Unpack the htauth-1.01.zip in your dokuwiki/inc/auth folder.

The files use some PHP5 OO features (private,protected,abstract modifiers). If you are using PHP4 you'll need to apply the supplied patch.

 patch < htauth-php4.patch 

local.php options.

$conf['authtype']     = 'htaccess';
$conf['htaccess_defaultgrp'] = "guest"; //optional. All valid users will be members of this group.
 
//Optional path to htaccess configuration. Blank or not included will autodiscover a ".htaccess" file like Apache does.
//This is useful where you are not using BASIC authentication but still want to use these formats for user/password/group info.
//$conf['htaccess_file'] = "conf/htauth";
 
$conf['htaccess_htuser'] = "htuser"; //Name of htuser file. If no path specified will be in same directory as AuthUserFile.
$conf['autopasswd'] = 1;  //set to zero if you want to specify passwords to users. 
$conf['openregister']= 0; //open register won't work behind basic auth
$conf['resendpasswd']= 0; //also won't work behind basic auth

A typical .htaccess file would live in the dokuwiki root directory or somewhere further up the path

AuthName Dokuwiki
AuthUserFile /home/unison/dokuwiki/htpasswd
AuthGroupFile /home/unison/dokuwiki/htgroups

# Use Basic authentication
AuthType Basic
<Limit GET POST>
satisfy all
require valid-user
</Limit>

AuthUserFile must point to an existing (possibly empty) file.

AuthGroupFile is optional, but omitting it will only make sense if you set $conf['htaccess_defaultgrp'] and set default acl to allow something on that group.

These files must be writable by your webserver user if you want to add new users, allow users to change passwords etc…

This backend will also work with dokuwiki's normal login page by setting $conf['htaccess_file'] to point to a different file that has the same format as above but is not the one used to control the webserver. In this case the only relevant directives are AuthUserfile and AuthGroupFile.

You will lose single sign-on capability between applications but things like openregister and resendpasswd will work as dokuwiki intends.

If $_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_AUTH_PW'] are set, indicating BASIC authentication are in place then the class is deemed to support “trustExternal” and will re-verify the username and password based on these parameters. Otherwise the normal dokuwiki login page method will be used.

flock is used on the .htaccess file itself whenever the other files need to be read or written to. Should be safe as long as nothing else is updating these files.

• Test the locking strategy (uses flock) to see if it really works under load. (Lots of users changing passwords etc)
• Test under a real apache implementation (I'm using Jetty with a HTAccessHandler that attempts to mimic apache behaviour)
• Test on non Linux OS
• Allow the “htuser” file to be optional (only makes sense if autopasswd is off because otherwise email is necessary for registering users)

— Grant Gardner 2006-09-06 14:59

• Fixed bug where deleting users would leave their groups behind
• Fixed incorrect case-sensitive matching of values in .htaccess files
• Allow configuration of htaccess file location to bypass .htaccess auto-discovery

If I understand the purpose of this authentication method, it allows the task of authentication to be handled externally by the web server, with fallback to DokuWiki, and all group administration to be managed locally (and compatible with the user manager plug-in). If that's true, then this authentication method would be very useful in environments with an existing authentication source (e.g. Active Directory) that don't wish to use that same authentication source for group membership. One question though. Has anyone been able to get this to work under Windows/IIS? — Gary 2007-02-14 21:30

If it's helpful I wrote a howto a while ago about how to get Apache to authenticate against an Active Directory server. – Adam Shand

Interesting thought. You'll need cando['modPass'] set to false and I'm not sure how that would work with User Manager when adding users. Happy to help if someone wants to try this out. — Grant Gardner 2007-04-11 13:57

I'm interested to know if someone has tried any of the “Test” TODO items above and the results. In particular if you've used this on Windows or a real Apache implementation. — Grant Gardner 2007-04-11 13:57

* please add a “defaultdomain” type option that would be the default domain name for e-mail addresses (instead of localhost) [ +1 vote – 2007.01.03 MiMe ]* I don't really get it. Where can I tell dokuwiki to get the user/password from the http session instead of displaying the login page (IMHO that's all i need to do) Also I can't use the solution above, because we use http auth with ldap as backend and not with a flat file..

• Bug: doku.php?do=check isn't working because cookie is not set properly – 2007.01.03 MiMe

* I guess I did something wrong in DokuWiki Release 2007-06-26b, but by doing everything as suggested the “admin” option disappears and is generally not available. I found a solution. I had to create .htgroup with admin group. – Muki 2008-29-1

* Tip: if your auth config is in your main apache config you can set $conf['htaccess_file'] to point to the main config Versatilia 2008-09-19

* Bug: inc/auth/htaccess.class.php line 422 - assumes no spaces before AuthUserFile/AuthGroupFile directives and separation with single tab/space in apache config. Replace lines 421-424 with this:

  foreach ($lines as $line) {
    $row = preg_split("/\s+/", $line,3);
    if(trim($row[0])==""){ array_shift($row); }
    $var = strtolower(trim($row[0]));
    $value = trim($row[1]);

Versatilia 2008-09-19

* Bug: I'm running this under Apache 2.2.9 / DW 2008-05-05 on a Debian machine and it works well (good front end to managing my htaccess files!), however the mediamanager.php (when adding an image in edit mode) claims “User authentication is temporarily unavailable. If this situation persists, please inform your Wiki Admin”, disabling the ability to upload files. Ex 2008-10-12

* Problem: I'm running this on Solaris (SunOS 5.11) and whenever it tries to save user data, it dies saying it can't get a lock on the file. It's dying on line 461 of htaccess.class.php, and $this→lockFile is pointing to my .htaccess file at the time that it happens. My .htaccess file is chmoded to 777 so I don't think it's a permission issue. I noticed that even though the function is called “lockWrite”, the fopen on line 460 opens the file is opened with 'r'. I changed that to 'r+' and the problem seems to be fixed. Sean 2008-10-14

• Prior to writing to any of (htpasswd,htgroups,htuser) it tries to get an exclusive lock on .htaccess. It never writes to that file but we have to open it to get a filehandle. Perhaps Solaris needs the file to be opened for writing in order to get an exclusive lock. — Grant Gardner 2008-11-30