Installation guide for CasLdapAuthSPIP
1. Pre-installation tasks
2. cfg
3. Installation
4. Configuration
5. TODO
1. Pre-installation tasks
SPIP is a web application written in PHP. It needs the following tools to work properly:
- An HTTP web server (Apache)
- A database (MySQL, PostgreSQL)
- PHP, with modules required by phpBB2 (php-mysql or php-pgsql)
- php-ldap
- phpCAS is also required.
On the same machine, or on other hosts, you need at least an LDAP directory, and a CAS server if you want to offer single-sign-on authentication.
Then install SPIP. It is easy to install; just follow the SPIP Userguide.
From here on, we assume SPIP is installed on a web server with FTP access. $SPIP_HOME is the root directory of your SPIP instance on this machine.
CasLdapAuthSPIP has been validated with SPIP 1.9.2a and phpCAS 0.5.1-1, running under Apache 2, PHP5 and MySQL 5. The LDAP directory was OpenLDAP 2.2.26 and the CAS server was CAS 2.0.
2. cfg
CasLdapAuthSPIP requires the SPIP plugin named cfg.
To install cfg, upload the extracted cfg package archive to $SPIP_HOME/plugins/1-config/. Then, in the SPIP administration area, go to the configuration panel, open plugin management and activate the plugin.
Very important:
The cfg plugin must be loaded before CasLdapAuthSPIP. To ensure this, create the $SPIP_HOME/plugins/1-config/ directory and unzip the cfg archive there.
Activation of SPIP plugins
3. Installation
Once cfg is installed, create the $SPIP_HOME/plugins/2-auth/ directory and unzip the CasLdapAuthBB archive there. Then activate the plugin in the SPIP administration area.
4. Configuration
CAS plugin configuration
- CASify access to the SPIP public area: when the public area is CASified, access to it must be restricted with an LDAP filter. Furthermore, the following line must be included at the top of every public template you want to protect with CAS: <INCLUDE(checkauth.php)>. templates-public.py may help you do this automatically.
- CASify access to the SPIP back office: accounts must have been created in the SPIP user database with the same login as in the CAS user database. If SPIP is connected to LDAP, users must first log in with the classic SPIP login form, and can then use CAS access. The CasLdapAuthSPIP plugin provides a SPIP tag named #LOGIN_CAS that displays a link to CAS authentication on the SPIP login page. You can use the login.html template provided with this plugin as a basis for your own login.html template. This template allows users to use both SPIP local authentication and CAS authentication.
Security issues
RSS feeds are still available in anonymous mode; you should restrict them (see the SPIP documentation). Furthermore, if your SPIP templates are in the squelettes directory, CAS authentication can be bypassed by appending ?var_skel=dist to the SPIP URL. The solution is to delete the dist directory or to include <INCLUDE(checkauth.php)> in the default templates.
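To check that no template was left unprotected, the following added example (not part of CasLdapAuthSPIP and not the templates-public.py script mentioned above) lists every template whose first non-blank line is not the guard include. It assumes templates are *.html files under $SPIP_HOME/squelettes and $SPIP_HOME/dist; the function names and the sample tree in demo() are constructed for illustration.

```python
import os
import sys
import tempfile

GUARD = "<INCLUDE(checkauth.php)>"  # line the guide requires at the top of templates

def is_guarded(path):
    """True if the first non-blank line of the template starts with the guard."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            if line.strip():
                return line.strip().startswith(GUARD)
    return False  # empty file: nothing guards it

def audit(spip_home, template_dirs=("squelettes", "dist")):
    """Return sorted relative paths of .html templates lacking the guard.

    Assumption: templates are *.html files under these directories. 'dist' is
    scanned too because ?var_skel=dist serves the default templates from it.
    """
    unguarded = []
    for tdir in template_dirs:
        # os.walk yields nothing if the directory is absent (e.g. dist deleted)
        for dirpath, _dirs, files in os.walk(os.path.join(spip_home, tdir)):
            for name in files:
                full = os.path.join(dirpath, name)
                if name.endswith(".html") and not is_guarded(full):
                    rel = os.path.relpath(full, spip_home)
                    unguarded.append(rel.replace(os.sep, "/"))
    return sorted(unguarded)

def demo():
    """Run the audit on a constructed tree (sample data, not a real site)."""
    with tempfile.TemporaryDirectory() as home:
        samples = {
            "squelettes/article.html": GUARD + "\n<html>protected</html>\n",
            "squelettes/rubrique.html": "<html>no guard</html>\n",
            "dist/article.html": "\n<html>default template</html>\n",
        }
        for rel, body in samples.items():
            path = os.path.join(home, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(body)
        return audit(home)

if __name__ == "__main__":
    missing = audit(sys.argv[1]) if len(sys.argv) > 1 else demo()
    print("\n".join(missing) or "all templates include the guard")
    sys.exit(1 if missing else 0)
```

Run it with the path of $SPIP_HOME as the only argument; a non-zero exit status means at least one template is reachable without the CAS check.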
5. TODO
- Use with a specialized authorization management plugin.