auth:pam
Differences
This shows you the differences between two versions of the page.
auth:pam [2015-06-06 15:45] – ach | auth:pam [Unknown date] (current) – removed - external edit (Unknown date) 127.0.0.1 | ||
---|---|---|---|
Line 1: | Line 1: | ||
- | ====== PAM Authentication Backend ====== | ||
- | I wanted to authenticate users without have a separate set of passwords. I found [[tips: | ||
- | |||
- | :?: Is anybody supporting or " | ||
- | --- // | ||
- | |||
- | > I doubt it as this is now over 7 years old. But best try contacting the author directly. If you update it, please make sure to make an auth plugin out of it, see [[devel: | ||
- | |||
- | ===== Operation ===== | ||
- | |||
- | The backend extends the [[auth: | ||
- | |||
- | ===== PHP PAM Module ===== | ||
- | |||
- | The backend requires the PHP [[http:// | ||
- | |||
- | ==== Ubuntu ==== | ||
- | |||
- | Ubuntu has this module available in a package. To install it and setup PAM simply run the following commands: | ||
- | |||
- | sudo aptitude install php5-auth-pam | ||
- | sudo cp / | ||
- | |||
- | Remember to restart your webserver. | ||
- | |||
- | |||
- | ===== Install pam.class.php ===== | ||
- | |||
- | Save the following file as '' | ||
- | |||
- | <file php pam.class.php> | ||
- | <?php | ||
- | /** | ||
- | * PAM authentication backend | ||
- | * @author | ||
- | * @license GPL2 http:// | ||
- | * @version 0.2 | ||
- | * @date March 2008 | ||
- | */ | ||
- | |||
- | # This class requires the PHP PAM module | ||
- | # The Ubuntu package renames it to " | ||
- | if ( !extension_loaded(' | ||
- | if ( !dl(' | ||
- | msg( "PHP PAM module cannot be loaded", | ||
- | |||
- | define(' | ||
- | require_once(DOKU_AUTH.'/ | ||
- | |||
- | class auth_pam extends auth_plain | ||
- | { | ||
- | |||
- | /** | ||
- | * Constructor | ||
- | * | ||
- | * Calls the auth_plain constructor which sets the backend' | ||
- | * The change password capability is then removed since we can't change | ||
- | * passwords through PAM without knowing the current password. | ||
- | * | ||
- | */ | ||
- | function auth_pam() | ||
- | { | ||
- | // Call parent constructor | ||
- | if (method_exists($this, | ||
- | parent:: | ||
- | |||
- | // Remove change password capability | ||
- | $this-> | ||
- | } | ||
- | |||
- | /** | ||
- | * Checks the provided username and password using PAM. | ||
- | * | ||
- | * @param | ||
- | * @param | ||
- | * @return | ||
- | */ | ||
- | function checkPass( $user, $pass ) | ||
- | { | ||
- | // Check that user exists | ||
- | if ( parent:: | ||
- | return false; | ||
- | |||
- | // Check password | ||
- | else if( pam_auth( $user, $pass, &$error ) ) | ||
- | return true; | ||
- | |||
- | // Authentication failed | ||
- | else | ||
- | return false; | ||
- | } | ||
- | |||
- | /** | ||
- | * Creates a new user. | ||
- | * | ||
- | * Uses the createUser() method in auth_plain to actually add the user. | ||
- | * This only adds the user to the list of DokuWiki users -- they must | ||
- | * separately be added to PAM and assigned a password. | ||
- | * | ||
- | * @param | ||
- | * @param | ||
- | * @param | ||
- | * @param | ||
- | * @param | ||
- | * @return | ||
- | */ | ||
- | function createUser($user, | ||
- | { | ||
- | // createUser() returns the password if successful. We therefore need to | ||
- | // set it to something non-empty otherwise it gets treated as false | ||
- | return parent:: | ||
- | } | ||
- | |||
- | } | ||
- | </ | ||
- | |||
- | > | ||
- | --- // | ||
- | >> It does not have any repercussions since the pass-by-reference is already in the signature of the function. | ||
- | |||
- | ===== Patch User Manager ===== | ||
- | |||
- | You then need to fix (what I think is) a bug in the User Manager. It won't create a user if no password is specified, but if the authentication backend cannot set passwords then the password box is disabled! The following patch makes the User Manager ignore empty passwords if the authentication backend can't change passwords. Save this in a file called '' | ||
- | |||
- | <code diff> | ||
- | --- admin.php.orig | ||
- | +++ admin.php | ||
- | @@ -339,7 +339,8 @@ | ||
- | |||
- | | ||
- | if (empty($user)) return false; | ||
- | - if (empty($pass) || empty($name) || empty($mail)){ | ||
- | + // PATCH: Don't fail on empty password if auth backend can't change passwords | ||
- | + if ( (empty($pass)&& | ||
- | | ||
- | | ||
- | } | ||
- | </ | ||
- | > This patch of the user manager is not neccesary anymore, recent codebases already have a check for this (checked for 2010-11-07a). Old versions might require it though. | ||
- | ===== Configure DokuWiki ===== | ||
- | |||
- | You then need to configure DokuWiki to use this authentication backend. Add the following line to '' | ||
- | |||
- | $conf[' | ||
- | |||
- | If you want to prevent users from registering themselves, add the following line as well: | ||
- | |||
- | $conf[' | ||
- | |||
- | ===== Applicable Version(s)? ===== | ||
- | I've attempted to duplicate this setup using DokuWiki versions 2008-05-05 and 2007-06-26b on a SAMP stack (Solaris, Apache, MySQL, & PHP provided by CoolStack). | ||
- | |||
- | * Solaris 10 6/06 (Update 2) | ||
- | * Apache 2.2.3 | ||
- | * PHP 5.2.0 (cli) (built: Feb 16 2007 08: | ||
- | * MySQL 5.0.33-standard | ||
- | |||
- | I've added the account that Apache is using to the group that can access /etc/shadow and / | ||
- | |||
- | < | ||
- | php auth requisite / | ||
- | php auth required / | ||
- | php account required / | ||
- | </ | ||
- | |||
- | So far I've been able to break ' | ||
- | Has anyone had any recent success with this PAM method? | ||
- | |||
- | --- // |
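Review bot: the change summary in the header row says only "removed - external edit", with an unknown date and 127.0.0.1 as the editor, so the deletion of the whole page carries no reason and no pointer to a replacement. Record why the page was removed and, if an auth plugin was made out of this backend as the reply near the top asks, link to it from the summary or a stub page. Two caveats visible in the removed text are worth carrying into whatever replaces it: `pam_auth( $user, $pass, &$error )` in checkPass() passes `$error` by reference at call time, which PHP 5.4 and later reject, and the "Applicable Version(s)?" report has the Apache account added to the group that can access /etc/shadow, which widens what a compromise of the web server process can read.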
auth/pam.1433598316.txt.gz · Last modified: 2015-06-06 15:45 by ach