This backend uses a PostgreSQL Database to store user data and passwords.
Compatible with DokuWiki
(bundled up to version Greebo)
Similar to authpdo, authsqlite
The PostgreSQL plugin is deprecated.
Please use its replacement: the authPDO plugin.
The PostgreSQL plugin was bundled up to Greebo (2018-04-22).
This backend uses a PostgreSQL Database to store user data and passwords.
Any database that contains basic user and group information could be used with DokuWiki. How to adapt the SQL statements to match your favorite database will be discussed in this page. All configuration and SQL statements are tested with Postgres 8.1 and are based on the example database structure below.
Before this plugin can be used, you need to setup some settings:
authpgsql
.The version supplied on this page uses a simple database setup, this can be modified to your own database setup.
Save the configuration settings to the conf/local.protected.php
file to protect the settings against changes via Config Manager.
Administration of users and its groups can be done in the User manager, when the needed statements are supplied in the config.
The backend will be enabled with the authtype configuration option by selecting authpgsql
this is part of “Authentication settings” section.
In the “Plugin Settings” are settings for the authpgsql plugin. Here you defines your database and all the statements that performs the authentication and administration actions.
There are more general authentication related settings available too.
The configuration options needs to be set in the Config Manager or added to conf/local.protected.php
to become used. At bottom of this page is a code snippet that collects all mentioned settings.
It will be enabled with the configuration option
$conf['authtype'] = "pgsql";
While configuring the PostgreSQL backend for the first time, you may want to enable it's debug mode to get meaningful feedback on whats going on behind the scenes. Be sure to disable this option again after everything is set up.
$conf['plugin']['authpgsql']['debug'] = 1;
This option defines the PostgreSQL server to connect to. If you are running PostgreSQL on the same server as your DokuWiki installation, localhost
would be sufficient. Otherwise put in your remote server here. Keep in mind that the remote database server must allow access from your DokuWiki server. See PostgreSQL documentation for details on this issue.
$conf['plugin']['authpgsql']['server'] = 'localhost';
This option defines which user DokuWiki should use to access the database.
$conf['plugin']['authpgsql']['user'] = 'dbuser';
Set the database password for user
here. Because it is entered in clear text some additional security prophylaxes should be performed.
$conf['plugin']['authpgsql']['password'] = 'dbpassword';
Last but not least you need to specify the database that stores all the user information.
$conf['plugin']['authpgsql']['database'] = 'users';
Normally password encryption is done by DokuWiki (recommended) but for some reasons it might be useful to let the database do the encryption.
If you set forwardClearPass
to 1
the backend expects the database to do the crypting. It will forward the clear text password to the database. Be aware of the security risk.
Set forwardClearPass
to 0
and DokuWiki do the password encryption. Which encryption method is used is set by the passcrypt option.
$conf['plugin']['authpgsql']['forwardClearPass'] = 0;
The SQL statements in this section are necessary to use DokuWiki with the PgSQL authentication backend. They are the minimum set you have to define.
This statement is used to grant or deny access to the wiki. The result should be a resultset with exact one line containing at least the password of the user. If the result is empty or contains more than one row, access will be denied. The module accesses the password as 'pass' so an alias might be necessary.
If you set forwardClearPass
to 1
the password must be verified from the database. An additional WHERE clause will do the job: AND pass = MD5('%{pass}')
. A much better way is and I really recommend to do it this way is to set 'forwardClearPass = 0' and let DokuWiki do the crypting.
%{user}
will be replaced by a user name%{pass}
will be replaced by an encrypted or clear text password (depends on 'forwardClearPass')%{dgroup}
will be replaced by the default group name $conf['plugin']['authpgsql']['checkPass'] = "SELECT pass FROM usergroup AS ug JOIN users AS u ON u.uid=ug.uid JOIN groups AS g ON g.gid=ug.gid WHERE u.login='%{user}' AND g.name='%{dgroup}'";
If you share the user database with other applications it might be useful to be able to define which user may access the Wiki. Ok, the main spirit of a Wiki is it not to limit the access and give all users the possibility to participate. But hey, you are reading an article about access control, what did you expect? So let us get the donkey from the ice.
