authenvvars Plugin

Compatible with DokuWiki

  • rc2020-06-01 "Hogfather" unknown
  • 2018-04-22 "Greebo" unknown
  • 2017-02-19 "Frusterick Manners" yes
  • 2016-06-26 "Elenor Of Tsort" unknown

Authentication over webserver environment variables

Last updated on: 2020-05-02
Provides: Auth, Action
Repository: Source

Motivation

Many webservers provide modules for authentication. For example, Apache provides mod_authn_dbd, mod_authnz_ldap or mod_auth_basic for different database types. These modules can be configured to set environment variables after successful authentication (e.g. AUTHENTICATE_attributename after LDAP authentication, or the well-known REMOTE_USER environment variable).

Another Apache authentication module is mod-auth-openidc, which authenticates using the OpenID Connect protocol. The module places authentication and user information in OIDC_CLAIM_ environment variables.

The goal of this plugin is to bypass the DokuWiki authentication mechanisms and use the webserver environment variables for user information. The webserver, not DokuWiki, is responsible for authentication.

Installation

Download the zip file from GitHub and copy the contained directory into the lib/plugins directory of your DokuWiki installation. Rename it to authenvvars.

Or

Install the plugin using the Plugin Manager and the download URL above, which points to the latest version of the plugin.

Usage

In PHP, the environment variables are stored in the global $_SERVER variable. To get the user information, the administrator has to tell the plugin which environment variable holds the username. This is done in the conf/local.php settings.

$conf['plugin']['authenvvars']['useridvar']   = 'REMOTE_USER';
$conf['plugin']['authenvvars']['usernamevar'] = 'AUTHENTICATE_GECOS';
$conf['plugin']['authenvvars']['emailvar']    = 'AUTHENTICATE_MAIL';
$conf['plugin']['authenvvars']['groupsvar']   = 'AUTHENTICATE_MEMBERUID';
$conf['plugin']['authenvvars']['groupformat'] = 'json';
$conf['plugin']['authenvvars']['groupattr']   = '';
$conf['plugin']['authenvvars']['groupsep']    = ';';

The correct environment variable depends on the webserver module. Consult the webserver module documentation for the environment variables it provides.

Calling phpinfo() can help to find out which variables are set.

Examples

Let's take a look at two Apache modules and how to use this DokuWiki plugin to get the user information into DokuWiki. A possible Apache configuration is shown together with the plugin configuration.

Apache: mod-authnz-ldap

vhost.conf of the webserver:

<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile    /etc/ssl/path/to/cert
    SSLCertificateKeyFile /etc/ssl/path/to/key
    SSLCertificateChainFile /etc/ssl/path/to/bundle

    ServerName myvhost.server
    DocumentRoot /var/www/html/mydocroot

    # The authentication directives are only valid in directory context
    <Location />
        AuthType Basic
        # Example realm name
        AuthName "DokuWiki"
        AuthBasicProvider ldap
        AuthLDAPUrl "ldaps://ldap.server/dc=ldap,dc=server?gecos,mail,memberuid?sub?(objectClass=inetOrgPerson)"
        AuthLDAPBindDN cn=search,ou=dn,ou=to,dc=ldap,dc=server
        AuthLDAPBindPassword secret-for-binddn
        AuthLDAPGroupAttribute memberUid
        Require ldap-group cn=valid,ou=groups,dc=ldap,dc=server
    </Location>
</VirtualHost>

conf/local.php of dokuwiki:

$conf['plugin']['authenvvars']['useridvar']   = 'REMOTE_USER';
$conf['plugin']['authenvvars']['usernamevar'] = 'AUTHENTICATE_GECOS';
$conf['plugin']['authenvvars']['emailvar']    = 'AUTHENTICATE_MAIL';
$conf['plugin']['authenvvars']['groupsvar']   = 'AUTHENTICATE_MEMBERUID';
$conf['plugin']['authenvvars']['groupformat'] = 'csv';
$conf['plugin']['authenvvars']['groupattr']   = '';  // Not used in case of groupformat = csv
$conf['plugin']['authenvvars']['groupsep']    = ';';

Apache: mod-auth-openidc

vhost.conf of the webserver:

<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile    /etc/ssl/path/to/cert
    SSLCertificateKeyFile /etc/ssl/path/to/key
    SSLCertificateChainFile /etc/ssl/path/to/bundle

    ServerName myvhost.server
    DocumentRoot /var/www/html/mydocroot

    OIDCProviderMetadataURL https://authorization.server/.well-known/openid-configuration
    OIDCProviderIssuer https://authorization.server
    OIDCClientID idfromauthorizationserver
    OIDCClientSecret secretfromauthorizationserver
    OIDCScope "openid profile email groups"
    # The redirect URI uses the scheme of this vhost (https) and lies inside the protected location
    OIDCRedirectURI https://myvhost.server/redirecturi
    OIDCCryptoPassphrase arandomstring

    # Without AuthType and Require no request is authenticated
    <Location />
        AuthType openid-connect
        Require valid-user
    </Location>
</VirtualHost>

conf/local.php of dokuwiki:

$conf['plugin']['authenvvars']['useridvar']   = 'OIDC_CLAIM_preferred_username';
$conf['plugin']['authenvvars']['usernamevar'] = 'OIDC_CLAIM_name';
$conf['plugin']['authenvvars']['emailvar']    = 'OIDC_CLAIM_email';
$conf['plugin']['authenvvars']['groupsvar']   = 'OIDC_CLAIM_groups';
$conf['plugin']['authenvvars']['groupformat'] = 'json';
$conf['plugin']['authenvvars']['groupattr']   = 'act';
$conf['plugin']['authenvvars']['groupsep']    = ';'; // Not used in case of groupformat = json

Configuration and Settings

Parameter: meaning

  • useridvar: The environment variable which contains the user ID.
  • usernamevar: The environment variable which contains the user's name.
  • emailvar: The environment variable which contains the user's email address.
  • groupsvar: The environment variable which contains the groups. If groupformat=json, the plugin expects an array or an object in the form of a valid JSON string. json_decode() decodes the string into an (associative) array; only the values of that array matter. If groupformat=csv, the plugin expects a string of group names separated by the groupsep character.
  • groupformat: Possible values are json or csv.
  • groupattr: If groupformat=json: contains the required key if the values of the group array are themselves (associative) arrays.
  • groupsep: Field separator if groupformat=csv.
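
The mapping described under Usage and the groupsvar rules listed above, as an added PHP example; it is not the plugin's own code. The function names, the keys of the returned array and the sample $_SERVER values are assumptions made for the illustration. A missing user ID variable yields null, so a webserver that did not authenticate the request never produces a logged-in user.

```php
<?php
// Added example, not the plugin's code; function names and sample values are hypothetical.

/** Flatten the raw groupsvar value into group names; malformed input yields []. */
function parseGroups(string $raw, string $format, string $attr, string $sep): array
{
    $groups = [];
    if ($format === 'json') {
        $decoded = json_decode($raw, true);      // JSON objects become associative arrays
        foreach (is_array($decoded) ? $decoded : [] as $value) {  // keys are ignored
            if (is_array($value)) {              // nested entry: take the groupattr key
                $value = $attr !== '' ? ($value[$attr] ?? null) : null;
            }
            if (is_string($value)) {
                $groups[] = $value;
            }
        }
    } elseif ($format === 'csv' && $sep !== '') {
        $groups = explode($sep, $raw);
    }
    return array_values(array_unique(array_filter(array_map('trim', $groups), 'strlen')));
}

/** Build user info from a $_SERVER-style array; null when no user ID was set. */
function userFromEnv(array $server, array $conf): ?array
{
    $get = function (string $key) use ($server, $conf): string {
        $value = $server[$conf[$key] ?? ''] ?? '';
        return is_string($value) ? $value : '';
    };
    if ($get('useridvar') === '') {
        return null;                             // fail closed: nobody is logged in
    }
    return [
        'user' => $get('useridvar'), 'name' => $get('usernamevar'), 'mail' => $get('emailvar'),
        'grps' => parseGroups($get('groupsvar'), $conf['groupformat'] ?? '',
                              $conf['groupattr'] ?? '', $conf['groupsep'] ?? ';'),
    ];
}

// Constructed input shaped like the mod-auth-openidc example on this page.
$conf = ['useridvar' => 'OIDC_CLAIM_preferred_username', 'usernamevar' => 'OIDC_CLAIM_name',
         'emailvar' => 'OIDC_CLAIM_email', 'groupsvar' => 'OIDC_CLAIM_groups',
         'groupformat' => 'json', 'groupattr' => 'act', 'groupsep' => ';'];
$server = ['OIDC_CLAIM_preferred_username' => 'jdoe', 'OIDC_CLAIM_name' => 'Jane Doe',
           'OIDC_CLAIM_email' => 'jdoe@example.org',
           'OIDC_CLAIM_groups' => '[{"act":"editors"},{"act":"admin"},{"id":7}]'];
var_dump(userFromEnv($server, $conf));
var_dump(userFromEnv([], $conf));
```
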
plugin/authenvvars.txt · Last modified: 2020-05-07 09:00 by physiklehrer