LdapAuthenticationCaseSensitivityBug
Issue Summary:
LDAP is case insensitive, but TWiki is case sensitive. If a user does not log in with their username exactly as it appears in the LDAP tree itself (with identical caps), TWiki will successfully authenticate the user with an LDAP bind, but will fail to map the user to a WikiName, and will not recognize the user as being a member of any LDAP groups. This mismatch between LDAP and TWiki causes a variety of problems.
I’m sure my issue is not unique, and it could be responsible for at least some of the unresolved LDAP-authentication/access-control questions that litter the TWiki.org Support Web and other forums. It seems that almost all of the unresolved issues are posted by folks using Microsoft technology and Active Directory. It is typical for such setups to use capital letters for usernames and other information, unlike Linux/Unix. I would assume this is probably why Linux-using contributors have not been able to diagnose the cause of the issue. See LdapContribUsersGroupsDoNotDisplay, LdapContribLoginsAreSpotty, etc. for more.
I’ll make a post here in the Support Web so others with the same problem can hopefully find a resolution by editing their LDAP (something I am not permitted to do at my organization – I'm a student working on contract), and maybe someone can help me pinpoint what I need to fix. I’ll also make a post in the LdapContribDev topic so hopefully future versions of the LDAP contrib can resolve this issue.
Issue Detailed Description:
If the user enters their username with the CN (the attribute used for our login names) exactly as found in the tree, everything works wonderfully.
In our organization, the admin has decided that usernames with caps are “easier to read” and all usernames are entered into Novell eDirectory accordingly (e.g. user “John Doe” is “JDoe” instead of the conventional “jdoe”). However, most users in our organization are accustomed to entering their usernames in lowercase to log into their machines, and thus the vast majority of users will experience access control problems in TWiki if we deploy it on our intranet. This bug thus has urgent status in the sense that it alone is preventing a TWiki deployment.
Our configuration uses Apache mod_ldap + mod_auth_ldap to do the actual user authentication. The REMOTE_USER variable is correctly set by Apache to whatever username the user typed in. Since Apache successfully binds to LDAP when provided with correct credentials regardless of capitalization, it authenticates the user, and thus allows them access into TWiki. The problem is that the plugins erroneously set the WIKINAME and WIKIUSERNAME to exactly Apache’s REMOTE_USER instead of their desired values (in my configure settings, LdapWikiNameAttribute is set to fullName, and NormalizeWikiNames is set to 1). This results in a lot of obvious problems related to access control, viewing the user’s topic if it exists (which is based on their WIKINAME), etc. The biggest issue is that access control to webs and topics based on LDAP groups will fail and erroneously block authorized users because TWiki will not be able to correctly identify a user as being a member of a group.
I also experimented with a Template Login and the problem is even worse because there is no opportunity for the REMOTE_USER variable to be set, and thus TWiki has nothing to default WIKINAME/WIKIUSERNAME to, leaving them blank.
In case it is of interest to anyone attempting a fix, adding %GROUPS% to a topic successfully displays all LDAP groups and the WikiNames of all group members (i.e. LDAP and user mapping worked correctly), even when the user is logged in as an all-lowercase username (i.e. their WIKINAME is whatever they typed into Apache => REMOTE_USER). It is interesting to note that a call to %USERINFO{userdebug="1"}% for the example user “John Doe” logged in with the lowercase name “jdoe” (where “JDoe” is the username as found in LDAP) results in “UserInfo? : jdoe, Main.jdoe, JDoe@our-organization.ca”. If you look carefully, the email address appears as it does in LDAP! Another interesting piece of information is that if I create an entry in the Users topic and add an alias to a lowercase username, the WikiName will correctly resolve. This is a poor workaround of course, as the LDAP’s purpose is to replace TWiki’s own user management, and it is also a problem because if a user tries to log in with their username typed with a different set of capitalization than LDAP or the all-lowercase alternative specified in the Users topic (e.g. some users enter their login names in all caps, and I’m sure some folks in our organization will use messed-up caps at some point), the issue remains.
You’ll notice in this submission that I have the NewUserPlugin disabled. Although I plan on using this valuable plugin, I will not turn it on until this issue is resolved, because it will create separate topics for every caps variation of a username (!!!) since TWiki thinks they are all different users (that's right: jdoe, Jdoe, JDoe, JDOe, etc., etc.).
I assume that somewhere in the maze of Perl that comprises TWiki this is probably a relatively simple fix, because a case-sensitive comparison is being done where a case-insensitive one should be taking place. Can anyone point me in the right direction as to which files need to be changed? Please note that I am a very novice Perl programmer, although I’m working to fix that ;-).
Thanks for your support, and thanks for all the effort everyone puts into TWiki!
Environment Details:
- Server: Novell SuSE Enterprise Linux 9.0 (x86_64)
- Relevant Software: Apache 2.0; mod_ldap, mod_auth_ldap, Perl 5.8.3 with all modules required by TWiki
- Apache's LDAP authentication directives are applied to the “bin” directory of TWiki
- LDAP is the LDAP interface to Novell eDirectory (with the unusual characteristic of having usernames (CN) with capital letters due to an admin's preference)
- I have the latest versions of TWiki and all plugins as the install is only a week old. Related to LDAP, versions are LdapNgPlugin v0.2; LdapContrib v1.01.
All active plugins:
SpreadSheetPlugin, BreadCrumbsPlugin, CommentPlugin, EditTablePlugin, FilterPlugin, FlexWebListPlugin, GluePlugin, IfDefinedPlugin, Interwiki Plugin, LdapNgPlugin, NatSkinPlugin, PreferencesPlugin, RedDotPlugin, SlideShowPlugin, SmiliesPlugin, TablePlugin, TwistyPlugin, WysiwygPlugin
If anyone has questions regarding my specific configure settings, please email me directly.
Note: A mention of this post has been added to LdapContribDev
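The mapping failure described in the post, as an added example that is not part of the original post and not TWiki or LdapContrib code: a small Python model of the login-name to WikiName step, with the case-sensitive lookup the post reports beside a case-insensitive canonicalisation of REMOTE_USER against the directory before any mapping is done. The directory entries, the group lists and the e-mail addresses are constructed sample data; `canonical_login`, `map_user`, `allowed` and `casefold_collisions` are hypothetical names, and `normalize_wiki_name` is only an approximation of what NormalizeWikiNames=1 does.

```python
import re

# Constructed stand-in for the eDirectory/LDAP subtree: CN (login name) -> attributes.
# A real implementation would search LDAP; this dict is sample data only.
DIRECTORY = {
    "JDoe":   {"fullName": "John Doe",         "mail": "JDoe@our-organization.ca"},
    "ASmith": {"fullName": "Anne-Marie Smith", "mail": "ASmith@our-organization.ca"},
}

# Constructed group membership: group CN -> member CNs exactly as stored in LDAP.
GROUPS = {
    "WikiAdminGroup": ["JDoe"],
    "StudentGroup":   ["ASmith", "JDoe"],
}


def casefold_collisions(directory):
    """Return lists of login names that become identical after case folding.

    LDAP CNs are case-insensitive, so a real directory cannot hold two such
    entries, but a locally maintained user list (e.g. a Users topic) can, and
    that is where a case-insensitive comparison would start mixing up users.
    """
    seen = {}
    for cn in directory:
        seen.setdefault(cn.casefold(), []).append(cn)
    return [names for names in seen.values() if len(names) > 1]


def canonical_login(remote_user, directory=DIRECTORY):
    """Map whatever the user typed (jdoe, JDOE, jDoE, ...) to the CN as stored.

    Returns None when nothing matches and refuses to guess when the fold is
    ambiguous, so a collision can never silently become another account.
    """
    folded = remote_user.casefold()
    matches = [cn for cn in directory if cn.casefold() == folded]
    if len(matches) > 1:
        raise ValueError("ambiguous login after case folding: %r" % (matches,))
    return matches[0] if matches else None


def normalize_wiki_name(full_name):
    """Approximation of NormalizeWikiNames=1: keep alphanumerics, capitalise words."""
    words = re.split(r"[^A-Za-z0-9]+", full_name)
    return "".join(w[:1].upper() + w[1:] for w in words if w)


def map_user(remote_user, case_sensitive=True, directory=DIRECTORY, groups=GROUPS):
    """Return (login, WikiName, groups) for an Apache-authenticated REMOTE_USER.

    case_sensitive=True reproduces the behaviour reported in the post: the
    login is recognised only if it matches the stored CN byte for byte, and
    otherwise REMOTE_USER is used verbatim as both login and WikiName, so the
    user ends up in no groups.  case_sensitive=False canonicalises first.
    """
    if case_sensitive:
        login = remote_user if remote_user in directory else None
    else:
        login = canonical_login(remote_user, directory)
    if login is None:
        return remote_user, remote_user, []
    wiki_name = normalize_wiki_name(directory[login]["fullName"])
    member_of = sorted(g for g, members in groups.items() if login in members)
    return login, wiki_name, member_of


def allowed(remote_user, required_group, case_sensitive=True):
    """Group-based access check, the way a web or topic ALLOW rule would do it."""
    _, _, member_of = map_user(remote_user, case_sensitive)
    return required_group in member_of


if __name__ == "__main__":
    for typed in ("JDoe", "jdoe", "JDOE"):
        print(typed,
              "case-sensitive:", map_user(typed, case_sensitive=True),
              "canonicalised:", map_user(typed, case_sensitive=False))
```

The point of canonicalising before mapping, rather than comparing case-insensitively at every later step, is that the rest of the system (WikiName, group checks, the NewUserPlugin topic name) then sees a single login string per account. The fallback that hands REMOTE_USER through verbatim is kept only to mirror what the post observed; for access control a login that cannot be resolved to a directory entry should be treated as unknown, and any locally maintained user list should be checked for fold collisions before the comparison is relaxed.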