plugin:authsplit

Differences

This shows you the differences between two versions of the page.

plugin:authsplit [2013-07-07 11:49] – Synchronize with README rev b09b2fca73 78.53.205.96plugin:authsplit [2018-04-29 20:24] Aleksandr
Line 1: Line 1:
-====== Split authentication Plugin ======+====== Split Authentication Plugin ======
  
 ---- plugin ---- ---- plugin ----
Line 6: Line 6:
 email      : pieter@hollants.com email      : pieter@hollants.com
 type       : auth type       : auth
-lastupdate : 2013-07-07 +lastupdate : 2017-12-12 
-compatible : Weatherwax+compatible : Elenor of tsort, Ponder Stibbons, Hrun, Detritus, Frusterick Manners
 depends    :  depends    : 
 conflicts  conflicts 
-similar    : +similar    : authchained
 tags       : authentication split tags       : authentication split
  
Line 47: Line 47:
   * ''logOff()'': DokuWiki documentation says this method is run //"in addition to the usual logOff. Useful with trustExternal() to initiate actions for the external backend, eg. use it to clear cookies or similar actions".//\\ \\ authsplit just delegates the call to the //primary// auth plugin's ''logOff()'' method.\\ \\    * ''logOff()'': DokuWiki documentation says this method is run //"in addition to the usual logOff. Useful with trustExternal() to initiate actions for the external backend, eg. use it to clear cookies or similar actions".//\\ \\ authsplit just delegates the call to the //primary// auth plugin's ''logOff()'' method.\\ \\ 
   * ''getUserData()'': this is the method DokuWiki uses eg. to retrieve the user's real name for display in the "Logged in as" section in the upper right (if you use the default "DokuWiki" template). authsplit will call the //primary// auth plugin's ''getUserData()'' method only to make sure the user exists there and then return the //secondary// auth plugin's ''getUserData()'' information to DokuWiki. Thus, a user has to be known to both auth plugins, but the //secondary//'s user information matters. Any group membership information returned from the //primary// auth plugin will be silently ignored.\\ \\    * ''getUserData()'': this is the method DokuWiki uses eg. to retrieve the user's real name for display in the "Logged in as" section in the upper right (if you use the default "DokuWiki" template). authsplit will call the //primary// auth plugin's ''getUserData()'' method only to make sure the user exists there and then return the //secondary// auth plugin's ''getUserData()'' information to DokuWiki. Thus, a user has to be known to both auth plugins, but the //secondary//'s user information matters. Any group membership information returned from the //primary// auth plugin will be silently ignored.\\ \\ 
-  * ''createUser()'': this is the method that gets called if users register themselves or the Admin uses DokuWiki's user manager to create an account for them.\\ \\ authhttp will first check if the user is not known to the //primary// auth plugin yet and whether it is capable of adding users. If so, it will try to create the user there, first. This is so that you can use DokuWiki to quickly create a user both in DokuWiki **and** your common authentication source without having to fire up whatever admin tool the //primary// auth plugin would otherwise require.\\ \\ If successful (or the //primary// auth plugin does not support adding users, as is the case for authhttp), the user is then created in the //secondary// auth plugin but with an **empty** password. This is by intent since passwords are supposed to come from the //primary// auth plugin.\\ \\ This also means that an Admin can not specify a password in the user manager unless the //primary// auth plugin reports being capable of modifying passwords, too. If not (and this is the case eg. for [[plugin:authhttp]]), this also means that in the user self-registration form, users should not be able to specify a password and DokuWiki should not try to generate one for them because it wouldn't be stored anywhere and the user would thus get irritated. [[plugin:authhttp]] eg. comes with an action plugin that takes care of this.\\ \\+  * ''createUser()'': this is the method that gets called if users register themselves or the Admin uses DokuWiki's user manager to create an account for them.\\ \\ authsplit will first check if the user is not known to the //primary// auth plugin yet and whether it is capable of adding users. If so, it will try to create the user there, first. 
This is so that you can use DokuWiki to quickly create a user both in DokuWiki **and** your common authentication source without having to fire up whatever admin tool the //primary// auth plugin would otherwise require.\\ \\ If successful (or the //primary// auth plugin does not support adding users, as is the case for authhttp), the user is then created in the //secondary// auth plugin but with an **empty** password. This is by intent since passwords are supposed to come from the //primary// auth plugin.\\ \\ This also means that an Admin can not specify a password in the user manager unless the //primary// auth plugin reports being capable of modifying passwords, too. If not (and this is the case eg. for [[plugin:authhttp]]), this also means that in the user self-registration form, users should not be able to specify a password and DokuWiki should not try to generate one for them because it wouldn't be stored anywhere and the user would thus get irritated. [[plugin:authhttp]] eg. comes with an action plugin that takes care of this.\\ \\
   * ''modifyUser()'': where authsplit routes a change depends on the actual change itself:   * ''modifyUser()'': where authsplit routes a change depends on the actual change itself:
 +    * for login names, real names and email addresses, authsplit will try to modify in the //primary// auth plugin first (if that plugin reports being capable of modifying it, that is), then in the //secondary// auth plugin.
     * passwords are modified in the //primary// auth plugin only since by design the //secondary// auth plugin knows empty ones only     * passwords are modified in the //primary// auth plugin only since by design the //secondary// auth plugin knows empty ones only
-    * group membership is always modified in the //secondary// auth plugin +    * group membership is always modified in the //secondary// auth plugin\\ \\ 
-    * for login names, real names and email addresses, authsplit will try to modify in the //primary// auth plugin first (if that plugin reports being capable of modifying it, that is), then in the //secondary// auth plugin.\\ \\ +
   * ''deleteUser()'': authsplit will **always** route delete user requests to the //secondary// auth plugin only. This is because it can't know whether user accounts known to the //primary// auth plugin are yet in use by other software. Thus, deleting a user with the user manager will remove knowledge of his or her existance in DokuWiki only.\\ \\   * ''deleteUser()'': authsplit will **always** route delete user requests to the //secondary// auth plugin only. This is because it can't know whether user accounts known to the //primary// auth plugin are yet in use by other software. Thus, deleting a user with the user manager will remove knowledge of his or her existance in DokuWiki only.\\ \\
   * ''retrieveUsers()'' / ''getUserCount()'': authsplit will always route these method calls to the //secondary// auth plugin, following the concept that DokuWiki's user manager is supposed to manage DokuWiki users in the first place. Thus, even if the //primary// auth plugin offered these methods, the user lists and counts obtained there would not be of much use since, unless ''autocreate_users'' is enabled, only the //secondary// auth plugin would really know which users resp. how many users really had DokuWiki access.\\ \\   * ''retrieveUsers()'' / ''getUserCount()'': authsplit will always route these method calls to the //secondary// auth plugin, following the concept that DokuWiki's user manager is supposed to manage DokuWiki users in the first place. Thus, even if the //primary// auth plugin offered these methods, the user lists and counts obtained there would not be of much use since, unless ''autocreate_users'' is enabled, only the //secondary// auth plugin would really know which users resp. how many users really had DokuWiki access.\\ \\
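Review bot: the modifyUser() bullet that now leads the list says login names, real names and email addresses are modified "in the //primary// auth plugin first ... then in the //secondary// auth plugin", but it does not say what happens when the primary change succeeds and the secondary one fails. For a login name that would leave the two backends disagreeing about the account, so the text should state whether the second step is skipped, retried or rolled back. The unchanged deleteUser() bullet could also note that, going by the autocreate_users description further down the page, a user removed only from the secondary plugin still exists in the primary one and would get a new account created again while that setting is enabled.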
Line 60: Line 60:
 So to summarize which auth plugins are involved in which method calls: So to summarize which auth plugins are involved in which method calls:
  
-| | **Primary auth plugin** | **Secondary auth plugin** | +|| **Primary auth plugin** | **Secondary auth plugin** | 
-| ''checkPass()'' | Authenticated here | Existance required\\ (Can create if enabled) | +| ''checkPass()'' || Authenticated here | User existance required\\ //(Can create if ''autocreate_users'' == 1)// 
-| ''trustExternal()'' | Authenticated here | Existance required\\ (Can create if enabled) | +| ''trustExternal()'' || Authenticated here | User existance required\\ //(Can create if ''autocreate_users'' == 1)// 
-| ''logOff()'' | Done here | - | +| ''logOff()'' || Done here | - | 
-| ''getUserData()''Existance required | Stored here | +| ''getUserData()'' || User existance required | Stored here | 
-| ''createUser()''Can create here if supported | Created here | +| ''createUser()'' || Created here\\ //(If supported by the auth plugin)// | Created here | 
-| ''modifyUser()'' | //Depends on the information being modified// || +| ''modifyUser()'' || //Depends on the information being modified:// |
-| ''deleteUser()'' | - | Deleted here | +| | Login names | Modified here\\ //(If supported by the auth plugin)// | Modified here | 
-| ''retrieveUsers()'' | - | Stored here | +| | Real names | Modified here\\ //(If supported by the auth plugin)// | Modified here | 
-| ''getUserCount()'' | - | Counted here | +| | eMail addresses | Modified here\\ //(If supported by the auth plugin)// | Modified here | 
-| ''addGroup()'' | - | Created here | +| | Passwords | Modified here | - | 
-| ''retrieveGroups()'' | - | Retrieved here | +| | Group memberships | - | Modified here 
-| ''isCaseSensitive()'' | Determined here | - | +| ''deleteUser()'' || - | Deleted here | 
-| ''cleanUser()'' | Determined here | - | +| ''retrieveUsers()'' || - | Retrieved here | 
-| ''cleanGroup()'' | - | Determined here |+| ''getUserCount()'' || - | Counted here | 
 +| ''addGroup()'' || - | Created here | 
 +| ''retrieveGroups()'' || - | Retrieved here | 
 +| ''isCaseSensitive()'' || Determined here | - | 
 +| ''cleanUser()'' || Determined here | - | 
 +| ''cleanGroup()'' || - | Determined here |
  
 This theory tells you, for example, that if you combine [[plugin:authplain]] as //primary// auth plugin with [[plugin:authmysql]] as //secondary// auth plugin: This theory tells you, for example, that if you combine [[plugin:authplain]] as //primary// auth plugin with [[plugin:authmysql]] as //secondary// auth plugin:
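Review bot: in the new table the checkPass(), trustExternal() and "Group memberships" rows end without a closing "|", unlike every other row, and the modifyUser() row has one cell fewer than the rows around it now that the trailing "||" span is gone; add the missing pipes and restore the span so the columns line up. The misspelling "existance" is carried over into the new cells ("User existance required") and should read "existence".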
Line 97: Line 102:
   * ''primary_authplugin'': This is the DokuWiki auth plugin that will be used to validate login names and passwords. An example candidate is my authhttp plugin.   * ''primary_authplugin'': This is the DokuWiki auth plugin that will be used to validate login names and passwords. An example candidate is my authhttp plugin.
   * ''secondary_authplugin'': This is the DokuWiki auth plugin that will be used to store additional user information such as real names, email addresses and groups.   * ''secondary_authplugin'': This is the DokuWiki auth plugin that will be used to store additional user information such as real names, email addresses and groups.
 +  * ''username_caseconversion'': If one of the two auth plugins used is case-sensitive, it may be necessary to enable this setting to let authsplit convert the username to either uppercase or lowercase (eg. when combining authldap which is case-insensitive with authsplit which is not).
   * ''autocreate_users'': If enabled, authsplit will automatically create user accounts for any users that exist in the //primary// auth plugin, but are yet unknown in the //secondary// auth plugin. If disabled, users will either have to register themselves or created by the admin (eg. if registration has been disabled).   * ''autocreate_users'': If enabled, authsplit will automatically create user accounts for any users that exist in the //primary// auth plugin, but are yet unknown in the //secondary// auth plugin. If disabled, users will either have to register themselves or created by the admin (eg. if registration has been disabled).
- +  * ''debug'': If enabled, authsplit will flood the screen with debugging messages meant to aid in troubleshooting its operation. This setting should not be enabled in productive setups.
-Sample settings for using authhttp and authplain, without automatic user creation: +
- +
-<code php> +
-$conf['authtype'] = 'authsplit'; +
-$conf['plugin']['authsplit']['primary_authplugin'] = 'authhttp'; +
-$conf['plugin']['authsplit']['secondary_authplugin'] = 'authplain'; +
-$conf['plugin']['authsplit']['autocreate_users'] = 0; +
-</code>+
  
 Note that you'll have to take some of the used auth plugin's settings into consideration whereas some may not apply any longer due to the way authsplit works. For example, when using [[plugin:authhttp]] as the //primary// auth plugin, [[plugin:authhttp]]'s configuration settings no longer have any effect since all email addresses and group information come from the //secondary// auth plugin instead. Note that you'll have to take some of the used auth plugin's settings into consideration whereas some may not apply any longer due to the way authsplit works. For example, when using [[plugin:authhttp]] as the //primary// auth plugin, [[plugin:authhttp]]'s configuration settings no longer have any effect since all email addresses and group information come from the //secondary// auth plugin instead.
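Review bot: the example in the new username_caseconversion line reads "when combining authldap which is case-insensitive with authsplit which is not", but authsplit is the plugin doing the combining, so the second name is presumably meant to be another auth plugin; name it, and list the values the setting accepts, since the text only says "either uppercase or lowercase". The debug line should say what the messages contain, given that they are written to the screen, and "productive setups" should read "production setups". This hunk also removes the only sample configuration, which leaves the page without an example of how these settings are written in the config file.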
Line 115: Line 113:
 ===== Credits ===== ===== Credits =====
  
-This plugin in based on ideas in [[auth:ggauth|the ggauth auth backend]] by [[mailto:grant@lastweekend.com.au|Grant Gardner]]. Grant does not actively maintain ggauth anymore, so an update for the new auth plugins concept is unlikely.+This plugin is based on ideas in [[auth:ggauth|the ggauth auth backend]] by [[mailto:grant@lastweekend.com.au|Grant Gardner]]. Grant does not actively maintain ggauth anymore, so an update for the new auth plugins concept is unlikely
 + 
 +Support for external authentication was contributed by [[mailto:david.darras@univ-lille1.fr|David Darras]].
  
 ===== Discussion ===== ===== Discussion =====
plugin/authsplit.txt · Last modified: 2023-09-20 20:51 by Klap-in

Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International