
Use Linux system users for login

I wanted to integrate the wiki with its user account management into an established Linux environment. After I searched for methods and didn't find a working one, I wrote a script which copies usernames and passwords from /etc/passwd and /etc/shadow to DokuWiki's user file. So users can log in with their system account, and can only change their passwords through the Linux environment and not in DokuWiki itself. In DokuWiki, users should only be able to edit their mail addresses. I set up a cron job so that every five minutes, usernames and password changes get updated to the wiki.

The script - users2dokuwiki.sh

#!/bin/bash
#
# v0.1
# by André Ludwig, andre att bluesalamand dooott de, Feb. 2008
#
# USE AT YOUR OWN RISK!
# can be distributed freely under the GPL
#
# This script synchronizes the linux users to an installed
# DokuWiki system. It extracts the usernames and encrypted
# passwords from /etc/shadow with additional infos from
# /etc/passwd and generates an appropriate users.auth.conf
# (plain-auth mode in DokuWiki).
#
# WARNING: make sure that your users.auth.conf lies
# in a secure place of your webserver, otherwise strangers
# could get most of your /etc/shadow-file!
#
# where your shadow- and passwd-file is located
SHDW_FILE=/etc/shadow
PSWD_FILE=/etc/passwd
# where your DokuWiki-auth-file should be outputted
BASE_FILE=/var/www/localhost/htdocs/wiki/conf/users.auth.php_base # must exist! base auth-file with possibly defined admin-user
DEST_FILE=/var/www/localhost/htdocs/wiki/conf/users.auth.php # must already exist!
DW_GROUPS=user # default groups for every user,comma,separated
# directory for temporary files (must exist)
TMP_DIR=/tmp
# username and group your webserver runs with (for restrictive permissions)
WEBSERVER_USR=apache
WEBSERVER_GRP=apache
#
# END OF CONFIGURATION-SECTION
#
#
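# Run as root, of course.
if [ "$UID" -ne 0 ]
then
  echo "Must be root to run this script." >&2
  exit 1
fi
#
# create tmp-file with correct permissions
# (mktemp creates it with mode 0600 under an unpredictable name, so the
# hashes are never world-readable and a file or symlink planted in
# TMP_DIR beforehand is not reused)
TMP_FILE=$(mktemp "$TMP_DIR/users_dokuwiki.conf.XXXXXX") || exit 1
cp "$BASE_FILE" "$TMP_FILE"
chmod 0600 "$TMP_FILE"
#
# extract usernames from PSWD_FILE
# (the pattern matches a four-character field starting with 1,
# i.e. a UID or GID field in the range 1000-1999)
for name in $(grep ':1\w\w\w:' "$PSWD_FILE" | sed 's/:x:.*//')
do
    # only include active accounts with password!
    # (skip empty, locked "!" and disabled "*" password fields)
    if [ "$(grep "^${name}:[!*:]" "$SHDW_FILE")" = "" ]; then
        # password hash: second field of the shadow entry
        hash=$(grep "^${name}:" "$SHDW_FILE" | cut -d: -f2)
        # no shadow entry at all: never write a user without a hash
        [ -n "$hash" ] || continue
        # real name: GECOS field of the passwd entry without trailing commas
        fullname=$(grep "^${name}:" "$PSWD_FILE" | cut -d: -f5 | sed 's/,*$//')
        # mail address: kept from the existing DokuWiki user file
        mail=$(grep "^${name}:" "$DEST_FILE" | grep -o '[a-zA-Z0-9_.-]\{1,\}@[a-zA-Z0-9-]\{1,\}\(\.[a-zA-Z0-9-]\{1,\}\)\{1,2\}')
        # DokuWiki plain-auth line: login:passwordhash:Real Name:email:groups
        echo "$name:$hash:$fullname:$mail:$DW_GROUPS" >> "$TMP_FILE"
    fi
done
#
# adjust permissions to webserver user
chown "$WEBSERVER_USR:$WEBSERVER_GRP" "$TMP_FILE"
#
# move tmp-file to destination
mv "$TMP_FILE" "$DEST_FILE"
#
exit 0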

Additional infos

The script uses every user with id > 1000 and copies the shadowed passwords from /etc/shadow to the DokuWiki user file. It's great that DokuWiki understands the encryption, so you don't have to set up something separately. The script uses a base file where you predefine extra users, for example the admin. Afterwards, the script takes the mail addresses from the existing DokuWiki user file. That's it!
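Because the generated user file holds copies of the /etc/shadow hashes, it is worth checking what the cron job actually wrote. The following is an added example, not part of the original script: the function names and the sample entries are constructed, it assumes GNU stat (Linux) and the five colon-separated fields per entry that the sync script writes.

```bash
#!/bin/bash
# Added example, not part of users2dokuwiki.sh. audit_auth_file, write_sample
# and the sample entries below are constructed for illustration.

# Print one finding per problem in a plain-auth user file.
# Returns 0 when the file is clean, 1 when there are findings, 2 on error.
audit_auth_file() {
    local file="$1" mode rc=0
    # The file carries copies of /etc/shadow hashes: no group/other access.
    mode=$(stat -c '%a' "$file") || return 2      # GNU stat (Linux)
    case "$mode" in
        0|*00) ;;
        *) echo "mode $mode: group/other permissions on a file with password hashes"; rc=1 ;;
    esac
    # Expected entry: login:passwordhash:Real Name:email:groups
    awk -F: '
        /^[ \t]*(#|$)/ { next }                  # comments and blank lines
        NF != 5 { printf "line %d: %d fields, expected 5\n", NR, NF; bad++; next }
        $2 == "" || $2 ~ /^[!*]/ {               # nothing a login could verify against
            printf "line %d: %s has an empty or locked hash\n", NR, $1; bad++ }
        seen[$1]++ {                             # e.g. base-file admin also a system user
            printf "line %d: duplicate login %s\n", NR, $1; bad++ }
        END { exit (bad > 0) }
    ' "$file" || rc=1
    return $rc
}

# Constructed sample: two good entries followed by four kinds of bad ones.
write_sample() {
    cat > "$1" <<'EOF'
# users.auth.php
# <?php exit()?>
admin:$1$constructed$aaaaaaaa:Admin:admin@example.org:admin,user
alice:$6$constructed$bbbbbbbb:Alice Example:alice@example.org:user
bob:!:Bob Example::user
carol::Carol Example::user
alice:$6$constructed$cccccccc:Alice Example::user
dave:$6$constructed$dddddddd:19000:Dave Example::user
EOF
}

sample=$(mktemp) && write_sample "$sample"
if audit_auth_file "$sample"; then echo "clean"; else echo "findings above"; fi
rm -f "$sample"
```

Run against the real file, the function's exit status can gate the cron job, for example by alerting instead of silently leaving a malformed user file in place.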

DokuWiki must run in plain-auth mode. To prevent misunderstandings, you should disable the possibility for the user to change the password and real name. Edit inc/auth/plain.class.php and change the section to:

# inc/auth/plain.class.php
[...]
   $this->cando['addUser']      = false;
   $this->cando['delUser']      = false;
   $this->cando['modLogin']     = false;
   $this->cando['modPass']      = false;
   $this->cando['modName']      = false;
   $this->cando['modMail']      = true;
[...]

To make this work, you also have to edit inc/html.php and add disabled="disabled" to the first fullname field:

    <input type="text" name="fullname" disabled="disabled" class="edit" size="50" value="<?php echo formText($_SERVER['REMOTE_USER'])?>" />

To disable the usage of HTTP-Auth usernames and passwords (perhaps you want to put the wiki in a .htaccess-secured place), edit inc/auth.php:

# inc/auth.php
[...]
  if(empty($_REQUEST['u']) && empty($_COOKIE[DOKU_COOKIE]) && !empty($_SERVER['PHP_AUTH_USER'])){
     // $_REQUEST['u'] = $_SERVER['PHP_AUTH_USER'];  // !!! comment these lines out!!!
     // $_REQUEST['p'] = $_SERVER['PHP_AUTH_PW'];
    }
[...]

Works with

I tested this script with dokuwiki-2007-06-26b.

auth/system_user_workaround.txt · Last modified: 2008-04-06 14:39 by 217.224.251.127