
LdapContrib Enhancement: Provide functionality to take mappings defined by TWikiUserMapping into consideration when migrating to LdapUserMapping

Motivation

When an SSO (Single Sign On) solution is used with UserMappingManager set to TWikiUserMapping, a topic defining TWikiUser ⇔ SSO login mappings exists. If LdapContrib with UserMappingManager LdapUserMapping is installed later, there is a need to preserve these mappings, so that an SSO login does not end up with a different TWikiName after the installation than it had before.

Description and Documentation

When migrating to LdapUserMapping from TWikiUserMapping, TWikiNames are no longer chosen by the user via the TWikiRegistration form.

If an SSO (Single Sign On) solution is used, TWikiUserMapping defines the mappings between TWikiNames and logins in the topic $TWiki::cfg{UsersWebName}.$TWiki::cfg{UsersTopicName}, normally Main.TWikiUsers.

When the LdapContrib cache is built, it uses data from an LDAP server to automatically compute TWikiNames for the logins present in the LDAP data tree. If these logins are also present in "the old" Main.TWikiUsers topic, there is a real chance that some logins will get a new TWikiName, unless logic is added to preserve the mappings from this topic.

This can lead to users getting access rights that weren't really given to them.

Examples

Using SSO and TWikiUserMapping, SSO login frankie logs in to the TWiki for the first time. The system can't find him in topic Main.TWikiUsers, so it sends frankie to TWikiRegistration, where he chooses a TWikiName manually: FrankieJones.

At a later date, LdapContrib is installed and a local cache is built. The local configuration defines that the LDAP attributes firstName and lastName should be used to compute TWikiNames. For login frankie, these are Frankie and Smith Jones. This leads to LdapContrib caching the TWikiName FrankieSmithJones for login frankie.

Before LdapContrib: frankie → FrankieJones.

After LdapContrib: frankie → FrankieSmithJones.

Impact

If users are in danger of suddenly getting a new TWikiName after migrating to LdapUserMapping, bad things can happen:

  • Users may lose access rights that were given to them (to their old TWikiName)
  • Users may acquire access to content that was never meant for them (they got a TWikiName that previously belonged to somebody else)

Implementation

In lib/LocalSite.cfg, the following flag is set:

$TWiki::cfg{Ldap}{PreserveTWikiUserMapping} = 1;

Then, when TWiki::Contrib::LdapContrib::refreshUsersCache() is run, Main.TWikiUsers is taken into consideration if either of these conditions is true:

  • The cache is empty
  • The refresh mode is set to forced

As the LDAP entries are fetched from the LDAP server, the users are not cached right away; instead, each is put into one of two lists:

Then, the users are cached. This ensures that every user in @processFirst "wins" a TWikiName clash (two logins resolving to the same TWikiName, where the one processed first always wins).

Next time the cache is refreshed in "normal" mode, the initial test (empty cache or refresh mode forced) fails, and the cache is built just as it is today, but with the existing mappings already in the cache taking precedence.

NB: logins in Main.TWikiUsers which are not present in the LDAP user tree will naturally not be cached. But this leaves their TWikiName up for grabs. If that TWikiName has rights attached to it, this can be an issue (a topic for another proposal).
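The two-list precedence rule above, together with the NB about logins that no longer exist in LDAP, as an added Perl example. This is not LdapContrib's own code: it assumes the "   * WikiName - login - date" entry format that TWikiUserMapping writes to Main.TWikiUsers, uses a constructed TWikiUsers topic and a constructed LDAP result set, and resolves a remaining clash by appending a counter, which is an assumption made for this example rather than LdapContrib's documented behaviour.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample of Main.TWikiUsers (assumed entry format
# "   * WikiName - login - date", as written by TWikiUserMapping).
my $twikiUsersTopic = <<'END';
---+ TWiki Users
   * A - Z
   * FrankieJones - frankie - 19 Aug 2013
   * AnnaLee - anna - 20 Aug 2013
   * OldTimer - oldtimer - 01 Jan 2010
END

# Constructed sample of an LDAP result set: login => [firstName, lastName].
my %ldapEntries = (
    frankie => ['Frankie', 'Smith Jones'],
    anna    => ['Anna',    'Lee'],
    bob     => ['Frankie', 'Jones'],   # computes to FrankieJones: clashes with the preserved mapping
    carol   => ['Carol',   'King'],
);

# Parse "   * WikiName - login - date" lines into a login => WikiName hash.
sub parseTWikiUsers {
    my ($text) = @_;
    my %map;
    for my $line (split /\n/, $text) {
        if ($line =~ /^\s+\*\s+([A-Z][A-Za-z0-9]*)\s+-\s+(\S+)\s+-\s+/) {
            $map{$2} = $1;
        }
    }
    return \%map;
}

# Compute a WikiName from the configured name attributes: capitalise each
# part, concatenate, and strip everything that is not a letter or digit.
sub computeWikiName {
    my (@parts) = @_;
    my $name = join '', map { ucfirst($_) } @parts;
    $name =~ s/[^A-Za-z0-9]//g;
    return $name;
}

# Build the cache. Logins that have a preserved mapping go into @processFirst,
# everybody else into @processLater; @processFirst is cached first, so its
# WikiNames are already taken when a later login computes to the same name.
sub buildCache {
    my ($preserved, $ldap) = @_;
    my (@processFirst, @processLater);
    for my $login (sort keys %$ldap) {
        if (exists $preserved->{$login}) { push @processFirst, $login }
        else                              { push @processLater, $login }
    }
    my (%wikiNameOf, %loginOf, @clashes);
    for my $login (@processFirst, @processLater) {
        my $wikiName = exists $preserved->{$login}
            ? $preserved->{$login}
            : computeWikiName(@{ $ldap->{$login} });
        if (exists $loginOf{$wikiName}) {
            # Assumed clash resolution for this example: append a counter.
            my $n = 2;
            $n++ while exists $loginOf{"$wikiName$n"};
            push @clashes, "$login wanted $wikiName, got $wikiName$n";
            $wikiName .= $n;
        }
        $wikiNameOf{$login} = $wikiName;
        $loginOf{$wikiName} = $login;
    }
    # Preserved mappings whose login is gone from LDAP are not cached; their
    # WikiName is now unclaimed, which is the situation the NB warns about.
    my @orphaned = grep { !exists $ldap->{$_} } sort keys %$preserved;
    return (\%wikiNameOf, \@clashes, \@orphaned);
}

my $preserved = parseTWikiUsers($twikiUsersTopic);
my ($cache, $clashes, $orphaned) = buildCache($preserved, \%ldapEntries);
printf "%-8s => %s\n", $_, $cache->{$_} for sort keys %$cache;
print "clash: $_\n" for @$clashes;
print "not cached, WikiName $preserved->{$_} now unclaimed: $_\n" for @$orphaned;
```

With the constructed data, frankie keeps FrankieJones and anna keeps AnnaLee because both are processed first; bob, whose LDAP attributes compute to FrankieJones, is reported as a clash instead of silently taking over the name; and oldtimer is listed as an orphaned mapping, which is the case an administrator should review before the old TWikiName's access rights are left unowned.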

-- Contributors: Terje Ness Andersen - 2013-08-19

Discussion

Looks good! Thanks for contributing!

-- Peter Thoeny - 2013-08-29

BTW, I changed the form on this topic to ChangeProposalForm. If you fill out the form at TWikiFeatureProposals you will automatically get the proper TWiki change proposal form.

-- Peter Thoeny - 2013-08-29

Functionality implemented with tag TWikibug:Item7331. Updated the LdapContrib topic as well, and tested the extension. Things seem to be working fine.

-- Terje Ness Andersen - 2013-09-03

Topic revision: r4 - 2013-09-03 - TerjeAndersen
Copyright © 1999-2017 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.