Looking for Wiki software with good access control and security

Michael Torrie torriem at gmail.com
Wed Nov 4 20:49:59 MST 2009


Michael Torrie wrote:
> Matt Nelson wrote:
>> Michael, would you mind posting a followup in a few weeks, or after
>> you have rolled it?  We currently use MediaWiki for our internal
>> docs, but are looking to use Confluence which our developers
>> currently have used for years.  If DokuWiki works out for you I
>> might give it a try.
>
> Sure. I'm doing the integration with CAS and LDAP now.  Will let you
> know how it goes.

Everything is up and running now.  I used the CAS plugin that inherits
from the LDAP auth plugin.  This lets me use CAS for authentication and
then LDAP (with anonymous bind) to pull group information plus a custom
LDAP field I have.  This is very slick as I can do ACLs based on group
pulled from LDAP.  I also have a field in each user's record called
"directoryRole" which contains arbitrary roles (strings) that I pull out
and convert to DokuWiki user groups, letting me filter access based on
gidNumber, secondary group membership, and directory role.  ACLs are
pretty flexible, and cascade all the way down the list (I think).  Hence
you can grant everyone read access of certain documents at the root,
then give full access to namespaces based on the group criteria I
mentioned.  I believe you could also grant read access to other users or
groups to individual portions, but I think you have to allow read access
at least for the parent part of the path.  But I haven't checked this
just yet.

I will post a tarball of my sanitized plugin and config files and
patches to the doku core source if you wish.  I just patched core code
in a couple of places to get the behavior I wanted, such as forcing CAS
logins only when the login button is clicked.

The only downsides to Doku that I see so far are that certain config
files must be writable to apache if you want to configure it from the
web interface (can be hardened though) and that the pages and uploaded
files have to be written to disk somewhere.  I bet it wouldn't be hard
to hack in a mysql backend though.  But txt files on disk have a lot of
advantages, including secondary version control (doku has its own VC too).

Michael
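
An added example, not part of the original post and not the poster's plugin or DokuWiki's own code: a simplified model of turning gidNumber, secondary groups and directoryRole values into wiki groups, then resolving access against rules written in DokuWiki's acl.auth.php line format. The LDAP entry, the "secondaryGroups" key, the GID_NAMES lookup, the "role_" prefix and the rule set are all constructed assumptions.

```python
# Added illustration: a simplified model, not DokuWiki's code or the poster's plugin.
# Constructed LDAP entry; "secondaryGroups" stands in for resolved group membership.
ENTRY = {"uid": "alice", "gidNumber": "5001", "secondaryGroups": ["docs"],
         "directoryRole": ["Lab Admin", "staff"]}
GID_NAMES = {"5001": "faculty"}  # hypothetical gidNumber -> group name lookup

# Constructed rules in acl.auth.php line format: scope, user or @group, level
# Levels: 0 none, 1 read, 2 edit, 4 create, 8 upload, 16 delete
ACL = """
*        @ALL             1
labs:*   @role_lab_admin  16
hr:*     @ALL             0
hr:*     @hr              2
"""

def clean(name):
    """Lower-case a directory string and replace non-alphanumerics with '_'."""
    return "".join(c if c.isalnum() else "_" for c in name.strip().lower())

def groups_from_entry(entry):
    """Union of primary group, secondary groups and directoryRole-derived groups."""
    groups = {"ALL"}
    if entry.get("gidNumber") in GID_NAMES:
        groups.add(clean(GID_NAMES[entry["gidNumber"]]))
    groups.update(clean(g) for g in entry.get("secondaryGroups", []))
    # "role_" prefix is an assumption to keep roles from colliding with real groups
    groups.update("role_" + clean(r) for r in entry.get("directoryRole", []))
    return groups

def parse_acl(text):
    """Parse 'scope subject level' lines, ignoring blanks and # comments."""
    rules = []
    for line in text.splitlines():
        line = line.split("#")[0].strip()
        if line:
            scope, who, level = line.split()
            rules.append((scope, who, int(level)))
    return rules

def scopes_for(page_id):
    """Yield the page itself, then each enclosing namespace, then the root."""
    parts = page_id.split(":")
    yield page_id
    for i in range(len(parts) - 1, 0, -1):
        yield ":".join(parts[:i]) + ":*"
    yield "*"

def check(page_id, user, groups, rules):
    """Closest scope with a matching rule decides; ties take the highest level."""
    subjects = {user} | {"@" + g for g in groups}
    for scope in scopes_for(page_id):
        levels = [lvl for s, who, lvl in rules if s == scope and who in subjects]
        if levels:
            return max(levels)
    return 0
```
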