Remote Authentication
New in Geeklog 1.4.0 is the Remote Authentication system. With Remote Authentication enabled, users can login to your site via any authorised external service and act as a regular user.
This allows you to disable anonymous comments and make it easier for people to comment (they don't have to sign up on yet another site (yours) they can use a pre-existing central account to make comments).
To enable Remote Authentication:
- Install one or more Authentication classes in /path/to/geeklog/system/classes/authentication (Geeklog ships with a class for for LiveJournal.com and an LDAP class)
- In Geeklog 1.5 or later:
- In the Configuration, go to "Users and Submissions" > "Users" and set "User Login Method[3rdparty]" to "True"
- (optional) On the same Configuration panel under "User Submission", set "User Submission Queue?" to "False"
- In Geeklog 1.4.x:
- Set
$_CONF['remoteauthentication'] = true;
in config.php - (optional) Set
$_CONF['usersubmission'] = 0;
in config.php
- Set
With Remote Authentication enabled, the user is presented with a select box on the login screen to choose the login service. This will default to your site, but allow them to choose an external service. Users are authenticated via their remote username and password, and if they pass authentication a local account is created on your geeklog site that is slaved to that remote account. These local slave accounts can be banned, have special permissions etc just like any regular site user. The account creation process is the same as for local accounts, so all custom functions and plugin notifications are carried out as normal.
In addition, the user is added to the group 'Remote Users' allowing you to automaticaly grant/deny specific permissions to all remote users.
Unique Usernames
When a new account is created, the local username for that account is set to the remote username. However, if there is already a user in the system with the same username a call is made to CUSTOM_uniqueUsername
passing in their remote username. This allows the admin to supply a custom function to ensure unique usernames for all users.
It is not necessary to have unique usernames. This does not break the security of a local user or remote users login, as the full remote username and service are stored locally to avoid collision and internally users are identified by a unique number. However, if you want to ensure it is clear who has posted a comment or article by the name displayed, this function allows you to ensure uniqueness.
Disabling Services
To disable a specific service, simply remove the (servicename).auth.class.php file from /path/to/geeklog/system/classes/authentication and that remote service will no longer be available to your users.
Adding Services
Currently authentication modules are available for:
- LiveJournal
- LDAP
A module for authentication with Blogger was shipped with Geeklog 1.4.0 and 1.4.1 but has since been removed after Blogger changed their login procedure (the module doesn't work any more).
If you wish to add further services you will have to write custom modules to do so. This can be done by creating a PHP file named ServiceName.auth.class.php which declares a class called ServiceName with a method called authenticate
. Authenticate takes username and password as arguments and should return a boolean. The class should expose an 'email' property and attempt to provide the users valid email address if this can be aquired from the remote server. If that information is available, the class can also provide the user's full name ('fullname' property) and homepage ('homepage' property).
OpenID
Support for OpenID 1.1 was added in Geeklog 1.5.0. For technical reasons, it could not be implemented as a Remote Authentication module but instead had to be built into Geeklog's core code.