[dokuwiki] Support for ntlm authentication under Windows.

I've added support for simple ntlm authentication under Windows.

NTLM is useful when you want to deploy a wiki in a Windows environment
(e.g. a company's intranet) and allow people to use their existing Windows
login/password to access the wiki.

My approach:
* needs the ntlm module installed
(http://www.gknw.net/development/apache/apache-1.3/win32/modules/) and
the dokuwiki directory protected with .htaccess to require a logged-in user.
The NTLM module sets the REMOTE_USER env variable (but not $_SERVER['REMOTE_USER'],
for some reason)
* I've added an auth_ntlm.php module
* since with ntlm we only get the username and no user e-mail or password,
  I had to add a small hack to auth.php to fabricate user info in the
  request if 'authtype' is 'ntlm'
* and a small function that converts a full user name in the form of
  'domain\\user' to just 'user'

The weakness of this approach is the need to hack things a bit to account
for the lack of user password/email when using ntlm. Also, it allows
anyone who can log in to the domain to access the wiki, and changing
that would require changing auth_ntlm.php.

The patch against current darcs repository is below. It works for me
under apache 1.3.33 on Windows XP and with mod_ntlm-1.3.

I would appreciate it if it got included in the main dokuwiki sources.
If the approach I've taken isn't the right one, I'll gladly rework
the code.

If the patch gets accepted, I'll add info to the wiki on how to set up ntlm
authentication for dokuwiki.

Krzysztof Kowalczyk | http://blog.kowalczyk.info

diff -rN -u -w old-dw/inc/auth.php new-dw-1/inc/auth.php
--- old-dw/inc/auth.php 2005-05-29 03:17:33.000000000 -0700
+++ new-dw-1/inc/auth.php       2005-05-29 15:35:23.000000000 -0700
@@ -26,6 +26,12 @@
   define('AUTH_ADMIN',255);
 
   if($conf['useacl']){
+    if ($conf['authtype'] == 'ntlm')
+    {
+        $_REQUEST['u'] = getRemoteUserNice();
+        $_REQUEST['p'] = "";
+        $_REQUEST['r'] = "";
+    }
     auth_login($_REQUEST['u'],$_REQUEST['p'],$_REQUEST['r']);
     //load ACL into a global array
     $AUTH_ACL = file('conf/acl.auth.php');
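Review bot: the new `authtype == 'ntlm'` branch does not handle getRemoteUserNice() returning an empty value (REMOTE_USER unset because mod_ntlm is not loaded or the .htaccess did not apply), so auth_login() is then called with an empty username and `$_REQUEST['p'] = ""`; fail closed when the value is empty instead of passing it on, e.g. `$u = getRemoteUserNice(); if ($u == '') { /* skip login, stay anonymous */ }`. This block also special-cases one backend inside auth.php; the same override could live in auth_ntlm.php, which is already the file that owns the REMOTE_USER assumption, so auth.php stays backend-agnostic.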
diff -rN -u -w old-dw/inc/auth_ntlm.php new-dw-1/inc/auth_ntlm.php
--- old-dw/inc/auth_ntlm.php    1969-12-31 16:00:00.000000000 -0800
+++ new-dw-1/inc/auth_ntlm.php  2005-05-29 15:28:46.000000000 -0700
@@ -0,0 +1,72 @@
+<?php
+/**
+ * NTLM authentication backend
+ *
+ * To use it:
+ * - install ntlm module (e.g. mod_ntlm-1.3.zip from
+ *   http://www.gknw.net/development/apache/apache-1.3/win32/modules/
+ * - add the following to the .htaccess of your dokuwiki directory:
+AuthType NTLMNTLMAuth on
+NTLMAuthoritative on
+require valid-user
+ *   this will only allowed logged in and authenticated users to
+ *   access pages and puts the login of the user in $REMOTE_USER env
+ *   variable. This code relies on that
+ * @author     Krzysztof Kowalczyk : http://blog.kowalczyk.info
+ */
+
+// we only accept page ids for auth_plain
+if(isset($_REQUEST['u']))
+  $_REQUEST['u'] = cleanID($_REQUEST['u']);
+
+/**
+ * Check user+password [required auth function]
+ *
+ * @author     Krzysztof Kowalczyk : http://blog.kowalczyk.info
+ * @return  bool
+ */
+function auth_checkPass($user,$pass) {
+  return true;
+  if (!getenv('REMOTE_USER'))
+    return false;
+  return true;
+}
+
+/**
+ * Return user info [required auth function]
+ *
+ * Returns info about the given user needs to contain
+ * at least these fields:
+ *
+ * name string  full name of the user
+ * mail string  email addres of the user
+ * grps array   list of groups the user is in
+ *
+ * @author     Krzysztof Kowalczyk : http://blog.kowalczyk.info
+ */
+function auth_getUserData($user) {
+  global $conf;
+  $userInfo['name'] = niceNtlmUserName($user);
+  $userInfo['mail'] = $user;
+  $userInfo['grps'] = array($conf['defaultgroup']);
+  return $userInfo;
+}
+
+/**
+ * Create a new User [required auth function]
+ *
+ * Returns false if the user already exists, null when an error
+ * occured and the cleartext password of the new user if
+ * everything went well.
+ *
+ * The new user HAS TO be added to the default group by this
+ * function!
+ *
+ * @author     Krzysztof Kowalczyk : http://blog.kowalczyk.info
+ */
+function auth_createUser($user,$pass,$name,$mail){
+  return false;
+}
+
+//Setup VIM: ex: et ts=2 enc=utf-8 :
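Review bot: auth_checkPass() returns true unconditionally; the `return true;` on its first line makes the `if (!getenv('REMOTE_USER')) return false;` below it dead code, so any username is treated as authenticated whether or not the NTLM module set REMOTE_USER. Drop the first `return true;` and keep the check (and consult getRemoteUser() from common.php so $_SERVER['REMOTE_USER'] is covered too). Three smaller points in the same file: the .htaccess snippet in the header comment has two directives run together on one line as posted (`AuthType NTLMNTLMAuth on`, which should read `AuthType NTLM` and `NTLMAuth on` on separate lines) and those lines lack the ` * ` comment prefix; the comment `// we only accept page ids for auth_plain` was carried over from auth_plain.php; and auth_getUserData() stores the raw `domain\user` string in the `mail` field, which is not an e-mail address, so an empty string or a documented placeholder would be less misleading for templates and notifications that use it.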
diff -rN -u -w old-dw/inc/common.php new-dw-1/inc/common.php
--- old-dw/inc/common.php       2005-05-29 03:17:34.000000000 -0700
+++ new-dw-1/inc/common.php     2005-05-29 15:25:47.000000000 -0700
@@ -825,5 +825,26 @@
   }
 }
 
+// this is a hack for ntlm_module
(http://www.gknw.net/development/apache/apache-1.3/win32/modules/)
+// for some reason it only sets env variable REMOTE_USER but not
+// $_SERVER['REMOTE_USER']
+function getRemoteUser()
+{
+  if ($_SERVER['REMOTE_USER'])
+    return $_SERVER['REMOTE_USER'];
+  return getenv('REMOTE_USER');
+}
+
+function niceNtlmUserName($userName)
+{
+  return preg_replace("/^.+\\\\/", "", $userName);
+}
+
+// NTLM user name is in the form "domain\\user", this
+// function converts it to just "user"
+function getRemoteUserNice()
+{
+    return  niceNtlmUserName(getRemoteUser());
+}
 
 //Setup VIM: ex: et ts=2 enc=utf-8 :
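Review bot: getRemoteUser() evaluates `$_SERVER['REMOTE_USER']` without isset()/empty(), which emits a PHP notice whenever the key is absent, which is exactly the case the getenv() fallback exists for; use `if (!empty($_SERVER['REMOTE_USER']))`. When neither source is set, getenv() returns false, niceNtlmUserName() runs that through preg_replace and the caller gets an empty string with no indication that authentication never happened; return an explicit '' or null and have callers check it. As posted, the comment at the top of the hunk is wrapped so that its second line (the URL) carries no leading `+` and would be rejected by patch; rewrap it. The regex `"/^.+\\\\/"` strips everything up to the last backslash, matching the `domain\\user` form the comment describes, but it does not handle the `user@domain` UPN form that Windows logons can also produce; worth stating in the comment.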
--
DokuWiki mailing list - more info at
http://wiki.splitbrain.org/wiki:mailinglist
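The post derives the wiki user name from REMOTE_USER and notes two weak spots: the value is trusted as-is, and anyone who can log in to the domain gets in. The following is an added example, not part of the posted patch or of DokuWiki, showing a stricter version of that derivation: it only reads the server-set REMOTE_USER (never client-supplied request data), accepts both the `DOMAIN\user` form the post handles and the `user@domain` UPN form, restricts to an allow-list of domains, and rejects anything that would not be safe to use as a wiki id. The function name, the allowed-domain list and the sample values are assumptions made for the example.

```php
<?php
// Added example (not the posted patch's code): stricter REMOTE_USER handling
// for an NTLM-fronted wiki. Assumes the web server (mod_ntlm with
// "require valid-user") is the only thing that can set REMOTE_USER.

/**
 * Returns the bare, lower-cased user name, or null if the request carries
 * no usable server-set identity or the identity is not from a trusted domain.
 *
 * @param array $server          normally $_SERVER
 * @param array $env             normally the process environment (getenv())
 * @param array $allowedDomains  domains we trust, e.g. array('CORP'); empty = any
 */
function ntlmUserFromEnv(array $server, array $env, array $allowedDomains) {
    // Prefer $_SERVER, fall back to the environment as the post's
    // getRemoteUser() does, but never to query string, POST body or cookies.
    $raw = '';
    if (!empty($server['REMOTE_USER'])) {
        $raw = $server['REMOTE_USER'];
    } elseif (!empty($env['REMOTE_USER'])) {
        $raw = $env['REMOTE_USER'];
    }
    if ($raw === '') {
        return null;               // authentication did not happen: anonymous
    }

    // Split "DOMAIN\user" (post's form) or "user@domain" (UPN form).
    $domain = '';
    $user   = $raw;
    if (strpos($raw, '\\') !== false) {
        list($domain, $user) = explode('\\', $raw, 2);
    } elseif (strpos($raw, '@') !== false) {
        list($user, $domain) = explode('@', $raw, 2);
    }

    // Only trust the domains we meant to; this is the knob the post says
    // would otherwise require editing auth_ntlm.php.
    if ($allowedDomains) {
        $allowed = array_map('strtolower', $allowedDomains);
        if (!in_array(strtolower($domain), $allowed, true)) {
            return null;
        }
    }

    // Conservative charset so the value is safe as a page/ACL id later
    // (rejects path separators, dots-only names, control characters, etc.).
    if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$/', $user)) {
        return null;
    }
    return strtolower($user);
}

// Constructed sample values (not captured from a real server):
$trusted = array('CORP', 'corp.example');
$samples = array(
    'CORP\\jdoe',           // expected: "jdoe"
    'jdoe@corp.example',    // expected: "jdoe"
    'OTHER\\jdoe',          // expected: null (untrusted domain)
    'CORP\\..',             // expected: null (unsafe as an id)
    '',                     // expected: null (no authentication)
);
foreach ($samples as $s) {
    $got = ntlmUserFromEnv(array('REMOTE_USER' => $s), array(), $trusted);
    printf("%-22s => %s\n", var_export($s, true), var_export($got, true));
}
```

A null result should map to the anonymous user, not to a login attempt with an empty name; that is the fail-closed behaviour the posted auth.php hunk lacks when REMOTE_USER is missing.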