Tuesday 24 April 2007

Setting up dokuwiki on IIS with integrated authentication

Having enjoyed the benefits of MediaWiki at my previous employer, I've been keen for some time to set one up at my new place. A friend of mine recommended dokuwiki, which stacks up well against others.

Setting up was fairly easy, but as there were a few gotchas, here's what worked for me.

The mix

  • IIS on XP Pro SP1
  • PHP (latest version at time of writing)
  • dokuwiki (latest version at time of writing)
  • Active Directory

The recipe

IIS + PHP

  1. Install PHP (used the Windows installer, despite recommendations against it). During the install process, selected to use the ISAPI server version and just the GD2 extension.
  2. Followed Peter Guy's excellent instructions for remaining configuration and testing.
  3. If you can, put php.ini under source control - it does require tweaking, which is worth tracking, i.e. in addition to the changes in step 2, the SMTP server needs pointing to the desired mail server.
  4. If you want to use integrated authentication, remember to uncheck anonymous access and check integrated authentication (see below)!
  5. NB: Don't skip the testing step - this may well save you grief later!

[Image: iis_ntlm]

dokuwiki

  1. Unzip the download and point the default web site at the dokuwiki folder.
  2. Follow the dokuwiki instructions.
  3. Remember to move/rename the install.php script once you've set it up as you like it.
  4. Place all of dokuwiki under source control, noting that conf/local.php will need to be editable if you configure dokuwiki from the configuration web page. Note also that using the web page can overwrite any manual changes to local.php, though it does attempt to include a second configuration file (local.protected.php) in which such changes should be placed.

Getting integrated authentication to work

  1. Set up basic authentication so that you have a handle on how this works - this is a useful fallback position. Dokuwiki instructions are excellent.
  2. Using the ACL configuration page, create two ACLs: one for editors, one for readers. These are written to conf/acl.auth.php. The editor group name can then be used to match against the Active Directory group that you wish to give edit rights to. E.g. if you just want your developers to have edit rights and they exist in an AD group called "Development", create an ACL entry granting all access to a new group named Development, and change the ALL group access to read-only.
  3. Follow James Van Lommel's excellent instructions on getting LDAP to work. Note that you may need to set the credentials that are used to connect to LDAP, should anonymous authentication be disabled.
  4. local.conf (or rather local.protected.php, as this is not overwritten) needs the following added to pick up the user's credentials (taken from the dokuwiki ldap page):
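     // Runs only when IIS supplied AUTH_USER and no wiki session exists yet.
     if (isset($_SERVER['AUTH_USER']) and !isset($_SESSION[$conf['title']]['auth']['info'])) {
       // AUTH_USER arrives as DOMAIN\user: drop the domain, keep the account name.
       // explode() replaces split(), which was removed in PHP 7.
       list($d, $username) = explode("\\", strtolower($_SERVER['AUTH_USER']), 2);
       $_REQUEST['u'] = $username;
     }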
  5. inc/auth/ntlm.php requires the following change (also taken from the dokuwiki ldap page):
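     function auth_checkPass($user, $pass){
       // Verify that IIS has authenticated this person via NTLM.
       // !empty() rather than isset(): isset() is also true for an empty
       // string, so it cannot tell an authenticated request from one where
       // the variables are present but blank.
       if(!empty($_SERVER['AUTH_USER']) and !empty($_SERVER['AUTH_TYPE'])) {
         return true;
       }else{
         return false;
       }
     }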
If you're using Firefox to access the wiki, then my earlier post about NTLM authentication and Firefox may be of interest.
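
Both snippets above accept whatever IIS puts in AUTH_USER and AUTH_TYPE, so the wiki is only as strict as the IIS authentication settings. The following is an added example, not code from this post or from DokuWiki, of a stricter check that could sit in front of them; the function name iis_authenticated_user, the EXAMPLE domain, the list of accepted AUTH_TYPE values and the username pattern are assumptions.

```php
<?php
// Added example, not DokuWiki code. Function name, allow-lists and the
// username pattern are assumptions chosen for illustration.
function iis_authenticated_user(array $server, array $allowedDomains,
                                array $allowedTypes = array('NTLM', 'Negotiate'))
{
    // isset() is true for an empty string, so test for real content.
    $authType = isset($server['AUTH_TYPE']) ? trim($server['AUTH_TYPE']) : '';
    $authUser = isset($server['AUTH_USER']) ? trim($server['AUTH_USER']) : '';
    if ($authType === '' || $authUser === '') {
        return null;   // anonymous request, or IIS did not authenticate it
    }
    // Only accept the integrated authentication schemes we expect.
    if (!in_array(strtolower($authType), array_map('strtolower', $allowedTypes), true)) {
        return null;
    }
    // Expect exactly DOMAIN\user, with both halves present.
    $parts = explode('\\', strtolower($authUser));
    if (count($parts) !== 2 || $parts[0] === '' || $parts[1] === '') {
        return null;
    }
    list($domain, $user) = $parts;
    if (!in_array($domain, array_map('strtolower', $allowedDomains), true)) {
        return null;   // e.g. a local machine account rather than a domain one
    }
    // Conservative character set before the name is handed on as a login.
    if (!preg_match('/^[a-z0-9._$-]{1,64}$/', $user)) {
        return null;
    }
    return $user;
}

// Constructed sample inputs standing in for $_SERVER.
$samples = array(
    array('AUTH_TYPE' => 'NTLM',  'AUTH_USER' => 'EXAMPLE\\Alice'),
    array('AUTH_TYPE' => '',      'AUTH_USER' => ''),
    array('AUTH_TYPE' => 'Basic', 'AUTH_USER' => 'EXAMPLE\\alice'),
    array('AUTH_TYPE' => 'NTLM',  'AUTH_USER' => 'WEBSRV01\\guest'),
);
foreach ($samples as $s) {
    var_dump(iis_authenticated_user($s, array('EXAMPLE')));
}
```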

Implementing nice URLs

dokuwiki provides instructions for displaying nice URLs with Apache, but none for IIS. Fortunately James van Lommel has already figured out using mod_rewrite for IIS. At the time of writing, the mod_rewrite website was unavailable, so I stuck with James's configuration, but used the free version of ISAPI_Rewrite instead. Having dokuwiki as the default website meant the following httpd.ini settings worked for me (note the addition of the idx handler, as James's configuration didn't handle indexes for namespaces).

[ISAPI_Rewrite]
RewriteRule ^/_media/(.*)\?(.*) /lib/exe/fetch.php?media=$1&$2 [L]
RewriteRule ^/_detail/(.*)\?(.*) /lib/exe/detail.php?media=$1&$2 [L]
RewriteRule ^/_detail/(.*) /lib/exe/detail.php?media=$1 [L]
RewriteRule ^/$ /doku.php [L]

RewriteRule ^/lib/(.*) /lib/$1 [L]
RewriteRule ^/(.*)\?do=(.*) /doku.php?id=$1&do=$2 [L]
RewriteRule ^/(.*)\?idx=(.*) /doku.php?idx=$2 [L]
RewriteRule ^/doku.php\?id=(.*) /doku.php?id=$1 [L]
RewriteRule ^/(.*) /doku.php?id=$1 [L]
