Dokuwiki Shibboleth authentication backend

DokuWiki is a standards compliant, simple to use Wiki, mainly aimed at creating documentation of any kind. It is targeted at developer teams, workgroups and small companies. It has a simple but powerful syntax which makes sure the datafiles remain readable outside the Wiki and eases the creation of structured texts. All data is stored in plain text files – no database is required. (description taken from DokuWiki homepage)

The Shibboleth System is a standards based, open source software package for web single sign-on across or within organizational boundaries. It allows sites to make informed authorization decisions for individual access of protected online resources in a privacy-preserving manner.

Making DokuWiki authenticate through Shibboleth is fairly easy thanks to the extensible DokuWiki authentication framework, which makes it easy to plug in different authentication backends. The Shibboleth backend itself only needs to check for some environment variables and determine the user’s username and info.

You can get more information and download the backend at its homepage:

Dokuwiki Shibboleth Authentication Backend

Feel free to comment.

10 Comments

  1. procaccia:

    hello,
    thank you for this great shibboleth-dokuwiki plugin.
    It works fine for me for authenticating.
    For authorisation I have doubts about how to use var_entitlement to map dokuwiki groups!?
    Here’s what I did in local.php:

    # 'var_entitlement' – The name of the attribute containing the user entitlement (eduPersonEntitlement)
    $conf['auth']['shib']['var_entitlement'] = 'unscoped-affiliation';

    But I can’t figure out how to use entitlement_groups
    # 'entitlement_groups' – maps entitlements to user groups, 'var_entitlement' must be set
    #$conf['auth']['shib']['entitlement_groups'] = array(
    # 'https://www.example.org/special' => 'special_group',
    # 'https://www.example.org/internal' => 'internal_group'
    #);

    Here my unscoped-affiliation attribute contains values from edupersonAffiliation (faculty, member, employee, student …), how can I generate the associated dokuwiki groups?

    Thanks .

  2. Robert Kelly:

    Hello Ivan,
    I just wanted to say thanks for your Shibboleth plugins for Dokuwiki.
    Great work!
    I’m using both the auth and login plugins and I only had one issue which I thought I’d let you know about.
    Clicking the logout button did not work for me.
    I’m new to Dokuwiki, especially its internals, but I managed to get it working by adding an exit() at the end of the logOff() function. (Saw it used in another auth plugin)
    I’m not sure if that is the correct way of making it work, but, it worked for me.
    It seems to prevent Dokuwiki from sending its own redirect.

    Thanks again,
    Rob

  3. procaccia:

    Forget my request about how to allocate dynamic groups with shib.
    I found it myself, the example with URL misled me …
    Here’s how I use it now with success:
    # 'var_entitlement' – The name of the attribute containing the user entitlement (eduPersonEntitlement)
    $conf['auth']['shib']['var_entitlement'] = 'unscoped-affiliation';

    # 'entitlement_groups' – maps entitlements to user groups, 'var_entitlement' must be set
    $conf['auth']['shib']['entitlement_groups'] = array(
    'student' => 'student',
    'employee' => 'employee',
    'member' => 'member'
    );

    In my use case with edupersonAffiliation, when shibboleth retrieves the user’s edupersonAffiliation attribute (rewritten to unscoped-affiliation here),
    if he is a student he gets affected in the “student” dokuwiki group.
    That works like a charm, very clever!
    Thanks again for your contribution to dokuwiki & shibboleth.

    regards .

  4. entitlement_groups:

    Finally, dynamically allocating groups based on shib attribute values doesn’t seem to work :-(
    I did a wrong test with too much open ACL in my previous post.
    Now I checked again with a better test, and it doesn’t work as expected.
    I use the ?do=check option on the page I want to check ACL, and now I can clearly see that I am not in the expected groups.
    ?do=check on the start page after logging in with shib and a username that has “employee” for var_entitlement value only gives me:
    “You are part of the groups allusers”
    not the expected additional group “employee” :-(
    as programmed in
    $conf['auth']['shib']['entitlement_groups'] = array(
    'student' => 'student',
    'employee' => 'employee',
    'member' => 'member'
    );

    Did I miss something?
    I also read that all users not connected with ‘plain’ auth aren’t in @user group which is supposed to group all connected users
    it’s quite embarrassing, any help greatly appreciated.

    Regards .

  5. procaccia:

    Sorry, I finally found the problem.
    Enabling debug helped a lot, thanks for that functionality.
    The problem comes from the admin page (id=start&do=admin&page=config): when I edit the config from the admin web interface of dokuwiki, it rewrites the config, but wrongly for entitlement_groups :-(

    original:
    $conf['auth']['shib']['entitlement_groups'] = array(
    'student' => 'student',
    'member' => 'member',
    'invite' => 'invite',
    'employee' => 'employee'
    );

    had been rewritten to

    #$conf['auth']['shib']['entitlement_groups'] = 'array( \'student\' => \'student\', \'invite\' => \'invite\', \'member\' => \'member\' \'employee\' => \'employee\' )';
    which seems to be syntactically wrong regarding the debug message:

    [Thu Jan 07 22:23:38 2010] [error] [client 82.230.31.137] entitlement groups not configured
    [Thu Jan 07 22:23:38 2010] [error] [client 82.230.31.137] Array\n(\n [uid] => Procaccia\n [name] => Procaccia\n [mail] => procacci@enst.fr\n [grps] => Array\n (\n [0] => shibusers\n [1] => intraIT\n )\n\n)\n

    Now that I have reset the ['entitlement_groups'] = array(… on multiple lines manually in local.php, I no longer have the “entitlement groups not configured” error in the apache error_log, and the “invite” shib group is now set :-) :
    [Thu Jan 07 22:28:36 2010] [error] [client 82.230.31.137] Array\n(\n [uid] => Procaccia\n [name] => Procaccia\n [mail] => procacci@enst.fr\n [grps] => Array\n (\n [0] => shibusers\n [1] => intraIT\n [2] => invite\n )\n\n)\n

    I’ve checked the ACLs based on those shib groups (?do=check also confirms that it is set), everything seems fine, I’ll post that positive experience on your blog when all my tests are conclusive.

    Thanks again for that wonderful and powerful plugin!

  6. micro:

    you should put that part of the configuration in local.protected.php.

    When you save the settings in the admin panel, only local.php is modified.

    Thanks for the plugin!

    Regards,
    micro
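
The failure described in comments 5 and 6, as an added example that is not the plugin's own code: a group mapper that rejects an entitlement_groups value that is not an array and logs why, so a config rewritten as a string shows up in the error log instead of as silently missing groups. The function names are hypothetical and the sample data is constructed; the `;` separator and `\;` escape are how the Shibboleth SP exports multi-valued attributes.

```php
<?php
// Added example, not the plugin's code; all function names are hypothetical.

// Split a Shibboleth attribute: the SP joins multiple values with ';'
// and escapes a literal semicolon inside a value as '\;'.
function shib_attr_values($raw): array
{
    if (!is_string($raw) || $raw === '') {
        return [];
    }
    $parts = preg_split('/(?<!\\\\);/', $raw);
    return array_map(fn($v) => str_replace('\\;', ';', trim($v)), $parts);
}

// Map attribute values to wiki groups; refuse a map that is not an array.
function map_entitlement_groups(array $server, array $shibConf): array
{
    $var = $shibConf['var_entitlement'] ?? '';
    $map = $shibConf['entitlement_groups'] ?? null;
    if (!is_string($var) || $var === '') {
        return [];
    }
    if (!is_array($map)) {
        // Comment 5's case: the admin page saved the array as a quoted string.
        error_log('entitlement_groups is ' . gettype($map) . ', expected array; mapping skipped');
        return [];
    }
    $groups = [];
    foreach (shib_attr_values($server[$var] ?? null) as $value) {
        if (isset($map[$value]) && is_string($map[$value]) && $map[$value] !== '') {
            $groups[] = $map[$value];
        }
    }
    return array_values(array_unique($groups));
}

// Constructed sample data (not taken from a real request).
$server = ['unscoped-affiliation' => 'member;employee'];
$good = [
    'var_entitlement'    => 'unscoped-affiliation',
    'entitlement_groups' => ['student' => 'student', 'employee' => 'employee', 'member' => 'member'],
];
$broken = $good;
$broken['entitlement_groups'] = "array( 'student' => 'student', 'employee' => 'employee' )";

echo 'array map:  ', implode(',', map_entitlement_groups($server, $good)), PHP_EOL;
echo 'string map: ', implode(',', map_entitlement_groups($server, $broken)), PHP_EOL;
```

The string-valued map yields no groups at all, which fails closed: ACL rules written for those groups simply do not match.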

  7. procaccia:

    When the shib plugin is enabled and you restrict access to a namespace with ACL, media files/images aren’t visible anymore :-(
    I double-checked my ACL and file permissions, no way. Is this a bug?

    example
    user:* @shibusers 1

    for example, when accessing doku.php?id=user:shibusers:dsi page which contains images, before installing shib plugins (with @user acl 1 access at that time !) images were visible to a logged in user (plain), as soon as I enable shib auth, page and group access works fine, but not for images :-( .

    please help.
    thanks .

  8. procaccia:

    It’s not a bug, nor a misconfiguration of the ACL.
    It’s just a silly Carriage Return left at the end of the file pointed to by $conf['auth']['shib']['customgroups_file'] that added a CR at the beginning of every media :-(
    (0a FF D8 ….) instead of (FF D8 ….)
    I removed the CR at the end of my custom_group file, and now it works fine.
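
A check for the stray `0a` byte reported in comment 8, as an added example that is not part of DokuWiki or the plugin: it uses PHP's tokenizer to list every byte a PHP file would emit as output when included, which is what ends up in front of binary responses such as images. It assumes the custom groups file is an included PHP file; the function name and sample file contents are hypothetical and constructed.

```php
<?php
// Added example, not part of DokuWiki or the plugin; names are hypothetical.

// Return every run of bytes that including this PHP source would send to
// the client, i.e. anything the tokenizer classifies as inline HTML.
function stray_output(string $source): array
{
    $findings = [];
    foreach (token_get_all($source) as $token) {
        if (is_array($token) && $token[0] === T_INLINE_HTML) {
            $findings[] = ['line' => $token[2], 'hex' => bin2hex($token[1])];
        }
    }
    return $findings;
}

// Constructed samples. PHP swallows one newline directly after "?>",
// so only the second newline of the second sample becomes output (hex 0a).
$samples = [
    'clean (no closing tag)'      => '<?php $groups = array("staff" => array("alice"));' . "\n",
    'dirty (blank line after ?>)' => '<?php $groups = array("staff" => array("alice")); ?>' . "\n\n",
    'dirty (BOM before <?php)'    => "\xEF\xBB\xBF" . '<?php $groups = array();' . "\n",
];

// With file arguments, scan those files instead of the samples.
$inputs = [];
foreach (array_slice($argv ?? [], 1) as $path) {
    $inputs[$path] = (string) file_get_contents($path);
}
foreach ($inputs ?: $samples as $label => $source) {
    $hits = stray_output($source);
    if ($hits === []) {
        echo "$label: OK", PHP_EOL;
        continue;
    }
    foreach ($hits as $hit) {
        echo "$label: emits bytes {$hit['hex']} at line {$hit['line']}", PHP_EOL;
    }
}
```

Leaving out the closing `?>` in files that contain only PHP removes this class of problem, since nothing after the code can become output.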

  9. KoS:

    thanks for the great plugin! some time ago i have extended it a little bit so that the users are cached locally (so the right name can be displayed on the wiki pages instead of the uniqueID that i use as username, which is just a “random” string). i tried to contact ivan to get it merged with his version, but so far haven’t got any answer :-( ivan? are you there? :-)

    greets
    KoS

  10. Ivan Novakov:

    Hi KoS,
    I’m here, but I don’t have much time running the blog. I remember your contribution, but it reached me after some time and I was too busy to examine it more carefully and as a result I didn’t answer at all, I’m sorry for that.

    Now it seems I’ll be updating the plugin, so if you send me again your modification, I’ll be glad to merge them.

    In fact, I dealt with the same problem, but I had to modify directly the Dokuwiki code, to make it display the “name” instead of the principal/targeted/persistent ID.