As already mentioned we have a user database but not every user in this database should be allowed to log into the wiki. The easiest way to check this is the DokuWiki defaultgroup
. Every new DokuWiki user will automatically be a member of this group so all we have to do is to check the group besides the password at login time.
The above SQL statement already does this with g.name='%{dgroup}'
.
This statement should return a resultset with exact one row containing information about one user. The fields needed are:
pass
containing the encrypted or clear text password name
the user's full namemail
the user's email addressKeep in mind that DokuWiki will access these information through the names listed above so aliases might be necessary.
%{user}
will be replaced by a user name$conf['plugin']['authpgsql']['getUserInfo'] = " SELECT pass, fullname AS name, email AS mail FROM users WHERE login='%{user}'";
This statement is used to get all groups a user is member of. The result should be a table containing all groups the given user is member of. The module accesses the group name as 'group' so an alias might be necessary.
%{user}
will be replaced by a user name$conf['plugin']['authpgsql']['getGroups'] = "SELECT g.name as group FROM groups g, users u, usergroup ug WHERE u.uid = ug.uid AND g.gid = ug.gid AND u.login='%{user}'";
The SQL statements in this section are necessary to use the user manager plugin. They set up only basic support and you will only be able to get and display the user list.
This statement should return a table containing all user login names that meet certain filter criteria. The filter expressions will be added case dependent by the module. At the end a sort expression will be added.
Important is that this list contains no double entries to a user. Each user name is only allowed once in the table.
The login name will be accessed as user
to an alias might be necessary. No patterns will be replaced in this statement but following patters will be replaced in the filter expressions:
%{user}
in FilterLogin will be replaced by a user name%{name}
in FilterName will be replaced by user's full name%{email}
in FilterEmail will be replaced by user's email address%{group}
in FilterGroup will be replaced by a group name$conf['plugin']['authpgsql']['getUsers'] = " SELECT DISTINCT u.login AS user FROM users AS u LEFT JOIN usergroup AS ug ON u.uid=ug.uid LEFT JOIN groups AS g ON ug.gid=g.gid"; $conf['plugin']['authpgsql']['FilterLogin'] = "u.login LIKE '%{user}'"; $conf['plugin']['authpgsql']['FilterName'] = "u.fullname LIKE '%{name}'"; $conf['plugin']['authpgsql']['FilterEmail'] = "u.email LIKE '%{email}'"; $conf['plugin']['authpgsql']['FilterGroup'] = "g.name LIKE '%{group}'"; $conf['plugin']['authpgsql']['SortOrder'] = "ORDER BY u.login";
You additionally need the SQL statements in this section if you want to add new users in the database with the user manager either through user self registration, for disabling use disableactions register
.
This statement should add a user to the database. Minimum information to store are: login name, password, email address and full name.
%{user}
will be replaced by the user name%{pass}
will be replaced by the password (encrypted or clear text, depends on 'forwardClearPass')%{email}
will be replaced by user's email address%{name}
will be replaced by user's full name$conf['plugin']['authpgsql']['addUser'] = " INSERT INTO users (login, pass, email, fullname) VALUES ('%{user}', '%{pass}', '%{email}', '%{name}')";
Please keep in mind that if you set forwardClearPass
to 1
the clear text password is filled in here. You should at least replace %{pass}
with MD5('%{pass}')
or better set forwardClearPas
to 0
and let DokuWiki do the crypting. I really recommend the second method.
This statement should add a group to the database.
%{group}
will be replaced by a group name$conf['plugin']['authpgsql']['addGroup'] = "INSERT INTO groups (name) VALUES ('%{group}')";
This statement should connect a user to a group (a user becomes member of that group).
