Compatible with DokuWiki
- 2022-07-31 "Igor" unknown
- 2020-07-29 "Hogfather" yes
- 2018-04-22 "Greebo" unknown
- 2017-02-19 "Frusterick Manners" unknown
Similar to authad
This plugin implements authentication via ActiveDirectory (and possibly other LDAP servers later). It does not require any LDAP support in PHP and aims to have much better performance than the bundled authad plugin. This is especially true for all operations that do bulk user data requests.
This plugin is beta software. Be sure to read the whole of this page before installing it.
Background: Limitations of the bundled Plugins
While authldap uses the PHP LDAP extension directly, authad makes use of the adLDAP library. There are multiple versions of this library - all slightly incompatible with each other. The authad Plugin uses version 1. The library abstracts away all the LDAP specifics, implements weird Microsoft quirks and makes it easier to configure AD access than doing it manually. However, it also limits the ability to customize the access to unusual AD setups.
The table below shows the features of both plugins (columns: authldap, authad):
| Feature | authldap | authad |
| Server Support | any | MS Active Directory only |
| Single Sign On | no | Kerberos/NTLM |
| Warn on expiring password | no | yes |
| Fetch additional attributes | yes | yes |
| Full control on all LDAP queries | yes | no |
Both plugins basically provide the same base features: authenticate users against an LDAP server and make the groups available for ACL management.
Both plugins share a few shortcomings when it comes to performance. This is especially notable when user data of many users needs to be queried.
- All user data has to be queried individually. Whenever a plugin requires the members of a given group, an additional query has to be made to fetch the user data for each individual member.
- Already queried user data isn't cached. So if a user's info is used several times, several LDAP queries have to be executed.
- The performance of the PHP LDAP extension itself isn't stellar either.
There are also quality problems in both plugins:
- the adLDAP library is no longer maintained
- both plugins differ in functionality
- there is some code duplication between the plugins
- no automated tests
The pureLDAP plugin tries to remedy the issues above.
In implementing this plugin, the following goals should be met:
- single code base for LDAP and AD connections
- strong caching for queried data
- implement bulk queries
- implement the full feature set of both old plugins
Implementing all those features does not have to be done right away. It makes sense to first focus on one aspect (like AD connectivity) and implement features step by step.
A first prototype focusing on Active Directory was created in April 2020. Connectivity is based on the pure PHP implementation of the LDAP protocol provided by the FreeDSx LDAP library, so the PHP LDAP extension is not needed.
It implements all the basic features needed to authenticate users via AD and has support for bulk queries. Automated tests run against an AD Vagrant setup.
Funding to implement caching, SSO support and code clean-up was received in June 2021, and the plugin has been brought to a state where it is partly usable.
In some preliminary tests it already performed much better than authAD and should be good enough to replace simple AD setups. In fact, it is running in production at two of our clients and seems to hold out well.
Migrating from authAD
Usernames and group names are cleaned less aggressively than in the old plugins. Previously names were mangled to fit DokuWiki page ID requirements, stripping spaces and other special characters. This was a one-way transformation which made it difficult to do reverse lookups (like searching for the members of a group, because the mangled name no longer matches the name stored in the directory). The pureLDAP plugin will only lowercase user and group names, but otherwise keeps them as is. Existing ACLs that reference the old mangled names may need adjustments accordingly.
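The following is an added illustration, not code from the pureLDAP plugin or from DokuWiki: it contrasts a page-ID-style one-way mangling (an approximation written for this example, not DokuWiki's real cleanID()) with the lowercase-only rule described above, shows why the mangled form cannot be mapped back to a directory name without ambiguity, and shows that the lowercased form can go straight into an LDAP search filter as long as it is escaped per RFC 4515. The escaping function and the sample group names are my own and are constructed for the example.

```php
<?php
// Added example. oldStyleClean() only approximates the old mangling described
// on this page (lowercase, drop spaces and special characters); it is not cleanID().
function oldStyleClean(string $name): string {
    return preg_replace('/[^a-z0-9_.\-]/', '', strtolower($name));
}

// pureLDAP behaviour as described on this page: lowercase, keep everything else.
function pureLdapClean(string $name): string {
    return strtolower($name);
}

// RFC 4515 escaping for a value placed inside an LDAP filter. Own implementation,
// so no PHP ldap extension (ldap_escape) is required. Without this, a group or
// user name containing '*', '(' or ')' would change the meaning of the filter.
function escapeFilterValue(string $value): string {
    return strtr($value, [
        '\\' => '\5c',
        '*'  => '\2a',
        '('  => '\28',
        ')'  => '\29',
        "\0" => '\00',
    ]);
}

// Member lookup filter built from the cleaned group name. AD compares cn
// case-insensitively, so the lowercased name still matches the directory entry.
function memberFilter(string $cleanedGroup): string {
    return '(&(objectClass=group)(cn=' . escapeFilterValue($cleanedGroup) . '))';
}

// Map a cleaned name back to the directory names it could have come from.
// With lowercase-only cleaning this is a case-insensitive comparison; with the
// old mangling several distinct directory names can collapse onto one result.
function reverseLookup(string $cleaned, array $directoryNames, callable $clean): array {
    return array_values(array_filter(
        $directoryNames,
        fn(string $n): bool => $clean($n) === $cleaned
    ));
}

// Constructed sample of group names as they might exist in a directory.
$directoryGroups = ['Domain Admins', 'domainadmins', 'Wiki Editors (EU)', 'WikiEditorsEU'];

foreach (['Domain Admins', 'Wiki Editors (EU)'] as $group) {
    $old = oldStyleClean($group);
    $new = pureLdapClean($group);
    echo $group, "\n";
    echo "  old mangling : ", $old, " -> possible sources: ",
         implode(', ', reverseLookup($old, $directoryGroups, 'oldStyleClean')), "\n";
    echo "  lowercase    : ", $new, " -> possible sources: ",
         implode(', ', reverseLookup($new, $directoryGroups, 'pureLdapClean')), "\n";
    echo "  search filter: ", memberFilter($new), "\n";
}
```

Run with `php` 7.4 or newer. For "Domain Admins" the old mangling yields `domainadmins`, which both "Domain Admins" and "domainadmins" produce, so the directory name is ambiguous; the lowercased `domain admins` maps back to exactly one entry. For "Wiki Editors (EU)" the parentheses survive the new cleaning and therefore show up escaped as `\28eu\29` in the filter, which is the check to keep in mind when unmangled names from a directory are interpolated into LDAP queries or written into ACL rules.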
Next Steps for Development
The Github Project: Full Feature Set provides a rough overview of the next steps that are needed to make the plugin an adequate replacement for the two old plugins. Most importantly, support for non-AD setups is currently completely missing.
More work is clearly needed. However, as a private person I have absolutely no use for LDAP or AD connectivity. Setting up test servers etc. and trying to replicate complex corporate setups is nearly impossible. TBH, there is really nothing here that motivates me to implement this except that it would be nice to have and is an interesting challenge, but so are many other things.
So instead of me implementing this in my spare time, it makes more sense for CosmoCode to implement this. Or to rephrase it: it makes more sense for me to create this while being paid to do so. Doing it at my dayjob also provides me with the support of my colleagues when it comes to coding, research and sysadmin tasks.
In short: If you want to make use of more performant LDAP or AD connectivity in DokuWiki and have the company resources to fund that, please get in contact at dokuwiki [at] cosmocode [dot] de.