authenvvars Plugin

Compatible with DokuWiki

2023-04-04 "Jack Jackrum" unknown
2022-07-31 "Igor" unknown
2020-07-29 "Hogfather" yes
2018-04-22 "Greebo" unknown

Authentication over webserver environment variables

Last updated on: 2020-05-02
Provides: Auth, Action
Repository: Source

Tagged with authentication, environment, variables, webserver

By Christian Hoffmann

Motivation

Many webserver provide modules for authentication. For example, Apache provides mod_authn_dbd, mod_authnz_ldap or mod_auth_basic for different database types. One can configure these modules, to set environment variables after successful authentication (e.g AUTHENTICATE_attributename after ldap-authentication or the well known REMOTE_USER environment variable).

Another Apache authentication module is mod-auth-openidc for authentication against the openid connect protocol. The module places authentication and user information in OIDC_CLAIM_ environment variables.

The goal of this plugin is to bypass the dokuwiki authentication mechanisms and use the webserver environment variables for user information. Not dokuwiki ist responseable for authentication but the webserver.

Installation

Download the zip-file from github an copy the containig directory into the lib/plugins directory of your dokuwiki installation. Rename it to authenvvars.

Or

Install the plugin using the Plugin Manager and the download URL above, which points to latest version of the plugin.

Be sure to enable authennvars by setting $conf['authtype'] = 'authenvvars' in conf/dokuwiki.php.

Usage

In PHP the environment variables are stored in the global $_SERVER variable. To get the user information, the administrator has to inform the plugin, which environment variable stands for the username. This has to be done in the conf/local.php settings.

$conf['plugin']['authenvvars']['useridvar']   = 'REMOTE_USER';
$conf['plugin']['authenvvars']['usernamevar'] = 'AUTHENTICATE_GECOS';
$conf['plugin']['authenvvars']['emailvar']    = 'AUTHENTICATE_MAIL';
$conf['plugin']['authenvvars']['groupsvar']   = 'AUTHENTICATE_MEMBERUID';
$conf['plugin']['authenvvars']['groupformat'] = 'json';
$conf['plugin']['authenvvars']['groupattr']   = '';
$conf['plugin']['authenvvars']['groupsep']    = ';';

The correct environment variable depends on the webserver modul. Consult the webserver module documentation for the provided environment variables.

Sometimes it would be helpful to call phpinfo().

Examples

Let's take a look on two Apache-modules and how to use this dokuwiki module to get the user information into dokuwiki. The possible Apache configuration is shown in conjunction with the plugin configuration.

Apache: mod-authnz-ldap

vhost.conf of the webserver:

<VirtualHost *:443>
    SSLCertificateFile    /etc/ssl/path/to/cert
    SSLCertificateKeyFile /etc/ssl/path/to/key
    SSLCertificateChainFile /etc/ssl/path/to/bundle
 
    ServerName myvhost.server
    DocumentRoot /var/www/html/mydocroot
 
    AuthLDAPUrl "ldaps://ldap.server/dc=ldap,dc=server?gecos,mail,memberuid?sub?(objectClass=inetOrgPerson)"
    AuthLDAPBindDN cn=search,ou=dn,ou=to,dc=ldap,dc=server
    AuthLDAPBindPassword secret-for-binddn
    AuthLDAPGroupAttribute memberUid
    Require ldap-group cn=valid,ou=groups,dc=ldap,dc=server
</VirtualHost>

conf/local.php of dokuwiki:

$conf['plugin']['authenvvars']['useridvar']   = 'REMOTE_USER';
$conf['plugin']['authenvvars']['usernamevar'] = 'AUTHENTICATE_GECOS';
$conf['plugin']['authenvvars']['emailvar']    = 'AUTHENTICATE_MAIL';
$conf['plugin']['authenvvars']['groupsvar']   = 'AUTHENTICATE_MEMBERUID';
$conf['plugin']['authenvvars']['groupformat'] = 'csv';
$conf['plugin']['authenvvars']['groupattr']   = '';  // Not used in case of groupformat = csv
$conf['plugin']['authenvvars']['groupsep']    = ';';

Apache: mod-auth-openidc

vhost.conf of the webserver:

<VirtualHost *:443>
    SSLCertificateFile    /etc/ssl/path/to/cert
    SSLCertificateKeyFile /etc/ssl/path/to/key
    SSLCertificateChainFile /etc/ssl/path/to/bundle
 
    ServerName myvhost.server
    DocumentRoot /var/www/html/mydocroot
 
    OIDCProviderMetadataURL https://authorization.server/.well-known/openid-configuration
    OIDCProviderIssuer https://authorization.server
    OIDCClientID idfromauthorizationserver
    OIDCClientSecret secretfromauthorizationserver
    OIDCScope "openid profile email groups"
    OIDCRedirectURI http://myvhost.server/redirecturi
    OIDCCryptoPassphrase arandomstring
</VirtualHost>

conf/local.php of dokuwiki:

$conf['plugin']['authenvvars']['useridvar']   = 'OIDC_CLAIM_preferred_username';
$conf['plugin']['authenvvars']['usernamevar'] = 'OIDC_CLAIM_name';
$conf['plugin']['authenvvars']['emailvar']    = 'OIDC_CLAIM_email';
$conf['plugin']['authenvvars']['groupsvar']   = 'OIDC_CLAIM_groups';
$conf['plugin']['authenvvars']['groupformat'] = 'json';
$conf['plugin']['authenvvars']['groupattr']   = 'act';
$conf['plugin']['authenvvars']['groupsep']    = ';'; // Not used in case of groupformat = json

Configuration and Settings

parameter	meaning
`useridvar`	The environment varibale which contains the userid.
`usernamevar`	The environment varibale which contains the users name.
`emailvar`	The environment varibale which contains the users email address.
`groupsvar`	The environment varibale which contains the groups. This plugin expects in case of `groupformat=json` an array or an object in form of a valid JSON-String. json_decode() decodes the string into an (associated) array. Only the values of that array are important. Or this plugin expects a comma-separated String of groupnames in case of `groupformat=csv`
`groupformat`	Possible values are json or csv
`groupattr`	In case of `groupformat=json`:Contains the required key if the values of the group array are (associative) arrays.
`groupsep`	Field seperator in case of `groupformat=csv`

Table of Contents