This stems from a discussion between Lonny, Curt Beckmann, and myself (Chriswaterguy). We agreed to seek input from Mel Chua (User:Mchua). Nevertheless, others may feel free to add/comment.
- It's worth noting that there are 2 related issues: User Profile (including Preferences, i.e. data related to the user) and User Authentication (the secure way of "knowing" that the user is who they claim to be). This distinction comes up a bit later.
- If cross-login were really easy, we would like to do it now, but seems it might be wiser to wait, and only fiddle with login databases once. Later thought: If we did find a way that MediaWiki is in control of the database , that shouldn't be an issue, as the original database won't be modified, just accessed.
- Note: given that MediaWiki is the existing database, and Drupal uses a different format, this may be a problem we need to address at some point anyway.
- Chris would be keen to launch ASAP (like, yesterday) but recognizes that it doesn't look practical. We agreed to chat to Mel, but don't expect an easy answer.
- OpenID in Drupal 6 is a suggested solution - do we wait for this?
- OpenID only really addresses the Authentication question, and perhaps bits and pieces of User Profile
- What's security like? I'm worried about OpenID... if one OpenID provider is compromised then aren't all OpenID's suspect, and so we have to send all OpenID users through captcha at least once? (though using captcha this way shouldn't be too hard, I suspect.) (CurtB thinks the Security is such a core issue for OpenID that they MUST have addressed it already...but no harm in proving that :-)
- creation of OpenID account - harder than a regular MediaWiki account (for really non-geeky people)? (CurtB believes this will be a piece of cake, and once someone has established their OpenID credentials, logins at new sites will be easier than the current "create account" process)
- ease and speed of login with OpenID- has this improved?
- Do we want to completely rely on OpenID? This means people have to have OpenID to sign in to the Drupal site - this bothers me, as it's a barrier and will turn some people off. Should we have our own shared MediaWiki/Drupal database as well?
Proposed short term solution[edit | edit source]
- We get the latest stable version of Drupal (5.3) and/or Drupal 6 Beta, and play with it.
- On Drupal 6 Beta, not all modules are available yet. The modules we'd really like are:
- Email notification
- Image assist/inline imaging (rolled into 6.0?), to display an image without being forced to use the upload/attach feature. (took 2 modules to do this?
- Custom filter - to allow wiki style formating
- Views (rolled into 6.0?)
- On Drupal 6 Beta, not all modules are available yet. The modules we'd really like are:
- Launch the blog publicly and go full speed with that, but have login switched off for commenters - people put in their details each time and go through captcha.
- Start a forum trial phase.
- Invite only "inner circle", knowing that it's possible we'll have to get them to re-register later. (Is it possible that we'll lose content; of course we would at archive it in some form so it would still be searchable and readable, but better not to lose it, esp if the trial gets going in an active way.)
- To experiment with (and get benefit from) the effects on search engine rankings, move the entire Drupal system to Appropedia domain. Don't link to the forum from mainspace, but link from a few Project space pages (those with the Appropedia: prefix).
- Have a big banner that says "Alpha (not even Beta yet)" (for the non-geeks), and gives appropriate warnings, but still invites people to join in if they want.
MW master[edit | edit source]
Update: it looks most likely that we'll be trying to use OpenID to handle the cross-login. See the chat with Pyutaros for more info on this. Of course if there is another solution, we're open to that as well.
It's possible (and for our purposes, since MW is the main part of the site, possibly better) to have Drupal authenticate against another program instead of the other way around.
- Drupal can be modified to use an external user table such as one from Mediawiki. This looks like it would take a decent Drupal hacker several days of work.
- this is one way to check remote user tables (not directly applicable to our case but potentially helpful for understanding drupal auth code later on).
Recent discussion about using MW master[edit | edit source]
Edited transcript of a chat, on 11 Jan 2008, with Pyutaros (who set up http://web.archive.org/web/20170925040225/http://kfol.org/, a Drupal-based wiki & forum site, among other sites, and is now working on http://drupal.org/project/family ):
- pyutaros: You guys having luck with your Drupal site?
- pyutaros: There's a couple single sign-on solutions out there.
- Chriswaterguy: ...we're starting with an existing MW login database
- pyutaros: Does OpenID work for MediaWiki?
- Chriswaterguy: … yes
- pyutaros: Drupal 6 is already out.
- pyutaros: That's your solution.
- … I have a test site here.
- Chriswaterguy: k
- Chriswaterguy: which means logging in separately, though?
- pyutaros: Yes, but you're halfway there.
- … Then you'd only need to find a way to pass your session cookie from one to the other.
- Chriswaterguy: any idea how?
