Problems with 2014-05-05b and later
While this plugin works well for me in 2014-05-05a, it is broken for my setup in 2014-05-05b and newer releases. This is most likely due to the fix applied for the Null byte poisoning in LDAP authentication problem described at: http://www.freelists.org/post/dokuwiki/Fwd-Dokuwiki-maybe-security-issue-Null-byte-poisoning-in-LDAP-authentication
The hotfix was as follows:
diff -r dokuwiki-2014-05-05a/inc/auth.php dokuwiki-2014-05-05b/inc/auth.php 98c98 < // apply cleaning --- > // apply cleaning (auth specific user names, remove control chars) 100c100,101 < $INPUT->set('u', $auth->cleanUser($INPUT->str('u'))); --- > $INPUT->set('u', $auth->cleanUser(stripctl($INPUT->str('u')))); > $INPUT->set('p', stripctl($INPUT->str('p'))); 231c232 < if($auth->checkPass($user, $pass)) { --- > if(!empty($pass) && $auth->checkPass($user, $pass)) {
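Review bot: In the 100c100,101 hunk, stripctl() on 'p' silently rewrites the submitted password instead of rejecting it, so two inputs that differ only by control characters are treated as the same credential. Consider failing the login when stripctl() changes 'u' or 'p' rather than continuing with the altered value.

Review bot: In the 231c232 hunk, !empty($pass) rejects more than the empty string: PHP's empty() is also true for the string "0", so a password of "0" can no longer pass this check. If the aim is only to block empty passwords, compare explicitly with $pass !== ''. The guard also sits in inc/auth.php ahead of every $auth->checkPass() call, so it applies to all backends, including ones that are handed no password at this point; the check may fit better in the backend that needs it.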
My guess is that the password ($pass) may be empty during HTTP authentication mechanisms (I'm using LemonLDAP to provide both LDAP and GoogleApps authentication).
A simple fix for my setup was to revert part of this change using:
sed -i 's,if(!empty($pass) && ,if(,' inc/auth.php
Problems with Server API CGI/FASTCGI
I tried to use this plugin but it failed with the error (“No credentials found, is HTTP authentication enabled in your Webserver?”).
This is because my PHP is running as CGI / FASTCGI.
You can see this in phpinfo():
Server API CGI/FastCGI
(instead of Server API Apache 2.0 handler)
This website helped me to fix this problem: http://die.netzspielwiese.de/blog/server/2012-03/http-autorisierungsscript-in-php-mit-und-ohne-cgi-mode
How to solve the problem:
1.) Add to your .htaccess:
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization},L]
</IfModule>
2.) Modify the plugin: edit <dokuwiki>/lib/plugins/authhttp/auth.php
Add Line: 56
// limit 2 keeps colons inside the password intact
list($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']) = explode(':', base64_decode(substr($_SERVER['HTTP_AUTHORIZATION'], 6)), 2);
so that it now reads:
/* Make sure that HTTP authentication has been enabled in the Web
   server. Note that does not seem to work with PHP >= 4.3.0 and safe
   mode enabled! */
// Under CGI/FastCGI, rebuild PHP_AUTH_USER/PHP_AUTH_PW from the forwarded
// header; limit 2 keeps colons inside the password intact.
list($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']) = explode(':', base64_decode(substr($_SERVER['HTTP_AUTHORIZATION'], 6)), 2);
if ($_SERVER['PHP_AUTH_USER'] == "") {
    msg($this->getLang('nocreds'), -1);
    $this->success = false;
    return;
}
Plugin is working fine. Only one authentication in the http browser!
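An added example, not part of the posts above or of the plugin's code: a stricter way to recover the Basic credentials from the forwarded header under CGI/FastCGI. The function name parse_basic_auth and the sample headers are assumptions made for the illustration, and it rejects control characters outright where the DokuWiki hotfix strips them.

```php
<?php
/**
 * Hypothetical helper: parse an HTTP Basic Authorization header as
 * forwarded to PHP under CGI/FastCGI.
 * Returns [user, password], or null when the header is absent or malformed.
 */
function parse_basic_auth(array $server): ?array
{
    // The E= flag in the RewriteRule sets HTTP_AUTHORIZATION; after an
    // internal redirect Apache exposes it as REDIRECT_HTTP_AUTHORIZATION.
    $header = $server['HTTP_AUTHORIZATION']
        ?? $server['REDIRECT_HTTP_AUTHORIZATION']
        ?? '';

    // Accept only the Basic scheme instead of blindly skipping 6 bytes.
    if (!preg_match('/^Basic\s+(\S+)\s*$/i', $header, $m)) {
        return null;
    }

    // Strict mode rejects characters outside the base64 alphabet.
    $decoded = base64_decode($m[1], true);
    if ($decoded === false || strpos($decoded, ':') === false) {
        return null;
    }

    // Limit 2: everything after the first colon belongs to the password.
    [$user, $pass] = explode(':', $decoded, 2);

    // Refuse NUL and other control characters rather than handing them to
    // the auth backend (the null byte issue from the first post).
    if ($user === '' || preg_match('/[\x00-\x1F\x7F]/', $user . $pass)) {
        return null;
    }
    return [$user, $pass];
}

// Constructed sample headers, for illustration only.
$samples = [
    'Basic ' . base64_encode('alice:s3cr:et'), // colon inside the password
    'Basic ' . base64_encode("alice\0:x"),     // NUL byte in the user name
    'Bearer abc.def.ghi',                      // not the Basic scheme
];
foreach ($samples as $h) {
    var_dump(parse_basic_auth(['HTTP_AUTHORIZATION' => $h]));
}
```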