authenvvars Plugin
Compatible with DokuWiki
- 2023-04-04 "Jack Jackrum" unknown
- 2022-07-31 "Igor" unknown
- 2020-07-29 "Hogfather" yes
- 2018-04-22 "Greebo" unknown
Motivation
Many web servers provide modules for authentication. For example, Apache provides mod_authn_dbd, mod_authnz_ldap or mod_auth_basic for different database types. These modules can be configured to set environment variables after successful authentication (e.g. AUTHENTICATE_attributename after LDAP authentication, or the well-known REMOTE_USER environment variable).
Another Apache authentication module is mod-auth-openidc, which authenticates using the OpenID Connect protocol. The module places authentication and user information in OIDC_CLAIM_ environment variables.
The goal of this plugin is to bypass DokuWiki's own authentication mechanisms and take the user information from the web server's environment variables. The web server, not DokuWiki, is responsible for authentication. DokuWiki therefore trusts these variables as they are, so every request to the wiki has to pass through the web server's authentication module.
Installation
Download the zip file from GitHub and copy the contained directory into the lib/plugins directory of your DokuWiki installation. Rename it to authenvvars.
Or
Install the plugin using the Plugin Manager and the download URL above, which points to the latest version of the plugin.
Be sure to enable authenvvars by setting $conf['authtype'] = 'authenvvars' in conf/dokuwiki.php.
Usage
In PHP, the environment variables are stored in the global $_SERVER variable. To get the user information, the administrator has to tell the plugin which environment variable holds the username. This is done in the conf/local.php settings.
```php
$conf['plugin']['authenvvars']['useridvar'] = 'REMOTE_USER';
$conf['plugin']['authenvvars']['usernamevar'] = 'AUTHENTICATE_GECOS';
$conf['plugin']['authenvvars']['emailvar'] = 'AUTHENTICATE_MAIL';
$conf['plugin']['authenvvars']['groupsvar'] = 'AUTHENTICATE_MEMBERUID';
$conf['plugin']['authenvvars']['groupformat'] = 'json';
$conf['plugin']['authenvvars']['groupattr'] = '';
$conf['plugin']['authenvvars']['groupsep'] = ';';
```
The correct environment variable depends on the web server module. Consult the module's documentation for the environment variables it provides.
Calling phpinfo() can help to see which variables the web server actually sets.
Examples
Let's take a look at two Apache modules and how to use this plugin to get the user information into DokuWiki. A possible Apache configuration is shown together with the matching plugin configuration.
Apache: mod-authnz-ldap
vhost.conf of the web server:
```apache
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile /etc/ssl/path/to/cert
    SSLCertificateKeyFile /etc/ssl/path/to/key
    SSLCertificateChainFile /etc/ssl/path/to/bundle
    ServerName myvhost.server
    DocumentRoot /var/www/html/mydocroot
    # The authentication directives are only valid in a directory context,
    # so they are wrapped in a <Location> block covering the whole wiki.
    <Location />
        AuthType Basic
        AuthName "DokuWiki"
        AuthBasicProvider ldap
        AuthLDAPUrl "ldaps://ldap.server/dc=ldap,dc=server?gecos,mail,memberuid?sub?(objectClass=inetOrgPerson)"
        AuthLDAPBindDN cn=search,ou=dn,ou=to,dc=ldap,dc=server
        AuthLDAPBindPassword secret-for-binddn
        AuthLDAPGroupAttribute memberUid
        Require ldap-group cn=valid,ou=groups,dc=ldap,dc=server
    </Location>
</VirtualHost>
```
conf/local.php of dokuwiki:
```php
$conf['plugin']['authenvvars']['useridvar'] = 'REMOTE_USER';
$conf['plugin']['authenvvars']['usernamevar'] = 'AUTHENTICATE_GECOS';
$conf['plugin']['authenvvars']['emailvar'] = 'AUTHENTICATE_MAIL';
$conf['plugin']['authenvvars']['groupsvar'] = 'AUTHENTICATE_MEMBERUID';
$conf['plugin']['authenvvars']['groupformat'] = 'csv';
$conf['plugin']['authenvvars']['groupattr'] = ''; // Not used in case of groupformat = csv
$conf['plugin']['authenvvars']['groupsep'] = ';';
```
Apache: mod-auth-openidc
vhost.conf of the webserver:
```apache
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile /etc/ssl/path/to/cert
    SSLCertificateKeyFile /etc/ssl/path/to/key
    SSLCertificateChainFile /etc/ssl/path/to/bundle
    ServerName myvhost.server
    DocumentRoot /var/www/html/mydocroot
    OIDCProviderMetadataURL https://authorization.server/.well-known/openid-configuration
    OIDCProviderIssuer https://authorization.server
    OIDCClientID idfromauthorizationserver
    OIDCClientSecret secretfromauthorizationserver
    OIDCScope "openid profile email groups"
    # The redirect URI uses the scheme of this vhost (HTTPS) and lies
    # inside the protected location below.
    OIDCRedirectURI https://myvhost.server/redirecturi
    OIDCCryptoPassphrase arandomstring
    # Without AuthType/Require the module protects nothing.
    <Location />
        AuthType openid-connect
        Require valid-user
    </Location>
</VirtualHost>
```
conf/local.php of dokuwiki:
```php
$conf['plugin']['authenvvars']['useridvar'] = 'OIDC_CLAIM_preferred_username';
$conf['plugin']['authenvvars']['usernamevar'] = 'OIDC_CLAIM_name';
$conf['plugin']['authenvvars']['emailvar'] = 'OIDC_CLAIM_email';
$conf['plugin']['authenvvars']['groupsvar'] = 'OIDC_CLAIM_groups';
$conf['plugin']['authenvvars']['groupformat'] = 'json';
$conf['plugin']['authenvvars']['groupattr'] = 'act';
$conf['plugin']['authenvvars']['groupsep'] = ';'; // Not used in case of groupformat = json
```
Configuration and Settings
parameter | meaning |
---|---|
useridvar | The environment variable which contains the userid. |
usernamevar | The environment variable which contains the user's name. |
emailvar | The environment variable which contains the user's email address. |
groupsvar | The environment variable which contains the groups. With groupformat=json the plugin expects an array or an object in the form of a valid JSON string; json_decode() decodes the string into an (associative) array, and only the values of that array are used. With groupformat=csv the plugin expects a comma-separated string of group names. |
groupformat | Possible values are json or csv |
groupattr | In case of groupformat=json: contains the required key if the values of the group array are (associative) arrays. |
groupsep | Field separator in case of groupformat=csv |
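
The group handling described in the table, written out as an added example that is not the plugin's own code. The function name `resolveGroups()` and the sample values are constructed here, and falling back to a comma when groupsep is empty is an assumption.

```php
<?php
// Added example, not the plugin's source. resolveGroups() and the
// $_SERVER-style sample arrays below are constructed for illustration.
function resolveGroups(array $server, array $conf): array
{
    $raw = $server[$conf['groupsvar']] ?? '';
    if (!is_string($raw) || trim($raw) === '') {
        return [];                      // variable not set: no groups
    }
    if ($conf['groupformat'] === 'json') {
        $decoded = json_decode($raw, true);
        if (!is_array($decoded)) {
            return [];                  // invalid JSON or a bare scalar: no groups
        }
        $names = [];
        foreach ($decoded as $entry) {  // keys are ignored, only values count
            if (is_array($entry)) {
                // The value is itself an array: take the key named by groupattr.
                $entry = $entry[$conf['groupattr']] ?? null;
            }
            if (is_string($entry)) {
                $names[] = $entry;
            }
        }
    } else {
        // Assumption: use a comma when groupsep is empty (explode() rejects '').
        $sep = $conf['groupsep'] !== '' ? $conf['groupsep'] : ',';
        $names = explode($sep, $raw);
    }
    // Trim whitespace, drop empty entries and duplicates.
    $names = array_map('trim', $names);
    $names = array_filter($names, static fn(string $g): bool => $g !== '');
    return array_values(array_unique($names));
}

// Settings taken from the two examples on this page.
$ldap = ['groupsvar' => 'AUTHENTICATE_MEMBERUID', 'groupformat' => 'csv',
         'groupattr' => '', 'groupsep' => ';'];
$oidc = ['groupsvar' => 'OIDC_CLAIM_groups', 'groupformat' => 'json',
         'groupattr' => 'act', 'groupsep' => ';'];

// Constructed inputs: csv with stray entries, a JSON list, JSON objects, bad JSON.
$samples = [
    [['AUTHENTICATE_MEMBERUID' => 'wiki; admin;;wiki'], $ldap],
    [['OIDC_CLAIM_groups' => '["wiki","editors"]'], $oidc],
    [['OIDC_CLAIM_groups' => '[{"act":"wiki"},{"act":"admin"}]'], $oidc],
    [['OIDC_CLAIM_groups' => 'not json'], $oidc],
];
foreach ($samples as [$server, $conf]) {
    echo json_encode(resolveGroups($server, $conf)), "\n";
}
```

A missing or malformed groups variable yields an empty list, so the user ends up with no group-based permissions from it.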