%{user}
will be replaced by a user name%{uid}
will be replaced by the id of a user data-set%{group}
will be replaced by a group name%{gid}
will be replaced by the id of a group data-set$conf['plugin']['authpgsql']['addUserGroup']= "INSERT INTO usergroup (uid, gid) VALUES ('%{uid}', '%{gid}')";
This statement should remove a group from the database.
%{group}
will be replaced by the group name%{gid}
will be replaced by the id of a group data-set$conf['plugin']['authpgsql']['delGroup'] = "DELETE FROM groups WHERE gid='%{gid}'";
This statement should return the database index of a given user name. The module will access the index with the name id
so an alias might be necessary.
%{user}
will be replaced by the user name $conf['plugin']['authpgsql']['getUserID'] = "SELECT uid AS id FROM users WHERE login='%{user}'";
This statement should return the database index of a given group name. The module will access the index with the name id
so an alias might be necessary.
%{group}
will be replaced by the group name $conf['plugin']['authpgsql']['getGroupID'] = "SELECT gid AS id FROM groups WHERE name='%{group}'";
You additionally need the SQL statements in this section if you want to remove users from the database with the user manager.
This statement should remove a user from the database.
%{user}
will be replaced by the user name%{uid}
will be replaced by the id of a user data-set$conf['plugin']['authpgsql']['delUser'] = "DELETE FROM users WHERE uid='%{uid}'";
This statement should remove all connections from a user to any group (a user quits membership of all groups).
%{uid}
will be replaced by the id of a user data-set$conf['plugin']['authpgsql']['delUserRefs'] = "DELETE FROM usergroup WHERE uid='%{uid}'";
This statements should modify a user entry in the database. The statements UpdateLogin, UpdatePass, UpdateEmail and UpdateName will be added to updateUser on demand. Only changed parameters will be used.
%{user}
will be replaces by the user name%{pass}
will be replaced by the encrypted or clear text password (depends on 'forwardClearPass')%{email}
will be replaced by the email address%{name}
will be replaced by the user's full name%{uid}
will be replaced by the user id that should be updated$conf['plugin']['authpgsql']['updateUser'] = "UPDATE users SET"; $conf['plugin']['authpgsql']['UpdateLogin'] = "login='%{user}'"; $conf['plugin']['authpgsql']['UpdatePass'] = "pass='%{pass}'"; $conf['plugin']['authpgsql']['UpdateEmail'] = "email='%{email}'"; $conf['plugin']['authpgsql']['UpdateName'] = "fullname='%{name}'"; $conf['plugin']['authpgsql']['UpdateTarget']= "WHERE uid=%{uid}";
This statement should remove a single connection from a user to a group (a user quits membership of that group).
%{user}
will be replaced by a user name%{uid}
will be replaced by the id of a user data-set%{group}
will be replaced by a group name%{gid}
will be replaced by the id of a group data-set$conf['plugin']['authpgsql']['delUserGroup']= "DELETE FROM usergroup WHERE uid='%{uid}' AND gid='%{gid}'";
This is a very simple example database.
CREATE TABLE users ( uid SERIAL NOT NULL, login VARCHAR(20) NOT NULL, pass VARCHAR(255) NOT NULL, fullname VARCHAR(255) NOT NULL DEFAULT '', email VARCHAR(255) NOT NULL DEFAULT '', PRIMARY KEY (uid), UNIQUE (login) ); CREATE TABLE groups ( gid SERIAL NOT NULL, name VARCHAR(50) NOT NULL, PRIMARY KEY (gid), UNIQUE (name) ); CREATE TABLE usergroup ( uid INTEGER NOT NULL REFERENCES users, gid INTEGER NOT NULL REFERENCES groups, PRIMARY KEY (uid,gid) );
All option described above are collected here in one snippet, move it to conf/local.protected.php
and edit it for your settings.
