Differences

This shows you the differences between two versions of the page.

--- plugin:authpdo [2016-08-03 22:15] – [General Settings] uwe.kuhmann
+++ plugin:authpdo [2018-05-03 19:07] – Aleksandr
@@ Line 7: / Line 7: @@
 type       : auth
 lastupdate : 2016-01-30
-compatible : detritus
+compatible : (bundled)
 depends    :
 conflicts  :
@@ Line 22: / Line 22: @@
 This plugin allows to configure your wiki to authenticate against an existing database using PHP's PDO extension. Typical use cases are integrating DokuWiki with a web forum, blog or bug tracker.
+===== Real World Examples =====
+Before you go forward to [[#Configuration]] section, let's see quickly how many and what kind of real world configurations of PDO Authentication exist. The variation reflects the flexibility PDO is offering.
+  * [[plugin:authpdo:moodle|Moodle]] -- an e-learning system [[https://moodle.org/|moodle.org]]
+  * [[plugin:authpdo:phpbb3|phpBB3]] -- an open-source bulletin-board system [[https://www.phpbb.com/|phpbb.com]]
+  * [[plugin:authpdo:Nextcloud|Nextcloud]] -- a private cloud system [[https://nextcloud.com/|nextcloud.com]]
+  * [[plugin:authpdo:Questions2Answers|Questions2Answers]] -- Q&A Forum [[http://www.question2answer.org/|question2answer.org]]
 ===== Configuration =====
@@ Line 27: / Line 38: @@
 To configure this plugin, some experience with database queries and the SQL query language is required. Sample configurations for popular systems will soon be provided by the community.
-The configuration consists mostly of SQL statements to access your database. The plugin itself is completely database agnostic. You can use it to access any database supported by PDO - refer to [[http://php.net/manual/en/pdo.drivers.php|PDO Drivers]] to learn more.
+The configuration consists mostly of SQL statements to access your database. The plugin itself is completely database agnostic. You can use it to access any database supported by PDO -- refer to [[http://php.net/manual/en/pdo.drivers.php|PDO Drivers]] to learn more.
 In most of the statements named PDO placeholders are used (colon prefixed alphanumeric). These represent the actual data that will be inserted into the statement. The PDO driver takes care of proper escaping - you do not have to worry about it.
@@ Line 34: / Line 45: @@
 Each option below comes with an example that shows how the statement would look for a fictive [[#example database]] given at the end of this page.
 ==== General Settings ====
 === Option 'debug' ===
 This setting will output detailed error messages whenever something goes wrong. You most probably want to enable this during the initial configuration of the plugin. Once everything works you should definitely disable this again as it may leak important information to possible attackers.
 === Option 'dsn' ===
@@ Line 57: / Line 71: @@
   * [[http://php.net/manual/en/ref.pdo-pgsql.connection.php|PDO_PGSQL DSN]]
   * [[http://php.net/manual/en/ref.pdo-sqlite.connection.php|PDO_SQLITE DSN]]
 === Option 'user' ===
 This option configures the user to use to connect to the database. You can leave it empty for sqlite databases.
 === Option 'pass' ===
 This is the password for above user. You can leave it empty for sqlite databases.
 ==== Related Core Settings ====
@@ Line 70: / Line 87: @@
 There are a couple of settings you most probably want to tune when enabling authpdo:
-  * [[config:authtype|Configuration Setting: authtype]] - enable the plugin here
+  * [[config:authtype|Configuration Setting: authtype]] -- enable the plugin here
-  * [[config:superuser|Configuration Setting: superuser]] - all users are read from your database when enabling authpdo, your super user probably is named differently than your initial local wiki admin
+  * [[config:superuser|Configuration Setting: superuser]] -- all users are read from your database when enabling authpdo, your super user probably is named differently than your initial local wiki admin
-  * [[config:passcrypt|Configuration Setting: passcrypt]] - this setting defines how new passwords are saved in the database, it should match your database's application
+  * [[config:passcrypt|Configuration Setting: passcrypt]] -- this setting defines how new passwords are saved in the database, it should match your database's application
+  * [[config:defaultgroup|Configuration Setting: defaultgroup]] -- This group is added by default to all users regardless of the groups that might be pulled from the database. Make sure that you don’t grant more rights than necessary to this group.
 ==== Minimal SQL Setup ====
 This plugin gains more capabilities the more of the configuration you fill in. You can leave out configuration at the expense of functionality. However a few statements are required to have minimal login functionality:
 === Option 'select-user' ===
@@ Line 82: / Line 102: @@
 This statement is used to get a single user from the database. This statement should return exactly one row if the user exists. Or no row if it doesn't.
