[dokuwiki] Re: Authenticate against LDAP but retain users.auth.php group assignment?
- From: "Metz, Bobby" <Bobby.Metz@xxxxxxxxxxxxxxxxxx>
- To: <dokuwiki@xxxxxxxxxxxxx>
- Date: Mon, 24 Nov 2008 12:03:58 -0500
Yes, I remember hoping that chainedauth would handle what I needed when
you published it. Very cool plug-in...I was bummed that it didn't do
what I'd hoped.
As for merging info from several backends I like the concept. I would
be concerned about group overlap between multiple sources though.
Specifying which source was authoritative might be challenging in a
corporate environment. You'd have to be able to specify the order of
authority for each group somehow in addition to just merged results. For
example, local is authoritative for groups A..C, LDAP is authoritative
for groups X..Z, both are authoritative for group L..N, i.e. local
groups X..Z and LDAP groups A..C would be ignored if they existed.
Bobby
> -----Original Message-----
> From: dokuwiki-bounce@xxxxxxxxxxxxx [mailto:dokuwiki-bounce@xxxxxxxxxxxxx]
> On Behalf Of lwoggardner
> Sent: Sunday, November 23, 2008 2:09 PM
> To: dokuwiki@xxxxxxxxxxxxx
> Subject: [dokuwiki] Re: Authenticate against LDAP but retain
> users.auth.php group assignment?
>
>
> Sorry, no code or config to offer, just an idea.
>
> This concept can possibly be generalised with a new auth backend class
> that delegates authentication (checkPass) to one backend and
> authorisation (getUserData) to another. A bit like the approach I took
> with http://www.dokuwiki.org/tips:chainedauth.
>
> It might be configured with some conf values eg...
> $conf['splitauth_authentication_backend'] = 'ldap';
> $conf['splitauth_authorisation_backend'] = 'plain';
>
> Alternatively if you want to merge group info from multiple backends
> then the concept in chainedauth could be enhanced so that the
> getUserData function merges the information from all backends rather
> than breaking out of the chain at the first backend that finds a
> matching user.
>
> Grant.
> (poss reposting from subscribed address)
>
> On Sat, 22 Nov 2008 13:01:19 +0100, Sebastian Menge
> <sebastian.menge@xxxxxxxxxxxxxxx> wrote:
> > On Fri, 21 Nov 2008 13:37:03 -0500,
> > "Metz, Bobby" <Bobby.Metz@xxxxxxxxxxxxxxxxxx> wrote:
> >
> >> I've recently upgraded my doku version and I want to switch to LDAP
> >> authentication but I want to retain the ability to assign groups to
> >> users via users.auth.php instead of using LDAP groups since I have a
> >> lot of automation around this file already and it affords me stricter
> >> security control than with my LDAP server which several departments
> >> use. I looked through the LDAP auth documentation but it seems to be
> >> all or nothing. Can someone more knowledgeable of using LDAP with
> >> doku provide some advice please? Is my assumption correct that I can
> >> only use LDAP groups with LDAP authentication? Or is there a middle
> >> ground and if so what it might be and where can I find info for
> >> configuring it?
> >
> > With our RADIUS-Backend we just wrote our own
> > "checkPass(user,pass)->bool" and do the rest via users.auth.php. So
> > it's possible, but perhaps you have to customize/enhance the
> > LDAP-Backend.
> >
> > I have to update http://www.dokuwiki.org/auth:radius when I find the
> > time, since we really extend auth_basic such that we can use the
> > user_manager plugin.
> >
> > Let me know if you're interested in this.
> >
> > Sebastian.
> > --
> > DokuWiki mailing list - more info at
> > http://wiki.splitbrain.org/wiki:mailinglist
--
DokuWiki mailing list - more info at
http://wiki.splitbrain.org/wiki:mailinglist
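
Added example (not part of the original thread and not DokuWiki code): one way to express the per-group authority rule from the message above, where local is authoritative for groups A..C, LDAP for X..Z, and both for L..N. The backend names 'plain' and 'ldap' come from the thread; the policy map layout, the function names and the sample user are assumptions made for illustration.

```php
<?php
// Added example, not DokuWiki code. Backend names follow the thread; the
// policy map layout and the function names are assumptions.

// Which backends may grant each group. A group missing from the map is
// granted by nobody (fail closed).
function buildPolicy(): array {
    $policy = [];
    foreach (range('A', 'C') as $g) $policy[$g] = ['plain'];
    foreach (range('X', 'Z') as $g) $policy[$g] = ['ldap'];
    foreach (range('L', 'N') as $g) $policy[$g] = ['plain', 'ldap'];
    return $policy;
}

/**
 * @param array $claims backend name => list of groups that backend reports
 * @param array $policy group => list of backends authoritative for it
 * @return array [granted groups, rejected "backend:group" claims for auditing]
 */
function resolveGroups(array $claims, array $policy): array {
    $granted = [];
    $rejected = [];
    foreach ($claims as $backend => $groups) {
        foreach (array_unique($groups) as $group) {
            if (in_array($backend, $policy[$group] ?? [], true)) {
                $granted[$group] = true;
            } else {
                // Claim from a non-authoritative source: ignore it, but keep
                // a record so unexpected grants in the other backend show up.
                $rejected[] = "$backend:$group";
            }
        }
    }
    $granted = array_keys($granted);
    sort($granted);
    return [$granted, $rejected];
}

// Constructed sample: the same user as reported by each backend.
$claims = [
    'plain' => ['A', 'M', 'X'],          // X is LDAP-only
    'ldap'  => ['B', 'M', 'Y', 'admin'], // B is local-only, admin is unlisted
];
[$granted, $rejected] = resolveGroups($claims, buildPolicy());
echo 'granted:  ', implode(', ', $granted), PHP_EOL;
echo 'rejected: ', implode(', ', $rejected), PHP_EOL;
```

Denying groups that appear in no policy entry keeps a shared LDAP server from introducing wiki privileges that were never assigned an authoritative source.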