auth:ggauth
Differences
This shows you the differences between two versions of the page.
auth:ggauth [2013-06-18 16:34] – Klap-in | auth:ggauth [Unknown date] (current) – removed - external edit (Unknown date) 127.0.0.1 | ||
Line 1: | Line 1: | ||
- | ====== Experimental Auth Backends ====== | ||
- | Available auth plugins, required since the release 2013-05-10 “Weatherwax” | ||
- | ^old Auth Type ^ new comparable Auth Plugin ^ | ||
- | |[[# | ||
- | |[[# | ||
- | |[[#http]]| [[plugin: | ||
- | |||
- | For releases 2012-10-13 “Adora Belle” and older see info below. | ||
- | |||
- | \\ \\ | ||
- | This is a package of auth backends for Dokuwiki. | ||
- | |||
- | ^AuthType^Extends^Description^ | ||
- | |[[# | ||
- | |[[#split]] ( login / groups )|simple|Delegates authentication to one backend (login auth), authorisation to another (groups auth)| | ||
- | |[[# | ||
- | |[[# | ||
- | |[[# | ||
- | |[[# | ||
- | |[[# | ||
- | |||
- | All of these are compatible with user profile updates and the User Manager plugin, as best make sense (to me). | ||
- | |||
- | **Note** dokuwiki is just a hobby for me. dokuwiki security might be critical to you. If so you should take a good look at and understand the code before letting this stuff loose on the internet, particularly as you've just downloaded it from a random internet site. I monitor the mailing list, and periodically check this page and am very happy to take feedback. Perhaps if you like this stuff it might one day make its way into the core of dokuwiki. | ||
- | |||
- | --- // | ||
- | |||
- | ^**Update** I am no longer maintaining these backends. Very happy to answer questions and for others to port to the new auth plugin structures.\\ --- [[grant@lastweekend.com.au|Grant Gardner]] // | ||
- | |||
- | |||
- | ===== Requirements ===== | ||
- | |||
- | Last comprehensively tested with __dokuwiki-2008-05-05__, | ||
- | |||
- | ===== Installation ===== | ||
- | |||
- | Unpack [[http:// | ||
- | |||
- | //For dokuwiki versions prior to 2010-11-07a " | ||
- | |||
- | In '' | ||
- | |||
- | Refer to the sections below for configuration of the specific backend | ||
- | |||
- | ===== Known issues ===== | ||
- | |||
- | Nasty use of cleanID by the plain backend, **outside of the object instance** will remove " | ||
- | |||
- | auth.php - update profile does not properly separate auth capabilities in that if your backend does not respond to both modMail and modName it will fail because one of them will be empty (TODO: raise issue with patch) | ||
- | |||
- | ---- | ||
- | |||
- | The '' | ||
- | |||
- | Replacing the // | ||
- | <file php> | ||
- | function retrieveUsers($start=0, | ||
- | $users = $this-> | ||
- | | ||
- | foreach ($users as $name => &$user) { | ||
- | $groups_user = $this-> | ||
- | if ($groups_user !== false) { | ||
- | if ($this-> | ||
- | $user[' | ||
- | } | ||
- | else { | ||
- | $user[' | ||
- | } | ||
- | } | ||
- | } | ||
- | | ||
- | return $users; | ||
- | } | ||
- | </ | ||
- | ===== The Backends ===== | ||
- | |||
- | ==== Simple ==== | ||
- | |||
- | Abstract base class of all backends | ||
- | |||
- | It provides a getDefaultUser() method for constructing a user with a default name (the userid) and email address (user@< | ||
- | |||
- | An authentication only backend can be created by extending this class and implementing only the '' | ||
- | |||
- | Many of the other user contributed backends ([[auth: | ||
- | |||
- | Assumes there is no way to test for existence of a user so every request for a specific user returns a default user. If you can test for existence, then you are likely overriding getUserData() anyway. | ||
- | |||
- | === Configuration === | ||
- | |||
- | <code php> | ||
- | $conf[' | ||
- | $conf[' | ||
- | $conf[' | ||
- | $conf[' | ||
- | $conf[' | ||
- | </ | ||
- | |||
- | ==== Split ==== | ||
- | Since the release 2013-05-10 “Weatherwax” see [[plugin: | ||
- | |||
- | Split authentication/ | ||
- | |||
- | > There is a plugin called [[plugin: | ||
- | |||
- | Extends: [[#simple]] | ||
- | |||
- | === Configuration === | ||
- | <code php> | ||
- | $conf[' | ||
- | $conf[' | ||
- | $conf[' | ||
- | $conf[' | ||
- | $conf[' | ||
- | $conf[' | ||
- | </ | ||
- | |||
- | If auth login supports the ' | ||
- | |||
- | See also configuration of [[#simple]] | ||
- | |||
- | === User Manager Integration === | ||
- | |||
- | List of users comes from groups auth unless '' | ||
- | |||
- | Create/ | ||
- | Obviously this is not transactional so you may find difficulties if errors occur on one but not the other. | ||
- | |||
- | It is also possible that the authoritative backend for password, name, or email does not accept updates but the non-authoritative one does, the updates will be successful but you won't see the result. | ||
- | |||
- | ==== Chained ==== | ||
- | Since the release 2013-05-10 “Weatherwax” see [[plugin: | ||
- | |||
- | Extends: [[#simple]] | ||
- | |||
- | Delegates to the first backend in a list that responds to getUserData() with a non empty user. | ||
- | |||
- | Alternatively it can be configured to attempt authentication (user/pass) on each link in the chain until one passes. This is useful in the case of a backend that returns a default user for every request (eg [[#pam]], below; and sometimes " | ||
- | |||
- | Since version 0.4, now supports " | ||
- | |||
- | The *Profile* option is made available depending on the capabilities of the backend that represents the current user. | ||
- | |||
- | One of the backends can be specified as the one to use with the User Manager plugin. | ||
- | |||
- | |||
- | |||
- | === Configuration === | ||
- | |||
- | <code php> | ||
- | $conf[' | ||
- | $conf[' | ||
- | $conf[' | ||
- | </ | ||
- | |||
- | == Using " | ||
- | |||
- | If " | ||
- | |||
- | ==== HTTP ==== | ||
- | Since the release 2013-05-10 “Weatherwax” see [[plugin: | ||
- | |||
- | Extends: [[#simple]] | ||
- | |||
- | Supports external authentication via PHP_AUTH_USER and PHP_AUTH_PW as supplied via your webserver. | ||
- | |||
- | Note that the following config options should be set, as these features don't play nice with external authentication. | ||
- | |||
- | <code php> | ||
- | $conf[' | ||
- | $conf[' | ||
- | </ | ||
- | |||
- | ==== HTTPBasic ==== | ||
- | |||
- | Extends: [[#http]] | ||
- | |||
- | This backend attempts to provide a logoff function for BASIC authentication. | ||
- | |||
- | It does not send the WWW: | ||
- | |||
- | === Configuration === | ||
- | |||
- | <code php> | ||
- | | ||
- | | ||
- | </ | ||
- | |||
- | === NOTE === | ||
- | * Logout is not strictly possible with BASIC auth (see apache docs), and this is a very poor user unfriendly alternative | ||
- | * @TODO try out the techniques mentioned here http:// | ||
- | |||
- | ==== HTAccess ==== | ||
- | |||
- | Use htaccess formatted password and groups files common to other web applications. | ||
- | |||
- | Extends: [[# | ||
- | |||
- | Finds and reads a ”.htaccess” file then uses the AuthUserFile and AuthGroupFile directives to point to the list of users and groups respectively. A 3rd, non-standard, | ||
- | |||
- | === Configuration === | ||
- | <code php> | ||
- | | ||
- | # | ||
- | # name of .htaccess file, must exist if absolute, if relative will search for this file up to the document root. | ||
- | | ||
- | # | ||
- | # name of file to store names and emails for each user. if relative assumed same directory as " | ||
- | | ||
- | </ | ||
- | |||
- | Also refer to [[# | ||
- | |||
- | A typical .htaccess file would live in the dokuwiki root directory or somewhere further up the path and look something like... | ||
- | <code .htaccess> | ||
- | |||
- | AuthName Dokuwiki | ||
- | AuthUserFile / | ||
- | AuthGroupFile / | ||
- | |||
- | # Use Basic authentication | ||
- | AuthType Basic | ||
- | <Limit GET POST> | ||
- | satisfy all | ||
- | require valid-user | ||
- | </ | ||
- | </ | ||
- | |||
- | AuthUserFile must point to an existing (possibly empty) file. | ||
- | |||
- | AuthGroupFile is optional, but omitting it will only make sense if you set $conf[' | ||
- | |||
- | These files must be writable by your webserver user if you want to add new users, allow users to change passwords etc... | ||
- | |||
- | Although this backend extends httpbasic and will work effectively behind BASIC authentication, | ||
- | |||
- | You will lose single sign-on capability between applications but things like openregister and resendpasswd will work as dokuwiki intends. | ||
- | |||
- | ==== PAM ==== | ||
- | |||
- | Extends: [[#simple]] | ||
- | |||
- | Refactored version of [[auth: | ||
- | |||
- | The chpass method is experimental and has not been tested successfully because my pam-unix configuration requires the webserver to run as root to change passwords of other users. | ||
- | |||
- | === Configuration === | ||
- | <code php> | ||
- | $conf[' | ||
- | $conf[' | ||
- | </ | ||
- | |||
- | ==== Mock ==== | ||
- | |||
- | Extends: [[#simple]] | ||
- | |||
- | Implements an " | ||
- | |||
- | Obviously only useful for testing (eg with the Modify Headers firefox addon). | ||
- | |||
- | |||
- | ===== Use Cases ===== | ||
- | |||
- | Which backend is right for me? Here are some scenarios to help you out. | ||
- | |||
- | Feel free to make a note about your working combination under the relevant section. | ||
- | |||
- | === Existing external passwords, all users in a default group === | ||
- | |||
- | Soln: Extend [[# | ||
- | |||
- | See [[#pam]] as an example. | ||
- | |||
- | === Existing external passwords (eg RADIUS), more complex access control with multiple groups === | ||
- | |||
- | Soln: [[#split]] (radius/ | ||
- | |||
- | ie, Implement RADIUS auth by extending simple as above, and use that backend for logins, and use '' | ||
- | |||
- | Many of the user contributed backends (eg Radius, PAM, NTLM, imap) (TODO: links) extend plain and override the password check. They could easily be refactored to work in this fashion, thus allowing the use of mysql or something else to store groups. | ||
- | |||
- | === Corporate LDAP server for users, mail and passwords, but manage group outside of LDAP === | ||
- | |||
- | Typically your dokuwiki install is in some dingy corner of the corporate and your dokuwiki admin isn't allowed to play with groups in the Corporate LDAP. | ||
- | |||
- | Soln: [[#split]] (ldap / plain) and configured to get names/email addresses from the ldap backend. | ||
- | |||
- | === Manage internal and external users separately === | ||
- | |||
- | eg. You have a large user base in the campus ldap and some additional external users that you want to give access to a subset of your dokuwiki | ||
- | |||
- | Soln: [[# | ||
- | |||
- | === Internal users authenticated via LDAP, allow other external users and manage groups across both === | ||
- | |||
- | This is getting fun :-) | ||
- | |||
- | Soln: [[#split]] ( [[# | ||
- | |||
- | ie you can use [[# | ||
- | |||
- | Note that this configuration has not been tested. | ||
- | |||
- | == Example: AD for login, Plain for Groups and Other Users == | ||
- | |||
- | This is the configuration we use for our internal Dokuwiki server (since we sometimes want to bring in outside users, and they won't create AD accounts for it. Any AD user will have read abilities, and I configure the groups within Dokuwiki for write permissions*. | ||
- | <file php> | ||
- | <?php | ||
- | /** | ||
- | * This is the advanced authorization settings | ||
- | */ | ||
- | $conf[' | ||
- | |||
- | $conf[' | ||
- | $conf[' | ||
- | $conf[' | ||
- | $conf[' | ||
- | $conf[' | ||
- | $conf[' | ||
- | |||
- | $conf[' | ||
- | $conf[' | ||
- | $conf[' | ||
- | |||
- | $conf[' | ||
- | $conf[' | ||
- | $conf[' | ||
- | $conf[' | ||
- | $conf[' | ||
- | $conf[' | ||
- | $conf[' | ||
- | $conf[' | ||
- | // | ||
- | |||
- | </ | ||
- | |||
- | * One issue with this is that you cannot use the user manager to create accounts, and assign them to groups. | ||
- | |||
- | === Webserver configured for BASIC authentication, | ||
- | |||
- | Soln: [[# | ||
- | |||
- | === Webserver configured for BASIC authentication, | ||
- | |||
- | Soln: [[#split]] ( [[# | ||
- | |||
- | === Other applications secured via htaccess password and groups files, re-use for dokuwiki === | ||
- | |||
- | Soln: [[# | ||
- | |||
- | === External authentication (shibboleth) and internal authentication (local account) === | ||
- | |||
- | Soln: [[# | ||
- | |||
- | __Notes__ : I used this [[https:// | ||
- | You can add a shibboleth account and a plain account in the same group. | ||
- | |||
- | --- // | ||
- | |||
- | [[http:// | ||
- | |||
- | --- //Dv 2013/03/07 14:11// |
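Review bot: this hunk deletes the entire page body in one unattributed "external edit" from 127.0.0.1 (see the revision header), and with it the only pointers from the old backends to their successors (the "Since the release 2013-05-10 "Weatherwax" see [[plugin:" lines under Split, Chained and HTTP) as well as the HTTP backend's caveat that two $conf options "should be set, as these features don't play nice with external authentication"; rather than a wholesale removal, keep a short body that preserves those successor links and that caveat so readers arriving from older installs are redirected instead of hitting an empty page. The deletion also drops the "Known issues" entries (the cleanID behaviour of the plain backend "outside of the object instance", and the auth.php update-profile failure when a backend does not respond to both modMail and modName, marked "TODO: raise issue with patch"); if those were never raised upstream, move them to an issue before removing the page so the record is not lost.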
auth/ggauth.1371566074.txt.gz · Last modified: 2013-06-18 16:34 by Klap-in