. Then you can setup everything to use BasicAuth and you are done.
When you need to come back for some reason to normal login you can do it whit a simple change in your user. So no dangerous changes in the database or workarounds.
The simplest approach would be to make it so that when you login as a BasicAuth user, it creates a new mt_author entry for that user, and then in the Manage Users area under system view, you can assign privileges to that user.
mmm well but this is exactly the way that mt works with BasicAuth.
when you login for first time into mt via BasicAuth, mt creates an entry into mt_author, but with no privileges.
As system administrator you can give any privilege to that user.
Basically the main problem is for the first user, the full adminstrator, that can't sing using BasicAuth.
Kind Regards
Pd sorry for typos in previous comments.
thanks
perfect forum site, thanks.
Thanx
Thank you