plugin:authsplit

Differences

This shows you the differences between two versions of the page.

plugin:authsplit [2013-07-07 11:49]
78.53.205.96 Synchronize with README rev b09b2fca73
plugin:authsplit [2017-02-27 15:37] (current)
88.128.80.16
Line 1: Line 1:
-====== Split authentication ​Plugin ======+====== Split Authentication ​Plugin ======
  
 ---- plugin ---- ---- plugin ----
Line 6: Line 6:
 email      : pieter@hollants.com email      : pieter@hollants.com
 type       : auth type       : auth
-lastupdate : 2013-07-07 +lastupdate : 2017-02-27 
-compatible : Weatherwax+compatible : Elenor of tsort, Ponder Stibbons, Hrun, Detritus, Frusterick Manners
 depends ​   :  depends ​   : 
 conflicts ​ :  conflicts ​ : 
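Review bot: The new compatible line drops Weatherwax, and the 2017-02-27 revision carries no edit summary explaining why. If the plugin still works on that release, keep it in the list; if it does not, say so on the page so that admins on older installs know the update is not meant for them. The release name in the added list is also spelled "Elenor of Tsort", not "Elenor of tsort".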
Line 47: Line 47:
   * ''​logOff()'':​ DokuWiki documentation says this method is run //"in addition to the usual logOff. Useful with trustExternal() to initiate actions for the external backend, eg. use it to clear cookies or similar actions"​.//​\\ \\ authsplit just delegates the call to the //primary// auth plugin'​s ''​logOff()''​ method.\\ \\    * ''​logOff()'':​ DokuWiki documentation says this method is run //"in addition to the usual logOff. Useful with trustExternal() to initiate actions for the external backend, eg. use it to clear cookies or similar actions"​.//​\\ \\ authsplit just delegates the call to the //primary// auth plugin'​s ''​logOff()''​ method.\\ \\ 
   * ''​getUserData()'':​ this is the method DokuWiki uses eg. to retrieve the user's real name for display in the "​Logged in as" section in the upper right (if you use the default "​DokuWiki"​ template). authsplit will call the //primary// auth plugin'​s ''​getUserData()''​ method only to make sure the user exists there and then return the //​secondary//​ auth plugin'​s ''​getUserData()''​ information to DokuWiki. Thus, a user has to be known to both auth plugins, but the //​secondary//'​s user information matters. Any group membership information returned from the //primary// auth plugin will be silently ignored.\\ \\    * ''​getUserData()'':​ this is the method DokuWiki uses eg. to retrieve the user's real name for display in the "​Logged in as" section in the upper right (if you use the default "​DokuWiki"​ template). authsplit will call the //primary// auth plugin'​s ''​getUserData()''​ method only to make sure the user exists there and then return the //​secondary//​ auth plugin'​s ''​getUserData()''​ information to DokuWiki. Thus, a user has to be known to both auth plugins, but the //​secondary//'​s user information matters. Any group membership information returned from the //primary// auth plugin will be silently ignored.\\ \\ 
-  * ''​createUser()'':​ this is the method that gets called if users register themselves or the Admin uses DokuWiki'​s user manager to create an account for them.\\ \\ authhttp ​will first check if the user is not known to the //primary// auth plugin yet and whether it is capable of adding users. If so, it will try to create the user there, first. This is so that you can use DokuWiki to quickly create a user both in DokuWiki **and** your common authentication source without having to fire up whatever admin tool the //primary// auth plugin would otherwise require.\\ \\ If successful (or the //primary// auth plugin does not support adding users, as is the case for authhttp), the user is then created in the //​secondary//​ auth plugin but with an **empty** password. This is by intent since passwords are supposed to come from the //primary// auth plugin.\\ \\ This also means that an Admin can not specify a password in the user manager unless the //primary// auth plugin reports being capable of modifying passwords, too. If not (and this is the case eg. for [[plugin:​authhttp]]),​ this also means that in the user self-registration form, users should not be able to specify a password and DokuWiki should not try to generate one for them because it wouldn'​t be stored anywhere and the user would thus get irritated. [[plugin:​authhttp]] eg. comes with an action plugin that takes care of this.\\ \\+  * ''​createUser()'':​ this is the method that gets called if users register themselves or the Admin uses DokuWiki'​s user manager to create an account for them.\\ \\ authsplit ​will first check if the user is not known to the //primary// auth plugin yet and whether it is capable of adding users. If so, it will try to create the user there, first. 
This is so that you can use DokuWiki to quickly create a user both in DokuWiki **and** your common authentication source without having to fire up whatever admin tool the //primary// auth plugin would otherwise require.\\ \\ If successful (or the //primary// auth plugin does not support adding users, as is the case for authhttp), the user is then created in the //​secondary//​ auth plugin but with an **empty** password. This is by intent since passwords are supposed to come from the //primary// auth plugin.\\ \\ This also means that an Admin can not specify a password in the user manager unless the //primary// auth plugin reports being capable of modifying passwords, too. If not (and this is the case eg. for [[plugin:​authhttp]]),​ this also means that in the user self-registration form, users should not be able to specify a password and DokuWiki should not try to generate one for them because it wouldn'​t be stored anywhere and the user would thus get irritated. [[plugin:​authhttp]] eg. comes with an action plugin that takes care of this.\\ \\
   * ''​modifyUser()'':​ where authsplit routes a change depends on the actual change itself:   * ''​modifyUser()'':​ where authsplit routes a change depends on the actual change itself:
 +    * for login names, real names and email addresses, authsplit will try to modify in the //primary// auth plugin first (if that plugin reports being capable of modifying it, that is), then in the //​secondary//​ auth plugin.
     * passwords are modified in the //primary// auth plugin only since by design the //​secondary//​ auth plugin knows empty ones only     * passwords are modified in the //primary// auth plugin only since by design the //​secondary//​ auth plugin knows empty ones only
-    * group membership is always modified in the //​secondary//​ auth plugin +    * group membership is always modified in the //​secondary//​ auth plugin\\ \\ 
-    * for login names, real names and email addresses, authsplit will try to modify in the //primary// auth plugin first (if that plugin reports being capable of modifying it, that is), then in the //​secondary//​ auth plugin.\\ \\ +
   * ''​deleteUser()'':​ authsplit will **always** route delete user requests to the //​secondary//​ auth plugin only. This is because it can't know whether user accounts known to the //primary// auth plugin are yet in use by other software. Thus, deleting a user with the user manager will remove knowledge of his or her existance in DokuWiki only.\\ \\   * ''​deleteUser()'':​ authsplit will **always** route delete user requests to the //​secondary//​ auth plugin only. This is because it can't know whether user accounts known to the //primary// auth plugin are yet in use by other software. Thus, deleting a user with the user manager will remove knowledge of his or her existance in DokuWiki only.\\ \\
   * ''​retrieveUsers()''​ / ''​getUserCount()'':​ authsplit will always route these method calls to the //​secondary//​ auth plugin, following the concept that DokuWiki'​s user manager is supposed to manage DokuWiki users in the first place. Thus, even if the //primary// auth plugin offered these methods, the user lists and counts obtained there would not be of much use since, unless ''​autocreate_users''​ is enabled, only the //​secondary//​ auth plugin would really know which users resp. how many users really had DokuWiki access.\\ \\   * ''​retrieveUsers()''​ / ''​getUserCount()'':​ authsplit will always route these method calls to the //​secondary//​ auth plugin, following the concept that DokuWiki'​s user manager is supposed to manage DokuWiki users in the first place. Thus, even if the //primary// auth plugin offered these methods, the user lists and counts obtained there would not be of much use since, unless ''​autocreate_users''​ is enabled, only the //​secondary//​ auth plugin would really know which users resp. how many users really had DokuWiki access.\\ \\
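Review bot: The modifyUser() bullet moved to the top of the list still does not say what happens to a login name, real name or email change when the primary auth plugin cannot modify that field, or when its update fails. The wording reads as if the secondary is then changed on its own. Since the getUserData() bullet above requires a user to be known to both plugins, a login name changed only in the secondary would no longer match the primary account, so the text should state whether authsplit aborts or proceeds in that case. The unchanged deleteUser() bullet also still spells "existance".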
Line 60: Line 60:
 So to summarize which auth plugins are involved in which method calls: So to summarize which auth plugins are involved in which method calls:
  
-| | **Primary auth plugin** | **Secondary auth plugin** | +|| **Primary auth plugin** | **Secondary auth plugin** | 
-| ''​checkPass()''​ | Authenticated here | Existance ​required\\ (Can create if enabled) | +| ''​checkPass()'' ​|| Authenticated here | User existance ​required\\ ​//(Can create if ''​autocreate_users''​ == 1)// 
-| ''​trustExternal()''​ | Authenticated here | Existance ​required\\ (Can create if enabled) | +| ''​trustExternal()'' ​|| Authenticated here | User existance ​required\\ ​//(Can create if ''​autocreate_users''​ == 1)// 
-| ''​logOff()''​ | Done here | - | +| ''​logOff()'' ​|| Done here | - | 
-| ''​getUserData()''​ | Existance ​required | Stored here | +| ''​getUserData()''​ || User existance ​required | Stored here | 
-| ''​createUser()''​ | Can create ​here if supported | Created here | +| ''​createUser()''​ || Created ​here\\ //(If supported ​by the auth plugin)// ​| Created here | 
-| ''​modifyUser()''​ | //Depends on the information being modified// || +| ''​modifyUser()'' ​|| //Depends on the information being modified:// |
-| ''​deleteUser()''​ | - | Deleted here | +| | Login names | Modified here\\ //(If supported by the auth plugin)// | Modified here | 
-| ''​retrieveUsers()''​ | - | Stored ​here | +| | Real names | Modified here\\ //(If supported by the auth plugin)// | Modified here | 
-| ''​getUserCount()''​ | - | Counted here | +| | eMail addresses | Modified here\\ //(If supported by the auth plugin)// | Modified here | 
-| ''​addGroup()''​ | - | Created here | +| | Passwords | Modified here | - | 
-| ''​retrieveGroups()''​ | - | Retrieved here | +| | Group memberships | - | Modified here 
-| ''​isCaseSensitive()''​ | Determined here | - | +| ''​deleteUser()'' ​|| - | Deleted here | 
-| ''​cleanUser()''​ | Determined here | - | +| ''​retrieveUsers()'' ​|| - | Retrieved ​here | 
-| ''​cleanGroup()''​ | - | Determined here |+| ''​getUserCount()'' ​|| - | Counted here | 
 +| ''​addGroup()'' ​|| - | Created here | 
 +| ''​retrieveGroups()'' ​|| - | Retrieved here | 
 +| ''​isCaseSensitive()'' ​|| Determined here | - | 
 +| ''​cleanUser()'' ​|| Determined here | - | 
 +| ''​cleanGroup()'' ​|| - | Determined here |
  
 This theory tells you, for example, that if you combine [[plugin:​authplain]] as //primary// auth plugin with [[plugin:​authmysql]] as //​secondary//​ auth plugin: This theory tells you, for example, that if you combine [[plugin:​authplain]] as //primary// auth plugin with [[plugin:​authmysql]] as //​secondary//​ auth plugin:
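Review bot: The rewritten checkPass(), trustExternal() and getUserData() rows carry the misspelling "existance" over into the new text ("User existance required"); it should be "existence" now that these cells are being touched anyway. The new modifyUser() row also ends its spanning cell with a single "|" where the old row ended with "||", so as shown here it has one column fewer than the rows around it. The checkPass(), trustExternal() and Group memberships rows appear to lack their closing "|" as well.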
Line 115: Line 120:
 ===== Credits ===== ===== Credits =====
  
-This plugin ​in based on ideas in [[auth:​ggauth|the ggauth auth backend]] by [[mailto:​grant@lastweekend.com.au|Grant Gardner]]. Grant does not actively maintain ggauth anymore, so an update for the new auth plugins concept is unlikely.+This plugin ​is based on ideas in [[auth:​ggauth|the ggauth auth backend]] by [[mailto:​grant@lastweekend.com.au|Grant Gardner]]. Grant does not actively maintain ggauth anymore, so an update for the new auth plugins concept is unlikely
 + 
 +Support for external authentication was contributed by [[mailto:​david.darras@univ-lille1.fr|David Darras]].
  
 ===== Discussion ===== ===== Discussion =====
plugin/authsplit.1373190573.txt.gz · Last modified: 2013-07-07 11:49 by 78.53.205.96