-^ Guaranteed Placeholders ^^
+^ Guaranteed Placeholders                                                                                                                                                                                                                         ||
-| '':user''    | the username of the user whose data is requested  |
+| '':user''                   | the username of the user whose data is requested                                                                                                                                                                   |
-^ Mandatory fields to return ^^
+^ Mandatory fields to return                                                                                                                                                                                                                      ||
-| ''user''     | the user name as written in the database |
+| ''user''                    | the user name as written in the database                                                                                                                                                                           |
-| ''hash'' or ''clear''  | either the hashed password of the user or the clear text password((you really shouldn't store clear text passwords!)) |
+| ''hash'' or ''clear''       | either the hashed password of the user or the clear text password((you really shouldn't store clear text passwords!))\\ If you do not return this field you have to implement the [[#Option check-pass]] instead.  |
-| ''mail''     | the email address of the user |
+| ''mail''                    | the email address of the user                                                                                                                                                                                      |
-| ''name''     | the full name of the user |
+| ''name''                    | the full name of the user                                                                                                                                                                                          |
-^ Optional fields to return ^^
+^ Optional fields to return                                                                                                                                                                                                                       ||
-| ''*''        | you may return any arbitrary field you may need later to identify the user. Typically a user ID makes sense. Eg. we're returning a ''uid'' in the example below |
+| ''*''                       | you may return any arbitrary field you may need later to identify the user. Typically a user ID makes sense. Eg. we're returning a ''uid'' in the example below                                                    |
 Example:
@@ Line 102: / Line 122: @@
  WHERE "login" = :user
 </code>
 === Option 'select-user-groups' ===
@@ Line 122: / Line 143: @@
    AND m."uid" = :uid
 </code>
+=== Option 'check-pass' ===
+:!: If your database uses one of the [[config:passcrypt|hashing mechanisms]] supported in DokuWiki you don't need (and shouldn't) set this option. It is only needed if you want to do the password check directly in a SQL statement. This is useful where other fields are used as salt.
+This statement is used to check the password a user is providing upon login.
+When you set up this setting, your ''select-user'' user statement does not need to return a ''hash'' or ''pass'' field.
+This statement should return a single row on success and no rows on failure.
+^ Guaranteed Placeholders ^^
+| '':user''    | the username of the user who is trying to login  |
+| '':clear''   | the clear text password the user entered  |
+| '':hash''    | the hashed password using the hashing defined in [[config:passcrypt|passcrypt]] |
+^ Optional Placeholders ^^
+| ''*''        | Any field you returned in [[#Option 'select-user']] is available as a placeholder here (prefixed by a colon). |
+Example:
+<code tsql>
+SELECT uid
+  FROM user
+ WHERE login = :user
+   AND pass = MD5(CONCAT(MD5(user), MD5(:clear)))
+</code>
 ==== Additional SQL Setup ====
@@ Line 187: / Line 235: @@
      VALUES (:user, :hash, :name, :mail)
 </code>
 === Option 'delete-user' ===
@@ Line 201: / Line 250: @@
 DELETE FROM "user" WHERE "id" = :uid
 </code>
 === Option 'list-users' ===
@@ Line 208: / Line 258: @@
 ^ Guaranteed Placeholders ^^
 | '':user''    | A ''%'' wrapped search string to search in logins |
-| '':group''    | A ''%'' wrapped search string to search in group names  |
+| '':group''   | A ''%'' wrapped search string to search in group names  |
 | '':name''    | A ''%'' wrapped search string to search in user full names |
 | '':mail''    | A ''%'' wrapped search string to search in email addresses   |
-| '':start''    | The start offset to limit the results  |
+| '':start''   | The start offset to limit the results  |
-| '':limit''    | The wanted number of results  |
+| '':limit''   | The wanted number of results  |
-| '':end''    | The end offset of wanted results (start+limit) |
+| '':end''     | The end offset of wanted results (start+limit) |
 ^ Mandatory fields to return ^^
 | ''user''     | The login name |
@@ Line 232: / Line 282: @@
    LIMIT :start,:limit
 </code>
 === Option 'count-users' ===
@@ Line 239: / Line 290: @@
 ^ Guaranteed Placeholders ^^
 | '':user''    | A ''%'' wrapped search string to search in logins |
-| '':group''    | A ''%'' wrapped search string to search in group names  |
+| '':group''   | A ''%'' wrapped search string to search in group names  |
 | '':name''    | A ''%'' wrapped search string to search in user full names |
 | '':mail''    | A ''%'' wrapped search string to search in email addresses   |
 ^ Mandatory fields to return ^^
-| ''user''     | The login name |
+| ''count''    | Number of users |
 <code tsql>
@@ Line 258: / Line 308: @@
    AND U."mail"  LIKE :mail
 </code>
 === Option 'update-user-login' ===
@@ Line 275: / Line 326: @@
  WHERE "id"    = :uid
 </code>
 === Option 'update-user-info' ===
@@ Line 296: / Line 348: @@
  WHERE "id"   = :uid
 </code>
 === Option 'update-user-pass' ===
@@ Line 315: / Line 368: @@
  WHERE "id"   = :uid
 </code>
 === Option 'insert-group' ===
@@ Line 327: / Line 381: @@
      VALUES (:group)
 </code>
 === Option 'join-group' ===
@@ Line 343: / Line 398: @@
      VALUES (:uid, :gid)
 </code>
 === Option 'leave-group' ===
@@ Line 359: / Line 415: @@
         AND "gid" = :gid
 </code>
 ===== Example Database =====
@@ Line 366: / Line 423: @@
 {{ :plugin:authpdo-example.png?280}}
-<code sql>
+<code tsql>
 CREATE TABLE user (
     "id" INTEGER PRIMARY KEY AUTOINCREMENT,
@@ Line 384: / Line 441: @@
 );
 </code>
 ===== A Warning on MySQL MyISAM =====