
LDAP TWiki authentication

Principles

This is how we use LDAP authentication with TWiki (Cairo) against Microsoft Active Directory:
  • We make TWiki use standard Apache basic authentication (the standard, non-cookie method). In this mode TWiki expects Apache to do all the authentication work and then execute the TWiki Perl scripts with the user login set by Apache in the environment variable REMOTE_USER. Our trick is to use a modified mod_ldap Apache module that gets the AD login of the user, authenticates against AD/LDAP with it, and then changes REMOTE_USER from the Windows login to the wiki name. The wiki name is computed dynamically by fetching First Name and Last Name from LDAP and concatenating them after some cleaning (capitalization, removal of non-letter characters).
  • Every N hours (for us, 4) a shell script dumps all the LDAP accounts, checks which ones are not yet declared as TWiki accounts, and creates them via a version of the TWiki register Perl CGI script modified to be used non-interactively and without declaring a password.
  • This shell script keeps the list of all LDAP accounts as a wiki page for reference, and mails the changes to an admin mailing list.

Implementation

Apache module

Our module is based on v2.4.2 of http://www.muquit.com/muquit/software/mod_auth_ldap/mod_auth_ldap.html

The modified register TWiki file

To be placed in the TWiki bin/ directory:
  • register-ldap: modified version of the Cairo TWiki bin/register script

The offline account-generation scripts

debug / dev ones:

Topic attachments

  • README.colas (1 K, 19 May 2007 - 17:34, ColasNahaboo): The readme
  • README_scripts.txt (2 K, 19 May 2007 - 17:42, ColasNahaboo): The README of scripts
  • ldap-ilog-dump-wikiname (1 K, 19 May 2007 - 17:45, ColasNahaboo): dump info for one account
  • ldap-ilog-update-wikinames (2 K, 19 May 2007 - 17:44, ColasNahaboo): main script
  • mod_auth_ldap.colas.tgz (42 K, 19 May 2007 - 17:34, ColasNahaboo): The whole module, modified
  • register-ldap (3 K, 19 May 2007 - 17:37, ColasNahaboo): modified version of the Cairo TWiki bin/register script
  • wiki-ldap-check-accounts (1 K, 19 May 2007 - 17:49, ColasNahaboo): one shot: clean all wiki pages accounts
  • wiki-register (249 bytes, 19 May 2007 - 17:47, ColasNahaboo): shell script calling the CGI register-ldap via wget
  • wiki-register-all (679 bytes, 19 May 2007 - 17:48, ColasNahaboo): batch account creation

Topic revision: r18 - 24 May 2007, ColasNahaboo