mod_auth_tkt

mod_auth_tkt is a lightweight cookie-based authentication module for Apache versions 1.3.x and 2.0.x (2.2.x is currently supported by the beta version). It implements a single sign-on framework that works across multiple Apache instances and multiple machines. See the mod_auth_tkt site.

Implementation

This should actually work with anything that sets REMOTE_USER or provides another unique way to detect the logged-in user.

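mod_auth_tkt sets the REMOTE_USER environment variable once the user is authenticated, so the implementation is very simple. I want users who are authenticated by mod_auth_tkt to be recognized by DokuWiki. Wiki admin users (set in users.auth.php) should be recognized as well. Note: my DokuWiki is behind a proxy, so REMOTE_USER becomes HTTP_REMOTE_USER in my case. Change it to REMOTE_USER if that matches your situation. Because HTTP_REMOTE_USER is filled from a request header, this setup is only sound when the proxy overwrites or strips any client-supplied Remote-User header and the wiki cannot be reached except through the proxy.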

I am mainly a Perl programmer. The code is mostly copied and pasted from the PunBB, basic and plain auth classes, plus some of my own code. Please let me know if anything needs to be improved.

save the following code to inc/auth/mod_auth_tkt.class.php

<?php
/**
 * mod_auth_tkt auth backend
 *
 * Uses external Trust mechanism to check against mod_auth_tkt's
 * ENV variable. 
 *
 * @author    Qiang Li <qiangli at cpan.org>
 */
 
// Directory that holds this auth backend file.
define(
  'DOKU_AUTH',
  dirname(__FILE__)
);

// Full path of the users file that _getUserGroups() reads.
// DOKU_CONF is not defined in this file; it must already exist when this file is loaded.
define(
  'AUTH_USERFILE',
  DOKU_CONF . 'users.auth.php'
);
 
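class auth_mod_auth_tkt extends auth_basic {

  /**
   * Constructor.
   *
   * Declares that this backend supports external (trust-based)
   * authentication by setting the 'external' capability flag.
   */
  function auth_mod_auth_tkt(){
    $this->cando['external'] = true;
  }

  /**
   * Accept the user name that the front-end web server has already
   * authenticated and publish it to DokuWiki.
   *
   * The name is read from $_SERVER['HTTP_REMOTE_USER']. A missing value,
   * an empty string or the literal name 'guest' is treated as "not logged in".
   * On success the method fills $USERINFO, $_SERVER['REMOTE_USER'] and the
   * auth entries of the session, then returns true.
   *
   * SECURITY: every HTTP_* entry in $_SERVER is built from a request header,
   * so HTTP_REMOTE_USER is whatever arrived in the Remote-User header. This
   * backend performs no verification of its own. It is only safe when
   *   - the reverse proxy always overwrites or strips a client-supplied
   *     Remote-User header before forwarding the request, and
   *   - the wiki is reachable only through that proxy (bind/firewall the
   *     backend so it cannot be requested directly).
   * When mod_auth_tkt runs on the same Apache as the wiki, read
   * $_SERVER['REMOTE_USER'] instead, which the server sets itself.
   *
   * @param string $user    ignored; the identity comes from the server environment
   * @param string $pass    ignored
   * @param bool   $sticky  ignored apart from being normalised to a boolean
   * @return bool  true when a trusted user name was found, false otherwise
   */
  function trustExternal($user,$pass,$sticky=false){
    global $USERINFO;
    global $conf;
    $sticky = (bool) $sticky; // normalise; not used further in this method

    if( !isset($_SERVER['HTTP_REMOTE_USER']) ) return false;

    $remote = $_SERVER['HTTP_REMOTE_USER'];

    // An empty name must never count as an authenticated user, and 'guest'
    // is the anonymous placeholder; strict comparison avoids type juggling.
    if( !is_string($remote) || $remote === '' || $remote === 'guest' ) return false;

    // okay we're logged in - set the globals
    $USERINFO['name'] = $remote;
    $USERINFO['pass'] = '';
    $USERINFO['mail'] = '';
    $USERINFO['grps'] = $this->_getUserGroups($remote);

    $_SERVER['REMOTE_USER'] = $remote;
    $_SESSION[$conf['title']]['auth']['user'] = $remote;
    $_SESSION[$conf['title']]['auth']['info'] = $USERINFO;
    return true;
  }

  /**
   * Look up the groups of a user in the users file (AUTH_USERFILE).
   *
   * Each non-comment line is split on ':' into at most five fields; field 0
   * is compared with $user and field 4 is the comma-separated group list.
   *
   * The original implementation used split(), which was removed in PHP 7,
   * and returned null when nothing was found. An empty array is returned
   * instead so that callers always receive a list of groups.
   *
   * @param string $user  user name to look up
   * @return array  group names of the user; empty when the file is not
   *                readable, the user is not listed or has no groups
   */
  function _getUserGroups($user){
      if(!is_readable(AUTH_USERFILE)) return array();

      $lines = file(AUTH_USERFILE);
      if($lines === false) return array();

      $wanted = (string) $user;

      foreach($lines as $line){
        $line = preg_replace('/#.*$/','',$line); //ignore comments
        $line = trim($line);
        if($line === '') continue;

        $row = explode(':',$line,5);

        // strict match: loose == would let numeric-looking names collide
        if($row[0] !== $wanted) continue;

        // a short line or an empty group field means "no groups"
        if(!isset($row[4]) || $row[4] === '') return array();

        return explode(',',$row[4]);
      }
      return array();
  }
}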