DokuWiki

plugin:authsplit

Differences

This shows you the differences between two versions of the page.

plugin:authsplit [2013-05-04 16:21]
62.143.180.167
plugin:authsplit [2017-02-27 15:37] (current)
88.128.80.16
Line 1: Line 1:
-====== Split authentication ​Plugin ======+====== Split Authentication ​Plugin ======
  
 ---- plugin ---- ---- plugin ----
Line 6: Line 6:
 email      : pieter@hollants.com email      : pieter@hollants.com
 type       : auth type       : auth
-lastupdate : 2013-05-04 +lastupdate : 2017-02-27 
-compatible : Weatherwax+compatible : Elenor of tsort, Ponder Stibbons, Hrun, Detritus, Frusterick Manners
 depends ​   :  depends ​   : 
 conflicts ​ :  conflicts ​ : 
 similar ​   :  similar ​   : 
-tags       : ​auth authentication split+tags       : authentication split
  
 downloadurl:​ https://​github.com/​pief/​authsplit/​zipball/​master downloadurl:​ https://​github.com/​pief/​authsplit/​zipball/​master
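Review bot: The new `compatible` line no longer lists Weatherwax, yet the notice edited in this same revision still reads "DokuWiki Weatherwax (2013-05-10a) and later". The two statements disagree about the oldest supported release. Either keep Weatherwax in `compatible` or raise the minimum release named in the notice, so that an admin picking an auth plugin for an older install is not misled.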
Line 21: Line 21:
 ---- ----
  
-:!: This is an authentication plugin for DokuWiki Weatherwax ​RC1 (2013-03-06) and later! For a solution for earlier DokuWiki versions please refer to [[auth:​ggauth|ggauth]].+:!: This is an authentication plugin for DokuWiki Weatherwax (2013-05-10a) and later! For a solution for earlier DokuWiki versions please refer to [[auth:​ggauth|ggauth]].
  
 ===== Description ===== ===== Description =====
Line 40: Line 40:
  
 authsplit maps DokuWiki'​s authentication method calls as follows: authsplit maps DokuWiki'​s authentication method calls as follows:
-  * ''​checkPass()'':​ this is DokuWiki'​s method that validates login names and passwords. authsplit will first make sure that the //primary// auth plugin validates both login name and password successfully. If a user is not known here, he is not known to DokuWiki at all.\\ \\ If known and the password matches, authsplit will then try to obtain the additional user information (real name, email address, groups) from the //​secondary//​ auth plugin which means that the user will have to be known there by the same login name, too. If not, behaviour depends on the ''​autocreate_users''​ configuration setting:+  * ''​checkPass()'':​ this is DokuWiki'​s method that validates login names and passwords. authsplit will first make sure that the //primary// auth plugin validates both login name and password successfully. If a user is not known here, he is not known to DokuWiki at all.\\ \\ If known and the password matches, ​authsplit then calls the internal helper method ''​_checkUserOnSecondaryAuthPlugin()''​ (see below).\\ \\ 
 +  * ''​trustExternal()'':​ this is the method DokuWiki calls if the //primary// auth plugin uses external authentication. ​authsplit will let the auth plugin itself do whatever authentication is required, eg. against a third-party cookie.\\ \\ As with ''​checkPass()'',​ ''​_checkUserOnSecondaryAuthPlugin()''​ is then called. Due to the semantics of external authentication,​ however, the method ends by doing an additional call to ''​getUserData()''​ to update the global ''​$USERINFO''​ array with the information from the //​secondary//​ auth plugin.\\ \\ 
 +  * ''​_checkUserOnSecondaryAuthPlugin()'':​ This is an internal helper method that tries to obtain the additional user information (real name, email address, groups) from the //​secondary//​ auth plugin which means that the user will have to be known there by the same login name, too. If not, behaviour depends on the ''​autocreate_users''​ configuration setting:
     * if enabled (and the //​secondary//​ auth plugin reports being capable of adding users), authsplit will create a user account there, too, using user information from the //primary// auth plugin as basis. As this information will most likely not be very useful, the user will not only be notified that an account has been automatically created for him or her, but that (s)he should also review his or her user profile.     * if enabled (and the //​secondary//​ auth plugin reports being capable of adding users), authsplit will create a user account there, too, using user information from the //primary// auth plugin as basis. As this information will most likely not be very useful, the user will not only be notified that an account has been automatically created for him or her, but that (s)he should also review his or her user profile.
     * otherwise the user seems to DokuWiki to be not logged in and will thus most likely see an "​Access denied"​ page. He or she will either have to register him- or herself or, if self-registration has been disabled, the Admin will have to create an account for him or her.\\ \\      * otherwise the user seems to DokuWiki to be not logged in and will thus most likely see an "​Access denied"​ page. He or she will either have to register him- or herself or, if self-registration has been disabled, the Admin will have to create an account for him or her.\\ \\ 
 +  * ''​logOff()'':​ DokuWiki documentation says this method is run //"in addition to the usual logOff. Useful with trustExternal() to initiate actions for the external backend, eg. use it to clear cookies or similar actions"​.//​\\ \\ authsplit just delegates the call to the //primary// auth plugin'​s ''​logOff()''​ method.\\ \\ 
   * ''​getUserData()'':​ this is the method DokuWiki uses eg. to retrieve the user's real name for display in the "​Logged in as" section in the upper right (if you use the default "​DokuWiki"​ template). authsplit will call the //primary// auth plugin'​s ''​getUserData()''​ method only to make sure the user exists there and then return the //​secondary//​ auth plugin'​s ''​getUserData()''​ information to DokuWiki. Thus, a user has to be known to both auth plugins, but the //​secondary//'​s user information matters. Any group membership information returned from the //primary// auth plugin will be silently ignored.\\ \\    * ''​getUserData()'':​ this is the method DokuWiki uses eg. to retrieve the user's real name for display in the "​Logged in as" section in the upper right (if you use the default "​DokuWiki"​ template). authsplit will call the //primary// auth plugin'​s ''​getUserData()''​ method only to make sure the user exists there and then return the //​secondary//​ auth plugin'​s ''​getUserData()''​ information to DokuWiki. Thus, a user has to be known to both auth plugins, but the //​secondary//'​s user information matters. Any group membership information returned from the //primary// auth plugin will be silently ignored.\\ \\ 
-  * ''​createUser()'':​ this is the method that gets called if users register themselves or the Admin uses DokuWiki'​s user manager to create an account for them.\\ \\ authhttp ​will first check if the user is not known to the //primary// auth plugin yet and whether it is capable of adding users. If so, it will try to create the user there, first. This is so that you can use DokuWiki to quickly create a user both in DokuWiki **and** your common authentication source without having to fire up whatever admin tool the //primary// auth plugin would otherwise require.\\ \\ If successful (or the //primary// auth plugin does not support adding users, as is the case for authhttp), the user is then created in the //​secondary//​ auth plugin but with an **empty** password. This is by intent since passwords are supposed to come from the //primary// auth plugin.\\ \\ This also means that an Admin can not specify a password in the user manager unless the //primary// auth plugin reports being capable of modifying passwords, too. If not (and this is the case eg. for [[plugin:​authhttp]]),​ this also means that in the user self-registration form, users should not be able to specify a password and DokuWiki should not try to generate one for them because it wouldn'​t be stored anywhere and the user would thus get irritated. [[plugin:​authhttp]] eg. comes with an action plugin that takes care of this.\\ \\+  * ''​createUser()'':​ this is the method that gets called if users register themselves or the Admin uses DokuWiki'​s user manager to create an account for them.\\ \\ authsplit ​will first check if the user is not known to the //primary// auth plugin yet and whether it is capable of adding users. If so, it will try to create the user there, first. 
This is so that you can use DokuWiki to quickly create a user both in DokuWiki **and** your common authentication source without having to fire up whatever admin tool the //primary// auth plugin would otherwise require.\\ \\ If successful (or the //primary// auth plugin does not support adding users, as is the case for authhttp), the user is then created in the //​secondary//​ auth plugin but with an **empty** password. This is by intent since passwords are supposed to come from the //primary// auth plugin.\\ \\ This also means that an Admin can not specify a password in the user manager unless the //primary// auth plugin reports being capable of modifying passwords, too. If not (and this is the case eg. for [[plugin:​authhttp]]),​ this also means that in the user self-registration form, users should not be able to specify a password and DokuWiki should not try to generate one for them because it wouldn'​t be stored anywhere and the user would thus get irritated. [[plugin:​authhttp]] eg. comes with an action plugin that takes care of this.\\ \\
   * ''​modifyUser()'':​ where authsplit routes a change depends on the actual change itself:   * ''​modifyUser()'':​ where authsplit routes a change depends on the actual change itself:
 +    * for login names, real names and email addresses, authsplit will try to modify in the //primary// auth plugin first (if that plugin reports being capable of modifying it, that is), then in the //​secondary//​ auth plugin.
     * passwords are modified in the //primary// auth plugin only since by design the //​secondary//​ auth plugin knows empty ones only     * passwords are modified in the //primary// auth plugin only since by design the //​secondary//​ auth plugin knows empty ones only
-    * group membership is always modified in the //​secondary//​ auth plugin +    * group membership is always modified in the //​secondary//​ auth plugin\\ \\ 
-    * for login names, real names and email addresses, authsplit will try to modify in the //primary// auth plugin first (if that plugin reports being capable of modifying it, that is), then in the //​secondary//​ auth plugin.\\ \\ +
   * ''​deleteUser()'':​ authsplit will **always** route delete user requests to the //​secondary//​ auth plugin only. This is because it can't know whether user accounts known to the //primary// auth plugin are yet in use by other software. Thus, deleting a user with the user manager will remove knowledge of his or her existance in DokuWiki only.\\ \\   * ''​deleteUser()'':​ authsplit will **always** route delete user requests to the //​secondary//​ auth plugin only. This is because it can't know whether user accounts known to the //primary// auth plugin are yet in use by other software. Thus, deleting a user with the user manager will remove knowledge of his or her existance in DokuWiki only.\\ \\
   * ''​retrieveUsers()''​ / ''​getUserCount()'':​ authsplit will always route these method calls to the //​secondary//​ auth plugin, following the concept that DokuWiki'​s user manager is supposed to manage DokuWiki users in the first place. Thus, even if the //primary// auth plugin offered these methods, the user lists and counts obtained there would not be of much use since, unless ''​autocreate_users''​ is enabled, only the //​secondary//​ auth plugin would really know which users resp. how many users really had DokuWiki access.\\ \\   * ''​retrieveUsers()''​ / ''​getUserCount()'':​ authsplit will always route these method calls to the //​secondary//​ auth plugin, following the concept that DokuWiki'​s user manager is supposed to manage DokuWiki users in the first place. Thus, even if the //primary// auth plugin offered these methods, the user lists and counts obtained there would not be of much use since, unless ''​autocreate_users''​ is enabled, only the //​secondary//​ auth plugin would really know which users resp. how many users really had DokuWiki access.\\ \\
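Review bot: The new `_checkUserOnSecondaryAuthPlugin()` bullet does not say which groups an automatically created account receives. It says the account is created "using user information from the primary auth plugin as basis", while the `getUserData()` bullet says group membership from the primary auth plugin "will be silently ignored". Because `trustExternal()` now reaches the same helper, with `autocreate_users` enabled every identity the external backend accepts ends up with a wiki account, so the group assignment decides what those accounts can read and edit. Please state it explicitly in the `autocreate_users` sub-bullet, for example whether primary groups are copied at creation time or the account starts with no groups beyond the wiki's default.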
Line 57: Line 60:
 So to summarize which auth plugins are involved in which method calls: So to summarize which auth plugins are involved in which method calls:
  
-| | **Primary auth plugin** | **Secondary auth plugin** | +|| **Primary auth plugin** | **Secondary auth plugin** | 
-| ''​checkPass()''​ | Stored ​here | Existance ​required\\ (Can create if enabled) | +| ''​checkPass()''​ || Authenticated ​here | User existance ​required\\ ​//(Can create if ''​autocreate_users''​ == 1)// | 
-| ''​getUserData()''​ | Existance ​required | Stored here | +| ''​trustExternal()''​ || Authenticated here | User existance required\\ //(Can create if ''​autocreate_users''​ == 1)// | 
-| ''​createUser()''​ | Can create ​here if supported | Created here | +| ''​logOff()''​ || Done here | - 
-| ''​modifyUser()''​ | //Depends on the information being modified// || +| ''​getUserData()''​ || User existance ​required | Stored here | 
-| ''​deleteUser()''​ | - | Deleted here | +| ''​createUser()''​ || Created ​here\\ //(If supported ​by the auth plugin)// ​| Created here | 
-| ''​retrieveUsers()''​ | - | Stored ​here | +| ''​modifyUser()'' ​|| //Depends on the information being modified:// |
-| ''​getUserCount()''​ | - | Counted here | +| | Login names | Modified here\\ //(If supported by the auth plugin)// | Modified here | 
-| ''​addGroup()''​ | - | Created here | +| | Real names | Modified here\\ //(If supported by the auth plugin)// | Modified here | 
-| ''​retrieveGroups()''​ | - | Retrieved here | +| | eMail addresses | Modified here\\ //(If supported by the auth plugin)// | Modified here | 
-| ''​isCaseSensitive()''​ | Determined here | - | +| | Passwords | Modified here | - | 
-| ''​cleanUser()''​ | Determined here | - | +| | Group memberships | - | Modified here 
-| ''​cleanGroup()''​ | - | Determined here |+| ''​deleteUser()'' ​|| - | Deleted here | 
 +| ''​retrieveUsers()'' ​|| - | Retrieved ​here | 
 +| ''​getUserCount()'' ​|| - | Counted here | 
 +| ''​addGroup()'' ​|| - | Created here | 
 +| ''​retrieveGroups()'' ​|| - | Retrieved here | 
 +| ''​isCaseSensitive()'' ​|| Determined here | - | 
 +| ''​cleanUser()'' ​|| Determined here | - | 
 +| ''​cleanGroup()'' ​|| - | Determined here |
  
 This theory tells you, for example, that if you combine [[plugin:​authplain]] as //primary// auth plugin with [[plugin:​authmysql]] as //​secondary//​ auth plugin: This theory tells you, for example, that if you combine [[plugin:​authplain]] as //primary// auth plugin with [[plugin:​authmysql]] as //​secondary//​ auth plugin:
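Review bot: Two of the added table rows are missing their closing pipe: the `logOff()` row ends in `| -` and the "Group memberships" row ends in `| Modified here`, unlike every other row in the table. Terminate both with ` |`. The new `checkPass()`, `trustExternal()` and `getUserData()` rows also carry "existance", which should read "existence". Separately, the `modifyUser()` header row has fewer cells than the sub-rows beneath it; check that it renders as a spanning cell rather than a short row.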
Line 94: Line 104:
   * ''​autocreate_users'':​ If enabled, authsplit will automatically create user accounts for any users that exist in the //primary// auth plugin, but are yet unknown in the //​secondary//​ auth plugin. If disabled, users will either have to register themselves or created by the admin (eg. if registration has been disabled).   * ''​autocreate_users'':​ If enabled, authsplit will automatically create user accounts for any users that exist in the //primary// auth plugin, but are yet unknown in the //​secondary//​ auth plugin. If disabled, users will either have to register themselves or created by the admin (eg. if registration has been disabled).
  
-Note that you'll have to take some of the used auth plugin'​s ​settings ​into consideration whereas some may not apply any longer due to the way authsplit works. For example, when using [[plugin:authhttp]] as the //primary// auth plugin[[plugin:authhttp]]'​s configuration settings no longer have any effect since all email addresses and group information come from the //​secondary//​ auth plugin instead.+Sample ​settings ​for using authhttp ​and authplainwithout automatic user creation:
  
 +<code php>
 +$conf['​authtype'​] = '​authsplit';​
 +$conf['​plugin'​]['​authsplit'​]['​primary_authplugin'​] = '​authhttp';​
 +$conf['​plugin'​]['​authsplit'​]['​secondary_authplugin'​] = '​authplain';​
 +$conf['​plugin'​]['​authsplit'​]['​autocreate_users'​] = 0;
 +</​code>​
 +
 +Note that you'll have to take some of the used auth plugin'​s settings into consideration whereas some may not apply any longer due to the way authsplit works. For example, when using [[plugin:​authhttp]] as the //primary// auth plugin, [[plugin:​authhttp]]'​s configuration settings no longer have any effect since all email addresses and group information come from the //​secondary//​ auth plugin instead.
 ===== Change Log ===== ===== Change Log =====
  
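Review bot: The relocated note says that authhttp's "configuration settings no longer have any effect" but never names them, so a reader cannot tell which keys are inert once authsplit is in front. Since the reason given is that email addresses and group information come from the secondary auth plugin, name the specific authhttp settings that cover those two things. The moved paragraph also now runs straight into `===== Change Log =====` with no blank line between them, and the new sample does not say which configuration file the four `$conf` lines belong in.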
Line 102: Line 120:
 ===== Credits ===== ===== Credits =====
  
-This plugin ​in based on ideas in [[auth:​ggauth|the ggauth auth backend]] by [[mailto:​grant@lastweekend.com.au|Grant Gardner]]. Grant does not actively maintain ggauth anymore, so an update for the new auth plugins concept is unlikely.+This plugin ​is based on ideas in [[auth:​ggauth|the ggauth auth backend]] by [[mailto:​grant@lastweekend.com.au|Grant Gardner]]. Grant does not actively maintain ggauth anymore, so an update for the new auth plugins concept is unlikely
 + 
 +Support for external authentication was contributed by [[mailto:​david.darras@univ-lille1.fr|David Darras]].
  
 ===== Discussion ===== ===== Discussion =====
plugin/authsplit.1367677315.txt.gz · Last modified: 2013-05-04 16:21 by 62.143.180.167