Hi,
We were searching for a nice and easy to use wiki engine when we stumble in DokuWiki!
Love @ 1st sight... however, it's been a long and complicated relation, respecting authentication!
So, here's a snapshot of the environment:
- We setup DokuWiki on a Synology RS812+ running DSM 6.1.2-15132 (from jun 4th 2016).
- We have the Synology bound to our AD (2012 R2 level)
- We configured the
authad module from DokuWiki and set the global group
g_wiki-admins as superuser
Setting this up and running was peace of cake... Now, the problem started when we tried to grant permissions to users based on custom AD groups...
We created a global group called
g_wiki-contributors-test, which are the contributors of namespace
test:* and we add some users to it; keeping the focus on
test.user, which is a member of both
Domain User and
g_wiki-contributors-test.
Searching for
test.user using the
User Manager, we see that
test.user belongs to
g_wiki-contributors-test, sample, domain_users, users, @user.
On the ACL Management, we add the
g_wiki-contributors-test to the
test:* namespace, with
'Delete' permissions.
The
acl.auth.php has:
* @ALL 1
* @domain%5fusers 1
test:* @g%5fwiki%2dcontributors%2dtest 16
Now is where the fun starts...
- if I login with a user that belongs to the
g_wiki-admins but not to
g_wiki-contributors-test, it logs on as wiki administrator
- if I log on with a user that belongs to the
g_wiki-contributors-test and not to the
g_wiki-admins (e.g. our test.user), it logs on, but the user has only
read access.
If I remove the
@ALL from the ACL file, that is, the acl.auth.php has
* @domain%5fusers 1
test:* @g%5fwiki%2dcontributors%2dtest 16
the user gets a
permission denied -- despite the fact that he belongs to the Domain Users group.
* @domain%5fusers 1
test:* @g%5fwiki%2dcontributors%2dtest 16
Finally, giving the user permission 16 on the
test:* namespace, gives it the write to edit.
* @ALL 1
* @domain%5fusers 1
test:* test%2euser 16
Does anyone has a clue why the AD groups are not being considered for the authentication?
Thanks in advance,
José