LDAP authentication, local user/group control
ToeBee #1
Member since Jul 2006 · 4 posts · Location: Kansas
Group memberships: Members
I set up dokuwiki for some internal documentation within my department at a university. It started out as kind of a play toy but has started growing to the point that we want some user authentication to keep track of changes and control which groups get to see/edit what. No big deal... However, the university has a central LDAP server that allows campus entities to auth off of it so that users can use the same username/password in all departments across campus. Of course we would like to use this if possible so that we can all use the same username/password that we use to check our email, log into the campus portal, etc. to get into our wiki. I had some issues getting LDAP authentication to work, but it finally does work. So far so good.

The problem is that now anyone in the campus-wide LDAP can log into our wiki. Not good. Furthermore, enabling LDAP authentication seems to completely disable all user/group admin functions in dokuwiki. There are no more user profiles, no user management link inside the wiki administration panel. I can still manage ACLs but everything except the ALL group seems to be rather useless... What I want to do is basically use LDAP just for the password checking. In order to log in, a user still needs to exist in users.auth.php and all the group and permission settings should still be read from the acl.auth.php file. Am I just missing something or is this intended behavior?  Obviously if we had control of the LDAP server we could have extra fields and filter things based on that but alas, we do not.

If this doesn't work out I do have some ideas that would allow us to get similar functionality but it really would be preferable to do this without any such hacks. Any ideas?
BlackFog #2
Member since May 2006 · 95 posts
Group memberships: Members
We had the same problem when we switched from simple to LDAP authentication: no groups are recognized. I'll try to recall our solution...
Wouldn't it help you if you had groups?

What I still remember is that the default group is not found by DW if it has no gid in it! Only (posixGroup) groups with gids are recognized with this config:
Quote by local.protected.php:
//OpenLDAP config:
$conf['auth']['ldap']['server'] = 'ldap.domain.de';
$conf['auth']['ldap']['usertree'] = 'uid=%{user},OU=intern,OU=People,DC=domain,DC=de';
$conf['auth']['ldap']['userfilter'] = '(&(objectClass=posixAccount)(uid=%{user}))';
$conf['auth']['ldap']['grouptree'] = 'OU=Group,DC=cyperfection,DC=de';
$conf['auth']['ldap']['groupfilter'] = '(&(objectClass=posixGroup)(|(gidNumber=%{gid})(memberUID=%{user})))';
I'm not sure if this was the whole solution, but I'll post it if it comes to mind.


BlackFog


PS: Now I remember: the group names had to be urlencoded if they contain "special" characters. See my quote in the last post: Group membership with LDAP
Did you try the search function here?
This post was edited on 2006-07-21, 13:18 by BlackFog.
ToeBee #3
Member since Jul 2006 · 4 posts · Location: Kansas
Group memberships: Members
Yes, I did search the existing messages and even read yours however I don't think we are in the same situation. We don't have any groups in our LDAP since it is campus-wide and we can't have them add a field for us so that we can have groups within our departmental wiki. Plus the fact that we don't want everyone in LDAP (30,000+ users) to be able to log into the wiki. That is why I want to use the wiki's user/group functions and use LDAP for password verification ONLY.

My other option is somewhat hackish...  We have access to the Oracle database that backends LDAP, including the password hashes. I may end up writing a program to run every hour or so that sucks the password hashes out of the database for the users I want on the wiki and creates the users.auth.php file "by hand".  This WOULD have the added benefit of allowing the wiki to still operate if the network goes down. I work for the networking department and we may need the wiki to fix the network if it breaks :)
BlackFog #4
Member since May 2006 · 95 posts
Group memberships: Members
Quote by ToeBee:
Yes, I did search the existing messages and even read yours however I don't think we are in the same situation. We don't have any groups in our LDAP since it is campus-wide and we can't have them add a field for us so that we can have groups within our departmental wiki. Plus the fact that we don't want everyone in LDAP (30,000+ users) to be able to log into the wiki. That is why I want to use the wiki's user/group functions and use LDAP for password verification ONLY.
You are kidding, aren't you? You have 30k+ users and all are in the same default global group? No OU and/or group "student", "professor", "department", etc.??? 8-(
Quote by ToeBee:
My other option is somewhat hackish...  We have access to the Oracle database that backends LDAP, including the password hashes. I may end up writing a program to run every hour or so that sucks the password hashes out of the database for the users I want on the wiki and creates the users.auth.php file "by hand".  This WOULD have the added benefit of allowing the wiki to still operate if the network goes down. I work for the networking department and we may need the wiki to fix the network if it breaks :)
If you can't use groups but still want to use the LDAP user DB, I think you are right. You have to write a script that filters and feeds the wiki auth files or the Oracle DB. At the moment I don't see another way for you. I hope you don't have too many users...
With the first plain text file approach (basic auth) you could write a small script that pulls only the corresponding password of each DW user out of the LDAP (on an hourly basis too) and writes it in. So you only have to disable password changing and don't need a second DB.


BlackFog
ToeBee #5
Member since Jul 2006 · 4 posts · Location: Kansas
Group memberships: Members
Quote by BlackFog:
You are kidding, aren't you? You have 30k+ users and all are in the same default global group? No OU and/or group "student", "professor", "department", etc.??? 8-(
Well ok I'm sure there is SOME group info in there...  but nothing we could use as a mechanism to backend our wiki. We will probably want a group for the networking guys and a group for the programmers and a group for sysadmins, etc...

Quote by BlackFog:
Quote by ToeBee:
My other option is somewhat hackish...  We have access to the Oracle database that backends LDAP, including the password hashes. I may end up writing a program to run every hour or so that sucks the password hashes out of the database for the users I want on the wiki and creates the users.auth.php file "by hand".  This WOULD have the added benefit of allowing the wiki to still operate if the network goes down. I work for the networking department and we may need the wiki to fix the network if it breaks :)
If you can't use groups but still want to use the LDAP user DB, I think you are right. You have to write a script that filters and feeds the wiki auth files or the Oracle DB. At the moment I don't see another way for you. I hope you don't have too many users...
With the first plain text file approach (basic auth) you could write a small script that pulls only the corresponding password of each DW user out of the LDAP (on an hourly basis too) and writes it in. So you only have to disable password changing and don't need a second DB.


BlackFog

Yeah, this doesn't sound too painful I guess.  Just parse the DW user file for usernames and update the password hash as needed to keep it up to date. Could probably whip up a perl script for that before I go home today :)

Thanks for your input.
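The hourly sync script sketched in posts #3 to #5, as an added example that is not part of this thread, of DokuWiki, or of any poster's code. It is in Python rather than the Perl ToeBee mentions, and the query against the campus database is replaced by a constructed dictionary of login-to-hash pairs; the users.auth.php layout is the plain backend's documented `login:passwordhash:Real Name:email:groups` format, the `!LOCKED` sentinel and the 0600 file mode are this example's own choices, and all sample users and hashes are constructed. The point it adds to the thread's plan is the allow-list behaviour: a campus user who is not already in the wiki file is never added, a wiki user who vanished from the campus source is locked rather than left with a stale hash, and the groups column is never touched, so ACLs stay under local control.

```python
"""Hourly sync of campus password hashes into DokuWiki's users.auth.php.
Constructed example for this thread's approach, not DokuWiki's or any poster's code."""
import os
import tempfile
from dataclasses import dataclass, field

# Assumption: a string the plain backend cannot verify as a hash simply fails
# the login, so this sentinel locks an account without deleting its groups.
LOCKED_HASH = "!LOCKED"

# Constructed sample users.auth.php (format: login:hash:Real Name:email:groups).
SAMPLE_USERS_AUTH = """\
# users.auth.php
# <?php exit()?>
# Format: login:passwordhash:Real Name:email:groups,comma,separated
alice:$1$oldsalt$oldhashaaaaaaaaaaaaaa:Alice Example:alice@example.edu:admin,network
bob:$1$oldsalt$oldhashbbbbbbbbbbbbbbb:Bob Example:bob@example.edu:programmers
carol:$1$oldsalt$oldhashcccccccccccccc:Carol Example:carol@example.edu:sysadmins
"""

# Constructed stand-in for the hourly query of the directory's database: alice
# changed her password, bob's account is gone, dave was never a wiki user.
SAMPLE_SOURCE_HASHES = {
    "alice": "$1$newsalt$newhashaaaaaaaaaaaaaa",
    "carol": "$1$oldsalt$oldhashcccccccccccccc",
    "dave": "$1$newsalt$newhashddddddddddddddd",
}


@dataclass
class SyncResult:
    text: str
    updated: list[str] = field(default_factory=list)
    locked: list[str] = field(default_factory=list)
    unchanged: list[str] = field(default_factory=list)
    ignored: list[str] = field(default_factory=list)  # in source, not in wiki


def sync_hashes(users_auth: str, source_hashes: dict[str, str]) -> SyncResult:
    """Rewrite only the hash column.  Users missing from the source are locked,
    never removed (groups survive); users unknown to the wiki are never added,
    so the wiki file itself is the allow-list."""
    res = SyncResult(text="")
    seen, lines = set(), []
    for raw in users_auth.splitlines():
        if not raw.strip() or raw.startswith("#"):
            lines.append(raw)  # comments and blank lines pass through
            continue
        parts = raw.split(":", 2)  # login, hash, "name:email:groups"
        if len(parts) != 3:
            raise ValueError(f"malformed users.auth.php line: {raw!r}")
        login, current, rest = parts
        seen.add(login)
        new = source_hashes.get(login)
        if new is None:
            new = LOCKED_HASH
            bucket = res.unchanged if current == new else res.locked
        elif not new or ":" in new or "\n" in new:
            raise ValueError(f"unusable hash for {login!r}")  # would corrupt file
        elif new == current:
            bucket = res.unchanged
        else:
            bucket = res.updated
        bucket.append(login)
        lines.append(f"{login}:{new}:{rest}")
    res.ignored = sorted(set(source_hashes) - seen)
    res.text = "\n".join(lines) + "\n"
    return res


def write_users_auth(path: str, text: str) -> None:
    """Replace the file atomically with mode 0600: DokuWiki never reads a
    half-written file and other local accounts cannot read the copied hashes.
    Assumption: this runs as the web server user, which must own the file."""
    fd, tmp = tempfile.mkstemp(prefix=".users.auth.",
                               dir=os.path.dirname(os.path.abspath(path)))
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(text)
            fh.flush()
            os.fsync(fh.fileno())
        os.chmod(tmp, 0o600)
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise


def main() -> None:
    res = sync_hashes(SAMPLE_USERS_AUTH, SAMPLE_SOURCE_HASHES)
    print(f"updated={res.updated} locked={res.locked} "
          f"unchanged={res.unchanged} ignored={res.ignored}")
    target = os.path.join(tempfile.mkdtemp(), "users.auth.php")
    write_users_auth(target, res.text)
    print("wrote", target)


if __name__ == "__main__":
    main()
```

Two caveats before running something like this from cron. The copied hashes only work if they are in a format the plain backend can verify (the `$1$` md5-crypt strings above are constructed to look like one such format; check what the Oracle table actually stores before relying on it), and the wiki now holds a second copy of campus credential hashes, which is why the file is written with mode 0600 and why the sync runs as the account that owns it. Password changes and account closures also reach the wiki only on the next run, and none of the directory's own lockout or policy rules apply to logins verified locally.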
andi (Administrator) #6
User title: splitbrain
Member since May 2006 · 3522 posts · Location: Berlin Germany
Group memberships: Administrators, Members
The cleaner way would be writing your own auth backend that inherits from the LDAP backend and reimplements the group check methods (probably reusing some code from the plain backend).