
This is an old revision of the document!


authenvvars Plugin

Compatible with DokuWiki: Frusterick Manners, 2017-02-19

plugin Authentication over webserver environment variables

Last updated on: 2020-05-02
Provides: Auth, Action
Repository: Source

This extension has not been updated in over 2 years. It may no longer be maintained or supported and may have compatibility issues.

Tagged with authentication, environment, variables, webserver

Motivation

Many webservers provide modules for authentication. For example, Apache provides mod_authn_dbd, mod_authnz_ldap or mod_auth_basic for different database types. These modules can be configured to set environment variables after successful authentication (e.g. AUTHENTICATE_attributename after LDAP authentication, or the well-known REMOTE_USER environment variable).

Another Apache authentication module is mod-auth-openidc, which authenticates against the OpenID Connect protocol. The module places authentication and user information in OIDC_CLAIM_ environment variables.

The goal of this plugin is to bypass the DokuWiki authentication mechanisms and use the webserver environment variables for user information. The webserver, not DokuWiki, is responsible for authentication.

Installation

Download the zip file from GitHub and copy the contained directory into the lib/plugins directory of your DokuWiki installation. Rename it to authenvvars.

Or

Install the plugin using the Plugin Manager and the download URL above, which points to the latest version of the plugin.

Usage

In PHP, the environment variables are stored in the global $_SERVER variable. To get the user information, the administrator has to tell the plugin which environment variable stands for the username. This has to be done in the conf/local.php settings.

$conf['plugin']['authenvvars']['useridvar']   = 'REMOTE_USER';
$conf['plugin']['authenvvars']['usernamevar'] = 'AUTHENTICATE_GECOS';
$conf['plugin']['authenvvars']['emailvar']    = 'AUTHENTICATE_MAIL';
$conf['plugin']['authenvvars']['groupsvar']   = 'AUTHENTICATE_MEMBERUID';
$conf['plugin']['authenvvars']['groupattr']   = '';

The correct environment variable depends on the webserver module. Consult the webserver module documentation for the environment variables it provides.

Sometimes it is helpful to call phpinfo().

Examples

Let's take a look at two Apache modules and how to use this DokuWiki plugin to get the user information into DokuWiki. A possible Apache configuration is shown together with the plugin configuration.

Apache: mod-authnz-ldap

vhost.conf of the webserver:

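<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile    /etc/ssl/path/to/cert
    SSLCertificateKeyFile /etc/ssl/path/to/key
    SSLCertificateChainFile /etc/ssl/path/to/bundle

    ServerName myvhost.server
    DocumentRoot /var/www/html/mydocroot

    # The authentication directives are only valid in directory context
    <Location />
        AuthType Basic
        AuthName "DokuWiki"
        AuthBasicProvider ldap
        # Attributes listed in the URL (gecos, mail) are exported as AUTHENTICATE_* variables
        AuthLDAPUrl "ldaps://ldap.server/dc=ldap,dc=server?gecos,mail?sub?(objectClass=inetOrgPerson)"
        AuthLDAPBindDN cn=search,ou=dn,ou=to,dc=ldap,dc=server
        AuthLDAPBindPassword secret-for-binddn
        AuthLDAPGroupAttribute memberUid
        # memberUid holds plain user names, not DNs
        AuthLDAPGroupAttributeIsDN off
        Require ldap-group cn=valid,ou=groups,dc=ldap,dc=server
    </Location>
</VirtualHost>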

conf/local.php of dokuwiki:

$conf['plugin']['authenvvars']['useridvar']   = 'REMOTE_USER';
$conf['plugin']['authenvvars']['usernamevar'] = 'AUTHENTICATE_GECOS';
$conf['plugin']['authenvvars']['emailvar']    = 'AUTHENTICATE_MAIL';
$conf['plugin']['authenvvars']['groupsvar']   = '';
$conf['plugin']['authenvvars']['groupattr']   = '';

Apache: mod-auth-openidc

vhost.conf of the webserver:

<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile    /etc/ssl/path/to/cert
    SSLCertificateKeyFile /etc/ssl/path/to/key
    SSLCertificateChainFile /etc/ssl/path/to/bundle

    ServerName myvhost.server
    DocumentRoot /var/www/html/mydocroot

    OIDCProviderMetadataURL https://authorization.server/.well-known/openid-configuration
    OIDCProviderIssuer https://authorization.server
    OIDCClientID idfromauthorizationserver
    OIDCClientSecret secretfromauthorizationserver
    OIDCScope "openid profile email groups"
    # The redirect URI must use https, because this vhost only listens on port 443
    OIDCRedirectURI https://myvhost.server/redirecturi
    OIDCCryptoPassphrase arandomstring

    # Without an AuthType/Require pair no request is actually protected
    <Location />
        AuthType openid-connect
        Require valid-user
    </Location>
</VirtualHost>

conf/local.php of dokuwiki:

$conf['plugin']['authenvvars']['useridvar']   = 'OIDC_CLAIM_preferred_username';
$conf['plugin']['authenvvars']['usernamevar'] = 'OIDC_CLAIM_name';
$conf['plugin']['authenvvars']['emailvar']    = 'OIDC_CLAIM_email';
$conf['plugin']['authenvvars']['groupsvar']   = 'OIDC_CLAIM_groups';
$conf['plugin']['authenvvars']['groupattr']   = 'act';

Configuration and Settings

parameter: meaning
useridvar: The environment variable which contains the user id.
usernamevar: The environment variable which contains the user's name.
emailvar: The environment variable which contains the user's email address.
groupsvar: The environment variable which contains the groups. This plugin expects an array or an object in the form of a valid JSON string. json_decode() decodes the string into an (associative) array. Only the values of that array are important.
groupsattr: Contains the required key if the values of the group array are (associative) arrays.
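
The following added example (not the plugin's own code) shows how a groups variable of the kind described above can be decoded, for both a plain JSON array and an array of objects selected by the group key. The function names and all sample values are hypothetical and constructed for illustration; the configuration keys are written as in the conf/local.php examples above.

```php
<?php
// Added illustration, NOT the plugin's source. Function names are hypothetical.

/** Decode the JSON group string; only the values of the decoded array are used. */
function example_parse_groups(?string $raw, string $groupattr): array
{
    if ($raw === null || $raw === '') {
        return [];
    }
    $decoded = json_decode($raw, true);       // true: objects become associative arrays
    if (!is_array($decoded)) {
        return [];                            // invalid JSON or a scalar: no groups
    }
    $groups = [];
    foreach ($decoded as $value) {            // keys are ignored
        if (is_array($value)) {
            // Value is itself an (associative) array: take the configured key.
            if ($groupattr !== '' && isset($value[$groupattr]) && is_string($value[$groupattr])) {
                $groups[] = $value[$groupattr];
            }
        } elseif (is_string($value) && $value !== '') {
            $groups[] = $value;
        }
    }
    return array_values(array_unique($groups));
}

/** Build user info from a $_SERVER-like array; null when the webserver set no user id. */
function example_user_from_env(array $server, array $cfg): ?array
{
    $uid = $server[$cfg['useridvar']] ?? '';
    if (!is_string($uid) || $uid === '') {
        return null;                          // fail closed: nobody was authenticated
    }
    return [
        'user' => $uid,
        'name' => $server[$cfg['usernamevar']] ?? $uid,
        'mail' => $server[$cfg['emailvar']] ?? '',
        'grps' => example_parse_groups($server[$cfg['groupsvar']] ?? null, $cfg['groupattr']),
    ];
}

// Constructed sample input, using the variable names from the mod-auth-openidc example.
$cfg = ['useridvar' => 'OIDC_CLAIM_preferred_username', 'usernamevar' => 'OIDC_CLAIM_name',
        'emailvar' => 'OIDC_CLAIM_email', 'groupsvar' => 'OIDC_CLAIM_groups', 'groupattr' => 'act'];
$server = ['OIDC_CLAIM_preferred_username' => 'jdoe', 'OIDC_CLAIM_name' => 'Jane Doe',
           'OIDC_CLAIM_email' => 'jdoe@example.org',
           'OIDC_CLAIM_groups' => '[{"act":"wiki-editors"},{"act":"staff"}]'];
var_dump(example_user_from_env($server, $cfg));
var_dump(example_parse_groups('["admin","user"]', ''));   // plain array, no group key needed
var_dump(example_user_from_env([], $cfg));                 // user id variable missing
```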
plugin/authenvvars.1588502730.txt.gz · Last modified: 2020-05-03 12:45 by physiklehrer

Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International