Shibboleth and Wiki Farm Login Problems
asciiphil #1
Member since Apr 2014 · 3 posts
Group memberships: Members
I know this is probably kind of a niche question, but I'm a little stumped here.

I've set up wiki farms with older versions of DokuWiki and I've set up Shibboleth-based logins (with Ivan Novakov's authshibboleth plugin), but I'm running into problems combining them.

I'm using the DokuWiki RPM for RHEL 6 in EPEL.  It's for Binky, 2013-12-08.  It installs the PHP code into /usr/share/dokuwiki, the configuration files into /etc/dokuwiki, and the data tree into /var/lib/dokuwiki.  I have added the authshibboleth plugin and can log in to the main wiki, view and edit pages, and so on.

I'm trying to set up a farm configuration.  I've edited /usr/share/dokuwiki/inc/preload.php and added the following lines:

if(!defined('DOKU_FARMDIR')) define('DOKU_FARMDIR', '/var/www/dokuwiki');
include(fullpath(dirname(__FILE__)).'/farm.php');

I then have a test wiki using the ".htaccess" farm configuration.  My Apache docroot is /var/www/html, so I have a directory named /var/www/html/testwiki that contains a .htaccess file with the following contents:

RewriteEngine on
RewriteRule ^(.*)            /dokuwiki/$1?animal=testwiki [QSA]
RewriteRule ^(index.html)?$  /dokuwiki/?animal=testwiki [QSA]

So far, this works; I can visit http://my.webserver.com/testwiki and get any pages that I manually add to the testwiki's data directory.

When I enable Shibboleth authentication for the animal (by putting "AuthType Shibboleth/Require Shibboleth" lines in the .htaccess file and enabling the authshibboleth authentication plugin) and click the "Login" link, I get directed to my IdP, log in, get redirected back to the wiki page, and then get immediately redirected to the Shibboleth logout page.  If I trigger a Shibboleth login from another place on the website and then visit the farmer wiki, it correctly recognizes the existing login.  If I instead go to the testwiki animal, it immediately sends me to the logout page.

I've looked through the authshibboleth code a bit.  I don't see anything in there that would initiate logouts; it just catches the logOff message and handles that in a Shibboleth-appropriate way.  That means that there's something in the main DokuWiki code deciding to log me out.  I just can't figure out what.

So here are my questions: What might be going wrong here?  I'm not that familiar with the DokuWiki codebase; where might I want to be looking to try and figure out why it seems to want to log me out when I visit the animal wiki?  Is there anything that might help me to more easily debug whatever's going wrong here?
hartmut71 #2
Member since Mar 2014 · 17 posts · Location: Ulm, Germany
Group memberships: Members
Just one little question that makes me wonder: if you define ... DOKU_FARMDIR = "/var/www/dokuwiki"
then the place for the first wiki animal is as far as I know e.g.   "/var/www/dokuwiki/www.thisismyanimaldomain.com/",  (you wrote: "/var/www/html/testwiki", that is different).

And in addition to this, the apache document root should point to the dokuwiki engine, e.g. this would mean folder {x}, when "preload.php" resides in {x}/inc/

(But those things are not related to authshibboleth)
asciiphil #3
Member since Apr 2014 · 3 posts
Group memberships: Members
As far as I understand it, the place for the animal is determined by the "?animal=" URL parameter passed to the farmer instance.  You can set it up for virtualhost-based animal names, but I'm more or less using the .htaccess-based structure defined on the farms page.  (Also, the farm by itself works with this configuration; it's only when I add authshibboleth that I have problems.)

Pointing the docroot at the dokuwiki instance might make sense in a virtualhost based setting, but that's not what I need to do.  (Among other things, I need SSL, and a) I can't get a wildcard cert, b) getting (and updating) a SAN cert is a hassle and the PKI people don't like me doing it, and c) getting and tracking separate certs for each virtualhost is more of a pain than I want to undertake, not to mention the fact that I'd have to throw a separate IP address at each virtualhost to handle the clients that don't yet do SNI.)  The RPMs I'm using ship with all the necessary configuration for having dokuwiki outside the docroot, namely an Alias from /dokuwiki to /usr/share/dokuwiki, <Directory> settings to allow access to doku.php (and index.php) scripts, and additional <Directory> settings to _disallow_ HTTP access to all of DokuWiki's supporting files.
Michitux #4
Member since Apr 2008 · 377 posts · Location: Karlsruhe, Germany
Group memberships: Members, Wiki Managers
I think that for some reason the login check that the plugin performs on every page load fails.

This is done in the "trustExternal" method, see https://github.com/ivan-novakov/dokuwiki-shibboleth-auth/b…

I don't know why this fails but it would explain the behavior that you are seeing. Is the configuration of the plugin the same for the farmer and the animal?
asciiphil #5
Member since Apr 2014 · 3 posts
Group memberships: Members
Well, that was fun.  The culprit may have been my browser.  I exited and restarted it for unrelated reasons and as I continued to test things with the wiki farm, logins on the animal suddenly began working correctly.

Thank you, hartmut71 and Michitux, for your suggestions.  I'm sorry I took up your time with what turned out to be an essentially unrelated problem.