Question

I would like to use WebAuth and Kerberos in front of TWiki to authenticate users. The problem is that we can't easily set the value for the variable REMOTE_USER, which is what TWiki seems to use for authentication. A previous user had a similar problem reported here, in which he replaced all instances of REMOTE_USER with HTTP_AUTH_USER. This seems like a possible solution, but it involves hacking the base code. Before attempting to do so, I would like to ask:

• Is this indeed the proper method for solving this problem? Wouldn't this jeopardize the TWiki instance for future upgrades? Or is there another, better way to do this?
• If this is the way, which of the base TWiki files should be modified in order to efficiently and effectively change the authentication variable?

Environment

-- JohnDeStefano - 13 Aug 2007

Answer

If you answer a question - or have a question you asked answered by someone - please remember to edit the page and set the status to answered. The status is in a drop-down list below the edit box.

The solution you found seems a bit over-engineering the wrong way.

I'd simply add a line to bin/LocalLib.cfg:

   $ENV{REMOTE_USER} ||= $ENV{WEBAUTH_USER};

Probably you will need to "escape" the @ sign which occurs in Kerberos principals so that TWiki will not mis-interpret it as a Mail address, with an additional line:

   $ENV{REMOTE_USER} =~ tr/@/_/;

Changes in bin/LocalLib.cfg are robust to upgrades since this file is supposed to hold installation specific data.

-- HaraldJoerg - 13 Aug 2007

Good fix, closing...

-- PeterThoeny - 03 Oct 2007

One comment to add, this method is what I used to integrate SUN's Identity Manager using the Apache Policy Agent v2.1. Works perfectly. But, I am still working on the Idm Group and TWiki Group integration.

-- AdamRoybal - 07 Aug 2008