Question

We are using modauthkerb for user authentication and on the whole it works OK. If a user wants to edit a file then Kerberos authentication is needed. .htaccess has entries such as:


<Files "viewauth">
       require valid-user
</Files>

<Files "edit">
       require valid-user
</Files>

There is a small problem on registration however as a user can successfully register with a bogus username. The user is then unable to edit a topic but this is annoying as real users make typos on their usernames and I have to correct them.

During registration is the authentication checked in any way? How can I make the registration process check against the kerberos authentication first?

Also some users are attempting to register by simply creating a user topic in the Mainweb. If access control is set on the Mainweb then users can not create personnel Menu topics etc. How can I stop people from trying to register incorrectly in this manner without upsetting other TWiki functionalities? Many thanks for any help.

Environment

TWiki version: TWikiRelease02Sep2004
TWiki plugins: DefaultPlugin, EmptyPlugin, InterwikiPlugin
Server OS: RH Linux
Web server: Apache 1.3
Perl version: 5.008
Client OS: Windows, Linux
Web Browser: IE, Mozilla, Firefox
Categories: Registration

-- PeterJones - 28 Sep 2005

Answer

Peter, I am not sure that you can force TWiki to re-check the entered login id without you personally writing some kind of plugin and/or changing the core code. We use LDAP for authentication. The login id is picked up by TWiki and is therefore guaranteed to be what the user entered at Auth time. Problem is, LDAP is case agnostic - in that, a user can type UPPERCASE or lowercase as their login id and LDAP will happily oblige. Most people use lowercase, but sometimes I get someone who has registered as an UPPERCASE and then cannot figure out why their friendly TWiki name doesn't show up. I have to manually fix the lookup table.

So, doesn't your Kerberos module cause TWiki to pick up the auth id as the TWiki %REMOTE_USER% variable? It should and if not, then something isn't quite right. You have to tell TWiki to perform this function via a setting in twiki/lib/TWiki.cfg.

-- SteveRJones - 29 Sep 2005

You can get the correct default value into the form by adding the following to your Apache config:

<Files "register">
       require valid-user
</Files>

However, there are some issues with mod_auth_kerb userids: They usually read username@MY.REALM, which seems to confuse TWiki.

I've worked around this by manually removing the @MY.REALM part in the form so that only the username part remains (a one-line-hack in /bin/register) and by using LoginNameAliasesPlugin to strip (REMOVE_SUFFIX in the plugin's terms) @MY.REALM in subsequent access control checks.

-- HaraldJoerg - 30 Sep 2005

I do have

<Files "register">
       require valid-user
</Files>
configured in apache the LoginNameAliasesPlugin

Is there anything else?

-- PeterJones - 30 Sep 2005

Peter you should look at the Beta for DevelopBranch as it has a RegisterCgiScriptRewrite. It sounds like you need to add hooks into that process but you don't want to look at Cairo code for that is very outdated and DakarRelease is likely within the next couple of weeks.

-- MartinCleaver - 01 Oct 2005

Of course Martin is right. Well... Since I myself am currently moving to DakarRelease I am finding it difficult to speak for Cairo here, but y'know, it might nevertheless be possible to do it with Cairo (as I have exactly the same setup running)....

In addition to having register authenticated by Apache (Peter surely meant to say "Apache Config" instead of "LoginNameAliasesPlugin") I have changed a few things. Note that this is specific for mod_auth_kerb and definitely different for other authentication schemes!

  1. Use TWikiRegistrationPub for registration (this makes the login name visible)
  2. Hack bin/register by adding one line (see below)
  3. Install and configure LoginNameAliasesPlugin by setting: REMOVE_SUFFIX = @YOUR.KERBEROS.DOMAIN in the plugin page
  4. Activate the plugin by setting $useLoginNameAliasesPlugin to a true value in lib/TWiki.cfg (see LoginNameAliasesPlugin)

The one-liner for bin/register is:

--- /srv/www/CairoTWiki/bin/register    2005-08-05 20:33:22.000000000 +0200
+++ /home/haj/register  2005-10-02 00:31:57.000000000 +0200
@@ -75,4 +75,5 @@
             } elsif( $name eq "Login Name" ) {
                 $remoteUser = $value;
+                $remoteUser =~ s/\@.*$//;
             } elsif( $name eq "Email" ) {
                 $emailAddress = $value;
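
Review bot: the added substitution `$remoteUser =~ s/\@.*$//;` drops whatever follows the first `@` without checking which realm it was, so `user@MY.REALM` and `user@SOME.OTHER.REALM` both end up registered as `user`. The branch also takes `$value` from the "Login Name" form field, so the stored name is still whatever was submitted, not necessarily the principal Apache authenticated. Suggest anchoring the pattern to the single realm you accept (the same string configured as REMOVE_SUFFIX), using `\z` rather than `$` so a trailing newline cannot slip through, and refusing the registration when the stripped form value differs from the stripped REMOTE_USER.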

Note that the plugin won't work at all under DakarRelease, so another solution is needed there.

-- HaraldJoerg - 01 Oct 2005
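
One way to make registration check the submitted login name against the Kerberos-authenticated principal, as an added example (not part of the original posts and not TWiki's own code). The function names, the `MY.REALM` placeholder and the sample inputs are assumptions; in bin/register the second argument would come from `$ENV{REMOTE_USER}` once `register` is protected with `require valid-user`.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Assumption: the single realm this wiki accepts (placeholder value).
my $EXPECTED_REALM = 'MY.REALM';

# Map a mod_auth_kerb principal ("user@REALM") to a bare login name.
# Returns undef unless the realm is exactly the expected one, so that
# "user@OTHER.REALM" never collapses into the local "user".
sub principal_to_login {
    my ($principal, $realm) = @_;
    return unless defined $principal;
    my ($user, $got_realm) = $principal =~ /\A([^\@\s]+)\@([^\@\s]+)\z/
        or return;
    return unless $got_realm eq $realm;    # realm names are case-sensitive
    return $user;
}

# Decide whether a submitted "Login Name" form value may be registered.
# Returns (1, $login) on success or (0, $reason) on refusal.
sub check_registration {
    my ($form_login, $remote_user, $realm) = @_;
    my $login = principal_to_login($remote_user, $realm);
    return (0, 'no authenticated principal in the expected realm')
        unless defined $login;
    # Accept the form value with or without the realm suffix, nothing else.
    my $submitted = defined $form_login ? $form_login : '';
    $submitted =~ s/\@\Q$realm\E\z//;
    return (0, "form login '$submitted' does not match authenticated '$login'")
        unless $submitted eq $login;
    return (1, $login);
}

# Constructed sample inputs: [form value, REMOTE_USER as set by Apache].
for my $case (
    [ 'pjones@MY.REALM', 'pjones@MY.REALM'    ],
    [ 'pjones',          'pjones@MY.REALM'    ],
    [ 'pjonse',          'pjones@MY.REALM'    ],    # typo in the form
    [ 'pjones',          'pjones@OTHER.REALM' ],    # foreign realm
    [ 'pjones',          undef                ],    # register not protected
) {
    my ($ok, $detail) = check_registration(@$case, $EXPECTED_REALM);
    printf "%-16s %-19s => %s (%s)\n",
        $case->[0], defined $case->[1] ? $case->[1] : '(unset)',
        $ok ? 'accept' : 'refuse', $detail;
}
```

Only the first two constructed cases are accepted; the typo, the foreign realm and the unauthenticated request are refused before any user topic would be created.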

FYI: I plan on making LoginNameAliasesPlugin work under Dakar.

-- ClaussStrauch - 02 Oct 2005

Topic revision: r7 - 2005-10-02 - ClaussStrauch
Copyright © 1999-2026 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.