[dokuwiki] Re: Authenticate against LDAP but retain users.auth.php group assignment?
- From: Klaus Vormweg <klaus.vormweg@xxxxxx>
- To: dokuwiki@xxxxxxxxxxxxx
- Date: Sun, 23 Nov 2008 21:41:27 +0100
On Fri, 21 Nov 2008 13:37:03 -0500
"Metz, Bobby" <Bobby.Metz@xxxxxxxxxxxxxxxxxx> wrote:
> I've recently upgraded my doku version and I want to switch to LDAP
> authentication but I want to retain the ability to assign groups to
> users via users.auth.php instead of using LDAP groups since I have a
> lot of automation around this file already and it affords me stricter
> security control than with my LDAP server which several departments
> use. I looked through the LDAP auth documentation but it seems to be
> all or nothing. Can someone more knowledgeable of using LDAP with
> doku provide some advice please? Is my assumption correct that I can
> only use LDAP groups with LDAP authentication? Or is there a middle
> ground and if so what it might be and where can I find info for
> configuring it?
>
Well, I've had the same problem - a company-wide LDAP that I cannot
control in any respect and just a handful of those 5000+ users should
be able to access and/or edit a wiki. The wiki contains documentation
for different project groups that should be read and edited in most
cases only by those groups.
To achieve that, I have patched ldap.class.php with a snippet from
plain.class.php so that local, plain text groups get read when a
configuration variable ($conf['ldap']['localgroup']) is set.
In my configuration the default group has no rights at all, so all
users have no access to the wiki even if they can log in.
All user administration takes place locally but users can use their
company-wide login and password.
I have put that as a wish-list bug into dokuwiki's bug tracking system.
The (very short) patch is enclosed.
Klaus
--- ldap.class.php.ori 2008-11-23 21:06:36.000000000 +0100
+++ ldap.class.php 2008-11-23 21:07:34.000000000 +0100
@@ -244,6 +244,27 @@
if(!in_array($conf['defaultgroup'],$info['grps'])){
$info['grps'][] = $conf['defaultgroup'];
}
+/* read additional group from user.auth file */
+ if($this->cnf['localgroup']) {
+ define('AUTH_USERFILE',DOKU_CONF.'users.auth.php');
+
+ if(@file_exists(AUTH_USERFILE)) {
+ $lines = file(AUTH_USERFILE);
+ foreach($lines as $line){
+ $line = preg_replace('/#.*$/','',$line); //ignore comments
+ $line = trim($line);
+ if(empty($line)) continue;
+ $row = split(":",$line,5);
+ $groups = split(",",$row[4]);
+ if($row[0] != $user) continue;
+ foreach($groups as $group) {
+ if(in_array($group,$info['grps'])) continue;
+ $info['grps'][] = $group;
+ }
+ }
+ }
+ }
+ /* end */
return $info;
}
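Review bot: The username match `if($row[0] != $user) continue;` uses a loose comparison, so two numeric-looking logins can compare equal (in PHP `"1e3" == "1000"` is true) and one account could pick up the local groups of another; use `!==`, and move the check above the `split(",",$row[4])` line so non-matching rows are skipped before their groups are parsed. `$row[4]` is read without checking that the line had five fields, so a short or malformed line in users.auth.php raises a notice and an empty group field appends an empty-string group; skip rows where `count($row) < 5` and drop empty group names. The `define('AUTH_USERFILE',...)` sits inside the method body, so it runs again on every call with localgroup set and raises a notice once the constant exists; guard it with `defined()` or move it to file scope. The block only appends to `$info['grps']`, so whatever groups were collected earlier in the function stay in effect alongside the local ones; if the local file is meant to be the only source of group membership, the array has to be reset before this block. The new `localgroup` option also needs a line of documentation, and the comment should name the file as users.auth.php.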