LDAP TWiki authentication
Principles
This is how we use LDAP auth with TWiki (Cairo) against Microsoft Active Directory.
- We make TWiki use standard Apache basic authentication (the non-cookie, standard method). In this mode TWiki expects Apache to do all the auth work, and then execute the TWiki Perl scripts with the user login set by Apache into the environment variable REMOTE_USER. Our trick is to use a modified mod_auth_ldap Apache module that will get the AD login of the user, authenticate it against AD/LDAP, and then change the REMOTE_USER variable from the Windows login to the wiki name. That wiki name is dynamically computed by fetching First Name and Last Name in LDAP and concatenating them after some cleaning (capitalization, removing non-letter chars).
- Every N hours (for us, 4) a shell script dumps all the LDAP accounts, checks which ones are not yet declared as TWiki accounts, and creates them via a modified (to be used non-interactively, and without declaring a password) version of the register TWiki Perl CGI script.
- This shell script keeps the list of all LDAP accounts as a wiki page for reference, and mails the changes to an admin mailing list.
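An added example (not the page's own scripts) of the wiki-name derivation described above, with the check a practitioner wants before accounts are created: since Apache rewrites REMOTE_USER to the computed name, two AD accounts whose names clean down to the same WikiName would be authorized as one wiki identity, so such collisions are reported rather than created. Assumptions: the AD attributes are givenName and sn, "capitalization" means first letter upper and the rest lower, and the sample accounts are constructed.

```python
import re
import unicodedata

# Constructed sample of an LDAP/AD dump: (sAMAccountName, givenName, sn).
# These entries are invented for the example, not real accounts.
SAMPLE_ACCOUNTS = [
    ("jdupont", "jean-pierre", "DUPONT"),
    ("mobrien", "Mary", "O'Brien"),
    ("emuller", "\u00c9lodie", "M\u00fcller"),  # accented characters
    ("jdoe", "John", "Doe"),
    ("jdoe2", "john", "doe"),   # different login, same cleaned name: collision
    ("broken", "", "Doe"),      # missing givenName: no WikiName can be built
]

def clean_part(s):
    """Strip accents, drop every non-letter, then capitalise the first letter
    and lower-case the rest (assumed reading of 'capitalization')."""
    s = unicodedata.normalize("NFKD", s).encode("ascii", "ignore").decode()
    s = re.sub(r"[^A-Za-z]", "", s)
    return s[:1].upper() + s[1:].lower() if s else ""

def wiki_name(first, last):
    """Return FirstnameLastname, or None when either part is empty after cleaning."""
    f, l = clean_part(first), clean_part(last)
    if not f or not l:
        return None
    return f + l

def map_accounts(accounts):
    """Map login -> WikiName and return (mapping, collisions, rejected).
    collisions: WikiName -> logins sharing it; these would share one wiki
    identity once REMOTE_USER is rewritten, so they need manual resolution.
    rejected: logins for which no WikiName could be derived."""
    mapping, by_name, rejected = {}, {}, []
    for login, first, last in accounts:
        name = wiki_name(first, last)
        if name is None:
            rejected.append(login)
            continue
        mapping[login] = name
        by_name.setdefault(name, []).append(login)
    collisions = {n: ls for n, ls in by_name.items() if len(ls) > 1}
    return mapping, collisions, rejected

if __name__ == "__main__":
    mapping, collisions, rejected = map_accounts(SAMPLE_ACCOUNTS)
    print("to create:", {k: v for k, v in mapping.items() if v not in collisions})
    print("collisions:", collisions)
    print("rejected:", rejected)
```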
Implementation
Apache module
We are based on v2.4.2 of https://www.muquit.com/muquit/software/mod_auth_ldap/mod_auth_ldap.html
- mod_auth_ldap.colas.tgz : The whole module, modified
- README.colas : The readme
The modified register TWiki file
To be placed in the TWiki bin/ dir:
- register-ldap : modified version of the Cairo TWiki bin/register script
The offline account-generation scripts
- README_scripts.txt : The README of scripts
- ldap-ilog-update-wikinames : main script
- ldap-ilog-dump-wikiname : dump info for one account
- wiki-register : shell script calling the CGI register-ldap via wget
debug / dev ones:
- wiki-register-all : batch account creation
- wiki-ldap-check-accounts : one shot: clean all wiki pages accounts