LDAP TWiki authentication

Principles

This is how we use LDAP auth with TWiki (Cairo) with Microsoft Active Directory

• We make TWiki use standard apache basic authentication (The non-cookie, standard method). In this mode TWiki expects Apache to do all the auth work, and then execute TWiki perl scripts with the user login set into the environment variable REMOTE_USER by apache. Our trick is to use a modified mod_ladp apache module that wil get the AD login of the user, auth with AD/LDAP with it, and then change the REMOTE_USER variable from windows login to the wiki name that is dynamically computed by fetching First Name and Last Name in LDAP, and concatenating them after some cleaning (capitalization, removing on non-letter chars)
• every N hours (for us, 4) a shell script dumps all the LDAP accounts, checks the one not yet declared as TWiki accounts, and for them create them via a modified (to be used non-interactively, and without declaring a password) version of the register TWiki perl CGI script
• This shell script keeps the list of all LDAP accounts as a wiki page for reference, and mails the changes to an admin mailing list

Implementation

Apache module

We are based on the v2.4.2 of http://www.muquit.com/muquit/software/mod_auth_ldap/mod_auth_ldap.html

• mod_auth_ldap.colas.tgz: The whole module, modified
• README.colas: The readme

The modified register TWiki file

to be placed in the TWiki bin/ dir

• register-ldap: modified version of the Cairo TWiki bin/register script

The offline account-generation scripts

• README_scripts.txt: The README of scripts
• ldap-ilog-update-wikinames: main script
• ldap-ilog-dump-wikiname: dump info for one account
• wiki-register: shell script calling the CGI register-ldap via wget

debug / dev ones:

• wiki-register-all: batch account creation
• wiki-ldap-check-accounts: one shot: clean all wiki pages accounts