SID-02247: Apache feeds login information to twiki
| Status: | Answered | TWiki version: | 6.0.2 | Perl version: | 5.20 |
| Category: | CategoryAuthentication | Server OS: | "Linux" x86-64 | Last update: | 9 years ago |
Hello,
I've been using tWiki for a few years now, with great success so far. It has its foibles, but I like it. I originally inherited a 4.x.x installation when I took over as sysadmin, and now am upgrading to 6.0.2 due to some changes to our web host's system (mainly, perl upgrade causing Load.pm to error out, and me preferring to just use this as an excuse to upgrade rather than manually fixing the errors).
Important: This tWiki is hosted on a shared webhost, I have no access to root, or any apache cfgs, or any different versions of perl, php, etc. I don't have the exact versions of Apache or Linux kernel that run on the webserver.
Anyways, background out of the way. Until now, our login system was a bit convoluted. We would login to a restricted area of a website (.htaccess-style), then load the tWiki page, and login to tWiki (with a different username) due to issues with using email addresses as login names on tWiki. With the new version, it seems like this is no longer possible. Logging into the restricted area of the website now will trigger tWiki to use that login as its login name.
So, my question is kind of an 'either or'.
1. Is it possible to not have tWiki automagically take the login information from Apache and return to our old system? It's clunky, but everyone else seemed happy with it.
2. Barring that, would using the main site login (an email address) that gets filtered down to three space separated strings ( "email domain com") as far as twiki seems to be concerned actually be a problem? And if not, how would I go about editing user information to map those logins to pre-existing wikinames/accounts?
--
Jon Nieznanski - 2016-09-07
Discussion and Answer
I decided to go with option 2. It seems that while twiki does not print the @ and . symbols, they're still there in the login name, and that is the problem I was having.
So, I've gone through and edited our (small) userbase in the TWikiUsers topic to have, instead of:
WikiName - loginname - date ;
WikiName - loginemail - date ;
Which has sprung up a new question. Which I will post shortly for some help with. If anyone has an answer for the first option, feel free to add that in.
--
Jon Nieznanski - 2016-09-07
I am not sure whether I fully understand your setup and what you are trying to achieve, but for sure TWiki has a lot of configuration variables to accommodate for shared webhosts, so probably the answer is sort of "yes, it can be done" - we only need to figure out how.
I understand that you are using Apache's login mechanism with .htaccess files, and I assume that you are usually using email addresses as user ids. The issues with using email addresses as login names on tWiki can be solved, as far as TWiki is concerned: By default, the at sign @ is not permitted for user ids, but that is configurable. There's an expert configuration setting {LoginNameFilterIn}, just delete the @ from the value and email addresses can be used as user ids. I do not understand why you would have to login to a restricted area and then login to TWiki instead of directly logging in to TWiki. I could, however, not observe that _twiki does not print the @ and . symbols._
You can have TWiki use Apache's login mechanism like that:
- In configure, replace {LoginManager} from TWiki::LoginManager::TemplateLogin to TWiki::LoginManager::ApacheLogin (maybe you've already done that).
- Do .htaccess style access control in TWiki's bin directory. You can use the ApacheConfigGenerator to create a template (look for Auth... directives).
- If you want (you probably do) use one single password, then several protected directories on one apache web server can share the same AuthUserFile, but there's a quirk: TWiki stores additional information in this file. So if you are using methods outside TWiki to change user passwords, then things will go wrong.
If your restricted area is, on the file system, containing TWiki's bin directory, then things are easier because step 2 is no longer needed.
--
Harald Jörg - 2016-09-18
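
An added check for the two points in the answer above (the {LoginNameFilterIn} setting and the shared AuthUserFile quirk); it is not part of the original posts or TWiki's own code. It assumes the additional information TWiki keeps in the AuthUserFile is a third colon-separated field holding the e-mail address, and that the default filter is the character class shown; the sample file contents are constructed.

```python
import re

# Assumed default value of {LoginNameFilterIn}: a class of rejected characters
# that includes "@" (verify against your own configure page).
DEFAULT_FILTER = r"""^[^\s\*?~^\$@%`"'&;|<>\x00-\x1f]+$"""
# The same value with "@" deleted, as suggested in the answer.
EMAIL_FILTER = DEFAULT_FILTER.replace("@", "", 1)

REJECTED = "login rejected by LoginNameFilterIn"
NO_EXTRA = "no additional TWiki field (entry written outside TWiki?)"

# Constructed sample of a shared AuthUserFile; hashes are placeholders.
SAMPLE = """\
JonN:$apr1$constructed$placeholder0000000000:jon@example.com
jon@example.com:$apr1$constructed$placeholder1111111111:jon@example.com
mary@example.com:$apr1$constructed$placeholder2222222222
"""


def audit_auth_user_file(text, login_filter=EMAIL_FILTER):
    """Return (line_no, login, problem) tuples for a shared AuthUserFile."""
    allowed = re.compile(login_filter)
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        login = fields[0]
        # A login the filter rejects cannot be used as a TWiki user id.
        if not allowed.match(login):
            findings.append((line_no, login, REJECTED))
        # Assumed layout is login:hash:email; a two-field line lacks the
        # information TWiki added, which points to an outside password tool.
        if len(fields) < 3 or not fields[2]:
            findings.append((line_no, login, NO_EXTRA))
    return findings


if __name__ == "__main__":
    for name, flt in (("default", DEFAULT_FILTER), ("@ allowed", EMAIL_FILTER)):
        print(name, audit_auth_user_file(SAMPLE, flt))
```

Run it against a copy of the password file after any password change made outside TWiki, before users report login problems.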