LDAP TWiki authentication
Principles
This is how we use LDAP authentication with TWiki (Cairo) against Microsoft Active Directory.
- We make TWiki use standard Apache basic authentication (the non-cookie, standard method). In this mode TWiki expects Apache to do all the auth work and then execute the TWiki Perl scripts with the user login set by Apache into the environment variable REMOTE_USER. Our trick is to use a modified mod_auth_ldap Apache module that takes the AD login of the user, authenticates it against AD/LDAP, and then changes the REMOTE_USER variable from the Windows login to the wiki name, which is computed dynamically by fetching First Name and Last Name from LDAP and concatenating them after some cleaning (capitalization, removal of non-letter chars).
- Every N hours (for us, 4) a shell script dumps all the LDAP accounts, checks which ones are not yet declared as TWiki accounts, and creates those via a modified version of the TWiki register Perl CGI script (modified to be used non-interactively and without declaring a password).
- This shell script keeps the list of all LDAP accounts as a wiki page for reference, and mails the changes to an admin mailing list.
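The WikiName computation described above, as an added example that is not code from the page's module or scripts. It assumes the cleaning rule is: keep only ASCII letters, upper-case the first kept letter of each LDAP component (givenName, sn) and lower-case the rest; the function names are hypothetical, and the sample names are constructed.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Append one LDAP name component (givenName or sn) to out starting at pos,
   keeping only ASCII letters: the first kept letter is upper-cased, the rest
   lower-cased. Spaces, hyphens, apostrophes, digits and non-ASCII bytes are
   dropped (assumption: the module's cleaning is ASCII-only).
   Returns the new end position in out. */
static size_t append_component(const char *src, char *out, size_t outlen, size_t pos)
{
    int first = 1;
    for (; *src != '\0' && pos + 1 < outlen; src++) {
        unsigned char c = (unsigned char)*src;
        if (!isalpha(c))
            continue;
        out[pos++] = (char)(first ? toupper(c) : tolower(c));
        first = 0;
    }
    out[pos] = '\0';
    return pos;
}

/* Build the TWiki WikiName (FirstnameLastname) that replaces REMOTE_USER.
   Returns 1 on success, 0 if either component is empty after cleaning,
   since such a value would not be a usable WikiName. */
int ldap_to_wikiname(const char *first_name, const char *last_name,
                     char *out, size_t outlen)
{
    size_t pos, end;
    if (outlen == 0)
        return 0;
    out[0] = '\0';
    pos = append_component(first_name, out, outlen, 0);
    if (pos == 0)
        return 0;
    end = append_component(last_name, out, outlen, pos);
    return end > pos;
}

int main(void)
{
    char wikiname[64];
    /* Constructed sample: AD givenName "jean-pierre", sn "o'brien" */
    if (ldap_to_wikiname("jean-pierre", "o'brien", wikiname, sizeof wikiname))
        printf("REMOTE_USER=%s\n", wikiname);   /* prints REMOTE_USER=JeanpierreObrien */
    return 0;
}
```

Two different LDAP entries can clean to the same WikiName (e.g. accented and unaccented spellings of one name), so the account-generation script should check for such collisions before registering.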
Implementation
Apache module
Our module is based on v2.4.2 of
http://www.muquit.com/muquit/software/mod_auth_ldap/mod_auth_ldap.html
The modified register TWiki file, to be placed in the TWiki bin/ dir
- register-ldap: modified version of the Cairo TWiki bin/register script
The offline account-generation scripts
debug / dev ones: