Kevin Firko
LdapAuthenticationCaseSensitivityBug

Issue Summary:

LDAP is case insensitive, but TWiki is case sensitive. If a user does not login with their username exactly as it appears in the LDAP tree itself (with identical caps), TWiki will successfully authenticate the user with an LDAP bind, but will fail to map the user to a WikiName, and will not recognize the user as being a member of any LDAP groups. This disjoint between LDAP and TWiki causes a variety of problems.

I’m sure my issue is not unique, and it could be responsible for at least some of the unresolved LDAP-authentication-access/control questions that litter the TWiki.org Support Web and other forums. It seems that almost all of the unresolved issues are posted by folks using Microsoft technology and Active Directory. It is typical for such setups to use capital letters for usernames and other information, unlike Linux/Unix. I would assume this is probably why linux-using contributors have not been able to diagnose the cause of the issue. See LdapContribUsersGroupsDoNotDisplay, LdapContribLoginsAreSpotty, LdapContribUsersGroupsDoNotDisplay, etc for more.

I’ll make a post here in the support so others with the same problem can hopefully find a resolution by editing their LDAP (something I am not permitted to do at my organization – I'm a student working on contract), and maybe someone can help me pinpoint what I need to fix. I’ll also make a post in the LdapContribDev topic so hopefully future versions of the LDAP contrib can resolve this issue.

Issue Detailed Description:

If the user enters their username with the CN (the attribute used for our login names) exactly as found in the tree, everything works wonderfully.

In our organization, the admin has decided that usernames with caps are “easier to read” and all usernames are entered into Novell eDirectory accordingly (eg: user “John Doe” is “JDoe” instead of convention “jdoe”). However, most users in our organization are accustomed to entering their usernames in lowercase to log into their machines and thus the vast majority of users will experience access control problems in TWiki if we deploy it on our intranet. This bug is thus urgent status in the sense that it alone is preventing a TWiki deployment.

Our configuration uses Apache mod_ldap + mod_auth_ldap to do the actual user authentication. The REMOTE_USER variable is correctly set by Apache to whatever username the user typed in. Since Apache successfully binds to LDAP when provided with correct credentials regardless of capitalization, it authenticates the user, and thus allows them access into TWiki. The problem is that the plugins erroneously set the WIKINAME and WIKIUSERNAME to exactly Apache’s REMOTE_USER instead of their desired values (in my configure settings, LdapWikiNameAttribute is set to fullName, and NormalizeWikiNames is set to 1). This results in a lot of obvious problems related to access control, viewing the user’s topic if it exists (which is based on their WIKINAME), etc. The biggest issue is that access control to webs and topics based on LDAP groups will fail and erroneously block authorized users because TWiki will not be able to correctly identify a user as being a member of a group.

I also experimented with a Template Login and the problem is even worse because there is no opportunity for the REMOTE_USER variable to be set, and thus TWiki has nothing to default WIKINAME/WIKIUSERNAME to, leaving them blank.

In case it is of interest to anyone attempting a fix, adding %GROUPS% to a topic successfully displays all LDAP groups and the WikiNames of all group members (ie: LDAP and user mapping worked correctly), even when the user is logged in as an all-lowercase username (ie: their WIKINAME is whatever they typed into Apache => REMOTE_USER). It is interesting to note that a call to %USERINFO{userdebug="1"}% for the example user “John Doe” logged in with the lowercase name “jdoe” (where “JDoe” is the username as found in LDAP) results in “UserInfo? : jdoe, Main.jdoe, JDoe@our-organization.ca”. If you look carefully, the email address appears as it does in LDAP! Another interesting piece of information is that if I create an entry in the Users topic and add an alias to a lower case username, the WikiName will correctly resolve. This is a poor workaround of course, as the LDAP’s purpose is to replace TWiki’s own user management, and it is also a problem because if a user tries to log in with their username typed with a different set of capitalization than LDAP or the all-lowercase alternative specified in the Users topic (eg: some users enter their login names in all caps, and I’m sure some folks in our organization will use messed up caps at some point), the issue remains.

You’ll notice in this submission that I have the NewUserPlugin disabled. Although I plan on using this valuable plugin, I will not turn it on until this issue is resolved because it will create separate topics for every caps variation of a username (!!!) because TWiki thinks they are all different users (that's right: jdoe, Jdoe, JDoe, JDOe, etc, etc).

I assume somewhere in the maze of perl that comprises TWiki this is probably a relatively simple fix because a case sensitive comparison is being done where a case insensitive one should be taking place. Can anyone point me in the right direction as to what files need to be changed? Please note that I am a very novice perl programmer, although I’m working to fix that ;-).
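To make the mismatch concrete, here is an added Python model of the behaviour described above; it is not code from TWiki, LdapContrib or this post. The in-memory directory, the user names, the passwords and the group names are all constructed for the example; the attribute names cn, fullName and the NormalizeWikiNames behaviour follow the post. The naive mapper reproduces the bug (a lowercase REMOTE_USER is used verbatim as the key, so it never matches the stored cn and the user gets Main.jdoe with no groups); the canonical mapper shows the fix, which is to resolve the typed login back to the cn as stored in the directory before it is used as a key for anything.

```python
"""Added example: LDAP matches cn case-insensitively, so a mapping layer
keyed on the login name must canonicalize it first.  Everything below is
constructed for illustration (not TWiki or LdapContrib code)."""
import re

# Constructed stand-in for the LDAP tree.  cn is the login attribute and
# fullName plays the role of LdapWikiNameAttribute from the post.
DIRECTORY = {
    "JDoe":   {"fullName": "John Doe",    "mail": "JDoe@example.org"},
    "ASmith": {"fullName": "Alice Smith", "mail": "ASmith@example.org"},
}
# Group membership lists hold cn values exactly as stored in the directory.
GROUPS = {
    "WikiAdmins": ["JDoe"],
    "Staff":      ["JDoe", "ASmith"],
}
PASSWORDS = {"JDoe": "constructed-pw-1", "ASmith": "constructed-pw-2"}  # constructed


def resolve_cn(login):
    """Return the cn exactly as stored in the directory, or None.
    LDAP's caseIgnoreMatch forbids two entries whose cn differ only by
    case in one container, so a case-folded comparison is unambiguous."""
    folded = login.casefold()
    for cn in DIRECTORY:
        if cn.casefold() == folded:
            return cn
    return None


def ldap_bind(login, password):
    """Mimic a simple bind: 'jdoe', 'JDoe' and 'JDOE' all bind as the same
    entry.  Returns the stored cn on success, None on failure."""
    cn = resolve_cn(login)
    if cn is None or PASSWORDS[cn] != password:
        return None
    return cn


def normalize_wikiname(full_name):
    """NormalizeWikiNames=1 style: 'John Doe' -> 'JohnDoe'."""
    words = re.findall(r"[A-Za-z0-9]+", full_name)
    return "".join(w[:1].upper() + w[1:] for w in words)


def naive_mapping(remote_user):
    """Reproduces the bug from the post: REMOTE_USER (the name as typed)
    is used verbatim as the key, so a lowercase login never matches the
    stored cn and falls through to 'Main.<login>' with no groups."""
    entry = DIRECTORY.get(remote_user)
    if entry is None:
        return {"wikiname": remote_user, "groups": []}
    groups = [g for g, members in GROUPS.items() if remote_user in members]
    return {"wikiname": normalize_wikiname(entry["fullName"]),
            "groups": sorted(groups)}


def canonical_mapping(remote_user):
    """Fix: resolve REMOTE_USER to the stored cn first, then key the
    WikiName and the group lookups on that canonical value."""
    cn = resolve_cn(remote_user)
    if cn is None:
        return None  # unknown user; the caller must not invent a WikiName
    entry = DIRECTORY[cn]
    groups = [g for g, members in GROUPS.items() if cn in members]
    return {"login": cn,
            "wikiname": normalize_wikiname(entry["fullName"]),
            "mail": entry["mail"],
            "groups": sorted(groups)}


def distinct_identities(mapper, logins):
    """How many separate users a mapper believes a list of logins to be.
    With the naive mapper every capitalisation variant is a new user,
    which is what would make NewUserPlugin create a topic per variant."""
    return len({m["wikiname"] for m in map(mapper, logins) if m})


if __name__ == "__main__":
    variants = ["jdoe", "Jdoe", "JDoe", "JDOe"]
    for login in variants:
        print(login, "->", naive_mapping(login), "|", canonical_mapping(login))
    print("naive sees", distinct_identities(naive_mapping, variants), "users;",
          "canonical sees", distinct_identities(canonical_mapping, variants))
```

The design point is that the bind result alone does not tell you which entry matched; the mapper has to ask the directory for the stored value (in a real deployment, read the cn back from the entry returned by the user search) and use that, not the typed string, everywhere a comparison is made. Folding every name to lowercase also works when the directory is the only identity source, but it still prints lowercase names in topics and breaks the moment an alias in the Users topic is added with different caps, so resolving to the canonical cn is the more robust choice.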

Thanks for your support, and thanks for all the effort everyone puts into TWiki!

Environment Details:

  • Server: Novell SuSE Enterprise Linux 9.0 (x86_64)
  • Relevant Software: Apache 2.0; mod_ldap, mod_auth_ldap, perl 5.8.3 with all modules required by TWiki
  • Apache's LDAP authentication directives are applied to the “bin” directory of TWiki
  • LDAP is the LDAP interface to Novell eDirectory (with the unusual characteristic of having usernames (CN) with capital letters due to an admin's preference)
  • I have the latest versions of TWiki and all plugins as the install is only a week old. Related to LDAP, versions are LdapNgPlugin v0.2; LdapContrib v1.01.

All active plugins: SpreadSheetPlugin, BreadCrumbsPlugin, CommentPlugin, EditTablePlugin, FilterPlugin, FlexWebListPlugin, GluePlugin, IfDefinedPlugin, Interwiki Plugin, LdapNgPlugin, NatSkinPlugin, PreferencesPlugin, RedDotPlugin, SlideShowPlugin, SmiliesPlugin, TablePlugin, TwistyPlugin, WysiwygPlugin

If anyone has questions regarding my specific configure settings, please email me directly.

Note: A mention of this post has been added to LdapContribDev


Topic revision: r4 - 2007-05-25 - PeterThoeny