I am setting up a wiki, and all goes well. SSO via authad works (using mod_auth_gssapi). However, not everyone is on a domain machine. They need access as well.
If I turn off the SSO options in dokuwiki and in apache I can log in with AD credentials everywhere. When I turn on the SSO options I can only log in on a domain machine. This does not seem very weird.
I have already tried something with the authchain plugin, to also make a local admin login possible. This works when the SSO options are off. When turning those options on, you get redirected to the login page (from a non-domain machine of course). Using any credentials there does not work.
When messing with another plugin I got the 'login not available' message, which might as well be not possible when using authad and SSO. But this last bit is only a hunch, and probably related to that other plugin.
My configuration:
$conf['title'] = 'Need more beer Wiki';
$conf['license'] = '0';
$conf['allowdebug'] = 1;
$conf['dformat'] = '%Y-%m-%d %H:%M';
$conf['useacl'] = 1;
$conf['authtype'] = 'authchained';
$conf['superuser'] = '@admin';
$conf['plugin']['authad']['account_suffix'] = '@DOMAIN.LOCAL';
$conf['plugin']['authad']['base_dn'] = 'DC=domain,DC=local';
$conf['plugin']['authad']['domain_controllers'] = 'win2003-1.domain.local,win2003-2.domain.local';
$conf['plugin']['authad']['debug'] = 1;
$conf['plugin']['authad']['sso'] = 0;
$conf['plugin']['authchained']['authtypes'] = 'authplain:authad';
What I mean by 'SSO options' is setting sso to 1 in the previous config. And, most importantly, uncommenting this piece in the VirtualHost configuration of Apache:
#<Directory "/var/www/html/dokuwiki/doku.php">
# AuthType GSSAPI
# AuthName "Need more beer Wiki login"
# GssapiAllowedMech krb5
# GssapiCredStore keytab:/etc/httpd/conf.d/wiki-http.keytab
# Require valid-user
# ErrorDocument 401 /doku.php?do=login
#</Directory>
If I uncomment this SSO works. On non-domain machines I get redirected to a login page, which does not work without setting the ErrorDocument like this.
So I would like a bit of help to put this all together. Preferably with the plain login option too, but that is not really the issue. If SSO somehow fails, I want it to fall back to the login page, so you can log in with your Active Directory credentials.