Howto set up PAM authentication on TikiWiki

Hi there. I have written a small patch for TikiWiki 1.8.2 (Polaris) that lets it authenticate users against PAM, the same way it already can against LDAP. I needed the feature for my own TikiWiki plans, so here it is for anyone who wants it.

One thing to know first: the patch relies on an external Perl script that checks the user/password pair against PAM. Put it somewhere the web server's user (www-data on Debian, for example) can execute it. You may also read that the script needs root to do its job; I did not need that, but it is the usual case: with pam_unix, the setuid unix_chkpwd helper only lets a non-root process verify its own password, so checks for other accounts fail unless the script runs as root. If you hit that, note that Linux ignores the setuid bit on #! scripts, so the workable option is a sudoers rule that allows www-data to run only that one script as root without a password. Be aware of what that grants: anything that can execute commands as www-data can then test passwords for every local account against PAM.

More information about that script can be found at: http://www.gelato.unsw.edu.au/IA64wiki/PAMPHPAuthentication
Note that the script attached to this page is a modified version of the one found there.

After installing the script, add a PAM service for TikiWiki (or reuse an existing one such as mail or ftp, although a dedicated service is easier to lock down). Look at one of the files in /etc/pam.d/ (the location varies between distributions) and create a new one with a name you will recognise, such as tikiwiki; the script selects the PAM stack by that service name.

Now the nice part: apply the patch (also attached). Change to the main TikiWiki directory and run patch -p1 < <location_where_you_downloaded_the_diff_file>

That is all the hard work. Now log in to your TikiWiki as admin, open the Login tab of the Admin area and VOILA, there are new things!

The auth method dropdown has a new option: Tiki and PAM.
New options also appear at the end of the page. The most important one is the absolute path to the Perl script, for example /usr/local/bin/auth_pam.pl; also make sure you enter the correct PAM service name. I recommend ticking 'Use tiki for admin only' unless you really know what you are doing: the admin account then keeps authenticating against Tiki's own database, so a broken PAM setup cannot lock you out of the wiki.

Apply your preferences and try to log in as a user PAM would accept (your own Linux user, for example, or even root in some cases, which is a sign that the service is too permissive).

Security Notes

With a default PAM service, any local account with a valid password is accepted (try user: nobody), so here are a few things to take care of:

I recommend using the pam_require module to require membership of a specific group; stock Linux-PAM can do the same with pam_listfile (item=group). Also take a look at the PAM modules list at kernel.org to refine the PAM service for Tiki. Keep in mind that the wiki trusts whatever the service accepts: without a group restriction every local account, daemon accounts included, becomes a valid wiki login.

Also note that PAM only receives a user/password pair and checks it; it relies on your web server configuration to get that pair from the browser to the server safely, so serve the login page over HTTPS (SSL).
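To make the two points above concrete (the script invocation from the setup section and the group restriction from these security notes), here is an added Python model of what a PAM-backed web login should do. It is example code written for this page, not the patch's validate_user_pam() and not the gelato script. It assumes a checker that takes the PAM service name as its only argument, reads "username", newline, "password", newline on stdin and exits 0 on success; the real auth_pam.pl interface may differ. The password is passed on stdin rather than argv, so it never shows up in ps output, and the group check is repeated in the application so a permissive /etc/pam.d/tikiwiki still cannot let nobody in. The stand-in checker it writes for the demo is a constructed shell script that accepts exactly one credential pair.

```python
"""Added example (not part of the TikiWiki patch or the gelato script):
a small model of the two checks a PAM-backed web login needs.
Assumed checker interface: argv = [..., service], stdin = "user\npass\n",
exit status 0 on success. The real auth_pam.pl may differ."""
import grp
import os
import pwd
import shlex
import stat
import subprocess
import tempfile


def pam_check(checker_argv, service, username, password, timeout=5.0):
    """Ask the external checker whether username/password is valid for
    `service`. checker_argv is the argv prefix, e.g. ["/usr/local/bin/auth_pam.pl"]
    (assumed path). The password travels over stdin, never argv, so it does
    not show up in `ps` output or process accounting."""
    # The stdin protocol is line based: a newline smuggled into the username
    # would be read as the password, so refuse control characters outright.
    if not username or any(c in "\r\n\0" for c in username + password):
        return False
    try:
        proc = subprocess.run(
            list(checker_argv) + [service],        # argv only, no shell
            input=f"{username}\n{password}\n".encode(),
            stdout=subprocess.DEVNULL,
            stderr=subprocess.DEVNULL,
            timeout=timeout,                       # a hung PAM stack must not hang the web worker
            check=False,
        )
    except (OSError, subprocess.TimeoutExpired):
        return False                               # fail closed
    return proc.returncode == 0


def user_in_group(username, groupname):
    """Belt-and-braces group check in the application: True only if the
    account exists locally and `groupname` is its primary or a supplementary
    group. This mirrors a group restriction in the PAM service (pam_require,
    pam_listfile item=group) so a permissive service still cannot let
    `nobody` or a daemon account in."""
    try:
        pw = pwd.getpwnam(username)
        gr = grp.getgrnam(groupname)
    except KeyError:
        return False
    return pw.pw_gid == gr.gr_gid or username in gr.gr_mem


def validate_user_pam(checker_argv, service, required_group, username, password):
    """Order matters: authenticate first, then authorise by group."""
    return (pam_check(checker_argv, service, username, password)
            and user_in_group(username, required_group))


def write_demo_checker(username, password, service="tikiwiki"):
    """Write a constructed stand-in for auth_pam.pl that accepts exactly one
    user/password pair, so the example runs without a PAM stack.
    Returns the argv prefix to run it."""
    script = (
        "#!/bin/sh\n"
        "# constructed test double: same stdin protocol as assumed above\n"
        f"[ \"$1\" = {shlex.quote(service)} ] || exit 2\n"
        "IFS= read -r u\n"
        "IFS= read -r p\n"
        f"[ \"$u\" = {shlex.quote(username)} ] && [ \"$p\" = {shlex.quote(password)} ] && exit 0\n"
        "exit 1\n"
    )
    path = os.path.join(tempfile.mkdtemp(prefix="tikipam-"), "auth_pam_demo.sh")
    with open(path, "w") as fh:
        fh.write(script)
    os.chmod(path, stat.S_IRWXU)
    return ["/bin/sh", path]


def current_user_and_group():
    """Name of the invoking account and of its primary group (used by the demo)."""
    pw = pwd.getpwuid(os.getuid())
    return pw.pw_name, grp.getgrgid(pw.pw_gid).gr_name


def run_demo():
    """Returns (good login, wrong password, wrong group) for the current user."""
    me, my_group = current_user_and_group()
    checker = write_demo_checker(me, "s3cret")
    return (
        validate_user_pam(checker, "tikiwiki", my_group, me, "s3cret"),
        validate_user_pam(checker, "tikiwiki", my_group, me, "wrong"),
        validate_user_pam(checker, "tikiwiki", "no-such-group-0xdead", me, "s3cret"),
    )


if __name__ == "__main__":
    print(run_demo())
```

Swap write_demo_checker() for the real script path once the stdin protocol of your checker is confirmed; the newline filter and the application-side group check stay as they are.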

Thanks to damian for pointing out those two things.

Some notes

The patch adds a new function, validate_user_pam(), based on validate_user_auth(); both live in lib/userslib.php
The patch adds 4 new settings to the tiki_preferences table of the db: pam_create_user_tiki, pam_skip_admin, pam_service, pam_authpam_path
The patch adds 1 new value for auth_method: pam
The patch modifies tiki-admin_include_login.php in Tiki's root dir so it can handle the new options
The patch modifies tiki-admin-include-login.tpl in templates/ to show the new options

So far I have only tested the patch on TikiWiki 1.8.2 (Polaris). If you get it running with other versions please leave your comments here, and leave your comments about anything else related too.


To remove the patch, run patch with -R (patch -R -p1 < the same diff file, from the main TikiWiki directory) or simply restore the original files from the release tarball. The files are: ./tiki-admin_include_login.php, templates/tiki-admin-include-login.tpl and lib/userslib.php

Also, if you do not want to leave anything about it in the db, run the following SQL query on MySQL's tiki db:

DELETE FROM tiki_preferences WHERE name LIKE 'pam_%';

And if PAM was the enabled auth method when you removed the patch, also run this on MySQL, otherwise logins will fail because the code behind auth_method 'pam' is gone:

UPDATE tiki_preferences SET value='tiki' WHERE name='auth_method';


0.1: Initial release
0.2: Major bugfix: mixed up $user and $pass (had written $username and $password)


First release of the AuthPAM patch.

Major bugfix: a big mess with a few variables, now corrected. Removed the previous patch from the page attachments so nobody picks up that really buggy 0.1 version (sorry).

Page last modified on Saturday 17 April 2004 16:38:28 GMT-0000
