Dokuwiki (Hogfather release) on CentOS 8

This document describes how to install Dokuwiki on a CentOS 8 LAMP server, including the option of authenticating against Microsoft Active Directory.

To begin, follow the guide on setting up a LAMP server (minus MariaDB, as it's not needed): Install CentOS 8 LAMP stack

Install Prerequisites

Install Dokuwiki: https://www.dokuwiki.org/install:centos

Install PHP modules

sudo dnf install php-gd php-mbstring php-ldap

Download Dokuwiki & Install

wget https://download.dokuwiki.org/src/dokuwiki/dokuwiki-stable.tgz

Unpack

tar xvfz dokuwiki-stable.tgz

Remove existing public_html folder and replace

sudo rm -r /var/www/html/webdomain.com/public_html
sudo mv dokuwiki... /var/www/html/webdomain.com/public_html

Fix permissions

sudo chown -R apache:apache /var/www/html/webdomain.com/public_html
sudo chmod -R 755 /var/www/html/webdomain.com/public_html
sudo restorecon -r /var/www/html/webdomain.com/public_html
sudo chcon -Rv --type=httpd_sys_rw_content_t /var/www/html/webdomain.com/public_html/data
sudo semanage fcontext -a -t httpd_sys_rw_content_t "/var/www/html/webdomain.com/public_html/data(/.*)?"
sudo restorecon -Rv /var/www/html/webdomain.com/public_html/data
sudo chmod -R 775 /var/www/html/webdomain.com/public_html/data
sudo chcon -Rv --type=httpd_sys_rw_content_t /var/www/html/webdomain.com/public_html/conf
sudo semanage fcontext -a -t httpd_sys_rw_content_t "/var/www/html/webdomain.com/public_html/conf(/.*)?"
sudo restorecon -Rv /var/www/html/webdomain.com/public_html/conf
sudo chmod -R 775 /var/www/html/webdomain.com/public_html/conf

Initial Setup and Security Changes

Go to ip.add.re.ss/install.php to start the install, and ignore the data dir security issue. (If you're using virtual hosts and TLS then use the domain name instead. This assumes you have DNS entries already, or add them temporarily to your hosts file… no, do it the correct way and set up proper DNS entries. Set up PKI servers while you're at it; after all, we're going to use AD authentication over LDAPS… I hate roots.)

Once complete, delete install.php

sudo rm /var/www/html/webdomain.com/public_html/install.php

Move Data Dir

This is done for security, as it gets the dir out of the Apache published pages.

sudo mkdir /var/www/html/webdomain.com/dokuwiki-data
sudo mv /var/www/html/webdomain.com/public_html/data /var/www/html/webdomain.com/dokuwiki-data/

Edit local.php to reflect the change

sudo vim /var/www/html/webdomain.com/public_html/conf/local.php

Set the following:

$conf['savedir'] = '/var/www/html/webdomain.com/dokuwiki-data/data';

Move Conf Dir

Same reason: security.

sudo mv /var/www/html/webdomain.com/public_html/conf /var/www/html/webdomain.com/dokuwiki-data/

Edit preload.php to reflect change

sudo vim /var/www/html/webdomain.com/public_html/inc/preload.php

Set the following:

<?php
define('DOKU_CONF','/var/www/html/webdomain.com/dokuwiki-data/conf/');

Set permissions

sudo chown -R apache:apache /var/www/html/webdomain.com/public_html/inc
sudo chmod -R 700 /var/www/html/webdomain.com/public_html/inc
sudo chmod -R 700 /var/www/html/webdomain.com/public_html/bin

Allow Additional Upload File Types

https://www.captechconsulting.com/blogs/dokuwiki-a-step-by-step-install-guide
See end of document for a list of most file types

sudo vim /var/www/html/webdomain.com/dokuwiki-data/conf/mime.local.conf

Add the following

mp3     !audio/mpeg
avi     video/x-msvideo
mpg     video/mpeg
mpeg    video/mpeg
bin     application/octet-stream
exp     application/octet-stream
cfg     application/octet-stream
ovpn    application/octet-stream
unf     application/octet-stream

Fix Permissions Again...

sudo chmod -R 755 /var/www/html/webdomain.com/public_html
sudo restorecon -r /var/www/html/webdomain.com/public_html
sudo chcon -Rv --type=httpd_sys_rw_content_t /var/www/html/webdomain.com/dokuwiki-data
sudo chcon -Rv --type=httpd_sys_rw_content_t /var/www/html/webdomain.com/public_html/lib/plugins
sudo chcon -Rv --type=httpd_sys_rw_content_t /var/www/html/webdomain.com/public_html/lib/tpl
sudo semanage fcontext -a -t httpd_sys_rw_content_t "/var/www/html/webdomain.com/dokuwiki-data(/.*)?"
sudo semanage fcontext -a -t httpd_sys_rw_content_t "/var/www/html/webdomain.com/public_html/lib/plugins(/.*)?"
sudo semanage fcontext -a -t httpd_sys_rw_content_t "/var/www/html/webdomain.com/public_html/lib/tpl(/.*)?"
sudo restorecon -Rv /var/www/html/webdomain.com/dokuwiki-data
sudo restorecon -Rv /var/www/html/webdomain.com/public_html/lib/plugins
sudo restorecon -Rv /var/www/html/webdomain.com/public_html/lib/tpl
sudo setsebool -P httpd_can_network_connect on
sudo chown -R apache:apache /var/www/html/webdomain.com
sudo chmod -R 700 /var/www/html/webdomain.com/dokuwiki-data
sudo chmod -R 700 /var/www/html/webdomain.com/public_html/inc
sudo chmod -R 700 /var/www/html/webdomain.com/public_html/bin

Restart Apache

sudo systemctl restart httpd
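
The hardening steps above (installer removed, data and conf moved out of public_html, mode 700 on dokuwiki-data, inc and bin) can be checked in one pass. The script below is an added example, not part of the original guide; audit_dokuwiki and note are hypothetical names, and GNU find (as shipped with CentOS 8) is assumed.

```bash
#!/usr/bin/env bash
# Added example (not from the original guide): audit the hardened layout.
# audit_dokuwiki and note are hypothetical helper names; GNU find is assumed.
# Usage: audit_dokuwiki /var/www/html/webdomain.com
# Prints one finding per line and returns the number of findings (0 = clean).
audit_dokuwiki() {
    local site="$1" findings=0 d
    local docroot="$site/public_html" store="$site/dokuwiki-data"
    note() { printf 'FINDING: %s\n' "$1"; findings=$((findings + 1)); }

    # The installer must be gone once setup is complete.
    [ -e "$docroot/install.php" ] && note "install.php still present in public_html"

    # data/ and conf/ must live outside the published tree.
    for d in data conf; do
        [ -e "$docroot/$d" ] && note "$d/ is still inside public_html"
        [ -d "$store/$d" ] || note "$store/$d is missing"
    done

    # savedir and DOKU_CONF must point at the relocated directories.
    grep -qs "^ *[$]conf\['savedir'] *= *'$store/data'" "$store/conf/local.php" ||
        note "savedir in local.php does not point at $store/data"
    grep -qs "define('DOKU_CONF', *'$store/conf/')" "$docroot/inc/preload.php" ||
        note "DOKU_CONF in preload.php does not point at $store/conf/"

    # The guide sets these three trees to mode 700: no group/other bits allowed.
    for d in "$store" "$docroot/inc" "$docroot/bin"; do
        [ -d "$d" ] || continue
        [ -n "$(find "$d" -perm /077 | head -n 1)" ] &&
            note "$d has entries accessible to group or other"
    done
    return "$findings"
}
```

Run it with sudo, since the 700 directories are readable only by apache and root.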

Plugins marked as optional are just that; otherwise, add the plugin.

ckgedit (Myron Turner)
prosemirror (Dokuwiki beta alternative to ckgedit, Andreas Gohr)
Diagram plugin (Nikita) (optional)
discussion plugin (Michael Hamann) (optional)
dw2pdf plugin (Andreas Gohr)
edittable plugin (Andreas Gohr)
flowchartjs plugin (Hua GAO) (optional)
gallery plugin (Andreas Gohr) 
imgpaste plugin (Andreas Gohr) (optional)
indexmenu plugin (Samuele)
move plugin (Michael Hamann) (optional)
note plugin (Olivier Cortes) (optional)
Open Document Plugin (Andreas) (optional)
Pagelist Plugin (Matthias Schulte) 
Dokuwiki Upgrade Plugin (Andreas Gohr)
Wrap Plugin (Anika Henke)
Log Statistics Plugin (Andreas Gohr)
Statdisplay Plugin (Andreas Gohr)
Toolbox Plugin (Andreas Gohr)
SMTP Plugin (Andreas Gohr)
IP Banning Plugin (Andreas Gohr)
IssueTracker (Taggic) (optional)
nssearch (Eli Fenton)

For a theme the bootstrap3 template is ideal, and change the setting so it doesn't use the whole width of the screen…

Active Directory Authentication

This is for authenticating against Active Directory; you'll need to have an AD domain set up, along with DNS and PKI infrastructure.
https://www.dokuwiki.org/plugin:authad

Here we are using LDAPS on port 636. If you aren't going to use LDAPS then remove the preceding ldaps:// and the appended :636 from the LDAP server names… or just do it properly and use LDAPS so your user credentials aren't flying all over your network in plain text… It's tedious, I know, but you feel dirty if you don't.

Create protected config file

sudo vim /var/www/html/webdomain.com/dokuwiki-data/conf/local.protected.php

Add the following:

<?php
// general DokuWiki options
$conf['useacl']   = 1;
$conf['authtype'] = 'authad';

// configure your Active Directory data here
$conf['plugin']['authad']['account_suffix']     = '@name.domain.local';
$conf['plugin']['authad']['base_dn']            = 'OU=Users,OU=SomeOrganizationalUnit,DC=name,DC=domain,DC=local';
$conf['plugin']['authad']['domain_controllers'] = 'ldaps://srv01.name.domain.local:636, ldaps://srv02.name.domain.local:636'; // multiple can be given

$conf['plugin']['authad']['admin_username']     = 'dokuwiki.bind'; // optional, only needed for looking up email addresses, etc.
$conf['plugin']['authad']['admin_password']     = 'someSuperPassword';
//$conf['plugin']['authad']['sso']                = 1;
//$conf['plugin']['authad']['real_primarygroup']  = 1;
//$conf['plugin']['authad']['use_ssl']            = 0; // Don't have ssl/tls options enabled at the same time.
$conf['plugin']['authad']['use_tls']            = 1; // Only one of them.
//$conf['plugin']['authad']['debug']              = 1;
$conf['plugin']['authad']['recursive_groups']   = 0; // If the number of groups in AD is large, switching to 0 will improve performance, but indirect membership will not work
//$conf['plugin']['authad']['additional']         = 'department,office'; // additional attributes to fetch
// warn user about expiring password this many days in advance (in version 2012-03-10 and higher):
//$conf['plugin']['authad']['expirywarn']         = 5;

// Manager and Superuser Groups
$conf['manager']   = '@DokuWikiManagers';
$conf['superuser'] = '@DokuWikiAdmins';

Add the root/intermediate certificates used to sign your LDAPS certificates

sudo vim /etc/pki/ca-trust/source/anchors/internaldomain.local-bundle

Add the intermediate certificate followed by the root certificate in BASE64 format in a single file.

Update the trusted certificate store

sudo update-ca-trust
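
Before relying on the AD configuration, it is worth linting local.protected.php for the points this section makes: every domain controller listed as ldaps:// on port 636, only one of use_ssl / use_tls enabled, and a file mode that keeps the bind password away from other accounts. The script below is an added example, not part of the original guide or the authad plugin; lint_authad, opt and note are hypothetical names, and GNU find is assumed.

```bash
#!/usr/bin/env bash
# Added example (not from the original guide): lint local.protected.php.
# lint_authad, opt and note are hypothetical helper names; GNU find is assumed.
# Prints one finding per line and returns the number of findings (0 = clean).
lint_authad() {
    local file="$1" findings=0 dcs dc
    note() { printf 'FINDING: %s\n' "$1"; findings=$((findings + 1)); }
    # Value of an active (not //-commented) authad option, quotes and spaces removed.
    opt() {
        sed -n "s/^[[:space:]]*[$]conf\['plugin']\['authad']\['$1'][[:space:]]*=[[:space:]]*\([^;]*\);.*/\1/p" \
            "$file" | tail -n 1 | tr -d "'\" "
    }

    # Every listed domain controller should be an ldaps:// URL on port 636.
    dcs=$(opt domain_controllers)
    [ -n "$dcs" ] || note "domain_controllers is not set"
    for dc in $(printf '%s' "$dcs" | tr ',' ' '); do
        case $dc in
            ldaps://*:636) ;;
            *) note "domain controller '$dc' is not ldaps://host:636" ;;
        esac
    done

    # The config comments say to enable only one of use_ssl / use_tls.
    [ "$(opt use_ssl)" = 1 ] && [ "$(opt use_tls)" = 1 ] &&
        note "use_ssl and use_tls are both enabled"

    # The file holds admin_password, so group/other must have no access.
    [ -n "$(find "$file" -perm /077)" ] && note "$file is accessible to group or other"
    return "$findings"
}
```

A file created with sudo vim is typically root-owned with mode 644, so re-apply the chown and chmod 700 steps from the permissions section after creating it.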

Note: In my zealous attempts to keep only what is needed enabled, I disabled the LDAPAuth plugin since I'm using AD. Things still worked, but there was a huge delay when loading each page and the php-fpm logs showed:

PHP Warning:  ldap_start_tls(): Unable to start TLS: Operations error in /var/www/html/wiki.nytnetwork.com/public_html/lib/plugins/authad/adLDAP/adLDAP.php on line 638

Re-enabling the LDAPAuth plugin fixed this…

Note: To speed up AD auth (your initial page loads will be slow otherwise), specify the base OU as the root of the user OU where your AD users are located; also disable recursive AD Groups queries.