
SID-01191: LDAP Security

Status: Answered
Category: CategoryAuthentication
Last update: 12 years ago

I'm thinking about using TWiki with my existing LDAP server and security is my top concern. I saw that TWiki has the ability to use TLS with LDAP, which is good. My question is: does TWiki store/cache any credential information on the wiki system or the client?

Thank you

-- EricGruber - 2011-05-31

Discussion and Answer

The current LdapContrib caches user credentials for speed on the TWiki server in the twiki/working/work_areas/LdapContrib directory. Even with shell access, only the webserver user and root have access to the binary cache file (shell access to the TWiki server should be restricted to sysadmins anyway). Login can be configured to require SSL, so the password is encrypted between client and TWiki server. Nothing is cached on the client besides a session cookie. I do not recommend using the LdapContrib if you have more than a few thousand LDAP entries; it needs to be redesigned to scale to 10K+ entries. You can hire a TWiki consultant if the current LdapContrib does not meet your needs.

-- PeterThoeny - 2011-05-31
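
The access restriction on the cache directory described in the answer above can be verified on a given install with a short audit. This is an added example, not part of the original thread or of LdapContrib; the function name `audit_ldap_cache` and the `www-data` account in the usage comment are assumptions, and `-perm /077` needs GNU find or a compatible one.

```shell
#!/bin/sh
# Added example (not from the thread or from LdapContrib).
# Audits the LdapContrib cache directory named in the answer for anything
# readable, writable or searchable by group/other, or owned by the wrong user.
#
# Usage (www-data is an assumed webserver account; use your own):
#   sh audit.sh twiki/working/work_areas/LdapContrib www-data
#
# Output: one finding per line ("PERMS <path>" or "OWNER <path>"), or "OK <dir>".
# Return: 0 clean, 1 findings, 2 directory missing.
audit_ldap_cache() {
    dir=$1
    # find -user accepts a user name or a numeric uid; default to the caller.
    owner=${2:-$(id -u)}

    if [ ! -d "$dir" ]; then
        echo "MISSING $dir"
        return 2
    fi

    findings=$(
        # Any group/other permission bit on the directory or a file in it
        # means more than the owner (and root) can reach the cache.
        find "$dir" \( -type f -o -type d \) -perm /077 | sed 's/^/PERMS /'
        # Anything not owned by the expected webserver account.
        find "$dir" ! -user "$owner" | sed 's/^/OWNER /'
    )

    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    echo "OK $dir"
    return 0
}

# Run the audit when the script is invoked with arguments.
if [ "$#" -gt 0 ]; then
    audit_ldap_cache "$@"
fi
```

A clean result only confirms filesystem permissions; the cache file itself still holds the user data on disk, so backups and snapshots of `twiki/working` need the same restriction.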

Is it possible to disable the cache in LdapContrib?

-- EricGruber - 2011-05-31

Not possible with current version. Again, you can hire a consultant. Open source is about taking and giving back.

There is an alternative: Apache has LDAP auth module(s).

-- PeterThoeny - 2011-06-01

Basically we want to have users securely connect to the wiki with their LDAP credentials and have access controls configured for certain groups and users. All without the server saving any credential information about the users, even for caching purposes. I understand that the Apache auth modules will do what they say, that is just authorize users. Perhaps this is not possible yet, but I will still look around. Thank you very much for the help btw.

-- EricGruber - 2011-06-01

Closing this question after more than 30 days of inactivity. Feel free to reopen if needed. Consider engaging one of the TWiki consultants if you need timely help. We invite you to get involved with the community; it is more likely you get community support if you support the open source project!

-- PeterThoeny - 2011-07-08

Topic revision: r6 - 2011-07-08 - PeterThoeny
Copyright © 1999-2024 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.