2010-02-12
ericnils
I am very appreciative of the much simpler Active Directory support enabled by adLDAP, but I need AD group-level authentication. adLDAP already includes group membership validation, so I modified inc/auth.php and inc/auth/ad.class.php to add that functionality to my DokuWiki installation. The patch file is below. Can this functionality be added to the next release?
Options required in local.protected.php:
$conf['auth']['ad']['group_membership_required_to_edit'] = 1;
$conf['auth']['ad']['groups_authorized_to_edit'] = ''; // multiple groups can be given; the list must contain the superuser group, and group names are literal (do not prefix a group name with @ or replace spaces with underscores)
Patch file:
diff -rup dokuwiki-2009-12-25/inc/auth/ad.class.php dokuwiki-2009-12-25-with-ad-group-authentication/inc/auth/ad.class.php
--- dokuwiki-2009-12-25/inc/auth/ad.class.php 2010-01-17 05:35:46.000000000 -0500
+++ dokuwiki-2009-12-25-with-ad-group-authentication/inc/auth/ad.class.php 2010-02-12 11:57:36.496271304 -0500
@@ -87,6 +87,10 @@ class auth_ad extends auth_basic {
$this->opts['domain_controllers'] = array_filter($this->opts['domain_controllers']);
// we currently just handle authentication, so no capabilities are set
+
+ // handle multiple groups authorized to edit
+ $this->opts['groups_authorized_to_edit'] = explode(',',$this->opts['groups_authorized_to_edit']);
+ $this->opts['groups_authorized_to_edit'] = array_map('trim',$this->opts['groups_authorized_to_edit']);
}
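Review bot: The added explode() on `$this->opts['groups_authorized_to_edit']` raises a notice when the option is not configured and yields `array('')` for an empty string, so the membership loop in checkPass later asks adLDAP about an empty group name. Mirror the array_filter() already applied to domain_controllers two lines above: `$groups = isset($this->opts['groups_authorized_to_edit']) ? $this->opts['groups_authorized_to_edit'] : '';` followed by `$this->opts['groups_authorized_to_edit'] = array_filter(array_map('trim', explode(',', $groups)), 'strlen');`. The enclosing constructor starts outside the hunk, so where `$this->opts` is populated from `$this->cnf` is not visible here.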
/**
@@ -100,11 +104,29 @@ class auth_ad extends auth_basic {
* @return bool
*/
function checkPass($user, $pass){
+
if($_SERVER['REMOTE_USER'] &&
$_SERVER['REMOTE_USER'] == $user &&
$this->cnf['sso']) return true;
if(!$this->_init()) return false;
+
+ if($this->opts['group_membership_required_to_edit']){
+
+ // validate correct username and password and initialize the adldap object
+ if (!$this->adldap->authenticate($user, $pass)) return false;
+ else{
+ // loop through authorized groups
+ foreach($this->opts['groups_authorized_to_edit'] as $key => $group){
+ if ($this->adldap->user_ingroup($user, $group)) return true;
+ }
+
+ // Inform the user that logon failed due to lack of group membership
+ msg($user . " does not belong to a group authorized to edit this wiki.",-1);
+ if ($this->cnf['debug']) msg("Check \$conf['auth']['ad']['groups_authorized_to_edit'] in local.protected.php to add authorized groups",-1);
+ return "group failed";
+ }
+ }
return $this->adldap->authenticate($user, $pass);
}
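Review bot: `return "group failed";` after the debug msg() breaks the documented `@return bool` contract and is a truthy value, so any caller other than the patched auth_login() that still does `if($auth->checkPass(...))` would treat an authenticated user who belongs to no authorized group as logged in — a fail-open. Return `false` here and carry the reason out of band, e.g. `$this->groupFailed = true;` (constructed name) before `return false;`, and test that property in inc/auth.php instead of the loose `$auth_return == "group failed"` comparison, which is the same defect in the second hunk. `$user` is form input echoed back in the first msg(); if msg() renders its argument as HTML without escaping (DokuWiki's msg() appears not to escape), wrap it as `htmlspecialchars($user, ENT_QUOTES, 'UTF-8')`. The password is verified by authenticate() before any group lookup, which is the right order and should be kept.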
diff -rup dokuwiki-2009-12-25/inc/auth.php dokuwiki-2009-12-25-with-ad-group-authentication/inc/auth.php
--- dokuwiki-2009-12-25/inc/auth.php 2010-01-17 05:35:46.000000000 -0500
+++ dokuwiki-2009-12-25-with-ad-group-authentication/inc/auth.php 2010-02-12 11:57:24.155342113 -0500
@@ -154,12 +154,14 @@ function auth_login($user,$pass,$sticky=
if(!empty($user)){
//usual login
- if ($auth->checkPass($user,$pass)){
+ $auth_return = $auth->checkPass($user,$pass);
+ if ($auth_return === true){
// make logininfo globally available
$_SERVER['REMOTE_USER'] = $user;
auth_setCookie($user,PMA_blowfish_encrypt($pass,auth_cookiesalt()),$sticky);
return true;
}else{
+ if ($auth_return == "group failed") $silent = true; // prevent badlogin message from displaying
//invalid credentials - log off
if(!$silent) msg($lang['badlogin'],-1);
auth_logoff();