====Dokuwiki (Hogfather release) on CentOS 8====
This is a document on how to install Dokuwiki on a CentOS 8 LAMP server, it includes the option for authenticating against Microsoft Active Directory.

To begin with follow the guide on setting up a LAMP server (minus MariaDB as it's not needed): [[tech_documents:misc:lamp_stack_centos8|Install CentOS 8 LAMP stack]]

====Install Prequisites====
Install Dokuwiki: https://www.dokuwiki.org/install:centos

==Install PHP modules==
<code>
sudo dnf install php-gd php-mbstring php-ldap
</code>

==Download Dokuwiki & Install==
<code>
wget https://download.dokuwiki.org/src/dokuwiki/dokuwiki-stable.tgz
</code>
Unpack
<code>
tar xvfz dokuwiki-stable.tgz
</code>
Remove existing public_html folder and replace
<code>
sudo rm -r /var/www/html/webdomain.com/public_html
sudo mv dokuwiki... /var/www/html/webdomain.com/public_html
</code>
Fix permissions
<code>
sudo chown -R apache:apache /var/www/html/webdomain.com/public_html
sudo chmod -R 755 /var/www/html/webdomain.com/public_html
sudo restorecon -r /var/www/html/webdomain.com/public_html
sudo chcon -Rv --type=httpd_sys_rw_content_t /var/www/html/webdomain.com/public_html/data
sudo semanage fcontext -a -t httpd_sys_rw_content_t /var/www/html/webdomain.com/public_html/data
sudo restorecon -v /var/www/html/webdomain.com/public_html/data
sudo chmod -R 775 /var/www/html/webdomain.com/public_html/data
sudo chcon -Rv --type=httpd_sys_rw_content_t /var/www/html/webdomain.com/public_html/conf
sudo semanage fcontext -a -t httpd_sys_rw_content_t /var/www/html/webdomain.com/public_html/conf
sudo restorecon -v /var/www/html/webdomain.com/public_html/conf
sudo chmod -R 775 /var/www/html/webdomain.com/public_html/conf
</code>

====Initial Setup and Security Changes====
Go to ip.add.re.ss/install.php to start install, ignore data dir security issue. (if you're using virtual hosts and TLS then use the domain name instead (this assumes you have DNS entries already, or add them temporarily to your hosts file... no, do it the correct way, setup proper DNS entries. Setup PKI servers while you at it, after all we're going to use AD authentication over LDAPS... I hate roots)


Once complete delete install.php
<code>
sudo rm /var/www/html/webdomain.com/public_html/install.php
</code>
==Move Data Dir==
This is done for security as it gets the dir out of the Apache published pages
<code>
sudo mkdir /var/www/html/webdomain.com/dokuwiki-data
sudo mv /var/www/html/webdomain.com/public_html/data /var/www/html/webdomain.com/dokuwiki-data/
</code>
Edit local.php to reflect the change
<code>
sudo vim /var/www/html/webdomain.com/public_html/conf/local.php
</code>
Set the following:
<code>
$conf['savedir'] = '/var/www/html/webdomain.com/dokuwiki-data/data';
</code>

==Move Conf Dir==
Same reason, for security
<code>
sudo mv /var/www/html/webdomain.com/public_html/conf /var/www/html/webdomain.com/dokuwiki-data/
</code>
Edit preload.php to reflect change
<code>
sudo vim /var/www/html/webdomain.com/public_html/inc/preload.php
</code>
Set the following:
<code>
<?php
define('DOKU_CONF','/var/www/html/webdomain.com/dokuwiki-data/conf/');
</code>
Set permissions
<code>
sudo chown -R apache:apache /var/www/html/webdomain.com/public_html/inc
sudo chmod -R 700 /var/www/html/webdomain.com/public_html/inc
sudo chmod -R 700 /var/www/html/webdomain.com/public_html/bin
</code>

==Allow Additional Upload File Types==
https://www.captechconsulting.com/blogs/dokuwiki-a-step-by-step-install-guide \\
See end of document for a list of most file types
<code>
sudo vim /var/www/html/webdomain.com/dokuwiki-data/conf/mime.local.conf
</code>
Add the following
<code>
mp3     !audio/mpeg
avi     video/x-msvideo
mpg     video/mpeg
mpeg    video/mpeg
bin     application/octet-stream
exp     application/octet-stream
cfg     application/octet-stream
ovpn	application/octet-stream
unf     application/octet-stream
</code>

==Fix Permissions Again...==
<code>
sudo chmod -R 755 /var/www/html/webdomain.com/public_html
sudo restorecon -r /var/www/html/webdomain.com/public_html
sudo chcon -Rv --type=httpd_sys_rw_content_t /var/www/html/webdomain.com/dokuwiki-data
sudo chcon -Rv --type=httpd_sys_rw_content_t /var/www/html/webdomain.com/public_html/lib/plugins
sudo chcon -Rv --type=httpd_sys_rw_content_t /var/www/html/webdomain.com/public_html/lib/tpl
sudo semanage fcontext -a -t httpd_sys_rw_content_t /var/www/html/webdomain.com/dokuwiki-data
sudo semanage fcontext -a -t httpd_sys_rw_content_t /var/www/html/webdomain.com/public_html/lib/plugins
sudo semanage fcontext -a -t httpd_sys_rw_content_t /var/www/html/webdomain.com/public_html/lib/tpl
sudo restorecon -v /var/www/html/webdomain.com/dokuwiki-data
sudo restorecon -v /var/www/html/webdomain.com/public_html/lib/plugins
sudo restorecon -v /var/www/html/webdomain.com/public_html/lib/tpl
sudo setsebool -P httpd_can_network_connect on
sudo chown -R apache:apache /var/www/html/webdomain.com
sudo chmod -R 700 /var/www/html/webdomain.com/dokuwiki-data
sudo chmod -R 700 /var/www/html/webdomain.com/public_html/inc
sudo chmod -R 700 /var/www/html/webdomain.com/public_html/bin
</code>

