tips:htdigestauth

tips:htdigestauth [2008-04-18 12:03]
zydeco created
tips:htdigestauth [2009-02-08 10:40] (current)
80.24.114.19 updated for dokuwiki 2009-02-26
Line 1: Line 1:
 +====== Setting up htdigest user identification ======
 +I have set up my DokuWiki in a domain that is protected by the server, to reach it users have to log in via an HTTP digest authentication.
 +I have made an extension of the [[htaccessauth|htaccess authentication backend]] to support digest-based authentication. You need to have the [[htaccessauth|htaccess]] backend installed, and modify some core files for it to work.
  
 +===== Installation =====
 +  - Follow the installation instructions for the [[htaccessauth#installation|htaccess class]] installation.
 +  - Install [[#htdigest.class.php]]
 +  - Apply [[#htdigest.patch]]
 +  - [[htaccessauth#htusers.auth.php|htusers.auth.php]] and [[htaccessauth#acl.auth.php|acl.auth.php]] work like in the [[htaccessauth|htaccess backend]]
 +===== htdigest.class.php =====
 +
 +Create a ''htdigest.class.php'' file in ''inc/auth/'' directory with these contents:
 +<code php>
 +<?php
 +/**
 + * htdigest authentication backend
 + * @license    GPL 2 (http://www.gnu.org/licenses/gpl.html)
 + * @author     Jesús A. Álvarez <zydeco@namedfork.net>
 + * Version: 1.0
 + * last modified: 2008-04-18 09:22
 + *
 + * Work based on the htaccess authentication backend:
 + * @author     Samuele Tognini <samuele@cli.di.unipi.it>
 + *
 + * Work based on the plaintext authentication backend:
 + * @author     Andreas Gohr <andi@splitbrain.org>
 + * @author     Chris Smith <chris@jalakai.co.uk>
 + 
 + * and on the .htaccess authentication backed:
 + * @author     Marcel Meulemans <marcel_AT_meulemans_DOT_org>
 + * Additions:  Sebastian S <Seb.S@web.expr42.net>
 + *
 + */
 + 
 +define('DOKU_AUTH', dirname(__FILE__));
 +require_once(DOKU_AUTH.'/htaccess.class.php');
 + 
 +define('AUTH_USERFILE',DOKU_CONF.'htusers.auth.php');
 + 
 +if(isset($_REQUEST['u']))
 +     $_REQUEST['u'] = cleanID($_REQUEST['u']);
 +     if(isset($_REQUEST['acl_user']))
 +     $_REQUEST['acl_user'] = cleanID($_REQUEST['acl_user']);
 + 
 +     class auth_htdigest extends auth_htaccess {
 + 
 +       var $users = null;
 +       var $_pattern = array();
 + 
 +       /**
 + * Constructor
 +
 + * Calls the parent class' constructor, but we can't logoff using digest
 + *
 + * @author Jesús A. Álvarez <zydeco@namedfork.net>
 + */
 +       function auth_htdigest() {
 + $this->auth_htaccess();
 + $this->cando['logoff'] = false;
 + $this->cando['userLogout'] = false; // see template.php modification, will hide login/logout button
 +       }
 + 
 + 
 +       /**
 + * Check user+password [required auth function]
 + *
 + * Checks if the given user exists
 + *
 + * @author  Jesús A. Álvarez <zydeco@namedfork.net>
 + * @return  bool
 + */
 +       function checkPass($user='',$pass=''){
 + global $conf;
 + if (isset($_SERVER['PHP_AUTH_DIGEST'])) {
 +    preg_match('/username="(?P<username>.*)"/U', $_SERVER['PHP_AUTH_DIGEST'], $digest);
 +    $userinfo = $this->getUserData($digest['username']);
 +    if ($userinfo === false) return false;
 +    return true;
 + }else{
 +    return false;
 + }
 + return false;
 +       }
 +      }
 +?></code>
 +===== htdigest.patch =====
 +These modifications will allow detection of users that are logged in via htdigest, and hide the login/logout button, as I can't find any reliable way to log out.
 +<code diff>
 +diff -aur inc.orig/auth.php inc/auth.php
 +--- inc.orig/auth.php 2008-04-18 09:16:46.000000000 +0000
 ++++ inc/auth.php 2008-04-17 22:37:01.000000000 +0000
 +@@ -60,9 +60,18 @@
 +       if (!isset($_REQUEST['r'])) $_REQUEST['r'] = '';
 + 
 +       // if no credentials were given try to use HTTP auth (for SSO)
 +-      if(empty($_REQUEST['u']) && empty($_COOKIE[DOKU_COOKIE]) && !empty($_SERVER['PHP_AUTH_USER'])){
 +-        $_REQUEST['u'] = $_SERVER['PHP_AUTH_USER'];
 +-        $_REQUEST['p'] = $_SERVER['PHP_AUTH_PW'];
 ++      if(empty($_REQUEST['u']) && empty($_COOKIE[DOKU_COOKIE])){
 ++        if (!empty($_SERVER['PHP_AUTH_DIGEST']))
 ++        {
 ++          preg_match('/username="(?P<username>.*)"/U', $_SERVER['PHP_AUTH_DIGEST'], $digest);
 ++          $_REQUEST['u'] = $digest['username'];
 ++          $_REQUEST['p'] = md5($digest['username']); // FIXME why do we need this?
 ++        }
 ++        elseif (!empty($_SERVER['PHP_AUTH_USER']))
 ++        {
 ++          $_REQUEST['u'] = $_SERVER['PHP_AUTH_USER'];
 ++          $_REQUEST['p'] = $_SERVER['PHP_AUTH_PW'];
 ++        }
 +       }
 + 
 +       // external trust mechanism in place?
 +diff -aur inc.orig/template.php inc/template.php
 +--- inc.orig/template.php 2008-04-18 09:16:46.000000000 +0000
 ++++ inc/template.php 2008-04-18 09:08:36.000000000 +0000
 +@@ -495,7 +495,7 @@
 +       print html_topbtn();
 +       return true;
 +     case 'login':
 +-      if($conf['useacl'] && $auth){
 ++      if($conf['useacl'] && $auth && $auth->cando['userLogout'] !== false){
 +         if($_SERVER['REMOTE_USER']){
 +           print html_btn('logout',$ID,'',array('do' => 'logout', 'sectok' => getSecurityToken()));
 +         }else{
 +
 +</code>
 +
 +===== Configuration =====
 +You must add this to your ''conf/local.php'' file:
 +<code php>$conf['authtype'      = 'htdigest';
 +
 +if (!isset($_SESSION[$conf['title']]['auth']['info']) && (isset($_SERVER["PHP_AUTH_DIGEST"])))
 +{   // analyze the PHP_AUTH_DIGEST variable
 +    preg_match('/username="(?P<username>.*)"/U', $_SERVER['PHP_AUTH_DIGEST'], $digest);
 +    $_REQUEST['u'] = $digest['username'];
 +    $_REQUEST['p'] = md5($digest['username']); // FIXME why do we need this?
 +}
 +</code>
 +
 +==== Optional settings ====
 +See optional settings in [[htaccessauth#optional_settings|htaccess backend]].
 +htaccess_realm, htaccess_logout and htaccess_unauthurl don't apply.
 +
 +===== Bugs =====
 +  * You can't log out
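Review bot: checkPass in the htdigest.class.php listing never verifies a credential: inside the `if (isset($_SERVER['PHP_AUTH_DIGEST']))` branch it extracts `username` from the client-supplied Authorization header with preg_match and returns true as soon as getUserData finds that user, so the backend is only safe where the web server itself enforces digest authentication on every path that reaches DokuWiki, which the page's opening paragraph assumes but the code never states or checks. The same header-derived name is copied into `$_REQUEST['u']` by the auth.php hunk and again by the conf/local.php snippet, while `$_REQUEST['p'] = md5($digest['username'])` (marked FIXME twice) is a placeholder the backend ignores; the identity the server has actually verified is presumably what it exposes as REMOTE_USER, so tying the lookup to that rather than to the raw header would be the safer signal, to be confirmed against the server setup. I would put the invariant above the class, `// SECURITY: trusts the username field of PHP_AUTH_DIGEST; the web server MUST require digest auth for this directory, otherwise any client can claim any user listed in htusers.auth.php`, and note that the `userLogout` flag only hides the button (template.php hunk) and does not end the server-side digest session. preg_match's return value is also unchecked on all three occurrences, so an Authorization header without a `username="…"` field leaves `$digest['username']` undefined and getUserData is called with an undefined index; `if (!preg_match(..., $digest)) return false;` before the lookup would close that. The Bugs list may continue past the last visible line.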