Login name not converted to WikiName
TWiki doesn't appear to parse the TWikiUsers properly when mod_ntlm (mod_sspi in Apache2) is used for authentication. The %REMOTE_USER variable passed on to TWiki by NTLM takes the form DOMAIN\username. So my entry in the TWikiUsers looks like this:
For the most part this doesn't cause a problem; editing authorship is retained, albeit with a slightly ugly looking syntax (author is DOMAIN\mwhilkie instead of MattWilkie). However it completely breaks TWiki Group authentication. For example, I am no longer a member of the TWikiAdminGroup so can't manage webs or delete attachments, etc.
I've tried adding both my WikiName and my login name to TWikiAdminGroup but I'm still not recognised.
Simple workarounds
The following workarounds remove the "DOMAIN\" portion of the remote_user, thus leaving yourself with a nice simple username. This workaround is NOT secure, in that if people can create arbitrary usernames on a domain of their choice they can spoof other users. Also, if two different users with the same username but on different domains exist, they will be treated as the same person. I'm on a corporate intranet so I don't care; otherwise look elsewhere on this page. If you are happy with these assumptions, here is what to do:
Option A, in Apache:
Add the following to your httpd.conf
<Perl>
# Runs before the TWiki CGI scripts: saves the NTLM-supplied name
# (DOMAIN\username) in REMOTE_USER_REAL and replaces the connection's
# user with the part after the backslash.
use Apache::Constants qw(OK);

sub My::Twiki::fix_handler
{
    my $r = shift;
    my $c = $r->connection;
    $ENV{'REMOTE_USER_REAL'} = $c->user();
    # keep whatever follows the (last) backslash
    if ($ENV{'REMOTE_USER_REAL'} =~ m|^.*\\(.*)| ) {
        $c->user($1);
    }
    return OK;    # a mod_perl handler must return a status code
}
</Perl>
Then for the section in httpd.conf that controls the bin directory, add this
PerlHandler Apache::Registry
--
KevinTam - 23 Jun 2004
Option B, in TWiki:
This patch to lib/TWiki.pm adds a (harmless) error message for the mailnotify script (unknown user). Run it interactively without '-q' from the shell prompt to see the message.
--
MattWilkie - 15 Sep 2003
Related Topics: WindowsInstallModNTLM
older stuff:
UPDATE: there is an error message in the apache error.log which looks related (reformatted for legible display)
[Wed Jul 16 06:22:19 2003] [error] [client 199.247.217.124] [Wed Jul 16 22:22:18 2003]
view: Unrecognized escape \m passed through in regex; marked by <-- HERE in
m/^Users.YNET\m <-- HERE hwilkie$/ at ../lib/TWiki/Access.pm line 187.,
referer: http://199.247.217.236/
[Wed Jul 16 06:22:31 2003] [error] [client 199.247.217.124] [Wed Jul 16 22:22:30 2003]
view: Unrecognized escape \m passed through in regex; marked by <-- HERE in
m/^Users.YNET\m <-- HERE hwilkie$/ at ../lib/TWiki/Access.pm line 187.,
referer: http://wannabee/bin/view/Main/
- TWiki version: 2003-Feb-01 thu 2003-Jul-01
- Perl version: 5.8
- Web server & version: Apache 2.0.47
- Server OS: Windows 2000
--
MattWilkie - 15 Jul 2003
Answer
I hit exactly the same problem today with:
- TWiki version: 2003-Feb-01 thu 2003-Jul-01
- Perl version: 5.6.1
- Web server & version: Apache 1.3.2 + ModPerl + ModNTLM
- Server OS: Windows 2000 Server
My entries look like:
Incidentally, I took out the #A, #B separators between the names. I don't know whether this made a difference.
--
MartinCleaver - 16 Jul 2003
added error log clipping; I haven't removed the separators in the TWikiUsers topic.
--
MattWilkie - 16 Jul 2003
I took out the Main. from Main.MartinCleaver and made sure the date was included - bizarrely this seems to have fixed it.
--
MartinCleaver - 17 Jul 2003
Umm, I'm confused. Do you mean that the entry for you in the Main.TWikiUsers topic used to have the Main prefix like this:
* Main.MartinCleaver - mbs\m.cleaver -
and changing it to this:
* MartinCleaver - mbs\m.cleaver - 01 Jan 1905
made it work?? If so there is something weird going on here, because my entry has always been like the second example (excepting upper case for the domain and no period in the username). Do you still get the "unrecognised escape" apache error message?
I think I found the place where this problem stems from, but I don't know what to do about it. See lib/TWiki.pm starting at sub userToWikiListInit, about line 775.
It looks like the search code ignores all lines which don't have a WikiWord and two dashes, which is why adding the date worked for you.
--
MattWilkie - 17 Jul 2003
Login names like YNET\mhwilkie do not work in TWiki because of a security filter. See TWiki.pm, sub userToWikiListInit:
    if( ( /^\s*\* ($wikiWordRegex)\s*\-\s*([^\s]*).*/o ) && $2 ) {
        $wUser = $1; # WikiName
        $lUser = $2; # userid
        $lUser =~ s/$securityFilter//go;
        $userToWikiList{ $lUser } = $wUser;
        $wikiToUserList{ $wUser } = $lUser;
    }
The $securityFilter removes backslash chars.
Workaround: Comment out the line with the security filter.
Correct fix: Apply a filter that does not remove the backslash.
--
PeterThoeny - 20 Jul 2003
I commented out the security line but I am still YNET\mhwilkie according to TWikiVariables. I also removed the initial \\ from the $securityFilter definition in TWiki.cfg without apparent effect. Updated filter:
$securityFilter = "[\*\?\~\^\$\@\%\`\"\'\&\;\|\<\>\x00-\x1F]";
I don't know if this is significant or not, but my lUser line is slightly different from the one you posted:
$lUser =~ s/$securityFilter//go; # FIXME: Should filter in for security...
--
MattWilkie - 21 Jul 2003
I would not change the security filter in TWiki.cfg, this could be a security issue.
Other places where the login name gets filtered: in TWiki.pm, functions initializeRemoteUser and userToWikiName.
--
PeterThoeny - 23 Jul 2003
Thank you Peter. I think I might have figured it out with the aid of the whoami script included with mod_auth_sspi. Please test the attached patch. It works for my site; hopefully it doesn't screw anybody else's up. It shouldn't though, as it tests for the existence of NTLM auth first.
--
MattWilkie - 23 Jul 2003
The patch successfully changes the DOMAIN\remote_user to $username, and gets rid of the "unrecognized escape" error, however the translation from $username to WikiName still does not happen.
I tried adding the same code to sub userToWikiName but that made it look like all edits were done by the current user (and still didn't convert username to wikiname).
Maybe somebody who actually understands perl will have better luck!
--
MattWilkie - 24 Jul 2003
This patch adds a (harmless) error message for the mailnotify script (unknown user). Run it interactively without '-q' from the shell prompt to see the message.
--
MattWilkie - 15 Sep 2003
MattWilkie - are you proposing a patch that we should put into Cairo? --
SvenDowideit - 24 Jun 2004
If you think it's suitable, then yes.
--
MattWilkie - 24 Jun 2004
I got the same problem on my TWiki installation using NTLM, and I fixed it in Access.pm by simply surrounding the userName variable with a \Q ... \E pair (\Q$theUserName\E) in all regexps, to avoid the interpretation of special escape characters -> 3 occurrences:
Access.pm:
if( @denyList ) {
if( grep { /^\Q$theUserName\E$/ } @denyList )
if( @allowList ) {
if( grep { /^\Q$theUserName\E$/ } @allowList ) {
my $isInGroup = grep { /^\Q$usrTopic\E$/ } @grpMembers;
I think this is the right fix, because it allows users to be distinguished by their network domain.
--
CostinCerchez - 02 Aug 2005
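The two regex behaviours discussed in this thread, as an added example that is not part of the original discussion or of TWiki's code: it applies KevinTam's domain-stripping regex from Option A, then reproduces the Access.pm membership check with the user name interpolated unquoted (which triggers the "Unrecognized escape \m" warning seen in the error.log above and fails to match) and with CostinCerchez's \Q...\E quoting. The function names and the sample logins and group list are assumptions; only the regexes come from the page.

```perl
#!/usr/bin/perl
# Added illustration, not TWiki code: how a DOMAIN\user REMOTE_USER behaves
# in (a) Option A's domain-stripping regex and (b) an Access.pm-style
# membership check, unquoted versus \Q...\E quoted.
use strict;
use warnings;

# (a) Option A's regex: keep whatever follows the last backslash.
sub strip_domain {
    my ($user) = @_;
    if ( $user =~ m|^.*\\(.*)| ) {
        return $1;
    }
    return $user;    # no backslash: leave the name alone
}

# (b) Access.pm-style test, interpolating the name unquoted: the \m in
# YNET\mhwilkie is read as an (unrecognized) regex escape, not a backslash.
sub in_list_unquoted {
    my ($name, @list) = @_;
    return scalar grep { /^$name$/ } @list;
}

# Same test with \Q...\E, so backslashes and dots are matched literally.
sub in_list_quoted {
    my ($name, @list) = @_;
    return scalar grep { /^\Q$name\E$/ } @list;
}

# Constructed inputs: the login names quoted in this thread (single quotes
# keep the backslash as-is, just as mod_ntlm delivers it).
my $remote_user = 'YNET\mhwilkie';
my @group       = ( 'YNET\mhwilkie', 'mbs\m.cleaver' );

print "stripped login: ", strip_domain($remote_user), "\n";

# Capture the regexp warning instead of letting it reach the error log.
my $warning = '';
my $hit_unquoted;
{
    local $SIG{__WARN__} = sub { $warning = shift };
    $hit_unquoted = in_list_unquoted($remote_user, @group);
}
print "unquoted match count: $hit_unquoted\n";
print "warning: $warning" if $warning;    # same text as the error.log entries
print "quoted match count:   ", in_list_quoted($remote_user, @group), "\n";
```

The unquoted check fails for every login that contains a backslash followed by a letter, which is why a plain DOMAIN\user name can never pass a group or allow-list test until it is either stripped (Option A) or quoted (Access.pm fix).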