Restart Apache
<code>
sudo systemctl restart httpd
</code>

==List of Recommended Plugins==
Items marked as optional are just that, otherwise add the plugin.
<code>
ckgedit (Myron Turner)
prosemirror (dokuwiki beta alternative to ckgedit Andreas Gohr)
Diagram plugin (Nikita) (optional)
discussion plugin (Michael Hamann) (optional)
dw2pdf plugin (Andreas Gohr)
edittable plugin (Andreas Gohr)
flowchartjs plugin (Hua GAO) (optional)
gallery plugin (Andreas Gohr) 
imgpaste plugin (Andreas Gohr) (optional)
indexmenu plugin (Samuele)
move plugin (michael hamann) (optional)
note plugin (olivier Cortes) (optional)
Open Document Plugin (Andreas) (optional)
Pagelist Plugin (Matthias Schulte) 
Dokuwiki Upgrade Plugin (Andreas Gohr)
Wrap Plugin (Anika Henke)
Log Statistics Plugin (Andreas Gohr)
Statdisplay Plugin (Andreas Gohr)
Toolbox Plugin (Andreas Gohr)
SMTP Plugin (Andreas Gohr)
IP Banning Plugin (Andreas Gohr)
IssueTracker (Taggic) (optional)
nssearch (Eli Fenton)
</code>

For a theme the bootstrap3 template is ideal, and change the setting so it doesn't use the whole width of the screen...

====Active Directory Authentication====
This is for authenticating against Active Directory, you'll need to have an AD domain setup, DNS and PKI infrastructure. \\
https://www.dokuwiki.org/plugin:authad

Here we are using LDAPS on port 636. If you aren't going to use LDAPS then remove the preceding <code>ldaps:// and appended :636</code> from the LDAP server names... or just do it properly and use LDAPS so your user credentials aren't flying all over your network in plain text... It's tedious I know, but you feel dirty if you don't.

Create protected config file
<code>
sudo vim /var/www/html/domain.com/dokuwiki-data/conf/local.protected.php
</code>
Add the following:
<code>
<?php
  // general DokuWiki options
  $conf['useacl']         = 1;
  $conf['authtype']       = 'authad';

  // configure your Active Directory data here
  $conf['plugin']['authad']['account_suffix']     = '@name.domain.local';
  $conf['plugin']['authad']['base_dn']            = 'OU=Users,OU=SomeOrgnizationalUnit,DC=name,DC=domain,DC=local';
  $conf['plugin']['authad']['domain_controllers'] = 'ldaps://srv01.name.domain.local:636, ldaps://srv02.name.domain.local:636'; //multiple can be given

    $conf['plugin']['authad']['admin_username']        = 'dokuwiki.bind';  //optional, only needed for looking email addresses, etc.
    $conf['plugin']['authad']['admin_password']        = 'someSuperPassword';
//  $conf['plugin']['authad']['sso']                = 1;
//  $conf['plugin']['authad']['real_primarygroup']  = 1;
//  $conf['plugin']['authad']['use_ssl']            = 0; // Don't have ssl/tls options enabled at the same time. 
    $conf['plugin']['authad']['use_tls']            = 1; // Only one of them.
//  $conf['plugin']['authad']['debug']              = 1;
    $conf['plugin']['authad']['recursive_groups']   = 0; // If number of groups in AD is large switching to 0 will improve performance, but indirect membership will not work
//  $conf['plugin']['authad']['additional']         = 'department,office'; // additional attributes to fetch
  // warn user about expiring password this many days in advance (in version 2012-03-10 and higher):
//  $conf['plugin']['authad']['expirywarn']         = 5;

//Manager and Superuser Groups
    $conf['manager']   = '@DokuWikiManagers';
    $conf['superuser'] = '@DokuWikiAdmins';

</code>

==Add the root/intermediate certificates used to sign your LDAPS certificates==
<code>
sudo vim /etc/pki/ca-trust/source/anchors/internaldomain.local-bundle
</code>
Add the intermediate certificate followed by the root certificate in BASE64 format in a single file.

Update the trusted certificate store
<code>
sudo update-ca-trust
</code>

Note: In my zealous attempts to keep only what is needed enabled I disabled the LDAPAuth plugin since I'm using AD, things still worked but there was a huge delay when loading each page and the php-fpm logs showed
<code>
PHP Warning:  ldap_start_tls(): Unable to start TLS: Operations error in /var/www/html/wiki.nytnetwork.com/public_html/lib/plugins/authad/adLDAP/adLDAP.php on line 638
</code>
Reenabling the LDAPauth plugin fixed this...

Note: To speed up AD auth (your initial page loads will be slow otherwise), specify the base OU as the root of the user OU where your AD users are located; also disable recursive AD Groups queries.