Question
I set up TWiki a few months ago and it has been working great. The users are happy and information gets added to the wiki every day. We are using just basic authentication (if that is the right way to say it; each user must register and get a password). We are using the convention of having each user name be FirstnameLastname. So users self-register and pick their own passwords. This has worked fine for months.
But now corporate security wants me to lock down access to this wiki to only members of my organization. We use Windows AD, and I have been able to set up the mod_authz_ldap module on a test page outside the wiki to require entering a valid username and password to access it. However, our usernames are first initial followed by last initial and employee ID number. So Bob Smith's username may be bs12345 and his wiki username would be BobSmith.
How can I map the corporate username to the WikiName of each user so that they will only have to supply one username and password when trying to access or modify the wiki? I will also have to restrict access to just one group (defined in LDAP) and possibly a few additional users.
I'm new to LDAP (and Apache) configuration options, so any pointers would be much appreciated.
Alfred
Environment
--
AlfredvonCampe - 15 Jan 2008
Answer
We are using LdapContrib in connection with an AD server. After installing this contrib, the following settings have to be adjusted in lib/LocalSite.cfg (according to your AD setup):
$TWiki::cfg{Ldap}{Host} = 'ad-server';
$TWiki::cfg{Ldap}{Port} = 389;
$TWiki::cfg{Ldap}{Version} = '3';
$TWiki::cfg{Ldap}{Base} = 'dc=location,dc=company,dc=local';
$TWiki::cfg{Ldap}{BindDN} = 'cn=binduser,ou=Users,ou=Group,dc=location,dc=company,dc=local';
$TWiki::cfg{Ldap}{BindPassword} = 'secretpassword';
$TWiki::cfg{Ldap}{SSL} = 0;
$TWiki::cfg{Ldap}{UserBase} = 'ou=Group,dc=location,dc=company,dc=local';
$TWiki::cfg{Ldap}{LoginAttribute} = 'sAMAccountName';
$TWiki::cfg{Ldap}{WikiNameAttribute} = 'cn';
$TWiki::cfg{Ldap}{NormalizeWikiNames} = 1;
$TWiki::cfg{Ldap}{LoginFilter} = 'objectClass=user';
$TWiki::cfg{Ldap}{MapGroups} = 1;
$TWiki::cfg{Ldap}{GroupBase} = 'ou=Group,dc=location,dc=company,dc=local';
$TWiki::cfg{Ldap}{GroupAttribute} = 'ou';
$TWiki::cfg{Ldap}{GroupFilter} = 'objectClass=organizationalUnit';
$TWiki::cfg{Ldap}{TWikiGroupsBackoff} = 1;
$TWiki::cfg{Ldap}{MemberAttribute} = 'department';
$TWiki::cfg{Ldap}{MemberIndirection} = 0;
$TWiki::cfg{Ldap}{MaxCacheHits} = -1;
$TWiki::cfg{Ldap}{MaxCacheAge} = 600;
$TWiki::cfg{Ldap}{Exclude} = 'TWikiGuest, TWikiContributor, TWikiRegistrationAgent, TWikiAdminGroup, NobodyGroup';
$TWiki::cfg{Ldap}{PageSize} = 200;
$TWiki::cfg{Ldap}{Debug} = 0;
As we don't use the AD groups, the group settings in the above example are most likely wrong.
The password manager has to be changed as well:
$TWiki::cfg{PasswordManager} = 'TWiki::Users::LdapUser';
$TWiki::cfg{UserMappingManager} = 'TWiki::Users::LdapUserMapping';
Additionally, you might like to modify parts of your installation (see LdapAuthenticatedTwikiModifications) and install NewUserPlugin to create user topics on first login.
--
MartinKaufmann - 16 Jan 2008
Thanks for the information. I will certainly study the LdapContrib module. However, I think I need to use httpd authentication, since I have been told that we don't want anyone outside of our group to be able to read the wiki. So after the user has authenticated to Apache, he or she should be able to:
1. Access (i.e., read) the wiki
2. Modify the wiki without having to enter their current wiki password
Step 1 is the easy part, and I have that working (well, I have not yet applied the directives to the wiki directory), and I am asking about step 2 specifically in this question. We have been using this wiki for many months, and when users want to modify or add a page they have to enter their wiki username and password which they got when they first registered. Given this existing set of usernames and passwords, how do I map an authenticated Apache user to the wiki so that they don't have to enter that wiki username and password again? If need be, I can manually create a mapping from their LDAP username to their wiki username.
Alfred
--
AlfredvonCampe - 16 Jan 2008
It's me again. I am still looking for suggestions/alternatives so that I can use httpd LDAP authentication to access the existing TWiki accounts without requiring a double login.
Alfred
--
AlfredvonCampe - 21 Jan 2008
I can't help you there as I've never used mod_auth_ldap myself. However, I don't see why it wouldn't work with LdapContrib.
--
MartinKaufmann - 23 Jan 2008
We use mod_authnz_ldap and only need to authenticate with a user once. Although I'm struggling to get nested groups working, a user can log in with their AD username and password and edit a page without a second authentication. Perhaps check in twiki_httpd_conf.txt for the restrictions on the edit script - I use require ldap-group there and it seems to work fine (as long as I don't have the usernames in a nested group). The only time a user gets prompted again is if their user is not in the authorised group for editing.
--
NigelWhitley - 24 Jan 2008
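The setup Nigel describes, written out as an added example (this is not Nigel's configuration, nor TWiki's stock twiki_httpd_conf.txt): an Apache 2.4 mod_authnz_ldap section for the TWiki bin directory that authenticates every request against AD once, lets only one LDAP group plus a few named users read the wiki (Alfred's requirement from the question), and lets only an editors group run the editing scripts. The host, bind DN and base DN are taken from the LdapContrib settings above; the install path, group names, user IDs and CA file path are placeholders. Two caveats a practitioner would want: use ldaps:// rather than the plaintext port 389 shown in the LdapContrib example, since otherwise the bind password and every user's password cross the network in the clear, and keep the bind password out of world-readable config (Apache 2.4.5+ accepts `AuthLDAPBindPassword exec:/path/to/script`). Apache 2.4 also resolves nested AD groups if told that AD's group object class is `group`, which 2.2 could not do.

```apache
# Trust only the corporate CA when talking to the domain controller over TLS
# (placeholder path).  LDAPVerifyServerCert defaults to On; do not turn it off.
LDAPTrustedGlobalCert CA_BASE64 /etc/ssl/certs/corp-root-ca.pem

<Directory "/var/www/twiki/bin">
    AuthType Basic
    AuthName "Corporate Wiki"
    AuthBasicProvider ldap

    # Find the user object whose sAMAccountName equals the login typed into the
    # browser (bs12345), the same attribute LdapContrib uses as LoginAttribute.
    AuthLDAPURL "ldaps://ad-server/ou=Group,dc=location,dc=company,dc=local?sAMAccountName?sub?(objectClass=user)"
    AuthLDAPBindDN "cn=binduser,ou=Users,ou=Group,dc=location,dc=company,dc=local"
    # Prefer: AuthLDAPBindPassword exec:/usr/local/sbin/ad-bind-pw (2.4.5+)
    AuthLDAPBindPassword "secretpassword"

    # AD stores membership as full DNs in the group's 'member' attribute.
    AuthLDAPGroupAttribute member
    AuthLDAPGroupAttributeIsDN on
    # Walk nested groups (Apache 2.4 only).  AD's group objectClass is 'group',
    # not the groupOfNames default.
    AuthLDAPSubGroupClass group
    AuthLDAPSubGroupAttribute member
    AuthLDAPMaxSubGroupDepth 3

    # Step 1 (reading): anyone in the organisation's group, or one of the
    # explicitly listed extra users.  Several Require lines in one section
    # are ORed, so either condition admits the user.
    Require ldap-group cn=wiki-readers,ou=Groups,dc=location,dc=company,dc=local
    Require ldap-user jd67890 ab54321

    # Step 2 (editing): the scripts that change content.  The browser re-sends
    # the same Basic credentials, so there is no second prompt unless the user
    # is not an editor.  A Require inside FilesMatch replaces the outer one, so
    # the extra readers above are deliberately not editors.
    <FilesMatch "(attach|edit|manage|rename|save|upload|mail|logon|rest|.*auth).*">
        Require ldap-group cn=wiki-editors,ou=Groups,dc=location,dc=company,dc=local
    </FilesMatch>
</Directory>
```

The script list in FilesMatch mirrors the shape of TWiki's own httpd fragment that Nigel mentions; check your twiki_httpd_conf.txt for the exact list your version ships with.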
Thanks for the information Martin and Nigel. I guess I will just have to try this. I can believe that this works as I want with LdapContrib if set up from scratch that way. My apprehension stems from the fact that we've used this wiki for 6 months or so without LDAP authentication from Apache, and everyone was free to create their own username and password (following the TWiki convention). Now I need to map the LDAP authenticated users to their self-created TWiki accounts, and this is the part I am not sure how to do.
My plan is to make a copy of the entire TWiki instance and hammer out these details on that copy. I'll report back with my progress so this can help others in the future that follow the same path.
Alfred
--
AlfredvonCampe - 24 Jan 2008
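The mapping Alfred says he could build by hand, as an added worked example (not code from the thread and not part of TWiki): a script that rewrites TWiki's Main/TWikiUsers.txt so that the login field of each self-registered user becomes the AD sAMAccountName. It assumes the stock TWiki 4.x entry format `   * WikiName - loginname - 02 Jul 2007` and that, with Apache doing authentication (TWiki 4.x: `$TWiki::cfg{LoginManager} = 'TWiki::Client::ApacheLogin'`), TWiki takes the login name from REMOTE_USER and resolves it through this topic. The sample topic and the login-to-AD mapping are constructed; Python is used here instead of TWiki's Perl so the example can be checked stand-alone. It refuses to let two WikiNames collapse onto one AD login, and reports every user who has no AD login so the export can be corrected on the copy before the live instance is switched.

```python
"""Re-key Main/TWikiUsers.txt from self-registered wiki logins to AD logins.

Added example for this thread, not TWiki's own code.  Assumes the stock
TWiki 4.x TWikiUsers format, one entry per user:

    * WikiName - loginname - 02 Jul 2007

With Apache authentication TWiki takes the login from REMOTE_USER and looks it
up in this topic, so rewriting the middle field is the whole mapping.
"""
import re

# One user entry.  The per-letter index lines in the topic
# ("   * B - <a name="B">- - - -</a>") do not match because '<' is not a
# legal login character, so they pass through untouched.
ENTRY_RE = re.compile(
    r"^(?P<indent>\s+\*\s+)(?P<wikiname>[A-Z][A-Za-z0-9]*)\s+-\s+"
    r"(?P<login>[\w.@-]+)\s+-\s+(?P<date>\d{2} [A-Z][a-z]{2} \d{4})\s*$"
)

# Pseudo-users TWiki itself needs; they have no AD account and keep their
# logins (the same names appear in LdapContrib's Exclude setting on this page).
BUILTIN_USERS = {"TWikiGuest", "TWikiContributor", "TWikiRegistrationAgent"}

# Constructed sample of what six months of self-registration produced.
OLD_TOPIC = """\
%META:TOPICINFO{author="TWikiContributor" date="1200000000" format="1.1" version="1.1"}%
---+ TWiki Users
   * A - <a name="A">- - - -</a>
   * B - <a name="B">- - - -</a>
   * BobSmith - BobSmith - 02 Jul 2007
   * C - <a name="C">- - - -</a>
   * CarlJones - CarlJones - 20 Sep 2007
   * J - <a name="J">- - - -</a>
   * JaneDoe - jdoe - 15 Aug 2007
   * TWikiGuest - guest - 10 Feb 1999
"""

# Constructed mapping: current wiki login -> AD sAMAccountName.  In practice
# this comes from an HR or AD export; people not in the topic are ignored.
LOGIN_MAP = {
    "BobSmith": "bs12345",
    "jdoe": "jd67890",
    "nobody": "xx00000",
}


def rekey_topic(topic_text, login_map, builtin=BUILTIN_USERS):
    """Return (new_topic_text, unmapped_wikinames).

    Entries whose login is in login_map get the AD login instead.  Entries
    with no mapping are left alone and reported, so the export can be fixed
    before Apache is switched over (those people would otherwise lose access
    to their old identity).  Two WikiNames mapping to one AD login is refused:
    it would let a single AD account act as two wiki users.
    """
    owner_of = {}      # ad_login -> wikiname already assigned to it
    unmapped = []
    out = []
    for line in topic_text.splitlines():
        m = ENTRY_RE.match(line)
        if not m or m["wikiname"] in builtin:
            out.append(line)
            continue
        new_login = login_map.get(m["login"])
        if new_login is None:
            unmapped.append(m["wikiname"])
            out.append(line)
            continue
        if owner_of.setdefault(new_login, m["wikiname"]) != m["wikiname"]:
            raise ValueError(
                f"AD login {new_login} would map to both "
                f"{owner_of[new_login]} and {m['wikiname']}"
            )
        out.append(f"{m['indent']}{m['wikiname']} - {new_login} - {m['date']}")
    trailing = "\n" if topic_text.endswith("\n") else ""
    return "\n".join(out) + trailing, sorted(unmapped)


def wikiname_for(topic_text, login):
    """What TWiki does with REMOTE_USER: resolve a login to its WikiName, or None."""
    for line in topic_text.splitlines():
        m = ENTRY_RE.match(line)
        if m and m["login"] == login:
            return m["wikiname"]
    return None


if __name__ == "__main__":
    new_topic, unmapped = rekey_topic(OLD_TOPIC, LOGIN_MAP)
    print(new_topic)
    print("no AD login for:", unmapped)
    print("bs12345 ->", wikiname_for(new_topic, "bs12345"))
```

Run it against the copy of the instance first, as Alfred plans, and only flip the live LocalSite.cfg once the unmapped list is empty. Once Apache owns authentication the old .htpasswd passwords are no longer consulted, so also close or restrict the register script; otherwise anyone who can reach it could self-register a WikiName that shadows an existing user.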
As long as the user names you've got now are the same as the ones that will be created from your LDAP entries (e.g. FirstnameLastname), I don't see a problem. At least it worked in our setup (using LdapContrib).
--
MartinKaufmann - 24 Jan 2008
Seems to be answered.
--
PeterThoeny - 02 Mar 2008