kadleto2
Show profile
Link to this post
Subject: Single sign-on and dokuwiki - idea and solution
Hi all,
I am trying to provide simple SSO solution for dokuwiki. The solution must be independent of auth class implementation! Imagine a situation:
You have several dokuwiki installations (or a farm) at your server therefore installations share DNS domain name and a part of URL path on the web server in some cases. It would be nice to authenticate user only once for all these installations.
Good news is that such approach is possible by altering configuration only. The solution is based on changing HTTP cookie path information to the common path of all SSO-enabled installation (/ at least or more). How to do it? Firstly, several facts has to be considered:
- common DNS domain name
- session id is transfered in a cookie and not in URL
- dokuwiki installations are able to share PHP session (typically stored somewhere in /tmp, can be hard to achieve with suExec & co.)
- shared database of users (MySQL, LDAP ...)
Dokuwiki does not provide a simple and transparent way (configuration variable) to change the path or I have not found it. Nevertheless, I have found constants DOKU_URL and DOKU_REL. DOKU_REL stores part of URL relative to web server root. If canonical URLs are off this constant is used as a part of links and as a cookie path. When canonical URL is on, behavior of dokuwiki changes. DOKU_REL is used ONLY as cookie path and DOKU_URL is used for links. That is it. Force use of canonical URLs and put define('DOKU_REL', '/common/url/part') into conf/local.php (or local.protected.php).
However, this approach has at least two drawbacks. Firstly, I am not sure that setting DOKU_REL is safe way and won't break media manager (which tends to be broken typically) or any plug-in. If here is someone who can tell I would be very thankful. Secondly, this approach addresses only authentication part. Additional information as group membership can be different for different installations. Therefore an action plug-in that handles group membership is required (and I am planning to start with it as a first thing tomorrow morning).
I would be very thankful for all ideas and guidance I am not a dokuwiki expert (yet
).
Tomas
I am trying to provide simple SSO solution for dokuwiki. The solution must be independent of auth class implementation! Imagine a situation:
You have several dokuwiki installations (or a farm) at your server therefore installations share DNS domain name and a part of URL path on the web server in some cases. It would be nice to authenticate user only once for all these installations.
Good news is that such approach is possible by altering configuration only. The solution is based on changing HTTP cookie path information to the common path of all SSO-enabled installation (/ at least or more). How to do it? Firstly, several facts has to be considered:
- common DNS domain name
- session id is transfered in a cookie and not in URL
- dokuwiki installations are able to share PHP session (typically stored somewhere in /tmp, can be hard to achieve with suExec & co.)
- shared database of users (MySQL, LDAP ...)
Dokuwiki does not provide a simple and transparent way (configuration variable) to change the path or I have not found it. Nevertheless, I have found constants DOKU_URL and DOKU_REL. DOKU_REL stores part of URL relative to web server root. If canonical URLs are off this constant is used as a part of links and as a cookie path. When canonical URL is on, behavior of dokuwiki changes. DOKU_REL is used ONLY as cookie path and DOKU_URL is used for links. That is it. Force use of canonical URLs and put define('DOKU_REL', '/common/url/part') into conf/local.php (or local.protected.php).
However, this approach has at least two drawbacks. Firstly, I am not sure that setting DOKU_REL is safe way and won't break media manager (which tends to be broken typically) or any plug-in. If here is someone who can tell I would be very thankful. Secondly, this approach addresses only authentication part. Additional information as group membership can be different for different installations. Therefore an action plug-in that handles group membership is required (and I am planning to start with it as a first thing tomorrow morning).
I would be very thankful for all ideas and guidance I am not a dokuwiki expert (yet
).Tomas