<?php /** * Example PgSQL Auth Plugin settings * See https://www.dokuwiki.org/plugin:authpgsql for details and explanation */ /** * Options */ $conf['authtype'] = "pgsql"; $conf['plugin']['authpgsql']['debug'] = 1; $conf['plugin']['authpgsql']['server'] = 'localhost'; $conf['plugin']['authpgsql']['user'] = 'dbuser'; $conf['plugin']['authpgsql']['password'] = 'dbpassword'; $conf['plugin']['authpgsql']['database'] = 'users'; $conf['plugin']['authpgsql']['forwardClearPass'] = 0; /** * SQL User Authentication */ $conf['plugin']['authpgsql']['checkPass'] = "SELECT pass FROM usergroup AS ug JOIN users AS u ON u.uid=ug.uid JOIN groups AS g ON g.gid=ug.gid WHERE u.login='%{user}' AND g.name='%{dgroup}'"; $conf['plugin']['authpgsql']['getUserInfo'] = "SELECT pass, fullname AS name, email AS mail FROM users WHERE login='%{user}'"; $conf['plugin']['authpgsql']['getGroups'] = "SELECT g.name as group FROM groups g, users u, usergroup ug WHERE u.uid = ug.uid AND g.gid = ug.gid AND u.login='%{user}'"; $conf['plugin']['authpgsql']['getUsers'] = "SELECT DISTINCT u.login AS user FROM users AS u LEFT JOIN usergroup AS ug ON u.uid=ug.uid LEFT JOIN groups AS g ON ug.gid=g.gid"; $conf['plugin']['authpgsql']['FilterLogin'] = "u.login LIKE '%{user}'"; $conf['plugin']['authpgsql']['FilterName'] = "u.fullname LIKE '%{name}'"; $conf['plugin']['authpgsql']['FilterEmail'] = "u.email LIKE '%{email}'"; $conf['plugin']['authpgsql']['FilterGroup'] = "g.name LIKE '%{group}'"; $conf['plugin']['authpgsql']['SortOrder'] = "ORDER BY u.login"; /** * SQL Support for Add User */ $conf['plugin']['authpgsql']['addUser'] = "INSERT INTO users (login, pass, email, fullname) VALUES ('%{user}', '%{pass}', '%{email}', '%{name}')"; $conf['plugin']['authpgsql']['addGroup'] = "INSERT INTO groups (name) VALUES ('%{group}')"; $conf['plugin']['authpgsql']['addUserGroup']= "INSERT INTO usergroup (uid, gid) VALUES ('%{uid}', '%{gid}')"; $conf['plugin']['authpgsql']['delGroup'] = "DELETE FROM groups WHERE gid='%{gid}'"; $conf['plugin']['authpgsql']['getUserID'] = "SELECT uid AS id FROM users WHERE login='%{user}'"; $conf['plugin']['authpgsql']['getGroupID'] = "SELECT gid AS id FROM groups WHERE name='%{group}'"; /** * SQL Support for Delete User */ $conf['plugin']['authpgsql']['delUser'] = "DELETE FROM users WHERE uid='%{uid}'"; $conf['plugin']['authpgsql']['delUserRefs'] = "DELETE FROM usergroup WHERE uid='%{uid}'"; /** * SQL Support for Modify User */ $conf['plugin']['authpgsql']['updateUser'] = "UPDATE users SET"; $conf['plugin']['authpgsql']['UpdateLogin'] = "login='%{user}'"; $conf['plugin']['authpgsql']['UpdatePass'] = "pass='%{pass}'"; $conf['plugin']['authpgsql']['UpdateEmail'] = "email='%{email}'"; $conf['plugin']['authpgsql']['UpdateName'] = "fullname='%{name}'"; $conf['plugin']['authpgsql']['UpdateTarget']= "WHERE uid=%{uid}"; $conf['plugin']['authpgsql']['delUserGroup'] = "DELETE FROM usergroup WHERE uid='%{uid}' AND gid='%{gid}'";