- pyutaros: Not off the top of my head. Basically, you'd have to alter the authentication for both to check to see if your logged into the other.
- … I'd have to look at the code.
- Chriswaterguy: one-way is enough I think.
- … Drupal login can redirect to MW login.
- pyutaros: Not exactly.
- … Since they're independent of each other, the have their own session cookies.
- … I'm curios to see how much differently they store their user info.
- Chriswaterguy: … so... the danger is that if the user was on forums, then much later went to the wiki, they could find that the wiki session had expired due to inactivity?
- pyutaros: something like that yes.
- … So, this may sound Greek to you...
- … But Drupal's user table has this format...
- pyutaros: uid name pass mail mode sort threshold theme signature created access login status timezone language picture init data
- … The only pieces it uses to log in are UID & pass.
- … Just brainstorming out loud.
- … Yikes! There's 114 different authentication modules.
- … Looking through Drupal's modules right now.
- … Well, there's no pre-fab that integrates with MW from Drupal's side.
- … I'm sure your techies knew this.
- … You want Drupal to integrate with MW, not vice versa.
- pyutaros: Hence you need to alter Drupal's code, or use a Drupal module.
- pyutaros: Okay, my eyes are blurring over a little.
- … I think sessions.inc would be a good place to start.
- … It's in the includes directory.
- pyutaros: I think the other place to make modifications would be in the USER module in the MODULES directory.
- … Here's the overall goal:
- … You want to tell Drupal not to look at Drupal's UID and PASS, but instead to look at MW's ??? and ???. Those places I listed are likely candidates.
- … The other catch is that you would have to have Drupal and MW share the same database, which is no problem as long as you assign the drupal items a prefix. (like dru_????)
- … That's about it.
- … Feel free to point your folks to my IM if they have some specific questions.
- pyutaros: Oh, a much simpler way of integrating the two occurred to me.
- … You were saying earlier that you have a module that integrates MW with Drupal (opposite of what you want to do.) [see mw:Extension:AuthDrupal - a signin integration for MediaWiki as slave of Drupal] You could however do a one time copy of the MW db table info into Drupal's tables. Then, you'd have all the user info for MW and keep all your existing profile info.
- … Just an idea either way.
- … Like I said, have them contact if they have questions.
Resources[edit | edit source]
Existing solutions - Drupal master[edit | edit source]
- mw:Extension:AuthDrupal - has been used (successfully, I gather) when setting up MediaWiki at the same time (or after, I guess) Drupal. Uses Drupal login database. Maarten not sure about how to start from existing MediaWiki site. Would require transferring the username database to Drupal, and we don't know if that's possible. Maarten (AuthDrupal's creator) suggested that they might have different formats.
- Emu is a plugin similar to AuthDrupal, but AuthDrupal seems to be more well developed and supported.
Curt said via email: "there are apparently two ways that people currently do it. ... http://drupal.org/node/28217
And there is a methodology whereby both drupal and Mediawiki use LDAP to do authentication." See here for the Mediawiki part. (Mel: I don't know about this route, since we're not currently running LDAP for authentication and it means Yet Another Thing To Set Up.)
Note there has been talk of an option of having two databases and keeping them synched - presumably this means logging on to each separately. Full cross login seems better - being logged in to one means being logged into both. Apart from convenience, it probably minimizes the risk of conflict between two databases (or so it seems to me).
Friendly people who know Drupal[edit | edit source]
- Maarten van Dantzich (a.k.a. Thinkling), creator of AuthDrupal
- pyutaros, owner of kfol.org
- Drupal developer working for EWB-UK, wanted to get MediaWiki and Drupal working together at their Beta site, but has been hard. The "Knowledge" button was hoped to take the user to a MediWiki platform. (Chris will suggest AuthDrupal. Contact via Andrew Lamb, via Chriswaterguy · talk)
Non-Drupal alternatives[edit | edit source]
Ideas being thrown around at: Appropedia:Non-Drupal alternatives for Appropedia forum and blog.
Sharing with other Drupal sites[edit | edit source]
There are various mentions on the web of shared logins between sites - in the case of AuthDrupal it's by passing cookies, not sure about the others. It seemed (though I'm not clear) that they didn't have to be on the same domain. This is mentioned in regard to Drupal sites, and also the AuthDrupal extension's feature of allowing login to multiple wikis - see the note about version 0.4 in the Change History. (But presumably the wikis would all need to be set up together with or after the Drupal site?)
Anyway, this might mean that if we had MediaWiki handle the login, we'd lose the potential advantage of sharing a login with other Drupal sites like WiserEarth & OAN? (OpenID will make this less of an issue, or a complete non-issue, if successful.)