The ElectricImages.UserAuth plugin adds user authentication facilities from a Windows Active Directory domain.
Configuring the Plugin
The administrator will configure the default setup for the plugin, defining the following parameters.
Each entry must start on a new line in the configuration window of ScrewTurn.
Note that this can look strange when not editing, due to line wrapping inherent in the display page.
Authentication Protocol
Provider=<protocol>
This configuration tag will set the authentication method to use. Currently the only authentication method supported is LDAP.
Parameters
| <protocol> | required literal | Protocol to use - must be set as 'LDAP'. |
Example
Set the authentication protocol to LDAP
Provider=LDAP
Authentication Server
SourceServer=<server>[:<port>]
This optional tag defines the server name or IP address, and optionally the port number, of the server providing the authentication resource, e.g. domctr:1234
Note: This setting should only be provided when normal AD auto-discovery cannot be used.
Note: This action has been requested by a user, and has not yet been confirmed as functional - use at own risk.
Parameters
| <server> | required | The server name or IP address of the authenticating server |
| <port> | optional | The port number to use to access the authenticating server. The colon preceding the port number is required |
Example
Sets the authentication server to 'OurDC'
SourceServer=OurDC
Sets the authentication server to 'YourDC' on port 1234
SourceServer=YourDC:1234
Authentication Source
Source=<authentication>
This mandatory configuration tag defines the source of the authentication resource. For LDAP, this will be the domain name of the authentication domain, e.g. some.domain.net
Parameters
| <authentication> | required | For LDAP, fully qualified name of the Domain to authenticate against. Note, this is the domain name, not the name of the AD server. |
Example
Sets the LDAP authentication domain to my.domain.net for logins of type: user@my.domain.net
Source=my.domain.net
Administrator Group
AdminGroup=<group>
This mandatory configuration tag defines the name of the local authentication group (Domain Local for Active Directory) containing the users who will be given Admin rights in the Wiki.
If there are nested groups with AD, all groups found throughout all levels will be checked to locate the user logging in.
Parameters
| <group> | required | The name of the AD group holding the list of admin users or sub-groups of users. |
Example
Sets the administrator group to ScrewTurn-Wiki-Admins
AdminGroup=ScrewTurn-Wiki-Admins
User Group
UserGroup=<group>
This configuration tag defines the name of the local authentication group (Domain Local for Active Directory) containing the normal users who will be permitted to log into the Wiki.
If there are nested groups with AD, all groups found throughout all levels will be checked to locate the user logging in.
Note: This setting can be omitted if all authenticated domain users are to be permitted to log in as normal users.
Parameters
| <group> | optional | The name of the AD group holding the list of normal users or sub-groups of users. |
Example
Sets the normal users group to ScrewTurn-Wiki-Users
UserGroup=ScrewTurn-Wiki-Users
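Because nested groups are followed through all levels, anyone placed in a sub-group of AdminGroup becomes a wiki administrator. The following is an added example, not the plugin's own code, that resolves roles over a constructed directory; every group and user name other than the two ScrewTurn-Wiki groups is hypothetical, and checking AdminGroup before UserGroup is an assumption.

```python
# Added example (not the plugin's code): resolve a wiki role from nested AD groups.
# DIRECTORY is constructed sample data; nested group and user names are hypothetical.
DIRECTORY = {
    "ScrewTurn-Wiki-Admins": ["alice", "IT-Ops"],
    "IT-Ops": ["bob", "Contractors"],
    "Contractors": ["carol", "IT-Ops"],       # circular nesting
    "ScrewTurn-Wiki-Users": ["dave", "Staff"],
    "Staff": ["erin"],
}


def effective_users(group, directory):
    """All users reachable from `group` through any depth of nested groups."""
    users, seen, stack = set(), set(), [group]
    while stack:
        current = stack.pop()
        if current in seen:                   # already expanded: stops cycles
            continue
        seen.add(current)
        for member in directory.get(current, []):
            if member in directory:           # member is itself a group
                stack.append(member)
            else:
                users.add(member)
    return users


def wiki_role(user, directory, admin_group, user_group=None):
    """Role for an already authenticated domain user, following this page's rules."""
    if user in effective_users(admin_group, directory):
        return "admin"
    # UserGroup omitted: every authenticated domain user is a normal user.
    if user_group is None or user in effective_users(user_group, directory):
        return "user"
    return None                               # authenticated, but not permitted
```

Running effective_users against the real AdminGroup membership export is a quick way to audit who holds Admin rights in the Wiki through a sub-group rather than by direct membership.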
Cache Lifetime
CacheLife=<time>
This configuration tag defines the cache lifetime for the resolved AD user data. The number given defines the length of time until the previously discovered data is tombstoned.
Note: This setting can be omitted if caching is not required. (This will cause an AD lookup on every request for user details, including name and email address.)
Parameters
| <time> | optional | The number of seconds to maintain a cached entry. Set to zero to disable caching. |
Example
Sets the cache lifetime to 1 minute (60 seconds)
CacheLife=60
Name returned to Wiki
Name=<User|Fullname>
This configuration tag defines the name to be returned to the Wiki - either the login user id, or the full AD display name for the authenticated user.
Use of the AD display name (Fullname option) is restricted to Wiki v2.0.33 and later.
Parameters
| <User|Fullname> | optional literal | Set to 'User' for the login name, 'Fullname' for the AD display name. |
Example
Sets the name to return to the Wiki as the login User ID
Name=User
Plugin Diagnostics
Logging=<type>
This configuration tag sets the logging state for the plugin. Enabling logging will cause diagnostic details to be written to the System Log.
Enabling logging is particularly useful when initially setting up the authentication. Use care when enabling logging, as this will significantly slow the site in ScrewTurn versions 2.0.31 and later. Verbose logging is the highest level of logging.
Parameters
| <type> | optional literal | Either 'true', 'false' or 'verbose' |
Example
Turns on the logging to the system log
Logging=true
Configuration Example
The following is an example of setting up the UserAuth plugin. Any user who can successfully authenticate with the some.domain.net domain will be allowed to log in, while users in the ScrewTurn-Wiki-Admins group (or subgroups) will be given Admin rights.
Provider=LDAP
Source=some.domain.net
AdminGroup=ScrewTurn-Wiki-Admins
CacheLife=10
Name=User
Logging=false
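A configuration block can be checked against the parameter rules documented above before it is pasted into ScrewTurn. The following is an added example, not part of the plugin; matching keys and literal values in exactly the case this page uses is an assumption.

```python
# Added example: lint a UserAuth configuration block against the documented rules.
# Assumption: keys and literal values are matched exactly as this page spells them.
REQUIRED = ("Provider", "Source", "AdminGroup")
OPTIONAL = ("SourceServer", "UserGroup", "CacheLife", "Name", "Logging")
LITERALS = {
    "Provider": {"LDAP"},
    "Name": {"User", "Fullname"},
    "Logging": {"true", "false", "verbose"},
}
# The configuration example from this page.
PAGE_EXAMPLE = """Provider=LDAP
Source=some.domain.net
AdminGroup=ScrewTurn-Wiki-Admins
CacheLife=10
Name=User
Logging=false"""


def lint_config(text):
    """Return (settings, errors, warnings) for one configuration block."""
    settings, errors, warnings = {}, [], []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        key, sep, value = (part.strip() for part in line.partition("="))
        if not sep or key not in REQUIRED + OPTIONAL:
            errors.append(f"line {n}: not a documented Key=value entry")
        elif key in settings:
            errors.append(f"line {n}: {key} is set more than once")
        else:
            settings[key] = value
    errors += [f"{key} is required" for key in REQUIRED if not settings.get(key)]
    for key, allowed in LITERALS.items():
        if key in settings and settings[key] not in allowed:
            errors.append(f"{key} must be one of {sorted(allowed)}")
    if "CacheLife" in settings and not settings["CacheLife"].isdecimal():
        errors.append("CacheLife must be a whole number of seconds")
    if "SourceServer" in settings:
        host, colon, port = settings["SourceServer"].partition(":")
        if not host or (colon and not (port.isdecimal() and 0 < int(port) < 65536)):
            errors.append("SourceServer must be <server>[:<port>]")
        warnings.append("SourceServer is not yet confirmed as functional")
    if "UserGroup" not in settings:
        warnings.append("UserGroup omitted: any authenticated domain user can log in")
    if settings.get("Logging") in ("true", "verbose"):
        warnings.append("Logging enabled: slows ScrewTurn 2.0.31 and later")
    return settings, errors, warnings
```

For the page's own example, lint_config(PAGE_EXAMPLE) reports no errors and one warning, the omitted UserGroup, which matches the behaviour the example text describes.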
Ian Harding, Christchurch, New Zealand