WikkaWiki PAM Authentication Installation
Requirements
First, download the appropriate packages:
- WikkaWiki 1.1.6.0 Distribution - Main Site, Local Mirror
- WikkaWiki PAM Authentication Patch 0.1 - Local Site
- pam_auth 0.4 PHP Module - Choose One
  - for PHP 4.3 - Main Site, Local Mirror
  - for PHP 4.2 - Main Site, Local Mirror
Procedure
Follow these steps to set up WikkaWiki with PAM Authentication.
1. Install pam_auth PHP Module
Install the pam_auth PHP module. Follow the instructions in the INSTALL file located within the tarball or the copy at the pam_auth homepage. Note that you may need to install the php4-devel package for your distribution to get the phpize command required for installation.
If everything goes as planned, you should end up with pam_auth.so located in your PHP4 extensions directory. This location will vary depending on your distribution.
2. Install WikkaWiki
Install WikkaWiki according to the instructions at the WikkaWiki homepage. I recommend that you set up SSL through Apache, since you will be using system passwords for authentication. Also, it does not matter who you choose as the admin user; we will be reconfiguring this later. Once you have verified the Wiki works, apply the PAM Authentication patch:
# cd /path/to/Wikka
# patch -p1 < /path/to/wikkawiki-1.1.6.0_pam_auth.diff
patching file actions/usersettings.php
Now the login page disallows new user registration, and only allows logins from existing system users. You need to create a PAM configuration file called /etc/pam.d/php; see your system documentation for help doing this.
3. Configure WikkaWiki
To lock down the wiki properly we need to edit the config.wikka.php file and do some manual edits of the SQL database. In config.wikka.php (located in the root of your WikkaWiki installation), set the following items:
"admin_users" => "admin_user",
"admin_email" => "admin_user@domain.com",
"default_write_acl" => "!*",
"default_read_acl" => "*",
"default_comment_acl" => "*",
Set admin_users and admin_email as appropriate for your system. The administrative account must be able to log in through PAM for things to work properly. The default_* options set the default ACL for writes to nobody (except for the page owner), reads for everyone, and comments for everyone. Tighten up these settings if you so desire, but I've found them to be good defaults. You can always change the ACLs on specific pages after you create them.
Now we need to remove the "Lost Password" page (because it no longer applies) and change the page ownership for all preinstalled pages to the admin user. Execute the following commands:
# mysql -p wikka
Enter password: ********
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 703 to server version: 4.0.21

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> delete from pages where tag='PasswordForgotten';
Query OK, 1 row affected (0.02 sec)
Rows matched: 1  Changed: 0  Warnings: 0

mysql> update pages set owner='adminuser' where owner='(Public)';
Query OK, X rows affected (0.02 sec)
Rows matched: X  Changed: X  Warnings: 0

mysql> delete from users;
Query OK, 1 row affected (0.02 sec)
Rows matched: 1  Changed: 0  Warnings: 0
Substitute your database name for wikka on the first line, and your administrative user for adminuser in the second SQL command. The first SQL command removes the unnecessary "Forgotten Password" page, and the second changes the ownership of the default pages to the administrative user. The third command clears out the user table.
Users will be added automatically to the database the first time they log in to the Wiki. They are not deleted if the system account is removed; this is desired to preserve history in the Wiki.
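The following audit script is an added example (not part of WikkaWiki, the PAM patch or pam_auth) that checks whether the lockdown from steps 2 and 3 is actually in place: the PAM service file exists, config.wikka.php carries the documented ACL defaults and a real admin_users value, the database no longer has the PasswordForgotten page or (Public)-owned pages, and wiki accounts whose system account has since been removed are listed for review. The paths in WIKKA_ROOT and PAM_SERVICE_FILE are assumptions; override them for your system.

```shell
#!/bin/sh
# Post-install audit for the WikkaWiki PAM lockdown described in this guide.
# Added example, not project code. WIKKA_ROOT and PAM_SERVICE_FILE are assumed defaults.
WIKKA_ROOT="${WIKKA_ROOT:-/path/to/Wikka}"
PAM_SERVICE_FILE="${PAM_SERVICE_FILE:-/etc/pam.d/php}"

# Print the value of a "key" => "value" entry from config.wikka.php ($1), key in $2.
config_value() {
    sed -n "s/.*\"$2\"[[:space:]]*=>[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# Compare config.wikka.php ($1) with the settings from step 3. Prints each
# deviation; returns 0 only when all of them match.
check_config() {
    rc=0
    [ "$(config_value "$1" default_write_acl)" = '!*' ] \
        || { echo 'default_write_acl is not "!*": new pages are writable by more than their owner'; rc=1; }
    [ "$(config_value "$1" default_read_acl)" = '*' ] \
        || { echo 'default_read_acl differs from the documented default "*"'; rc=1; }
    admins="$(config_value "$1" admin_users)"
    { [ -n "$admins" ] && [ "$admins" != admin_user ]; } \
        || { echo 'admin_users is empty or still the placeholder admin_user'; rc=1; }
    return $rc
}

# Queries for the database side of step 3; both counts should be 0.
# Run as:  audit_sql | mysql -p wikka
audit_sql() {
    cat <<'EOF'
SELECT COUNT(*) AS leftover_password_page FROM pages WHERE tag='PasswordForgotten';
SELECT COUNT(*) AS public_owned_pages      FROM pages WHERE owner='(Public)';
EOF
}

# Wiki accounts survive system-account removal on purpose (see above); list them for review.
# $1 = file with one wiki user name per line, e.g. from:
#   mysql -N -p -e 'SELECT name FROM users' wikka > wiki_users.txt
orphaned_users() {
    while IFS= read -r u; do
        [ -n "$u" ] && ! cut -d: -f1 /etc/passwd 2>/dev/null | grep -qxF -- "$u" && echo "$u"
    done < "$1"
}

# Local checks (PAM service file and config); returns non-zero if anything fails. Call as:  audit
audit() {
    ok=0
    [ -f "$PAM_SERVICE_FILE" ] || { echo "missing PAM service file $PAM_SERVICE_FILE"; ok=1; }
    check_config "$WIKKA_ROOT/config.wikka.php" || ok=1
    return $ok
}
```

Source the file and call `audit`, then run `audit_sql | mysql -p wikka` and `orphaned_users wiki_users.txt` on the server.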
Conclusion
The installation is now complete. New pages that are created can only be edited by the owner by default. The owner can always change the ACLs to allow other users to edit the page. You can also restrict the read access to specific users.
You could also restrict logins to the Wiki to a certain group of users via the PAM configuration. See the PAM documentation for details.